Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

On Thu, Sep 29, 2016 at 06:16:03PM -0400, Paul Moore wrote:
> The queue pair (QP) concept lives in the RDMA layer and isn't tied to
> any particular transport.  They appear to be somewhat analogous to
> network sockets, although I'm guessing they can't be shared/passed
> between process like a network socket, yes?

Yes

> The IB partition is similar to an ethernet VLAN in that it provides
> enforced separation across the network; IB uses partition keys, VLANs
> use tags/IDs.  IB partition keys are a 16 bit number,

> GIDs appear to be a 16 byte number created from some combination of
> IP address, MAC address, and VLAN ID.

There are several gid formats

IB/OPA: 128 bit IPv6 address
RoCEv1: Sort of a link local IPv6 (?), vlan is specified directly
        by apps
RoCEv2: Some sort of label that also implies a vlan tag

We also have iwarp vs RoCE where AFAIK iwarp should get the vlan tag
from the IP socket that is allocated against the eth interface.

> In the case of RDMA over IB, we want to control QP access to
> partitions/pkeys; in the case of RDMA over ethernet we want to control
> QP access to VLANs/GIDs.

Broadly, yes, and I don't know what restriction iwarp would
need. Probably restrict access based on the eth device, but that will
probably need additional selinux checking in the rdma core.

There are also UD QPs which are like UDP sockets, so every address
handle creation will need a security check too.

Jason
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
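Added illustration, not taken from either mail or from the patch series under discussion: a small C sketch of the two access checks the reply describes. A P_Key is 16 bits with bit 15 as the membership bit, so the sketch compares partitions on the low 15 bits; a GID is 16 bytes whose layout (IB link-local fe80::/64 plus port GUID, or an IPv4-mapped ::ffff:a.b.c.d address) can be recognised from the raw bytes, while the RoCE version and VLAN cannot, which is exactly why the Ethernet case needs extra context. The struct qp_sec_ctx, its field names and the two policy functions are assumptions made for this example; they are not the kernel's or the patch set's API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* An IB P_Key is 16 bits: bit 15 is the membership bit (1 = full member,
 * 0 = limited member); the low 15 bits identify the partition itself. */
#define PKEY_FULL_MEMBER 0x8000u
#define PKEY_BASE_MASK   0x7fffu

/* Two pkeys name the same partition when their low 15 bits match.
 * Example assumption: policy is keyed on the partition, not on membership. */
static bool pkey_same_partition(uint16_t a, uint16_t b)
{
    return (a & PKEY_BASE_MASK) == (b & PKEY_BASE_MASK);
}

/* GID layouts that can be told apart from the 16 raw bytes alone. */
enum gid_form {
    GID_ZERO,           /* all zero: unset/invalid */
    GID_IB_LINK_LOCAL,  /* fe80::/64 subnet prefix + 8-byte port GUID */
    GID_IPV4_MAPPED,    /* ::ffff:a.b.c.d, the RoCEv2 IPv4 form */
    GID_IPV6_OTHER,     /* any other IPv6 address: IB global, RoCE v1 or v2 */
};

static enum gid_form classify_gid(const uint8_t gid[16])
{
    static const uint8_t zero[16] = {0};
    static const uint8_t v4mapped[12] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff};

    if (memcmp(gid, zero, 16) == 0)
        return GID_ZERO;
    if (memcmp(gid, v4mapped, 12) == 0)
        return GID_IPV4_MAPPED;
    if (gid[0] == 0xfe && gid[1] == 0x80)
        return GID_IB_LINK_LOCAL;
    return GID_IPV6_OTHER;
}

/* Upper 8 bytes of an IB GID are the subnet prefix, lower 8 the GUID. */
static uint64_t gid_subnet_prefix(const uint8_t gid[16])
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | gid[i];
    return v;
}

/* Hypothetical per-QP security context (example only, not a kernel type):
 * the partitions this QP may join and the subnet its port sits on. */
struct qp_sec_ctx {
    const uint16_t *allowed_pkeys;
    size_t n_allowed_pkeys;
    uint64_t port_subnet_prefix;
};

/* Check at QP modify time: may this QP be moved onto partition 'pkey'? */
static bool qp_may_use_pkey(const struct qp_sec_ctx *ctx, uint16_t pkey)
{
    for (size_t i = 0; i < ctx->n_allowed_pkeys; i++)
        if (pkey_same_partition(ctx->allowed_pkeys[i], pkey))
            return true;
    return false;
}

/* Check at address-handle creation (the UD case): may this QP talk to dgid?
 * For IB the bytes carry the subnet prefix, so it can be compared directly.
 * For Ethernet-style GIDs the RoCE version and VLAN are not in the bytes,
 * so this sketch denies; a real check needs the port's GID attributes. */
static bool qp_may_create_ah(const struct qp_sec_ctx *ctx, const uint8_t dgid[16])
{
    switch (classify_gid(dgid)) {
    case GID_IB_LINK_LOCAL:
        return gid_subnet_prefix(dgid) == ctx->port_subnet_prefix;
    case GID_IPV4_MAPPED:
    case GID_IPV6_OTHER:
    case GID_ZERO:
    default:
        return false;
    }
}

int main(void)
{
    /* Constructed sample: default partition as full member, plus partition 2. */
    const uint16_t allowed[] = {0xffff, PKEY_FULL_MEMBER | 0x0002};
    struct qp_sec_ctx ctx = {allowed, 2, 0xfe80000000000000ULL};
    const uint8_t peer[16] = {0xfe, 0x80, 0, 0, 0, 0, 0, 0,
                              0x00, 0x02, 0xc9, 0x03, 0x00, 0x11, 0x22, 0x33};

    printf("limited member of default partition: %d\n", qp_may_use_pkey(&ctx, 0x7fff));
    printf("partition 3: %d\n", qp_may_use_pkey(&ctx, 0x0003));
    printf("AH to same-subnet IB peer: %d\n", qp_may_create_ah(&ctx, peer));
    return 0;
}
```

The deny on Ethernet GIDs is the practical point of Jason's remark about RoCE and iWARP: the 16 bytes alone do not say which VLAN or RoCE version a GID belongs to, so a VLAN-based decision has to come from the GID table entry or the underlying netdev, not from the address.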