On 6/26/2018 5:43 PM, Jason Gunthorpe wrote:
> On Tue, Jun 26, 2018 at 05:33:10PM -0500, Daniel Jurgens wrote:
>
>>> Overall, I don't understand why ipoib is even *doing* selinux checks
>>> at all. Surely that is the bug, isn't it?
>>>
>>> ipoib is *kernel* code, other than 'create child' it is not triggered
>>> by the user, and certainly should not inherit the security context of
>>> the module loader during startup.
>> The process has the security context, not the code.
> I think it is wrong to enforce pkey checks during things like
> module_init(), makes no sense.

And how is the verbs code supposed to know the QP is being modified during module_init and skip checking then? This is a policy "bug", not an enforcement bug.

> If the user has permission to load a module then there should not be
> additional permission needed beyond that for the module to initialize
> properly.

Why? Because a user has permission to load a module now they should automatically have permission to use IB resources? There are many types of modules that user could load that wouldn't allow them access to the outside world. Policy is granular, it's a feature.

> Jason

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html