From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
To: Jason Gunthorpe
<jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
Cc: Liran Liss <liranl-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>,
Leon Romanovsky <leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
"linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org"
<chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org>,
"dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org"
<dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org"
<selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
"sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org"
<sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
"ira.weiny" <ira.weiny-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
"hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org"
<hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA
Date: Thu, 8 Sep 2016 16:44:36 +0000 [thread overview]
Message-ID: <DB6PR0501MB24227FF5BE230C826615111FC4FB0@DB6PR0501MB2422.eurprd05.prod.outlook.com> (raw)
In-Reply-To: 20160908161948.GA21614@obsidianresearch.com
On 9/8/2016 11:20 AM, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 02:12:48PM +0000, Daniel Jurgens wrote:
>
>> It would have to include the port, but idea of using a device name
>> for this is pretty ugly. <subnet_prefix,pkey> makes it very easy to
>> write a policy that can be deployed widely. <device,port,pkey/vlan>
>> could require many different policies depending on the configuration
>> of each machine.
> What does net do? Should we have a way to unformly label the rdma ports?
>
> How do you imagine these policies working anyhow? They cannot be
> shipped from a distro. Are these going to be labeled on filesystem
> objects? (how doe that work??) Or somehow injected when starting a
> container?
>
> If they are not written to disk I don't see the problem, the dynamic
> injector will have to figure out what interface is what.
>
> Jason
>
Net has variety of means of enforcement, one of which is controlling access to ports <tcp/udp,port number>, which is the most like what I'm doing here. They also have other enforcement options that can't work for RDMA because it bypasses the kernel.
It will work like any other SELinux policy. You label the things you want to control with a type and setup rules about which roles/types can interact with them and how. I'm sure the default policy from distros will be to not restrict access. Policy is loaded into the kernel, the disk and filesystem has nothing to do with this aside from it being where the policy is stored before being loaded. What is this dynamic injector you are talking about?
Assume you have machines on one subnet (0xfe80::) one has a device called mlx5_0, the another mlx4_0 and you want to grant access to system administrators.
This hypothetical policy could be deployed on both:
pkeycon 0xfe80:: 0xFFFF gen_context(system_u:object_r:default_pkey_t);
allow sysadm_t default_pkey_t access;
If we use device name you'd need to write separate policy for each node.
pkeyvlancon mlx4_0 1 0xFFFF gen_context(system_u:object_r:default_pkey_t);
or
pkeyvlancon mlx5_0 1 0xFFFF gen_context(system_u:object_r:default_pkey_t);
_______________________________________________
Selinux mailing list
Selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org
To unsubscribe, send email to Selinux-leave-+05T5uksL2pAGbPMOrvdOA@public.gmane.org
To get help, send an email containing "help" to Selinux-request-+05T5uksL2pAGbPMOrvdOA@public.gmane.org
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Jurgens <danielj@mellanox.com>
To: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Cc: "ira.weiny" <ira.weiny@intel.com>,
Liran Liss <liranl@mellanox.com>,
"Paul Moore" <paul@paul-moore.com>,
Leon Romanovsky <leon@kernel.org>,
"chrisw@sous-sol.org" <chrisw@sous-sol.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@parisplace.org>,
"dledford@redhat.com" <dledford@redhat.com>,
"sean.hefty@intel.com" <sean.hefty@intel.com>,
"hal.rosenstock@gmail.com" <hal.rosenstock@gmail.com>,
"selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>,
Yevgeny Petrilin <yevgenyp@mellanox.com>
Subject: Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA
Date: Thu, 8 Sep 2016 16:44:36 +0000 [thread overview]
Message-ID: <DB6PR0501MB24227FF5BE230C826615111FC4FB0@DB6PR0501MB2422.eurprd05.prod.outlook.com> (raw)
In-Reply-To: 20160908161948.GA21614@obsidianresearch.com
On 9/8/2016 11:20 AM, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 02:12:48PM +0000, Daniel Jurgens wrote:
>
>> It would have to include the port, but idea of using a device name
>> for this is pretty ugly. <subnet_prefix,pkey> makes it very easy to
>> write a policy that can be deployed widely. <device,port,pkey/vlan>
>> could require many different policies depending on the configuration
>> of each machine.
> What does net do? Should we have a way to unformly label the rdma ports?
>
> How do you imagine these policies working anyhow? They cannot be
> shipped from a distro. Are these going to be labeled on filesystem
> objects? (how doe that work??) Or somehow injected when starting a
> container?
>
> If they are not written to disk I don't see the problem, the dynamic
> injector will have to figure out what interface is what.
>
> Jason
>
Net has variety of means of enforcement, one of which is controlling access to ports <tcp/udp,port number>, which is the most like what I'm doing here. They also have other enforcement options that can't work for RDMA because it bypasses the kernel.
It will work like any other SELinux policy. You label the things you want to control with a type and setup rules about which roles/types can interact with them and how. I'm sure the default policy from distros will be to not restrict access. Policy is loaded into the kernel, the disk and filesystem has nothing to do with this aside from it being where the policy is stored before being loaded. What is this dynamic injector you are talking about?
Assume you have machines on one subnet (0xfe80::) one has a device called mlx5_0, the another mlx4_0 and you want to grant access to system administrators.
This hypothetical policy could be deployed on both:
pkeycon 0xfe80:: 0xFFFF gen_context(system_u:object_r:default_pkey_t);
allow sysadm_t default_pkey_t access;
If we use device name you'd need to write separate policy for each node.
pkeyvlancon mlx4_0 1 0xFFFF gen_context(system_u:object_r:default_pkey_t);
or
pkeyvlancon mlx5_0 1 0xFFFF gen_context(system_u:object_r:default_pkey_t);
next prev parent reply other threads:[~2016-09-08 16:44 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-29 13:53 [PATCH v3 0/9] SELinux support for Infiniband RDMA Dan Jurgens
2016-07-29 13:53 ` Dan Jurgens
2016-07-29 13:53 ` [PATCH v3 1/9] IB/core: IB cache enhancements to support Infiniband security Dan Jurgens
[not found] ` <1469800416-125043-1-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-07-29 13:53 ` [PATCH v3 2/9] IB/core: Enforce PKey security on QPs Dan Jurgens
2016-07-29 13:53 ` Dan Jurgens
2016-07-29 13:53 ` [PATCH v3 3/9] selinux lsm IB/core: Implement LSM notification system Dan Jurgens
2016-07-29 13:53 ` Dan Jurgens
[not found] ` <1469800416-125043-4-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-07-29 22:40 ` kbuild test robot
2016-07-29 22:40 ` kbuild test robot
2016-09-01 1:35 ` Paul Moore
2016-07-29 13:53 ` [PATCH v3 4/9] IB/core: Enforce security on management datagrams Dan Jurgens
2016-07-29 13:53 ` Dan Jurgens
2016-07-29 13:53 ` [PATCH v3 5/9] selinux: Create policydb version for Infiniband support Dan Jurgens
2016-07-29 13:53 ` Dan Jurgens
[not found] ` <1469800416-125043-6-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-09-01 1:39 ` Paul Moore
2016-09-01 1:39 ` Paul Moore
2016-07-29 13:53 ` [PATCH v3 9/9] selinux: Add a cache for quicker retreival of PKey SIDs Dan Jurgens
2016-07-29 13:53 ` Dan Jurgens
2016-07-29 13:53 ` [PATCH v3 6/9] selinux: Allocate and free infiniband security hooks Dan Jurgens
2016-07-29 13:53 ` [PATCH v3 7/9] selinux: Implement Infiniband PKey "Access" access vector Dan Jurgens
2016-07-29 13:53 ` [PATCH v3 8/9] selinux: Add IB Port SMP " Dan Jurgens
2016-08-29 21:40 ` [PATCH v3 0/9] SELinux support for Infiniband RDMA Paul Moore
2016-08-29 21:48 ` Daniel Jurgens
2016-08-30 0:00 ` Paul Moore
2016-08-30 7:46 ` Leon Romanovsky
2016-08-30 13:53 ` Paul Moore
2016-08-30 14:06 ` Daniel Jurgens
2016-08-30 14:06 ` Daniel Jurgens
[not found] ` <VI1PR0501MB242949202A1DA23E5C8E1E8AC4E00-o1MPJYiShEyB6Z+oivrBG8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-08-30 15:01 ` Leon Romanovsky
2016-08-30 15:01 ` Leon Romanovsky
2016-08-30 18:46 ` Jason Gunthorpe
2016-08-30 18:52 ` Daniel Jurgens
2016-08-30 18:52 ` Daniel Jurgens
2016-08-30 18:55 ` Jason Gunthorpe
2016-08-30 19:10 ` Daniel Jurgens
2016-08-30 19:10 ` Daniel Jurgens
2016-09-01 16:34 ` Jason Gunthorpe
[not found] ` <20160901163418.GA6479-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-09-01 18:06 ` Paul Moore
2016-09-01 18:06 ` Paul Moore
2016-09-06 20:02 ` Jason Gunthorpe
2016-09-06 20:35 ` Daniel Jurgens
2016-09-06 20:35 ` Daniel Jurgens
2016-09-06 21:55 ` Jason Gunthorpe
2016-09-08 0:01 ` ira.weiny
2016-09-08 14:12 ` Daniel Jurgens
2016-09-08 14:12 ` Daniel Jurgens
2016-09-08 16:19 ` Jason Gunthorpe
2016-09-08 16:44 ` Daniel Jurgens [this message]
2016-09-08 16:44 ` Daniel Jurgens
2016-09-08 18:36 ` Jason Gunthorpe
2016-09-08 18:59 ` Daniel Jurgens
2016-09-08 18:59 ` Daniel Jurgens
2016-09-08 19:32 ` Jason Gunthorpe
2016-09-21 16:16 ` ira.weiny
[not found] ` <20160921161626.GA27837-W4f6Xiosr+yv7QzWx2u06xL4W9x8LtSr@public.gmane.org>
2016-09-22 15:04 ` Liran Liss
2016-09-22 15:04 ` Liran Liss
[not found] ` <20160908161948.GA21614-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
2016-09-08 19:14 ` ira.weiny
2016-09-08 19:14 ` ira.weiny
2016-09-08 19:35 ` Jason Gunthorpe
2016-09-15 1:52 ` ira.weiny
[not found] ` <DB6PR0501MB2422EA34EED4EE35EE7B1D28C4FB0-wTfl6qNNZ1ODMMyMbWtEF8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-09-08 17:47 ` Liran Liss
2016-09-08 17:47 ` Liran Liss
2016-09-08 18:37 ` Jason Gunthorpe
2016-09-08 19:01 ` Daniel Jurgens
2016-09-08 19:01 ` Daniel Jurgens
2016-09-08 18:34 ` ira.weiny
2016-09-20 23:43 ` Paul Moore
2016-09-23 13:26 ` Daniel Jurgens
2016-09-23 13:26 ` Daniel Jurgens
[not found] ` <VI1PR0501MB24299E036F1FCD335A2C2049C4C80-o1MPJYiShEyB6Z+oivrBG8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
2016-09-29 22:16 ` Paul Moore
2016-09-29 22:16 ` Paul Moore
[not found] ` <CAHC9VhShCgxonV1rN-J7LyezamzZtKNZ1SR7ywnTB9Kgia_u1w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-09-29 22:41 ` Jason Gunthorpe
2016-09-29 22:41 ` Jason Gunthorpe
2016-09-30 19:59 ` Paul Moore
[not found] ` <CAHC9VhTBW9VsMHag41x1GWUbwPQeLngi8_iq9CPuQ=UMxDebkg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-09-30 20:46 ` Jason Gunthorpe
2016-09-30 20:46 ` Jason Gunthorpe
2016-09-26 18:17 ` Jason Gunthorpe
[not found] ` <20160830074607.GN594-2ukJVAZIZ/Y@public.gmane.org>
2016-08-30 15:02 ` Or Gerlitz
2016-08-30 15:02 ` Or Gerlitz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DB6PR0501MB24227FF5BE230C826615111FC4FB0@DB6PR0501MB2422.eurprd05.prod.outlook.com \
--to=danielj-vpraknaxozvwk0htik3j/w@public.gmane.org \
--cc=chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org \
--cc=dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=ira.weiny-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org \
--cc=leon-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=liranl-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \
--cc=sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
--cc=sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \
--cc=selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.