Commit cfc4d882 authored by Daniel Jurgens's avatar Daniel Jurgens Committed by Paul Moore

selinux: Implement Infiniband PKey "Access" access vector

Add a type and access vector for PKeys. Implement the ib_pkey_access
hook to check that the caller has permission to access the PKey on the
given subnet prefix. Add an interface to get the PKey SID. Walk the PKey
ocontexts to find an entry for the given subnet prefix and pkey.
Signed-off-by: default avatarDaniel Jurgens <danielj@mellanox.com>
Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
Acked-by: default avatarDoug Ledford <dledford@redhat.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 3a976fa6
......@@ -45,6 +45,11 @@ struct lsm_ioctlop_audit {
u16 cmd;
};
struct lsm_ibpkey_audit {
u64 subnet_prefix;
u16 pkey;
};
/* Auxiliary data to use in generating the audit record. */
struct common_audit_data {
char type;
......@@ -60,6 +65,7 @@ struct common_audit_data {
#define LSM_AUDIT_DATA_DENTRY 10
#define LSM_AUDIT_DATA_IOCTL_OP 11
#define LSM_AUDIT_DATA_FILE 12
#define LSM_AUDIT_DATA_IBPKEY 13
union {
struct path path;
struct dentry *dentry;
......@@ -77,6 +83,7 @@ struct common_audit_data {
char *kmod_name;
struct lsm_ioctlop_audit *op;
struct file *file;
struct lsm_ibpkey_audit *ibpkey;
} u;
/* this union contains LSM specific data */
union {
......
......@@ -410,6 +410,17 @@ static void dump_common_audit_data(struct audit_buffer *ab,
audit_log_format(ab, " kmod=");
audit_log_untrustedstring(ab, a->u.kmod_name);
break;
case LSM_AUDIT_DATA_IBPKEY: {
struct in6_addr sbn_pfx;
memset(&sbn_pfx.s6_addr, 0,
sizeof(sbn_pfx.s6_addr));
memcpy(&sbn_pfx.s6_addr, &a->u.ibpkey->subnet_prefix,
sizeof(a->u.ibpkey->subnet_prefix));
audit_log_format(ab, " pkey=0x%x subnet_prefix=%pI6c",
a->u.ibpkey->pkey, &sbn_pfx);
break;
}
} /* switch (a->type) */
}
......
......@@ -6148,6 +6148,27 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#endif
#ifdef CONFIG_SECURITY_INFINIBAND
static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
{
struct common_audit_data ad;
int err;
u32 sid = 0;
struct ib_security_struct *sec = ib_sec;
struct lsm_ibpkey_audit ibpkey;
err = security_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
if (err)
return err;
ad.type = LSM_AUDIT_DATA_IBPKEY;
ibpkey.subnet_prefix = subnet_prefix;
ibpkey.pkey = pkey_val;
ad.u.ibpkey = &ibpkey;
return avc_has_perm(sec->sid, sid,
SECCLASS_INFINIBAND_PKEY,
INFINIBAND_PKEY__ACCESS, &ad);
}
static int selinux_ib_alloc_security(void **ib_sec)
{
struct ib_security_struct *sec;
......@@ -6352,6 +6373,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
#ifdef CONFIG_SECURITY_INFINIBAND
LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
#endif
......
......@@ -231,6 +231,8 @@ struct security_class_mapping secclass_map[] = {
{ COMMON_SOCK_PERMS, NULL } },
{ "smc_socket",
{ COMMON_SOCK_PERMS, NULL } },
{ "infiniband_pkey",
{ "access", NULL } },
{ NULL }
};
......
......@@ -181,6 +181,8 @@ int security_get_user_sids(u32 callsid, char *username,
int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
int security_netif_sid(char *name, u32 *if_sid);
int security_node_sid(u16 domain, void *addr, u32 addrlen,
......
......@@ -2232,6 +2232,46 @@ int security_port_sid(u8 protocol, u16 port, u32 *out_sid)
return rc;
}
/**
* security_pkey_sid - Obtain the SID for a pkey.
* @subnet_prefix: Subnet Prefix
* @pkey_num: pkey number
* @out_sid: security identifier
*/
int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
{
struct ocontext *c;
int rc = 0;
read_lock(&policy_rwlock);
c = policydb.ocontexts[OCON_IBPKEY];
while (c) {
if (c->u.ibpkey.low_pkey <= pkey_num &&
c->u.ibpkey.high_pkey >= pkey_num &&
c->u.ibpkey.subnet_prefix == subnet_prefix)
break;
c = c->next;
}
if (c) {
if (!c->sid[0]) {
rc = sidtab_context_to_sid(&sidtab,
&c->context[0],
&c->sid[0]);
if (rc)
goto out;
}
*out_sid = c->sid[0];
} else
*out_sid = SECINITSID_UNLABELED;
out:
read_unlock(&policy_rwlock);
return rc;
}
/**
* security_netif_sid - Obtain the SID for a network interface.
* @name: interface name
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment