Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

On 9/20/2016 6:43 PM, Paul Moore wrote:
> On Tue, Sep 6, 2016 at 4:02 PM, Jason Gunthorpe
> <jgunthorpe@xxxxxxxxxxxxxxxxxxxx> wrote:
>> On Thu, Sep 01, 2016 at 02:06:46PM -0400, Paul Moore wrote:
>>
>>> Jason and/or Daniel, I think it would be helpful if you could explain
>>> both the InfiniBand and IP based approaches for those of us who know
>>> SELinux, but not necessarily the RDMA and InfiniBand portions of this
>>> discussion.  Be verbose and explain it as if we were idiots (I get
>>> called that enough, it must be true).
>> Well, I'm not really familiar with SELinux, I know a little bit about
>> how labels are applied in the netstack, but not that much...
>>
>> The RDMA subsystem supports 4 different networking standards, and they
>> each have their own objects..
> All right, I'm done traveling for a bit and it seems like this
> discussion has settled into a stalemate so let's try to pick things
> back up and sort this out.
>
> Starting with a better RDMA education for me.
>
> So far the discussion has been around providing access controls at the
> transport layer, are there any RDMA entities that are transport
> agnostic that might be better suited for what we are trying to do?  Or
> is it simply that the RDMA layer is tied so tightly to the underlying
> transport that we can't separate the two and have to consider them as
> one?
Welcome back Paul.

I don't think there is a transport agnostic way to provide the kind of control I use in this patch set, which is very Infiniband specific.  RoCE uses VLANs and they are conceptually similar to subnet partitions, but the means of using them is completely different.  To use a different VLAN the user must select a GID for that VLAN.  One could provide a means to control RoCE access to VLANs by labeling GIDs and controlling them in a similar way to how I do PKeys.  That approach doesn't help with Infiniband partitions though, because the same GID can be used on multiple partitions.  It's also not very desirable from a policy writer's perspective because it makes it so a bespoke policy is required per node.

Regardless of any other approaches one might like to use to provide access control for RDMA non-Infiniband transport I think controlling access to Infiniband PKeys is still a desirable feature and I don't see any other way to have that.
