| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150715210342.GA32516@obsidianresearch.com> Date: Wed, 15 Jul 2015 15:03:42 -0600 From: Jason Gunthorpe <jgunthorpe@...idianresearch.com> To: Liran Liss <liranl@...lanox.com> Cc: Haggai Eran <haggaie@...lanox.com>, Doug Ledford <dledford@...hat.com>, "linux-rdma@...r.kernel.org" <linux-rdma@...r.kernel.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, Guy Shapiro <guysh@...lanox.com>, Shachar Raindel <raindel@...lanox.com>, Yotam Kenneth <yotamke@...lanox.com> Subject: Re: [PATCH v1 08/12] IB/cma: Add net_dev and private data checks to RDMA CM On Wed, Jul 15, 2015 at 08:27:06PM +0000, Liran Liss wrote: > If you want to restrict a container to a specific set of pkeys, use > cgroups. Ideally yes, but in the absence of a cgroup the set of pkeys assigned to the container via ipoib is a reasonable alternate. > This would apply both to CM MADs and QPs. > - In the MAD case, CM MADs would be first matched to a namespace and rdma_id and dropped upon pkey conflict (with either the headers or the payload). > - In the QP case, modify_qp() would fail on conflict. > Partitioning needs to be enforced also for applications that don't use the CM at all... Yep, that is how pkey checking should work, cgroup or not. So, you agree with me. I say that until we get a cgroup capability, the pkey list of the container is the set of IPoIB interfaces associated with it, and we still have to do the various checks above. The first check is relavent to this patchset and should be done by using the GMP's headers to locate the net device. > For namespaces, it seems more natural to lookup the namespace based > solely on the CM payload. How so? Which payload content do you use? The primary path? The alternate path? > After all, it is the payload that designates the entity that you > want to establish a connection to, rather than the packet headers, > which are just meant to relay the packet to the proper CM No, that isn't right. The IBA uses the GMP's destination first, then serviceID as the demux. Services IDs are not globally unique, they are scoped by the destination. The path data is just *routing* it doesn't describe at all the entity we want to talk to, it is only a proposal for how to flow data to it. In any event, both the GMP headers and the path data needs to be checked against the container's pkey list. I don't know why this is so contentions. Jason -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists