diff options
| author | Daniel Jurgens <danielj@mellanox.com> | 2017-05-19 08:48:55 -0400 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2017-05-23 12:27:32 -0400 |
| commit | a806f7a1616f29b80749d708115a643c1f4ba056 (patch) | |
| tree | 5b002e6d61f6a43ab59b24bb5e92e369cbdceeca | |
| parent | 47a2b338fe63200d716d2e24131cdb49f17c77da (diff) | |
selinux: Create policydb version for Infiniband support
Support for Infiniband requires the addition of two new object contexts,
one for infiniband PKeys and another IB Ports. Added handlers to read
and write the new ocontext types when reading or writing a binary policy
representation.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Reviewed-by: Eli Cohen <eli@mellanox.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Acked-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | security/selinux/include/security.h | 3 | ||||
| -rw-r--r-- | security/selinux/ss/policydb.c | 112 | ||||
| -rw-r--r-- | security/selinux/ss/policydb.h | 27 |
3 files changed, 118 insertions, 24 deletions
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index c4224bbf9f4e..b48a462cf446 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h | |||
| @@ -36,10 +36,11 @@ | |||
| 36 | #define POLICYDB_VERSION_DEFAULT_TYPE 28 | 36 | #define POLICYDB_VERSION_DEFAULT_TYPE 28 |
| 37 | #define POLICYDB_VERSION_CONSTRAINT_NAMES 29 | 37 | #define POLICYDB_VERSION_CONSTRAINT_NAMES 29 |
| 38 | #define POLICYDB_VERSION_XPERMS_IOCTL 30 | 38 | #define POLICYDB_VERSION_XPERMS_IOCTL 30 |
| 39 | #define POLICYDB_VERSION_INFINIBAND 31 | ||
| 39 | 40 | ||
| 40 | /* Range of policy versions we understand*/ | 41 | /* Range of policy versions we understand*/ |
| 41 | #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE | 42 | #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE |
| 42 | #define POLICYDB_VERSION_MAX POLICYDB_VERSION_XPERMS_IOCTL | 43 | #define POLICYDB_VERSION_MAX POLICYDB_VERSION_INFINIBAND |
| 43 | 44 | ||
| 44 | /* Mask for just the mount related flags */ | 45 | /* Mask for just the mount related flags */ |
| 45 | #define SE_MNTMASK 0x0f | 46 | #define SE_MNTMASK 0x0f |
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 87d645d3a39f..aa6500abb178 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c | |||
| @@ -17,6 +17,11 @@ | |||
| 17 | * | 17 | * |
| 18 | * Added support for the policy capability bitmap | 18 | * Added support for the policy capability bitmap |
| 19 | * | 19 | * |
| 20 | * Update: Mellanox Techonologies | ||
| 21 | * | ||
| 22 | * Added Infiniband support | ||
| 23 | * | ||
| 24 | * Copyright (C) 2016 Mellanox Techonologies | ||
| 20 | * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. | 25 | * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. |
| 21 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. | 26 | * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. |
| 22 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC | 27 | * Copyright (C) 2003 - 2004 Tresys Technology, LLC |
| @@ -76,81 +81,86 @@ static struct policydb_compat_info policydb_compat[] = { | |||
| 76 | { | 81 | { |
| 77 | .version = POLICYDB_VERSION_BASE, | 82 | .version = POLICYDB_VERSION_BASE, |
| 78 | .sym_num = SYM_NUM - 3, | 83 | .sym_num = SYM_NUM - 3, |
| 79 | .ocon_num = OCON_NUM - 1, | 84 | .ocon_num = OCON_NUM - 3, |
| 80 | }, | 85 | }, |
| 81 | { | 86 | { |
| 82 | .version = POLICYDB_VERSION_BOOL, | 87 | .version = POLICYDB_VERSION_BOOL, |
| 83 | .sym_num = SYM_NUM - 2, | 88 | .sym_num = SYM_NUM - 2, |
| 84 | .ocon_num = OCON_NUM - 1, | 89 | .ocon_num = OCON_NUM - 3, |
| 85 | }, | 90 | }, |
| 86 | { | 91 | { |
| 87 | .version = POLICYDB_VERSION_IPV6, | 92 | .version = POLICYDB_VERSION_IPV6, |
| 88 | .sym_num = SYM_NUM - 2, | 93 | .sym_num = SYM_NUM - 2, |
| 89 | .ocon_num = OCON_NUM, | 94 | .ocon_num = OCON_NUM - 2, |
| 90 | }, | 95 | }, |
| 91 | { | 96 | { |
| 92 | .version = POLICYDB_VERSION_NLCLASS, | 97 | .version = POLICYDB_VERSION_NLCLASS, |
| 93 | .sym_num = SYM_NUM - 2, | 98 | .sym_num = SYM_NUM - 2, |
| 94 | .ocon_num = OCON_NUM, | 99 | .ocon_num = OCON_NUM - 2, |
| 95 | }, | 100 | }, |
| 96 | { | 101 | { |
| 97 | .version = POLICYDB_VERSION_MLS, | 102 | .version = POLICYDB_VERSION_MLS, |
| 98 | .sym_num = SYM_NUM, | 103 | .sym_num = SYM_NUM, |
| 99 | .ocon_num = OCON_NUM, | 104 | .ocon_num = OCON_NUM - 2, |
| 100 | }, | 105 | }, |
| 101 | { | 106 | { |
| 102 | .version = POLICYDB_VERSION_AVTAB, | 107 | .version = POLICYDB_VERSION_AVTAB, |
| 103 | .sym_num = SYM_NUM, | 108 | .sym_num = SYM_NUM, |
| 104 | .ocon_num = OCON_NUM, | 109 | .ocon_num = OCON_NUM - 2, |
| 105 | }, | 110 | }, |
| 106 | { | 111 | { |
| 107 | .version = POLICYDB_VERSION_RANGETRANS, | 112 | .version = POLICYDB_VERSION_RANGETRANS, |
| 108 | .sym_num = SYM_NUM, | 113 | .sym_num = SYM_NUM, |
| 109 | .ocon_num = OCON_NUM, | 114 | .ocon_num = OCON_NUM - 2, |
| 110 | }, | 115 | }, |
| 111 | { | 116 | { |
| 112 | .version = POLICYDB_VERSION_POLCAP, | 117 | .version = POLICYDB_VERSION_POLCAP, |
| 113 | .sym_num = SYM_NUM, | 118 | .sym_num = SYM_NUM, |
| 114 | .ocon_num = OCON_NUM, | 119 | .ocon_num = OCON_NUM - 2, |
| 115 | }, | 120 | }, |
| 116 | { | 121 | { |
| 117 | .version = POLICYDB_VERSION_PERMISSIVE, | 122 | .version = POLICYDB_VERSION_PERMISSIVE, |
| 118 | .sym_num = SYM_NUM, | 123 | .sym_num = SYM_NUM, |
| 119 | .ocon_num = OCON_NUM, | 124 | .ocon_num = OCON_NUM - 2, |
| 120 | }, | 125 | }, |
| 121 | { | 126 | { |
| 122 | .version = POLICYDB_VERSION_BOUNDARY, | 127 | .version = POLICYDB_VERSION_BOUNDARY, |
| 123 | .sym_num = SYM_NUM, | 128 | .sym_num = SYM_NUM, |
| 124 | .ocon_num = OCON_NUM, | 129 | .ocon_num = OCON_NUM - 2, |
| 125 | }, | 130 | }, |
| 126 | { | 131 | { |
| 127 | .version = POLICYDB_VERSION_FILENAME_TRANS, | 132 | .version = POLICYDB_VERSION_FILENAME_TRANS, |
| 128 | .sym_num = SYM_NUM, | 133 | .sym_num = SYM_NUM, |
| 129 | .ocon_num = OCON_NUM, | 134 | .ocon_num = OCON_NUM - 2, |
| 130 | }, | 135 | }, |
| 131 | { | 136 | { |
| 132 | .version = POLICYDB_VERSION_ROLETRANS, | 137 | .version = POLICYDB_VERSION_ROLETRANS, |
| 133 | .sym_num = SYM_NUM, | 138 | .sym_num = SYM_NUM, |
| 134 | .ocon_num = OCON_NUM, | 139 | .ocon_num = OCON_NUM - 2, |
| 135 | }, | 140 | }, |
| 136 | { | 141 | { |
| 137 | .version = POLICYDB_VERSION_NEW_OBJECT_DEFAULTS, | 142 | .version = POLICYDB_VERSION_NEW_OBJECT_DEFAULTS, |
| 138 | .sym_num = SYM_NUM, | 143 | .sym_num = SYM_NUM, |
| 139 | .ocon_num = OCON_NUM, | 144 | .ocon_num = OCON_NUM - 2, |
| 140 | }, | 145 | }, |
| 141 | { | 146 | { |
| 142 | .version = POLICYDB_VERSION_DEFAULT_TYPE, | 147 | .version = POLICYDB_VERSION_DEFAULT_TYPE, |
| 143 | .sym_num = SYM_NUM, | 148 | .sym_num = SYM_NUM, |
| 144 | .ocon_num = OCON_NUM, | 149 | .ocon_num = OCON_NUM - 2, |
| 145 | }, | 150 | }, |
| 146 | { | 151 | { |
| 147 | .version = POLICYDB_VERSION_CONSTRAINT_NAMES, | 152 | .version = POLICYDB_VERSION_CONSTRAINT_NAMES, |
| 148 | .sym_num = SYM_NUM, | 153 | .sym_num = SYM_NUM, |
| 149 | .ocon_num = OCON_NUM, | 154 | .ocon_num = OCON_NUM - 2, |
| 150 | }, | 155 | }, |
| 151 | { | 156 | { |
| 152 | .version = POLICYDB_VERSION_XPERMS_IOCTL, | 157 | .version = POLICYDB_VERSION_XPERMS_IOCTL, |
| 153 | .sym_num = SYM_NUM, | 158 | .sym_num = SYM_NUM, |
| 159 | .ocon_num = OCON_NUM - 2, | ||
| 160 | }, | ||
| 161 | { | ||
| 162 | .version = POLICYDB_VERSION_INFINIBAND, | ||
| 163 | .sym_num = SYM_NUM, | ||
| 154 | .ocon_num = OCON_NUM, | 164 | .ocon_num = OCON_NUM, |
| 155 | }, | 165 | }, |
| 156 | }; | 166 | }; |
| @@ -2206,6 +2216,51 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info, | |||
| 2206 | goto out; | 2216 | goto out; |
| 2207 | break; | 2217 | break; |
| 2208 | } | 2218 | } |
| 2219 | case OCON_IBPKEY: | ||
| 2220 | rc = next_entry(nodebuf, fp, sizeof(u32) * 4); | ||
| 2221 | if (rc) | ||
| 2222 | goto out; | ||
| 2223 | |||
| 2224 | c->u.ibpkey.subnet_prefix = be64_to_cpu(*((__be64 *)nodebuf)); | ||
| 2225 | |||
| 2226 | if (nodebuf[2] > 0xffff || | ||
| 2227 | nodebuf[3] > 0xffff) { | ||
| 2228 | rc = -EINVAL; | ||
| 2229 | goto out; | ||
| 2230 | } | ||
| 2231 | |||
| 2232 | c->u.ibpkey.low_pkey = le32_to_cpu(nodebuf[2]); | ||
| 2233 | c->u.ibpkey.high_pkey = le32_to_cpu(nodebuf[3]); | ||
| 2234 | |||
| 2235 | rc = context_read_and_validate(&c->context[0], | ||
| 2236 | p, | ||
| 2237 | fp); | ||
| 2238 | if (rc) | ||
| 2239 | goto out; | ||
| 2240 | break; | ||
| 2241 | case OCON_IBENDPORT: | ||
| 2242 | rc = next_entry(buf, fp, sizeof(u32) * 2); | ||
| 2243 | if (rc) | ||
| 2244 | goto out; | ||
| 2245 | len = le32_to_cpu(buf[0]); | ||
| 2246 | |||
| 2247 | rc = str_read(&c->u.ibendport.dev_name, GFP_KERNEL, fp, len); | ||
| 2248 | if (rc) | ||
| 2249 | goto out; | ||
| 2250 | |||
| 2251 | if (buf[1] > 0xff || buf[1] == 0) { | ||
| 2252 | rc = -EINVAL; | ||
| 2253 | goto out; | ||
| 2254 | } | ||
| 2255 | |||
| 2256 | c->u.ibendport.port = le32_to_cpu(buf[1]); | ||
| 2257 | |||
| 2258 | rc = context_read_and_validate(&c->context[0], | ||
| 2259 | p, | ||
| 2260 | fp); | ||
| 2261 | if (rc) | ||
| 2262 | goto out; | ||
| 2263 | break; | ||
| 2209 | } | 2264 | } |
| 2210 | } | 2265 | } |
| 2211 | } | 2266 | } |
| @@ -3135,6 +3190,33 @@ static int ocontext_write(struct policydb *p, struct policydb_compat_info *info, | |||
| 3135 | if (rc) | 3190 | if (rc) |
| 3136 | return rc; | 3191 | return rc; |
| 3137 | break; | 3192 | break; |
| 3193 | case OCON_IBPKEY: | ||
| 3194 | *((__be64 *)nodebuf) = cpu_to_be64(c->u.ibpkey.subnet_prefix); | ||
| 3195 | |||
| 3196 | nodebuf[2] = cpu_to_le32(c->u.ibpkey.low_pkey); | ||
| 3197 | nodebuf[3] = cpu_to_le32(c->u.ibpkey.high_pkey); | ||
| 3198 | |||
| 3199 | rc = put_entry(nodebuf, sizeof(u32), 4, fp); | ||
| 3200 | if (rc) | ||
| 3201 | return rc; | ||
| 3202 | rc = context_write(p, &c->context[0], fp); | ||
| 3203 | if (rc) | ||
| 3204 | return rc; | ||
| 3205 | break; | ||
| 3206 | case OCON_IBENDPORT: | ||
| 3207 | len = strlen(c->u.ibendport.dev_name); | ||
| 3208 | buf[0] = cpu_to_le32(len); | ||
| 3209 | buf[1] = cpu_to_le32(c->u.ibendport.port); | ||
| 3210 | rc = put_entry(buf, sizeof(u32), 2, fp); | ||
| 3211 | if (rc) | ||
| 3212 | return rc; | ||
| 3213 | rc = put_entry(c->u.ibendport.dev_name, 1, len, fp); | ||
| 3214 | if (rc) | ||
| 3215 | return rc; | ||
| 3216 | rc = context_write(p, &c->context[0], fp); | ||
| 3217 | if (rc) | ||
| 3218 | return rc; | ||
| 3219 | break; | ||
| 3138 | } | 3220 | } |
| 3139 | } | 3221 | } |
| 3140 | } | 3222 | } |
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index 725d5945a97e..5d23eed35fa7 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h | |||
| @@ -187,6 +187,15 @@ struct ocontext { | |||
| 187 | u32 addr[4]; | 187 | u32 addr[4]; |
| 188 | u32 mask[4]; | 188 | u32 mask[4]; |
| 189 | } node6; /* IPv6 node information */ | 189 | } node6; /* IPv6 node information */ |
| 190 | struct { | ||
| 191 | u64 subnet_prefix; | ||
| 192 | u16 low_pkey; | ||
| 193 | u16 high_pkey; | ||
| 194 | } ibpkey; | ||
| 195 | struct { | ||
| 196 | char *dev_name; | ||
| 197 | u8 port; | ||
| 198 | } ibendport; | ||
| 190 | } u; | 199 | } u; |
| 191 | union { | 200 | union { |
| 192 | u32 sclass; /* security class for genfs */ | 201 | u32 sclass; /* security class for genfs */ |
| @@ -215,14 +224,16 @@ struct genfs { | |||
| 215 | #define SYM_NUM 8 | 224 | #define SYM_NUM 8 |
| 216 | 225 | ||
| 217 | /* object context array indices */ | 226 | /* object context array indices */ |
| 218 | #define OCON_ISID 0 /* initial SIDs */ | 227 | #define OCON_ISID 0 /* initial SIDs */ |
| 219 | #define OCON_FS 1 /* unlabeled file systems */ | 228 | #define OCON_FS 1 /* unlabeled file systems */ |
| 220 | #define OCON_PORT 2 /* TCP and UDP port numbers */ | 229 | #define OCON_PORT 2 /* TCP and UDP port numbers */ |
| 221 | #define OCON_NETIF 3 /* network interfaces */ | 230 | #define OCON_NETIF 3 /* network interfaces */ |
| 222 | #define OCON_NODE 4 /* nodes */ | 231 | #define OCON_NODE 4 /* nodes */ |
| 223 | #define OCON_FSUSE 5 /* fs_use */ | 232 | #define OCON_FSUSE 5 /* fs_use */ |
| 224 | #define OCON_NODE6 6 /* IPv6 nodes */ | 233 | #define OCON_NODE6 6 /* IPv6 nodes */ |
| 225 | #define OCON_NUM 7 | 234 | #define OCON_IBPKEY 7 /* Infiniband PKeys */ |
| 235 | #define OCON_IBENDPORT 8 /* Infiniband end ports */ | ||
| 236 | #define OCON_NUM 9 | ||
| 226 | 237 | ||
| 227 | /* The policy database */ | 238 | /* The policy database */ |
| 228 | struct policydb { | 239 | struct policydb { |