On 31/12/2015 16:41, Yuval Shaia wrote:
> To support security applications, that need to filter out connections based
> on SGID, an ioctl command to retrieve SGID of a given socket is added.
Could you elaborate on the security applications? How do you see this ioctl
being used?
> diff --git a/drivers/infiniband/ulp/ipoib/ipoib_ioctl.c
> b/drivers/infiniband/ulp/ipoib/ipoib_ioctl.c
> new file mode 100644
> index 0000000..124d545
> --- /dev/null
> +++ b/drivers/infiniband/ulp/ipoib/ipoib_ioctl.c
> +static int ipoib_get_sguid(struct net_device *dev, int fd, u64 *sgid,
> + u64 *subnet_prefix)
A GID is composed of a GUID and a subnet prefix.
> +{
> + struct socket *sock;
> + struct inet_sock *inetsock;
> + struct neighbour *neigh;
> + int rc = 0;
> + union ib_gid *gid;
> + struct list_head *dev_list = 0;
> + struct ipoib_dev_priv *priv = netdev_priv(dev);
> + u16 pkey_index = priv->pkey_index;
> + struct ipoib_dev_priv *child_priv;
> +
> + sock = sockfd_lookup(fd, &rc);
> + if (IS_ERR_OR_NULL(sock))
> + return -EINVAL;
> +
> + inetsock = inet_sk(sock->sk);
> +
> + neigh = neigh_lookup(&arp_tbl, &inetsock->inet_daddr, dev);
Also, isn't inet_daddr the destination address? But the function claims
to return the SGID. I guess these can be ambiguous but still it seems
confusing.
> + if (!IS_ERR_OR_NULL(neigh))
> + goto found;
> +
> + /* If not found try in all other ipoib devices */
> + dev_list = ipoib_get_dev_list(priv->ca);
> + if (!dev_list)
> + return -EINVAL;
> +
> + list_for_each_entry(priv, dev_list, list) {
This list can contain devices that belong to a different namespace. It
doesn't make sense to do a neighbor lookup on these. Also, you can simply use
neigh_lookup_nodev if you don't care about the device.
> + if (priv->pkey_index == pkey_index) {
> + neigh = neigh_lookup(&arp_tbl, &inetsock->inet_daddr,
> + priv->dev);
> + if (!IS_ERR_OR_NULL(neigh))
> + goto found;
> + }
> + list_for_each_entry(child_priv, &priv->child_intfs, list) {
> + if (child_priv->pkey_index == pkey_index) {
> + neigh = neigh_lookup(&arp_tbl,
> + &inetsock->inet_daddr,
> + child_priv->dev);
> + if (!IS_ERR_OR_NULL(neigh))
> + goto found;
> + }
> + }
> + }
> +
> + return -ENODEV;
> +
> +found:
> + if (!(neigh->nud_state & NUD_VALID))
> + return -EINVAL;
> +
> + gid = (union ib_gid *)(neigh->ha + 4);
If you just take the GID from the hardware address why not do that from
userspace?
Why do you need a new ioctl to do that for you?
> + *sgid = be64_to_cpu(gid->global.interface_id);
> + *subnet_prefix = be64_to_cpu(gid->global.subnet_prefix);
> +
> + neigh_release(neigh);
> +
> + return 0;
> +}
Regards,
Haggai
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
