From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leon Romanovsky Subject: [PATCH rdma-next 25/25] IB/mlx5: Enable DEVX on IB Date: Mon, 17 Sep 2018 14:04:18 +0300 Message-ID: <20180917110418.18937-26-leon@kernel.org> References: <20180917110418.18937-1-leon@kernel.org> Cc: Leon Romanovsky , RDMA mailing list , Yishai Hadas , Saeed Mahameed , linux-netdev To: Doug Ledford , Jason Gunthorpe Return-path: Received: from mail.kernel.org ([198.145.29.99]:51102 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728382AbeIQQcx (ORCPT ); Mon, 17 Sep 2018 12:32:53 -0400 In-Reply-To: <20180917110418.18937-1-leon@kernel.org> Sender: netdev-owner@vger.kernel.org List-ID: From: Yishai Hadas IB has additional protections with SELinux that cannot be extended to the DEVX domain. SELinux can restrict access to pkeys. The first version of DEVX blocked IB entirely until this could be understood. Since DEVX requires CAP_NET_RAW, it supersedes the SELinux restriction and allows userspace to form arbitrary packets with arbitrary pkeys. Thus we enable IB for DEVX when CAP_NET_RAW is given. Signed-off-by: Yishai Hadas Signed-off-by: Leon Romanovsky --- drivers/infiniband/hw/mlx5/main.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c index 8cc285c4da8e..c31e57bead8e 100644 --- a/drivers/infiniband/hw/mlx5/main.c +++ b/drivers/infiniband/hw/mlx5/main.c @@ -1759,12 +1759,6 @@ static struct ib_ucontext *mlx5_ib_alloc_ucontext(struct ib_device *ibdev, #endif if (req.flags & MLX5_IB_ALLOC_UCTX_DEVX) { - /* Block DEVX on Infiniband as of SELinux */ - if (mlx5_ib_port_link_layer(ibdev, 1) != IB_LINK_LAYER_ETHERNET) { - err = -EPERM; - goto out_uars; - } - err = mlx5_ib_devx_create(dev); if (err < 0) goto out_uars; -- 2.14.4
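Review bot: with the link-layer gate removed, the CAP_NET_RAW requirement cited in the commit message is the only remaining barrier to DEVX on an IB port, and nothing in this hunk enforces it; please state in the commit message where that capability check lives (mlx5_ib_devx_create(), called right after the removed block via `err = mlx5_ib_devx_create(dev);`, is the natural place) so a reviewer can confirm that an unprivileged IB user still gets -EPERM rather than a DEVX context that bypasses SELinux pkey labeling. A one-line comment in place of the dropped `/* Block DEVX on Infiniband as of SELinux */` line, noting that CAP_NET_RAW now supersedes the SELinux pkey restriction, would keep that reasoning next to the code instead of only in git history.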