From: Paul Moore <paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org>
To: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Cc: Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
"chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org"
<chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org>,
Eric Paris <eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org>,
"dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org"
<dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org"
<sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
"hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org"
<hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
"selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org"
<selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
"linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Yevgeny Petrilin
<yevgenyp-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Subject: Re: [PATCH 00/12] SELinux support for Infiniband RDMA
Date: Thu, 30 Jun 2016 11:18:44 -0400 [thread overview]
Message-ID: <CAHC9VhR3c7S-D8siditL-AAnvn4PW_n9A3cx7KyrcxCf+=b5Fw@mail.gmail.com> (raw)
In-Reply-To: <DB6PR0501MB22611E2BA664DD033571AEDEC4230-wTfl6qNNZ1NK98U9gK7MJ8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
On Wed, Jun 29, 2016 at 3:09 PM, Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> wrote:
> On 6/29/2016 12:33 PM, Paul Moore wrote:
>> I'm also wondering if QP revalidation on a security policy change is
>> worth the trouble; we've historically not been able to provide any
>> revoke guarantees so I'm not sure if it is worth a lot of added
>> complexity to gain this functionality just for Infiniband. That said,
>> it would be *nice* to have revalidation/revocation working, even if
>> only for IB. It may be that we need similar code to handle the
>> various corner cases, so we may be stuck with the complexity anyway, I
>> just thought it was worth bringing up as a topic of discussion.
>
> QP re-validation on policy change comes cheap because it's possible for the
> PKey table to change. So a mechanism to recheck all the QPs is needed
> regardless.
Okay, if we need the mechanism anyway, let's keep it. Revalidation is
nice as long as we can make it work without too much pain, and based
on my first pass through the patches it didn't look as bad as I feared
it might.
> During my testing it left a funny taste in my mouth when I had QPs that shouldn't be allowed continue to exist after setenforce 1.
Yeah, the general inability to revoke access is pretty annoying, but
in practice I don't believe it is very common as I don't believe
people change their security policy very frequently, especially in
production.
> On the other hand I'm not in love with the callback registration for policy
> change notification one off for Infiniband. In on of the RFCs I used an
> LSM hook that ib/core would implement. I think Casey commented on that,
> so I changed it to what you see now.
I can't say I'm in love with it either, but sometimes things are just
awkward. I suspect I'll probably have some comments on the
notification mechanism too, but I'm not comfortable enough with your
patches yet to make any quality comments.
--
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
prev parent reply other threads:[~2016-06-30 15:18 UTC|newest]
Thread overview: 128+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-23 19:52 [PATCH 00/12] SELinux support for Infiniband RDMA Dan Jurgens
2016-06-23 19:52 ` Dan Jurgens
2016-06-23 19:52 ` [PATCH 01/12] security: Add LSM hooks for Infiniband security Dan Jurgens
[not found] ` <1466711578-64398-2-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-06-30 14:57 ` Yuval Shaia
2016-06-30 14:57 ` Yuval Shaia
2016-06-30 20:27 ` Paul Moore
2016-06-30 20:27 ` Paul Moore
2016-06-30 21:09 ` Daniel Jurgens
2016-06-30 21:09 ` Daniel Jurgens
2016-06-30 21:27 ` Paul Moore
2016-06-30 21:34 ` Daniel Jurgens
2016-06-30 21:34 ` Daniel Jurgens
2016-06-30 20:33 ` Paul Moore
2016-06-30 20:33 ` Paul Moore
2016-06-30 21:27 ` Daniel Jurgens
2016-06-30 21:27 ` Daniel Jurgens
[not found] ` <AM4PR0501MB2257674DEA1F81F53A35AC21C4240-dp/nxUn679hpbkYrVjfdjcDSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-06-30 21:30 ` Paul Moore
2016-06-30 21:30 ` Paul Moore
2016-06-23 19:52 ` [PATCH 02/12] selinux: Create policydb version for Infiniband support Dan Jurgens
[not found] ` <1466711578-64398-3-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-06-30 15:01 ` Yuval Shaia
2016-06-30 15:01 ` Yuval Shaia
[not found] ` <20160630150140.GB22107-Hxa29pjIrETlQW142y8m19+IiqhCXseY@public.gmane.org>
2016-07-01 12:50 ` Leon Romanovsky
2016-07-01 12:50 ` Leon Romanovsky
2016-07-01 13:49 ` Daniel Jurgens
2016-07-01 13:49 ` Daniel Jurgens
[not found] ` <DB6PR0501MB2261C7D467873122250A1F3EC4250-wTfl6qNNZ1NK98U9gK7MJ8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-07-01 20:48 ` Leon Romanovsky
2016-07-01 20:48 ` Leon Romanovsky
2016-06-30 20:17 ` Paul Moore
2016-06-30 20:17 ` Paul Moore
2016-06-30 20:59 ` Daniel Jurgens
2016-06-30 20:59 ` Daniel Jurgens
[not found] ` <AM4PR0501MB22579221434714783B0AFC68C4240-dp/nxUn679hpbkYrVjfdjcDSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-06-30 21:18 ` Paul Moore
2016-06-30 21:18 ` Paul Moore
2016-06-30 21:32 ` Daniel Jurgens
2016-06-30 21:32 ` Daniel Jurgens
[not found] ` <AM4PR0501MB2257CB8E6F84835315734487C4240-dp/nxUn679hpbkYrVjfdjcDSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-06-30 21:37 ` Paul Moore
2016-06-30 21:37 ` Paul Moore
2016-06-23 19:52 ` [PATCH 10/12] IB/core: Enforce PKey security on management datagrams Dan Jurgens
[not found] ` <1466711578-64398-1-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-06-23 19:52 ` [PATCH 03/12] selinux: Implement Infiniband flush callback Dan Jurgens
2016-06-23 19:52 ` Dan Jurgens
[not found] ` <1466711578-64398-4-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-06-30 15:10 ` Yuval Shaia
2016-06-30 15:10 ` Yuval Shaia
2016-06-30 15:44 ` Daniel Jurgens
2016-06-30 15:44 ` Daniel Jurgens
[not found] ` <AM4PR0501MB22578AA5FF8B4062F650C581C4240-dp/nxUn679hpbkYrVjfdjcDSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-06-30 19:52 ` Paul Moore
2016-06-30 19:52 ` Paul Moore
[not found] ` <CAGH-Kgtn0EFxYc+UOvVQk-0Bco0oOG=STZA+aGYza4TmbNXq3A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-06-30 20:16 ` Casey Schaufler
2016-06-30 20:16 ` Casey Schaufler
[not found] ` <13cf2b8b-1d4e-e61f-80fe-110af2a719cf-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2016-06-30 20:24 ` Paul Moore
2016-06-30 20:24 ` Paul Moore
2016-06-30 20:39 ` Daniel Jurgens
2016-06-30 20:39 ` Daniel Jurgens
2016-06-23 19:52 ` [PATCH 04/12] selinux: Allocate and free infiniband security hooks Dan Jurgens
2016-06-23 19:52 ` Dan Jurgens
[not found] ` <1466711578-64398-5-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-06-30 15:15 ` Yuval Shaia
2016-06-30 15:15 ` Yuval Shaia
2016-06-30 20:42 ` Paul Moore
2016-06-30 20:42 ` Paul Moore
[not found] ` <CAGH-KgvtN8T7e5bKq0jJZvSzrGfFwA2VpmPf5gJuqdLZi6odEw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-06-30 21:06 ` Casey Schaufler
2016-06-30 21:06 ` Casey Schaufler
2016-06-30 21:48 ` Daniel Jurgens
2016-06-30 21:48 ` Daniel Jurgens
[not found] ` <AM4PR0501MB2257ADAB527392547179F779C4240-dp/nxUn679hpbkYrVjfdjcDSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-07-01 18:54 ` Paul Moore
2016-07-01 18:54 ` Paul Moore
2016-07-01 18:59 ` Daniel Jurgens
2016-07-01 18:59 ` Daniel Jurgens
2016-07-01 19:17 ` Paul Moore
2016-07-01 20:13 ` Casey Schaufler
2016-07-01 20:46 ` Daniel Jurgens
2016-07-01 20:46 ` Daniel Jurgens
[not found] ` <DB6PR0501MB226138FF74D031F6BD1C48C6C4250-wTfl6qNNZ1NK98U9gK7MJ8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-07-01 21:16 ` Casey Schaufler
2016-07-01 21:16 ` Casey Schaufler
2016-07-01 22:15 ` Paul Moore
2016-06-23 19:52 ` [PATCH 05/12] selinux: Implement Infiniband PKey "Access" access vector Dan Jurgens
2016-06-23 19:52 ` Dan Jurgens
[not found] ` <1466711578-64398-6-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-06-30 15:23 ` Yuval Shaia
2016-06-30 15:23 ` Yuval Shaia
2016-06-30 15:35 ` Daniel Jurgens
2016-06-30 15:35 ` Daniel Jurgens
2016-07-01 16:29 ` Paul Moore
2016-07-01 16:29 ` Paul Moore
2016-07-01 18:21 ` Daniel Jurgens
2016-07-01 18:21 ` Daniel Jurgens
2016-07-01 18:58 ` Paul Moore
2016-07-01 19:16 ` Daniel Jurgens
2016-07-01 19:16 ` Daniel Jurgens
[not found] ` <DB6PR0501MB22614C80007D7408544B4B30C4250-wTfl6qNNZ1NK98U9gK7MJ8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-07-01 19:26 ` Paul Moore
2016-07-01 19:26 ` Paul Moore
2016-07-01 19:57 ` Daniel Jurgens
2016-07-01 19:57 ` Daniel Jurgens
[not found] ` <DB6PR0501MB2261C903AB4CE9644604B9E8C4250-wTfl6qNNZ1NK98U9gK7MJ8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-07-01 20:42 ` Paul Moore
2016-07-01 20:42 ` Paul Moore
2016-07-11 14:46 ` Stephen Smalley
2016-07-11 19:03 ` Daniel Jurgens
2016-07-11 19:03 ` Daniel Jurgens
[not found] ` <1c637b46-7352-b369-4891-4b695ff80b3b-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>
2016-07-12 20:28 ` Paul Moore
2016-07-12 20:28 ` Paul Moore
2016-06-23 19:52 ` [PATCH 06/12] selinux: Add IB End Port SMP " Dan Jurgens
2016-06-23 19:52 ` Dan Jurgens
2016-06-30 15:31 ` Yuval Shaia
[not found] ` <1466711578-64398-7-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-07-01 18:48 ` Paul Moore
2016-07-01 18:48 ` Paul Moore
2016-06-23 19:52 ` [PATCH 07/12] selinux: Add a cache for quicker retreival of PKey SIDs Dan Jurgens
2016-06-23 19:52 ` Dan Jurgens
[not found] ` <1466711578-64398-8-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-06-23 21:59 ` kbuild test robot
2016-06-23 21:59 ` kbuild test robot
2016-06-30 15:41 ` Yuval Shaia
2016-06-30 15:41 ` Yuval Shaia
2016-07-01 18:51 ` Paul Moore
2016-07-01 18:51 ` Paul Moore
2016-06-23 19:52 ` [PATCH 08/12] IB/core: IB cache enhancements to support Infiniband security Dan Jurgens
2016-06-23 19:52 ` Dan Jurgens
[not found] ` <1466711578-64398-9-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-06-30 15:47 ` Yuval Shaia
2016-06-30 15:47 ` Yuval Shaia
2016-06-23 19:52 ` [PATCH 09/12] IB/core: Enforce PKey security on QPs Dan Jurgens
2016-06-23 19:52 ` Dan Jurgens
2016-06-23 19:52 ` [PATCH 11/12] IB/core: Enforce Infiniband device SMI security Dan Jurgens
2016-06-23 19:52 ` Dan Jurgens
2016-06-23 19:52 ` [PATCH 12/12] IB/core: Implement the Infiniband flush callback Dan Jurgens
2016-06-23 19:52 ` Dan Jurgens
2016-06-30 14:43 ` [PATCH 00/12] SELinux support for Infiniband RDMA Yuval Shaia
2016-06-30 14:43 ` Yuval Shaia
2016-06-30 14:47 ` Daniel Jurgens
2016-06-30 14:47 ` Daniel Jurgens
2016-06-29 17:33 ` Paul Moore
2016-06-29 19:09 ` Daniel Jurgens
2016-06-29 19:09 ` Daniel Jurgens
[not found] ` <DB6PR0501MB22611E2BA664DD033571AEDEC4230-wTfl6qNNZ1NK98U9gK7MJ8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-06-30 15:18 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhR3c7S-D8siditL-AAnvn4PW_n9A3cx7KyrcxCf+=b5Fw@mail.gmail.com' \
--to=paul-r2n+y4ga6xfzrors9yw3xa@public.gmane.org \
--cc=chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org \
--cc=danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org \
--cc=hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
--cc=sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
--cc=yevgenyp-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.