linux-rdma.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [question] ibv_reg_mr() returning EACCESS
@ 2019-11-15  3:57 Vinit Agnihotri
  2019-11-15 14:12 ` Jason Gunthorpe
  0 siblings, 1 reply; 5+ messages in thread
From: Vinit Agnihotri @ 2019-11-15  3:57 UTC (permalink / raw)
  To: linux-rdma

Hi,

I am trying to use setfsgid()/setfssid() calls to ensure proper access 
check for linux users.

However if user is non-root then ibv_reg_mr() returns EACCESS. While I 
am sure I am calling ibv_reg_mr()

as root user, not sure why it still returns EACCESS.

While going through libibverbs sources I realize EACCESS might be 
returned by this call:

if (write(pd->context->cmd_fd, cmd, cmd_size) != cmd_size)
         return errno;

Can anyone provide any insight into this behavior? Does calling these 
systems calls in threads can affect

entire process? I checked /dev/infiniband/* has appropriate privileges.


Thanks & Regards,

Vinit.


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [question] ibv_reg_mr() returning EACCESS
  2019-11-15  3:57 [question] ibv_reg_mr() returning EACCESS Vinit Agnihotri
@ 2019-11-15 14:12 ` Jason Gunthorpe
  2019-11-18  4:59   ` Vinit Agnihotri
  0 siblings, 1 reply; 5+ messages in thread
From: Jason Gunthorpe @ 2019-11-15 14:12 UTC (permalink / raw)
  To: Vinit Agnihotri; +Cc: linux-rdma

On Fri, Nov 15, 2019 at 09:27:40AM +0530, Vinit Agnihotri wrote:
> Hi,
> 
> I am trying to use setfsgid()/setfssid() calls to ensure proper access check
> for linux users.
> 
> However if user is non-root then ibv_reg_mr() returns EACCESS. While I am
> sure I am calling ibv_reg_mr()
> 
> as root user, not sure why it still returns EACCESS.
> 
> While going through libibverbs sources I realize EACCESS might be returned
> by this call:
> 
> if (write(pd->context->cmd_fd, cmd, cmd_size) != cmd_size)
>         return errno;
> 
> Can anyone provide any insight into this behavior? Does calling these
> systems calls in threads can affect
> 
> entire process? I checked /dev/infiniband/* has appropriate privileges.

This is a security limitation, if you want do this flow you need a new
enough kernel and rdma-core to support the ioctl() scheme for calling
verbs

Jason

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [question] ibv_reg_mr() returning EACCESS
  2019-11-15 14:12 ` Jason Gunthorpe
@ 2019-11-18  4:59   ` Vinit Agnihotri
  2019-11-19 23:34     ` Jason Gunthorpe
  0 siblings, 1 reply; 5+ messages in thread
From: Vinit Agnihotri @ 2019-11-18  4:59 UTC (permalink / raw)
  To: Jason Gunthorpe; +Cc: linux-rdma

Thank you Jason.

I did went through archives for the same.

Can you please provide pointer towards documentation or

sample userspace usage for the same? Or which kernel version to be 
looked into?


Thanks & Regards,

Vinit.

On 15/11/19 7:42 PM, Jason Gunthorpe wrote:
> On Fri, Nov 15, 2019 at 09:27:40AM +0530, Vinit Agnihotri wrote:
>> Hi,
>>
>> I am trying to use setfsgid()/setfssid() calls to ensure proper access check
>> for linux users.
>>
>> However if user is non-root then ibv_reg_mr() returns EACCESS. While I am
>> sure I am calling ibv_reg_mr()
>>
>> as root user, not sure why it still returns EACCESS.
>>
>> While going through libibverbs sources I realize EACCESS might be returned
>> by this call:
>>
>> if (write(pd->context->cmd_fd, cmd, cmd_size) != cmd_size)
>>          return errno;
>>
>> Can anyone provide any insight into this behavior? Does calling these
>> systems calls in threads can affect
>>
>> entire process? I checked /dev/infiniband/* has appropriate privileges.
> This is a security limitation, if you want do this flow you need a new
> enough kernel and rdma-core to support the ioctl() scheme for calling
> verbs
>
> Jason

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [question] ibv_reg_mr() returning EACCESS
  2019-11-18  4:59   ` Vinit Agnihotri
@ 2019-11-19 23:34     ` Jason Gunthorpe
  2019-11-20  4:05       ` Vinit Agnihotri
  0 siblings, 1 reply; 5+ messages in thread
From: Jason Gunthorpe @ 2019-11-19 23:34 UTC (permalink / raw)
  To: Vinit Agnihotri; +Cc: linux-rdma

You need this kernel commit

commit 4785860e04bc8d7e244b25257168e1cf8a5529ab
Author: Jason Gunthorpe <jgg@ziepe.ca>
Date:   Fri Nov 30 13:06:21 2018 +0200

    RDMA/uverbs: Implement an ioctl that can call write and write_ex handlers
    
    Now that the handlers do not process their own udata we can make a
    sensible ioctl that wrappers them. The ioctl follows the same format as
    the write_ex() and has the user explicitly specify the core and driver
    in/out opaque structures and a command number.
    
    This works for all forms of write commands.
    
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
    Signed-off-by: Doug Ledford <dledford@redhat.com>

And a rdma-core new enough to call UVERBS_METHOD_INVOKE_WRITE

On Mon, Nov 18, 2019 at 10:29:33AM +0530, Vinit Agnihotri wrote:
> Thank you Jason.
> 
> I did went through archives for the same.
> 
> Can you please provide pointer towards documentation or
> 
> sample userspace usage for the same? Or which kernel version to be looked
> into?
> 
> 
> Thanks & Regards,
> 
> Vinit.
> 
> On 15/11/19 7:42 PM, Jason Gunthorpe wrote:
> > On Fri, Nov 15, 2019 at 09:27:40AM +0530, Vinit Agnihotri wrote:
> > > Hi,
> > > 
> > > I am trying to use setfsgid()/setfssid() calls to ensure proper access check
> > > for linux users.
> > > 
> > > However if user is non-root then ibv_reg_mr() returns EACCESS. While I am
> > > sure I am calling ibv_reg_mr()
> > > 
> > > as root user, not sure why it still returns EACCESS.
> > > 
> > > While going through libibverbs sources I realize EACCESS might be returned
> > > by this call:
> > > 
> > > if (write(pd->context->cmd_fd, cmd, cmd_size) != cmd_size)
> > >          return errno;
> > > 
> > > Can anyone provide any insight into this behavior? Does calling these
> > > systems calls in threads can affect
> > > 
> > > entire process? I checked /dev/infiniband/* has appropriate privileges.
> > This is a security limitation, if you want do this flow you need a new
> > enough kernel and rdma-core to support the ioctl() scheme for calling
> > verbs
> > 
> > Jason

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [question] ibv_reg_mr() returning EACCESS
  2019-11-19 23:34     ` Jason Gunthorpe
@ 2019-11-20  4:05       ` Vinit Agnihotri
  0 siblings, 0 replies; 5+ messages in thread
From: Vinit Agnihotri @ 2019-11-20  4:05 UTC (permalink / raw)
  To: Jason Gunthorpe; +Cc: linux-rdma

Thank you Jason,

I'll sure take a look.


Regards,

Vinit.

On 20/11/19 5:04 AM, Jason Gunthorpe wrote:
> You need this kernel commit
>
> commit 4785860e04bc8d7e244b25257168e1cf8a5529ab
> Author: Jason Gunthorpe <jgg@ziepe.ca>
> Date:   Fri Nov 30 13:06:21 2018 +0200
>
>      RDMA/uverbs: Implement an ioctl that can call write and write_ex handlers
>      
>      Now that the handlers do not process their own udata we can make a
>      sensible ioctl that wrappers them. The ioctl follows the same format as
>      the write_ex() and has the user explicitly specify the core and driver
>      in/out opaque structures and a command number.
>      
>      This works for all forms of write commands.
>      
>      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
>      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
>      Signed-off-by: Doug Ledford <dledford@redhat.com>
>
> And a rdma-core new enough to call UVERBS_METHOD_INVOKE_WRITE
>
> On Mon, Nov 18, 2019 at 10:29:33AM +0530, Vinit Agnihotri wrote:
>> Thank you Jason.
>>
>> I did went through archives for the same.
>>
>> Can you please provide pointer towards documentation or
>>
>> sample userspace usage for the same? Or which kernel version to be looked
>> into?
>>
>>
>> Thanks & Regards,
>>
>> Vinit.
>>
>> On 15/11/19 7:42 PM, Jason Gunthorpe wrote:
>>> On Fri, Nov 15, 2019 at 09:27:40AM +0530, Vinit Agnihotri wrote:
>>>> Hi,
>>>>
>>>> I am trying to use setfsgid()/setfssid() calls to ensure proper access check
>>>> for linux users.
>>>>
>>>> However if user is non-root then ibv_reg_mr() returns EACCESS. While I am
>>>> sure I am calling ibv_reg_mr()
>>>>
>>>> as root user, not sure why it still returns EACCESS.
>>>>
>>>> While going through libibverbs sources I realize EACCESS might be returned
>>>> by this call:
>>>>
>>>> if (write(pd->context->cmd_fd, cmd, cmd_size) != cmd_size)
>>>>           return errno;
>>>>
>>>> Can anyone provide any insight into this behavior? Does calling these
>>>> systems calls in threads can affect
>>>>
>>>> entire process? I checked /dev/infiniband/* has appropriate privileges.
>>> This is a security limitation, if you want do this flow you need a new
>>> enough kernel and rdma-core to support the ioctl() scheme for calling
>>> verbs
>>>
>>> Jason

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-11-20  4:05 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-15  3:57 [question] ibv_reg_mr() returning EACCESS Vinit Agnihotri
2019-11-15 14:12 ` Jason Gunthorpe
2019-11-18  4:59   ` Vinit Agnihotri
2019-11-19 23:34     ` Jason Gunthorpe
2019-11-20  4:05       ` Vinit Agnihotri

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).