| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Oct 2023 11:21:37 +0300
From: Patrisious Haddad <phaddad@...dia.com>
To: <jgg@...pe.ca>, <leon@...nel.org>, <dsahern@...il.com>,
<stephen@...workplumber.org>
CC: Patrisious Haddad <phaddad@...dia.com>, <netdev@...r.kernel.org>,
<linux-rdma@...r.kernel.org>, <linuxarm@...wei.com>,
<linux-kernel@...r.kernel.org>, <huangjunxian6@...ilicon.com>,
<michaelgur@...dia.com>
Subject: [PATCH iproute2-next 2/3] rdma: Add an option to set privileged QKEY parameter
Enrich rdmatool with an option to enable or disable privileged QKEY.
When enabled, non-privileged users will be allowed to specify a
controlled QKEY.
By default this parameter is disabled in order to comply with IB spec.
According to the IB specification rel-1.6, section 3.5.3:
"QKEYs with the most significant bit set are considered controlled
QKEYs, and a HCA does not allow a consumer to arbitrarily specify a
controlled QKEY."
This allows old applications which existed before the kernel commit:
0cadb4db79e1 ("RDMA/uverbs: Restrict usage of privileged QKEYs")
they can use privileged QKEYs without being a privileged user to now
be able to work again without being privileged granted they turn on this
parameter.
rdma tool command examples and output.
$ rdma system show
netns shared privileged-qkey off copy-on-fork on
$ rdma system set privileged-qkey on
$ rdma system show
netns shared privileged-qkey on copy-on-fork on
Signed-off-by: Patrisious Haddad <phaddad@...dia.com>
Reviewed-by: Michael Guralnik <michaelgur@...dia.com>
---
rdma/sys.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++--
rdma/utils.c | 1 +
2 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/rdma/sys.c b/rdma/sys.c
index fd785b25..32ca3444 100644
--- a/rdma/sys.c
+++ b/rdma/sys.c
@@ -17,6 +17,11 @@ static const char *netns_modes_str[] = {
"shared",
};
+static const char *privileged_qkey_str[] = {
+ "off",
+ "on",
+};
+
static int sys_show_parse_cb(const struct nlmsghdr *nlh, void *data)
{
struct nlattr *tb[RDMA_NLDEV_ATTR_MAX] = {};
@@ -40,6 +45,22 @@ static int sys_show_parse_cb(const struct nlmsghdr *nlh, void *data)
mode_str);
}
+ if (tb[RDMA_NLDEV_SYS_ATTR_PRIVILEGED_QKEY_MODE]) {
+ const char *pqkey_str;
+ uint8_t pqkey_mode;
+
+ pqkey_mode =
+ mnl_attr_get_u8(tb[RDMA_NLDEV_SYS_ATTR_PRIVILEGED_QKEY_MODE]);
+
+ if (pqkey_mode < ARRAY_SIZE(privileged_qkey_str))
+ pqkey_str = privileged_qkey_str[pqkey_mode];
+ else
+ pqkey_str = "unknown";
+
+ print_color_string(PRINT_ANY, COLOR_NONE, "privileged-qkey",
+ "privileged-qkey %s ", pqkey_str);
+ }
+
if (tb[RDMA_NLDEV_SYS_ATTR_COPY_ON_FORK])
cof = mnl_attr_get_u8(tb[RDMA_NLDEV_SYS_ATTR_COPY_ON_FORK]);
@@ -67,8 +88,9 @@ static int sys_show_no_args(struct rd *rd)
static int sys_show(struct rd *rd)
{
const struct rd_cmd cmds[] = {
- { NULL, sys_show_no_args},
- { "netns", sys_show_no_args},
+ { NULL, sys_show_no_args},
+ { "netns", sys_show_no_args},
+ { "privileged-qkey", sys_show_no_args},
{ 0 }
};
@@ -86,6 +108,17 @@ static int sys_set_netns_cmd(struct rd *rd, bool enable)
return rd_sendrecv_msg(rd, seq);
}
+static int sys_set_privileged_qkey_cmd(struct rd *rd, bool enable)
+{
+ uint32_t seq;
+
+ rd_prepare_msg(rd, RDMA_NLDEV_CMD_SYS_SET,
+ &seq, (NLM_F_REQUEST | NLM_F_ACK));
+ mnl_attr_put_u8(rd->nlh, RDMA_NLDEV_SYS_ATTR_PRIVILEGED_QKEY_MODE, enable);
+
+ return rd_sendrecv_msg(rd, seq);
+}
+
static bool sys_valid_netns_cmd(const char *cmd)
{
int i;
@@ -97,6 +130,17 @@ static bool sys_valid_netns_cmd(const char *cmd)
return false;
}
+static bool sys_valid_privileged_qkey_cmd(const char *cmd)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(privileged_qkey_str); i++) {
+ if (!strcmp(cmd, privileged_qkey_str[i]))
+ return true;
+ }
+ return false;
+}
+
static int sys_set_netns_args(struct rd *rd)
{
bool cmd;
@@ -111,10 +155,25 @@ static int sys_set_netns_args(struct rd *rd)
return sys_set_netns_cmd(rd, cmd);
}
+static int sys_set_privileged_qkey_args(struct rd *rd)
+{
+ bool cmd;
+
+ if (rd_no_arg(rd) || !sys_valid_privileged_qkey_cmd(rd_argv(rd))) {
+ pr_err("valid options are: { on | off }\n");
+ return -EINVAL;
+ }
+
+ cmd = (strcmp(rd_argv(rd), "on") == 0) ? true : false;
+
+ return sys_set_privileged_qkey_cmd(rd, cmd);
+}
+
static int sys_set_help(struct rd *rd)
{
pr_out("Usage: %s system set [PARAM] value\n", rd->filename);
pr_out(" system set netns { shared | exclusive }\n");
+ pr_out(" system set privileged-qkey { on | off }\n");
return 0;
}
@@ -124,6 +183,7 @@ static int sys_set(struct rd *rd)
{ NULL, sys_set_help },
{ "help", sys_set_help },
{ "netns", sys_set_netns_args},
+ { "privileged-qkey", sys_set_privileged_qkey_args},
{ 0 }
};
diff --git a/rdma/utils.c b/rdma/utils.c
index 8a091c05..09985069 100644
--- a/rdma/utils.c
+++ b/rdma/utils.c
@@ -473,6 +473,7 @@ static const enum mnl_attr_data_type nldev_policy[RDMA_NLDEV_ATTR_MAX] = {
[RDMA_NLDEV_ATTR_STAT_AUTO_MODE_MASK] = MNL_TYPE_U32,
[RDMA_NLDEV_ATTR_DEV_DIM] = MNL_TYPE_U8,
[RDMA_NLDEV_ATTR_RES_RAW] = MNL_TYPE_BINARY,
+ [RDMA_NLDEV_SYS_ATTR_PRIVILEGED_QKEY_MODE] = MNL_TYPE_U8,
};
static int rd_attr_check(const struct nlattr *attr, int *typep)
--
2.18.1
Powered by blists - more mailing lists