diff options
| author | Daniel Jurgens <danielj@mellanox.com> | 2017-05-19 08:48:54 -0400 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2017-05-23 12:27:21 -0400 |
| commit | 47a2b338fe63200d716d2e24131cdb49f17c77da (patch) | |
| tree | 2214ac893b108716acf44eb4098686fc34e48b03 | |
| parent | 8f408ab64be6319cb7736cbc6982838dcc362306 (diff) | |
IB/core: Enforce security on management datagrams
Allocate and free a security context when creating and destroying a MAD
agent. This context is used for controlling access to PKeys and sending
and receiving SMPs.
When sending or receiving a MAD check that the agent has permission to
access the PKey for the Subnet Prefix of the port.
During MAD and snoop agent registration for SMI QPs check that the
calling process has permission to access the manage the subnet and
register a callback with the LSM to be notified of policy changes. When
notificaiton of a policy change occurs recheck permission and set a flag
indicating sending and receiving SMPs is allowed.
When sending and receiving MADs check that the agent has access to the
SMI if it's on an SMI QP. Because security policy can change it's
possible permission was allowed when creating the agent, but no longer
is.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Acked-by: Doug Ledford <dledford@redhat.com>
[PM: remove the LSM hook init code]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | drivers/infiniband/core/core_priv.h | 35 | ||||
| -rw-r--r-- | drivers/infiniband/core/mad.c | 52 | ||||
| -rw-r--r-- | drivers/infiniband/core/security.c | 92 | ||||
| -rw-r--r-- | include/linux/lsm_hooks.h | 8 | ||||
| -rw-r--r-- | include/linux/security.h | 6 | ||||
| -rw-r--r-- | include/rdma/ib_mad.h | 4 | ||||
| -rw-r--r-- | security/security.c | 6 |
7 files changed, 195 insertions, 8 deletions
diff --git a/drivers/infiniband/core/core_priv.h b/drivers/infiniband/core/core_priv.h index 7b63215f80c2..06645272c784 100644 --- a/drivers/infiniband/core/core_priv.h +++ b/drivers/infiniband/core/core_priv.h | |||
| @@ -38,6 +38,8 @@ | |||
| 38 | #include <linux/cgroup_rdma.h> | 38 | #include <linux/cgroup_rdma.h> |
| 39 | 39 | ||
| 40 | #include <rdma/ib_verbs.h> | 40 | #include <rdma/ib_verbs.h> |
| 41 | #include <rdma/ib_mad.h> | ||
| 42 | #include "mad_priv.h" | ||
| 41 | 43 | ||
| 42 | struct pkey_index_qp_list { | 44 | struct pkey_index_qp_list { |
| 43 | struct list_head pkey_index_list; | 45 | struct list_head pkey_index_list; |
| @@ -189,6 +191,11 @@ int ib_get_cached_subnet_prefix(struct ib_device *device, | |||
| 189 | u64 *sn_pfx); | 191 | u64 *sn_pfx); |
| 190 | 192 | ||
| 191 | #ifdef CONFIG_SECURITY_INFINIBAND | 193 | #ifdef CONFIG_SECURITY_INFINIBAND |
| 194 | int ib_security_pkey_access(struct ib_device *dev, | ||
| 195 | u8 port_num, | ||
| 196 | u16 pkey_index, | ||
| 197 | void *sec); | ||
| 198 | |||
| 192 | void ib_security_destroy_port_pkey_list(struct ib_device *device); | 199 | void ib_security_destroy_port_pkey_list(struct ib_device *device); |
| 193 | 200 | ||
| 194 | void ib_security_cache_change(struct ib_device *device, | 201 | void ib_security_cache_change(struct ib_device *device, |
| @@ -206,7 +213,19 @@ void ib_destroy_qp_security_abort(struct ib_qp_security *sec); | |||
| 206 | void ib_destroy_qp_security_end(struct ib_qp_security *sec); | 213 | void ib_destroy_qp_security_end(struct ib_qp_security *sec); |
| 207 | int ib_open_shared_qp_security(struct ib_qp *qp, struct ib_device *dev); | 214 | int ib_open_shared_qp_security(struct ib_qp *qp, struct ib_device *dev); |
| 208 | void ib_close_shared_qp_security(struct ib_qp_security *sec); | 215 | void ib_close_shared_qp_security(struct ib_qp_security *sec); |
| 216 | int ib_mad_agent_security_setup(struct ib_mad_agent *agent, | ||
| 217 | enum ib_qp_type qp_type); | ||
| 218 | void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent); | ||
| 219 | int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index); | ||
| 209 | #else | 220 | #else |
| 221 | static inline int ib_security_pkey_access(struct ib_device *dev, | ||
| 222 | u8 port_num, | ||
| 223 | u16 pkey_index, | ||
| 224 | void *sec) | ||
| 225 | { | ||
| 226 | return 0; | ||
| 227 | } | ||
| 228 | |||
| 210 | static inline void ib_security_destroy_port_pkey_list(struct ib_device *device) | 229 | static inline void ib_security_destroy_port_pkey_list(struct ib_device *device) |
| 211 | { | 230 | { |
| 212 | } | 231 | } |
| @@ -255,5 +274,21 @@ static inline int ib_open_shared_qp_security(struct ib_qp *qp, | |||
| 255 | static inline void ib_close_shared_qp_security(struct ib_qp_security *sec) | 274 | static inline void ib_close_shared_qp_security(struct ib_qp_security *sec) |
| 256 | { | 275 | { |
| 257 | } | 276 | } |
| 277 | |||
| 278 | static inline int ib_mad_agent_security_setup(struct ib_mad_agent *agent, | ||
| 279 | enum ib_qp_type qp_type) | ||
| 280 | { | ||
| 281 | return 0; | ||
| 282 | } | ||
| 283 | |||
| 284 | static inline void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent) | ||
| 285 | { | ||
| 286 | } | ||
| 287 | |||
| 288 | static inline int ib_mad_enforce_security(struct ib_mad_agent_private *map, | ||
| 289 | u16 pkey_index) | ||
| 290 | { | ||
| 291 | return 0; | ||
| 292 | } | ||
| 258 | #endif | 293 | #endif |
| 259 | #endif /* _CORE_PRIV_H */ | 294 | #endif /* _CORE_PRIV_H */ |
diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c index 192ee3dafb80..f8f53bb90837 100644 --- a/drivers/infiniband/core/mad.c +++ b/drivers/infiniband/core/mad.c | |||
| @@ -40,9 +40,11 @@ | |||
| 40 | #include <linux/dma-mapping.h> | 40 | #include <linux/dma-mapping.h> |
| 41 | #include <linux/slab.h> | 41 | #include <linux/slab.h> |
| 42 | #include <linux/module.h> | 42 | #include <linux/module.h> |
| 43 | #include <linux/security.h> | ||
| 43 | #include <rdma/ib_cache.h> | 44 | #include <rdma/ib_cache.h> |
| 44 | 45 | ||
| 45 | #include "mad_priv.h" | 46 | #include "mad_priv.h" |
| 47 | #include "core_priv.h" | ||
| 46 | #include "mad_rmpp.h" | 48 | #include "mad_rmpp.h" |
| 47 | #include "smi.h" | 49 | #include "smi.h" |
| 48 | #include "opa_smi.h" | 50 | #include "opa_smi.h" |
| @@ -369,6 +371,12 @@ struct ib_mad_agent *ib_register_mad_agent(struct ib_device *device, | |||
| 369 | atomic_set(&mad_agent_priv->refcount, 1); | 371 | atomic_set(&mad_agent_priv->refcount, 1); |
| 370 | init_completion(&mad_agent_priv->comp); | 372 | init_completion(&mad_agent_priv->comp); |
| 371 | 373 | ||
| 374 | ret2 = ib_mad_agent_security_setup(&mad_agent_priv->agent, qp_type); | ||
| 375 | if (ret2) { | ||
| 376 | ret = ERR_PTR(ret2); | ||
| 377 | goto error4; | ||
| 378 | } | ||
| 379 | |||
| 372 | spin_lock_irqsave(&port_priv->reg_lock, flags); | 380 | spin_lock_irqsave(&port_priv->reg_lock, flags); |
| 373 | mad_agent_priv->agent.hi_tid = ++ib_mad_client_id; | 381 | mad_agent_priv->agent.hi_tid = ++ib_mad_client_id; |
| 374 | 382 | ||
| @@ -386,7 +394,7 @@ struct ib_mad_agent *ib_register_mad_agent(struct ib_device *device, | |||
| 386 | if (method) { | 394 | if (method) { |
| 387 | if (method_in_use(&method, | 395 | if (method_in_use(&method, |
| 388 | mad_reg_req)) | 396 | mad_reg_req)) |
| 389 | goto error4; | 397 | goto error5; |
| 390 | } | 398 | } |
| 391 | } | 399 | } |
| 392 | ret2 = add_nonoui_reg_req(mad_reg_req, mad_agent_priv, | 400 | ret2 = add_nonoui_reg_req(mad_reg_req, mad_agent_priv, |
| @@ -402,14 +410,14 @@ struct ib_mad_agent *ib_register_mad_agent(struct ib_device *device, | |||
| 402 | if (is_vendor_method_in_use( | 410 | if (is_vendor_method_in_use( |
| 403 | vendor_class, | 411 | vendor_class, |
| 404 | mad_reg_req)) | 412 | mad_reg_req)) |
| 405 | goto error4; | 413 | goto error5; |
| 406 | } | 414 | } |
| 407 | } | 415 | } |
| 408 | ret2 = add_oui_reg_req(mad_reg_req, mad_agent_priv); | 416 | ret2 = add_oui_reg_req(mad_reg_req, mad_agent_priv); |
| 409 | } | 417 | } |
| 410 | if (ret2) { | 418 | if (ret2) { |
| 411 | ret = ERR_PTR(ret2); | 419 | ret = ERR_PTR(ret2); |
| 412 | goto error4; | 420 | goto error5; |
| 413 | } | 421 | } |
| 414 | } | 422 | } |
| 415 | 423 | ||
| @@ -418,9 +426,10 @@ struct ib_mad_agent *ib_register_mad_agent(struct ib_device *device, | |||
| 418 | spin_unlock_irqrestore(&port_priv->reg_lock, flags); | 426 | spin_unlock_irqrestore(&port_priv->reg_lock, flags); |
| 419 | 427 | ||
| 420 | return &mad_agent_priv->agent; | 428 | return &mad_agent_priv->agent; |
| 421 | 429 | error5: | |
| 422 | error4: | ||
| 423 | spin_unlock_irqrestore(&port_priv->reg_lock, flags); | 430 | spin_unlock_irqrestore(&port_priv->reg_lock, flags); |
| 431 | ib_mad_agent_security_cleanup(&mad_agent_priv->agent); | ||
| 432 | error4: | ||
| 424 | kfree(reg_req); | 433 | kfree(reg_req); |
| 425 | error3: | 434 | error3: |
| 426 | kfree(mad_agent_priv); | 435 | kfree(mad_agent_priv); |
| @@ -491,6 +500,7 @@ struct ib_mad_agent *ib_register_mad_snoop(struct ib_device *device, | |||
| 491 | struct ib_mad_agent *ret; | 500 | struct ib_mad_agent *ret; |
| 492 | struct ib_mad_snoop_private *mad_snoop_priv; | 501 | struct ib_mad_snoop_private *mad_snoop_priv; |
| 493 | int qpn; | 502 | int qpn; |
| 503 | int err; | ||
| 494 | 504 | ||
| 495 | /* Validate parameters */ | 505 | /* Validate parameters */ |
| 496 | if ((is_snooping_sends(mad_snoop_flags) && !snoop_handler) || | 506 | if ((is_snooping_sends(mad_snoop_flags) && !snoop_handler) || |
| @@ -525,17 +535,25 @@ struct ib_mad_agent *ib_register_mad_snoop(struct ib_device *device, | |||
| 525 | mad_snoop_priv->agent.port_num = port_num; | 535 | mad_snoop_priv->agent.port_num = port_num; |
| 526 | mad_snoop_priv->mad_snoop_flags = mad_snoop_flags; | 536 | mad_snoop_priv->mad_snoop_flags = mad_snoop_flags; |
| 527 | init_completion(&mad_snoop_priv->comp); | 537 | init_completion(&mad_snoop_priv->comp); |
| 538 | |||
| 539 | err = ib_mad_agent_security_setup(&mad_snoop_priv->agent, qp_type); | ||
| 540 | if (err) { | ||
| 541 | ret = ERR_PTR(err); | ||
| 542 | goto error2; | ||
| 543 | } | ||
| 544 | |||
| 528 | mad_snoop_priv->snoop_index = register_snoop_agent( | 545 | mad_snoop_priv->snoop_index = register_snoop_agent( |
| 529 | &port_priv->qp_info[qpn], | 546 | &port_priv->qp_info[qpn], |
| 530 | mad_snoop_priv); | 547 | mad_snoop_priv); |
| 531 | if (mad_snoop_priv->snoop_index < 0) { | 548 | if (mad_snoop_priv->snoop_index < 0) { |
| 532 | ret = ERR_PTR(mad_snoop_priv->snoop_index); | 549 | ret = ERR_PTR(mad_snoop_priv->snoop_index); |
| 533 | goto error2; | 550 | goto error3; |
| 534 | } | 551 | } |
| 535 | 552 | ||
| 536 | atomic_set(&mad_snoop_priv->refcount, 1); | 553 | atomic_set(&mad_snoop_priv->refcount, 1); |
| 537 | return &mad_snoop_priv->agent; | 554 | return &mad_snoop_priv->agent; |
| 538 | 555 | error3: | |
| 556 | ib_mad_agent_security_cleanup(&mad_snoop_priv->agent); | ||
| 539 | error2: | 557 | error2: |
| 540 | kfree(mad_snoop_priv); | 558 | kfree(mad_snoop_priv); |
| 541 | error1: | 559 | error1: |
| @@ -581,6 +599,8 @@ static void unregister_mad_agent(struct ib_mad_agent_private *mad_agent_priv) | |||
| 581 | deref_mad_agent(mad_agent_priv); | 599 | deref_mad_agent(mad_agent_priv); |
| 582 | wait_for_completion(&mad_agent_priv->comp); | 600 | wait_for_completion(&mad_agent_priv->comp); |
| 583 | 601 | ||
| 602 | ib_mad_agent_security_cleanup(&mad_agent_priv->agent); | ||
| 603 | |||
| 584 | kfree(mad_agent_priv->reg_req); | 604 | kfree(mad_agent_priv->reg_req); |
| 585 | kfree(mad_agent_priv); | 605 | kfree(mad_agent_priv); |
| 586 | } | 606 | } |
| @@ -599,6 +619,8 @@ static void unregister_mad_snoop(struct ib_mad_snoop_private *mad_snoop_priv) | |||
| 599 | deref_snoop_agent(mad_snoop_priv); | 619 | deref_snoop_agent(mad_snoop_priv); |
| 600 | wait_for_completion(&mad_snoop_priv->comp); | 620 | wait_for_completion(&mad_snoop_priv->comp); |
| 601 | 621 | ||
| 622 | ib_mad_agent_security_cleanup(&mad_snoop_priv->agent); | ||
| 623 | |||
| 602 | kfree(mad_snoop_priv); | 624 | kfree(mad_snoop_priv); |
| 603 | } | 625 | } |
| 604 | 626 | ||
| @@ -1215,12 +1237,16 @@ int ib_post_send_mad(struct ib_mad_send_buf *send_buf, | |||
| 1215 | 1237 | ||
| 1216 | /* Walk list of send WRs and post each on send list */ | 1238 | /* Walk list of send WRs and post each on send list */ |
| 1217 | for (; send_buf; send_buf = next_send_buf) { | 1239 | for (; send_buf; send_buf = next_send_buf) { |
| 1218 | |||
| 1219 | mad_send_wr = container_of(send_buf, | 1240 | mad_send_wr = container_of(send_buf, |
| 1220 | struct ib_mad_send_wr_private, | 1241 | struct ib_mad_send_wr_private, |
| 1221 | send_buf); | 1242 | send_buf); |
| 1222 | mad_agent_priv = mad_send_wr->mad_agent_priv; | 1243 | mad_agent_priv = mad_send_wr->mad_agent_priv; |
| 1223 | 1244 | ||
| 1245 | ret = ib_mad_enforce_security(mad_agent_priv, | ||
| 1246 | mad_send_wr->send_wr.pkey_index); | ||
| 1247 | if (ret) | ||
| 1248 | goto error; | ||
| 1249 | |||
| 1224 | if (!send_buf->mad_agent->send_handler || | 1250 | if (!send_buf->mad_agent->send_handler || |
| 1225 | (send_buf->timeout_ms && | 1251 | (send_buf->timeout_ms && |
| 1226 | !send_buf->mad_agent->recv_handler)) { | 1252 | !send_buf->mad_agent->recv_handler)) { |
| @@ -1946,6 +1972,14 @@ static void ib_mad_complete_recv(struct ib_mad_agent_private *mad_agent_priv, | |||
| 1946 | struct ib_mad_send_wr_private *mad_send_wr; | 1972 | struct ib_mad_send_wr_private *mad_send_wr; |
| 1947 | struct ib_mad_send_wc mad_send_wc; | 1973 | struct ib_mad_send_wc mad_send_wc; |
| 1948 | unsigned long flags; | 1974 | unsigned long flags; |
| 1975 | int ret; | ||
| 1976 | |||
| 1977 | ret = ib_mad_enforce_security(mad_agent_priv, | ||
| 1978 | mad_recv_wc->wc->pkey_index); | ||
| 1979 | if (ret) { | ||
| 1980 | ib_free_recv_mad(mad_recv_wc); | ||
| 1981 | deref_mad_agent(mad_agent_priv); | ||
| 1982 | } | ||
| 1949 | 1983 | ||
| 1950 | INIT_LIST_HEAD(&mad_recv_wc->rmpp_list); | 1984 | INIT_LIST_HEAD(&mad_recv_wc->rmpp_list); |
| 1951 | list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list); | 1985 | list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list); |
| @@ -2003,6 +2037,8 @@ static void ib_mad_complete_recv(struct ib_mad_agent_private *mad_agent_priv, | |||
| 2003 | mad_recv_wc); | 2037 | mad_recv_wc); |
| 2004 | deref_mad_agent(mad_agent_priv); | 2038 | deref_mad_agent(mad_agent_priv); |
| 2005 | } | 2039 | } |
| 2040 | |||
| 2041 | return; | ||
| 2006 | } | 2042 | } |
| 2007 | 2043 | ||
| 2008 | static enum smi_action handle_ib_smi(const struct ib_mad_port_private *port_priv, | 2044 | static enum smi_action handle_ib_smi(const struct ib_mad_port_private *port_priv, |
diff --git a/drivers/infiniband/core/security.c b/drivers/infiniband/core/security.c index b2f170ddc062..3e8c38953912 100644 --- a/drivers/infiniband/core/security.c +++ b/drivers/infiniband/core/security.c | |||
| @@ -39,6 +39,7 @@ | |||
| 39 | #include <rdma/ib_verbs.h> | 39 | #include <rdma/ib_verbs.h> |
| 40 | #include <rdma/ib_cache.h> | 40 | #include <rdma/ib_cache.h> |
| 41 | #include "core_priv.h" | 41 | #include "core_priv.h" |
| 42 | #include "mad_priv.h" | ||
| 42 | 43 | ||
| 43 | static struct pkey_index_qp_list *get_pkey_idx_qp_list(struct ib_port_pkey *pp) | 44 | static struct pkey_index_qp_list *get_pkey_idx_qp_list(struct ib_port_pkey *pp) |
| 44 | { | 45 | { |
| @@ -610,4 +611,95 @@ int ib_security_modify_qp(struct ib_qp *qp, | |||
| 610 | } | 611 | } |
| 611 | EXPORT_SYMBOL(ib_security_modify_qp); | 612 | EXPORT_SYMBOL(ib_security_modify_qp); |
| 612 | 613 | ||
| 614 | int ib_security_pkey_access(struct ib_device *dev, | ||
| 615 | u8 port_num, | ||
| 616 | u16 pkey_index, | ||
| 617 | void *sec) | ||
| 618 | { | ||
| 619 | u64 subnet_prefix; | ||
| 620 | u16 pkey; | ||
| 621 | int ret; | ||
| 622 | |||
| 623 | ret = ib_get_cached_pkey(dev, port_num, pkey_index, &pkey); | ||
| 624 | if (ret) | ||
| 625 | return ret; | ||
| 626 | |||
| 627 | ret = ib_get_cached_subnet_prefix(dev, port_num, &subnet_prefix); | ||
| 628 | |||
| 629 | if (ret) | ||
| 630 | return ret; | ||
| 631 | |||
| 632 | return security_ib_pkey_access(sec, subnet_prefix, pkey); | ||
| 633 | } | ||
| 634 | EXPORT_SYMBOL(ib_security_pkey_access); | ||
| 635 | |||
| 636 | static int ib_mad_agent_security_change(struct notifier_block *nb, | ||
| 637 | unsigned long event, | ||
| 638 | void *data) | ||
| 639 | { | ||
| 640 | struct ib_mad_agent *ag = container_of(nb, struct ib_mad_agent, lsm_nb); | ||
| 641 | |||
| 642 | if (event != LSM_POLICY_CHANGE) | ||
| 643 | return NOTIFY_DONE; | ||
| 644 | |||
| 645 | ag->smp_allowed = !security_ib_endport_manage_subnet(ag->security, | ||
| 646 | ag->device->name, | ||
| 647 | ag->port_num); | ||
| 648 | |||
| 649 | return NOTIFY_OK; | ||
| 650 | } | ||
| 651 | |||
| 652 | int ib_mad_agent_security_setup(struct ib_mad_agent *agent, | ||
| 653 | enum ib_qp_type qp_type) | ||
| 654 | { | ||
| 655 | int ret; | ||
| 656 | |||
| 657 | ret = security_ib_alloc_security(&agent->security); | ||
| 658 | if (ret) | ||
| 659 | return ret; | ||
| 660 | |||
| 661 | if (qp_type != IB_QPT_SMI) | ||
| 662 | return 0; | ||
| 663 | |||
| 664 | ret = security_ib_endport_manage_subnet(agent->security, | ||
| 665 | agent->device->name, | ||
| 666 | agent->port_num); | ||
| 667 | if (ret) | ||
| 668 | return ret; | ||
| 669 | |||
| 670 | agent->lsm_nb.notifier_call = ib_mad_agent_security_change; | ||
| 671 | ret = register_lsm_notifier(&agent->lsm_nb); | ||
| 672 | if (ret) | ||
| 673 | return ret; | ||
| 674 | |||
| 675 | agent->smp_allowed = true; | ||
| 676 | agent->lsm_nb_reg = true; | ||
| 677 | return 0; | ||
| 678 | } | ||
| 679 | |||
| 680 | void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent) | ||
| 681 | { | ||
| 682 | security_ib_free_security(agent->security); | ||
| 683 | if (agent->lsm_nb_reg) | ||
| 684 | unregister_lsm_notifier(&agent->lsm_nb); | ||
| 685 | } | ||
| 686 | |||
| 687 | int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index) | ||
| 688 | { | ||
| 689 | int ret; | ||
| 690 | |||
| 691 | if (map->agent.qp->qp_type == IB_QPT_SMI && !map->agent.smp_allowed) | ||
| 692 | return -EACCES; | ||
| 693 | |||
| 694 | ret = ib_security_pkey_access(map->agent.device, | ||
| 695 | map->agent.port_num, | ||
| 696 | pkey_index, | ||
| 697 | map->agent.security); | ||
| 698 | |||
| 699 | if (ret) | ||
| 700 | return ret; | ||
| 701 | |||
| 702 | return 0; | ||
| 703 | } | ||
| 704 | |||
| 613 | #endif /* CONFIG_SECURITY_INFINIBAND */ | 705 | #endif /* CONFIG_SECURITY_INFINIBAND */ |
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 6d9f41fffda7..68d91e423bca 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h | |||
| @@ -919,6 +919,11 @@ | |||
| 919 | * @subnet_prefix the subnet prefix of the port being used. | 919 | * @subnet_prefix the subnet prefix of the port being used. |
| 920 | * @pkey the pkey to be accessed. | 920 | * @pkey the pkey to be accessed. |
| 921 | * @sec pointer to a security structure. | 921 | * @sec pointer to a security structure. |
| 922 | * @ib_endport_manage_subnet: | ||
| 923 | * Check permissions to send and receive SMPs on a end port. | ||
| 924 | * @dev_name the IB device name (i.e. mlx4_0). | ||
| 925 | * @port_num the port number. | ||
| 926 | * @sec pointer to a security structure. | ||
| 922 | * @ib_alloc_security: | 927 | * @ib_alloc_security: |
| 923 | * Allocate a security structure for Infiniband objects. | 928 | * Allocate a security structure for Infiniband objects. |
| 924 | * @sec pointer to a security structure pointer. | 929 | * @sec pointer to a security structure pointer. |
| @@ -1638,6 +1643,8 @@ union security_list_options { | |||
| 1638 | 1643 | ||
| 1639 | #ifdef CONFIG_SECURITY_INFINIBAND | 1644 | #ifdef CONFIG_SECURITY_INFINIBAND |
| 1640 | int (*ib_pkey_access)(void *sec, u64 subnet_prefix, u16 pkey); | 1645 | int (*ib_pkey_access)(void *sec, u64 subnet_prefix, u16 pkey); |
| 1646 | int (*ib_endport_manage_subnet)(void *sec, const char *dev_name, | ||
| 1647 | u8 port_num); | ||
| 1641 | int (*ib_alloc_security)(void **sec); | 1648 | int (*ib_alloc_security)(void **sec); |
| 1642 | void (*ib_free_security)(void *sec); | 1649 | void (*ib_free_security)(void *sec); |
| 1643 | #endif /* CONFIG_SECURITY_INFINIBAND */ | 1650 | #endif /* CONFIG_SECURITY_INFINIBAND */ |
| @@ -1875,6 +1882,7 @@ struct security_hook_heads { | |||
| 1875 | #endif /* CONFIG_SECURITY_NETWORK */ | 1882 | #endif /* CONFIG_SECURITY_NETWORK */ |
| 1876 | #ifdef CONFIG_SECURITY_INFINIBAND | 1883 | #ifdef CONFIG_SECURITY_INFINIBAND |
| 1877 | struct list_head ib_pkey_access; | 1884 | struct list_head ib_pkey_access; |
| 1885 | struct list_head ib_endport_manage_subnet; | ||
| 1878 | struct list_head ib_alloc_security; | 1886 | struct list_head ib_alloc_security; |
| 1879 | struct list_head ib_free_security; | 1887 | struct list_head ib_free_security; |
| 1880 | #endif /* CONFIG_SECURITY_INFINIBAND */ | 1888 | #endif /* CONFIG_SECURITY_INFINIBAND */ |
diff --git a/include/linux/security.h b/include/linux/security.h index f96e333f6042..549cb828a888 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -1432,6 +1432,7 @@ static inline int security_tun_dev_open(void *security) | |||
| 1432 | 1432 | ||
| 1433 | #ifdef CONFIG_SECURITY_INFINIBAND | 1433 | #ifdef CONFIG_SECURITY_INFINIBAND |
| 1434 | int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey); | 1434 | int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey); |
| 1435 | int security_ib_endport_manage_subnet(void *sec, const char *name, u8 port_num); | ||
| 1435 | int security_ib_alloc_security(void **sec); | 1436 | int security_ib_alloc_security(void **sec); |
| 1436 | void security_ib_free_security(void *sec); | 1437 | void security_ib_free_security(void *sec); |
| 1437 | #else /* CONFIG_SECURITY_INFINIBAND */ | 1438 | #else /* CONFIG_SECURITY_INFINIBAND */ |
| @@ -1440,6 +1441,11 @@ static inline int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey | |||
| 1440 | return 0; | 1441 | return 0; |
| 1441 | } | 1442 | } |
| 1442 | 1443 | ||
| 1444 | static inline int security_ib_endport_manage_subnet(void *sec, const char *dev_name, u8 port_num) | ||
| 1445 | { | ||
| 1446 | return 0; | ||
| 1447 | } | ||
| 1448 | |||
| 1443 | static inline int security_ib_alloc_security(void **sec) | 1449 | static inline int security_ib_alloc_security(void **sec) |
| 1444 | { | 1450 | { |
| 1445 | return 0; | 1451 | return 0; |
diff --git a/include/rdma/ib_mad.h b/include/rdma/ib_mad.h index d67b11b72029..2f4f1768ded4 100644 --- a/include/rdma/ib_mad.h +++ b/include/rdma/ib_mad.h | |||
| @@ -575,6 +575,10 @@ struct ib_mad_agent { | |||
| 575 | u32 flags; | 575 | u32 flags; |
| 576 | u8 port_num; | 576 | u8 port_num; |
| 577 | u8 rmpp_version; | 577 | u8 rmpp_version; |
| 578 | void *security; | ||
| 579 | bool smp_allowed; | ||
| 580 | bool lsm_nb_reg; | ||
| 581 | struct notifier_block lsm_nb; | ||
| 578 | }; | 582 | }; |
| 579 | 583 | ||
| 580 | /** | 584 | /** |
diff --git a/security/security.c b/security/security.c index b59be0d6535f..714433e3e9a2 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -1544,6 +1544,12 @@ int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey) | |||
| 1544 | } | 1544 | } |
| 1545 | EXPORT_SYMBOL(security_ib_pkey_access); | 1545 | EXPORT_SYMBOL(security_ib_pkey_access); |
| 1546 | 1546 | ||
| 1547 | int security_ib_endport_manage_subnet(void *sec, const char *dev_name, u8 port_num) | ||
| 1548 | { | ||
| 1549 | return call_int_hook(ib_endport_manage_subnet, 0, sec, dev_name, port_num); | ||
| 1550 | } | ||
| 1551 | EXPORT_SYMBOL(security_ib_endport_manage_subnet); | ||
| 1552 | |||
| 1547 | int security_ib_alloc_security(void **sec) | 1553 | int security_ib_alloc_security(void **sec) |
| 1548 | { | 1554 | { |
| 1549 | return call_int_hook(ib_alloc_security, 0, sec); | 1555 | return call_int_hook(ib_alloc_security, 0, sec); |