selinux: Add IB Port SMP access vector

Add a type for Infiniband ports and an access vector for subnet management packets. Implement the ib_port_smp hook to check that the caller has permission to send and receive SMPs on the end port specified by the device name and port. Add interface to query the SID for a IB port, which walks the IB_PORT ocontexts to find an entry for the given name and port. Signed-off-by: Daniel Jurgens <danielj@mellanox.com> Reviewed-by: James Morris <james.l.morris@oracle.com> Acked-by: Doug Ledford <dledford@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Daniel Jurgens <danielj@mellanox.com> 2017-05-19 08:48:58 -0400
committer: Paul Moore <paul@paul-moore.com> 2017-05-23 12:28:02 -0400
commit: ab861dfca1652aa09b26b7aa2899feb29b33dfd9 (patch)
tree: f67494faf93d675ed39ffd4e19c755c4f50d0251
parent: cfc4d882d41780d93471066d57d4630995427b29 (diff)
6 files changed, 83 insertions, 0 deletions
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 0df5639a4ff4..22b5d4e687ce 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -21,6 +21,7 @@
 #include <linux/path.h>
 #include <linux/key.h>
 #include <linux/skbuff.h>
+#include <rdma/ib_verbs.h>
 struct lsm_network_audit {
        int netif;
@@ -50,6 +51,11 @@ struct lsm_ibpkey_audit {
        u16     pkey;
 };
+struct lsm_ibendport_audit {
+        char    dev_name[IB_DEVICE_NAME_MAX];
+        u8      port;
+};
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
        char type;
@@ -66,6 +72,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_IOCTL_OP 11
 #define LSM_AUDIT_DATA_FILE     12
 #define LSM_AUDIT_DATA_IBPKEY   13
+#define LSM_AUDIT_DATA_IBENDPORT 14
        union   {
                struct path path;
                struct dentry *dentry;
@@ -84,6 +91,7 @@ struct common_audit_data {
                struct lsm_ioctlop_audit *op;
                struct file *file;
                struct lsm_ibpkey_audit *ibpkey;
+                struct lsm_ibendport_audit *ibendport;
        } u;
        /* this union contains LSM specific data */
        union {
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index c22c99fae06a..28d4c3a528ab 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -421,6 +421,11 @@ static void dump_common_audit_data(struct audit_buffer *ab,
                                 a->u.ibpkey->pkey, &sbn_pfx);
                break;
        }
+        case LSM_AUDIT_DATA_IBENDPORT:
+                audit_log_format(ab, " device=%s port_num=%u",
+                                 a->u.ibendport->dev_name,
+                                 a->u.ibendport->port);
+                break;
        } /* switch (a->type) */
 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b59255f86274..91ec46dd34d9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6169,6 +6169,29 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
                            INFINIBAND_PKEY__ACCESS, &ad);
 }
+static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
+                                            u8 port_num)
+{
+        struct common_audit_data ad;
+        int err;
+        u32 sid = 0;
+        struct ib_security_struct *sec = ib_sec;
+        struct lsm_ibendport_audit ibendport;
+        err = security_ib_endport_sid(dev_name, port_num, &sid);
+        if (err)
+                return err;
+        ad.type = LSM_AUDIT_DATA_IBENDPORT;
+        strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
+        ibendport.port = port_num;
+        ad.u.ibendport = &ibendport;
+        return avc_has_perm(sec->sid, sid,
+                            SECCLASS_INFINIBAND_ENDPORT,
+                            INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
+}
 static int selinux_ib_alloc_security(void **ib_sec)
 {
        struct ib_security_struct *sec;
@@ -6374,6 +6397,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
 #ifdef CONFIG_SECURITY_INFINIBAND
        LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
+        LSM_HOOK_INIT(ib_endport_manage_subnet,
+                      selinux_ib_endport_manage_subnet),
        LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
        LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
 #endif
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 0fec1c505f84..b9fe3434b036 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -233,6 +233,8 @@ struct security_class_mapping secclass_map[] = {
          { COMMON_SOCK_PERMS, NULL } },
        { "infiniband_pkey",
          { "access", NULL } },
+        { "infiniband_endport",
+          { "manage_subnet", NULL } },
        { NULL }
  };
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 592c014e369c..e91f08c16c0b 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -183,6 +183,8 @@ int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
 int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
+int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
 int security_netif_sid(char *name, u32 *if_sid);
 int security_node_sid(u16 domain, void *addr, u32 addrlen,
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 02257d90adc9..202166612b80 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2273,6 +2273,47 @@ out:
 }
 /**
+ * security_ib_endport_sid - Obtain the SID for a subnet management interface.
+ * @dev_name: device name
+ * @port: port number
+ * @out_sid: security identifier
+ */
+int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
+{
+        struct ocontext *c;
+        int rc = 0;
+        read_lock(&policy_rwlock);
+        c = policydb.ocontexts[OCON_IBENDPORT];
+        while (c) {
+                if (c->u.ibendport.port == port_num &&
+                    !strncmp(c->u.ibendport.dev_name,
+                             dev_name,
+                             IB_DEVICE_NAME_MAX))
+                        break;
+                c = c->next;
+        }
+        if (c) {
+                if (!c->sid[0]) {
+                        rc = sidtab_context_to_sid(&sidtab,
+                                                   &c->context[0],
+                                                   &c->sid[0]);
+                        if (rc)
+                                goto out;
+                }
+                *out_sid = c->sid[0];
+        } else
+                *out_sid = SECINITSID_UNLABELED;
+out:
+        read_unlock(&policy_rwlock);
+        return rc;
+}
+/**
 * security_netif_sid - Obtain the SID for a network interface.
 * @name: interface name
 * @if_sid: interface SID
author	Daniel Jurgens <danielj@mellanox.com>	2017-05-19 08:48:58 -0400
committer	Paul Moore <paul@paul-moore.com>	2017-05-23 12:28:02 -0400
commit	ab861dfca1652aa09b26b7aa2899feb29b33dfd9 (patch)
tree	f67494faf93d675ed39ffd4e19c755c4f50d0251
parent	cfc4d882d41780d93471066d57d4630995427b29 (diff)

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index 0df5639a4ff4..22b5d4e687ce 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h
@@ -21,6 +21,7 @@
21	#include <linux/path.h>	21	#include <linux/path.h>
22	#include <linux/key.h>	22	#include <linux/key.h>
23	#include <linux/skbuff.h>	23	#include <linux/skbuff.h>
		24	#include <rdma/ib_verbs.h>
24		25
25	struct lsm_network_audit {	26	struct lsm_network_audit {
26	int netif;	27	int netif;
@@ -50,6 +51,11 @@ struct lsm_ibpkey_audit {
50	u16 pkey;	51	u16 pkey;
51	};	52	};
52		53
		54	struct lsm_ibendport_audit {
		55	char dev_name[IB_DEVICE_NAME_MAX];
		56	u8 port;
		57	};
		58
53	/* Auxiliary data to use in generating the audit record. */	59	/* Auxiliary data to use in generating the audit record. */
54	struct common_audit_data {	60	struct common_audit_data {
55	char type;	61	char type;
@@ -66,6 +72,7 @@ struct common_audit_data {
66	#define LSM_AUDIT_DATA_IOCTL_OP 11	72	#define LSM_AUDIT_DATA_IOCTL_OP 11
67	#define LSM_AUDIT_DATA_FILE 12	73	#define LSM_AUDIT_DATA_FILE 12
68	#define LSM_AUDIT_DATA_IBPKEY 13	74	#define LSM_AUDIT_DATA_IBPKEY 13
		75	#define LSM_AUDIT_DATA_IBENDPORT 14
69	union {	76	union {
70	struct path path;	77	struct path path;
71	struct dentry *dentry;	78	struct dentry *dentry;
@@ -84,6 +91,7 @@ struct common_audit_data {
84	struct lsm_ioctlop_audit *op;	91	struct lsm_ioctlop_audit *op;
85	struct file *file;	92	struct file *file;
86	struct lsm_ibpkey_audit *ibpkey;	93	struct lsm_ibpkey_audit *ibpkey;
		94	struct lsm_ibendport_audit *ibendport;
87	} u;	95	} u;
88	/* this union contains LSM specific data */	96	/* this union contains LSM specific data */
89	union {	97	union {


diff --git a/security/lsm_audit.c b/security/lsm_audit.c index c22c99fae06a..28d4c3a528ab 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c
@@ -421,6 +421,11 @@ static void dump_common_audit_data(struct audit_buffer *ab,
421	a->u.ibpkey->pkey, &sbn_pfx);	421	a->u.ibpkey->pkey, &sbn_pfx);
422	break;	422	break;
423	}	423	}
		424	case LSM_AUDIT_DATA_IBENDPORT:
		425	audit_log_format(ab, " device=%s port_num=%u",
		426	a->u.ibendport->dev_name,
		427	a->u.ibendport->port);
		428	break;
424	} /* switch (a->type) */	429	} /* switch (a->type) */
425	}	430	}
426		431


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b59255f86274..91ec46dd34d9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -6169,6 +6169,29 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
6169	INFINIBAND_PKEY__ACCESS, &ad);	6169	INFINIBAND_PKEY__ACCESS, &ad);
6170	}	6170	}
6171		6171
		6172	static int selinux_ib_endport_manage_subnet(void ib_sec, const char dev_name,
		6173	u8 port_num)
		6174	{
		6175	struct common_audit_data ad;
		6176	int err;
		6177	u32 sid = 0;
		6178	struct ib_security_struct *sec = ib_sec;
		6179	struct lsm_ibendport_audit ibendport;
		6180
		6181	err = security_ib_endport_sid(dev_name, port_num, &sid);
		6182
		6183	if (err)
		6184	return err;
		6185
		6186	ad.type = LSM_AUDIT_DATA_IBENDPORT;
		6187	strncpy(ibendport.dev_name, dev_name, sizeof(ibendport.dev_name));
		6188	ibendport.port = port_num;
		6189	ad.u.ibendport = &ibendport;
		6190	return avc_has_perm(sec->sid, sid,
		6191	SECCLASS_INFINIBAND_ENDPORT,
		6192	INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
		6193	}
		6194
6172	static int selinux_ib_alloc_security(void **ib_sec)	6195	static int selinux_ib_alloc_security(void **ib_sec)
6173	{	6196	{
6174	struct ib_security_struct *sec;	6197	struct ib_security_struct *sec;
@@ -6374,6 +6397,8 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
6374	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),	6397	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
6375	#ifdef CONFIG_SECURITY_INFINIBAND	6398	#ifdef CONFIG_SECURITY_INFINIBAND
6376	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),	6399	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
		6400	LSM_HOOK_INIT(ib_endport_manage_subnet,
		6401	selinux_ib_endport_manage_subnet),
6377	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),	6402	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
6378	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),	6403	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
6379	#endif	6404	#endif


diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 0fec1c505f84..b9fe3434b036 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h
@@ -233,6 +233,8 @@ struct security_class_mapping secclass_map[] = {
233	{ COMMON_SOCK_PERMS, NULL } },	233	{ COMMON_SOCK_PERMS, NULL } },
234	{ "infiniband_pkey",	234	{ "infiniband_pkey",
235	{ "access", NULL } },	235	{ "access", NULL } },
		236	{ "infiniband_endport",
		237	{ "manage_subnet", NULL } },
236	{ NULL }	238	{ NULL }
237	};	239	};
238		240


diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 592c014e369c..e91f08c16c0b 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h
@@ -183,6 +183,8 @@ int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
183		183
184	int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);	184	int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
185		185
		186	int security_ib_endport_sid(const char dev_name, u8 port_num, u32 out_sid);
		187
186	int security_netif_sid(char name, u32 if_sid);	188	int security_netif_sid(char name, u32 if_sid);
187		189
188	int security_node_sid(u16 domain, void *addr, u32 addrlen,	190	int security_node_sid(u16 domain, void *addr, u32 addrlen,


diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 02257d90adc9..202166612b80 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -2273,6 +2273,47 @@ out:
2273	}	2273	}
2274		2274
2275	/**	2275	/**
		2276	* security_ib_endport_sid - Obtain the SID for a subnet management interface.
		2277	* @dev_name: device name
		2278	* @port: port number
		2279	* @out_sid: security identifier
		2280	*/
		2281	int security_ib_endport_sid(const char dev_name, u8 port_num, u32 out_sid)
		2282	{
		2283	struct ocontext *c;
		2284	int rc = 0;
		2285
		2286	read_lock(&policy_rwlock);
		2287
		2288	c = policydb.ocontexts[OCON_IBENDPORT];
		2289	while (c) {
		2290	if (c->u.ibendport.port == port_num &&
		2291	!strncmp(c->u.ibendport.dev_name,
		2292	dev_name,
		2293	IB_DEVICE_NAME_MAX))
		2294	break;
		2295
		2296	c = c->next;
		2297	}
		2298
		2299	if (c) {
		2300	if (!c->sid[0]) {
		2301	rc = sidtab_context_to_sid(&sidtab,
		2302	&c->context[0],
		2303	&c->sid[0]);
		2304	if (rc)
		2305	goto out;
		2306	}
		2307	*out_sid = c->sid[0];
		2308	} else
		2309	*out_sid = SECINITSID_UNLABELED;
		2310
		2311	out:
		2312	read_unlock(&policy_rwlock);
		2313	return rc;
		2314	}
		2315
		2316	/**
2276	* security_netif_sid - Obtain the SID for a network interface.	2317	* security_netif_sid - Obtain the SID for a network interface.
2277	* @name: interface name	2318	* @name: interface name
2278	* @if_sid: interface SID	2319	* @if_sid: interface SID