[Ofvwg] OFVWG meeting notes - 10/6/2015
Liran Liss
liranl at mellanox.com
Tue Oct 6 12:30:25 PDT 2015
Daniel Jurgens presented an approach for implementing RDMA support for SELinux and provided a demonstration of an initial implementation.
SELinux provides mandatory access control primarily using type information.
For Infiniband, the basic support for access control seems to be labeled networking based on partitions, since partitions are carried by every packet (except subnet management) and enforced at all times.
Controlling access to subnet management (the SMI interface) should also be provided.
The presented implementation enforces partition checks based on partition values.
However, it is desirable to provide more granular control by specifying the device and port in addition to the partition.
Allowing access to a partition by all means (normal QP, umad, CM) seems to be the right abstraction.
However, the policy rule should specify a more meaningful operation than "modify", which only applies to QPs.
"access" could work, e.g., "allow sysadm_t default_pkey_t:rdma_pkey access".
Also, hex syntax for specifying partition values looks better because it is consistent with the SM configuration files.
A similar syntax could be used for the SMI, e.g., "allow sysadm_t smi:rdma_mgt access".
In any case, we should provide a document summarizing the syntax to security sys admins for review.
When a QP is transitioned into error by the kernel following a dynamic partition change in the fabric, the application should be notified other than just observing completion errors. An asynchronous error seems like the right direction.
Verifying arbitrary (umad) or rdmacm MADs amounts to dropping packets upon conflicts.
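The labeling and rule syntax sketched in these notes, worked through as an added illustration (Python). This is not part of the notes or of the implementation that was presented: the class and permission names follow the proposed "rdma_pkey access" / "rdma_mgt access" syntax, and the device names, SELinux types and allow rules are made up for the example. It labels a partition by (device, port, P_Key) with the device and port optional, as the notes ask for, applies one decision to every access path (QP, umad, CM), and masks the high bit of the P_Key, which is the full/limited membership bit rather than part of the partition number, so 0x8001 and 0x0001 resolve to the same label.

```python
# Added example, not from the OFVWG notes or the presented implementation.
# Models the proposed SELinux RDMA policy: pkeys are labeled with a type,
# subjects get "allow <subj> <type>:rdma_pkey access" rules, and the SMI
# is guarded by "allow <subj> smi_t:rdma_mgt access". Names are invented.
import re
from dataclasses import dataclass
from typing import Optional

# In an InfiniBand P_Key the MSB is the membership bit (1 = full, 0 = limited);
# the partition itself is the low 15 bits, so compare on those only.
PKEY_MEMBERSHIP_BIT = 0x8000


def partition_number(pkey: int) -> int:
    """Return the 15-bit partition number, ignoring the membership bit."""
    return pkey & 0xFFFF & ~PKEY_MEMBERSHIP_BIT


@dataclass(frozen=True)
class PkeyLabel:
    device: Optional[str]  # None matches any device
    port: Optional[int]    # None matches any port
    pkey: int              # partition number, written in hex like SM configs
    type_: str             # SELinux type assigned to the partition


# Constructed labeling table, most specific entry first (like file contexts).
PKEY_LABELS = [
    PkeyLabel("mlx4_0", 2, 0x0002, "storage_pkey_t"),
    PkeyLabel(None, None, 0x7FFF, "default_pkey_t"),
]


def label_pkey(device: str, port: int, pkey: int) -> str:
    """Map (device, port, pkey) to a type; unmatched partitions get a fallback."""
    num = partition_number(pkey)
    for lab in PKEY_LABELS:
        if (lab.pkey == num
                and lab.device in (None, device)
                and lab.port in (None, port)):
            return lab.type_
    return "unlabeled_pkey_t"


# Rule syntax from the notes: allow <subject> <target>:<class> <perm>
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\w+)\s*;?$")


def parse_allow_rule(line: str) -> tuple:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not an allow rule: %r" % line)
    return m.groups()  # (subject, target_type, class, permission)


# Constructed policy fragment using the proposed classes and permissions.
POLICY_TEXT = """
# sample rules (constructed)
allow sysadm_t default_pkey_t:rdma_pkey access;
allow storage_t storage_pkey_t:rdma_pkey access;
allow opensm_t smi_t:rdma_mgt access;
"""

ALLOW = {
    parse_allow_rule(l) for l in POLICY_TEXT.splitlines()
    if l.strip() and not l.strip().startswith("#")
}


def pkey_allowed(subject: str, device: str, port: int, pkey: int) -> bool:
    """Single decision for every path (QP, umad, CM) to the partition."""
    return (subject, label_pkey(device, port, pkey), "rdma_pkey", "access") in ALLOW


def smi_allowed(subject: str) -> bool:
    """Subnet management (SMI) is a separate object class with its own rule."""
    return (subject, "smi_t", "rdma_mgt", "access") in ALLOW


if __name__ == "__main__":
    for subj, dev, port, pkey in [("sysadm_t", "mlx4_0", 1, 0xFFFF),
                                  ("sysadm_t", "mlx4_0", 2, 0x8002),
                                  ("storage_t", "mlx4_0", 2, 0x0002),
                                  ("storage_t", "mlx4_0", 1, 0x8002)]:
        print(subj, dev, port, hex(pkey), "->",
              label_pkey(dev, port, pkey), pkey_allowed(subj, dev, port, pkey))
    print("opensm_t SMI:", smi_allowed("opensm_t"), " sysadm_t SMI:", smi_allowed("sysadm_t"))
```

The device/port-scoped entry shows why the finer granularity matters: the same partition 0x0002 is storage_pkey_t only on mlx4_0 port 2 and stays unlabeled elsewhere, so a storage_t process is denied it on port 1 even though the P_Key value is identical.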