Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA

2016-04-11 Thread Daniel Jurgens
On 4/11/2016 6:12 PM, Jason Gunthorpe wrote:
> On Mon, Apr 11, 2016 at 10:30:54PM +, Daniel Jurgens wrote:
> 
> Like I said, the user facing name should be QP0 in that case.
> 
> Jason
> 

OK, I'll change ibdev to ibendport and smi to qp0, or qpzero if the
SELinux user space code doesn't allow numbers in access vector identifiers.


___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA

2016-04-11 Thread Daniel Jurgens
On 4/11/2016 5:12 PM, Jason Gunthorpe wrote:
> On Mon, Apr 11, 2016 at 08:38:50PM +, Daniel Jurgens wrote:
>>>> An Infiniband device (ibdev) is labeled by name and port number.  There is a
>>>> single access vector for ibdevs as well, called "smi".
>>>
>>> This is called an End Port (SMI is something else in the IB
>>> spec). Please use the standard terminology.
>> I see your point on the end port, I'll address this in the next series
>> by updating the commit messages and replacing ibdev with ibendport.
>>
>> I don't understand where you think I've gone wrong on SMI.
> 
> Well, this makes no sense:
>  There is a single access vector for ibdevs as well, called "smi".

Access vector is an SELinux term.  Objects have access vectors.  For
example a file object has many access vectors like "read", "write",
"unlink", etc.  Policy rules allow access to a type of object on a
subset of its access vectors.

Controlling the "smi" is to prevent someone from starting a subnet manager.

> SMI is not umad. SMI should only refer to the SMA access channel on a
> specific node, and I have no idea why someone would want to restrict
> local SMA access independently of generic umad qp0 access. Just call
> it QP0 or QP1 or umad.
> 
> SMI is an obscure internal term that should not be user facing.
> 

The point of control here is MAD agent registration and MAD transmit and
receive.  When a MAD agent is created it inherits the security ID of
its parent task.  For MAD agents that have a QP of type IB_QPT_SMI,
when an attempt is made to send a MAD the security ID of the MAD agent
is checked for access to the SMI vector of the IB device (to become End
Port).  This is only for MAD agents that have a QP of type
IB_QPT_SMI.  So having umad as the access vector is too broad.




Re: genhomedircon USERID and USERNAME patches

2016-04-11 Thread Nicolas Iooss
On Fri, Apr 8, 2016 at 6:05 PM, Jason Zaman  wrote:

> Hi all,
>
> I finally finished adding more templates to genhomedircon and a lot of
> general
> cleanups.
>
> The first few patches refactor the templating functions so they are
> smaller and
> easier to add new. All the common bits were taken out and they all take the
> user_entry_t struct instead of passing args one by one.
>
> The last three patches add the new templating types. I went with %{USERID}
> and
> %{USERNAME}. They now have a clear start and end unlike USER in the past
> and $
> is end of line in regexes so % seems safer. The matcher for USER now
> specifically excludes any line that has the new patterns in it too so
> there can
> be no conflict. It appears to work in the testing I have done with adding
> strange fcontexts. make test passes in the repo too but i have not run the
> full
> selinux-testsuite.
>

Hi,
Thanks for your work. Your patches are very well built and I have been able
to test them without any trouble. Here are some comments:
* In Patch 1, the last parameter of write_replacements() can be made a
const pointer: "const replacement_pair_t *repl" (parameters s and tpl too,
but they are not currently const pointers).
* Patch 5 introduces a "gid" field in "struct user_entry", which is not
used in the templates. Why did you introduce it?
* Patch 7 introduces two functions, write_username_context
and write_userid_context, which handle lines containing %{USERNAME}
and %{USERID} separately. If a line includes both patterns, like
"%{USERID}-%{USERNAME}", the generated file will have for root user two
lines: one with "%{USERID}-root" and the other "0-%{USERNAME}". As a user I
would have expected both templates to be replaced. I believe this may be
achieved by merging the two predicate functions together (in patch 6), and
the substitution functions too (in patch 7).


>
> %{USERNAME} defaults to ".*" in the fallback just like USER originally did
> %{USERID} defaults to "[0-9]+" for the fallback.
>
> Another thing I noticed was that HOME_DIR's fallback is "[^/]*", should it
> be +
> instead of *? I dont think it makes a huge difference because then it
> should
> match HOME_ROOT but it still seems wrong.
>

I agree. Moreover empty usernames or usernames with / look wrong to me too.
As refpolicy seems to use "USER" as if there was no slash in it, IMHO I
would suggest using "[^/]+" for %{USERNAME} default value too.

By the way, by grep'ing HOME_DIR in refpolicy I got a hit in a support
script, "support/genhomedircon" [1]. This script is invoked only when
building modular policy and I have not found an easy way to
invoke semanage_genhomedircon() from either the command line or a Python
script. Does this script need to be updated or is there a way to use
libsemanage implementation instead?

Cheers,
Nicolas

[1]
https://github.com/TresysTechnology/refpolicy/blob/master/support/genhomedircon
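As an added illustration (not libsemanage's genhomedircon code; the user table and the fcontext line are constructed), the merged handling suggested above beside the per-token handling it replaces, with "[^/]+" as the %{USERNAME} fallback and names containing "/" rejected:

```python
import re

# Constructed illustration of the %{USERNAME}/%{USERID} expansion discussed in
# the thread; not libsemanage's genhomedircon.c.  Users and the fcontext line
# below are made-up sample data.
USERS = [("root", 0), ("alice", 1000)]  # (username, uid)
SAMPLE = "/run/user/%{USERID}-%{USERNAME}(/.*)?\tsystem_u:object_r:user_tmp_t:s0"

# Regexes for the fallback line; "[^/]+" for %{USERNAME} follows the
# suggestion in the thread instead of the ".*" default.
FALLBACKS = {"%{USERNAME}": "[^/]+", "%{USERID}": "[0-9]+"}

def valid_username(name):
    """An empty name, or one containing '/', cannot be a single path component."""
    return bool(name) and "/" not in name

def uses_templates(line):
    """One predicate covering both tokens, as suggested for patch 6."""
    return any(tok in line for tok in FALLBACKS)

def expand_line(line, users=USERS):
    """Substitute both tokens in one pass per user, then append a single
    fallback line with every token replaced by its regex."""
    if not uses_templates(line):
        return [line]
    out = []
    for name, uid in users:
        if not valid_username(name):
            continue  # would otherwise emit a broken path regex
        # names are regex-escaped because fcontext paths are regexes
        out.append(line.replace("%{USERNAME}", re.escape(name))
                       .replace("%{USERID}", str(uid)))
    fallback = line
    for tok, rx in FALLBACKS.items():
        fallback = fallback.replace(tok, rx)
    out.append(fallback)
    return out

def expand_separately(line, users=USERS):
    """The behaviour the review objects to: one pass per token leaves the other
    token unexpanded, so "%{USERID}-%{USERNAME}" gives two half-done lines per
    user instead of one complete line."""
    out = []
    if "%{USERNAME}" in line:
        out += [line.replace("%{USERNAME}", re.escape(n)) for n, _ in users]
    if "%{USERID}" in line:
        out += [line.replace("%{USERID}", str(u)) for _, u in users]
    return out
```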

Re: [RFC PATCH v2 00/13] SELinux support for Infiniband RDMA

2016-04-11 Thread Daniel Jurgens
On 4/11/2016 3:12 PM, Jason Gunthorpe wrote:
> On Thu, Apr 07, 2016 at 02:33:45AM +0300, Dan Jurgens wrote:
> 
>> Currently there is no way to provide granular access control to an Infiniband
>> fabric.  By providing an ability to restrict user access to specific virtual
>> subfabrics administrators can limit access to bandwidth and isolate users on
>> the fabric.
> 
> Do you actually have a concrete use case for this?

We know the national labs are interested in this.

> This seems superficially similar to netlabel, which I guess targets a
> certain niche, but I'm really wondering with all the other container
> patches if this was supposed to be done with namespaces...

I can't speak to the goals of the other container patches.

Netlabel can't label kernel bypassed packets.  It can be used for IPoIB
though.

>> An Infiniband device (ibdev) is labeled by name and port number.  There is a
>> single access vector for ibdevs as well, called "smi".
> 
> This is called an End Port (SMI is something else in the IB
> spec). Please use the standard terminology.
I see your point on the end port, I'll address this in the next series
by updating the commit messages and replacing ibdev with ibendport.

I don't understand where you think I've gone wrong on SMI.

From section 3.4.5.2: "Each node provides a Subnet Management Agent
(SMA) that the SM access through a well known interface called the
Subnet Management Interface (SMI)."

Thanks,
Dan




Re: [PATCH] Android.mk: Add -D_GNU_SOURCE to common_cflags

2016-04-11 Thread Stephen Smalley
On 04/06/2016 07:15 PM, Nick Kralevich wrote:
> Other build scripts define -D_GNU_SOURCE. The Android build
> system should too.
> 
> Fixes the following warning:
> 
> external/selinux/libsepol/cil/src/cil_mem.c:109:7: warning: implicit
>   declaration of function 'vasprintf' is invalid in C99
>   [-Wimplicit-function-declaration]

Thanks, applied.

> ---
>  libsepol/Android.mk | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/libsepol/Android.mk b/libsepol/Android.mk
> index a43b343..5d2c96b 100644
> --- a/libsepol/Android.mk
> +++ b/libsepol/Android.mk
> @@ -64,6 +64,7 @@ cil_src_files := \
>   cil/src/cil_verify.c
>  
>  common_cflags := \
> + -D_GNU_SOURCE \
>   -Wall -W -Wundef \
>   -Wshadow -Wmissing-noreturn \
>   -Wmissing-format-attribute
> 
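Review bot: putting -D_GNU_SOURCE on the command line is the right place for it, since the macro has to be defined before the first include of <stdio.h> for the vasprintf prototype to become visible; a #define inside cil_mem.c would be fragile by comparison. It would be worth saying in the commit message that this is more than warning hygiene: with an implicit declaration the call is compiled against a guessed int-returning function with default argument promotions, so the code only works as long as that guess happens to match the real ABI.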



Re: [RFC PATCH v2 04/13] selinux: Allocate and free infiniband security hooks

2016-04-11 Thread Casey Schaufler
On 4/6/2016 4:33 PM, Dan Jurgens wrote:
> From: Daniel Jurgens 
>
> Implement and attach hooks to allocate and free Infiniband QP and MAD
> agent security structures.
>
> Signed-off-by: Daniel Jurgens 
> Reviewed-by: Eli Cohen 
> ---
>  include/rdma/ib_mad.h |1 +
>  include/rdma/ib_verbs.h   |5 +++

The ib_qp_security structure is defined here, but
referenced in 01/13. You should define the structure
before you use it.

>  security/selinux/hooks.c  |   53 
> +
>  security/selinux/include/objsec.h |5 +++
>  4 files changed, 64 insertions(+), 0 deletions(-)
>
> diff --git a/include/rdma/ib_mad.h b/include/rdma/ib_mad.h
> index 37dd534..772135c 100644
> --- a/include/rdma/ib_mad.h
> +++ b/include/rdma/ib_mad.h
> @@ -481,6 +481,7 @@ struct ib_mad_agent {
>   u32 flags;
>   u8  port_num;
>   u8  rmpp_version;
> + void*m_security;
>  };
>  
>  /**
> diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
> index fb2cef4..66d37b8 100644
> --- a/include/rdma/ib_verbs.h
> +++ b/include/rdma/ib_verbs.h
> @@ -1416,6 +1416,10 @@ struct ib_srq {
>   } ext;
>  };
>  
> +struct ib_qp_security {
> + void *q_security;
> +};
> +
>  struct ib_qp {
>   struct ib_device   *device;
>   struct ib_pd   *pd;
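Review bot: struct ib_qp_security holds nothing but a single void *q_security, yet struct ib_qp (next hunk) stores a pointer to it rather than embedding it, so every QP pays an extra allocation and carries one more lifetime to get right. Either embed the struct directly in struct ib_qp or explain in the commit message what the indirection is needed for.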
> @@ -1433,6 +1437,7 @@ struct ib_qp {
>   void   *qp_context;
>   u32 qp_num;
>   enum ib_qp_type qp_type;
> + struct ib_qp_security  *qp_sec;
>  };
>  
>  struct ib_mr {
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 0fbf3f8..3ac29bd 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -17,6 +17,7 @@
>   *   Paul Moore 
>   *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
>   *  Yuichi Nakamura 
> + *  Copyright (C) 2016 Mellanox Technologies
>   *
>   *   This program is free software; you can redistribute it and/or modify
>   *   it under the terms of the GNU General Public License version 2,
> @@ -83,6 +84,8 @@
>  #include 
>  #include 
>  #include 
> +#include 
> +#include 
>  
>  #include "avc.h"
>  #include "objsec.h"
> @@ -5999,6 +6002,47 @@ static void selinux_unregister_ib_flush_callback(void)
>   mutex_unlock(_flush_mutex);
>  }
>  
> +static int selinux_ib_qp_alloc_security(struct ib_qp_security *qp_sec)
> +{
> + struct ib_security_struct *sec;
> +
> + sec = kzalloc(sizeof(*sec), GFP_ATOMIC);
> + if (!sec)
> + return -ENOMEM;
> + sec->sid = current_sid();
> +
> + qp_sec->q_security = sec;
> + return 0;
> +}
> +
> +static void selinux_ib_qp_free_security(struct ib_qp_security *qp_sec)
> +{
> + struct ib_security_struct *sec = qp_sec->q_security;
> +
> + qp_sec->q_security = NULL;
> + kfree(sec);
> +}
> +
> +static int selinux_ib_mad_agent_alloc_security(struct ib_mad_agent 
> *mad_agent)
> +{
> + struct ib_security_struct *sec;
> +
> + sec = kzalloc(sizeof(*sec), GFP_ATOMIC);
> + if (!sec)
> + return -ENOMEM;
> + sec->sid = current_sid();
> +
> + mad_agent->m_security = sec;
> + return 0;
> +}
> +
> +static void selinux_ib_mad_agent_free_security(struct ib_mad_agent 
> *mad_agent)
> +{
> + struct ib_security_struct *sec = mad_agent->m_security;
> +
> + mad_agent->m_security = NULL;
> + kfree(sec);
> +}
>  #endif
>  
>  static struct security_hook_list selinux_hooks[] = {
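Review bot: both selinux_ib_qp_alloc_security() and selinux_ib_mad_agent_alloc_security() allocate with GFP_ATOMIC even though they read current_sid(), which implies task context; unless the callers hold a spinlock, GFP_KERNEL is the right flag here, since GFP_ATOMIC draws on the emergency reserves and fails more readily. If a lock really is held at the call sites, a comment naming it would save the next reader the same question. Clearing the pointer before kfree() in the two free hooks is fine.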
> @@ -6182,11 +6226,20 @@ static struct security_hook_list selinux_hooks[] = {
>   LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
>   LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
>   LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
> +
>  #ifdef CONFIG_SECURITY_INFINIBAND
>   LSM_HOOK_INIT(register_ib_flush_callback,
> selinux_register_ib_flush_callback),
>   LSM_HOOK_INIT(unregister_ib_flush_callback,
> selinux_unregister_ib_flush_callback),
> + LSM_HOOK_INIT(ib_qp_alloc_security,
> +   selinux_ib_qp_alloc_security),
> + LSM_HOOK_INIT(ib_qp_free_security,
> +   selinux_ib_qp_free_security),
> + LSM_HOOK_INIT(ib_mad_agent_alloc_security,
> +   selinux_ib_mad_agent_alloc_security),
> + LSM_HOOK_INIT(ib_mad_agent_free_security,
> +   selinux_ib_mad_agent_free_security),
>  #endif
>  
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
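Review bot: the lone "+" line before "#ifdef CONFIG_SECURITY_INFINIBAND" adds an unrelated blank line to the hook table; drop it from this patch (or fold it into the patch that introduced that block) so the diff is limited to the four new LSM_HOOK_INIT entries.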
> diff --git a/security/selinux/include/objsec.h 
> b/security/selinux/include/objsec.h
> index c21e135..8e7db43 100644
> --- a/security/selinux/include/objsec.h
> +++ b/security/selinux/include/objsec.h
> @@ -10,6 +10,7 @@
>   *
>   *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
>   *  Copyright (C)