From: Dan Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> To: chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org, paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org, sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org, eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org, dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org, hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org Cc: selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org, linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, yevgenyp-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org, Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> Subject: [PATCH v3 0/9] SELinux support for Infiniband RDMA Date: Fri, 29 Jul 2016 16:53:27 +0300 [thread overview] Message-ID: <1469800416-125043-1-git-send-email-danielj@mellanox.com> (raw) From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> The selinux next tree is missing some patches for IB/core. This series applies cleanly to ib-next, and should apply cleanly to selinux-next once the IB patches are merged. Currently there is no way to provide granular access control to an Infiniband fabric. By providing an ability to restrict user access to specific virtual subfabrics, administrators can limit access to bandwidth and isolate users on the fabric. The approach for controlling access for Infiniband is to control access to partitions. A partition is similar in concept to a VLAN where each data packet carries the partition key (PKey) in its header and isolation is enforced by the hardware. The partition key is not a cryptographic key, it's a 16 bit number identifying the partition. By controlling access to PKeys, users can be isolated on the fabric. Every Infiniband fabric must have a subnet manager. The subnet manager provisions the partitions and configures the end nodes. Each end port has a PKey table containing the partitions it can access. In order to enforce access to partitions, the subnet management interface (SMI) must also be controlled to prevent unauthorized changes to the fabric configuration. In order to support this there must be a capability to provide security contexts for two new types of objects - PKeys and IB ports. A PKey label consists of a subnet prefix and a range of PKey values and is similar to the labeling mechanism for netports. Each Infiniband port can reside on a different subnet, labeling the PKey values for specific subnet prefixes provides the user maximum flexibility. There is a single access vector for PKeys called "access". An Infiniband port is labeled by name and port number. There is a single access vector for IB ports called "manage_subnet". Because RDMA allows kernel bypass, enforcement must be done during connection setup. Communication over RDMA requires a send and receive queue called a queue pair (QP). During the creation of a QP it is initialized before it can be used to send or receive data. During initialization the user must provide the PKey and port the QP will use, at this time access can be enforced. Because there is a possibility that the enforcement settings or security policy can change, a means of notifying the ib_core module of such changes is required. To facilitate this a generic notification callback mechanism is added to the LSM. One callback is registered for checking the QP PKey associations when the policy changes. Mad agents also register a callback, they cache the permission to send and receive SMPs to avoid another per packet call to the LSM. Because frequent accesses to the same PKey's SID is expected a cache is implemented which is very similar to the netport cache. In order to properly enforce security when changes to the PKey table or security policy or enforcement occur ib_core must track which QPs are using which port, pkey index, and alternate path for every IB device. This makes operations that used to be atomic transactional. When modifying a QP, ib_core must associate it with the PKey index, port, and alternate path specified. If the QP was already associated with different settings, the QP is added to the new list prior to the modification. If the modify succeeds then the old listing is removed. If the modify fails the new listing is removed and the old listing remains unchanged. When destroying a QP the ib_qp structure is freed by the decive specific driver (i.e. mlx4_ib) if the 'destroy' is successful. This requires storing security related information in a separate structure. When a 'destroy' request is in process the ib_qp structure is in an undefined state so if there are changes to the security policy or PKey table, the security checks cannot reset the QP if it doesn't have permission for the new setting. If the 'destroy' fails, security for that QP must be enforced again and its status in the list is restored. If the 'destroy' succeeds the security info can be cleaned up and freed. There are a number of locks required to protect the QP security structure and the QP to device/port/pkey index lists. If multiple locks are required, the safe locking order is: QP security structure mutex first, followed by any list locks needed, which are sorted first by port followed by pkey index. --- v2: - Use void* blobs in the LSM hooks. Paul Moore - Make the policy change callback generic. Yuval Shaia, Paul Moore - Squash LSM changes into the patches where the calls are added. Paul Moore - Don't add new initial SIDs. Stephen Smalley - Squash MAD agent PKey and SMI patches. Dan Jurgens - Changed ib_end_port to ib_port. Paul Moore - Changed ib_port access vector from smp to manage_subnet. Paul Moore - Added pkey and ib_port details to the audit log. Paul Moore - See individual patches for more detail. v3: - ib_port -> ib_endport. Paul Moore - use notifier chains for LSM notifications. Paul Moore - reorder parameters in hooks to put security blob first. Paul Moore - Don't treat device name as untrusted string in audit log. Paul Moore Daniel Jurgens (9): IB/core: IB cache enhancements to support Infiniband security IB/core: Enforce PKey security on QPs selinux lsm IB/core: Implement LSM notification system IB/core: Enforce security on management datagrams selinux: Create policydb version for Infiniband support selinux: Allocate and free infiniband security hooks selinux: Implement Infiniband PKey "Access" access vector selinux: Add IB Port SMP access vector selinux: Add a cache for quicker retreival of PKey SIDs drivers/infiniband/core/Makefile | 3 +- drivers/infiniband/core/cache.c | 57 ++- drivers/infiniband/core/core_priv.h | 115 ++++++ drivers/infiniband/core/device.c | 86 +++++ drivers/infiniband/core/mad.c | 52 ++- drivers/infiniband/core/security.c | 709 +++++++++++++++++++++++++++++++++++ drivers/infiniband/core/uverbs_cmd.c | 20 +- drivers/infiniband/core/verbs.c | 27 +- include/linux/lsm_audit.h | 37 +- include/linux/lsm_hooks.h | 35 ++ include/linux/security.h | 35 ++ include/rdma/ib_mad.h | 4 + include/rdma/ib_verbs.h | 49 +++ security/Kconfig | 9 + security/lsm_audit.c | 18 + security/security.c | 59 +++ security/selinux/Makefile | 2 +- security/selinux/hooks.c | 80 +++- security/selinux/ibpkey.c | 245 ++++++++++++ security/selinux/include/classmap.h | 4 + security/selinux/include/ibpkey.h | 31 ++ security/selinux/include/objsec.h | 11 + security/selinux/include/security.h | 7 +- security/selinux/selinuxfs.c | 2 + security/selinux/ss/policydb.c | 130 ++++++- security/selinux/ss/policydb.h | 27 +- security/selinux/ss/services.c | 83 ++++ 27 files changed, 1879 insertions(+), 58 deletions(-) create mode 100644 drivers/infiniband/core/security.c create mode 100644 security/selinux/ibpkey.c create mode 100644 security/selinux/include/ibpkey.h -- 1.8.3.1 -- To unsubscribe from this list: send the line "unsubscribe linux-rdma" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Dan Jurgens <danielj@mellanox.com> To: chrisw@sous-sol.org, paul@paul-moore.com, sds@tycho.nsa.gov, eparis@parisplace.org, dledford@redhat.com, sean.hefty@intel.com, hal.rosenstock@gmail.com Cc: selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, linux-rdma@vger.kernel.org, yevgenyp@mellanox.com, Daniel Jurgens <danielj@mellanox.com> Subject: [PATCH v3 0/9] SELinux support for Infiniband RDMA Date: Fri, 29 Jul 2016 16:53:27 +0300 [thread overview] Message-ID: <1469800416-125043-1-git-send-email-danielj@mellanox.com> (raw) From: Daniel Jurgens <danielj@mellanox.com> The selinux next tree is missing some patches for IB/core. This series applies cleanly to ib-next, and should apply cleanly to selinux-next once the IB patches are merged. Currently there is no way to provide granular access control to an Infiniband fabric. By providing an ability to restrict user access to specific virtual subfabrics, administrators can limit access to bandwidth and isolate users on the fabric. The approach for controlling access for Infiniband is to control access to partitions. A partition is similar in concept to a VLAN where each data packet carries the partition key (PKey) in its header and isolation is enforced by the hardware. The partition key is not a cryptographic key, it's a 16 bit number identifying the partition. By controlling access to PKeys, users can be isolated on the fabric. Every Infiniband fabric must have a subnet manager. The subnet manager provisions the partitions and configures the end nodes. Each end port has a PKey table containing the partitions it can access. In order to enforce access to partitions, the subnet management interface (SMI) must also be controlled to prevent unauthorized changes to the fabric configuration. In order to support this there must be a capability to provide security contexts for two new types of objects - PKeys and IB ports. A PKey label consists of a subnet prefix and a range of PKey values and is similar to the labeling mechanism for netports. Each Infiniband port can reside on a different subnet, labeling the PKey values for specific subnet prefixes provides the user maximum flexibility. There is a single access vector for PKeys called "access". An Infiniband port is labeled by name and port number. There is a single access vector for IB ports called "manage_subnet". Because RDMA allows kernel bypass, enforcement must be done during connection setup. Communication over RDMA requires a send and receive queue called a queue pair (QP). During the creation of a QP it is initialized before it can be used to send or receive data. During initialization the user must provide the PKey and port the QP will use, at this time access can be enforced. Because there is a possibility that the enforcement settings or security policy can change, a means of notifying the ib_core module of such changes is required. To facilitate this a generic notification callback mechanism is added to the LSM. One callback is registered for checking the QP PKey associations when the policy changes. Mad agents also register a callback, they cache the permission to send and receive SMPs to avoid another per packet call to the LSM. Because frequent accesses to the same PKey's SID is expected a cache is implemented which is very similar to the netport cache. In order to properly enforce security when changes to the PKey table or security policy or enforcement occur ib_core must track which QPs are using which port, pkey index, and alternate path for every IB device. This makes operations that used to be atomic transactional. When modifying a QP, ib_core must associate it with the PKey index, port, and alternate path specified. If the QP was already associated with different settings, the QP is added to the new list prior to the modification. If the modify succeeds then the old listing is removed. If the modify fails the new listing is removed and the old listing remains unchanged. When destroying a QP the ib_qp structure is freed by the decive specific driver (i.e. mlx4_ib) if the 'destroy' is successful. This requires storing security related information in a separate structure. When a 'destroy' request is in process the ib_qp structure is in an undefined state so if there are changes to the security policy or PKey table, the security checks cannot reset the QP if it doesn't have permission for the new setting. If the 'destroy' fails, security for that QP must be enforced again and its status in the list is restored. If the 'destroy' succeeds the security info can be cleaned up and freed. There are a number of locks required to protect the QP security structure and the QP to device/port/pkey index lists. If multiple locks are required, the safe locking order is: QP security structure mutex first, followed by any list locks needed, which are sorted first by port followed by pkey index. --- v2: - Use void* blobs in the LSM hooks. Paul Moore - Make the policy change callback generic. Yuval Shaia, Paul Moore - Squash LSM changes into the patches where the calls are added. Paul Moore - Don't add new initial SIDs. Stephen Smalley - Squash MAD agent PKey and SMI patches. Dan Jurgens - Changed ib_end_port to ib_port. Paul Moore - Changed ib_port access vector from smp to manage_subnet. Paul Moore - Added pkey and ib_port details to the audit log. Paul Moore - See individual patches for more detail. v3: - ib_port -> ib_endport. Paul Moore - use notifier chains for LSM notifications. Paul Moore - reorder parameters in hooks to put security blob first. Paul Moore - Don't treat device name as untrusted string in audit log. Paul Moore Daniel Jurgens (9): IB/core: IB cache enhancements to support Infiniband security IB/core: Enforce PKey security on QPs selinux lsm IB/core: Implement LSM notification system IB/core: Enforce security on management datagrams selinux: Create policydb version for Infiniband support selinux: Allocate and free infiniband security hooks selinux: Implement Infiniband PKey "Access" access vector selinux: Add IB Port SMP access vector selinux: Add a cache for quicker retreival of PKey SIDs drivers/infiniband/core/Makefile | 3 +- drivers/infiniband/core/cache.c | 57 ++- drivers/infiniband/core/core_priv.h | 115 ++++++ drivers/infiniband/core/device.c | 86 +++++ drivers/infiniband/core/mad.c | 52 ++- drivers/infiniband/core/security.c | 709 +++++++++++++++++++++++++++++++++++ drivers/infiniband/core/uverbs_cmd.c | 20 +- drivers/infiniband/core/verbs.c | 27 +- include/linux/lsm_audit.h | 37 +- include/linux/lsm_hooks.h | 35 ++ include/linux/security.h | 35 ++ include/rdma/ib_mad.h | 4 + include/rdma/ib_verbs.h | 49 +++ security/Kconfig | 9 + security/lsm_audit.c | 18 + security/security.c | 59 +++ security/selinux/Makefile | 2 +- security/selinux/hooks.c | 80 +++- security/selinux/ibpkey.c | 245 ++++++++++++ security/selinux/include/classmap.h | 4 + security/selinux/include/ibpkey.h | 31 ++ security/selinux/include/objsec.h | 11 + security/selinux/include/security.h | 7 +- security/selinux/selinuxfs.c | 2 + security/selinux/ss/policydb.c | 130 ++++++- security/selinux/ss/policydb.h | 27 +- security/selinux/ss/services.c | 83 ++++ 27 files changed, 1879 insertions(+), 58 deletions(-) create mode 100644 drivers/infiniband/core/security.c create mode 100644 security/selinux/ibpkey.c create mode 100644 security/selinux/include/ibpkey.h -- 1.8.3.1
next reply other threads:[~2016-07-29 13:53 UTC|newest] Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-07-29 13:53 Dan Jurgens [this message] 2016-07-29 13:53 ` [PATCH v3 0/9] SELinux support for Infiniband RDMA Dan Jurgens 2016-07-29 13:53 ` [PATCH v3 1/9] IB/core: IB cache enhancements to support Infiniband security Dan Jurgens [not found] ` <1469800416-125043-1-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> 2016-07-29 13:53 ` [PATCH v3 2/9] IB/core: Enforce PKey security on QPs Dan Jurgens 2016-07-29 13:53 ` Dan Jurgens 2016-07-29 13:53 ` [PATCH v3 3/9] selinux lsm IB/core: Implement LSM notification system Dan Jurgens 2016-07-29 13:53 ` Dan Jurgens [not found] ` <1469800416-125043-4-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> 2016-07-29 22:40 ` kbuild test robot 2016-07-29 22:40 ` kbuild test robot 2016-09-01 1:35 ` Paul Moore 2016-07-29 13:53 ` [PATCH v3 4/9] IB/core: Enforce security on management datagrams Dan Jurgens 2016-07-29 13:53 ` Dan Jurgens 2016-07-29 13:53 ` [PATCH v3 5/9] selinux: Create policydb version for Infiniband support Dan Jurgens 2016-07-29 13:53 ` Dan Jurgens [not found] ` <1469800416-125043-6-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> 2016-09-01 1:39 ` Paul Moore 2016-09-01 1:39 ` Paul Moore 2016-07-29 13:53 ` [PATCH v3 9/9] selinux: Add a cache for quicker retreival of PKey SIDs Dan Jurgens 2016-07-29 13:53 ` Dan Jurgens 2016-07-29 13:53 ` [PATCH v3 6/9] selinux: Allocate and free infiniband security hooks Dan Jurgens 2016-07-29 13:53 ` [PATCH v3 7/9] selinux: Implement Infiniband PKey "Access" access vector Dan Jurgens 2016-07-29 13:53 ` [PATCH v3 8/9] selinux: Add IB Port SMP " Dan Jurgens 2016-08-29 21:40 ` [PATCH v3 0/9] SELinux support for Infiniband RDMA Paul Moore 2016-08-29 21:48 ` Daniel Jurgens 2016-08-30 0:00 ` Paul Moore 2016-08-30 7:46 ` Leon Romanovsky 2016-08-30 13:53 ` Paul Moore 2016-08-30 14:06 ` Daniel Jurgens 2016-08-30 14:06 ` Daniel Jurgens [not found] ` <VI1PR0501MB242949202A1DA23E5C8E1E8AC4E00-o1MPJYiShEyB6Z+oivrBG8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-08-30 15:01 ` Leon Romanovsky 2016-08-30 15:01 ` Leon Romanovsky 2016-08-30 18:46 ` Jason Gunthorpe 2016-08-30 18:52 ` Daniel Jurgens 2016-08-30 18:52 ` Daniel Jurgens 2016-08-30 18:55 ` Jason Gunthorpe 2016-08-30 19:10 ` Daniel Jurgens 2016-08-30 19:10 ` Daniel Jurgens 2016-09-01 16:34 ` Jason Gunthorpe [not found] ` <20160901163418.GA6479-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org> 2016-09-01 18:06 ` Paul Moore 2016-09-01 18:06 ` Paul Moore 2016-09-06 20:02 ` Jason Gunthorpe 2016-09-06 20:35 ` Daniel Jurgens 2016-09-06 20:35 ` Daniel Jurgens 2016-09-06 21:55 ` Jason Gunthorpe 2016-09-08 0:01 ` ira.weiny 2016-09-08 14:12 ` Daniel Jurgens 2016-09-08 14:12 ` Daniel Jurgens 2016-09-08 16:19 ` Jason Gunthorpe 2016-09-08 16:44 ` Daniel Jurgens 2016-09-08 16:44 ` Daniel Jurgens 2016-09-08 18:36 ` Jason Gunthorpe 2016-09-08 18:59 ` Daniel Jurgens 2016-09-08 18:59 ` Daniel Jurgens 2016-09-08 19:32 ` Jason Gunthorpe 2016-09-21 16:16 ` ira.weiny [not found] ` <20160921161626.GA27837-W4f6Xiosr+yv7QzWx2u06xL4W9x8LtSr@public.gmane.org> 2016-09-22 15:04 ` Liran Liss 2016-09-22 15:04 ` Liran Liss [not found] ` <20160908161948.GA21614-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org> 2016-09-08 19:14 ` ira.weiny 2016-09-08 19:14 ` ira.weiny 2016-09-08 19:35 ` Jason Gunthorpe 2016-09-15 1:52 ` ira.weiny [not found] ` <DB6PR0501MB2422EA34EED4EE35EE7B1D28C4FB0-wTfl6qNNZ1ODMMyMbWtEF8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-09-08 17:47 ` Liran Liss 2016-09-08 17:47 ` Liran Liss 2016-09-08 18:37 ` Jason Gunthorpe 2016-09-08 19:01 ` Daniel Jurgens 2016-09-08 19:01 ` Daniel Jurgens 2016-09-08 18:34 ` ira.weiny 2016-09-20 23:43 ` Paul Moore 2016-09-23 13:26 ` Daniel Jurgens 2016-09-23 13:26 ` Daniel Jurgens [not found] ` <VI1PR0501MB24299E036F1FCD335A2C2049C4C80-o1MPJYiShEyB6Z+oivrBG8DSnupUy6xnnBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> 2016-09-29 22:16 ` Paul Moore 2016-09-29 22:16 ` Paul Moore [not found] ` <CAHC9VhShCgxonV1rN-J7LyezamzZtKNZ1SR7ywnTB9Kgia_u1w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2016-09-29 22:41 ` Jason Gunthorpe 2016-09-29 22:41 ` Jason Gunthorpe 2016-09-30 19:59 ` Paul Moore [not found] ` <CAHC9VhTBW9VsMHag41x1GWUbwPQeLngi8_iq9CPuQ=UMxDebkg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2016-09-30 20:46 ` Jason Gunthorpe 2016-09-30 20:46 ` Jason Gunthorpe 2016-09-26 18:17 ` Jason Gunthorpe [not found] ` <20160830074607.GN594-2ukJVAZIZ/Y@public.gmane.org> 2016-08-30 15:02 ` Or Gerlitz 2016-08-30 15:02 ` Or Gerlitz
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1469800416-125043-1-git-send-email-danielj@mellanox.com \ --to=danielj-vpraknaxozvwk0htik3j/w@public.gmane.org \ --cc=chrisw-69jw2NvuJkxg9hUCZPvPmw@public.gmane.org \ --cc=dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \ --cc=eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org \ --cc=hal.rosenstock-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \ --cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \ --cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \ --cc=paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org \ --cc=sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \ --cc=sean.hefty-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org \ --cc=selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org \ --cc=yevgenyp-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.