6 files changed, 84 insertions, 0 deletions
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index e58e577117b6..0df5639a4ff4 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -45,6 +45,11 @@ struct lsm_ioctlop_audit {
        u16 cmd;
 };
+struct lsm_ibpkey_audit {
+        u64     subnet_prefix;
+        u16     pkey;
+};
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
        char type;
@@ -60,6 +65,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_DENTRY   10
 #define LSM_AUDIT_DATA_IOCTL_OP 11
 #define LSM_AUDIT_DATA_FILE     12
+#define LSM_AUDIT_DATA_IBPKEY   13
        union   {
                struct path path;
                struct dentry *dentry;
@@ -77,6 +83,7 @@ struct common_audit_data {
                char *kmod_name;
                struct lsm_ioctlop_audit *op;
                struct file *file;
+                struct lsm_ibpkey_audit *ibpkey;
        } u;
        /* this union contains LSM specific data */
        union {
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 37f04dadc8d6..c22c99fae06a 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -410,6 +410,17 @@ static void dump_common_audit_data(struct audit_buffer *ab,
                audit_log_format(ab, " kmod=");
                audit_log_untrustedstring(ab, a->u.kmod_name);
                break;
+        case LSM_AUDIT_DATA_IBPKEY: {
+                struct in6_addr sbn_pfx;
+                memset(&sbn_pfx.s6_addr, 0,
+                       sizeof(sbn_pfx.s6_addr));
+                memcpy(&sbn_pfx.s6_addr, &a->u.ibpkey->subnet_prefix,
+                       sizeof(a->u.ibpkey->subnet_prefix));
+                audit_log_format(ab, " pkey=0x%x subnet_prefix=%pI6c",
+                                 a->u.ibpkey->pkey, &sbn_pfx);
+                break;
+        }
        } /* switch (a->type) */
 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 062b459b62bf..b59255f86274 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6148,6 +6148,27 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
 #endif
 #ifdef CONFIG_SECURITY_INFINIBAND
+static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
+{
+        struct common_audit_data ad;
+        int err;
+        u32 sid = 0;
+        struct ib_security_struct *sec = ib_sec;
+        struct lsm_ibpkey_audit ibpkey;
+        err = security_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
+        if (err)
+                return err;
+        ad.type = LSM_AUDIT_DATA_IBPKEY;
+        ibpkey.subnet_prefix = subnet_prefix;
+        ibpkey.pkey = pkey_val;
+        ad.u.ibpkey = &ibpkey;
+        return avc_has_perm(sec->sid, sid,
+                            SECCLASS_INFINIBAND_PKEY,
+                            INFINIBAND_PKEY__ACCESS, &ad);
+}
 static int selinux_ib_alloc_security(void **ib_sec)
 {
        struct ib_security_struct *sec;
@@ -6352,6 +6373,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
        LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
 #ifdef CONFIG_SECURITY_INFINIBAND
+        LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
        LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
        LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
 #endif
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 3e49a78f1f46..0fec1c505f84 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -231,6 +231,8 @@ struct security_class_mapping secclass_map[] = {
          { COMMON_SOCK_PERMS, NULL } },
        { "smc_socket",
          { COMMON_SOCK_PERMS, NULL } },
+        { "infiniband_pkey",
+          { "access", NULL } },
        { NULL }
  };
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index b48a462cf446..592c014e369c 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -181,6 +181,8 @@ int security_get_user_sids(u32 callsid, char *username,
 int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
+int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
 int security_netif_sid(char *name, u32 *if_sid);
 int security_node_sid(u16 domain, void *addr, u32 addrlen,
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 2dccba4851f8..02257d90adc9 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2233,6 +2233,46 @@ out:
 }
 /**
+ * security_pkey_sid - Obtain the SID for a pkey.
+ * @subnet_prefix: Subnet Prefix
+ * @pkey_num: pkey number
+ * @out_sid: security identifier
+ */
+int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
+{
+        struct ocontext *c;
+        int rc = 0;
+        read_lock(&policy_rwlock);
+        c = policydb.ocontexts[OCON_IBPKEY];
+        while (c) {
+                if (c->u.ibpkey.low_pkey <= pkey_num &&
+                    c->u.ibpkey.high_pkey >= pkey_num &&
+                    c->u.ibpkey.subnet_prefix == subnet_prefix)
+                        break;
+                c = c->next;
+        }
+        if (c) {
+                if (!c->sid[0]) {
+                        rc = sidtab_context_to_sid(&sidtab,
+                                                   &c->context[0],
+                                                   &c->sid[0]);
+                        if (rc)
+                                goto out;
+                }
+                *out_sid = c->sid[0];
+        } else
+                *out_sid = SECINITSID_UNLABELED;
+out:
+        read_unlock(&policy_rwlock);
+        return rc;
+}
+/**
 * security_netif_sid - Obtain the SID for a network interface.
 * @name: interface name
 * @if_sid: interface SID

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index e58e577117b6..0df5639a4ff4 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h
@@ -45,6 +45,11 @@ struct lsm_ioctlop_audit {
45	u16 cmd;	45	u16 cmd;
46	};	46	};
47		47
		48	struct lsm_ibpkey_audit {
		49	u64 subnet_prefix;
		50	u16 pkey;
		51	};
		52
48	/* Auxiliary data to use in generating the audit record. */	53	/* Auxiliary data to use in generating the audit record. */
49	struct common_audit_data {	54	struct common_audit_data {
50	char type;	55	char type;
@@ -60,6 +65,7 @@ struct common_audit_data {
60	#define LSM_AUDIT_DATA_DENTRY 10	65	#define LSM_AUDIT_DATA_DENTRY 10
61	#define LSM_AUDIT_DATA_IOCTL_OP 11	66	#define LSM_AUDIT_DATA_IOCTL_OP 11
62	#define LSM_AUDIT_DATA_FILE 12	67	#define LSM_AUDIT_DATA_FILE 12
		68	#define LSM_AUDIT_DATA_IBPKEY 13
63	union {	69	union {
64	struct path path;	70	struct path path;
65	struct dentry *dentry;	71	struct dentry *dentry;
@@ -77,6 +83,7 @@ struct common_audit_data {
77	char *kmod_name;	83	char *kmod_name;
78	struct lsm_ioctlop_audit *op;	84	struct lsm_ioctlop_audit *op;
79	struct file *file;	85	struct file *file;
		86	struct lsm_ibpkey_audit *ibpkey;
80	} u;	87	} u;
81	/* this union contains LSM specific data */	88	/* this union contains LSM specific data */
82	union {	89	union {


diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 37f04dadc8d6..c22c99fae06a 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c
@@ -410,6 +410,17 @@ static void dump_common_audit_data(struct audit_buffer *ab,
410	audit_log_format(ab, " kmod=");	410	audit_log_format(ab, " kmod=");
411	audit_log_untrustedstring(ab, a->u.kmod_name);	411	audit_log_untrustedstring(ab, a->u.kmod_name);
412	break;	412	break;
		413	case LSM_AUDIT_DATA_IBPKEY: {
		414	struct in6_addr sbn_pfx;
		415
		416	memset(&sbn_pfx.s6_addr, 0,
		417	sizeof(sbn_pfx.s6_addr));
		418	memcpy(&sbn_pfx.s6_addr, &a->u.ibpkey->subnet_prefix,
		419	sizeof(a->u.ibpkey->subnet_prefix));
		420	audit_log_format(ab, " pkey=0x%x subnet_prefix=%pI6c",
		421	a->u.ibpkey->pkey, &sbn_pfx);
		422	break;
		423	}
413	} /* switch (a->type) */	424	} /* switch (a->type) */
414	}	425	}
415		426


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 062b459b62bf..b59255f86274 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -6148,6 +6148,27 @@ static int selinux_key_getsecurity(struct key key, char *_buffer)
6148	#endif	6148	#endif
6149		6149
6150	#ifdef CONFIG_SECURITY_INFINIBAND	6150	#ifdef CONFIG_SECURITY_INFINIBAND
		6151	static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
		6152	{
		6153	struct common_audit_data ad;
		6154	int err;
		6155	u32 sid = 0;
		6156	struct ib_security_struct *sec = ib_sec;
		6157	struct lsm_ibpkey_audit ibpkey;
		6158
		6159	err = security_ib_pkey_sid(subnet_prefix, pkey_val, &sid);
		6160	if (err)
		6161	return err;
		6162
		6163	ad.type = LSM_AUDIT_DATA_IBPKEY;
		6164	ibpkey.subnet_prefix = subnet_prefix;
		6165	ibpkey.pkey = pkey_val;
		6166	ad.u.ibpkey = &ibpkey;
		6167	return avc_has_perm(sec->sid, sid,
		6168	SECCLASS_INFINIBAND_PKEY,
		6169	INFINIBAND_PKEY__ACCESS, &ad);
		6170	}
		6171
6151	static int selinux_ib_alloc_security(void **ib_sec)	6172	static int selinux_ib_alloc_security(void **ib_sec)
6152	{	6173	{
6153	struct ib_security_struct *sec;	6174	struct ib_security_struct *sec;
@@ -6352,6 +6373,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6352	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),	6373	LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
6353	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),	6374	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6354	#ifdef CONFIG_SECURITY_INFINIBAND	6375	#ifdef CONFIG_SECURITY_INFINIBAND
		6376	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
6355	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),	6377	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6356	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),	6378	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6357	#endif	6379	#endif


diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 3e49a78f1f46..0fec1c505f84 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h
@@ -231,6 +231,8 @@ struct security_class_mapping secclass_map[] = {
231	{ COMMON_SOCK_PERMS, NULL } },	231	{ COMMON_SOCK_PERMS, NULL } },
232	{ "smc_socket",	232	{ "smc_socket",
233	{ COMMON_SOCK_PERMS, NULL } },	233	{ COMMON_SOCK_PERMS, NULL } },
		234	{ "infiniband_pkey",
		235	{ "access", NULL } },
234	{ NULL }	236	{ NULL }
235	};	237	};
236		238


diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index b48a462cf446..592c014e369c 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h
@@ -181,6 +181,8 @@ int security_get_user_sids(u32 callsid, char *username,
181		181
182	int security_port_sid(u8 protocol, u16 port, u32 *out_sid);	182	int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
183		183
		184	int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
		185
184	int security_netif_sid(char name, u32 if_sid);	186	int security_netif_sid(char name, u32 if_sid);
185		187
186	int security_node_sid(u16 domain, void *addr, u32 addrlen,	188	int security_node_sid(u16 domain, void *addr, u32 addrlen,


diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 2dccba4851f8..02257d90adc9 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -2233,6 +2233,46 @@ out:
2233	}	2233	}
2234		2234
2235	/**	2235	/**
		2236	* security_pkey_sid - Obtain the SID for a pkey.
		2237	* @subnet_prefix: Subnet Prefix
		2238	* @pkey_num: pkey number
		2239	* @out_sid: security identifier
		2240	*/
		2241	int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
		2242	{
		2243	struct ocontext *c;
		2244	int rc = 0;
		2245
		2246	read_lock(&policy_rwlock);
		2247
		2248	c = policydb.ocontexts[OCON_IBPKEY];
		2249	while (c) {
		2250	if (c->u.ibpkey.low_pkey <= pkey_num &&
		2251	c->u.ibpkey.high_pkey >= pkey_num &&
		2252	c->u.ibpkey.subnet_prefix == subnet_prefix)
		2253	break;
		2254
		2255	c = c->next;
		2256	}
		2257
		2258	if (c) {
		2259	if (!c->sid[0]) {
		2260	rc = sidtab_context_to_sid(&sidtab,
		2261	&c->context[0],
		2262	&c->sid[0]);
		2263	if (rc)
		2264	goto out;
		2265	}
		2266	*out_sid = c->sid[0];
		2267	} else
		2268	*out_sid = SECINITSID_UNLABELED;
		2269
		2270	out:
		2271	read_unlock(&policy_rwlock);
		2272	return rc;
		2273	}
		2274
		2275	/**
2236	* security_netif_sid - Obtain the SID for a network interface.	2276	* security_netif_sid - Obtain the SID for a network interface.
2237	* @name: interface name	2277	* @name: interface name
2238	* @if_sid: interface SID	2278	* @if_sid: interface SID