* [refpolicy] [PATCH 1/1] refpolicy: Infiniband pkeys and endports
@ 2017-05-17 15:45 Dan Jurgens
  2017-05-17 22:09 ` Chris PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Dan Jurgens @ 2017-05-17 15:45 UTC (permalink / raw)
  To: refpolicy

From: Daniel Jurgens <danielj@mellanox.com>

Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default; sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires the selinux series "SELinux user space support for
Infiniband RDMA", due to the new ibpkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
---
 Makefile                                |   2 +-
 Rules.modular                           |   2 +
 Rules.monolithic                        |   2 +
 policy/flask/access_vectors             |  10 ++
 policy/flask/security_classes           |   4 +
 policy/modules/kernel/corenetwork.if.in | 156 ++++++++++++++++++++++++++++++++
 policy/modules/kernel/corenetwork.if.m4 |  64 +++++++++++++
 policy/modules/kernel/corenetwork.te.in |  17 ++++
 policy/modules/kernel/corenetwork.te.m4 |  26 ++++++
 policy/modules/kernel/kernel.te         |   5 +
 policy/modules/roles/staff.te           |   5 +
 policy/modules/roles/sysadm.te          |   6 ++
 support/comment_move_decl.sed           |   2 +-
 13 files changed, 299 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index d19985eb..b4b2d43a 100644
--- a/Makefile
+++ b/Makefile
@@ -370,7 +370,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke
 	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
 	@echo "#" >> $@
 	$(verbose) cat $@.in >> $@
-	$(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+	$(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \
 		| $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
 		| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
 
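Review bot: the new grep alternation is grouped wrong. Because `|` binds loosest in an ERE, the pattern now reads as `^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)` OR `ib_(pkey|endport)\(.*\)`: the `network_*` alternative no longer requires the `\(.*\)` call syntax it had before, and the `ib_*` alternative is not anchored to the start of the line, so a comment such as `# ib_pkey(name, ...)` in corenetwork.te.in would be fed to m4 as a macro call. Put both names inside one group: `^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?|ib_(pkey|endport))\(.*\)`.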
diff --git a/Rules.modular b/Rules.modular
index 49d3cca9..331a979d 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -170,6 +170,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
 	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
 	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
 	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+	$(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
+	$(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
 
 $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
 	$(verbose) $(comment_move_decl) $^ > $@
diff --git a/Rules.monolithic b/Rules.monolithic
index ce112d78..80e00821 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -150,6 +150,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
 	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
 	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
 	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+	$(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
+	$(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
 
 $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
 	$(verbose) $(comment_move_decl) $^ > $@
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 69f69af8..520a3c28 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -926,6 +926,16 @@ inherits database
 	set_value
 }
 
+class infiniband_pkey
+{
+	access
+}
+
+class infiniband_endport
+{
+	manage_subnet
+}
+
 class db_language
 inherits database
 {
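Review bot: `infiniband_pkey` and `infiniband_endport` are kernel-enforced classes (the access checks happen in the kernel RDMA stack, which is why the commit message has kernel_t needing them), but they are inserted between the userspace `db_*` class definitions. Move the two definitions up with the other kernel classes so the file keeps its kernel/userspace split, and keep the order consistent with security_classes.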
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 18f18fd8..393621bf 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -139,6 +139,10 @@ class netlink_crypto_socket
 class x_pointer			# userspace
 class x_keyboard		# userspace
 
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
 # More Database stuff
 class db_schema			# userspace
 class db_view			# userspace
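Review bot: the two new classes land between `class x_keyboard # userspace` and the `db_*` userspace classes, although they are enforced by the kernel. The file lists kernel classes first (see `class netlink_crypto_socket` at the top of this hunk); move `class infiniband_pkey` and `class infiniband_endport` up next to the other kernel-enforced classes so readers and tooling do not take them for userspace object-manager classes.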
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 2101ea1b..62d90c6c 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -3134,3 +3134,159 @@ interface(`corenet_unconfined',`
 
 	typeattribute $1 corenet_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Define type to be an infiniband pkey type
+## </summary>
+## <desc>
+##	<p>
+##	Define type to be an infiniband pkey type
+##	</p>
+##	<p>
+##	This is for supporting third party modules and its
+##	use is not allowed in upstream reference policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used for network ports.
+##	</summary>
+## </param>
+#
+interface(`corenet_ibpkey',`
+	gen_require(`
+		attribute ibpkey_type;
+	')
+
+	typeattribute $1 ibpkey_type;
+')
+
+########################################
+## <summary>
+##	Access unlabeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_ibpkey_access_unlabeled_pkeys',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:infiniband_pkey { access };
+')
+
+########################################
+## <summary>
+##	Access all labeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_ibpkey_access_all_labeled_pkeys',`
+	gen_require(`
+		attribute ibpkey_type;
+	')
+
+	allow $1 ibpkey_type:infiniband_pkey { access };
+')
+
+########################################
+## <summary>
+##	Access all infiniband pkeys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_ibpkey_access_all_pkeys',`
+	corenet_ibpkey_access_all_labeled_pkeys($1)
+	corenet_ibpkey_access_unlabeled_pkeys($1)
+')
+
+########################################
+## <summary>
+##	Define type to be an infiniband endport
+## </summary>
+## <desc>
+##	<p>
+##	Define type to be an infiniband endport
+##	</p>
+##	<p>
+##	This is for supporting third party modules and its
+##	use is not allowed in upstream reference policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used for infiniband endports.
+##	</summary>
+## </param>
+#
+interface(`corenet_ibendport',`
+	gen_require(`
+		attribute ibendport_type;
+	')
+
+	typeattribute $1 ibendport_type;
+')
+
+########################################
+## <summary>
+##	Manage subnets on all labeled Infiniband endports
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_ibendport_manage_subnet_all_labeled_endports',`
+	gen_require(`
+		attribute ibendport_type;
+	')
+
+	allow $1 ibendport_type:infiniband_endport { manage_subnet };
+')
+
+########################################
+## <summary>
+##	Manage subnet on all unlabeled Infiniband endports
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_ibendport_manage_subnet_unlabeled_endports',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:infiniband_endport { manage_subnet };
+')
+
+########################################
+## <summary>
+##	Manage subnet on all infiniband endports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_ibendport_manage_subnet_all_endports',`
+	corenet_ibendport_manage_subnet_unlabeled_endports($1)
+	corenet_ibendport_manage_subnet_all_labeled_endports($1)
+')
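Review bot: the `<param>` summary of `corenet_ibpkey` is copied from the port interface and is wrong here: `Type to be used for network ports.` should read `Type to be used for infiniband pkeys.`, matching the endport counterpart. Two further points: `unlabeled_t` is owned by the kernel module, so `corenet_ibpkey_access_unlabeled_pkeys` and `corenet_ibendport_manage_subnet_unlabeled_endports` should not `gen_require` the type directly; add the rules as `kernel_*_unlabeled_*` interfaces in kernel.if and call those from here. The braces in `{ access }` and `{ manage_subnet }` are also unnecessary for a single permission.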
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
index 468fb344..12050937 100644
--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -776,6 +776,48 @@ interface(`corenet_relabelto_$1_packets',`
 ')
 '') dnl end create_port_interfaces
 
+define(`create_ibpkey_interfaces',``
+########################################
+## <summary>
+##	Access the infiniband fabric on the $1 ibpkey.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_ibpkey_access_$1_pkey',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:infiniband_pkey { access };
+')
+'') dnl end create_ibpkey_interfaces
+
+define(`create_ibendport_interfaces',``
+########################################
+## <summary>
+##	Manage the subnet on $1 ibendport.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_ibendport_manage_subnet_$1_endport',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:infiniband_endport { manage_subnet };
+')
+'') dnl end create_ibendport_interfaces
+
 #
 # create_netif_*_interfaces(linux_interfacename)
 #
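Review bot: `create_ibpkey_interfaces` and `create_ibendport_interfaces` take `$2`/`$3` (type suffix and the `type`/`attribute` keyword) the way `create_port_interfaces` does, but unlike the port macros they have exactly one caller each, always passing `ibpkey_t,type` or `ibendport_t,type`. The indirection buys nothing; either hard-code `type $1_ibpkey_t;` / `type $1_ibendport_t;` in the `gen_require` or add a comment explaining which attribute-based caller is expected later.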
@@ -851,3 +893,25 @@ define(`network_packet',`
 create_packet_interfaces($1_client)
 create_packet_interfaces($1_server)
 ')
+
+# create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity)
+# (these wrap create_port_interfaces to handle attributes and types)
+define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))')
+
+#
+# ib_pkey(name,subnet_prefix pkeynum mls_sensitivity)
+#
+define(`ib_pkey',`
+create_ibpkey_type_interfaces($*)
+')
+
+# create_ibendport_*_interfaces(name, devname, portnum,mls_sensitivity)
+# (these wrap create_port_interfaces to handle attributes and types)
+define(`create_ibendport_type_interfaces',`create_ibendport_interfaces($1,ibendport_t,type,determine_reserved_capability(shift($*)))')
+
+#
+# ib_endport(name,device_name, portnum mls_sensitivity)
+#
+define(`ib_endport',`
+create_ibendport_type_interfaces($*)
+')
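Review bot: `determine_reserved_capability(shift($*))` is evaluated in both `create_ibpkey_type_interfaces` and `create_ibendport_type_interfaces`, but its result (the fourth argument) is never used by the `create_ib*_interfaces` bodies, and that macro exists to classify TCP/UDP port numbers, which makes no sense for a subnet prefix or a device name; drop the argument. The comments `(these wrap create_port_interfaces to handle attributes and types)` are copy-pasted and should name the ib macros, and the usage lines `ib_pkey(name,subnet_prefix pkeynum mls_sensitivity)` and `ib_endport(name,device_name, portnum mls_sensitivity)` are missing commas.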
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 1ca96d38..bc8ee090 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,8 @@ attribute port_type;
 attribute reserved_port_type;
 attribute rpc_port_type;
 attribute server_packet_type;
+attribute ibpkey_type;
+attribute ibendport_type;
 # This is an optimization for { port_type -reserved_port_type }
 attribute unreserved_port_type;
 
@@ -346,6 +348,15 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 
 ########################################
 #
+# Infiniband Pkeys
+#
+#
+# unlabeled_t is the default type of infiniband pkeys.
+#
+ib_pkey(default, fe80::,0xFFFF,s1)
+
+########################################
+#
 # Unconfined access to this module
 #
 
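Review bot: `ib_pkey(default, fe80::,0xFFFF,s1)` declares the default partition at sensitivity `s1`, which will make `ibpkeycon fe80:: 0xFFFF gen_context(system_u:object_r:default_ibpkey_t,s1)` the only object context in this module not at `s0`, and the commit message gives no reason for placing it above the system low level in an MLS build. Use `s0` unless this is deliberate, and if it is, say why in a comment. The comment `unlabeled_t is the default type of infiniband pkeys.` immediately followed by a type named `default_ibpkey_t` also invites confusion: reword it so that `default` clearly refers to the InfiniBand default partition key 0xFFFF, not to the default SELinux label.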
@@ -358,3 +369,9 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 # Bind to any network address.
 allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
 allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+
+# Infiniband
+optional_policy(`
+	corenet_ibpkey_access_all_pkeys(corenet_unconfined_type)
+	corenet_ibendport_manage_subnet_all_endports(corenet_unconfined_type)
+')
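Review bot: the `optional_policy()` wrapper around `corenet_ibpkey_access_all_pkeys(corenet_unconfined_type)` and `corenet_ibendport_manage_subnet_all_endports(corenet_unconfined_type)` is unnecessary: both interfaces are defined in this module, and the surrounding unconfined rules in this section are plain `allow` statements. Write them the same way, e.g. `allow corenet_unconfined_type ibpkey_type:infiniband_pkey access;`, so the section stays uniform.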
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
index 3f6e1688..380e64f3 100644
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -111,3 +111,29 @@ define(`network_packet',`
 type $1_client_packet_t, packet_type, client_packet_type;
 type $1_server_packet_t, packet_type, server_packet_type;
 ')
+
+define(`declare_ibpkeycons',`dnl
+ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl
+')
+
+#
+# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])
+#
+define(`ib_pkey',`
+type $1_ibpkey_t, ibpkey_type;
+ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl
+')
+
+define(`declare_ibendportcons',`dnl
+ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl
+')
+
+#
+# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]])
+#
+define(`ib_endport',`
+type $1_ibendport_t, ibendport_type;
+ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
+')
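Review bot: typo in the usage comment `ib_pkey(nam, subnet_prefix, ...)`: `nam` should be `name`. The macros also accept any number of (prefix, number, sensitivity) triples but nothing guards against a truncated list: if the trailing sensitivity is omitted, `$4` is empty and `gen_context(system_u:object_r:$1,)` is emitted. A comment stating that every triple needs all three fields, or an `errprint` when `$4` is empty, would turn that into a build-time error instead of a surprise at policy load.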
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 89923242..e107feca 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -449,6 +449,11 @@ optional_policy(`
 	unconfined_domain_noaudit(kernel_t)
 ')
 
+optional_policy(`
+	corenet_ibpkey_access_all_pkeys(kernel_t)
+	corenet_ibendport_manage_subnet_all_endports(kernel_t)
+')
+
 ########################################
 #
 # Unlabeled process local policy
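Review bot: `optional_policy()` is not needed around the two `corenet_*` calls; corenetwork is a base module and kernel.te already calls other `corenet_*` interfaces unconditionally. Move `corenet_ibpkey_access_all_pkeys(kernel_t)` and `corenet_ibendport_manage_subnet_all_endports(kernel_t)` next to the existing corenet rules for kernel_t. Since this grants kernel_t every labeled and unlabeled pkey plus subnet management on every endport, carry the commit message's justification (management datagram routing, HCA configuration) into a comment on these lines.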
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 27c2fffa..91a1a555 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -15,6 +15,11 @@ userdom_unpriv_user_template(staff)
 #
 
 optional_policy(`
+	corenet_ibpkey_access_default_pkey(staff_t)
+	corenet_ibpkey_access_unlabeled_pkeys(staff_t)
+')
+
+optional_policy(`
 	apache_role(staff_r, staff_t)
 ')
 
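Review bot: same `optional_policy()` issue as in kernel.te: `corenet_*` interfaces come from the base corenetwork module, and the new block also breaks the alphabetical ordering of the optional blocks in this file by landing ahead of `apache_role`. Put `corenet_ibpkey_access_default_pkey(staff_t)` and `corenet_ibpkey_access_unlabeled_pkeys(staff_t)` with the unconditional interface calls above the optional section. Separately, granting staff_t `access` on unlabeled pkeys means every partition that was not given an `ibpkeycon` is reachable from an unprivileged user domain; consider gating that call behind a tunable so deployments that label their partitions can switch it off.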
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 54df4354..dbc5d08f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -277,6 +277,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	corenet_ibpkey_access_default_pkey(sysadm_t)
+	corenet_ibpkey_access_unlabeled_pkeys(sysadm_t)
+	corenet_ibendport_manage_subnet_unlabeled_endports(sysadm_t)
+')
+
+optional_policy(`
 	couchdb_admin(sysadm_t, sysadm_r)
 ')
 
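Review bot: drop the `optional_policy()` wrapper here as well and place the three `corenet_*` calls with the other unconditional sysadm_t rules; corenetwork is always built. Note in a comment that `corenet_ibendport_manage_subnet_unlabeled_endports(sysadm_t)` amounts to subnet-manager capability on every endport, since the commit message says endports are all unlabeled by default; that is reasonable for sysadm_t, but the scope of the grant should be visible at the call site.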
diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
index 00b94b6a..90813480 100644
--- a/support/comment_move_decl.sed
+++ b/support/comment_move_decl.sed
@@ -6,7 +6,7 @@
 /optional \{/,/} # end optional/b nextline
 
 /^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/
-/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/
-- 
2.12.2
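The labeling model this patch sets up, explicit ibpkeycon statements for known partitions, everything else resolving to unlabeled_t, and staff/sysadm being granted the unlabeled set, is easy to get wrong at deployment time: any partition an administrator forgets to label silently becomes reachable. The checker below is an added example for this thread, not code from the patch, from refpolicy or from the SELinux userspace. It parses ibpkeycon statements in the `ibpkeycon <subnet_prefix> <pkey>[-<pkey>] <context>` syntax accepted by checkpolicy, resolves a list of fabric partitions against them (first matching statement wins, and overlapping ranges are reported separately so ordering never matters), and groups the partitions by the type they would get. The three sample statements and the partition list are constructed; `storage_ibpkey_t`, `mgmt_ibpkey_t`, `other_ibpkey_t` and the pkey values are invented for the illustration.

```python
"""Audit which InfiniBand pkeys a set of ibpkeycon statements leaves unlabeled.

Added example for this thread; not part of the refpolicy patch or of any
SELinux tool. Statements are parsed in checkpolicy syntax:

    ibpkeycon <subnet_prefix> <pkey> <context>
    ibpkeycon <subnet_prefix> <low>-<high> <context>

Partitions with no matching statement are what the kernel labels
unlabeled_t, i.e. the set the patch lets staff_t and sysadm_t reach.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Tuple

_IBPKEYCON = re.compile(
    r"^\s*ibpkeycon\s+(\S+)\s+(0x[0-9a-fA-F]+|\d+)"
    r"(?:-(0x[0-9a-fA-F]+|\d+))?\s+(\S+)\s*$"
)


class PkeyRule(NamedTuple):
    prefix: int   # upper 64 bits of the subnet GID prefix, e.g. 0xfe80000000000000
    low: int      # first pkey of the range (inclusive), 16-bit
    high: int     # last pkey of the range (inclusive), 16-bit
    type: str     # SELinux type taken from the context, e.g. default_ibpkey_t


def subnet_prefix_to_int(text: str) -> int:
    """Parse a subnet prefix written as an IPv6 address (fe80::) to its 64-bit value."""
    addr = int(ipaddress.IPv6Address(text))
    if addr & ((1 << 64) - 1):
        # A subnet prefix is only the top 64 bits; interface-ID bits mean a typo.
        raise ValueError(f"{text}: not a bare subnet prefix")
    return addr >> 64


def parse_ibpkeycon(policy_text: str) -> List[PkeyRule]:
    """Extract every ibpkeycon statement; comments and other rules are ignored."""
    rules = []
    for line in policy_text.splitlines():
        m = _IBPKEYCON.match(line)
        if not m:
            continue
        low = int(m.group(2), 0)
        high = int(m.group(3), 0) if m.group(3) else low
        if not 0 <= low <= high <= 0xFFFF:
            raise ValueError(f"bad pkey range in: {line.strip()}")
        fields = m.group(4).split(":")  # user:role:type[:mls]
        if len(fields) < 3:
            raise ValueError(f"bad security context in: {line.strip()}")
        rules.append(PkeyRule(subnet_prefix_to_int(m.group(1)), low, high, fields[2]))
    return rules


def label_pkey(rules: List[PkeyRule], subnet_prefix: str, pkey: int) -> str:
    """Return the type assigned by the first matching statement, else unlabeled_t."""
    prefix = subnet_prefix_to_int(subnet_prefix)
    for rule in rules:
        if rule.prefix == prefix and rule.low <= pkey <= rule.high:
            return rule.type
    return "unlabeled_t"


def find_overlaps(rules: List[PkeyRule]) -> List[Tuple[PkeyRule, PkeyRule]]:
    """Pairs of statements on the same subnet whose pkey ranges intersect."""
    return [
        (a, b)
        for i, a in enumerate(rules)
        for b in rules[i + 1:]
        if a.prefix == b.prefix and a.low <= b.high and b.low <= a.high
    ]


def audit(policy_text: str,
          partitions: List[Tuple[str, int]]) -> Dict[str, List[Tuple[str, int]]]:
    """Group fabric partitions by the SELinux type they would resolve to."""
    rules = parse_ibpkeycon(policy_text)
    report: Dict[str, List[Tuple[str, int]]] = {}
    for prefix, pkey in partitions:
        report.setdefault(label_pkey(rules, prefix, pkey), []).append((prefix, pkey))
    return report


# Constructed sample: the patch's default partition plus two invented site labels.
SAMPLE_POLICY = """
# comments and other statements are skipped
ibpkeycon fe80:: 0xFFFF system_u:object_r:default_ibpkey_t:s0
ibpkeycon fe80:: 0x8001-0x8010 system_u:object_r:storage_ibpkey_t:s0
ibpkeycon fe80:: 0x8020 system_u:object_r:mgmt_ibpkey_t:s0
"""

# Constructed partition list, as an administrator might dump it from the subnet manager.
SAMPLE_PARTITIONS = [
    ("fe80::", 0xFFFF),
    ("fe80::", 0x8005),
    ("fe80::", 0x8020),
    ("fe80::", 0x8042),        # no statement: unlabeled_t
    ("fe80:0:0:1::", 0xFFFF),  # other subnet: the fe80:: statement does not apply
]

if __name__ == "__main__":
    for selinux_type, members in sorted(audit(SAMPLE_POLICY, SAMPLE_PARTITIONS).items()):
        print(selinux_type)
        for prefix, pkey in members:
            print(f"    {prefix} 0x{pkey:04x}")
    for a, b in find_overlaps(parse_ibpkeycon(SAMPLE_POLICY)):
        print(f"overlap: {a} / {b}")
```

Everything reported under unlabeled_t is what the patch's `corenet_ibpkey_access_unlabeled_pkeys()` grant exposes to staff_t. The second subnet prefix in the sample shows that the default statement `ib_pkey(default, fe80::,0xFFFF,s1)` only covers fabrics whose subnet prefix really is fe80::; on any other subnet the default partition itself falls back to unlabeled_t.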


* [refpolicy] [PATCH 1/1] refpolicy: Infiniband pkeys and endports
  2017-05-17 15:45 [refpolicy] [PATCH 1/1] refpolicy: Infiniband pkeys and endports Dan Jurgens
@ 2017-05-17 22:09 ` Chris PeBenito
  2017-05-18 11:39   ` Daniel Jurgens
  0 siblings, 1 reply; 5+ messages in thread
From: Chris PeBenito @ 2017-05-17 22:09 UTC (permalink / raw)
  To: refpolicy

On 05/17/2017 11:45 AM, Dan Jurgens via refpolicy wrote:
> From: Daniel Jurgens <danielj@mellanox.com>
>
> Every Infiniband network will have a default pkey, so that is labeled.
> The rest of the pkey configuration is network specific. The policy allows
> access to the default and unlabeled pkeys for sysadm and staff users.
> kernel_t is allowed access to all pkeys, which it needs to process and
> route management datagrams.
>
> Endports are all unlabeled by default; sysadm users are allowed to
> manage the subnet on unlabeled endports. kernel_t is allowed to manage
> the subnet on all ibendports, which is required for configuring the HCA.
>
> This patch requires the selinux series "SELinux user space support for
> Infiniband RDMA", due to the new ibpkeycon labeling mechanism.
>
> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> ---
>  Makefile                                |   2 +-
>  Rules.modular                           |   2 +
>  Rules.monolithic                        |   2 +
>  policy/flask/access_vectors             |  10 ++
>  policy/flask/security_classes           |   4 +
>  policy/modules/kernel/corenetwork.if.in | 156 ++++++++++++++++++++++++++++++++
>  policy/modules/kernel/corenetwork.if.m4 |  64 +++++++++++++
>  policy/modules/kernel/corenetwork.te.in |  17 ++++
>  policy/modules/kernel/corenetwork.te.m4 |  26 ++++++
>  policy/modules/kernel/kernel.te         |   5 +
>  policy/modules/roles/staff.te           |   5 +
>  policy/modules/roles/sysadm.te          |   6 ++
>  support/comment_move_decl.sed           |   2 +-
>  13 files changed, 299 insertions(+), 2 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index d19985eb..b4b2d43a 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -370,7 +370,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke
>  	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
>  	@echo "#" >> $@
>  	$(verbose) cat $@.in >> $@
> -	$(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
> +	$(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \
>  		| $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
>  		| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
>
> diff --git a/Rules.modular b/Rules.modular
> index 49d3cca9..331a979d 100644
> --- a/Rules.modular
> +++ b/Rules.modular
> @@ -170,6 +170,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
>  	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
>  	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
>  	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
> +	$(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
> +	$(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
>
>  $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
>  	$(verbose) $(comment_move_decl) $^ > $@
> diff --git a/Rules.monolithic b/Rules.monolithic
> index ce112d78..80e00821 100644
> --- a/Rules.monolithic
> +++ b/Rules.monolithic
> @@ -150,6 +150,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
>  	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
>  	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
>  	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
> +	$(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
> +	$(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
>
>  $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
>  	$(verbose) $(comment_move_decl) $^ > $@
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 69f69af8..520a3c28 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -926,6 +926,16 @@ inherits database
>  	set_value
>  }
>
> +class infiniband_pkey
> +{
> +	access
> +}
> +
> +class infiniband_endport
> +{
> +	manage_subnet
> +}
> +
>  class db_language
>  inherits database
>  {
> diff --git a/policy/flask/security_classes b/policy/flask/security_classes
> index 18f18fd8..393621bf 100644
> --- a/policy/flask/security_classes
> +++ b/policy/flask/security_classes
> @@ -139,6 +139,10 @@ class netlink_crypto_socket
>  class x_pointer			# userspace
>  class x_keyboard		# userspace
>
> +# Infiniband
> +class infiniband_pkey
> +class infiniband_endport
> +
>  # More Database stuff
>  class db_schema			# userspace
>  class db_view			# userspace
> diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
> index 2101ea1b..62d90c6c 100644
> --- a/policy/modules/kernel/corenetwork.if.in
> +++ b/policy/modules/kernel/corenetwork.if.in
> @@ -3134,3 +3134,159 @@ interface(`corenet_unconfined',`
>
>  	typeattribute $1 corenet_unconfined_type;
>  ')
> +
> +########################################
> +## <summary>
> +##	Define type to be an infiniband pkey type
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Define type to be an infiniband pkey type
> +##	</p>
> +##	<p>
> +##	This is for supporting third party modules and its
> +##	use is not allowed in upstream reference policy.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be used for network ports.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_ibpkey',`
> +	gen_require(`
> +		attribute ibpkey_type;
> +	')
> +
> +	typeattribute $1 ibpkey_type;
> +')
> +
> +########################################
> +## <summary>
> +##	Access unlabeled infiniband pkeys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_ibpkey_access_unlabeled_pkeys',`

I'm wondering if we could simplify these interface names a little, such 
as corenet_ib_access_unlabeled_pkeys().  It would also change the above 
and below interface names to corenet_ib_pkey() and corenet_ib_endport().


> +	gen_require(`
> +		type unlabeled_t;
> +	')
> +
> +	allow $1 unlabeled_t:infiniband_pkey { access };

Here and below the patch, I'd prefer to skip the unnecessary braces 
around the single permission, to keep the visual clutter down.

Additionally, the challenge is that unlabeled_t doesn't belong to this 
module, so it shouldn't be referenced directly.


> +')
> +
> +########################################
> +## <summary>
> +##	Access all labeled infiniband pkeys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_ibpkey_access_all_labeled_pkeys',`

I think the "labeled" should be dropped here and in the later interfaces, as 
it is inconsistent with how we handle interface naming for accessing 
attributes.


> +	gen_require(`
> +		attribute ibpkey_type;
> +	')
> +
> +	allow $1 ibpkey_type:infiniband_pkey { access };
> +')
> +
> +########################################
> +## <summary>
> +##	Access all infiniband pkeys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_ibpkey_access_all_pkeys',`
> +	corenet_ibpkey_access_all_labeled_pkeys($1)
> +	corenet_ibpkey_access_unlabeled_pkeys($1)

This would drop with the above revision.

> +')
> +
> +########################################
> +## <summary>
> +##	Define type to be an infiniband endport
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Define type to be an infiniband endport
> +##	</p>
> +##	<p>
> +##	This is for supporting third party modules and its
> +##	use is not allowed in upstream reference policy.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be used for infiniband endports.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_ibendport',`
> +	gen_require(`
> +		attribute ibendport_type;
> +	')
> +
> +	typeattribute $1 ibendport_type;
> +')
> +
> +########################################
> +## <summary>
> +##	Manage subnets on all labeled Infiniband endports
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_ibendport_manage_subnet_all_labeled_endports',`
> +	gen_require(`
> +		attribute ibendport_type;
> +	')
> +
> +	allow $1 ibendport_type:infiniband_endport { manage_subnet };
> +')
> +
> +########################################
> +## <summary>
> +##	Manage subnet on all unlabeled Infiniband endports
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_ibendport_manage_subnet_unlabeled_endports',`
> +	gen_require(`
> +		type unlabeled_t;
> +	')
> +
> +	allow $1 unlabeled_t:infiniband_endport { manage_subnet };
> +')
> +
> +########################################
> +## <summary>
> +##	Manage subnet on all infiniband endports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_ibendport_manage_subnet_all_endports',`
> +	corenet_ibendport_manage_subnet_unlabeled_endports($1)
> +	corenet_ibendport_manage_subnet_all_labeled_endports($1)
> +')
> diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
> index 468fb344..12050937 100644
> --- a/policy/modules/kernel/corenetwork.if.m4
> +++ b/policy/modules/kernel/corenetwork.if.m4
> @@ -776,6 +776,48 @@ interface(`corenet_relabelto_$1_packets',`
>  ')
>  '') dnl end create_port_interfaces
>
> +define(`create_ibpkey_interfaces',``
> +########################################
> +## <summary>
> +##	Access the infiniband fabric on the $1 ibpkey.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_ibpkey_access_$1_pkey',`
> +	gen_require(`
> +		$3 $1_$2;
> +	')
> +
> +	allow dollarsone $1_$2:infiniband_pkey { access };
> +')
> +'') dnl end create_ibpkey_interfaces
> +
> +define(`create_ibendport_interfaces',``
> +########################################
> +## <summary>
> +##	Manage the subnet on $1 ibendport.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_ibendport_manage_subnet_$1_endport',`
> +	gen_require(`
> +		$3 $1_$2;
> +	')
> +
> +	allow dollarsone $1_$2:infiniband_endport { manage_subnet };
> +')
> +'') dnl end create_ibendport_interfaces
> +
>  #
>  # create_netif_*_interfaces(linux_interfacename)
>  #
> @@ -851,3 +893,25 @@ define(`network_packet',`
>  create_packet_interfaces($1_client)
>  create_packet_interfaces($1_server)
>  ')
> +
> +# create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity)
> +# (these wrap create_port_interfaces to handle attributes and types)
> +define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))')
> +
> +#
> +# ib_pkey(name,subnet_prefix pkeynum mls_sensitivity)
> +#
> +define(`ib_pkey',`
> +create_ibpkey_type_interfaces($*)
> +')
> +
> +# create_ibendport_*_interfaces(name, devname, portnum,mls_sensitivity)
> +# (these wrap create_port_interfaces to handle attributes and types)
> +define(`create_ibendport_type_interfaces',`create_ibendport_interfaces($1,ibendport_t,type,determine_reserved_capability(shift($*)))')
> +
> +#
> +# ib_endport(name,device_name, portnum mls_sensitivity)
> +#
> +define(`ib_endport',`
> +create_ibendport_type_interfaces($*)
> +')
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index 1ca96d38..bc8ee090 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -16,6 +16,8 @@ attribute port_type;
>  attribute reserved_port_type;
>  attribute rpc_port_type;
>  attribute server_packet_type;
> +attribute ibpkey_type;
> +attribute ibendport_type;
>  # This is an optimization for { port_type -reserved_port_type }
>  attribute unreserved_port_type;
>
> @@ -346,6 +348,15 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
>
>  ########################################
>  #
> +# Infiniband Pkeys
> +#
> +#
> +# unlabeled_t is the default type of infiniband pkeys.
> +#
> +ib_pkey(default, fe80::,0xFFFF,s1)
> +
> +########################################
> +#
>  # Unconfined access to this module
>  #
>
> @@ -358,3 +369,9 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
>  # Bind to any network address.
>  allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
>  allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
> +
> +# Infiniband
> +optional_policy(`
> +	corenet_ibpkey_access_all_pkeys(corenet_unconfined_type)
> +	corenet_ibendport_manage_subnet_all_endports(corenet_unconfined_type)
> +')
> diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
> index 3f6e1688..380e64f3 100644
> --- a/policy/modules/kernel/corenetwork.te.m4
> +++ b/policy/modules/kernel/corenetwork.te.m4
> @@ -111,3 +111,29 @@ define(`network_packet',`
>  type $1_client_packet_t, packet_type, client_packet_type;
>  type $1_server_packet_t, packet_type, server_packet_type;
>  ')
> +
> +define(`declare_ibpkeycons',`dnl
> +ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4)
> +ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl
> +')
> +
> +#
> +# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])
> +#
> +define(`ib_pkey',`
> +type $1_ibpkey_t, ibpkey_type;
> +ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl
> +')
> +
> +define(`declare_ibendportcons',`dnl
> +ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4)
> +ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl
> +')
> +
> +#
> +# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]])
> +#
> +define(`ib_endport',`
> +type $1_ibendport_t, ibendport_type;
> +ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
> +')
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 89923242..e107feca 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -449,6 +449,11 @@ optional_policy(`
>  	unconfined_domain_noaudit(kernel_t)
>  ')
>
> +optional_policy(`
> +	corenet_ibpkey_access_all_pkeys(kernel_t)
> +	corenet_ibendport_manage_subnet_all_endports(kernel_t)
> +')
> +
>  ########################################
>  #
>  # Unlabeled process local policy
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 27c2fffa..91a1a555 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -15,6 +15,11 @@ userdom_unpriv_user_template(staff)
>  #
>
>  optional_policy(`
> +	corenet_ibpkey_access_default_pkey(staff_t)
> +	corenet_ibpkey_access_unlabeled_pkeys(staff_t)
> +')
> +
> +optional_policy(`
>  	apache_role(staff_r, staff_t)
>  ')
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 54df4354..dbc5d08f 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -277,6 +277,12 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	corenet_ibpkey_access_default_pkey(sysadm_t)
> +	corenet_ibpkey_access_unlabeled_pkeys(sysadm_t)
> +	corenet_ibendport_manage_subnet_unlabeled_endports(sysadm_t)
> +')
> +
> +optional_policy(`
>  	couchdb_admin(sysadm_t, sysadm_r)
>  ')
>
> diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
> index 00b94b6a..90813480 100644
> --- a/support/comment_move_decl.sed
> +++ b/support/comment_move_decl.sed
> @@ -6,7 +6,7 @@
>  /optional \{/,/} # end optional/b nextline
>
>  /^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/
> -/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
> +/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/
>  /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
>  /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
>  /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/
>


-- 
Chris PeBenito


* [refpolicy] [PATCH 1/1] refpolicy: Infiniband pkeys and endports
  2017-05-17 22:09 ` Chris PeBenito
@ 2017-05-18 11:39   ` Daniel Jurgens
  2017-05-22 22:59     ` Chris PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel Jurgens @ 2017-05-18 11:39 UTC (permalink / raw)
  To: refpolicy

On 5/17/2017 5:10 PM, Chris PeBenito wrote:
> On 05/17/2017 11:45 AM, Dan Jurgens via refpolicy wrote:
>> From: Daniel Jurgens <danielj@mellanox.com>
>>
>> +########################################
>> +## <summary>
>> +##	Access unlabeled infiniband pkeys.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`corenet_ibpkey_access_unlabeled_pkeys',`
> I'm wondering if we could simplify these interface names a little, such 
> as corenet_ib_access_unlabeled_pkeys().  It would also change the above 
> and below interface names to corenet_ib_pkey() and corenet_ib_endport().
I can shorten the names.

>
>> +	gen_require(`
>> +		type unlabeled_t;
>> +	')
>> +
>> +	allow $1 unlabeled_t:infiniband_pkey { access };
> Here and below the patch, I'd prefer to skip the unnecessary braces 
> around the single permission, to keep the visual clutter down.
>
> Additionally, the challenge is that unlabeled_t doesn't belong to this 
> module, so it shouldn't be referenced directly.

I'd like to allow access to all unlabeled pkeys out of the box; most infiniband users will want that type of behavior.  Since there's no initial SID for pkeys they are unlabeled_t by default.

Can you suggest a way to do this without a direct reference to unlabeled_t?

>
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##	Access all labeled infiniband pkeys.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`corenet_ibpkey_access_all_labeled_pkeys',`
> I think the "labeled" should be dropped here and in later interfaces, as 
> it is inconsistent with how we handle interface naming for accessing 
> attributes.
>

Here I'd like to have a difference between all pkeys (labeled or unlabeled, which kernel_t needs permission for) and only those that are unlabeled (for sysadm and staff roles).  The resolution of this comment is related to the question I asked above.


* [refpolicy] [PATCH 1/1] refpolicy: Infiniband pkeys and endports
  2017-05-18 11:39   ` Daniel Jurgens
@ 2017-05-22 22:59     ` Chris PeBenito
  2017-05-23 14:45       ` Daniel Jurgens
  0 siblings, 1 reply; 5+ messages in thread
From: Chris PeBenito @ 2017-05-22 22:59 UTC (permalink / raw)
  To: refpolicy

On 05/18/2017 07:39 AM, Daniel Jurgens wrote:
> On 5/17/2017 5:10 PM, Chris PeBenito wrote:
>> On 05/17/2017 11:45 AM, Dan Jurgens via refpolicy wrote:
>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>
>>> +########################################
>>> +## <summary>
>>> +##	Access unlabeled infiniband pkeys.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`corenet_ibpkey_access_unlabeled_pkeys',`
>> I'm wondering if we could simplify these interface names a little, such
>> as corenet_ib_access_unlabeled_pkeys().  It would also change the above
>> and below interface names to corenet_ib_pkey() and corenet_ib_endport().
> I can shorten the names.
>
>>
>>> +	gen_require(`
>>> +		type unlabeled_t;
>>> +	')
>>> +
>>> +	allow $1 unlabeled_t:infiniband_pkey { access };
>> Here and below the patch, I'd prefer to skip the unnecessary braces
>> around the single permission, to keep the visual clutter down.
>>
>> Additionally, the challenge is that unlabeled_t doesn't belong to this
>> module, so it shouldn't be referenced directly.
>
> I'd like to allow access to all unlabeled pkeys out of the box; most infiniband users will want that type of behavior.  Since there's no initial SID for pkeys they are unlabeled_t by default.
>
> Can you suggest a way to do this without a direct reference to unlabeled_t?

See the unlabeled packet interface in corenetwork for an example.

>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +##	Access all labeled infiniband pkeys.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`corenet_ibpkey_access_all_labeled_pkeys',`
>> I think the "labeled" should be dropped here and in later interfaces, as
>> it is inconsistent with how we handle interface naming for accessing
>> attributes.
>>
>
> Here I'd like to have a difference between all pkeys (labeled or unlabeled, which kernel_t needs permission for) and only those that are unlabeled (for sysadm and staff roles).  The resolution of this comment is related to the question I asked above.

The way to do that is to have an interface for unlabeled pkeys and one 
for all pkeys, which would be pkeys that have a specific label.  Then if 
you need access to both, you call both interfaces.

-- 
Chris PeBenito
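The indirection Chris points to, written out as an added example in refpolicy style (not code from this thread or from the refpolicy tree): the unlabeled-pkeys interface adds the caller to an attribute instead of naming unlabeled_t, the rule that names unlabeled_t is written in kernel.te where that type is declared, and a domain needing both labeled and unlabeled pkeys calls both interfaces. Assumed names: corenet_unlabeled_type is the attribute the existing unlabeled-packet interface uses, ibpkey_type is assumed by analogy with ibendport_type in the patch, and the shortened corenet_ib_ names follow the suggestion earlier in the thread.

```m4
# ---- corenetwork.if.in (assumed excerpt, not the patch's code) ----
########################################
## <summary>
##	Access unlabeled infiniband pkeys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_ib_access_unlabeled_pkeys',`
	gen_require(`
		attribute corenet_unlabeled_type;
	')

	# Only the attribute is touched here; the allow rule that names
	# unlabeled_t lives in kernel.te, the module that declares that type.
	typeattribute $1 corenet_unlabeled_type;
')

########################################
## <summary>
##	Access all labeled infiniband pkeys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_ib_access_all_pkeys',`
	gen_require(`
		attribute ibpkey_type;
	')

	# ibpkey_type is assumed to collect every type declared by ib_pkey(),
	# mirroring the ibendport_type attribute in the patch.
	allow $1 ibpkey_type:infiniband_pkey access;
')

# ---- kernel.te (assumed excerpt): the owner of unlabeled_t writes the rule ----
allow corenet_unlabeled_type unlabeled_t:infiniband_pkey access;

# ---- a caller that needs both labeled and unlabeled pkeys, e.g. kernel_t ----
corenet_ib_access_unlabeled_pkeys(kernel_t)
corenet_ib_access_all_pkeys(kernel_t)
```

A domain such as staff_t that should see only the default and unlabeled pkeys calls just the unlabeled interface (plus the default-pkey one), and never gains the labeled set unless a policy author deliberately adds the second call.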


* [refpolicy] [PATCH 1/1] refpolicy: Infiniband pkeys and endports
  2017-05-22 22:59     ` Chris PeBenito
@ 2017-05-23 14:45       ` Daniel Jurgens
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel Jurgens @ 2017-05-23 14:45 UTC (permalink / raw)
  To: refpolicy

On 5/22/2017 5:59 PM, Chris PeBenito wrote:
> On 05/18/2017 07:39 AM, Daniel Jurgens wrote:
>> On 5/17/2017 5:10 PM, Chris PeBenito wrote:
>>> On 05/17/2017 11:45 AM, Dan Jurgens via refpolicy wrote:
>>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>>
>>>> +########################################
>>>> +## <summary>
>>>> +##	Access unlabeled infiniband pkeys.
>>>> +## </summary>
>>>> +## <param name="domain">
>>>> +##	<summary>
>>>> +##	Domain allowed access.
>>>> +##	</summary>
>>>> +## </param>
>>>> +#
>>>> +interface(`corenet_ibpkey_access_unlabeled_pkeys',`
>>> I'm wondering if we could simplify these interface names a little, such
>>> as corenet_ib_access_unlabeled_pkeys().  It would also change the above
>>> and below interface names to corenet_ib_pkey() and corenet_ib_endport().
>> I can shorten the names.
>>
>>>> +	gen_require(`
>>>> +		type unlabeled_t;
>>>> +	')
>>>> +
>>>> +	allow $1 unlabeled_t:infiniband_pkey { access };
>>> Here and below the patch, I'd prefer to skip the unnecessary braces
>>> around the single permission, to keep the visual clutter down.
>>>
>>> Additionally, the challenge is that unlabeled_t doesn't belong to this
>>> module, so it shouldn't be referenced directly.
>> I'd like to allow access to all unlabeled pkeys out of the box; most infiniband users will want that type of behavior.  Since there's no initial SID for pkeys they are unlabeled_t by default.
>>
>> Can you suggest a way to do this without a direct reference to unlabeled_t?
> See the unlabeled packet interface in corenetwork for an example.
>
>>>> +')
>>>> +
>>>> +########################################
>>>> +## <summary>
>>>> +##	Access all labeled infiniband pkeys.
>>>> +## </summary>
>>>> +## <param name="domain">
>>>> +##	<summary>
>>>> +##	Domain allowed access.
>>>> +##	</summary>
>>>> +## </param>
>>>> +#
>>>> +interface(`corenet_ibpkey_access_all_labeled_pkeys',`
>>> I think the "labeled" should be dropped here and in later interfaces, as
>>> it is inconsistent with how we handle interface naming for accessing
>>> attributes.
>>>
>> Here I'd like to have a difference between all pkeys (labeled or unlabeled, which kernel_t needs permission for) and only those that are unlabeled (for sysadm and staff roles).  The resolution of this comment is related to the question I asked above.
> The way to do that is to have an interface for unlabeled pkeys and one 
> for all pkeys, which would be pkeys that have a specific label.  Then if 
> you need access to both, you call both interfaces.
>
Thank you, Chris. I've addressed your comments and sent v1.


Thread overview:
2017-05-17 15:45 [refpolicy] [PATCH 1/1] refpolicy: Infiniband pkeys and endports Dan Jurgens
2017-05-17 22:09 ` Chris PeBenito
2017-05-18 11:39   ` Daniel Jurgens
2017-05-22 22:59     ` Chris PeBenito
2017-05-23 14:45       ` Daniel Jurgens
