* [question] ibv_reg_mr() returning EACCESS
@ 2019-11-15 3:57 Vinit Agnihotri
2019-11-15 14:12 ` Jason Gunthorpe
0 siblings, 1 reply; 5+ messages in thread
From: Vinit Agnihotri @ 2019-11-15 3:57 UTC (permalink / raw)
To: linux-rdma
Hi,
I am trying to use setfsgid()/setfssid() calls to ensure proper access
check for linux users.
However if user is non-root then ibv_reg_mr() returns EACCESS. While I
am sure I am calling ibv_reg_mr()
as root user, not sure why it still returns EACCESS.
While going through libibverbs sources I realize EACCESS might be
returned by this call:
if (write(pd->context->cmd_fd, cmd, cmd_size) != cmd_size)
return errno;
Can anyone provide any insight into this behavior? Does calling these
systems calls in threads can affect
entire process? I checked /dev/infiniband/* has appropriate privileges.
Thanks & Regards,
Vinit.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [question] ibv_reg_mr() returning EACCESS
2019-11-15 3:57 [question] ibv_reg_mr() returning EACCESS Vinit Agnihotri
@ 2019-11-15 14:12 ` Jason Gunthorpe
2019-11-18 4:59 ` Vinit Agnihotri
0 siblings, 1 reply; 5+ messages in thread
From: Jason Gunthorpe @ 2019-11-15 14:12 UTC (permalink / raw)
To: Vinit Agnihotri; +Cc: linux-rdma
On Fri, Nov 15, 2019 at 09:27:40AM +0530, Vinit Agnihotri wrote:
> Hi,
>
> I am trying to use setfsgid()/setfssid() calls to ensure proper access check
> for linux users.
>
> However if user is non-root then ibv_reg_mr() returns EACCESS. While I am
> sure I am calling ibv_reg_mr()
>
> as root user, not sure why it still returns EACCESS.
>
> While going through libibverbs sources I realize EACCESS might be returned
> by this call:
>
> if (write(pd->context->cmd_fd, cmd, cmd_size) != cmd_size)
> return errno;
>
> Can anyone provide any insight into this behavior? Does calling these
> systems calls in threads can affect
>
> entire process? I checked /dev/infiniband/* has appropriate privileges.
This is a security limitation, if you want do this flow you need a new
enough kernel and rdma-core to support the ioctl() scheme for calling
verbs
Jason
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [question] ibv_reg_mr() returning EACCESS
2019-11-15 14:12 ` Jason Gunthorpe
@ 2019-11-18 4:59 ` Vinit Agnihotri
2019-11-19 23:34 ` Jason Gunthorpe
0 siblings, 1 reply; 5+ messages in thread
From: Vinit Agnihotri @ 2019-11-18 4:59 UTC (permalink / raw)
To: Jason Gunthorpe; +Cc: linux-rdma
Thank you Jason.
I did went through archives for the same.
Can you please provide pointer towards documentation or
sample userspace usage for the same? Or which kernel version to be
looked into?
Thanks & Regards,
Vinit.
On 15/11/19 7:42 PM, Jason Gunthorpe wrote:
> On Fri, Nov 15, 2019 at 09:27:40AM +0530, Vinit Agnihotri wrote:
>> Hi,
>>
>> I am trying to use setfsgid()/setfssid() calls to ensure proper access check
>> for linux users.
>>
>> However if user is non-root then ibv_reg_mr() returns EACCESS. While I am
>> sure I am calling ibv_reg_mr()
>>
>> as root user, not sure why it still returns EACCESS.
>>
>> While going through libibverbs sources I realize EACCESS might be returned
>> by this call:
>>
>> if (write(pd->context->cmd_fd, cmd, cmd_size) != cmd_size)
>> return errno;
>>
>> Can anyone provide any insight into this behavior? Does calling these
>> systems calls in threads can affect
>>
>> entire process? I checked /dev/infiniband/* has appropriate privileges.
> This is a security limitation, if you want do this flow you need a new
> enough kernel and rdma-core to support the ioctl() scheme for calling
> verbs
>
> Jason
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [question] ibv_reg_mr() returning EACCESS
2019-11-18 4:59 ` Vinit Agnihotri
@ 2019-11-19 23:34 ` Jason Gunthorpe
2019-11-20 4:05 ` Vinit Agnihotri
0 siblings, 1 reply; 5+ messages in thread
From: Jason Gunthorpe @ 2019-11-19 23:34 UTC (permalink / raw)
To: Vinit Agnihotri; +Cc: linux-rdma
You need this kernel commit
commit 4785860e04bc8d7e244b25257168e1cf8a5529ab
Author: Jason Gunthorpe <jgg@ziepe.ca>
Date: Fri Nov 30 13:06:21 2018 +0200
RDMA/uverbs: Implement an ioctl that can call write and write_ex handlers
Now that the handlers do not process their own udata we can make a
sensible ioctl that wrappers them. The ioctl follows the same format as
the write_ex() and has the user explicitly specify the core and driver
in/out opaque structures and a command number.
This works for all forms of write commands.
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
And a rdma-core new enough to call UVERBS_METHOD_INVOKE_WRITE
On Mon, Nov 18, 2019 at 10:29:33AM +0530, Vinit Agnihotri wrote:
> Thank you Jason.
>
> I did went through archives for the same.
>
> Can you please provide pointer towards documentation or
>
> sample userspace usage for the same? Or which kernel version to be looked
> into?
>
>
> Thanks & Regards,
>
> Vinit.
>
> On 15/11/19 7:42 PM, Jason Gunthorpe wrote:
> > On Fri, Nov 15, 2019 at 09:27:40AM +0530, Vinit Agnihotri wrote:
> > > Hi,
> > >
> > > I am trying to use setfsgid()/setfssid() calls to ensure proper access check
> > > for linux users.
> > >
> > > However if user is non-root then ibv_reg_mr() returns EACCESS. While I am
> > > sure I am calling ibv_reg_mr()
> > >
> > > as root user, not sure why it still returns EACCESS.
> > >
> > > While going through libibverbs sources I realize EACCESS might be returned
> > > by this call:
> > >
> > > if (write(pd->context->cmd_fd, cmd, cmd_size) != cmd_size)
> > > return errno;
> > >
> > > Can anyone provide any insight into this behavior? Does calling these
> > > systems calls in threads can affect
> > >
> > > entire process? I checked /dev/infiniband/* has appropriate privileges.
> > This is a security limitation, if you want do this flow you need a new
> > enough kernel and rdma-core to support the ioctl() scheme for calling
> > verbs
> >
> > Jason
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [question] ibv_reg_mr() returning EACCESS
2019-11-19 23:34 ` Jason Gunthorpe
@ 2019-11-20 4:05 ` Vinit Agnihotri
0 siblings, 0 replies; 5+ messages in thread
From: Vinit Agnihotri @ 2019-11-20 4:05 UTC (permalink / raw)
To: Jason Gunthorpe; +Cc: linux-rdma
Thank you Jason,
I'll sure take a look.
Regards,
Vinit.
On 20/11/19 5:04 AM, Jason Gunthorpe wrote:
> You need this kernel commit
>
> commit 4785860e04bc8d7e244b25257168e1cf8a5529ab
> Author: Jason Gunthorpe <jgg@ziepe.ca>
> Date: Fri Nov 30 13:06:21 2018 +0200
>
> RDMA/uverbs: Implement an ioctl that can call write and write_ex handlers
>
> Now that the handlers do not process their own udata we can make a
> sensible ioctl that wrappers them. The ioctl follows the same format as
> the write_ex() and has the user explicitly specify the core and driver
> in/out opaque structures and a command number.
>
> This works for all forms of write commands.
>
> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
> Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
> Signed-off-by: Doug Ledford <dledford@redhat.com>
>
> And a rdma-core new enough to call UVERBS_METHOD_INVOKE_WRITE
>
> On Mon, Nov 18, 2019 at 10:29:33AM +0530, Vinit Agnihotri wrote:
>> Thank you Jason.
>>
>> I did went through archives for the same.
>>
>> Can you please provide pointer towards documentation or
>>
>> sample userspace usage for the same? Or which kernel version to be looked
>> into?
>>
>>
>> Thanks & Regards,
>>
>> Vinit.
>>
>> On 15/11/19 7:42 PM, Jason Gunthorpe wrote:
>>> On Fri, Nov 15, 2019 at 09:27:40AM +0530, Vinit Agnihotri wrote:
>>>> Hi,
>>>>
>>>> I am trying to use setfsgid()/setfssid() calls to ensure proper access check
>>>> for linux users.
>>>>
>>>> However if user is non-root then ibv_reg_mr() returns EACCESS. While I am
>>>> sure I am calling ibv_reg_mr()
>>>>
>>>> as root user, not sure why it still returns EACCESS.
>>>>
>>>> While going through libibverbs sources I realize EACCESS might be returned
>>>> by this call:
>>>>
>>>> if (write(pd->context->cmd_fd, cmd, cmd_size) != cmd_size)
>>>> return errno;
>>>>
>>>> Can anyone provide any insight into this behavior? Does calling these
>>>> systems calls in threads can affect
>>>>
>>>> entire process? I checked /dev/infiniband/* has appropriate privileges.
>>> This is a security limitation, if you want do this flow you need a new
>>> enough kernel and rdma-core to support the ioctl() scheme for calling
>>> verbs
>>>
>>> Jason
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-11-20 4:05 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-15 3:57 [question] ibv_reg_mr() returning EACCESS Vinit Agnihotri
2019-11-15 14:12 ` Jason Gunthorpe
2019-11-18 4:59 ` Vinit Agnihotri
2019-11-19 23:34 ` Jason Gunthorpe
2019-11-20 4:05 ` Vinit Agnihotri
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).