Re: [PATCH 1/1] networkmanager: Grant access to unlabeled PKeys

2017-11-28 Thread Daniel Jurgens
On 11/27/2017 10:19 AM, Paul Moore wrote: > On Mon, Nov 27, 2017 at 9:03 AM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> For controlling IPoIB VLANs >> >> Reported-by: Honggang LI >> Signed-off-by: Daniel Jurgens >> Tested-by: Honggang LI

Re: [PATCH] IB/core: Fix static analysis warning in ib_policy_change_task

2017-07-05 Thread Daniel Jurgens
On 7/3/2017 6:03 PM, Paul Moore wrote: > On Fri, Jun 30, 2017 at 11:15 AM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> ib_get_cached_subnet_prefix can technically fail, but the only way it >> could is not possible based on the loop conditions. Check the retur

Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-06-09 Thread Daniel Jurgens
On 6/9/2017 3:01 PM, Paul Moore wrote: > On Fri, Jun 9, 2017 at 10:59 AM, Daniel Jurgens wrote: > > Should be all set now, let me know if you notice any problems. I did > add a separate third commit to munge the style/formatting (see > previous emails); I didn't bother posti

Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-06-09 Thread Daniel Jurgens
On 6/9/2017 9:50 AM, Paul Moore wrote: > On Fri, Jun 9, 2017 at 10:44 AM, Daniel Jurgens wrote: >> On 6/5/2017 5:34 PM, Daniel Jurgens wrote: >>> On 6/5/2017 5:13 PM, Paul Moore wrote: >>>> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley >>>> wrot

Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-06-09 Thread Daniel Jurgens
On 6/5/2017 5:34 PM, Daniel Jurgens wrote: > On 6/5/2017 5:13 PM, Paul Moore wrote: >> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley wrote: >>> On Tue, 2017-05-30 at 17:40 +0000, Daniel Jurgens wrote: >>>> On 5/30/2017 12:05 PM, Stephen Smalley wrote: >>&

Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-06-05 Thread Daniel Jurgens
On 6/5/2017 5:13 PM, Paul Moore wrote: > On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley wrote: >> On Tue, 2017-05-30 at 17:40 +0000, Daniel Jurgens wrote: >>> On 5/30/2017 12:05 PM, Stephen Smalley wrote: >>>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wro

Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Daniel Jurgens
On 5/30/2017 12:48 PM, Stephen Smalley wrote: > On Tue, 2017-05-30 at 17:40 +0000, Daniel Jurgens wrote: >> On 5/30/2017 12:05 PM, Stephen Smalley wrote: >>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote: >>>> From: Daniel Jurgens >>>> >>&

Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Daniel Jurgens
On 5/30/2017 12:05 PM, Stephen Smalley wrote: > On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> New tests for Infiniband endports. Most users do not have infiniband >> hardware, and if they do the device names can vary. There is

Re: [PATCH v1 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Daniel Jurgens
On 5/25/2017 3:04 PM, Stephen Smalley wrote: > On Wed, 2017-05-24 at 17:18 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> >> +allow test_ibendport_manage_subnet_t bin_t:file entrypoint; >> +allow test_ibendport_manage_subnet_t bin_t:file execute; >

Re: [PATCH v1 1/2] selinux-testsuite: Infiniband pkey tests

2017-05-30 Thread Daniel Jurgens
On 5/25/2017 2:52 PM, Stephen Smalley wrote: > On Wed, 2017-05-24 at 17:18 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> +corenet_ib_pkey(test_ibpkey_t) >> +corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t) > This will break the build on current

Re: [PATCH v3 9/9] semanage: Update man pages for infiniband

2017-05-24 Thread Daniel Jurgens
On 5/24/2017 4:07 PM, Stephen Smalley wrote: > On Mon, 2017-05-22 at 16:08 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Update the main man page and add specific pages for ibpkeys and >> ibendports. > Thanks, applied all nine. I did notice that you lef

Re: [pcmoore-selinux:next 17/17] security/selinux/ibpkey.c:116:24: sparse: incompatible types in comparison expression (different address spaces)

2017-05-22 Thread Daniel Jurgens
On 5/22/2017 4:06 PM, Paul Moore wrote: > On Sun, May 21, 2017 at 5:47 AM, kbuild test robot > wrote: >> tree: git://git.infradead.org/users/pcmoore/selinux next >> head: b76dd295790d44ecb04932110309bb6c15f263a8 >> commit: b76dd295790d44ecb04932110309bb6c15f263a8 [17/17] selinux: Add a >> cac

Re: [PATCH v7 0/9] SELinux support for Infiniband RDMA

2017-05-22 Thread Daniel Jurgens
On 5/21/2017 7:35 PM, James Morris wrote: > On Fri, 19 May 2017, Dan Jurgens wrote: > >> From: Daniel Jurgens > What kind of testing has this code had? It's relatively complex and as a > security feature, it especially needs to be well-tested. > > I tested it on my

Re: [PATCH v7 2/9] IB/core: Enforce PKey security on QPs

2017-05-22 Thread Daniel Jurgens
On 5/21/2017 7:13 PM, James Morris wrote: > On Fri, 19 May 2017, Dan Jurgens wrote: > >> security/security.c | 385 ++ > This looks wrong -- merge problem? Yes, it was a merge problem. I added back the per field initialization of the security head hooks. Paul

Re: [PATCH v7 0/9] SELinux support for Infiniband RDMA

2017-05-22 Thread Daniel Jurgens
On 5/19/2017 2:35 PM, Paul Moore wrote: > On Fri, May 19, 2017 at 12:47 PM, Daniel Jurgens wrote: >> On 5/19/2017 7:49 AM, Dan Jurgens wrote: >>> From: Daniel Jurgens >>> >>> Note on v7, it applies cleanly on Paul Moores' tree. 'git am' fails

Re: [PATCH v7 4/9] IB/core: Enforce security on management datagrams

2017-05-22 Thread Daniel Jurgens
On 5/19/2017 2:21 PM, Paul Moore wrote: > On Fri, May 19, 2017 at 8:48 AM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Allocate and free a security context when creating and destroying a MAD >> agent. This context is used for controlling access to PKeys and se

Re: [PATCH v7 0/9] SELinux support for Infiniband RDMA

2017-05-19 Thread Daniel Jurgens
On 5/19/2017 7:49 AM, Dan Jurgens wrote: > From: Daniel Jurgens > > Note on v7, it applies cleanly on Paul Moores' tree. 'git am' fails to > apply patch 0002* to Dougs' tree, but 'patch' applies it without rejects. > There's a new file

Re: [PATCH v1 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-18 Thread Daniel Jurgens
On 5/16/2017 2:10 PM, Stephen Smalley wrote: > On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Update libsepol and libsemanage to work with pkey records. Add local >> storage for new and modified pkey records in pkeys.local. Update

Re: [PATCH v1 5/9] libsepol: Add ibendport ocontext handling

2017-05-18 Thread Daniel Jurgens
On 5/17/2017 8:53 AM, James Carter wrote: > On 05/15/2017 04:42 PM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> >> +exit: >> +if (rc != 0) { >> +sepol_log_err("Error writing ibendportcon rules to CIL\n"); >> +} &g

Re: [PATCH v1 2/9] libsepol: Add ibpkey ocontext handling

2017-05-18 Thread Daniel Jurgens
On 5/16/2017 1:41 PM, Stephen Smalley wrote: > On Tue, 2017-05-16 at 14:43 -0400, Stephen Smalley wrote: >> On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: >>> From: Daniel Jurgens >>> >>> >>> + case OCON_IBPKEY: >>> +

Re: [PATCH v1 2/9] libsepol: Add ibpkey ocontext handling

2017-05-17 Thread Daniel Jurgens
On 5/16/2017 1:39 PM, Stephen Smalley wrote: > On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Add support for reading, writing, and copying Infinabinda Pkey > Infiniband > >> ocontext >> data. Also add support

Re: [PATCH v1 1/9] checkpolicy: Add support for ibpkeycon labels

2017-05-17 Thread Daniel Jurgens
On 5/16/2017 1:18 PM, Stephen Smalley wrote: > On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> +if (subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]) { >> +yyerror("subnet prefix should be
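The ibpkeycon check quoted above rejects a subnet prefix whose low-order 64 bits are not zero. The following is an added example, not checkpolicy or kernel code, that shows the two pieces a practitioner needs to see together: parsing the IPv6-style textual subnet prefix into a 64-bit value with that validation, and first-match lookup of a (subnet prefix, PKey) pair against a small table of ibpkeycon-style rules with an "unlabeled" fallback like the SECINITSID_UNLABELED fallback discussed later in this series. The rule table, its contexts and the helper names (`ib_parse_subnet_prefix`, `ibpkey_lookup`, `ibpkey_lookup_sample`) are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/*
 * Added example: parsing and matching ibpkeycon-style rules.
 * Illustrative code only; not checkpolicy or kernel code.
 */

/* Parse an InfiniBand subnet prefix written in IPv6 textual form (the
 * ibpkeycon syntax writes it that way, e.g. "fe80::") into its 64-bit
 * value.  Returns 0 on success, -1 if the text is not a valid IPv6
 * address, -2 if any of the low-order 64 bits are set: a subnet prefix
 * is only 64 bits wide, so bytes 8..15 must all be zero. */
int ib_parse_subnet_prefix(const char *text, uint64_t *prefix)
{
    struct in6_addr addr;
    uint64_t v = 0;
    int i;

    if (inet_pton(AF_INET6, text, &addr) != 1)
        return -1;
    for (i = 8; i < 16; i++)
        if (addr.s6_addr[i])
            return -2;
    for (i = 0; i < 8; i++)
        v = (v << 8) | addr.s6_addr[i];
    *prefix = v;
    return 0;
}

/* One ibpkeycon rule: a subnet prefix, an inclusive PKey range and the
 * context to assign.  The context is kept as a string here; a policy
 * compiler would resolve it into a security context. */
struct ibpkeycon {
    uint64_t subnet_prefix;
    uint16_t low_pkey;
    uint16_t high_pkey;
    const char *context;
};

/* Constructed sample rules (hypothetical contexts, not a real policy).
 * The split at 0x8000 is arbitrary for the example. */
static const struct ibpkeycon sample_rules[] = {
    { 0xfe80000000000000ULL, 0x0000, 0x7fff, "system_u:object_r:test_ibpkey_t:s0" },
    { 0xfe80000000000000ULL, 0x8000, 0xffff, "system_u:object_r:test_ibpkey_access_t:s0" },
};
static const size_t sample_rule_count = sizeof(sample_rules) / sizeof(sample_rules[0]);

/* First-match lookup of a (subnet prefix, pkey) pair.  Returns the rule's
 * context, or "unlabeled" when nothing matches. */
const char *ibpkey_lookup(const struct ibpkeycon *rules, size_t n,
                          uint64_t prefix, uint16_t pkey)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (rules[i].subnet_prefix == prefix &&
            rules[i].low_pkey <= pkey && pkey <= rules[i].high_pkey)
            return rules[i].context;
    }
    return "unlabeled";
}

/* Wrappers that return results directly so callers (and tests) can go
 * from the textual rule form to a decision in one call. */
int ib_subnet_prefix_status(const char *text)
{
    uint64_t p;
    return ib_parse_subnet_prefix(text, &p);
}

uint64_t ib_subnet_prefix_value(const char *text)
{
    uint64_t p = 0;
    if (ib_parse_subnet_prefix(text, &p) != 0)
        return 0;
    return p;
}

const char *ibpkey_lookup_sample(const char *prefix_text, uint16_t pkey)
{
    uint64_t p;
    if (ib_parse_subnet_prefix(prefix_text, &p) != 0)
        return "invalid-prefix";
    return ibpkey_lookup(sample_rules, sample_rule_count, p, pkey);
}
```

The validation loop checks every one of bytes 8 through 15 rather than a couple of them, which is the property the yyerror in the thread is guarding: a prefix such as "fe80::1" must be rejected, while "fe80::" parses to 0xfe80000000000000.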

Re: [PATCH v1 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-16 Thread Daniel Jurgens
On 5/16/2017 2:36 PM, Stephen Smalley wrote: > On Tue, 2017-05-16 at 19:34 +0000, Daniel Jurgens wrote: >> On 5/16/2017 2:30 PM, Stephen Smalley wrote: >>> On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: >>>> From: Daniel Jurgens >>>> >>>

Re: [PATCH v1 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-16 Thread Daniel Jurgens
On 5/16/2017 2:30 PM, Stephen Smalley wrote: > On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Update libsepol and libsemanage to work with pkey records. Add local >> storage for new and modified pkey records in pkeys.local. Update

Re: [PATCH v1 8/9] semanage: Update semanage to allow runtime labeling of ibendports

2017-05-16 Thread Daniel Jurgens
On 5/16/2017 11:48 AM, Jason Zaman wrote: > On Mon, May 15, 2017 at 11:42:40PM +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Update libsepol and libsemanage to work with ibendport records. Add local >> storage for new and modified ibendport records in

Re: [PATCH 6/9] libsepol: Add IB end port handling to CIL

2017-05-12 Thread Daniel Jurgens
On 5/11/2017 10:07 AM, James Carter wrote: > On 05/09/2017 04:50 PM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> >> diff --git a/libsepol/cil/src/cil_resolve_ast.c >> b/libsepol/cil/src/cil_resolve_ast.c >> index 1df41da..69ce786 100644 >> ---

Re: [PATCH 5/9] libsepol: Add ibendport ocontext handling

2017-05-12 Thread Daniel Jurgens
On 5/11/2017 10:20 AM, James Carter wrote: > Like I mentioned for patch 2, kernel_to_cil.c and kernel_to_conf.c need to be > updated. > > Jim Added > On 05/09/2017 04:50 PM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Add support for reading, writing, and

Re: [PATCH 2/9] libsepol: Add ibpkey ocontext handling

2017-05-12 Thread Daniel Jurgens
or > module_to_c. > > Jim Added. Thanks for reviewing, completely missed when those files were added. > > On 05/09/2017 04:50 PM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Add support for reading, writing, and copying Infinabinda Pkey ocontext >> data. Also add support for querying a Pkey sid to checkpolicy. >>

Re: [PATCH 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-11 Thread Daniel Jurgens
On 5/10/2017 2:22 PM, Stephen Smalley wrote: > On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> >> libsepol/src/ibpkeys.c| 264 ++ >> python/semanage/semanage | 60 +++

Re: [PATCH 5/9] libsepol: Add ibendport ocontext handling

2017-05-11 Thread Daniel Jurgens
On 5/10/2017 2:05 PM, Stephen Smalley wrote: > On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> --- a/libsepol/include/sepol/policydb/services.h >> +++ b/libsepol/include/sepol/policydb/services.h >> @@ -199,6 +199,16 @@ ext

Re: [PATCH 4/9] checkpolicy: Add support for ibendportcon labels

2017-05-10 Thread Daniel Jurgens
On 5/10/2017 1:56 PM, Stephen Smalley wrote: > On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> } ibendport; > These were pkey and ib_endport in the kernel patch, and port was > port_num. Either way is fine but they probably ought to b

Re: [PATCH 2/9] libsepol: Add ibpkey ocontext handling

2017-05-10 Thread Daniel Jurgens
On 5/10/2017 1:51 PM, Stephen Smalley wrote: > On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Add support for reading, writing, and copying Infinabinda Pkey > s/Infinabinda/Infiniband/ Done > >> --- a/libsepol/include/s

Re: [PATCH 1/9] checkpolicy: Add support for ibpkeycon labels

2017-05-10 Thread Daniel Jurgens
On 5/10/2017 1:18 PM, Stephen Smalley wrote: > On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> >> +#ifdef DARWIN >> +memcpy(&newc->u.ibpkey.subnet_prefix[0], >> &subnet_prefix.s6_addr[0], >> +

Re: [PATCH v6 0/9] SELinux support for Infiniband RDMA

2017-05-03 Thread Daniel Jurgens
On 5/3/2017 9:41 AM, Paul Moore wrote: > On Wed, Nov 23, 2016 at 9:17 AM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Infiniband applications access HW from user-space -- traffic is generated >> directly by HW, bypassing the kernel. Consequently, Infiniba

Re: [PATCH 1/3] selinux: Implement LSM notification system

2017-04-26 Thread Daniel Jurgens
On 4/26/2017 10:38 AM, Casey Schaufler wrote: > On 4/26/2017 8:02 AM, Sebastien Buisson wrote: >> From: Daniel Jurgens >> >> Add a generic notification mechanism in the LSM. Interested consumers >> can register a callback with the LSM and security modules can produce

Re: [PATCH v6 0/9] SELinux support for Infiniband RDMA

2017-01-25 Thread Daniel Jurgens
On 1/24/2017 3:45 PM, Doug Ledford wrote: > On Tue, 2017-01-24 at 16:40 -0500, Doug Ledford wrote: >> On Tue, 2016-12-13 at 17:17 -0500, Paul Moore wrote: >>> On Tue, Dec 13, 2016 at 11:25 AM, Daniel Jurgens >> co >>> m> wrote: >>>> &

Re: [PATCH v6 0/9] SELinux support for Infiniband RDMA

2016-12-13 Thread Daniel Jurgens
On 12/13/2016 9:01 AM, Stephen Smalley wrote: > On 11/23/2016 09:17 AM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Infiniband applications access HW from user-space -- traffic is generated >> directly by HW, bypassing the kernel. Consequently, Infiniband Partitio

Re: [PATCH v6 5/9] selinux: Create policydb version for Infiniband support

2016-12-13 Thread Daniel Jurgens
On 12/13/2016 8:35 AM, Stephen Smalley wrote: > On 11/23/2016 09:17 AM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Support for Infiniband requires the addition of two new object contexts, >> one for infiniband PKeys and another IB Ports. Added handlers to read &g

Re: [PATCH v6 3/9] selinux lsm IB/core: Implement LSM notification system

2016-12-13 Thread Daniel Jurgens
On 12/13/2016 8:26 AM, Stephen Smalley wrote: > On 11/23/2016 09:17 AM, Dan Jurgens wrote: >> @@ -177,6 +177,8 @@ static ssize_t sel_write_enforce(struct file *file, >> const char __user *buf, >> avc_ss_reset(0); >> selnl_notify_setenforce(selinux_enforcing); >>

Re: [PATCH v5 2/9] IB/core: Enforce PKey security on QPs

2016-11-23 Thread Daniel Jurgens
On 11/22/2016 5:24 PM, James Morris wrote: > On Tue, 22 Nov 2016, Dan Jurgens wrote: > >> From: Daniel Jurgens >> >> Add new LSM hooks to allocate and free security contexts and check for >> permission to access a PKey. > I guess Doug's is best tree for these

Re: [PATCH v5 9/9] selinux: Add a cache for quicker retreival of PKey SIDs

2016-11-23 Thread Daniel Jurgens
On 11/22/2016 4:53 PM, James Morris wrote: > On Tue, 22 Nov 2016, Dan Jurgens wrote: > >> +static int sel_pkey_sid_slow(u64 subnet_prefix, u16 pkey_num, u32 *sid) >> +{ >> +int ret = -ENOMEM; >> +struct sel_pkey *pkey; >> +struct sel_pkey *new = NULL; >> +unsigned long flags; >> + >

Re: [PATCH v5 8/9] selinux: Add IB Port SMP access vector

2016-11-23 Thread Daniel Jurgens
On 11/22/2016 4:47 PM, James Morris wrote: > On Tue, 22 Nov 2016, Dan Jurgens wrote: > >> +*out_sid = c->sid[0]; >> +} else { >> +*out_sid = SECINITSID_UNLABELED; >> +} > Per previous comment about the braces. The coding style says if one branch requires brackets the

Re: [PATCH v4 9/9] selinux: Add a cache for quicker retreival of PKey SIDs

2016-11-09 Thread Daniel Jurgens
On 11/9/2016 1:05 AM, Leon Romanovsky wrote: > On Tue, Nov 08, 2016 at 11:06:25PM +0200, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> It is likely that the SID for the same PKey will be requested many >> times. To reduce the time to modify QPs and process MADs u

Re: [PATCH v4 3/9] selinux lsm IB/core: Implement LSM notification system

2016-11-09 Thread Daniel Jurgens
On 11/8/2016 4:36 PM, kbuild test robot wrote: > Hi Daniel, > > [auto build test ERROR on rdma/master] > [also build test ERROR on v4.9-rc4] > [cannot apply to next-20161108] > [if your patch is applied to the wrong git tree, please drop us a note to > help improve the system] > > url: > https

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-23 Thread Daniel Jurgens
On 9/20/2016 6:43 PM, Paul Moore wrote: > On Tue, Sep 6, 2016 at 4:02 PM, Jason Gunthorpe > wrote: >> On Thu, Sep 01, 2016 at 02:06:46PM -0400, Paul Moore wrote: >> >>> Jason and/or Daniel, I think it would be helpful if you could explain >>> both the InifiniBand and IP based approaches for those

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread Daniel Jurgens
On 9/8/2016 1:38 PM, Jason Gunthorpe wrote: > On Thu, Sep 08, 2016 at 05:47:46PM +, Liran Liss wrote: > >> This patch-set enables partition-based isolation for Infiniband networks in >> a very intuitive manner, that's it. >> IB partitions don't have anything to do with VLANs. > You guys need t

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread Daniel Jurgens
On 9/8/2016 1:36 PM, Jason Gunthorpe wrote: > On Thu, Sep 08, 2016 at 04:44:36PM +0000, Daniel Jurgens wrote: > >> Net has variety of means of enforcement, one of which is controlling >> access to ports , which is the most like what >> I'm doing here. > No, the a

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread Daniel Jurgens
On 9/8/2016 11:20 AM, Jason Gunthorpe wrote: > On Thu, Sep 08, 2016 at 02:12:48PM +0000, Daniel Jurgens wrote: > >> It would have to include the port, but idea of using a device name >> for this is pretty ugly. makes it very easy to >> write a policy that can be dep

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread Daniel Jurgens
On 9/7/2016 7:01 PM, ira.weiny wrote: > On Tue, Sep 06, 2016 at 03:55:48PM -0600, Jason Gunthorpe wrote: >> On Tue, Sep 06, 2016 at 08:35:56PM +0000, Daniel Jurgens wrote: >> >>> I think to control access to a VLAN for RoCE there would have to >>> labels for GIDs,

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-06 Thread Daniel Jurgens
On 9/6/2016 3:02 PM, Jason Gunthorpe wrote: > On Thu, Sep 01, 2016 at 02:06:46PM -0400, Paul Moore wrote: > >> Jason and/or Daniel, I think it would be helpful if you could explain >> both the InifiniBand and IP based approaches for those of us who know >> SELinux, but not necessarily the RDMA and

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-08-30 Thread Daniel Jurgens
On 8/30/2016 1:56 PM, Jason Gunthorpe wrote: > > Are subsystems usually SELinux enabled in such a piecemeal way? > > Are you sure the 'partition' SELinux label should not be more general > to cover more of the similar RDMA cases? > > Jason > In order to label something you have to be able to descri

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-08-30 Thread Daniel Jurgens
On 8/30/2016 1:46 PM, Jason Gunthorpe wrote: > On Tue, Aug 30, 2016 at 02:06:53PM +0000, Daniel Jurgens wrote: > >> I don't this will be useful, RoCE doesn't have partitions/PKeys >> because it uses Ethernet as the transport instead of Infiniband. > The vlan

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-08-30 Thread Daniel Jurgens
On 8/30/2016 8:53 AM, Paul Moore wrote: > On Tue, Aug 30, 2016 at 3:46 AM, Leon Romanovsky wrote: >> On Mon, Aug 29, 2016 at 08:00:32PM -0400, Paul Moore wrote: >>> On Mon, Aug 29, 2016 at 5:48 PM, Daniel Jurgens >>> wrote: >>>> On 8/29/2016 4:40 PM, Paul

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-08-30 Thread Daniel Jurgens
On 8/29/2016 4:40 PM, Paul Moore wrote: > On Fri, Jul 29, 2016 at 9:53 AM, Dan Jurgens wrote: >> From: Daniel Jurgens > ... > >> Daniel Jurgens (9): >> IB/core: IB cache enhancements to support Infiniband security >> IB/core: Enforce PKey security on QPs &g

Re: [PATCH v2 8/9] selinux: Add IB Port SMP access vector

2016-07-28 Thread Daniel Jurgens
On 7/22/2016 2:26 PM, Paul Moore wrote: > On Thu, Jul 14, 2016 at 6:56 PM, Dan Jurgens wrote: > >> + audit_log_format(ab, " port=%u", a->u.ib_port->port); > Based on our other conversations, I'm guessing that should be " endport=%u"? I think port is fine there, device name and port

Re: [PATCH v2 5/9] selinux: Create policydb version for Infiniband support

2016-07-22 Thread Daniel Jurgens
On 7/22/2016 11:47 AM, Jason Gunthorpe wrote: > On Fri, Jul 22, 2016 at 12:29:25PM -0400, Paul Moore wrote: >> We had a discussion about this in the last patchset and I think things >> may have gotten confused. From what I remember, according to the IB >> developers the proper term is "end port";

Re: [PATCH v2 3/9] selinux lsm IB/core: Implement LSM notification system

2016-07-22 Thread Daniel Jurgens
On 7/22/2016 11:21 AM, Paul Moore wrote: > On Thu, Jul 14, 2016 at 6:56 PM, Dan Jurgens wrote: >> v2: >> - new patch that has the generic notification, replaces selinux and >> IB/core patches related to the ib_flush callback. Yuval Shaia and Paul >> Moore >> --- >> drivers/infiniband/core/dev

Re: [PATCH v2 0/9] SELinux support for Infiniband RDMA

2016-07-22 Thread Daniel Jurgens
On 7/22/2016 10:46 AM, Paul Moore wrote: > On Thu, Jul 14, 2016 at 6:56 PM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> The selinux next tree is missing some patches for IB/core. This series >> applies cleanly to ib-next, and should apply cleanly to selinux-next

Re: [PATCH 05/12] selinux: Implement Infiniband PKey "Access" access vector

2016-07-11 Thread Daniel Jurgens
On 7/11/2016 9:45 AM, Stephen Smalley wrote: > On 06/23/2016 03:52 PM, Dan Jurgens wrote: >> diff --git a/security/selinux/include/initial_sid_to_string.h >> b/security/selinux/include/initial_sid_to_string.h >> index a59b64e..8f2eefc 100644 >> --- a/security/selinux/include/initial_sid_to_string.

Re: [PATCH 04/12] selinux: Allocate and free infiniband security hooks

2016-07-05 Thread Daniel Jurgens
On 7/1/2016 3:13 PM, Casey Schaufler wrote: > On 7/1/2016 12:17 PM, Paul Moore wrote: >> On Fri, Jul 1, 2016 at 2:59 PM, Daniel Jurgens wrote: >>> On 7/1/2016 1:54 PM, Paul Moore wrote: >>>> On Thu, Jun 30, 2016 at 5:48 PM, Daniel Jurgens >>>> wrote: &

Re: [PATCH 05/12] selinux: Implement Infiniband PKey "Access" access vector

2016-07-05 Thread Daniel Jurgens
On 7/1/2016 2:26 PM, Paul Moore wrote: > On Fri, Jul 1, 2016 at 3:16 PM, Daniel Jurgens wrote: >> On 7/1/2016 1:59 PM, Paul Moore wrote: >>> On Fri, Jul 1, 2016 at 2:21 PM, Daniel Jurgens wrote: >>>> On 7/1/2016 11:29 AM, Paul Moore wrote: >>>>> I won

Re: [PATCH 05/12] selinux: Implement Infiniband PKey "Access" access vector

2016-07-05 Thread Daniel Jurgens
On 7/1/2016 1:59 PM, Paul Moore wrote: > On Fri, Jul 1, 2016 at 2:21 PM, Daniel Jurgens wrote: >> On 7/1/2016 11:29 AM, Paul Moore wrote: >>> I wondered about this earlier in the patchset when we were discussing >>> the policy format, and I'm still wo

Re: [PATCH 04/12] selinux: Allocate and free infiniband security hooks

2016-07-05 Thread Daniel Jurgens
On 7/1/2016 1:54 PM, Paul Moore wrote: > On Thu, Jun 30, 2016 at 5:48 PM, Daniel Jurgens wrote: >> On 6/30/2016 4:06 PM, Casey Schaufler wrote: >>> On 6/30/2016 1:42 PM, Paul Moore wrote: >>>>> }; >>>>> >>>>> /** >>>>&

Re: [PATCH 05/12] selinux: Implement Infiniband PKey "Access" access vector

2016-07-05 Thread Daniel Jurgens
On 7/1/2016 11:29 AM, Paul Moore wrote: > On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Add a type and access vector for PKeys. Implement the qp_pkey_access >> and mad_agent_pkey_access hooks to check that the caller has >> per

Re: [PATCH 02/12] selinux: Create policydb version for Infiniband support

2016-07-01 Thread Daniel Jurgens
On 7/1/2016 7:50 AM, Leon Romanovsky wrote: > On Thu, Jun 30, 2016 at 06:01:42PM +0300, Yuval Shaia wrote: >> On Thu, Jun 23, 2016 at 10:52:48PM +0300, Dan Jurgens wrote: >> >>> if (rc) >>> return rc; >>> br

Re: [PATCH 04/12] selinux: Allocate and free infiniband security hooks

2016-07-01 Thread Daniel Jurgens
On 6/30/2016 4:06 PM, Casey Schaufler wrote: > On 6/30/2016 1:42 PM, Paul Moore wrote: >> On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens wrote: >>> From: Daniel Jurgens >>> >>> Implement and attach hooks to allocate and free Infiniband QP and MAD >>>

Re: [PATCH 01/12] security: Add LSM hooks for Infiniband security

2016-07-01 Thread Daniel Jurgens
On 6/30/2016 4:27 PM, Paul Moore wrote: > On Thu, Jun 30, 2016 at 5:09 PM, Daniel Jurgens wrote: >> On 6/30/2016 3:28 PM, Paul Moore wrote: >>> On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens wrote: >>>> From: Daniel Jurgens >>>> >>>> Add

Re: [PATCH 02/12] selinux: Create policydb version for Infiniband support

2016-07-01 Thread Daniel Jurgens
On 6/30/2016 4:18 PM, Paul Moore wrote: > On Thu, Jun 30, 2016 at 4:59 PM, Daniel Jurgens wrote: >> On 6/30/2016 3:17 PM, Paul Moore wrote: >>> On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens wrote: >>>> From: Daniel Jurgens >>>> >>>> Support

Re: [PATCH 01/12] security: Add LSM hooks for Infiniband security

2016-07-01 Thread Daniel Jurgens
On 6/30/2016 3:33 PM, Paul Moore wrote: > On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens wrote: > >> diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h >> index 432bed5..3f6780b 100644 >> --- a/include/rdma/ib_verbs.h >> +++ b/include/rdma/ib_verbs.h >> @@ -1428,6 +1428,10 @@ struct ib_s

Re: [PATCH 01/12] security: Add LSM hooks for Infiniband security

2016-07-01 Thread Daniel Jurgens
On 6/30/2016 3:28 PM, Paul Moore wrote: > On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Add nine new hooks >> 1. Allocate security contexts for Infiniband QPs. >> 2. Free security contexts for Infiniband QPs. >> 3. Al

Re: [PATCH 02/12] selinux: Create policydb version for Infiniband support

2016-07-01 Thread Daniel Jurgens
On 6/30/2016 3:17 PM, Paul Moore wrote: > On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Support for Infiniband requires the addition of two new object contexts, >> one for infiniband PKeys and another IB End Ports. Added handlers t

Re: [PATCH 03/12] selinux: Implement Infiniband flush callback

2016-06-30 Thread Daniel Jurgens
On 6/30/2016 2:52 PM, Paul Moore wrote: > I'm still working on understanding IB, but my current thinking is very > similar to Yuval's suggestions. There is a risk of creating a general > purpose mechanism to solve a specific, isolated problem, but adding a > LSM notification mechanism does seem li

Re: [PATCH 03/12] selinux: Implement Infiniband flush callback

2016-06-30 Thread Daniel Jurgens
On 6/30/2016 10:10 AM, Yuval Shaia wrote: > On Thu, Jun 23, 2016 at 10:52:49PM +0300, Dan Jurgens wrote: > >> +static void (*ib_flush_callback)(void); > Do we really want to have such ib_ prefix in security/ directory? > >> +if (ib_flush_callback) >> +ib_flush_callba

Re: [PATCH 05/12] selinux: Implement Infiniband PKey "Access" access vector

2016-06-30 Thread Daniel Jurgens
On 6/30/2016 10:24 AM, Yuval Shaia wrote: > On Thu, Jun 23, 2016 at 10:52:51PM +0300, Dan Jurgens wrote: >> +if (c) { >> +if (!c->sid[0]) { >> +rc = sidtab_context_to_sid(&sidtab, >> + &c->context[0], >> +

Re: [PATCH 00/12] SELinux support for Infiniband RDMA

2016-06-30 Thread Daniel Jurgens
On 6/30/2016 9:43 AM, Yuval Shaia wrote: > Few extremely minor cosmetic suggestions to commit message. > Thanks Yuval, I'll address these in the eventual v2 series.

Re: [PATCH 00/12] SELinux support for Infiniband RDMA

2016-06-30 Thread Daniel Jurgens
On 6/29/2016 12:33 PM, Paul Moore wrote: > On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens wrote: >> When destroying a QP the ib_qp structure is freed by the hardware driver >> if the destroy is successful. This requires storing security related >> information in a separate structure. When a destroy

Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA

2016-04-14 Thread Daniel Jurgens
On 4/14/2016 11:26 AM, Ira Weiny wrote: > On Thu, Apr 14, 2016 at 01:11:15PM +0000, Daniel Jurgens wrote: >> On 4/13/2016 11:23 PM, Hefty, Sean wrote: >>>>>> Former (multicast modifications of fabric) also requires restricting >>>>>> arbitrary UD

Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA

2016-04-14 Thread Daniel Jurgens
On 4/13/2016 11:23 PM, Hefty, Sean wrote: Former (multicast modifications of fabric) also requires restricting arbitrary UD QPs as well as QP1 as SA access is QPn (n > 0) <-> QP1. >>> >>> The SA could have an option to ignore all requests that do not originate >> QP1, >>> then protect acc

Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA

2016-04-14 Thread Daniel Jurgens
On 4/13/2016 7:27 PM, Ira Weiny wrote: > On Wed, Apr 13, 2016 at 04:47:48PM +, Sean Hefty wrote: >>> Former (multicast modifications of fabric) also requires restricting >>> arbitrary UD QPs as well as QP1 as SA access is QPn (n > 0) <-> QP1. >> >> The SA could have an option to ignore all requ

Re: [RFC PATCH] selinux: always return a value from the netport/netnode/netif caches

2016-04-13 Thread Daniel Jurgens
On 4/13/2016 4:43 PM, Paul Moore wrote: > From: Paul Moore > > Even if we are under memory pressure and can't allocate a new cache > node we can still return the port/node/iface value we looked up from > the policy. > > Reported-by: Greg > Signed-off-by: Paul Moore > --- > security/selinux/ne

Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA

2016-04-13 Thread Daniel Jurgens
On 4/13/2016 7:10 AM, Hal Rosenstock wrote: > On 4/12/2016 1:58 PM, Jason Gunthorpe wrote: >> On Tue, Apr 12, 2016 at 05:06:45PM +, Hefty, Sean wrote: Wouldn't QP1 require different access control than QP0 due to SA clients on every end node ? >>> >>> QP1 still allows modification of

Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA

2016-04-12 Thread Daniel Jurgens
On 4/12/2016 12:12 AM, Hal Rosenstock wrote: > On 4/11/2016 7:35 PM, Daniel Jurgens wrote: >> On 4/11/2016 6:12 PM, Jason Gunthorpe wrote: >>> On Mon, Apr 11, 2016 at 10:30:54PM +0000, Daniel Jurgens wrote: >>> >>> Like I said, the user facing name shoul

Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA

2016-04-12 Thread Daniel Jurgens
On 4/11/2016 7:06 PM, Jason Gunthorpe wrote: > On Mon, Apr 11, 2016 at 11:35:57PM +0000, Daniel Jurgens wrote: > >> OK, I'll change idbev to ibendport and smi to qp0, or qpzero if the >> SELinux user space code doesn't allow numbers in access vector identifiers. >

Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA

2016-04-11 Thread Daniel Jurgens
On 4/11/2016 6:12 PM, Jason Gunthorpe wrote: > On Mon, Apr 11, 2016 at 10:30:54PM +0000, Daniel Jurgens wrote: > > Like I said, the user facing name should be QP0 in that case. > > Jason > OK, I'll change idbev to ibendport and smi to qp0, or qpzero if the SELinux user s

Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA

2016-04-11 Thread Daniel Jurgens
On 4/11/2016 5:12 PM, Jason Gunthorpe wrote: > On Mon, Apr 11, 2016 at 08:38:50PM +0000, Daniel Jurgens wrote: >>>> An Infiniband device (ibdev) is labeled by name and port number. There is >>>> a >>>> single access vector for ibdevs as well, called "s

Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA

2016-04-11 Thread Daniel Jurgens
On 4/11/2016 3:12 PM, Jason Gunthorpe wrote: > On Thu, Apr 07, 2016 at 02:33:45AM +0300, Dan Jurgens wrote: > >> Currently there is no way to provide granular access control to an Infiniband >> fabric. By providing an ability to restrict user access to specific virtual >> subfabrics administrator

Re: [RFC PATCH v2 11/13] ib/core: Enforce Infiniband device SMI security

2016-04-07 Thread Daniel Jurgens
On 4/7/2016 3:54 PM, Leon Romanovsky wrote: > On Thu, Apr 07, 2016 at 02:33:56AM +0300, Dan Jurgens wrote: >> +dev_err(&device->dev, >> +"%s: Access Denied. Err: %d\n", > > Please convert it to lower case. > Can malicious user flood the system with t

Re: [RFC PATCH v2 09/13] ib/core: Enforce PKey security when modifying QPs

2016-04-07 Thread Daniel Jurgens
On 4/7/2016 4:11 PM, l...@leon.nu wrote: > On Thu, Apr 07, 2016 at 09:02:43PM +0000, Daniel Jurgens wrote: >> On 4/7/2016 11:31 AM, Leon Romanovsky wrote: >>> On Thu, Apr 07, 2016 at 02:33:54AM +0300, Dan Jurgens wrote: >>> >>>> + if (sec->qp == sec->

Re: [RFC PATCH v2 09/13] ib/core: Enforce PKey security when modifying QPs

2016-04-07 Thread Daniel Jurgens
On 4/7/2016 11:31 AM, Leon Romanovsky wrote: > On Thu, Apr 07, 2016 at 02:33:54AM +0300, Dan Jurgens wrote: > >> +if (sec->qp == sec->qp->real_qp) { >> +/* The caller of this function holds the QP security >> + * mutex so this list traversal is safe >> +*/ >

Re: [RFC PATCH v2 09/13] ib/core: Enforce PKey security when modifying QPs

2016-04-07 Thread Daniel Jurgens
On 4/7/2016 12:40 PM, l...@leon.nu wrote: > On Thu, Apr 07, 2016 at 05:03:50PM +0000, Daniel Jurgens wrote: >> On 4/7/2016 11:31 AM, Leon Romanovsky wrote: >>> On Thu, Apr 07, 2016 at 02:33:54AM +0300, Dan Jurgens wrote: >>>> From: Daniel Jurgens &g

Re: [RFC PATCH v2 09/13] ib/core: Enforce PKey security when modifying QPs

2016-04-07 Thread Daniel Jurgens
On 4/7/2016 11:31 AM, Leon Romanovsky wrote: > On Thu, Apr 07, 2016 at 02:33:54AM +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> drivers/infiniband/core/core_priv.h | 41 >> drivers/infiniband/core/core_security.c | 331 >> +++

Re: [RFC PATCH v2 08/13] ib/core: IB cache enhancements to support Infiniband security

2016-04-07 Thread Daniel Jurgens
On 4/6/2016 9:53 PM, Leon Romanovsky wrote: > On Thu, Apr 07, 2016 at 02:33:53AM +0300, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> +int ret = 0; > > It is not needed, just return 0 directly. Okay On 4/7/2016 10:24 AM, Leon Romanovsky wrote: > On Thu, Ap

Re: [RFC PATCH 0/7] SELinux support for Infiniband RDMA

2016-04-05 Thread Daniel Jurgens
On 4/4/2016 8:55 PM, James Morris wrote: > On Tue, 5 Apr 2016, Daniel Jurgens wrote: > >> On 4/4/2016 8:13 PM, James Morris wrote: >>> On Tue, 5 Apr 2016, Dan Jurgens wrote: >>> >>>> From: Daniel Jurgens >>>> >>>>

Re: [RFC PATCH 1/7] security: Add LSM hooks for Infiniband security

2016-04-04 Thread Daniel Jurgens
On 4/4/2016 6:48 PM, Casey Schaufler wrote: > On 4/4/2016 2:48 PM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Add five new hooks >> 1. Allocate security contexts for Infiniband objects >> 2. Free security contexts for Infiniband objects >> 3. Enforc

Re: [RFC PATCH 0/7] SELinux support for Infiniband RDMA

2016-04-04 Thread Daniel Jurgens
On 4/4/2016 8:13 PM, James Morris wrote: > On Tue, 5 Apr 2016, Dan Jurgens wrote: > >> From: Daniel Jurgens >> >> Currently there is no way to provide granular access control to an Infiniband >> fabric. By providing an ability to restrict user access to