From: Paul Moore <pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> To: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> Cc: "chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org" <chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org>, "paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org" <paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org>, "sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org" <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>, "eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org" <eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org>, "dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org" <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>, "sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org" <sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>, "hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org" <hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>, "selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org" <selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>, "linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" <linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, "linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" <linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, Yevgeny Petrilin <yevgenyp-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> Subject: Re: [PATCH 05/12] selinux: Implement Infiniband PKey "Access" access vector Date: Fri, 1 Jul 2016 15:26:40 -0400 [thread overview] Message-ID: <CAGH-KguvznwFOhYVhPKdu0t8_z=Q_eZ5Njss=ECWquagPhkc2Q@mail.gmail.com> (raw) In-Reply-To: <DB6PR0501MB22614C80007D7408544B4B30C4250-wTfl6qNNZ1NK98U9gK7MJ8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> On Fri, Jul 1, 2016 at 3:16 PM, Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> wrote: > On 7/1/2016 1:59 PM, Paul Moore wrote: >> On Fri, Jul 1, 2016 at 2:21 PM, Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> wrote: >>> On 7/1/2016 11:29 AM, Paul Moore wrote: >>>> I wondered about this earlier in the patchset when we were discussing >>>> the policy format, and I'm still wondering; perhaps you can help me >>>> understand IB a bit better ... >>>> >>>> From what I gather, the partition key is the IB security boundary, not >>>> the subnet, is that true? If so, why are we including the subnet with >>>> the partition key value/label? I understand the low/high pkey range >>>> as a way of simplifying the policy, but I don't quite understand the >>>> point of tying the subnet to the partition key label. Would you ever >>>> want to have multiple labels for a single partition key, or should it >>>> be a single label for the partition key regardless of the subnet? >>>> >>> Each subnet can have a different partition configuration and a node can be on multiple subnets. By specifying the subnet prefix along with the pkey value the user has flexibility to have different policy for different subnets, instead of a global PKey space that would require coordinating the partition configuration across all subnets. >> Perhaps a better explanation of partitions and subnets are in order, >> especially for those of like me who are new to IB. >> > > A subnet is a set of ports managed by a common subnet manager, which sets up the partition configuration. So there can be multiple partitions inside a subnet and not multiple subnets inside a partition? > A partition is a virtual fabric, similar to an VLAN. Yeah, I've read that in multiple places and I think that is what I find confusing as it doesn't seem to mesh with my understanding of what you are intending. > If there are multiple IB ports each could be connected to a different subnet. Ports are just end points, I get that. That's important, but it isn't helping me understand the relationship between subnets and partitions, that is where I'm struggling at the moment. > By including the subnet prefix in the label the subnets can use the same PKey values and policy can restrict access appropriately. This doesn't make any sense to me right now. > Without that mechanism if one of the subnets had a partition with PKey 1 the other partition couldn't reuse that PKey if a different security policy is desired for that subnet. <blank stare> -- paul moore security @ redhat -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <pmoore@redhat.com> To: Daniel Jurgens <danielj@mellanox.com> Cc: "chrisw@sous-sol.org" <chrisw@sous-sol.org>, "paul@paul-moore.com" <paul@paul-moore.com>, "sds@tycho.nsa.gov" <sds@tycho.nsa.gov>, "eparis@parisplace.org" <eparis@parisplace.org>, "dledford@redhat.com" <dledford@redhat.com>, "sean.hefty@intel.com" <sean.hefty@intel.com>, "hal.rosenstock@gmail.com" <hal.rosenstock@gmail.com>, "selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>, "linux-security-module@vger.kernel.org" <linux-security-module@vger.kernel.org>, "linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>, Yevgeny Petrilin <yevgenyp@mellanox.com> Subject: Re: [PATCH 05/12] selinux: Implement Infiniband PKey "Access" access vector Date: Fri, 1 Jul 2016 15:26:40 -0400 [thread overview] Message-ID: <CAGH-KguvznwFOhYVhPKdu0t8_z=Q_eZ5Njss=ECWquagPhkc2Q@mail.gmail.com> (raw) In-Reply-To: <DB6PR0501MB22614C80007D7408544B4B30C4250@DB6PR0501MB2261.eurprd05.prod.outlook.com> On Fri, Jul 1, 2016 at 3:16 PM, Daniel Jurgens <danielj@mellanox.com> wrote: > On 7/1/2016 1:59 PM, Paul Moore wrote: >> On Fri, Jul 1, 2016 at 2:21 PM, Daniel Jurgens <danielj@mellanox.com> wrote: >>> On 7/1/2016 11:29 AM, Paul Moore wrote: >>>> I wondered about this earlier in the patchset when we were discussing >>>> the policy format, and I'm still wondering; perhaps you can help me >>>> understand IB a bit better ... >>>> >>>> From what I gather, the partition key is the IB security boundary, not >>>> the subnet, is that true? If so, why are we including the subnet with >>>> the partition key value/label? I understand the low/high pkey range >>>> as a way of simplifying the policy, but I don't quite understand the >>>> point of tying the subnet to the partition key label. Would you ever >>>> want to have multiple labels for a single partition key, or should it >>>> be a single label for the partition key regardless of the subnet? >>>> >>> Each subnet can have a different partition configuration and a node can be on multiple subnets. By specifying the subnet prefix along with the pkey value the user has flexibility to have different policy for different subnets, instead of a global PKey space that would require coordinating the partition configuration across all subnets. >> Perhaps a better explanation of partitions and subnets are in order, >> especially for those of like me who are new to IB. >> > > A subnet is a set of ports managed by a common subnet manager, which sets up the partition configuration. So there can be multiple partitions inside a subnet and not multiple subnets inside a partition? > A partition is a virtual fabric, similar to an VLAN. Yeah, I've read that in multiple places and I think that is what I find confusing as it doesn't seem to mesh with my understanding of what you are intending. > If there are multiple IB ports each could be connected to a different subnet. Ports are just end points, I get that. That's important, but it isn't helping me understand the relationship between subnets and partitions, that is where I'm struggling at the moment. > By including the subnet prefix in the label the subnets can use the same PKey values and policy can restrict access appropriately. This doesn't make any sense to me right now. > Without that mechanism if one of the subnets had a partition with PKey 1 the other partition couldn't reuse that PKey if a different security policy is desired for that subnet. <blank stare> -- paul moore security @ redhat
next prev parent reply other threads:[~2016-07-01 19:26 UTC|newest] Thread overview: 128+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-06-23 19:52 [PATCH 00/12] SELinux support for Infiniband RDMA Dan Jurgens 2016-06-23 19:52 ` Dan Jurgens 2016-06-23 19:52 ` [PATCH 01/12] security: Add LSM hooks for Infiniband security Dan Jurgens [not found] ` <1466711578-64398-2-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> 2016-06-30 14:57 ` Yuval Shaia 2016-06-30 14:57 ` Yuval Shaia 2016-06-30 20:27 ` Paul Moore 2016-06-30 20:27 ` Paul Moore 2016-06-30 21:09 ` Daniel Jurgens 2016-06-30 21:09 ` Daniel Jurgens 2016-06-30 21:27 ` Paul Moore 2016-06-30 21:34 ` Daniel Jurgens 2016-06-30 21:34 ` Daniel Jurgens 2016-06-30 20:33 ` Paul Moore 2016-06-30 20:33 ` Paul Moore 2016-06-30 21:27 ` Daniel Jurgens 2016-06-30 21:27 ` Daniel Jurgens [not found] ` <AM4PR0501MB2257674DEA1F81F53A35AC21C4240-dp/nxUn679hpbkYrVjfdjcDSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-06-30 21:30 ` Paul Moore 2016-06-30 21:30 ` Paul Moore 2016-06-23 19:52 ` [PATCH 02/12] selinux: Create policydb version for Infiniband support Dan Jurgens [not found] ` <1466711578-64398-3-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> 2016-06-30 15:01 ` Yuval Shaia 2016-06-30 15:01 ` Yuval Shaia [not found] ` <20160630150140.GB22107-Hxa29pjIrETlQW142y8m19+IiqhCXseY@public.gmane.org> 2016-07-01 12:50 ` Leon Romanovsky 2016-07-01 12:50 ` Leon Romanovsky 2016-07-01 13:49 ` Daniel Jurgens 2016-07-01 13:49 ` Daniel Jurgens [not found] ` <DB6PR0501MB2261C7D467873122250A1F3EC4250-wTfl6qNNZ1NK98U9gK7MJ8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-07-01 20:48 ` Leon Romanovsky 2016-07-01 20:48 ` Leon Romanovsky 2016-06-30 20:17 ` Paul Moore 2016-06-30 20:17 ` Paul Moore 2016-06-30 20:59 ` Daniel Jurgens 2016-06-30 20:59 ` Daniel Jurgens [not found] ` <AM4PR0501MB22579221434714783B0AFC68C4240-dp/nxUn679hpbkYrVjfdjcDSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-06-30 21:18 ` Paul Moore 2016-06-30 21:18 ` Paul Moore 2016-06-30 21:32 ` Daniel Jurgens 2016-06-30 21:32 ` Daniel Jurgens [not found] ` <AM4PR0501MB2257CB8E6F84835315734487C4240-dp/nxUn679hpbkYrVjfdjcDSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-06-30 21:37 ` Paul Moore 2016-06-30 21:37 ` Paul Moore 2016-06-23 19:52 ` [PATCH 10/12] IB/core: Enforce PKey security on management datagrams Dan Jurgens [not found] ` <1466711578-64398-1-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> 2016-06-23 19:52 ` [PATCH 03/12] selinux: Implement Infiniband flush callback Dan Jurgens 2016-06-23 19:52 ` Dan Jurgens [not found] ` <1466711578-64398-4-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> 2016-06-30 15:10 ` Yuval Shaia 2016-06-30 15:10 ` Yuval Shaia 2016-06-30 15:44 ` Daniel Jurgens 2016-06-30 15:44 ` Daniel Jurgens [not found] ` <AM4PR0501MB22578AA5FF8B4062F650C581C4240-dp/nxUn679hpbkYrVjfdjcDSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-06-30 19:52 ` Paul Moore 2016-06-30 19:52 ` Paul Moore [not found] ` <CAGH-Kgtn0EFxYc+UOvVQk-0Bco0oOG=STZA+aGYza4TmbNXq3A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2016-06-30 20:16 ` Casey Schaufler 2016-06-30 20:16 ` Casey Schaufler [not found] ` <13cf2b8b-1d4e-e61f-80fe-110af2a719cf-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org> 2016-06-30 20:24 ` Paul Moore 2016-06-30 20:24 ` Paul Moore 2016-06-30 20:39 ` Daniel Jurgens 2016-06-30 20:39 ` Daniel Jurgens 2016-06-23 19:52 ` [PATCH 04/12] selinux: Allocate and free infiniband security hooks Dan Jurgens 2016-06-23 19:52 ` Dan Jurgens [not found] ` <1466711578-64398-5-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> 2016-06-30 15:15 ` Yuval Shaia 2016-06-30 15:15 ` Yuval Shaia 2016-06-30 20:42 ` Paul Moore 2016-06-30 20:42 ` Paul Moore [not found] ` <CAGH-KgvtN8T7e5bKq0jJZvSzrGfFwA2VpmPf5gJuqdLZi6odEw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2016-06-30 21:06 ` Casey Schaufler 2016-06-30 21:06 ` Casey Schaufler 2016-06-30 21:48 ` Daniel Jurgens 2016-06-30 21:48 ` Daniel Jurgens [not found] ` <AM4PR0501MB2257ADAB527392547179F779C4240-dp/nxUn679hpbkYrVjfdjcDSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-07-01 18:54 ` Paul Moore 2016-07-01 18:54 ` Paul Moore 2016-07-01 18:59 ` Daniel Jurgens 2016-07-01 18:59 ` Daniel Jurgens 2016-07-01 19:17 ` Paul Moore 2016-07-01 20:13 ` Casey Schaufler 2016-07-01 20:46 ` Daniel Jurgens 2016-07-01 20:46 ` Daniel Jurgens [not found] ` <DB6PR0501MB226138FF74D031F6BD1C48C6C4250-wTfl6qNNZ1NK98U9gK7MJ8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-07-01 21:16 ` Casey Schaufler 2016-07-01 21:16 ` Casey Schaufler 2016-07-01 22:15 ` Paul Moore 2016-06-23 19:52 ` [PATCH 05/12] selinux: Implement Infiniband PKey "Access" access vector Dan Jurgens 2016-06-23 19:52 ` Dan Jurgens [not found] ` <1466711578-64398-6-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> 2016-06-30 15:23 ` Yuval Shaia 2016-06-30 15:23 ` Yuval Shaia 2016-06-30 15:35 ` Daniel Jurgens 2016-06-30 15:35 ` Daniel Jurgens 2016-07-01 16:29 ` Paul Moore 2016-07-01 16:29 ` Paul Moore 2016-07-01 18:21 ` Daniel Jurgens 2016-07-01 18:21 ` Daniel Jurgens 2016-07-01 18:58 ` Paul Moore 2016-07-01 19:16 ` Daniel Jurgens 2016-07-01 19:16 ` Daniel Jurgens [not found] ` <DB6PR0501MB22614C80007D7408544B4B30C4250-wTfl6qNNZ1NK98U9gK7MJ8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-07-01 19:26 ` Paul Moore [this message] 2016-07-01 19:26 ` Paul Moore 2016-07-01 19:57 ` Daniel Jurgens 2016-07-01 19:57 ` Daniel Jurgens [not found] ` <DB6PR0501MB2261C903AB4CE9644604B9E8C4250-wTfl6qNNZ1NK98U9gK7MJ8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-07-01 20:42 ` Paul Moore 2016-07-01 20:42 ` Paul Moore 2016-07-11 14:46 ` Stephen Smalley 2016-07-11 19:03 ` Daniel Jurgens 2016-07-11 19:03 ` Daniel Jurgens [not found] ` <1c637b46-7352-b369-4891-4b695ff80b3b-+05T5uksL2qpZYMLLGbcSA@public.gmane.org> 2016-07-12 20:28 ` Paul Moore 2016-07-12 20:28 ` Paul Moore 2016-06-23 19:52 ` [PATCH 06/12] selinux: Add IB End Port SMP " Dan Jurgens 2016-06-23 19:52 ` Dan Jurgens 2016-06-30 15:31 ` Yuval Shaia [not found] ` <1466711578-64398-7-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> 2016-07-01 18:48 ` Paul Moore 2016-07-01 18:48 ` Paul Moore 2016-06-23 19:52 ` [PATCH 07/12] selinux: Add a cache for quicker retreival of PKey SIDs Dan Jurgens 2016-06-23 19:52 ` Dan Jurgens [not found] ` <1466711578-64398-8-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> 2016-06-23 21:59 ` kbuild test robot 2016-06-23 21:59 ` kbuild test robot 2016-06-30 15:41 ` Yuval Shaia 2016-06-30 15:41 ` Yuval Shaia 2016-07-01 18:51 ` Paul Moore 2016-07-01 18:51 ` Paul Moore 2016-06-23 19:52 ` [PATCH 08/12] IB/core: IB cache enhancements to support Infiniband security Dan Jurgens 2016-06-23 19:52 ` Dan Jurgens [not found] ` <1466711578-64398-9-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> 2016-06-30 15:47 ` Yuval Shaia 2016-06-30 15:47 ` Yuval Shaia 2016-06-23 19:52 ` [PATCH 09/12] IB/core: Enforce PKey security on QPs Dan Jurgens 2016-06-23 19:52 ` Dan Jurgens 2016-06-23 19:52 ` [PATCH 11/12] IB/core: Enforce Infiniband device SMI security Dan Jurgens 2016-06-23 19:52 ` Dan Jurgens 2016-06-23 19:52 ` [PATCH 12/12] IB/core: Implement the Infiniband flush callback Dan Jurgens 2016-06-23 19:52 ` Dan Jurgens 2016-06-30 14:43 ` [PATCH 00/12] SELinux support for Infiniband RDMA Yuval Shaia 2016-06-30 14:43 ` Yuval Shaia 2016-06-30 14:47 ` Daniel Jurgens 2016-06-30 14:47 ` Daniel Jurgens 2016-06-29 17:33 ` Paul Moore 2016-06-29 19:09 ` Daniel Jurgens 2016-06-29 19:09 ` Daniel Jurgens [not found] ` <DB6PR0501MB22611E2BA664DD033571AEDEC4230-wTfl6qNNZ1NK98U9gK7MJ8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-06-30 15:18 ` Paul Moore
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CAGH-KguvznwFOhYVhPKdu0t8_z=Q_eZ5Njss=ECWquagPhkc2Q@mail.gmail.com' \ --to=pmoore-h+wxahxf7alqt0dzr+alfa@public.gmane.org \ --cc=chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org \ --cc=danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \ --cc=dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \ --cc=eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org \ --cc=hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \ --cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \ --cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \ --cc=paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org \ --cc=sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \ --cc=sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \ --cc=selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \ --cc=yevgenyp-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.