Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

On Thu, Sep 29, 2016 at 6:41 PM, Jason Gunthorpe
<jgunthorpe@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Thu, Sep 29, 2016 at 06:16:03PM -0400, Paul Moore wrote:
>> The queue pair (QP) concept lives in the RDMA layer and isn't tied to
>> any particular transport.  They appear to be somewhat analogous to
>> network sockets, although I'm guessing they can't be shared/passed
>> between processes like a network socket, yes?
>
> Yes

Okay, that should make life easier.

>> The IB partition is similar to an ethernet VLAN in that it provides
>> enforced separation across the network; IB uses partition keys, VLANs
>> use tags/IDs.  IB partition keys are a 16 bit number,
>
>> GIDs appear to be a 16 byte number created from some combination of
>> IP address, MAC address, and VLAN ID.
>
> There are several gid formats
>
> IB/OPA: 128 bit IPv6 address
> RoCEv1: Sort of a link local IPv6 (?), vlan is specified directly
>         by apps
> RoCEv2: Some sort of label that also implies a vlan tag

Thanks for the extra information, but at this point I don't think the
exact format is important; I'm just trying to get a basic
understanding of what we might need to do.

> We also have iwarp vs rocee where AFAIK iwarp should get the vlan tag
> from the IP socket that is allocated against the eth interface.

Sigh.

So we've got RDMA over IB (does this have an acronym?  my googling
isn't showing anything ...), RoCEv1 which appears to be RDMA over
Ethernet (although it looks like it might still use an IP header?),
RoCEv2 which appears to be RDMA over UDP, and iWARP which seems to be
RDMA over TCP/SCTP.  Are there any others?

We've already talked about the RDMA/IB's pkeys and RoCEv1's GID/VLANs,
but RoCEv2 and iWARP are a little more interesting as they ride on top
of a routable network transport.  Do RoCEv2 and iWARP use the kernel's
stack, or is that off-loaded?  Actually, now that I think of it,
RoCEv2 and iWARP are probably implemented as userspace libraries
aren't they?  The kernel probably doesn't know or care about these
protocols at all, or does it?

>> In the case of RDMA over IB, we want to control QP access to
>> partitions/pkeys; in the case of RDMA over ethernet we want to control
>> QP access to VLANs/GIDs.
>
> Broadly, yes, and I don't know what restriction iwarp would
> need. Probably restrict access based on the eth device, but that will
> probably need additional selinux checking in the rdma core.
>
> There are also UD QPs which are like UDP sockets, so every address
> handle creation will need a security check too.

-- 
paul moore
www.paul-moore.com
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
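The two mediation points the thread converges on (a QP being placed on an IB partition, and an address handle being created, which for RoCE/iWARP resolves to an Ethernet device and VLAN) can be sketched as a small policy model. The Python below is an added example, not code from the patch series or from the SELinux kernel implementation; the rule format (domain, subnet prefix, pkey range; domain, netdev, VLAN), the stripping of the pkey membership bit before matching, the GID table layout and all sample values are constructed assumptions of this model.

```python
"""Toy model of SELinux-style checks on RDMA objects (added example, not
kernel code).  Two checks from the thread are modelled:

  1. a queue pair (QP) being bound to an IB partition, identified by
     (subnet prefix, pkey);
  2. an address handle (AH) being created, which for RoCE/iWARP resolves a
     source GID table entry to an Ethernet device and VLAN.

Policy layout and sample data are assumptions made for this model.
"""
from dataclasses import dataclass
from typing import List, Optional

# An IB pkey is 16 bits: bit 15 is the full/limited membership flag, the low
# 15 bits name the partition.  The model treats full and limited membership of
# the same partition as the same object (a design assumption here).
PKEY_BASE_MASK = 0x7FFF


@dataclass(frozen=True)
class PkeyRule:
    domain: str           # SELinux domain of the process owning the QP
    subnet_prefix: int    # 64-bit IB subnet prefix the partition belongs to
    low: int              # inclusive pkey range, membership bit stripped
    high: int


@dataclass(frozen=True)
class EndpointRule:
    domain: str
    netdev: str           # Ethernet device behind a RoCE/iWARP port
    vlan: Optional[int]   # None means the untagged interface


@dataclass(frozen=True)
class GidEntry:
    index: int            # position in the port's GID table
    netdev: str
    vlan: Optional[int]


class Policy:
    def __init__(self, pkey_rules: List[PkeyRule], endpoint_rules: List[EndpointRule]):
        self.pkey_rules = list(pkey_rules)
        self.endpoint_rules = list(endpoint_rules)

    def pkey_allowed(self, domain: str, subnet_prefix: int, pkey: int) -> bool:
        base = pkey & PKEY_BASE_MASK
        return any(r.domain == domain and r.subnet_prefix == subnet_prefix
                   and r.low <= base <= r.high for r in self.pkey_rules)

    def endpoint_allowed(self, domain: str, netdev: str, vlan: Optional[int]) -> bool:
        return any(r.domain == domain and r.netdev == netdev and r.vlan == vlan
                   for r in self.endpoint_rules)


def qp_set_pkey(policy: Policy, domain: str, subnet_prefix: int, pkey: int) -> bool:
    """Check 1: may a QP owned by `domain` be moved onto this partition?"""
    return policy.pkey_allowed(domain, subnet_prefix, pkey)


def create_address_handle(policy: Policy, domain: str,
                          gid_table: List[GidEntry], sgid_index: int) -> bool:
    """Check 2: may `domain` create an AH whose source GID entry maps to
    this Ethernet device / VLAN?  Unknown GID indexes are denied."""
    entry = next((g for g in gid_table if g.index == sgid_index), None)
    if entry is None:
        return False
    return policy.endpoint_allowed(domain, entry.netdev, entry.vlan)


# Constructed sample policy: one application domain may use partitions
# 0x0001..0x000f on one subnet, and only VLAN 100 on eth0 for RoCE.
SUBNET = 0xFE80000000000000
POLICY = Policy(
    pkey_rules=[PkeyRule("rdma_app_t", SUBNET, 0x0001, 0x000F)],
    endpoint_rules=[EndpointRule("rdma_app_t", "eth0", 100)],
)

# Constructed GID table for a RoCE port: index 0 untagged, index 1 on VLAN 100.
GID_TABLE = [GidEntry(0, "eth0", None), GidEntry(1, "eth0", 100)]


def demo() -> dict:
    """Run the checks on the sample data and return the decisions."""
    return {
        "full_member_pkey": qp_set_pkey(POLICY, "rdma_app_t", SUBNET, 0x8001),
        "limited_member_pkey": qp_set_pkey(POLICY, "rdma_app_t", SUBNET, 0x0001),
        "pkey_outside_range": qp_set_pkey(POLICY, "rdma_app_t", SUBNET, 0x0010),
        "wrong_subnet": qp_set_pkey(POLICY, "rdma_app_t", SUBNET + 1, 0x0001),
        "ah_on_vlan_100": create_address_handle(POLICY, "rdma_app_t", GID_TABLE, 1),
        "ah_untagged": create_address_handle(POLICY, "rdma_app_t", GID_TABLE, 0),
        "ah_bad_index": create_address_handle(POLICY, "rdma_app_t", GID_TABLE, 7),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'allow' if allowed else 'deny'}")
```

The point of splitting the two checks is the one Jason raises: a QP only ever sits on one partition, so the pkey check happens when the QP is bound to it, but a UD QP can pick a new destination on every send, so the object that must be mediated there is the address handle, not the QP.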


