* [RFC PATCH 0/7] SELinux support for Infiniband RDMA
@ 2016-04-04 21:48 Dan Jurgens
From: Dan Jurgens @ 2016-04-04 21:48 UTC (permalink / raw)
  To: selinux-+05T5uksL2qpZYMLLGbcSA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	yevgenyp-VPRAkNaXOzVWk0Htik3J/w, Daniel Jurgens

From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

Currently there is no way to provide granular access control to an Infiniband
fabric.  By providing an ability to restrict user access to specific virtual
subfabrics administrators can limit access to bandwidth and isolate users on
the fabric.

The approach for controlling access for Infiniband is to control access to
partitions.  A partition is similar in concept to a VLAN where each data packet
carries the partition key (PKey) in its header and isolation is enforced by
the hardware.  The partition key is not a cryptographic key, it's a 16 bit
number identifying the partition.  By controlling access to PKeys users can be
isolated on the fabric.

All Infiniband fabrics must have a subnet manager.  The subnet manager
provisions the partitions and configures the end nodes.  Each end port has a
PKey table containing all the partitions it can access.  In order to enforce
access to partitions the subnet management interface (SMI) must also be
controlled to prevent unauthorized changes to the fabric configuration. 

In order to support this there must be a capability to provide security
contexts for two new types of objects - PKeys and SMIs.

A PKey label consists of a subnet prefix and a range of PKey values and is
similar to the labeling mechanism for netports.  Each port of an Infiniband
device can reside on a different subnet; labeling the PKey values for specific
subnet prefixes provides the user maximum flexibility. There is a single access
vector for PKeys, called "access".

An Infiniband device (ibdev) is labeled by name and port number.  There is a
single access vector for ibdevs as well, called "smi".

Because RDMA allows for kernel bypass all enforcement must be done during
connection setup.  To communicate over RDMA requires a send and receive queue
called a queue pair (QP).  During the creation of a QP it is initialized
before it can be used to send or receive data.  During initialization the user
must provide the PKey and port the QP will use, at this time access can be
enforced.

Because there is a possibility that the enforcement settings or security
policy can change, a means of notifying the ib_core module of such changes is
required.  To facilitate this a single LSM hook is provided, ib_core will
register for this hook and when called will recheck the PKey access for all
existing QPs.

Because frequent accesses to the same PKey's SID are expected, a cache is
implemented which is very similar to the netport cache.

Daniel Jurgens (7):
  security: Add LSM hooks for Infiniband security
  selinux: Create policydb version for Infiniband support
  selinux: Call infiniband_flush LSM hook on AVC reset
  selinux: Allocate and free infiniband security hooks
  selinux: Implement Infiniband PKey "Access" access vector
  selinux: Implement IB Device SMI access vector
  selinux: Add a cache for quicker retrieval of PKey SIDs

 include/linux/lsm_audit.h                        |   15 ++
 include/linux/lsm_hooks.h                        |   43 ++++-
 include/linux/security.h                         |   37 ++++
 security/Kconfig                                 |    9 +
 security/security.c                              |   52 +++++
 security/selinux/Makefile                        |    2 +-
 security/selinux/hooks.c                         |   87 +++++++++-
 security/selinux/include/classmap.h              |    4 +
 security/selinux/include/initial_sid_to_string.h |    2 +
 security/selinux/include/objsec.h                |   12 ++
 security/selinux/include/pkey.h                  |   33 ++++
 security/selinux/include/security.h              |    7 +-
 security/selinux/pkey.c                          |  220 ++++++++++++++++++++++
 security/selinux/ss/policydb.c                   |  129 +++++++++++--
 security/selinux/ss/policydb.h                   |   13 ++-
 security/selinux/ss/services.c                   |   84 ++++++++
 16 files changed, 723 insertions(+), 26 deletions(-)
 create mode 100644 security/selinux/include/pkey.h
 create mode 100644 security/selinux/pkey.c

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* [RFC PATCH 1/7] security: Add LSM hooks for Infiniband security
  2016-04-04 21:48 [RFC PATCH 0/7] SELinux support for Infiniband RDMA Dan Jurgens
@ 2016-04-04 21:48 ` Dan Jurgens
From: Dan Jurgens @ 2016-04-04 21:48 UTC (permalink / raw)
  To: selinux, linux-security-module; +Cc: linux-rdma, yevgenyp, Daniel Jurgens

From: Daniel Jurgens <danielj@mellanox.com>

Add five new hooks:
 1. Allocate security contexts for Infiniband objects
 2. Free security contexts for Infiniband objects
 3. Enforce access to PKeys
 4. Enforce access to Infiniband devices' subnet management interfaces.
 5. A hook to be implemented by IB core to receive notifications of
    security policy or enforcement changes.  Restricting a QP's access to
    a pkey will be done during setup and not on a per-packet basis, so
    access must be enforced again.

Because IB core is usually compiled as a module it must be able to
delete its hooks.  Remove the SELinux-specific ifdef around
security_delete_hooks and update the comment.  Also EXPORT_SYMBOL for
security_hook_heads so IB core can access it to add and delete the hook.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: Eli Cohen <eli@mellanox.com>
---
 include/linux/lsm_hooks.h |   43 ++++++++++++++++++++++++++++++++-----
 include/linux/security.h  |   37 ++++++++++++++++++++++++++++++++
 security/Kconfig          |    9 +++++++
 security/security.c       |   52 +++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 135 insertions(+), 6 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 71969de..c0c7a40 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -8,6 +8,7 @@
  * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
  * Copyright (C) 2015 Intel Corporation.
  * Copyright (C) 2015 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright (C) 2016 Mellanox Techonologies. <danielj@mellanox.com>
  *
  *	This program is free software; you can redistribute it and/or modify
  *	it under the terms of the GNU General Public License as published by
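Review bot: the added copyright line misspells the company as "Techonologies"; the same typo is in the include/linux/security.h hunk of this patch, while the security/security.c hunk has "Technologies".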
@@ -877,6 +878,21 @@
  *	associated with the TUN device's security structure.
  *	@security pointer to the TUN devices's security structure.
  *
+ * Security hooks for Infiniband
+ *
+ * @pkey_access:
+ *	Check permission when modifing a QP or transmitting and receiving MADs.
+ * @ibdev_smi:
+ *	Check permissions to access the devices subnet management interface (SMI).
+ * @infiniband_alloc_security:
+ *	Allocate a security structure to be used by Infiniband QPs and MAD
+ *	agents.
+ * @infiniband_free_security:
+ *	Free an Infiniband security structure.
+ * @infiniband_flush:
+ *	Security modules can use this hook to notify IB core of policy changes
+ *	or when enforcement changes.
+ *
  * Security hooks for XFRM operations.
  *
  * @xfrm_policy_alloc_security:
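Review bot: two typos in the new hook documentation: "modifing" under @pkey_access should be "modifying", and "the devices subnet management interface" under @ibdev_smi should be "the device's". The block also never says what @security is (the per-QP or MAD-agent structure that @infiniband_alloc_security returns) or that a non-zero return from @pkey_access and @ibdev_smi denies the operation; the tun_dev block just above documents its @security argument, so these should too.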
@@ -1577,6 +1593,14 @@ union security_list_options {
 	int (*tun_dev_open)(void *security);
 #endif	/* CONFIG_SECURITY_NETWORK */
 
+#ifdef CONFIG_SECURITY_INFINIBAND
+	int (*pkey_access)(u64 subnet_prefix, u16 pkey, void *security);
+	int (*ibdev_smi)(const char *dev_name, u8 port, void *security);
+	int (*infiniband_alloc_security)(void **security);
+	void (*infiniband_free_security)(void *security);
+	void (*infiniband_flush)(void);
+#endif	/* CONFIG_SECURITY_INFINIBAND */
+
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 	int (*xfrm_policy_alloc_security)(struct xfrm_sec_ctx **ctxp,
 					  struct xfrm_user_sec_ctx *sec_ctx,
@@ -1805,6 +1829,13 @@ struct security_hook_heads {
 	struct list_head tun_dev_open;
 	struct list_head skb_owned_by;
 #endif	/* CONFIG_SECURITY_NETWORK */
+#ifdef CONFIG_SECURITY_INFINIBAND
+	struct list_head pkey_access;
+	struct list_head ibdev_smi;
+	struct list_head infiniband_alloc_security;
+	struct list_head infiniband_free_security;
+	struct list_head infiniband_flush;
+#endif	/* CONFIG_SECURITY_INFINIBAND */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 	struct list_head xfrm_policy_alloc_security;
 	struct list_head xfrm_policy_clone_security;
@@ -1862,7 +1893,6 @@ static inline void security_add_hooks(struct security_hook_list *hooks,
 		list_add_tail_rcu(&hooks[i].list, hooks[i].head);
 }
 
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
 /*
  * Assuring the safety of deleting a security module is up to
  * the security module involved. This may entail ordering the
@@ -1870,10 +1900,12 @@ static inline void security_add_hooks(struct security_hook_list *hooks,
  * the module once a policy is loaded or any number of other
  * actions better imagined than described.
  *
- * The name of the configuration option reflects the only module
- * that currently uses the mechanism. Any developer who thinks
- * disabling their module is a good idea needs to be at least as
- * careful as the SELinux team.
+ * Any developer who thinks disabling their module is a good
+ * idea needs to be at least as careful as the SELinux team.
+ *
+ * ib_core is usually built as a module.  It may register a
+ * single instance to a single hook (infiniband_flush), and
+ * must be able to delete it when the module is unloaded.
  */
 static inline void security_delete_hooks(struct security_hook_list *hooks,
 						int count)
@@ -1883,7 +1915,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
 	for (i = 0; i < count; i++)
 		list_del_rcu(&hooks[i].list);
 }
-#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
 
 extern int __init security_module_enable(const char *module);
 extern void __init capability_add_hooks(void);
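Review bot: dropping the CONFIG_SECURITY_SELINUX_DISABLE guard makes security_delete_hooks() available to any module, and the updated comment still leaves the whole safety argument to the caller. For ib_core that argument needs spelling out: list_del_rcu() only unlinks the entry, so the unload path must wait a grace period (synchronize_rcu()) after deleting the infiniband_flush hook and before the module's security_hook_list storage goes away, otherwise a concurrent security_infiniband_flush() can walk freed memory. Either add that sentence to the comment or give ib_core a dedicated register/unregister helper instead of opening up the generic deletion path.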
diff --git a/include/linux/security.h b/include/linux/security.h
index 4824a4c..fde0a92 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -6,6 +6,7 @@
  * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
  * Copyright (C) 2001 James Morris <jmorris@intercode.com.au>
  * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
+ * Copyright (C) 2016 Mellanox Techonologies. <danielj@mellanox.com>
  *
  *	This program is free software; you can redistribute it and/or modify
  *	it under the terms of the GNU General Public License as published by
@@ -1350,6 +1351,42 @@ static inline int security_tun_dev_open(void *security)
 }
 #endif	/* CONFIG_SECURITY_NETWORK */
 
+#ifdef CONFIG_SECURITY_INFINIBAND
+int security_pkey_access(u64 subnet_prefix, u16 pkey, void *security);
+int security_ibdev_smi(const char *dev_name, u8 port, void *security);
+int security_infiniband_alloc_security(void **security);
+void security_infiniband_free_security(void *security);
+void security_infiniband_flush(void);
+#else	/* CONFIG_SECURITY_INFINIBAND */
+static inline int security_pkey_access(u64 subnet_prefix,
+				       u16 pkey,
+				       void *security)
+{
+	return 0;
+}
+
+static inline int security_ibdev_smi(const char *dev_name,
+				     u8 port,
+				     void *security)
+{
+	return 0;
+}
+
+static inline int security_infiniband_alloc_security(void **security)
+{
+	*security = NULL;
+	return 0;
+}
+
+static inline void security_infiniband_free_security(void *security)
+{
+}
+
+static inline void security_infiniband_flush(void)
+{
+}
+#endif	/* CONFIG_SECURITY_INFINIBAND */
+
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 
 int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
diff --git a/security/Kconfig b/security/Kconfig
index e452378..bac790a 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -49,6 +49,15 @@ config SECURITY_NETWORK
 	  implement socket and networking access controls.
 	  If you are unsure how to answer this question, answer N.
 
+config SECURITY_INFINIBAND
+	bool "Infiniband Security Hooks"
+	depends on SECURITY && INFINIBAND
+	help
+	  This enables the Infiniband security hooks.
+	  If enabled, a security module can use these hooks to
+	  implement Infiniband access controls.
+	  If you are unsure how to answer this question, answer N.
+
 config SECURITY_NETWORK_XFRM
 	bool "XFRM (IPSec) Networking Security Hooks"
 	depends on XFRM && SECURITY_NETWORK
diff --git a/security/security.c b/security/security.c
index e8ffd92..a3e3e35 100644
--- a/security/security.c
+++ b/security/security.c
@@ -4,6 +4,7 @@
  * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
  * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
  * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
+ * Copyright (C) 2016 Mellanox Technologies.  <danielj@mellanox.com>
  *
  *	This program is free software; you can redistribute it and/or modify
  *	it under the terms of the GNU General Public License as published by
@@ -1396,6 +1397,44 @@ EXPORT_SYMBOL(security_tun_dev_open);
 
 #endif	/* CONFIG_SECURITY_NETWORK */
 
+#ifdef CONFIG_SECURITY_INFINIBAND
+
+int security_pkey_access(u64 subnet_prefix, u16 pkey, void *security)
+{
+	return call_int_hook(pkey_access,
+			0,
+			subnet_prefix,
+			pkey,
+			security);
+}
+EXPORT_SYMBOL(security_pkey_access);
+
+int security_ibdev_smi(const char *dev_name, u8 port, void *security)
+{
+	return call_int_hook(ibdev_smi, 0, dev_name, port, security);
+}
+EXPORT_SYMBOL(security_ibdev_smi);
+
+int security_infiniband_alloc_security(void **security)
+{
+	return call_int_hook(infiniband_alloc_security, 0, security);
+}
+EXPORT_SYMBOL(security_infiniband_alloc_security);
+
+void security_infiniband_free_security(void *security)
+{
+	call_void_hook(infiniband_free_security, security);
+}
+EXPORT_SYMBOL(security_infiniband_free_security);
+
+void security_infiniband_flush(void)
+{
+	call_void_hook(infiniband_flush);
+}
+EXPORT_SYMBOL(security_infiniband_flush);
+
+#endif	/* CONFIG_SECURITY_INFINIBAND */
+
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 
 int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
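Review bot: style: security_pkey_access() spreads the call_int_hook() arguments one per line while security_ibdev_smi() directly below fits the same shape on a single line; `return call_int_hook(pkey_access, 0, subnet_prefix, pkey, security);` fits in 80 columns and matches the rest of the file.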
@@ -1848,6 +1887,18 @@ struct security_hook_heads security_hook_heads = {
 	.tun_dev_open =	LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
 	.skb_owned_by =	LIST_HEAD_INIT(security_hook_heads.skb_owned_by),
 #endif	/* CONFIG_SECURITY_NETWORK */
+
+#ifdef CONFIG_SECURITY_INFINIBAND
+	.pkey_access = LIST_HEAD_INIT(security_hook_heads.pkey_access),
+	.ibdev_smi = LIST_HEAD_INIT(security_hook_heads.ibdev_smi),
+	.infiniband_alloc_security =
+		LIST_HEAD_INIT(security_hook_heads.infiniband_alloc_security),
+	.infiniband_free_security =
+		LIST_HEAD_INIT(security_hook_heads.infiniband_free_security),
+	.infiniband_flush =
+		LIST_HEAD_INIT(security_hook_heads.infiniband_flush),
+#endif	/* CONFIG_SECURITY_INFINIBAND */
+
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 	.xfrm_policy_alloc_security =
 		LIST_HEAD_INIT(security_hook_heads.xfrm_policy_alloc_security),
@@ -1891,3 +1942,4 @@ struct security_hook_heads security_hook_heads = {
 		LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
 #endif /* CONFIG_AUDIT */
 };
+EXPORT_SYMBOL(security_hook_heads);
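Review bot: EXPORT_SYMBOL(security_hook_heads) lets every loadable module, GPL or not, add and remove arbitrary LSM hooks by touching the heads directly, which is a far larger exposure than the single infiniband_flush callback ib_core needs. Prefer a narrow exported helper (for example a register/unregister pair that wraps security_add_hooks()/security_delete_hooks() for that one hook only; the names are a suggestion), and if the heads really must be exported use EXPORT_SYMBOL_GPL.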
-- 
1.7.1



* [RFC PATCH 2/7] selinux: Create policydb version for Infiniband support
@ 2016-04-04 21:48   ` Dan Jurgens
From: Dan Jurgens @ 2016-04-04 21:48 UTC (permalink / raw)
  To: selinux-+05T5uksL2qpZYMLLGbcSA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	yevgenyp-VPRAkNaXOzVWk0Htik3J/w, Daniel Jurgens

From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

Support for Infiniband requires the addition of two new object contexts,
one for Infiniband PKeys and another for IB devices.  Added handlers to read
and write the new ocontext types when reading or writing a binary policy
representation.

Signed-off-by: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Reviewed-by: Eli Cohen <eli-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
---
 security/selinux/include/security.h |    3 +-
 security/selinux/ss/policydb.c      |  129 +++++++++++++++++++++++++++++++----
 security/selinux/ss/policydb.h      |   13 +++-
 3 files changed, 128 insertions(+), 17 deletions(-)

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 38feb55..a7e6ed2 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -36,13 +36,14 @@
 #define POLICYDB_VERSION_DEFAULT_TYPE	28
 #define POLICYDB_VERSION_CONSTRAINT_NAMES	29
 #define POLICYDB_VERSION_XPERMS_IOCTL	30
+#define POLICYDB_VERSION_INFINIBAND		31
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_XPERMS_IOCTL
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_INFINIBAND
 #endif
 
 /* Mask for just the mount related flags */
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 992a315..de2f0b1 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -17,6 +17,11 @@
  *
  *      Added support for the policy capability bitmap
  *
+ * Update: Mellanox Techonologies <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
+ *
+ *	Added Infiniband support
+ *
+ * Copyright (C) 2016 Mellanox Techonologies
  * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
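Review bot: "Techonologies" is misspelled in both the new Update: line and the new Copyright line of this header.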
@@ -76,81 +81,86 @@ static struct policydb_compat_info policydb_compat[] = {
 	{
 		.version	= POLICYDB_VERSION_BASE,
 		.sym_num	= SYM_NUM - 3,
-		.ocon_num	= OCON_NUM - 1,
+		.ocon_num	= OCON_NUM - 3,
 	},
 	{
 		.version	= POLICYDB_VERSION_BOOL,
 		.sym_num	= SYM_NUM - 2,
-		.ocon_num	= OCON_NUM - 1,
+		.ocon_num	= OCON_NUM - 3,
 	},
 	{
 		.version	= POLICYDB_VERSION_IPV6,
 		.sym_num	= SYM_NUM - 2,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_NLCLASS,
 		.sym_num	= SYM_NUM - 2,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_MLS,
 		.sym_num	= SYM_NUM,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_AVTAB,
 		.sym_num	= SYM_NUM,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_RANGETRANS,
 		.sym_num	= SYM_NUM,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_POLCAP,
 		.sym_num	= SYM_NUM,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_PERMISSIVE,
 		.sym_num	= SYM_NUM,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_BOUNDARY,
 		.sym_num	= SYM_NUM,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_FILENAME_TRANS,
 		.sym_num	= SYM_NUM,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_ROLETRANS,
 		.sym_num	= SYM_NUM,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
 		.sym_num	= SYM_NUM,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_DEFAULT_TYPE,
 		.sym_num	= SYM_NUM,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_CONSTRAINT_NAMES,
 		.sym_num	= SYM_NUM,
-		.ocon_num	= OCON_NUM,
+		.ocon_num	= OCON_NUM - 2,
 	},
 	{
 		.version	= POLICYDB_VERSION_XPERMS_IOCTL,
 		.sym_num	= SYM_NUM,
+		.ocon_num	= OCON_NUM - 2,
+	},
+	{
+		.version	= POLICYDB_VERSION_INFINIBAND,
+		.sym_num	= SYM_NUM,
 		.ocon_num	= OCON_NUM,
 	},
 };
@@ -2219,6 +2229,58 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
 					goto out;
 				break;
 			}
+			case OCON_PKEY: {
+				rc = next_entry(nodebuf, fp, sizeof(u32) * 6);
+				if (rc)
+					goto out;
+
+				c->u.pkey.subnet_prefix = be64_to_cpu(*((__be64 *)nodebuf));
+				/* The subnet prefix is stored as an IPv6
+				 * address in the policy.
+				 *
+				 * Check that the lower 2 DWORDS are 0.
+				 */
+				if (nodebuf[2] || nodebuf[3]) {
+					rc = -EINVAL;
+					goto out;
+				}
+
+				if (nodebuf[4] > 0xffff ||
+				    nodebuf[5] > 0xffff) {
+					rc = -EINVAL;
+					goto out;
+				}
+
+				c->u.pkey.low_pkey = le32_to_cpu(nodebuf[4]);
+				c->u.pkey.high_pkey = le32_to_cpu(nodebuf[5]);
+
+				rc = context_read_and_validate(&c->context[0],
+							       p,
+							       fp);
+				if (rc)
+					goto out;
+				break;
+			}
+			case OCON_IBDEV:
+				rc = next_entry(buf, fp, sizeof(u32) * 2);
+				if (rc)
+					goto out;
+				len = le32_to_cpu(buf[0]);
+
+				rc = str_read(&c->u.ibdev.dev_name, GFP_KERNEL,
+					      fp,
+					      len);
+				if (rc)
+					goto out;
+
+				c->u.ibdev.port = le32_to_cpu(buf[1]);
+
+				rc = context_read_and_validate(&c->context[0],
+							       p,
+							       fp);
+				if (rc)
+					goto out;
+				break;
 			}
 		}
 	}
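Review bot: in the OCON_PKEY case the range checks run on the raw on-disk words rather than the decoded values: `nodebuf[4] > 0xffff` compares the little-endian encoding, which only equals the host value on little-endian hosts, so do the le32_to_cpu() conversion first and check the result (the `nodebuf[2] || nodebuf[3]` zero test is fine as written, since zero is zero in any byte order). Nothing rejects low_pkey > high_pkey, which would load a label that can never match. In the OCON_IBDEV case `c->u.ibdev.port = le32_to_cpu(buf[1])` silently truncates a 32-bit value into a u8; reject values that do not fit. Finally, if nodebuf is the __le32 array the node6 case uses, the `(__be64 *)nodebuf` cast will draw a sparse warning; reading the prefix through a separate __be64 is cleaner.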
@@ -3147,6 +3209,43 @@ static int ocontext_write(struct policydb *p, struct policydb_compat_info *info,
 				if (rc)
 					return rc;
 				break;
+			case OCON_PKEY: {
+				__be64 *sbn_pfx = (__be64 *)nodebuf;
+				*sbn_pfx = cpu_to_be64(c->u.pkey.subnet_prefix);
+
+				/*
+				 * The low order 2 bits were confirmed to be 0
+				 * when the policy was loaded. Write them out
+				 * as zero
+				 */
+				nodebuf[2] = 0;
+				nodebuf[3] = 0;
+
+				nodebuf[4] = cpu_to_le32(c->u.pkey.low_pkey);
+				nodebuf[5] = cpu_to_le32(c->u.pkey.high_pkey);
+
+				rc = put_entry(nodebuf, sizeof(u32), 6, fp);
+				if (rc)
+					return rc;
+				rc = context_write(p, &c->context[0], fp);
+				if (rc)
+					return rc;
+				break;
+			}
+			case OCON_IBDEV:
+				len = strlen(c->u.ibdev.dev_name);
+				buf[0] = cpu_to_le32(len);
+				buf[1] = cpu_to_le32(c->u.ibdev.port);
+				rc = put_entry(buf, sizeof(u32), 2, fp);
+				if (rc)
+					return rc;
+				rc = put_entry(c->u.ibdev.dev_name, 1, len, fp);
+				if (rc)
+					return rc;
+				rc = context_write(p, &c->context[0], fp);
+				if (rc)
+					return rc;
+				break;
 			}
 		}
 	}
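Review bot: the comment says "low order 2 bits" but the code zeroes nodebuf[2] and nodebuf[3], i.e. the lower two 32-bit words of the 128-bit prefix field, matching the read side's "lower 2 DWORDS"; fix the wording. The same buffer receives one __be64 store followed by cpu_to_le32 values, so the endianness annotation remark from the read hunk applies here as well.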
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 725d594..06c572e 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -187,6 +187,15 @@ struct ocontext {
 			u32 addr[4];
 			u32 mask[4];
 		} node6;        /* IPv6 node information */
+		struct {
+			u64 subnet_prefix;
+			u16 low_pkey;
+			u16 high_pkey;
+		} pkey;
+		struct {
+			char *dev_name;
+			u8 port;
+		} ibdev;
 	} u;
 	union {
 		u32 sclass;  /* security class for genfs */
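Review bot: dev_name is a heap string filled by str_read() in ocontext_read(), so ocontext_destroy() needs a matching kfree() for OCON_IBDEV; that change is not in the visible hunks, please confirm it is part of the patch. A one-line comment on the pkey struct saying subnet_prefix is kept in host order (the on-disk form is big-endian, per the read/write hunks) would also help.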
@@ -222,7 +231,9 @@ struct genfs {
 #define OCON_NODE  4	/* nodes */
 #define OCON_FSUSE 5	/* fs_use */
 #define OCON_NODE6 6	/* IPv6 nodes */
-#define OCON_NUM   7
+#define OCON_PKEY  7    /* Infiniband PKEYs */
+#define OCON_IBDEV 8    /* Infiniband devices */
+#define OCON_NUM   9
 
 /* The policy database */
 struct policydb {
-- 
1.7.1
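An added example, not part of this patch set: a user-space C parser for the 24-byte OCON_PKEY record laid out as the ocontext_read() hunk above reads it, followed by the subnet-prefix plus PKey-range walk the cover letter describes for resolving a PKey to its label. The record layout, the use of a plain SID in place of the serialized context, and the sample record are assumptions of this example; the range checks are done on decoded values so the result is the same on big-endian hosts.

```c
/*
 * Added example (not from the patch set): parse one OCON_PKEY record and
 * look a (subnet prefix, pkey) pair up against the parsed labels.
 *
 * Assumed on-disk layout, 6 x u32 as in the ocontext_read() hunk:
 *   bytes  0..7   subnet prefix, big-endian (high half of an IPv6 address)
 *   bytes  8..15  must be zero (low half of that IPv6 address)
 *   bytes 16..19  low_pkey,  little-endian u32, must be <= 0xffff
 *   bytes 20..23  high_pkey, little-endian u32, must be <= 0xffff
 * The security context that follows the record in a real policy is
 * represented here by a caller-supplied SID.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

struct pkey_ocontext {
    uint64_t subnet_prefix;   /* host order */
    uint16_t low_pkey;
    uint16_t high_pkey;
    uint32_t sid;             /* stands in for the security context */
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t get_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Parse one 24-byte record. Returns 0 on success, -1 if the record is
 * rejected (non-zero low half, pkey out of range, or inverted range). */
int parse_pkey_ocontext(const uint8_t rec[24], uint32_t sid,
                        struct pkey_ocontext *out)
{
    uint32_t w2 = get_le32(rec + 8), w3 = get_le32(rec + 12);
    uint32_t low = get_le32(rec + 16), high = get_le32(rec + 20);

    if (w2 || w3)                       /* low 64 bits of the prefix field */
        return -1;
    if (low > 0xffff || high > 0xffff)  /* checked after decoding */
        return -1;
    if (low > high)                     /* would never match anything */
        return -1;

    out->subnet_prefix = get_be64(rec);
    out->low_pkey = (uint16_t)low;
    out->high_pkey = (uint16_t)high;
    out->sid = sid;
    return 0;
}

/* Walk the labels in policy order; return the SID of the first one whose
 * subnet prefix matches and whose range contains pkey, or 0 if none. */
uint32_t pkey_lookup_sid(const struct pkey_ocontext *tab, size_t n,
                         uint64_t subnet_prefix, uint16_t pkey)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].subnet_prefix == subnet_prefix &&
            pkey >= tab[i].low_pkey && pkey <= tab[i].high_pkey)
            return tab[i].sid;
    return 0;
}

/* Constructed sample record: the IB default subnet prefix
 * 0xfe80000000000000 and the pkey range 0x8001..0x8010. */
static const uint8_t sample_rec[24] = {
    0xfe, 0x80, 0, 0, 0, 0, 0, 0,   /* subnet prefix, big-endian */
    0, 0, 0, 0, 0, 0, 0, 0,         /* must be zero */
    0x01, 0x80, 0, 0,               /* low_pkey  = 0x8001, little-endian */
    0x10, 0x80, 0, 0,               /* high_pkey = 0x8010, little-endian */
};

/* Parse the sample and resolve one pkey inside and one outside the range;
 * returns 0 when both behave as expected. */
int demo(void)
{
    struct pkey_ocontext tab[1];

    if (parse_pkey_ocontext(sample_rec, 42, &tab[0]))
        return -1;
    if (pkey_lookup_sid(tab, 1, 0xfe80000000000000ULL, 0x8005) != 42)
        return -1;
    if (pkey_lookup_sid(tab, 1, 0xfe80000000000000ULL, 0x7fff) != 0)
        return -1;
    return 0;
}
```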



* [RFC PATCH 3/7] selinux: Call infiniband_flush LSM hook on AVC reset
@ 2016-04-04 21:48   ` Dan Jurgens
From: Dan Jurgens @ 2016-04-04 21:48 UTC (permalink / raw)
  To: selinux-+05T5uksL2qpZYMLLGbcSA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	yevgenyp-VPRAkNaXOzVWk0Htik3J/w, Daniel Jurgens

From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

In the AVC reset callback notify the infiniband module. Also renamed the
callback function; the previous name was 'net' specific.

Signed-off-by: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Reviewed-by: Eli Cohen <eli-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
---
 security/selinux/hooks.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f1ab715..156e232 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -159,13 +159,14 @@ static int selinux_peerlbl_enabled(void)
 	return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
 }
 
-static int selinux_netcache_avc_callback(u32 event)
+static int selinux_cache_avc_callback(u32 event)
 {
 	if (event == AVC_CALLBACK_RESET) {
 		sel_netif_flush();
 		sel_netnode_flush();
 		sel_netport_flush();
 		synchronize_net();
+		security_infiniband_flush();
 	}
 	return 0;
 }
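Review bot: this call runs in the opposite direction from the other lines in the block: sel_net*_flush() are SELinux's own caches, whereas security_infiniband_flush() goes out through the LSM hook to whatever ib_core registered. A one-line comment that ib_core uses this to recheck PKey access for existing QPs after a policy change (the cover letter's description) would save the next reader a trip to the cover letter.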
@@ -6174,7 +6175,7 @@ static __init int selinux_init(void)
 
 	security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
 
-	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
+	if (avc_add_callback(selinux_cache_avc_callback, AVC_CALLBACK_RESET))
 		panic("SELinux: Unable to register AVC netcache callback\n");
 
 	if (selinux_enforcing)
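Review bot: the panic string still reads "Unable to register AVC netcache callback" after the function was renamed to selinux_cache_avc_callback because it is no longer net-specific; update the message to match.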
-- 
1.7.1



* [RFC PATCH 4/7] selinux: Allocate and free infiniband security hooks
@ 2016-04-04 21:48   ` Dan Jurgens
From: Dan Jurgens @ 2016-04-04 21:48 UTC (permalink / raw)
  To: selinux-+05T5uksL2qpZYMLLGbcSA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	yevgenyp-VPRAkNaXOzVWk0Htik3J/w, Daniel Jurgens

From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

Implement and attach hooks to allocate and free infiniband security
structures.

Signed-off-by: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
Reviewed-by: Eli Cohen <eli-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
---
 security/selinux/hooks.c          |   29 +++++++++++++++++++++++++++++
 security/selinux/include/objsec.h |    6 ++++++
 2 files changed, 35 insertions(+), 0 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 156e232..cd0c6f4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -17,6 +17,8 @@
  *	Paul Moore <paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org>
  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  *		       Yuichi Nakamura <ynakam-FkO1umbPgv4fag7Bw7Dlfw@public.gmane.org>
+ *  Copyright (C) 2016 Mellanox Technologies,
+ *					Dan Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
  *
  *	This program is free software; you can redistribute it and/or modify
  *	it under the terms of the GNU General Public License version 2,
@@ -5934,6 +5936,26 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
 
 #endif
 
+#ifdef CONFIG_SECURITY_INFINIBAND
+static int selinux_infiniband_alloc_security(void **security)
+{
+	struct infiniband_security_struct *sec;
+
+	sec = kzalloc(sizeof(*sec), GFP_ATOMIC);
+	if (!sec)
+		return -ENOMEM;
+	sec->sid = current_sid();
+
+	*security = sec;
+	return 0;
+}
+
+static void selinux_infiniband_free_security(void *security)
+{
+	kfree(security);
+}
+#endif
+
 static struct security_hook_list selinux_hooks[] = {
 	LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
 	LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
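Review bot: selinux_infiniband_alloc_security() allocates with GFP_ATOMIC; unless the ib_core callers (QP and MAD agent creation) really run in atomic context, GFP_KERNEL is the right flag, or let the caller pass the gfp mask in. Also, the label is fixed to current_sid() at allocation with no other input, so the QP or MAD agent is permanently labelled with the creating task's context; a short comment saying that is intended would help.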
@@ -6115,6 +6137,13 @@ static struct security_hook_list selinux_hooks[] = {
 	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
 
+#ifdef CONFIG_SECURITY_INFINIBAND
+	LSM_HOOK_INIT(infiniband_alloc_security,
+		      selinux_infiniband_alloc_security),
+	LSM_HOOK_INIT(infiniband_free_security,
+		      selinux_infiniband_free_security),
+#endif
+
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
 	LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
 	LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index a2ae054..4e36976 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -10,6 +10,8 @@
  *
  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  *  Copyright (C) 2003 Red Hat, Inc., James Morris <jmorris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
+ *  Copyright (C) 2016 Mellanox Technologies,
+ *					Dan Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
  *
  *	This program is free software; you can redistribute it and/or modify
  *	it under the terms of the GNU General Public License version 2,
@@ -129,6 +131,10 @@ struct key_security_struct {
 	u32 sid;	/* SID of key */
 };
 
+struct infiniband_security_struct {
+	u32 sid;        /* SID of the queue pair or MAD agent */
+};
+
 extern unsigned int selinux_checkreqprot;
 
 #endif /* _SELINUX_OBJSEC_H_ */
-- 
1.7.1



* [RFC PATCH 5/7] selinux: Implement Infiniband PKey "Access" access vector
@ 2016-04-04 21:48 ` Dan Jurgens
From: Dan Jurgens @ 2016-04-04 21:48 UTC (permalink / raw)
  To: selinux, linux-security-module; +Cc: linux-rdma, yevgenyp, Daniel Jurgens

From: Daniel Jurgens <danielj@mellanox.com>

Add a type and access vector for PKeys. Implement the pkey_access hook
to check that the caller has permission to access the PKey on the given
subnet prefix.  Add an interface to get the PKey SID. Walk the PKey
ocontexts to find an entry for the given subnet prefix and pkey.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: Eli Cohen <eli@mellanox.com>
---
 include/linux/lsm_audit.h                        |    7 ++++
 security/selinux/hooks.c                         |   25 +++++++++++++
 security/selinux/include/classmap.h              |    2 +
 security/selinux/include/initial_sid_to_string.h |    1 +
 security/selinux/include/security.h              |    2 +
 security/selinux/ss/services.c                   |   41 ++++++++++++++++++++++
 6 files changed, 78 insertions(+), 0 deletions(-)

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index ffb9c9d..8ff7eae 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -45,6 +45,11 @@ struct lsm_ioctlop_audit {
 	u16 cmd;
 };
 
+struct lsm_pkey_audit {
+	u64	subnet_prefix;
+	u16	pkey;
+};
+
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
 	char type;
@@ -59,6 +64,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_INODE	9
 #define LSM_AUDIT_DATA_DENTRY	10
 #define LSM_AUDIT_DATA_IOCTL_OP	11
+#define LSM_AUDIT_DATA_PKEY	12
 	union 	{
 		struct path path;
 		struct dentry *dentry;
@@ -75,6 +81,7 @@ struct common_audit_data {
 #endif
 		char *kmod_name;
 		struct lsm_ioctlop_audit *op;
+		struct lsm_pkey_audit *pkey;
 	} u;
 	/* this union contains LSM specific data */
 	union {
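Review bot: LSM_AUDIT_DATA_PKEY and the `pkey` union member are added here, but the diffstat above lists no change to security/lsm_audit.c, so dump_common_audit_data() has no case for the new type and a pkey denial will be logged without the subnet prefix and pkey that struct lsm_pkey_audit carries. Add the case (printing something like `subnet_prefix=%llx pkey=%x`) in this patch so the audit data is actually emitted.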
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index cd0c6f4..829746b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5937,6 +5937,30 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
 #endif
 
 #ifdef CONFIG_SECURITY_INFINIBAND
+static int selinux_pkey_access(u64 subnet_prefix, u16 pkey_val, void *security)
+{
+	struct common_audit_data ad;
+	int err;
+	u32 sid = 0;
+	struct infiniband_security_struct *sec = security;
+	struct lsm_pkey_audit pkey;
+
+	err = security_pkey_sid(subnet_prefix, pkey_val, &sid);
+
+	if (err)
+		goto out;
+
+	ad.type = LSM_AUDIT_DATA_PKEY;
+	pkey.subnet_prefix = subnet_prefix;
+	pkey.pkey = pkey_val;
+	ad.u.pkey = &pkey;
+	err = avc_has_perm(sec->sid, sid,
+			   SECCLASS_INFINIBAND_PKEY,
+			   INFINIBAND_PKEY__ACCESS, &ad);
+out:
+	return err;
+}
+
 static int selinux_infiniband_alloc_security(void **security)
 {
 	struct infiniband_security_struct *sec;
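Review bot: in selinux_pkey_access() the `out:` label does nothing but `return err;`, so the `goto out` after security_pkey_sid() can be a plain `return err;` and the stray blank line between the call and its error check can go. `sec` is also dereferenced unconditionally; if the contract is that every QP and MAD agent carries a blob from infiniband_alloc_security(), say so in a comment, otherwise a NULL check belongs here.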
@@ -6138,6 +6162,7 @@ static struct security_hook_list selinux_hooks[] = {
 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
 
 #ifdef CONFIG_SECURITY_INFINIBAND
+	LSM_HOOK_INIT(pkey_access, selinux_pkey_access),
 	LSM_HOOK_INIT(infiniband_alloc_security,
 		      selinux_infiniband_alloc_security),
 	LSM_HOOK_INIT(infiniband_free_security,
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index ef83c4b..46eb7a1 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -157,5 +157,7 @@ struct security_class_mapping secclass_map[] = {
 	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },
 	{ "binder", { "impersonate", "call", "set_context_mgr", "transfer",
 		      NULL } },
+	{ "infiniband_pkey",
+	  { "access", NULL } },
 	{ NULL }
   };
diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h
index a59b64e..8f2eefc 100644
--- a/security/selinux/include/initial_sid_to_string.h
+++ b/security/selinux/include/initial_sid_to_string.h
@@ -29,5 +29,6 @@ static const char *initial_sid_to_string[] =
     "policy",
     "scmp_packet",
     "devnull",
+    "pkey",
 };
 
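Review bot: adding "pkey" as a new initial SID means a policy built without a matching `sid pkey` declaration leaves that sidtab slot unfilled, yet security_pkey_sid() returns SECINITSID_PKEY for every pkey that has no ocontext; on such a policy the AVC lookup for an unlabeled pkey cannot resolve the target SID and errors instead of being decided by policy. Either ship the policy-side change together with this series or fall back to an existing initial SID (SECINITSID_UNLABELED, for example) when the new one is not defined.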
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index a7e6ed2..8f1a66e 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -180,6 +180,8 @@ int security_get_user_sids(u32 callsid, char *username,
 
 int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
 
+int security_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
+
 int security_netif_sid(char *name, u32 *if_sid);
 
 int security_node_sid(u16 domain, void *addr, u32 addrlen,
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ebda973..2fc48c5 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2229,6 +2229,47 @@ out:
 }
 
 /**
+ * security_pkey_sid - Obtain the SID for a pkey.
+ * @subnet_prefix: Subnet Prefix
+ * @pkey_num: pkey number
+ * @out_sid: security identifier
+ */
+int security_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
+{
+	struct ocontext *c;
+	int rc = 0;
+
+	read_lock(&policy_rwlock);
+
+	c = policydb.ocontexts[OCON_PKEY];
+	while (c) {
+		if (c->u.pkey.low_pkey <= pkey_num &&
+		    c->u.pkey.high_pkey >= pkey_num &&
+		    c->u.pkey.subnet_prefix == subnet_prefix)
+			break;
+
+		c = c->next;
+	}
+
+	if (c) {
+		if (!c->sid[0]) {
+			rc = sidtab_context_to_sid(&sidtab,
+						   &c->context[0],
+						   &c->sid[0]);
+			if (rc)
+				goto out;
+		}
+		*out_sid = c->sid[0];
+	} else {
+		*out_sid = SECINITSID_PKEY;
+	}
+
+out:
+	read_unlock(&policy_rwlock);
+	return rc;
+}
+
+/**
  * security_netif_sid - Obtain the SID for a network interface.
  * @name: interface name
  * @if_sid: interface SID
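Review bot: the walk compares the raw u64 subnet_prefix and u16 pkey_num against policy values, so two caller conventions need to be fixed and stated in the kernel-doc: the byte order of subnet_prefix (the GID field the caller will take it from is big-endian) and whether the membership bit (bit 15) of the PKey is masked before the call, since a policy range low_pkey..high_pkey silently matches or misses depending on that. The comment should also say that the first matching ocontext wins when ranges overlap; the lookup runs under policy_rwlock on every QP modify and MAD until the cache lands, which is worth a sentence as well.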
-- 
1.7.1


* [RFC PATCH 6/7] selinux: Implement IB Device SMI access vector
  2016-04-04 21:48 [RFC PATCH 0/7] SELinux support for Infiniband RDMA Dan Jurgens
                   ` (2 preceding siblings ...)
  2016-04-04 21:48 ` [RFC PATCH 5/7] selinux: Implement Infiniband PKey "Access" access vector Dan Jurgens
@ 2016-04-04 21:48 ` Dan Jurgens
  2016-04-04 21:48 ` [RFC PATCH 7/7] selinux: Add a cache for quicker retreival of PKey SIDs Dan Jurgens
  4 siblings, 0 replies; 22+ messages in thread
From: Dan Jurgens @ 2016-04-04 21:48 UTC (permalink / raw)
  To: selinux, linux-security-module; +Cc: linux-rdma, yevgenyp, Daniel Jurgens

From: Daniel Jurgens <danielj@mellanox.com>

Add a type and access vector for infiniband devices and their subnet
management interface. Implement the ibdev_smi hook to check that the
caller has permission to access the SMI specified by the device name and
port.  Add an interface to query the SID for an IB device, which walks the
IBDEV ocontexts to find an entry for the given name and port.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: Eli Cohen <eli@mellanox.com>
---
 include/linux/lsm_audit.h                        |    8 ++++
 security/selinux/hooks.c                         |   26 +++++++++++++
 security/selinux/include/classmap.h              |    2 +
 security/selinux/include/initial_sid_to_string.h |    1 +
 security/selinux/include/security.h              |    2 +
 security/selinux/ss/services.c                   |   43 ++++++++++++++++++++++
 6 files changed, 82 insertions(+), 0 deletions(-)

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 8ff7eae..9177ed3 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -21,6 +21,7 @@
 #include <linux/path.h>
 #include <linux/key.h>
 #include <linux/skbuff.h>
+#include <rdma/ib_verbs.h>
 
 struct lsm_network_audit {
 	int netif;
@@ -50,6 +51,11 @@ struct lsm_pkey_audit {
 	u16	pkey;
 };
 
+struct lsm_ibdev_audit {
+	char	dev_name[IB_DEVICE_NAME_MAX];
+	u8	port;
+};
+
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
 	char type;
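Review bot: pulling <rdma/ib_verbs.h> into include/linux/lsm_audit.h makes every LSM that includes this header depend on the RDMA headers just for IB_DEVICE_NAME_MAX, and the fixed-size array forces the hook to copy the name. A `const char *dev_name` member, like the `kmod_name` pointer already in the union, avoids both: the audit data only lives for the duration of the avc_has_perm() call, so no copy is needed and the include can go. As with the pkey type, the diffstat shows no dump_common_audit_data() case for LSM_AUDIT_DATA_IBDEV, so the name and port will not reach the audit record.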
@@ -65,6 +71,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_DENTRY	10
 #define LSM_AUDIT_DATA_IOCTL_OP	11
 #define LSM_AUDIT_DATA_PKEY	12
+#define LSM_AUDIT_DATA_IBDEV	13
 	union 	{
 		struct path path;
 		struct dentry *dentry;
@@ -82,6 +89,7 @@ struct common_audit_data {
 		char *kmod_name;
 		struct lsm_ioctlop_audit *op;
 		struct lsm_pkey_audit *pkey;
+		struct lsm_ibdev_audit *ibdev;
 	} u;
 	/* this union contains LSM specific data */
 	union {
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 829746b..22cdafc 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5961,6 +5961,31 @@ out:
 	return err;
 }
 
+static int selinux_ibdev_smi(const char *dev_name, u8 port, void *security)
+{
+	struct common_audit_data ad;
+	int err;
+	u32 sid = 0;
+	struct infiniband_security_struct *sec = security;
+	struct lsm_ibdev_audit ibdev;
+
+	err = security_ibdev_sid(dev_name, port, &sid);
+
+	if (err)
+		goto out;
+
+	ad.type = LSM_AUDIT_DATA_IBDEV;
+	strncpy(ibdev.dev_name, dev_name, sizeof(ibdev.dev_name));
+	ibdev.port = port;
+	ad.u.ibdev = &ibdev;
+	err = avc_has_perm(sec->sid, sid,
+			   SECCLASS_INFINIBAND_DEVICE,
+			   INFINIBAND_DEVICE__SMI, &ad);
+
+out:
+	return err;
+}
+
 static int selinux_infiniband_alloc_security(void **security)
 {
 	struct infiniband_security_struct *sec;
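Review bot: strncpy(ibdev.dev_name, dev_name, sizeof(ibdev.dev_name)) does not NUL-terminate when the source fills all IB_DEVICE_NAME_MAX bytes, and the audit code printing dev_name would then read past the array; use strlcpy(), or better, keep a pointer to the caller's name since `ibdev` only has to outlive the avc_has_perm() call. The `goto out` to a label that only returns is the same redundant shape as in selinux_pkey_access().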
@@ -6163,6 +6188,7 @@ static struct security_hook_list selinux_hooks[] = {
 
 #ifdef CONFIG_SECURITY_INFINIBAND
 	LSM_HOOK_INIT(pkey_access, selinux_pkey_access),
+	LSM_HOOK_INIT(ibdev_smi, selinux_ibdev_smi),
 	LSM_HOOK_INIT(infiniband_alloc_security,
 		      selinux_infiniband_alloc_security),
 	LSM_HOOK_INIT(infiniband_free_security,
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 46eb7a1..86459d4 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -159,5 +159,7 @@ struct security_class_mapping secclass_map[] = {
 		      NULL } },
 	{ "infiniband_pkey",
 	  { "access", NULL } },
+	{ "infiniband_device",
+	  { "smi", NULL } },
 	{ NULL }
   };
diff --git a/security/selinux/include/initial_sid_to_string.h b/security/selinux/include/initial_sid_to_string.h
index 8f2eefc..56737c3 100644
--- a/security/selinux/include/initial_sid_to_string.h
+++ b/security/selinux/include/initial_sid_to_string.h
@@ -30,5 +30,6 @@ static const char *initial_sid_to_string[] =
     "scmp_packet",
     "devnull",
     "pkey",
+    "ibdev",
 };
 
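Review bot: same concern as for the "pkey" initial SID: security_ibdev_sid() returns SECINITSID_IBDEV for any device/port without an ocontext, so a policy that does not declare `sid ibdev` cannot resolve that SID and every SMI check on an unlabeled port errors rather than being decided by policy. Ship the policy change alongside this series or fall back to an existing initial SID.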
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 8f1a66e..692c3ce 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -182,6 +182,8 @@ int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
 
 int security_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
 
+int security_ibdev_sid(const char *dev_name, u8 port, u32 *out_sid);
+
 int security_netif_sid(char *name, u32 *if_sid);
 
 int security_node_sid(u16 domain, void *addr, u32 addrlen,
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 2fc48c5..e49d276 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -53,6 +53,7 @@
 #include <linux/flex_array.h>
 #include <linux/vmalloc.h>
 #include <net/netlabel.h>
+#include <rdma/ib_verbs.h>
 
 #include "flask.h"
 #include "avc.h"
@@ -2270,6 +2271,48 @@ out:
 }
 
 /**
+ * security_ibdev_sid - Obtain the SID for a subnet management interface.
+ * @dev_name: device name
+ * @port: port number
+ * @out_sid: security identifier
+ */
+int security_ibdev_sid(const char *dev_name, u8 port, u32 *out_sid)
+{
+	struct ocontext *c;
+	int rc = 0;
+
+	read_lock(&policy_rwlock);
+
+	c = policydb.ocontexts[OCON_IBDEV];
+	while (c) {
+		if (c->u.ibdev.port == port &&
+		    !strncmp(c->u.ibdev.dev_name,
+			    dev_name,
+			    IB_DEVICE_NAME_MAX))
+			break;
+
+		c = c->next;
+	}
+
+	if (c) {
+		if (!c->sid[0]) {
+			rc = sidtab_context_to_sid(&sidtab,
+						   &c->context[0],
+						   &c->sid[0]);
+			if (rc)
+				goto out;
+		}
+		*out_sid = c->sid[0];
+	} else {
+		*out_sid = SECINITSID_IBDEV;
+	}
+
+out:
+	read_unlock(&policy_rwlock);
+	return rc;
+}
+
+/**
  * security_netif_sid - Obtain the SID for a network interface.
  * @name: interface name
  * @if_sid: interface SID
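Review bot: the object labeled here is a (device name, port) pair, that is an end port, while the function, the initial SID and the class are all named after the device ("ibdev", "infiniband_device") and the kernel-doc says the function returns the SID of "a subnet management interface". Pick one name for the object (end port matches the ocontext key) and use it for the class, the initial SID and the lookup so policy writers and audit readers see the same term. The strncmp() over IB_DEVICE_NAME_MAX is fine as long as the ocontext name is stored NUL-terminated within that size.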
-- 
1.7.1


* [RFC PATCH 7/7] selinux: Add a cache for quicker retreival of PKey SIDs
  2016-04-04 21:48 [RFC PATCH 0/7] SELinux support for Infiniband RDMA Dan Jurgens
                   ` (3 preceding siblings ...)
  2016-04-04 21:48 ` [RFC PATCH 6/7] selinux: Implement IB Device SMI " Dan Jurgens
@ 2016-04-04 21:48 ` Dan Jurgens
  4 siblings, 0 replies; 22+ messages in thread
From: Dan Jurgens @ 2016-04-04 21:48 UTC (permalink / raw)
  To: selinux, linux-security-module; +Cc: linux-rdma, yevgenyp, Daniel Jurgens

From: Daniel Jurgens <danielj@mellanox.com>

It is likely that the SID for the same PKey will be requested many
times.  To reduce the time to modify QPs and process MADs use a cache to
store PKey SIDs.

This code is heavily based on the "netif" and "netport" concept
originally developed by James Morris <jmorris@redhat.com> and Paul Moore
<paul@paul-moore.com> (see security/selinux/netif.c and
security/selinux/netport.c for more information)

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: Eli Cohen <eli@mellanox.com>
---
 security/selinux/Makefile         |    2 +-
 security/selinux/hooks.c          |    4 +-
 security/selinux/include/objsec.h |    6 +
 security/selinux/include/pkey.h   |   33 ++++++
 security/selinux/pkey.c           |  220 +++++++++++++++++++++++++++++++++++++
 5 files changed, 263 insertions(+), 2 deletions(-)
 create mode 100644 security/selinux/include/pkey.h
 create mode 100644 security/selinux/pkey.c

diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index ad5cd76..2a54c38 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -5,7 +5,7 @@
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
 
 selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
-	     netnode.o netport.o exports.o \
+	     netnode.o netport.o pkey.o exports.o \
 	     ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
 	     ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o
 
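Review bot: pkey.o is added to selinux-y unconditionally, but the only user of sel_pkey_sid() sits under #ifdef CONFIG_SECURITY_INFINIBAND, so kernels without the IB hooks still carry the 256-bucket table, its initcall and the flush call. Gate it with `selinux-$(CONFIG_SECURITY_INFINIBAND) += pkey.o` and provide an empty static inline sel_pkey_flush() in pkey.h for the disabled case.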
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 22cdafc..81c0f06 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -91,6 +91,7 @@
 #include "netif.h"
 #include "netnode.h"
 #include "netport.h"
+#include "pkey.h"
 #include "xfrm.h"
 #include "netlabel.h"
 #include "audit.h"
@@ -168,6 +169,7 @@ static int selinux_cache_avc_callback(u32 event)
 		sel_netnode_flush();
 		sel_netport_flush();
 		synchronize_net();
+		sel_pkey_flush();
 		security_infiniband_flush();
 	}
 	return 0;
@@ -5945,7 +5947,7 @@ static int selinux_pkey_access(u64 subnet_prefix, u16 pkey_val, void *security)
 	struct infiniband_security_struct *sec = security;
 	struct lsm_pkey_audit pkey;
 
-	err = security_pkey_sid(subnet_prefix, pkey_val, &sid);
+	err = sel_pkey_sid(subnet_prefix, pkey_val, &sid);
 
 	if (err)
 		goto out;
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 4e36976..21779b6 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -135,6 +135,12 @@ struct infiniband_security_struct {
 	u32 sid;        /* SID of the queue pair or MAD agent */
 };
 
+struct pkey_security_struct {
+	u64	subnet_prefix; /* Port subnet prefix */
+	u16	pkey;	/* PKey number */
+	u32	sid;	/* SID of pkey */
+};
+
 extern unsigned int selinux_checkreqprot;
 
 #endif /* _SELINUX_OBJSEC_H_ */
diff --git a/security/selinux/include/pkey.h b/security/selinux/include/pkey.h
new file mode 100644
index 0000000..b298ed4
--- /dev/null
+++ b/security/selinux/include/pkey.h
@@ -0,0 +1,33 @@
+/*
+ * pkey table
+ *
+ * SELinux must keep a mapping of pkeys to labels/SIDs.  This
+ * mapping is maintained as part of the normal policy but a fast cache is
+ * needed to reduce the lookup overhead.
+ *
+ * Author: Dan Jurgens <danielj@mellanox.com>
+ *
+ */
+
+/*
+ * (c) Mellanox Technologies, 2016
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ */
+
+#ifndef _SELINUX_IB_H
+#define _SELINUX_IB_H
+
+void sel_pkey_flush(void);
+
+int sel_pkey_sid(u64 subnet_prefix, u16 pkey, u32 *sid);
+
+#endif
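Review bot: the include guard is _SELINUX_IB_H although the file is pkey.h; name it _SELINUX_PKEY_H so it does not collide with a future ib.h in the same directory. The prototypes use u64, u16 and u32 but the header includes nothing, so it only compiles when <linux/types.h> happens to be included first; add that include.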
diff --git a/security/selinux/pkey.c b/security/selinux/pkey.c
new file mode 100644
index 0000000..bfb1f9c
--- /dev/null
+++ b/security/selinux/pkey.c
@@ -0,0 +1,220 @@
+/*
+ * Pkey table
+ *
+ * SELinux must keep a mapping of Infinband PKEYs to labels/SIDs.  This
+ * mapping is maintained as part of the normal policy but a fast cache is
+ * needed to reduce the lookup overhead.
+ *
+ * Author: Daniel Jurgens <danielj@mellanox.com>
+ *
+ * This code is heavily based on the "netif" and "netport" concept originally
+ * developed by
+ * James Morris <jmorris@redhat.com> and
+ * Paul Moore <paul@paul-moore.com>
+ *   (see security/selinux/netif.c and security/selinux/netport.c for more
+ *   information)
+ *
+ */
+
+/*
+ * (c) Mellanox Technologies, 2016
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ */
+
+#include <linux/types.h>
+#include <linux/rcupdate.h>
+#include <linux/list.h>
+#include <linux/spinlock.h>
+
+#include "pkey.h"
+#include "objsec.h"
+
+#define SEL_PKEY_HASH_SIZE       256
+#define SEL_PKEY_HASH_BKT_LIMIT   16
+
+struct sel_pkey_bkt {
+	int size;
+	struct list_head list;
+};
+
+struct sel_pkey {
+	struct pkey_security_struct psec;
+	struct list_head list;
+	struct rcu_head rcu;
+};
+
+static LIST_HEAD(sel_pkey_list);
+static DEFINE_SPINLOCK(sel_pkey_lock);
+static struct sel_pkey_bkt sel_pkey_hash[SEL_PKEY_HASH_SIZE];
+
+/**
+ * sel_pkey_hashfn - Hashing function for the pkey table
+ * @pkey: pkey number
+ *
+ * Description:
+ * This is the hashing function for the pkey table, it returns the bucket
+ * number for the given pkey.
+ *
+ */
+static unsigned int sel_pkey_hashfn(u16 pkey)
+{
+	return (pkey & (SEL_PKEY_HASH_SIZE - 1));
+}
+
+/**
+ * sel_pkey_insert - Insert a new pkey into the table
+ * @pkey: the new pkey record
+ *
+ * Description:
+ * Add a new pkey record to the hash table.
+ *
+ */
+static void sel_pkey_insert(struct sel_pkey *pkey)
+{
+	unsigned int idx;
+
+	/* we need to impose a limit on the growth of the hash table so check
+	 * this bucket to make sure it is within the specified bounds
+	 */
+	idx = sel_pkey_hashfn(pkey->psec.pkey);
+	list_add_rcu(&pkey->list, &sel_pkey_hash[idx].list);
+	if (sel_pkey_hash[idx].size == SEL_PKEY_HASH_BKT_LIMIT) {
+		struct sel_pkey *tail;
+
+		tail = list_entry(
+			rcu_dereference_protected(
+				sel_pkey_hash[idx].list.prev,
+				lockdep_is_held(&sel_pkey_lock)),
+			struct sel_pkey, list);
+		list_del_rcu(&tail->list);
+		kfree_rcu(tail, rcu);
+	} else {
+		sel_pkey_hash[idx].size++;
+	}
+}
+
+/**
+ * sel_pkey_sid_slow - Lookup the SID of a pkey using the policy
+ * @subnet_prefix: subnet prefix
+ * @pkey_num: pkey number
+ * @sid: pkey SID
+ *
+ * Description:
+ * This function determines the SID of a pkey by querying the security
+ * policy.  The result is added to the pkey table to speedup future
+ * queries.  Returns zero on success, negative values on failure.
+ *
+ */
+static int sel_pkey_sid_slow(u64 subnet_prefix, u16 pkey_num, u32 *sid)
+{
+	int ret = -ENOMEM;
+	struct sel_pkey *new = NULL;
+
+	spin_lock_bh(&sel_pkey_lock);
+	new = kzalloc(sizeof(*new), GFP_ATOMIC);
+	if (!new)
+		goto out;
+	ret = security_pkey_sid(subnet_prefix, pkey_num, sid);
+	if (ret != 0)
+		goto out;
+
+	new->psec.subnet_prefix = subnet_prefix;
+	new->psec.pkey = pkey_num;
+	new->psec.sid = *sid;
+	sel_pkey_insert(new);
+
+out:
+	spin_unlock_bh(&sel_pkey_lock);
+	if (unlikely(ret))
+		kfree(new);
+
+	return ret;
+}
+
+/**
+ * sel_pkey_sid - Lookup the SID of a PKEY
+ * @subnet_prefix: subnet_prefix
+ * @pkey_num: pkey number
+ * @sid: pkey SID
+ *
+ * Description:
+ * This function determines the SID of a PKEY using the fastest method
+ * possible.  First the pkey table is queried, but if an entry can't be found
+ * then the policy is queried and the result is added to the table to speedup
+ * future queries.  Returns zero on success, negative values on failure.
+ *
+ */
+int sel_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *sid)
+{
+	struct sel_pkey *pkey, *found_pkey = NULL;
+	unsigned int idx;
+
+	rcu_read_lock();
+	idx = sel_pkey_hashfn(pkey_num);
+	list_for_each_entry_rcu(pkey, &sel_pkey_hash[idx].list, list) {
+		if (pkey->psec.pkey == pkey_num &&
+		    pkey->psec.subnet_prefix == subnet_prefix) {
+			found_pkey = pkey;
+			break;
+		}
+	}
+
+	if (found_pkey) {
+		*sid = pkey->psec.sid;
+		rcu_read_unlock();
+		return 0;
+	}
+	rcu_read_unlock();
+
+	return sel_pkey_sid_slow(subnet_prefix, pkey_num, sid);
+}
+
+/**
+ * sel_pkey_flush - Flush the entire pkey table
+ *
+ * Description:
+ * Remove all entries from the pkey table
+ *
+ */
+void sel_pkey_flush(void)
+{
+	unsigned int idx;
+	struct sel_pkey *pkey, *pkey_tmp;
+
+	spin_lock_bh(&sel_pkey_lock);
+	for (idx = 0; idx < SEL_PKEY_HASH_SIZE; idx++) {
+		list_for_each_entry_safe(pkey, pkey_tmp,
+					 &sel_pkey_hash[idx].list, list) {
+			list_del_rcu(&pkey->list);
+			kfree_rcu(pkey, rcu);
+		}
+		sel_pkey_hash[idx].size = 0;
+	}
+	spin_unlock_bh(&sel_pkey_lock);
+}
+
+static __init int sel_pkey_init(void)
+{
+	int iter;
+
+	if (!selinux_enabled)
+		return 0;
+
+	for (iter = 0; iter < SEL_PKEY_HASH_SIZE; iter++) {
+		INIT_LIST_HEAD(&sel_pkey_hash[iter].list);
+		sel_pkey_hash[iter].size = 0;
+	}
+
+	return 0;
+}
+
+subsys_initcall(sel_pkey_init);
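Review bot: in sel_pkey_sid() the result is read through `pkey` (`*sid = pkey->psec.sid;`) although the match was recorded in `found_pkey`; the two coincide only because of the `break`, so either use found_pkey consistently or drop it. sel_pkey_hashfn() hashes the pkey value alone, so the same well-known pkey on several subnets (the default partition, for one) lands in one bucket and competes for its 16 slots; folding subnet_prefix into the hash would spread those. Two concurrent misses for the same key both take the slow path and insert duplicate entries, which is harmless but wastes bucket slots; a re-check under sel_pkey_lock before sel_pkey_insert() avoids it. Also "Infinband" in the file header comment.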
-- 
1.7.1


* Re: [RFC PATCH 1/7] security: Add LSM hooks for Infiniband security
  2016-04-04 21:48 ` [RFC PATCH 1/7] security: Add LSM hooks for Infiniband security Dan Jurgens
@ 2016-04-04 22:52       ` Or Gerlitz
  0 siblings, 0 replies; 22+ messages in thread
From: Or Gerlitz @ 2016-04-04 22:52 UTC (permalink / raw)
  To: Dan Jurgens
  Cc: selinux-+05T5uksL2qpZYMLLGbcSA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, Yevgeny Petrilin

On Tue, Apr 5, 2016 at 12:48 AM, Dan Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org> wrote:

> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -8,6 +8,7 @@
>   * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
>   * Copyright (C) 2015 Intel Corporation.
>   * Copyright (C) 2015 Casey Schaufler <casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
> + * Copyright (C) 2016 Mellanox Techonologies. <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>

Hi Dan,

I don't see the point to use personal copyright credits in our
upstream development. AFAIK, we don't do that for the NIC side
patches, if you don't mind, let's avoid that.

Or.

* Re: [RFC PATCH 1/7] security: Add LSM hooks for Infiniband security
  2016-04-04 21:48 ` [RFC PATCH 1/7] security: Add LSM hooks for Infiniband security Dan Jurgens
@ 2016-04-04 23:48       ` Casey Schaufler
  0 siblings, 0 replies; 22+ messages in thread
From: Casey Schaufler @ 2016-04-04 23:48 UTC (permalink / raw)
  To: Dan Jurgens, selinux-+05T5uksL2qpZYMLLGbcSA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA

On 4/4/2016 2:48 PM, Dan Jurgens wrote:
> From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>
> Add five new hooks
>  1. Allocate security contexts for Infiniband objects
>  2. Free security contexts for Infiniband objects
>  3. Enforce access to Pkeys
>  4. Enforce access to Infiniband devices' subnet management interfaces.
>  5. A hook to be implemented by IB core to receive notifications of
>     security policy or enforcement changes.  Restricting a QP's access to
>     a pkey will be done during setup and not on a per-packet basis;
>     access must be enforced again.
>
> Because IB core is usually compiled as a module it must be able to
> delete its hooks.  Remove the SELinux specific ifdef around
> security_delete_hooks and update the comment.  Also EXPORT_SYMBOL for
> security_hook_heads so IB core can access it to add and delete the hook.

The LSM infrastructure does not actually support dynamic
loading and unloading of modules. It happens that the SELinux
code is structured so that it can be safely unloaded if
the policy has not been loaded.

> Signed-off-by: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
> Reviewed-by: Eli Cohen <eli-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
> ---
>  include/linux/lsm_hooks.h |   43 ++++++++++++++++++++++++++++++++-----
>  include/linux/security.h  |   37 ++++++++++++++++++++++++++++++++
>  security/Kconfig          |    9 +++++++
>  security/security.c       |   52 +++++++++++++++++++++++++++++++++++++++++++++
>  4 files changed, 135 insertions(+), 6 deletions(-)
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 71969de..c0c7a40 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -8,6 +8,7 @@
>   * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
>   * Copyright (C) 2015 Intel Corporation.
>   * Copyright (C) 2015 Casey Schaufler <casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
> + * Copyright (C) 2016 Mellanox Techonologies. <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>   *
>   *	This program is free software; you can redistribute it and/or modify
>   *	it under the terms of the GNU General Public License as published by
> @@ -877,6 +878,21 @@
>   *	associated with the TUN device's security structure.
>   *	@security pointer to the TUN devices's security structure.
>   *
> + * Security hooks for Infiniband
> + *
> + * @pkey_access:
> + *	Check permission when modifing a QP or transmitting and receiving MADs.
> + * @ibdev_smi:
> + *	Check permissions to access the devices subnet management interface (SMI).
> + * @infiniband_alloc_security:
> + *	Allocate a security structure to be used by Infiniband QPs and MAD
> + *	agents.
> + * @infiniband_free_security:
> + *	Free an Infiniband security structure.
> + * @infiniband_flush:
> + *	Security modules can use this hook to notify IB core of policy changes
> + *	or when enforcement changes.
> + *
>   * Security hooks for XFRM operations.
>   *
>   * @xfrm_policy_alloc_security:
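Review bot: in the new kernel-doc block, "modifing" should be "modifying" and "the devices subnet management interface" should be "the device's"; the @pkey_access and @ibdev_smi entries should also say what @security is (the blob returned by @infiniband_alloc_security) and that they return 0 to allow and a negative errno to deny.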
> @@ -1577,6 +1593,14 @@ union security_list_options {
>  	int (*tun_dev_open)(void *security);
>  #endif	/* CONFIG_SECURITY_NETWORK */
>  
> +#ifdef CONFIG_SECURITY_INFINIBAND
> +	int (*pkey_access)(u64 subnet_prefix, u16 pkey, void *security);
> +	int (*ibdev_smi)(const char *dev_name, u8 port, void *security);
> +	int (*infiniband_alloc_security)(void **security);
> +	void (*infiniband_free_security)(void *security);

Please attach the security blobs to objects (like an inode) rather
than just passing a blob pointer. It's going to make module stacking
lots easier. 

> +	void (*infiniband_flush)(void);
> +#endif	/* CONFIG_SECURITY_INFINIBAND */
> +
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>  	int (*xfrm_policy_alloc_security)(struct xfrm_sec_ctx **ctxp,
>  					  struct xfrm_user_sec_ctx *sec_ctx,
> @@ -1805,6 +1829,13 @@ struct security_hook_heads {
>  	struct list_head tun_dev_open;
>  	struct list_head skb_owned_by;
>  #endif	/* CONFIG_SECURITY_NETWORK */
> +#ifdef CONFIG_SECURITY_INFINIBAND
> +	struct list_head pkey_access;
> +	struct list_head ibdev_smi;
> +	struct list_head infiniband_alloc_security;
> +	struct list_head infiniband_free_security;
> +	struct list_head infiniband_flush;
> +#endif	/* CONFIG_SECURITY_INFINIBAND */
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>  	struct list_head xfrm_policy_alloc_security;
>  	struct list_head xfrm_policy_clone_security;
> @@ -1862,7 +1893,6 @@ static inline void security_add_hooks(struct security_hook_list *hooks,
>  		list_add_tail_rcu(&hooks[i].list, hooks[i].head);
>  }
>  
> -#ifdef CONFIG_SECURITY_SELINUX_DISABLE
>  /*
>   * Assuring the safety of deleting a security module is up to
>   * the security module involved. This may entail ordering the
> @@ -1870,10 +1900,12 @@ static inline void security_add_hooks(struct security_hook_list *hooks,
>   * the module once a policy is loaded or any number of other
>   * actions better imagined than described.
>   *
> - * The name of the configuration option reflects the only module
> - * that currently uses the mechanism. Any developer who thinks
> - * disabling their module is a good idea needs to be at least as
> - * careful as the SELinux team.
> + * Any developer who thinks disabling their module is a good
> + * idea needs to be at least as careful as the SELinux team.
> + *
> + * ib_core is usually built as a module.  It may register a
> + * single instance to a single hook (infiniband_flush), and
> + * must be able to delete it when the module is unloaded.
>   */
>  static inline void security_delete_hooks(struct security_hook_list *hooks,
>  						int count)
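Review bot: the comment added here says ib_core, which is not a security module, will register itself on the infiniband_flush hook and delete it on unload; that turns a consumer of the LSM into a registrant in security_hook_heads, and it is what forces dropping the CONFIG_SECURITY_SELINUX_DISABLE guard around security_delete_hooks() and exporting security_hook_heads. A policy-change notifier chain that the LSM calls and ib_core subscribes to, with the usual register/unregister pairing for module lifetime, keeps the hook list LSM-only and needs none of these changes.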
> @@ -1883,7 +1915,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
>  	for (i = 0; i < count; i++)
>  		list_del_rcu(&hooks[i].list);
>  }
> -#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
>  
>  extern int __init security_module_enable(const char *module);
>  extern void __init capability_add_hooks(void);
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 4824a4c..fde0a92 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -6,6 +6,7 @@
>   * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley-M06CiZnz2FM@public.gmane.org>
>   * Copyright (C) 2001 James Morris <jmorris-G2x6lROWQUcJY7gZg3T8ig@public.gmane.org>
>   * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
> + * Copyright (C) 2016 Mellanox Techonologies. <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>   *
>   *	This program is free software; you can redistribute it and/or modify
>   *	it under the terms of the GNU General Public License as published by
> @@ -1350,6 +1351,42 @@ static inline int security_tun_dev_open(void *security)
>  }
>  #endif	/* CONFIG_SECURITY_NETWORK */
>  
> +#ifdef CONFIG_SECURITY_INFINIBAND
> +int security_pkey_access(u64 subnet_prefix, u16 pkey, void *security);
> +int security_ibdev_smi(const char *dev_name, u8 port, void *security);
> +int security_infiniband_alloc_security(void **security);
> +void security_infiniband_free_security(void *security);
> +void security_infiniband_flush(void);
> +#else	/* CONFIG_SECURITY_INFINIBAND */
> +static inline int security_pkey_access(u64 subnet_prefix,
> +				       u16 pkey,
> +				       void *security)
> +{
> +	return 0;
> +}
> +
> +static inline int security_ibdev_smi(const char *dev_name,
> +				     u8 port,
> +				     void *security)
> +{
> +	return 0;
> +}
> +
> +static inline int security_infiniband_alloc_security(void **security)
> +{
> +	*security = NULL;
> +	return 0;
> +}
> +
> +static inline void security_infiniband_free_security(void *security)
> +{
> +}
> +
> +static inline void security_infiniband_flush(void)
> +{
> +}
> +#endif	/* CONFIG_SECURITY_INFINIBAND */
> +
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>  
>  int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
> diff --git a/security/Kconfig b/security/Kconfig
> index e452378..bac790a 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -49,6 +49,15 @@ config SECURITY_NETWORK
>  	  implement socket and networking access controls.
>  	  If you are unsure how to answer this question, answer N.
>  
> +config SECURITY_INFINIBAND
> +	bool "Infiniband Security Hooks"
> +	depends on SECURITY && INFINIBAND
> +	help
> +	  This enables the Infiniband security hooks.
> +	  If enabled, a security module can use these hooks to
> +	  implement Infiniband access controls.
> +	  If you are unsure how to answer this question, answer N.
> +
>  config SECURITY_NETWORK_XFRM
>  	bool "XFRM (IPSec) Networking Security Hooks"
>  	depends on XFRM && SECURITY_NETWORK
> diff --git a/security/security.c b/security/security.c
> index e8ffd92..a3e3e35 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -4,6 +4,7 @@
>   * Copyright (C) 2001 WireX Communications, Inc <chris-ZMHXrckZAt0AvxtiuMwx3w@public.gmane.org>
>   * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
>   * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley-M06CiZnz2FM@public.gmane.org>
> + * Copyright (C) 2016 Mellanox Technologies.  <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>   *
>   *	This program is free software; you can redistribute it and/or modify
>   *	it under the terms of the GNU General Public License as published by
> @@ -1396,6 +1397,44 @@ EXPORT_SYMBOL(security_tun_dev_open);
>  
>  #endif	/* CONFIG_SECURITY_NETWORK */
>  
> +#ifdef CONFIG_SECURITY_INFINIBAND
> +
> +int security_pkey_access(u64 subnet_prefix, u16 pkey, void *security)
> +{
> +	return call_int_hook(pkey_access,
> +			0,
> +			subnet_prefix,
> +			pkey,
> +			security);

Please stick with the local convention for parameters.

	return call_int_hook(pkey_access, 0, subnet_prefix, pkey, security);

all on one line.
 

> +}
> +EXPORT_SYMBOL(security_pkey_access);
> +
> +int security_ibdev_smi(const char *dev_name, u8 port, void *security)
> +{
> +	return call_int_hook(ibdev_smi, 0, dev_name, port, security);
> +}
> +EXPORT_SYMBOL(security_ibdev_smi);
> +
> +int security_infiniband_alloc_security(void **security)
> +{
> +	return call_int_hook(infiniband_alloc_security, 0, security);
> +}
> +EXPORT_SYMBOL(security_infiniband_alloc_security);
> +
> +void security_infiniband_free_security(void *security)
> +{
> +	call_void_hook(infiniband_free_security, security);
> +}
> +EXPORT_SYMBOL(security_infiniband_free_security);
> +
> +void security_infiniband_flush(void)
> +{
> +	call_void_hook(infiniband_flush);
> +}
> +EXPORT_SYMBOL(security_infiniband_flush);
> +
> +#endif	/* CONFIG_SECURITY_INFINIBAND */
> +
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>  
>  int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
> @@ -1848,6 +1887,18 @@ struct security_hook_heads security_hook_heads = {
>  	.tun_dev_open =	LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
>  	.skb_owned_by =	LIST_HEAD_INIT(security_hook_heads.skb_owned_by),
>  #endif	/* CONFIG_SECURITY_NETWORK */
> +
> +#ifdef CONFIG_SECURITY_INFINIBAND
> +	.pkey_access = LIST_HEAD_INIT(security_hook_heads.pkey_access),
> +	.ibdev_smi = LIST_HEAD_INIT(security_hook_heads.ibdev_smi),
> +	.infiniband_alloc_security =
> +		LIST_HEAD_INIT(security_hook_heads.infiniband_alloc_security),
> +	.infiniband_free_security =
> +		LIST_HEAD_INIT(security_hook_heads.infiniband_free_security),
> +	.infiniband_flush =
> +		LIST_HEAD_INIT(security_hook_heads.infiniband_flush),
> +#endif	/* CONFIG_SECURITY_INFINIBAND */
> +
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>  	.xfrm_policy_alloc_security =
>  		LIST_HEAD_INIT(security_hook_heads.xfrm_policy_alloc_security),
> @@ -1891,3 +1942,4 @@ struct security_hook_heads security_hook_heads = {
>  		LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
>  #endif /* CONFIG_AUDIT */
>  };
> +EXPORT_SYMBOL(security_hook_heads);

_______________________________________________
Selinux mailing list
Selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org
To unsubscribe, send email to Selinux-leave-+05T5uksL2pAGbPMOrvdOA@public.gmane.org
To get help, send an email containing "help" to Selinux-request-+05T5uksL2pAGbPMOrvdOA@public.gmane.org

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [RFC PATCH 1/7] security: Add LSM hooks for Infiniband security
@ 2016-04-04 23:48       ` Casey Schaufler
  0 siblings, 0 replies; 22+ messages in thread
From: Casey Schaufler @ 2016-04-04 23:48 UTC (permalink / raw)
  To: Dan Jurgens, selinux, linux-security-module; +Cc: linux-rdma, yevgenyp

On 4/4/2016 2:48 PM, Dan Jurgens wrote:
> From: Daniel Jurgens <danielj@mellanox.com>
>
> Add five new hooks
>  1. Allocate security contexts for Infiniband objects
>  2. Free security contexts for Infiniband objects
>  3. Enforce access to Pkeys
>  4. Enforce access to Infiniband devices' subnet management interfaces.
>  5. A hook to be implemented by IB core to receive notifications of
>     security policy or enforcement changes.  Restricting a QP's access to
>     a pkey will be done during setup and not on a per packet basis, so
>     access must be enforced again.
>
> Because IB core is usually compiled as a module it must be able to
> delete its hooks.  Remove the SELinux specific ifdef around
> security_delete_hooks and update the comment.  Also EXPORT_SYMBOL for
> security_hook_heads so IB core can access it to add and delete the hook.

The LSM infrastructure does not actually support dynamic
loading and unloading of modules. It happens that the SELinux
code is structured so that it can be safely unloaded if
the policy has not been loaded.

> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> Reviewed-by: Eli Cohen <eli@mellanox.com>
> ---
>  include/linux/lsm_hooks.h |   43 ++++++++++++++++++++++++++++++++-----
>  include/linux/security.h  |   37 ++++++++++++++++++++++++++++++++
>  security/Kconfig          |    9 +++++++
>  security/security.c       |   52 +++++++++++++++++++++++++++++++++++++++++++++
>  4 files changed, 135 insertions(+), 6 deletions(-)
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 71969de..c0c7a40 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -8,6 +8,7 @@
>   * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
>   * Copyright (C) 2015 Intel Corporation.
>   * Copyright (C) 2015 Casey Schaufler <casey@schaufler-ca.com>
> + * Copyright (C) 2016 Mellanox Techonologies. <danielj@mellanox.com>
>   *
>   *	This program is free software; you can redistribute it and/or modify
>   *	it under the terms of the GNU General Public License as published by
> @@ -877,6 +878,21 @@
>   *	associated with the TUN device's security structure.
>   *	@security pointer to the TUN devices's security structure.
>   *
> + * Security hooks for Infiniband
> + *
> + * @pkey_access:
> + *	Check permission when modifing a QP or transmitting and receiving MADs.
> + * @ibdev_smi:
> + *	Check permissions to access the devices subnet management interface (SMI).
> + * @infiniband_alloc_security:
> + *	Allocate a security structure to be used by Infiniband QPs and MAD
> + *	agents.
> + * @infiniband_free_security:
> + *	Free an Infiniband security structure.
> + * @infiniband_flush:
> + *	Security modules can use this hook to notify IB core of policy changes
> + *	or when enforcement changes.
> + *
>   * Security hooks for XFRM operations.
>   *
>   * @xfrm_policy_alloc_security:
> @@ -1577,6 +1593,14 @@ union security_list_options {
>  	int (*tun_dev_open)(void *security);
>  #endif	/* CONFIG_SECURITY_NETWORK */
>  
> +#ifdef CONFIG_SECURITY_INFINIBAND
> +	int (*pkey_access)(u64 subnet_prefix, u16 pkey, void *security);
> +	int (*ibdev_smi)(const char *dev_name, u8 port, void *security);
> +	int (*infiniband_alloc_security)(void **security);
> +	void (*infiniband_free_security)(void *security);

Please attach the security blobs to objects (like an inode) rather
than just passing a blob pointer. It's going to make module stacking
lots easier. 

> +	void (*infiniband_flush)(void);
> +#endif	/* CONFIG_SECURITY_INFINIBAND */
> +
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>  	int (*xfrm_policy_alloc_security)(struct xfrm_sec_ctx **ctxp,
>  					  struct xfrm_user_sec_ctx *sec_ctx,
> @@ -1805,6 +1829,13 @@ struct security_hook_heads {
>  	struct list_head tun_dev_open;
>  	struct list_head skb_owned_by;
>  #endif	/* CONFIG_SECURITY_NETWORK */
> +#ifdef CONFIG_SECURITY_INFINIBAND
> +	struct list_head pkey_access;
> +	struct list_head ibdev_smi;
> +	struct list_head infiniband_alloc_security;
> +	struct list_head infiniband_free_security;
> +	struct list_head infiniband_flush;
> +#endif	/* CONFIG_SECURITY_INFINIBAND */
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>  	struct list_head xfrm_policy_alloc_security;
>  	struct list_head xfrm_policy_clone_security;
> @@ -1862,7 +1893,6 @@ static inline void security_add_hooks(struct security_hook_list *hooks,
>  		list_add_tail_rcu(&hooks[i].list, hooks[i].head);
>  }
>  
> -#ifdef CONFIG_SECURITY_SELINUX_DISABLE
>  /*
>   * Assuring the safety of deleting a security module is up to
>   * the security module involved. This may entail ordering the
> @@ -1870,10 +1900,12 @@ static inline void security_add_hooks(struct security_hook_list *hooks,
>   * the module once a policy is loaded or any number of other
>   * actions better imagined than described.
>   *
> - * The name of the configuration option reflects the only module
> - * that currently uses the mechanism. Any developer who thinks
> - * disabling their module is a good idea needs to be at least as
> - * careful as the SELinux team.
> + * Any developer who thinks disabling their module is a good
> + * idea needs to be at least as careful as the SELinux team.
> + *
> + * ib_core is usually built as a module.  It may register a
> + * single instance to a single hook (infiniband_flush), and
> + * must be able to delete it when the module is unloaded.
>   */
>  static inline void security_delete_hooks(struct security_hook_list *hooks,
>  						int count)
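Review bot: the added comment says ib_core "must be able to delete" its hook when unloading but leaves the synchronization contract unstated. security_delete_hooks() only does list_del_rcu(), so a caller that is about to unload has to wait out an RCU grace period (synchronize_rcu()) after the delete and before the code behind the hook disappears; suggest spelling that out here, since the existing warning that safety is "up to the security module involved" now also applies to a non-LSM caller such as ib_core.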
> @@ -1883,7 +1915,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
>  	for (i = 0; i < count; i++)
>  		list_del_rcu(&hooks[i].list);
>  }
> -#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
>  
>  extern int __init security_module_enable(const char *module);
>  extern void __init capability_add_hooks(void);
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 4824a4c..fde0a92 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -6,6 +6,7 @@
>   * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
>   * Copyright (C) 2001 James Morris <jmorris@intercode.com.au>
>   * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
> + * Copyright (C) 2016 Mellanox Techonologies. <danielj@mellanox.com>
>   *
>   *	This program is free software; you can redistribute it and/or modify
>   *	it under the terms of the GNU General Public License as published by
> @@ -1350,6 +1351,42 @@ static inline int security_tun_dev_open(void *security)
>  }
>  #endif	/* CONFIG_SECURITY_NETWORK */
>  
> +#ifdef CONFIG_SECURITY_INFINIBAND
> +int security_pkey_access(u64 subnet_prefix, u16 pkey, void *security);
> +int security_ibdev_smi(const char *dev_name, u8 port, void *security);
> +int security_infiniband_alloc_security(void **security);
> +void security_infiniband_free_security(void *security);
> +void security_infiniband_flush(void);
> +#else	/* CONFIG_SECURITY_INFINIBAND */
> +static inline int security_pkey_access(u64 subnet_prefix,
> +				       u16 pkey,
> +				       void *security)
> +{
> +	return 0;
> +}
> +
> +static inline int security_ibdev_smi(const char *dev_name,
> +				     u8 port,
> +				     void *security)
> +{
> +	return 0;
> +}
> +
> +static inline int security_infiniband_alloc_security(void **security)
> +{
> +	*security = NULL;
> +	return 0;
> +}
> +
> +static inline void security_infiniband_free_security(void *security)
> +{
> +}
> +
> +static inline void security_infiniband_flush(void)
> +{
> +}
> +#endif	/* CONFIG_SECURITY_INFINIBAND */
> +
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>  
>  int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
> diff --git a/security/Kconfig b/security/Kconfig
> index e452378..bac790a 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -49,6 +49,15 @@ config SECURITY_NETWORK
>  	  implement socket and networking access controls.
>  	  If you are unsure how to answer this question, answer N.
>  
> +config SECURITY_INFINIBAND
> +	bool "Infiniband Security Hooks"
> +	depends on SECURITY && INFINIBAND
> +	help
> +	  This enables the Infiniband security hooks.
> +	  If enabled, a security module can use these hooks to
> +	  implement Infiniband access controls.
> +	  If you are unsure how to answer this question, answer N.
> +
>  config SECURITY_NETWORK_XFRM
>  	bool "XFRM (IPSec) Networking Security Hooks"
>  	depends on XFRM && SECURITY_NETWORK
> diff --git a/security/security.c b/security/security.c
> index e8ffd92..a3e3e35 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -4,6 +4,7 @@
>   * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
>   * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
>   * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
> + * Copyright (C) 2016 Mellanox Technologies.  <danielj@mellanox.com>
>   *
>   *	This program is free software; you can redistribute it and/or modify
>   *	it under the terms of the GNU General Public License as published by
> @@ -1396,6 +1397,44 @@ EXPORT_SYMBOL(security_tun_dev_open);
>  
>  #endif	/* CONFIG_SECURITY_NETWORK */
>  
> +#ifdef CONFIG_SECURITY_INFINIBAND
> +
> +int security_pkey_access(u64 subnet_prefix, u16 pkey, void *security)
> +{
> +	return call_int_hook(pkey_access,
> +			0,
> +			subnet_prefix,
> +			pkey,
> +			security);

Please stick with the local convention for parameters.

	return call_int_hook(pkey_access, 0, subnet_prefix, pkey, security);

all on one line.
 

> +}
> +EXPORT_SYMBOL(security_pkey_access);
> +
> +int security_ibdev_smi(const char *dev_name, u8 port, void *security)
> +{
> +	return call_int_hook(ibdev_smi, 0, dev_name, port, security);
> +}
> +EXPORT_SYMBOL(security_ibdev_smi);
> +
> +int security_infiniband_alloc_security(void **security)
> +{
> +	return call_int_hook(infiniband_alloc_security, 0, security);
> +}
> +EXPORT_SYMBOL(security_infiniband_alloc_security);
> +
> +void security_infiniband_free_security(void *security)
> +{
> +	call_void_hook(infiniband_free_security, security);
> +}
> +EXPORT_SYMBOL(security_infiniband_free_security);
> +
> +void security_infiniband_flush(void)
> +{
> +	call_void_hook(infiniband_flush);
> +}
> +EXPORT_SYMBOL(security_infiniband_flush);
> +
> +#endif	/* CONFIG_SECURITY_INFINIBAND */
> +
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>  
>  int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
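Review bot: security_infiniband_alloc_security() returns whatever call_int_hook() yields, so with CONFIG_SECURITY_INFINIBAND set but no loaded module implementing infiniband_alloc_security the function returns the default 0 without ever writing *security, whereas the !CONFIG_SECURITY_INFINIBAND stub in security.h explicitly sets *security = NULL. Suggest adding `*security = NULL;` before the call_int_hook() line (or documenting that callers must pre-initialize the pointer), so ib_core cannot later hand an uninitialized blob pointer to security_infiniband_free_security().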
> @@ -1848,6 +1887,18 @@ struct security_hook_heads security_hook_heads = {
>  	.tun_dev_open =	LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
>  	.skb_owned_by =	LIST_HEAD_INIT(security_hook_heads.skb_owned_by),
>  #endif	/* CONFIG_SECURITY_NETWORK */
> +
> +#ifdef CONFIG_SECURITY_INFINIBAND
> +	.pkey_access = LIST_HEAD_INIT(security_hook_heads.pkey_access),
> +	.ibdev_smi = LIST_HEAD_INIT(security_hook_heads.ibdev_smi),
> +	.infiniband_alloc_security =
> +		LIST_HEAD_INIT(security_hook_heads.infiniband_alloc_security),
> +	.infiniband_free_security =
> +		LIST_HEAD_INIT(security_hook_heads.infiniband_free_security),
> +	.infiniband_flush =
> +		LIST_HEAD_INIT(security_hook_heads.infiniband_flush),
> +#endif	/* CONFIG_SECURITY_INFINIBAND */
> +
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>  	.xfrm_policy_alloc_security =
>  		LIST_HEAD_INIT(security_hook_heads.xfrm_policy_alloc_security),
> @@ -1891,3 +1942,4 @@ struct security_hook_heads security_hook_heads = {
>  		LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
>  #endif /* CONFIG_AUDIT */
>  };
> +EXPORT_SYMBOL(security_hook_heads);
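Review bot: EXPORT_SYMBOL(security_hook_heads) exposes the complete LSM hook table to every loadable module, while the stated need is for ib_core to register one infiniband_flush entry; the export is only required because the inline security_add_hooks()/security_delete_hooks() dereference hooks[i].head. A narrower alternative is a dedicated exported pair (hypothetical names: security_infiniband_register_flush()/security_infiniband_unregister_flush()) that touches only the infiniband_flush list, and if the struct must be exported at all it should be EXPORT_SYMBOL_GPL rather than EXPORT_SYMBOL.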


* Re: [RFC PATCH 0/7] SELinux support for Infiniband RDMA
  2016-04-04 21:48 [RFC PATCH 0/7] SELinux support for Infiniband RDMA Dan Jurgens
@ 2016-04-05  1:12     ` James Morris
       [not found] ` <1459806504-16135-1-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
                       ` (3 subsequent siblings)
  4 siblings, 0 replies; 22+ messages in thread
From: James Morris @ 2016-04-05  1:12 UTC (permalink / raw)
  To: Dan Jurgens
  Cc: selinux-+05T5uksL2qpZYMLLGbcSA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	yevgenyp-VPRAkNaXOzVWk0Htik3J/w

On Tue, 5 Apr 2016, Dan Jurgens wrote:

> From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
> 
> Currently there is no way to provide granular access control to an Infiniband
> fabric.  By providing an ability to restrict user access to specific virtual
> subfabrics administrators can limit access to bandwidth and isolate users on
> the fabric.

Where are the LSM hooks placed?



-- 
James Morris
<jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org>

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: [RFC PATCH 0/7] SELinux support for Infiniband RDMA
@ 2016-04-05  1:12     ` James Morris
  0 siblings, 0 replies; 22+ messages in thread
From: James Morris @ 2016-04-05  1:12 UTC (permalink / raw)
  To: Dan Jurgens; +Cc: selinux, linux-security-module, linux-rdma, yevgenyp

On Tue, 5 Apr 2016, Dan Jurgens wrote:

> From: Daniel Jurgens <danielj@mellanox.com>
> 
> Currently there is no way to provide granular access control to an Infiniband
> fabric.  By providing an ability to restrict user access to specific virtual
> subfabrics administrators can limit access to bandwidth and isolate users on
> the fabric.

Where are the LSM hooks placed?



-- 
James Morris
<jmorris@namei.org>


* Re: [RFC PATCH 0/7] SELinux support for Infiniband RDMA
  2016-04-05  1:12     ` James Morris
@ 2016-04-05  1:31       ` Daniel Jurgens
  -1 siblings, 0 replies; 22+ messages in thread
From: Daniel Jurgens @ 2016-04-05  1:31 UTC (permalink / raw)
  To: James Morris
  Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA,
	selinux-+05T5uksL2qpZYMLLGbcSA

On 4/4/2016 8:13 PM, James Morris wrote:
> On Tue, 5 Apr 2016, Dan Jurgens wrote:
> 
>> From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>>
>> Currently there is no way to provide granular access control to an Infiniband
>> fabric.  By providing an ability to restrict user access to specific virtual
>> subfabrics administrators can limit access to bandwidth and isolate users on
>> the fabric.
> 
> Where are the LSM hooks placed?
> 
> 
> 
The LSM hooks are defined in patch 1/7 of this series.  There are 4 that
will be called from ib_core, and one that's implemented by ib_core to be
called by a security module if the policy or enforcement setting change
(infiniband_flush).  That call from SELinux is added in patch 3/7 of
this series.
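The registration, dispatch and flush path described above, as an added user-space model (not code from the series, ib_core or SELinux): it assumes call_int_hook() returns the first non-zero hook result with a default of 0, replaces the kernel's RCU lists with plain singly linked lists, and the policy rules, labels and subnet prefix are constructed sample values.

```c
/* User-space model of the Infiniband LSM hook plumbing from patch 1/7 (added example,
 * not code from the series).  Singly linked lists stand in for the kernel's RCU lists,
 * and call_int_hook() is assumed to return the first non-zero result, defaulting to 0. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
typedef uint64_t u64; typedef uint16_t u16; typedef uint8_t u8;

union security_list_options {			/* signatures as declared in the patch */
	int (*pkey_access)(u64 subnet_prefix, u16 pkey, void *security);
	int (*ibdev_smi)(const char *dev_name, u8 port, void *security);
	int (*infiniband_alloc_security)(void **security);
	void (*infiniband_free_security)(void *security);
	void (*infiniband_flush)(void);
};

struct security_hook_list {
	struct security_hook_list *next;	/* stands in for struct list_head */
	struct security_hook_list **head;	/* list this entry is registered on */
	union security_list_options hook;
};

static struct {
	struct security_hook_list *pkey_access, *ibdev_smi, *infiniband_alloc_security,
				  *infiniband_free_security, *infiniband_flush;
} security_hook_heads;
#define LSM_HOOK_INIT(HEAD, HOOK) { NULL, &security_hook_heads.HEAD, { .HEAD = HOOK } }

static void security_add_hooks(struct security_hook_list *hooks, int count)
{
	for (int i = 0; i < count; i++) {	/* append, like list_add_tail_rcu() */
		struct security_hook_list **pp = hooks[i].head;
		while (*pp) pp = &(*pp)->next;
		hooks[i].next = NULL, *pp = &hooks[i];
	}
}

static void security_delete_hooks(struct security_hook_list *hooks, int count)
{
	for (int i = 0; i < count; i++) {	/* unlink, like list_del_rcu(); a real module must
						   also wait out an RCU grace period before unloading */
		struct security_hook_list **pp = hooks[i].head;
		while (*pp && *pp != &hooks[i]) pp = &(*pp)->next;
		if (*pp) *pp = hooks[i].next;
	}
}

int security_pkey_access(u64 subnet_prefix, u16 pkey, void *security)
{	/* first non-zero return (a denial) wins; no module registered -> 0, allow */
	for (struct security_hook_list *p = security_hook_heads.pkey_access; p; p = p->next) {
		int rc = p->hook.pkey_access(subnet_prefix, pkey, security);
		if (rc) return rc;
	}
	return 0;
}

void security_infiniband_flush(void)
{	/* reverse direction: the security module calls this and ib_core's hook runs */
	for (struct security_hook_list *p = security_hook_heads.infiniband_flush; p; p = p->next)
		p->hook.infiniband_flush();
}

/* Toy policy standing in for SELinux: subject label -> allowed PKey range on a subnet.
 * The rules, labels and the subnet prefix are constructed sample values. */
struct ib_blob { int label; };			/* what infiniband_alloc_security would attach */
static const struct { int label; u64 prefix; u16 low, high; } rules[] = {
	{ 1, 0xfe80000000000000ULL, 0x8001, 0x8010 },
	{ 2, 0xfe80000000000000ULL, 0x7fff, 0x7fff },
};
static int toy_pkey_access(u64 prefix, u16 pkey, void *security)
{
	const struct ib_blob *b = security;
	for (size_t i = 0; b && i < sizeof rules / sizeof rules[0]; i++)
		if (rules[i].label == b->label && rules[i].prefix == prefix &&
		    pkey >= rules[i].low && pkey <= rules[i].high)
			return 0;
	return -EACCES;
}
static struct security_hook_list toy_hooks[] = { LSM_HOOK_INIT(pkey_access, toy_pkey_access) };

/* ib_core side: the one hook it implements; the real driver would re-check its QPs here */
static int ib_core_flushes;
static void ib_core_flush(void) { ib_core_flushes++; }
static struct security_hook_list ib_core_hooks[] = { LSM_HOOK_INIT(infiniband_flush, ib_core_flush) };

/* Whole flow: returns 0 on success, otherwise the number of the step that failed. */
int demo_flow(void)
{
	const u64 subnet = 0xfe80000000000000ULL;
	struct ib_blob blob = { .label = 1 };
	if (security_pkey_access(subnet, 0x8001, NULL) != 0) return 1;		/* nothing registered */
	security_add_hooks(toy_hooks, 1);
	security_add_hooks(ib_core_hooks, 1);
	if (security_pkey_access(subnet, 0x8001, &blob) != 0) return 2;		/* inside the range */
	if (security_pkey_access(subnet, 0x8011, &blob) != -EACCES) return 3;	/* outside it */
	if (security_pkey_access(subnet + 1, 0x8001, &blob) != -EACCES) return 4;	/* other subnet */
	security_infiniband_flush();						/* policy change */
	if (ib_core_flushes != 1) return 5;
	security_delete_hooks(ib_core_hooks, 1);				/* module unload */
	security_infiniband_flush();
	if (ib_core_flushes != 1) return 6;					/* unlinked hook not run */
	security_delete_hooks(toy_hooks, 1);
	return 0;
}
```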


* Re: [RFC PATCH 0/7] SELinux support for Infiniband RDMA
@ 2016-04-05  1:31       ` Daniel Jurgens
  0 siblings, 0 replies; 22+ messages in thread
From: Daniel Jurgens @ 2016-04-05  1:31 UTC (permalink / raw)
  To: James Morris; +Cc: selinux, linux-security-module, linux-rdma, Yevgeny Petrilin

On 4/4/2016 8:13 PM, James Morris wrote:
> On Tue, 5 Apr 2016, Dan Jurgens wrote:
> 
>> From: Daniel Jurgens <danielj@mellanox.com>
>>
>> Currently there is no way to provide granular access control to an Infiniband
>> fabric.  By providing an ability to restrict user access to specific virtual
>> subfabrics administrators can limit access to bandwidth and isolate users on
>> the fabric.
> 
> Where are the LSM hooks placed?
> 
> 
> 
The LSM hooks are defined in patch 1/7 of this series.  There are 4 that
will be called from ib_core, and one that's implemented by ib_core to be
called by a security module if the policy or enforcement setting change
(infiniband_flush).  That call from SELinux is added in patch 3/7 of
this series.


* Re: [RFC PATCH 1/7] security: Add LSM hooks for Infiniband security
  2016-04-04 23:48       ` Casey Schaufler
@ 2016-04-05  1:38         ` Daniel Jurgens
  -1 siblings, 0 replies; 22+ messages in thread
From: Daniel Jurgens @ 2016-04-05  1:38 UTC (permalink / raw)
  To: Casey Schaufler, selinux-+05T5uksL2qpZYMLLGbcSA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA

On 4/4/2016 6:48 PM, Casey Schaufler wrote:
> On 4/4/2016 2:48 PM, Dan Jurgens wrote:
>> From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>>
>> Add five new hooks
>>  1. Allocate security contexts for Infiniband objects
>>  2. Free security contexts for Infiniband objects
>>  3. Enforce access to Pkeys
>>  4. Enforce access to Infiniband devices' subnet management interfaces.
>>  5. A hook to be implemented by IB core to receive notifications of
>>     security policy or enforcement changes.  Restricting a QP's access to
>>     a pkey will be done during setup and not on a per packet basis, so
>>     access must be enforced again.
>>
>> Because IB core is usually compiled as a module it must be able to
>> delete its hooks.  Remove the SELinux specific ifdef around
>> security_delete_hooks and update the comment.  Also EXPORT_SYMBOL for
>> security_hook_heads so IB core can access it to add and delete the hook.
> 
> The LSM infrastructure does not actually support dynamic
> loading and unloading of modules. It happens that the SELinux
> code is structured so that it can be safely unloaded if
> the policy has not been loaded.
> 
If a module calls synchronize_rcu after deleting its hooks but before
unloading isn't safety assured?  I can send an out of context patch in a
reply showing how ib_core manages that hook if that would be helpful for
context.

>> Signed-off-by: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>> Reviewed-by: Eli Cohen <eli-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>> ---
>>  include/linux/lsm_hooks.h |   43 ++++++++++++++++++++++++++++++++-----
>>  include/linux/security.h  |   37 ++++++++++++++++++++++++++++++++
>>  security/Kconfig          |    9 +++++++
>>  security/security.c       |   52 +++++++++++++++++++++++++++++++++++++++++++++
>>  4 files changed, 135 insertions(+), 6 deletions(-)
>>
>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>> index 71969de..c0c7a40 100644
>> --- a/include/linux/lsm_hooks.h
>> +++ b/include/linux/lsm_hooks.h
>> @@ -8,6 +8,7 @@
>>   * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
>>   * Copyright (C) 2015 Intel Corporation.
>>   * Copyright (C) 2015 Casey Schaufler <casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
>> + * Copyright (C) 2016 Mellanox Techonologies. <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>>   *
>>   *	This program is free software; you can redistribute it and/or modify
>>   *	it under the terms of the GNU General Public License as published by
>> @@ -877,6 +878,21 @@
>>   *	associated with the TUN device's security structure.
>>   *	@security pointer to the TUN devices's security structure.
>>   *
>> + * Security hooks for Infiniband
>> + *
>> + * @pkey_access:
>> + *	Check permission when modifing a QP or transmitting and receiving MADs.
>> + * @ibdev_smi:
>> + *	Check permissions to access the devices subnet management interface (SMI).
>> + * @infiniband_alloc_security:
>> + *	Allocate a security structure to be used by Infiniband QPs and MAD
>> + *	agents.
>> + * @infiniband_free_security:
>> + *	Free an Infiniband security structure.
>> + * @infiniband_flush:
>> + *	Security modules can use this hook to notify IB core of policy changes
>> + *	or when enforcement changes.
>> + *
>>   * Security hooks for XFRM operations.
>>   *
>>   * @xfrm_policy_alloc_security:
>> @@ -1577,6 +1593,14 @@ union security_list_options {
>>  	int (*tun_dev_open)(void *security);
>>  #endif	/* CONFIG_SECURITY_NETWORK */
>>  
>> +#ifdef CONFIG_SECURITY_INFINIBAND
>> +	int (*pkey_access)(u64 subnet_prefix, u16 pkey, void *security);
>> +	int (*ibdev_smi)(const char *dev_name, u8 port, void *security);
>> +	int (*infiniband_alloc_security)(void **security);
>> +	void (*infiniband_free_security)(void *security);
> 
> Please attach the security blobs to objects (like an inode) rather
> than just passing a blob pointer. It's going to make module stacking
> lots easier. 
>

That makes sense.  I wondered how module stacking would work with the
opaque security field; most alloc/free pairs have the lone blob so I
followed that convention.

>> +	void (*infiniband_flush)(void);
>> +#endif	/* CONFIG_SECURITY_INFINIBAND */
>> +
>>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>>  	int (*xfrm_policy_alloc_security)(struct xfrm_sec_ctx **ctxp,
>>  					  struct xfrm_user_sec_ctx *sec_ctx,
>> @@ -1805,6 +1829,13 @@ struct security_hook_heads {
>>  	struct list_head tun_dev_open;
>>  	struct list_head skb_owned_by;
>>  #endif	/* CONFIG_SECURITY_NETWORK */
>> +#ifdef CONFIG_SECURITY_INFINIBAND
>> +	struct list_head pkey_access;
>> +	struct list_head ibdev_smi;
>> +	struct list_head infiniband_alloc_security;
>> +	struct list_head infiniband_free_security;
>> +	struct list_head infiniband_flush;
>> +#endif	/* CONFIG_SECURITY_INFINIBAND */
>>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>>  	struct list_head xfrm_policy_alloc_security;
>>  	struct list_head xfrm_policy_clone_security;
>> @@ -1862,7 +1893,6 @@ static inline void security_add_hooks(struct security_hook_list *hooks,
>>  		list_add_tail_rcu(&hooks[i].list, hooks[i].head);
>>  }
>>  
>> -#ifdef CONFIG_SECURITY_SELINUX_DISABLE
>>  /*
>>   * Assuring the safety of deleting a security module is up to
>>   * the security module involved. This may entail ordering the
>> @@ -1870,10 +1900,12 @@ static inline void security_add_hooks(struct security_hook_list *hooks,
>>   * the module once a policy is loaded or any number of other
>>   * actions better imagined than described.
>>   *
>> - * The name of the configuration option reflects the only module
>> - * that currently uses the mechanism. Any developer who thinks
>> - * disabling their module is a good idea needs to be at least as
>> - * careful as the SELinux team.
>> + * Any developer who thinks disabling their module is a good
>> + * idea needs to be at least as careful as the SELinux team.
>> + *
>> + * ib_core is usually built as a module.  It may register a
>> + * single instance to a single hook (infiniband_flush), and
>> + * must be able to delete it when the module is unloaded.
>>   */
>>  static inline void security_delete_hooks(struct security_hook_list *hooks,
>>  						int count)
>> @@ -1883,7 +1915,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
>>  	for (i = 0; i < count; i++)
>>  		list_del_rcu(&hooks[i].list);
>>  }
>> -#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
>>  
>>  extern int __init security_module_enable(const char *module);
>>  extern void __init capability_add_hooks(void);
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index 4824a4c..fde0a92 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -6,6 +6,7 @@
>>   * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley-M06CiZnz2FM@public.gmane.org>
>>   * Copyright (C) 2001 James Morris <jmorris-G2x6lROWQUcJY7gZg3T8ig@public.gmane.org>
>>   * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
>> + * Copyright (C) 2016 Mellanox Techonologies. <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>>   *
>>   *	This program is free software; you can redistribute it and/or modify
>>   *	it under the terms of the GNU General Public License as published by
>> @@ -1350,6 +1351,42 @@ static inline int security_tun_dev_open(void *security)
>>  }
>>  #endif	/* CONFIG_SECURITY_NETWORK */
>>  
>> +#ifdef CONFIG_SECURITY_INFINIBAND
>> +int security_pkey_access(u64 subnet_prefix, u16 pkey, void *security);
>> +int security_ibdev_smi(const char *dev_name, u8 port, void *security);
>> +int security_infiniband_alloc_security(void **security);
>> +void security_infiniband_free_security(void *security);
>> +void security_infiniband_flush(void);
>> +#else	/* CONFIG_SECURITY_INFINIBAND */
>> +static inline int security_pkey_access(u64 subnet_prefix,
>> +				       u16 pkey,
>> +				       void *security)
>> +{
>> +	return 0;
>> +}
>> +
>> +static inline int security_ibdev_smi(const char *dev_name,
>> +				     u8 port,
>> +				     void *security)
>> +{
>> +	return 0;
>> +}
>> +
>> +static inline int security_infiniband_alloc_security(void **security)
>> +{
>> +	*security = NULL;
>> +	return 0;
>> +}
>> +
>> +static inline void security_infiniband_free_security(void *security)
>> +{
>> +}
>> +
>> +static inline void security_infiniband_flush(void)
>> +{
>> +}
>> +#endif	/* CONFIG_SECURITY_INFINIBAND */
>> +
>>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>>  
>>  int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
>> diff --git a/security/Kconfig b/security/Kconfig
>> index e452378..bac790a 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -49,6 +49,15 @@ config SECURITY_NETWORK
>>  	  implement socket and networking access controls.
>>  	  If you are unsure how to answer this question, answer N.
>>  
>> +config SECURITY_INFINIBAND
>> +	bool "Infiniband Security Hooks"
>> +	depends on SECURITY && INFINIBAND
>> +	help
>> +	  This enables the Infiniband security hooks.
>> +	  If enabled, a security module can use these hooks to
>> +	  implement Infiniband access controls.
>> +	  If you are unsure how to answer this question, answer N.
>> +
>>  config SECURITY_NETWORK_XFRM
>>  	bool "XFRM (IPSec) Networking Security Hooks"
>>  	depends on XFRM && SECURITY_NETWORK
>> diff --git a/security/security.c b/security/security.c
>> index e8ffd92..a3e3e35 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -4,6 +4,7 @@
>>   * Copyright (C) 2001 WireX Communications, Inc <chris-ZMHXrckZAt0AvxtiuMwx3w@public.gmane.org>
>>   * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
>>   * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley-M06CiZnz2FM@public.gmane.org>
>> + * Copyright (C) 2016 Mellanox Technologies.  <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>>   *
>>   *	This program is free software; you can redistribute it and/or modify
>>   *	it under the terms of the GNU General Public License as published by
>> @@ -1396,6 +1397,44 @@ EXPORT_SYMBOL(security_tun_dev_open);
>>  
>>  #endif	/* CONFIG_SECURITY_NETWORK */
>>  
>> +#ifdef CONFIG_SECURITY_INFINIBAND
>> +
>> +int security_pkey_access(u64 subnet_prefix, u16 pkey, void *security)
>> +{
>> +	return call_int_hook(pkey_access,
>> +			0,
>> +			subnet_prefix,
>> +			pkey,
>> +			security);
> 
> Please stick with the local convention for parameters.
> 
> 	return call_int_hook(pkey_access, 0, subnet_prefix, pkey, security);
> 
> all on one line.
>  
>

Sure, I just broke it up to keep the lines less than 80 characters.

>> +}
>> +EXPORT_SYMBOL(security_pkey_access);
>> +
>> +int security_ibdev_smi(const char *dev_name, u8 port, void *security)
>> +{
>> +	return call_int_hook(ibdev_smi, 0, dev_name, port, security);
>> +}
>> +EXPORT_SYMBOL(security_ibdev_smi);
>> +
>> +int security_infiniband_alloc_security(void **security)
>> +{
>> +	return call_int_hook(infiniband_alloc_security, 0, security);
>> +}
>> +EXPORT_SYMBOL(security_infiniband_alloc_security);
>> +
>> +void security_infiniband_free_security(void *security)
>> +{
>> +	call_void_hook(infiniband_free_security, security);
>> +}
>> +EXPORT_SYMBOL(security_infiniband_free_security);
>> +
>> +void security_infiniband_flush(void)
>> +{
>> +	call_void_hook(infiniband_flush);
>> +}
>> +EXPORT_SYMBOL(security_infiniband_flush);
>> +
>> +#endif	/* CONFIG_SECURITY_INFINIBAND */
>> +
>>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>>  
>>  int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
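
Review bot: security_infiniband_flush() reverses the call direction of every other wrapper in this file: the security module is the caller and ib_core is the callee, so infiniband_flush is a notification, not an access-control hook. Carrying it on the LSM hook list is what forces ib_core to add and delete entries in security_hook_heads from a loadable module (see Casey's note about dynamic unloading not being supported). A notifier chain, or a dedicated register/unregister pair kept inside security.c, would express the same "policy or enforcement changed" signal without exposing the hook lists to ib_core. The other four wrappers are fine: the 0 default for pkey_access and ibdev_smi means "allow when no module is loaded", consistent with the tun_dev wrappers above.
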
>> @@ -1848,6 +1887,18 @@ struct security_hook_heads security_hook_heads = {
>>  	.tun_dev_open =	LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
>>  	.skb_owned_by =	LIST_HEAD_INIT(security_hook_heads.skb_owned_by),
>>  #endif	/* CONFIG_SECURITY_NETWORK */
>> +
>> +#ifdef CONFIG_SECURITY_INFINIBAND
>> +	.pkey_access = LIST_HEAD_INIT(security_hook_heads.pkey_access),
>> +	.ibdev_smi = LIST_HEAD_INIT(security_hook_heads.ibdev_smi),
>> +	.infiniband_alloc_security =
>> +		LIST_HEAD_INIT(security_hook_heads.infiniband_alloc_security),
>> +	.infiniband_free_security =
>> +		LIST_HEAD_INIT(security_hook_heads.infiniband_free_security),
>> +	.infiniband_flush =
>> +		LIST_HEAD_INIT(security_hook_heads.infiniband_flush),
>> +#endif	/* CONFIG_SECURITY_INFINIBAND */
>> +
>>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>>  	.xfrm_policy_alloc_security =
>>  		LIST_HEAD_INIT(security_hook_heads.xfrm_policy_alloc_security),
>> @@ -1891,3 +1942,4 @@ struct security_hook_heads security_hook_heads = {
>>  		LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
>>  #endif /* CONFIG_AUDIT */
>>  };
>> +EXPORT_SYMBOL(security_hook_heads);
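
Review bot: EXPORT_SYMBOL(security_hook_heads) exposes the entire LSM hook table, every hook head rather than just infiniband_flush, to any loadable module, including non-GPL ones, and any such module can then add or delete entries on any list. If the only consumer is ib_core's single infiniband_flush hook, a narrower interface is safer: export a GPL-only registration/unregistration function for that one hook, or at minimum change this to EXPORT_SYMBOL_GPL. This is also where Casey's point about the infrastructure not supporting dynamic hook unloading bites hardest: exporting the heads makes that unsupported use available to every module on the system.
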
> 
> 


_______________________________________________
Selinux mailing list
Selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org
To unsubscribe, send email to Selinux-leave-+05T5uksL2pAGbPMOrvdOA@public.gmane.org
To get help, send an email containing "help" to Selinux-request-+05T5uksL2pAGbPMOrvdOA@public.gmane.org


* Re: [RFC PATCH 1/7] security: Add LSM hooks for Infiniband security
@ 2016-04-05  1:38         ` Daniel Jurgens
  0 siblings, 0 replies; 22+ messages in thread
From: Daniel Jurgens @ 2016-04-05  1:38 UTC (permalink / raw)
  To: Casey Schaufler, selinux, linux-security-module
  Cc: linux-rdma, Yevgeny Petrilin

On 4/4/2016 6:48 PM, Casey Schaufler wrote:
> On 4/4/2016 2:48 PM, Dan Jurgens wrote:
>> From: Daniel Jurgens <danielj@mellanox.com>
>>
>> Add five new hooks
>>  1. Allocate security contexts for Infiniband objects
>>  2. Free security contexts for Infiniband objects
>>  3. Enforce access to Pkeys
>>  4. Enforce access to Infiniband devices' subnet management interfaces.
>>  5. A hook to be implemented by IB core to receive notifications of
>>     security policy or enforcement changes.  Restricting a QP's access to
>>     a pkey will be done during setup and not on a per-packet basis;
>>     access must be enforced again.
>>
>> Because IB core is usually compiled as a module it must be able to
>> delete its hooks.  Remove the SELinux-specific ifdef around
>> security_delete_hooks and update the comment.  Also EXPORT_SYMBOL for
>> security_hook_heads so IB core can access it to add and delete the hook.
> 
> The LSM infrastructure does not actually support dynamic
> loading and unloading of modules. It happens that the SELinux
> code is structured so that it can be safely unloaded if
> the policy has not been loaded.
> 
If a module calls synchronize_rcu after deleting its hooks but before
unloading, isn't safety assured?  I can send an out-of-context patch in a
reply showing how ib_core manages that hook if that would be helpful for
context.

>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>> Reviewed-by: Eli Cohen <eli@mellanox.com>
>> ---
>>  include/linux/lsm_hooks.h |   43 ++++++++++++++++++++++++++++++++-----
>>  include/linux/security.h  |   37 ++++++++++++++++++++++++++++++++
>>  security/Kconfig          |    9 +++++++
>>  security/security.c       |   52 +++++++++++++++++++++++++++++++++++++++++++++
>>  4 files changed, 135 insertions(+), 6 deletions(-)
>>
>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>> index 71969de..c0c7a40 100644
>> --- a/include/linux/lsm_hooks.h
>> +++ b/include/linux/lsm_hooks.h
>> @@ -8,6 +8,7 @@
>>   * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
>>   * Copyright (C) 2015 Intel Corporation.
>>   * Copyright (C) 2015 Casey Schaufler <casey@schaufler-ca.com>
>> + * Copyright (C) 2016 Mellanox Techonologies. <danielj@mellanox.com>
>>   *
>>   *	This program is free software; you can redistribute it and/or modify
>>   *	it under the terms of the GNU General Public License as published by
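
Review bot: "Techonologies" in the new copyright line is misspelled (should be "Technologies"); the same typo appears in the security.h copyright hunk below, while the security.c one is spelled correctly.
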
>> @@ -877,6 +878,21 @@
>>   *	associated with the TUN device's security structure.
>>   *	@security pointer to the TUN devices's security structure.
>>   *
>> + * Security hooks for Infiniband
>> + *
>> + * @pkey_access:
>> + *	Check permission when modifing a QP or transmitting and receiving MADs.
>> + * @ibdev_smi:
>> + *	Check permissions to access the devices subnet management interface (SMI).
>> + * @infiniband_alloc_security:
>> + *	Allocate a security structure to be used by Infiniband QPs and MAD
>> + *	agents.
>> + * @infiniband_free_security:
>> + *	Free an Infiniband security structure.
>> + * @infiniband_flush:
>> + *	Security modules can use this hook to notify IB core of policy changes
>> + *	or when enforcement changes.
>> + *
>>   * Security hooks for XFRM operations.
>>   *
>>   * @xfrm_policy_alloc_security:
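
Review bot: the new documentation entries omit the per-parameter lines that the neighbouring entries carry (the TUN entry just above documents @security, for example). Please add @subnet_prefix, @pkey and @security under @pkey_access, @dev_name, @port and @security under @ibdev_smi, and state what a non-zero return means for the two permission hooks. Two typos in the same block: "modifing" should be "modifying", and "devices subnet management interface" should be "device's subnet management interface".
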
>> @@ -1577,6 +1593,14 @@ union security_list_options {
>>  	int (*tun_dev_open)(void *security);
>>  #endif	/* CONFIG_SECURITY_NETWORK */
>>  
>> +#ifdef CONFIG_SECURITY_INFINIBAND
>> +	int (*pkey_access)(u64 subnet_prefix, u16 pkey, void *security);
>> +	int (*ibdev_smi)(const char *dev_name, u8 port, void *security);
>> +	int (*infiniband_alloc_security)(void **security);
>> +	void (*infiniband_free_security)(void *security);
> 
> Please attach the security blobs to objects (like an inode) rather
> than just passing a blob pointer. It's going to make module stacking
> lots easier. 
>

That makes sense.  I wondered how module stacking would work with the
opaque security field; most alloc/free pairs have the lone blob so I
followed that convention.

>> +	void (*infiniband_flush)(void);
>> +#endif	/* CONFIG_SECURITY_INFINIBAND */
>> +
>>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>>  	int (*xfrm_policy_alloc_security)(struct xfrm_sec_ctx **ctxp,
>>  					  struct xfrm_user_sec_ctx *sec_ctx,
>> @@ -1805,6 +1829,13 @@ struct security_hook_heads {
>>  	struct list_head tun_dev_open;
>>  	struct list_head skb_owned_by;
>>  #endif	/* CONFIG_SECURITY_NETWORK */
>> +#ifdef CONFIG_SECURITY_INFINIBAND
>> +	struct list_head pkey_access;
>> +	struct list_head ibdev_smi;
>> +	struct list_head infiniband_alloc_security;
>> +	struct list_head infiniband_free_security;
>> +	struct list_head infiniband_flush;
>> +#endif	/* CONFIG_SECURITY_INFINIBAND */
>>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>>  	struct list_head xfrm_policy_alloc_security;
>>  	struct list_head xfrm_policy_clone_security;
>> @@ -1862,7 +1893,6 @@ static inline void security_add_hooks(struct security_hook_list *hooks,
>>  		list_add_tail_rcu(&hooks[i].list, hooks[i].head);
>>  }
>>  
>> -#ifdef CONFIG_SECURITY_SELINUX_DISABLE
>>  /*
>>   * Assuring the safety of deleting a security module is up to
>>   * the security module involved. This may entail ordering the
>> @@ -1870,10 +1900,12 @@ static inline void security_add_hooks(struct security_hook_list *hooks,
>>   * the module once a policy is loaded or any number of other
>>   * actions better imagined than described.
>>   *
>> - * The name of the configuration option reflects the only module
>> - * that currently uses the mechanism. Any developer who thinks
>> - * disabling their module is a good idea needs to be at least as
>> - * careful as the SELinux team.
>> + * Any developer who thinks disabling their module is a good
>> + * idea needs to be at least as careful as the SELinux team.
>> + *
>> + * ib_core is usually built as a module.  It may register a
>> + * single instance to a single hook (infiniband_flush), and
>> + * must be able to delete it when the module is unloaded.
>>   */
>>  static inline void security_delete_hooks(struct security_hook_list *hooks,
>>  						int count)
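
Review bot: the new paragraph says ib_core "may register a single instance to a single hook", but nothing in the code limits it to that: with the CONFIG_SECURITY_SELINUX_DISABLE guard gone and security_hook_heads exported, any module can add or delete entries on any hook list. Either enforce the limit (a dedicated registration function for infiniband_flush that accepts nothing else) or reword the comment so it does not read as a guarantee the infrastructure provides.
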
>> @@ -1883,7 +1915,6 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
>>  	for (i = 0; i < count; i++)
>>  		list_del_rcu(&hooks[i].list);
>>  }
>> -#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
>>  
>>  extern int __init security_module_enable(const char *module);
>>  extern void __init capability_add_hooks(void);
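
Review bot: dropping the CONFIG_SECURITY_SELINUX_DISABLE guard makes security_delete_hooks() available in every configuration, and the unload story for ib_core then rests on list_del_rcu() here plus, per the reply above, a synchronize_rcu() in the module's exit path. That combination is only sufficient if every caller that walks a hook list does so inside an RCU read-side critical section; the call_int_hook/call_void_hook traversal in security.c is not shown in this series, so please confirm that the list walk is RCU-protected (or make it so) before treating synchronize_rcu() as enough, and record that requirement in this comment so the next user of security_delete_hooks() sees it.
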
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index 4824a4c..fde0a92 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -6,6 +6,7 @@
>>   * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
>>   * Copyright (C) 2001 James Morris <jmorris@intercode.com.au>
>>   * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
>> + * Copyright (C) 2016 Mellanox Techonologies. <danielj@mellanox.com>
>>   *
>>   *	This program is free software; you can redistribute it and/or modify
>>   *	it under the terms of the GNU General Public License as published by
>> @@ -1350,6 +1351,42 @@ static inline int security_tun_dev_open(void *security)
>>  }
>>  #endif	/* CONFIG_SECURITY_NETWORK */
>>  
>> +#ifdef CONFIG_SECURITY_INFINIBAND
>> +int security_pkey_access(u64 subnet_prefix, u16 pkey, void *security);
>> +int security_ibdev_smi(const char *dev_name, u8 port, void *security);
>> +int security_infiniband_alloc_security(void **security);
>> +void security_infiniband_free_security(void *security);
>> +void security_infiniband_flush(void);
>> +#else	/* CONFIG_SECURITY_INFINIBAND */
>> +static inline int security_pkey_access(u64 subnet_prefix,
>> +				       u16 pkey,
>> +				       void *security)
>> +{
>> +	return 0;
>> +}
>> +
>> +static inline int security_ibdev_smi(const char *dev_name,
>> +				     u8 port,
>> +				     void *security)
>> +{
>> +	return 0;
>> +}
>> +
>> +static inline int security_infiniband_alloc_security(void **security)
>> +{
>> +	*security = NULL;
>> +	return 0;
>> +}
>> +
>> +static inline void security_infiniband_free_security(void *security)
>> +{
>> +}
>> +
>> +static inline void security_infiniband_flush(void)
>> +{
>> +}
>> +#endif	/* CONFIG_SECURITY_INFINIBAND */
>> +
>>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>>  
>>  int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
>> diff --git a/security/Kconfig b/security/Kconfig
>> index e452378..bac790a 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -49,6 +49,15 @@ config SECURITY_NETWORK
>>  	  implement socket and networking access controls.
>>  	  If you are unsure how to answer this question, answer N.
>>  
>> +config SECURITY_INFINIBAND
>> +	bool "Infiniband Security Hooks"
>> +	depends on SECURITY && INFINIBAND
>> +	help
>> +	  This enables the Infiniband security hooks.
>> +	  If enabled, a security module can use these hooks to
>> +	  implement Infiniband access controls.
>> +	  If you are unsure how to answer this question, answer N.
>> +
>>  config SECURITY_NETWORK_XFRM
>>  	bool "XFRM (IPSec) Networking Security Hooks"
>>  	depends on XFRM && SECURITY_NETWORK
>> diff --git a/security/security.c b/security/security.c
>> index e8ffd92..a3e3e35 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -4,6 +4,7 @@
>>   * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
>>   * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
>>   * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
>> + * Copyright (C) 2016 Mellanox Technologies.  <danielj@mellanox.com>
>>   *
>>   *	This program is free software; you can redistribute it and/or modify
>>   *	it under the terms of the GNU General Public License as published by
>> @@ -1396,6 +1397,44 @@ EXPORT_SYMBOL(security_tun_dev_open);
>>  
>>  #endif	/* CONFIG_SECURITY_NETWORK */
>>  
>> +#ifdef CONFIG_SECURITY_INFINIBAND
>> +
>> +int security_pkey_access(u64 subnet_prefix, u16 pkey, void *security)
>> +{
>> +	return call_int_hook(pkey_access,
>> +			0,
>> +			subnet_prefix,
>> +			pkey,
>> +			security);
> 
> Please stick with the local convention for parameters.
> 
> 	return call_int_hook(pkey_access, 0, subnet_prefix, pkey, security);
> 
> all on one line.
>  
>

Sure, I just broke it up to keep the lines less than 80 characters.

>> +}
>> +EXPORT_SYMBOL(security_pkey_access);
>> +
>> +int security_ibdev_smi(const char *dev_name, u8 port, void *security)
>> +{
>> +	return call_int_hook(ibdev_smi, 0, dev_name, port, security);
>> +}
>> +EXPORT_SYMBOL(security_ibdev_smi);
>> +
>> +int security_infiniband_alloc_security(void **security)
>> +{
>> +	return call_int_hook(infiniband_alloc_security, 0, security);
>> +}
>> +EXPORT_SYMBOL(security_infiniband_alloc_security);
>> +
>> +void security_infiniband_free_security(void *security)
>> +{
>> +	call_void_hook(infiniband_free_security, security);
>> +}
>> +EXPORT_SYMBOL(security_infiniband_free_security);
>> +
>> +void security_infiniband_flush(void)
>> +{
>> +	call_void_hook(infiniband_flush);
>> +}
>> +EXPORT_SYMBOL(security_infiniband_flush);
>> +
>> +#endif	/* CONFIG_SECURITY_INFINIBAND */
>> +
>>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>>  
>>  int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
>> @@ -1848,6 +1887,18 @@ struct security_hook_heads security_hook_heads = {
>>  	.tun_dev_open =	LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
>>  	.skb_owned_by =	LIST_HEAD_INIT(security_hook_heads.skb_owned_by),
>>  #endif	/* CONFIG_SECURITY_NETWORK */
>> +
>> +#ifdef CONFIG_SECURITY_INFINIBAND
>> +	.pkey_access = LIST_HEAD_INIT(security_hook_heads.pkey_access),
>> +	.ibdev_smi = LIST_HEAD_INIT(security_hook_heads.ibdev_smi),
>> +	.infiniband_alloc_security =
>> +		LIST_HEAD_INIT(security_hook_heads.infiniband_alloc_security),
>> +	.infiniband_free_security =
>> +		LIST_HEAD_INIT(security_hook_heads.infiniband_free_security),
>> +	.infiniband_flush =
>> +		LIST_HEAD_INIT(security_hook_heads.infiniband_flush),
>> +#endif	/* CONFIG_SECURITY_INFINIBAND */
>> +
>>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>>  	.xfrm_policy_alloc_security =
>>  		LIST_HEAD_INIT(security_hook_heads.xfrm_policy_alloc_security),
>> @@ -1891,3 +1942,4 @@ struct security_hook_heads security_hook_heads = {
>>  		LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
>>  #endif /* CONFIG_AUDIT */
>>  };
>> +EXPORT_SYMBOL(security_hook_heads);
> 
> 


* Re: [RFC PATCH 0/7] SELinux support for Infiniband RDMA
  2016-04-05  1:31       ` Daniel Jurgens
@ 2016-04-05  1:55           ` James Morris
  -1 siblings, 0 replies; 22+ messages in thread
From: James Morris @ 2016-04-05  1:55 UTC (permalink / raw)
  To: Daniel Jurgens
  Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA,
	selinux-+05T5uksL2qpZYMLLGbcSA

On Tue, 5 Apr 2016, Daniel Jurgens wrote:

> On 4/4/2016 8:13 PM, James Morris wrote:
> > On Tue, 5 Apr 2016, Dan Jurgens wrote:
> > 
> >> From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
> >>
> >> Currently there is no way to provide granular access control to an Infiniband
> >> fabric.  By providing an ability to restrict user access to specific virtual
> >> subfabrics administrators can limit access to bandwidth and isolate users on
> >> the fabric.
> > 
> > Where are the LSM hooks placed?
> > 
> > 
> > 
> The LSM hooks are defined in patch 1/7 of this series.  There are 4 that
> will be called from ib_core, and one that's implemented by ib_core to be
> called by a security module if the policy or enforcement setting changes
> (infiniband_flush).  That call from SELinux is added in patch 3/7 of
> this series.

Can you post the ib_core patches, too?


-- 
James Morris
<jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org>



* Re: [RFC PATCH 0/7] SELinux support for Infiniband RDMA
  2016-04-05  1:55           ` James Morris
@ 2016-04-05 14:04             ` Daniel Jurgens
  -1 siblings, 0 replies; 22+ messages in thread
From: Daniel Jurgens @ 2016-04-05 14:04 UTC (permalink / raw)
  To: James Morris
  Cc: selinux-+05T5uksL2qpZYMLLGbcSA,
	linux-security-module-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, Yevgeny Petrilin

On 4/4/2016 8:55 PM, James Morris wrote:
> On Tue, 5 Apr 2016, Daniel Jurgens wrote:
> 
>> On 4/4/2016 8:13 PM, James Morris wrote:
>>> On Tue, 5 Apr 2016, Dan Jurgens wrote:
>>>
>>>> From: Daniel Jurgens <danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
>>>>
>>>> Currently there is no way to provide granular access control to an Infiniband
>>>> fabric.  By providing an ability to restrict user access to specific virtual
>>>> subfabrics administrators can limit access to bandwidth and isolate users on
>>>> the fabric.
>>>
>>> Where are the LSM hooks placed?
>>>
>>>
>>>
>> The LSM hooks are defined in patch 1/7 of this series.  There are 4 that
>> will be called from ib_core, and one that's implemented by ib_core to be
>> called by a security module if the policy or enforcement setting changes
>> (infiniband_flush).  That call from SELinux is added in patch 3/7 of
>> this series.
> 
> Can you post the ib_core patches, too?
> 
> 
Yes, I'll post them soon.
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



end of thread, other threads:[~2016-04-05 14:04 UTC | newest]

Thread overview: 22+ messages
2016-04-04 21:48 [RFC PATCH 0/7] SELinux support for Infiniband RDMA Dan Jurgens
2016-04-04 21:48 ` [RFC PATCH 1/7] security: Add LSM hooks for Infiniband security Dan Jurgens
     [not found]   ` <1459806504-16135-2-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-04-04 22:52     ` Or Gerlitz
2016-04-04 22:52       ` Or Gerlitz
2016-04-04 23:48     ` Casey Schaufler
2016-04-04 23:48       ` Casey Schaufler
2016-04-05  1:38       ` Daniel Jurgens
2016-04-05  1:38         ` Daniel Jurgens
     [not found] ` <1459806504-16135-1-git-send-email-danielj-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org>
2016-04-04 21:48   ` [RFC PATCH 2/7] selinux: Create policydb version for Infiniband support Dan Jurgens
2016-04-04 21:48   ` [RFC PATCH 3/7] selinux: Call infiniband_flush LSM hook on AVC reset Dan Jurgens
2016-04-04 21:48   ` [RFC PATCH 4/7] selinux: Allocate and free infiniband security hooks Dan Jurgens
2016-04-05  1:12   ` [RFC PATCH 0/7] SELinux support for Infiniband RDMA James Morris
2016-04-05  1:12     ` James Morris
2016-04-05  1:31     ` Daniel Jurgens
2016-04-05  1:31       ` Daniel Jurgens
     [not found]       ` <DB5PR05MB111126C8AB59CDA4674A068BC49E0-8IvNv+8VlcBJTpKhoUy7I9qRiQSDpxhJvxpqHgZTriW3zl9H0oFU5g@public.gmane.org>
2016-04-05  1:55         ` James Morris
2016-04-05  1:55           ` James Morris
2016-04-05 14:04           ` Daniel Jurgens
2016-04-05 14:04             ` Daniel Jurgens
2016-04-04 21:48 ` [RFC PATCH 5/7] selinux: Implement Infiniband PKey "Access" access vector Dan Jurgens
2016-04-04 21:48 ` [RFC PATCH 6/7] selinux: Implement IB Device SMI " Dan Jurgens
2016-04-04 21:48 ` [RFC PATCH 7/7] selinux: Add a cache for quicker retreival of PKey SIDs Dan Jurgens
