diff options
| author | Daniel Jurgens <danielj@mellanox.com> | 2017-05-19 08:48:58 -0400 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2017-05-23 12:28:02 -0400 |
| commit | ab861dfca1652aa09b26b7aa2899feb29b33dfd9 (patch) | |
| tree | f67494faf93d675ed39ffd4e19c755c4f50d0251 /security/selinux/hooks.c | |
| parent | cfc4d882d41780d93471066d57d4630995427b29 (diff) | |
selinux: Add IB Port SMP access vector
Add a type for Infiniband ports and an access vector for subnet
management packets. Implement the ib_port_smp hook to check that the
caller has permission to send and receive SMPs on the end port specified
by the device name and port. Add interface to query the SID for a IB
port, which walks the IB_PORT ocontexts to find an entry for the
given name and port.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Acked-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b59255f86274..91ec46dd34d9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -6169,6 +6169,29 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) | |||
| 6169 | INFINIBAND_PKEY__ACCESS, &ad); | 6169 | INFINIBAND_PKEY__ACCESS, &ad); |
| 6170 | } | 6170 | } |
| 6171 | 6171 | ||
| 6172 | static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, | ||
| 6173 | u8 port_num) | ||
| 6174 | { | ||
| 6175 | struct common_audit_data ad; | ||
| 6176 | int err; | ||
| 6177 | u32 sid = 0; | ||
| 6178 | struct ib_security_struct *sec = ib_sec; | ||
| 6179 | struct lsm_ibendport_audit ibendport; | ||
| 6180 | |||
| 6181 | err = security_ib_endport_sid(dev_name, port_num, &sid); | ||
| 6182 | |||
| 6183 | if (err) | ||
| 6184 | return err; | ||
| 6185 | |||
| 6186 | ad.type = LSM_AUDIT_DATA_IBENDPORT; | ||
| 6187 | strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name)); | ||
| 6188 | ibendport.port = port_num; | ||
| 6189 | ad.u.ibendport = &ibendport; | ||
| 6190 | return avc_has_perm(sec->sid, sid, | ||
| 6191 | SECCLASS_INFINIBAND_ENDPORT, | ||
| 6192 | INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); | ||
| 6193 | } | ||
| 6194 | |||
| 6172 | static int selinux_ib_alloc_security(void **ib_sec) | 6195 | static int selinux_ib_alloc_security(void **ib_sec) |
| 6173 | { | 6196 | { |
| 6174 | struct ib_security_struct *sec; | 6197 | struct ib_security_struct *sec; |
| @@ -6374,6 +6397,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { | |||
| 6374 | LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), | 6397 | LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), |
| 6375 | #ifdef CONFIG_SECURITY_INFINIBAND | 6398 | #ifdef CONFIG_SECURITY_INFINIBAND |
| 6376 | LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), | 6399 | LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), |
| 6400 | LSM_HOOK_INIT(ib_endport_manage_subnet, | ||
| 6401 | selinux_ib_endport_manage_subnet), | ||
| 6377 | LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), | 6402 | LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), |
| 6378 | LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), | 6403 | LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), |
| 6379 | #endif | 6404 | #endif |