On Mon, Jun 11, 2018 at 12:22:22PM -0400, Dennis Dalessandro wrote:
> On 6/8/2018 6:50 PM, Jason Gunthorpe wrote:
> >So, if the interface starts with a given pkey I would think it should
> >stay with that pkey or enter a link downed state until the pkey
> >becomes available.
>
> Sort of a tangent, but what about in SELinux world? If PKey changes should
> the link go down?

This sort of thing is exactly why the pkey shouldn't change once it is
committed into a netdev.

The only possible exception might be loading the default pkey from the
SM for the default interface during system boot time.. But even that
should be a one time event, you can't just migrate existing
operational interfaces to different pkeys via SM MADs, that must be
prevented.

> Do we just ignore IPoIB and let SELinux on the netdev side
> handle things?

AFAIK, yes. SELinux Pkey is only about verbs and mad, not netdev..

> I would think the underlying QPs are going to get dealt with the same as any
> other QP in the system and get checked by the verbs layer and sent to error
> state if access is now denied. So maybe there isn't anything special we need
> to do after all?

IIRC, the kernel is the context creating the QPs so it bypasses
SELinux.

It is a bit confusing, and maybe a bit wrong. Perhaps we should check
SELinux permissions of the process that creates the ipoib child.

Jason