Re: Secondary process access control mechanism

DPDK patches and discussions
 help / color / mirror / Atom feed

From: Stephen Hemminger <stephen@networkplumber.org>
To: "Morten Brørup" <mb@smartsharesystems.com>
Cc: "Anatoly Burakov" <anatoly.burakov@intel.com>, <dev@dpdk.org>
Subject: Re: Secondary process access control mechanism
Date: Wed, 9 Jul 2025 14:20:39 -0700	[thread overview]
Message-ID: <20250709142039.283dcaf8@hermes.local> (raw)
In-Reply-To: <98CBD80474FA8B44BF855DF32C47DC35E9FDAD@smartserver.smartshare.dk>

On Wed, 9 Jul 2025 20:02:30 +0200
Morten Brørup <mb@smartsharesystems.com> wrote:

> Are there any access control mechanisms to govern what a secondary process can do to a primary process?
> 
> Let's say I'm running a primary process, and want to allow only authorized secondary processes to attach to it. No unauthorized secondary processes should be able to attach to it.
> 
> I assume there is no fine grained control over which features various secondary processes can access.
> 
> 
> Med venlig hilsen / Kind regards,
> -Morten Brørup
> 

No DPDK does not have any access control mechanism itself. But it the wrong place to do it.
What you want to protect is access to hugepages and device memory as well as the unix domain
socket channel to the primary process. For the typical case where both run as root, there really
isn't anything that can be done. But if you want security, the DPDK primary process should
be running in a container with only certain privledges granted. And the container isolation
would protect it.

     prev parent reply	other threads:[~2025-07-09 21:20 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-09 18:02 Morten Brørup
2025-07-09 21:20 ` Stephen Hemminger [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250709142039.283dcaf8@hermes.local \
    --to=stephen@networkplumber.org \
    --cc=anatoly.burakov@intel.com \
    --cc=dev@dpdk.org \
    --cc=mb@smartsharesystems.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).