Re: [PATCH 03/12] selinux: Implement Infiniband flush callback

2016-06-30 Thread Daniel Jurgens
On 6/30/2016 2:52 PM, Paul Moore wrote:
> I'm still working on understanding IB, but my current thinking is very
> similar to Yuval's suggestions.  There is a risk of creating a general
> purpose mechanism to solve a specific, isolated problem, but adding a
> LSM notification mechanism does seem like a reasonable thing to do.
>
> My current thinking is to have the LSM framework itself, e.g.
> security/security.c, maintain a list of callbacks (BTW, please make it
> a RCU protected list) with other non-LSM subsystems registering
> callbacks, and specific LSMs making notification calls into the LSM
> framework itself which would handle iterating through the registered
> callbacks.  Since we're going down the general purpose solution route,
> I might add an event field and a void pointer to the callback, for
> example:
>
>   void lsm_notifier_callback(unsigned int event, void *ptr);
>
> ... I would expect at first we would only have a POLICY_CHANGE event
> (ptr set to NULL), but we may want/need to add other events in the
> future.
>
> Make sense?

Yes, I think so.  I'll make this change.


___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: [PATCH 01/12] security: Add LSM hooks for Infiniband security

2016-06-30 Thread Paul Moore
On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens  wrote:
> From: Daniel Jurgens 
>
> Add nine new hooks
>  1. Allocate security contexts for Infiniband QPs.
>  2. Free security contexts for Infiniband QPs.
>  3. Allocate security contexts for Infiniband MAD agents.
>  4. Free security contexts for Infiniband MAD agents.
>  5. Enforce QP access to Pkeys
>  6. Enforce MAD agent access to Pkeys
>  7. Enforce MAD agent access to Infiniband End Ports for sending Subnet
> Management Packets (SMP)
>  8. A hook to register a callback to receive notifications of
> security policy or enforcement changes.  Restricting a QP's access to
> a pkey will be done during setup and not on a per packet basis
> access must be enforced again.
>  9. A hook to unregister the callback.
>
> Signed-off-by: Daniel Jurgens 
> Reviewed-by: Eli Cohen 
> ---
>  include/linux/lsm_hooks.h | 71 
>  include/linux/security.h  | 63 +++
>  include/rdma/ib_verbs.h   |  4 +++
>  security/Kconfig  |  9 +
>  security/security.c   | 83 
> +++
>  5 files changed, 230 insertions(+)

...

> diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
> index 432bed5..3f6780b 100644
> --- a/include/rdma/ib_verbs.h
> +++ b/include/rdma/ib_verbs.h
> @@ -1428,6 +1428,10 @@ struct ib_srq {
> } ext;
>  };
>
> +struct ib_qp_security {
> +   void *q_security;
> +};
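Review bot: `struct ib_qp_security` carries a single `void *q_security` and nothing in this hunk says why the indirection is needed; the reason (the QP memory is freed by the hardware driver and destroy can fail, so the security data must survive that attempt) only appears in the `@ib_qp_alloc_security` documentation in lsm_hooks.h. Put that rationale in a comment on the struct itself, or drop the wrapper in favour of a plain pointer if the lifetime argument does not hold.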

Sorry, I missed this earlier and didn't realize it until I was going
through 4/12 ... why bother with ib_qp_security?  Why not just use a
straight void pointer?

-- 
paul moore
security @ redhat


Re: [PATCH 01/12] security: Add LSM hooks for Infiniband security

2016-06-30 Thread Paul Moore
On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens  wrote:
> From: Daniel Jurgens 
>
> Add nine new hooks
>  1. Allocate security contexts for Infiniband QPs.
>  2. Free security contexts for Infiniband QPs.
>  3. Allocate security contexts for Infiniband MAD agents.
>  4. Free security contexts for Infiniband MAD agents.
>  5. Enforce QP access to Pkeys
>  6. Enforce MAD agent access to Pkeys
>  7. Enforce MAD agent access to Infiniband End Ports for sending Subnet
> Management Packets (SMP)
>  8. A hook to register a callback to receive notifications of
> security policy or enforcement changes.  Restricting a QP's access to
> a pkey will be done during setup and not on a per packet basis
> access must be enforced again.
>  9. A hook to unregister the callback.
>
> Signed-off-by: Daniel Jurgens 
> Reviewed-by: Eli Cohen 
> ---
>  include/linux/lsm_hooks.h | 71 
>  include/linux/security.h  | 63 +++
>  include/rdma/ib_verbs.h   |  4 +++
>  security/Kconfig  |  9 +
>  security/security.c   | 83 
> +++
>  5 files changed, 230 insertions(+)

I'd recommend putting the IB hook calls into this patch as well; it
helps make the hooks a bit more concrete, as you can see where and how
they are called.

> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 7ae3976..6b47c8d 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -8,6 +8,7 @@
>   * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
>   * Copyright (C) 2015 Intel Corporation.
>   * Copyright (C) 2015 Casey Schaufler 
> + * Copyright (C) 2016 Mellanox Techonologies
>   *
>   * This program is free software; you can redistribute it and/or modify
>   * it under the terms of the GNU General Public License as published by
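Review bot: "Techonologies" in the added copyright line is misspelled; it should read "Mellanox Technologies".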
> @@ -876,6 +877,50 @@
>   * associated with the TUN device's security structure.
>   * @security pointer to the TUN devices's security structure.
>   *
> + * Security hooks for Infiniband
> + *
> + * @ib_qp_pkey_access:
> + * Check permission to access a pkey when modifing a QP.
> + * @subnet_prefix the subnet prefix of the port being used.
> + * @pkey the pkey to be accessed.
> + * @qp_sec pointer to the ib_qp_security structure.
> + * @ib_mad_agent_pkey_access:
> + * Check permission to access a pkey when transmiting and receiving MADS.
> + * @subnet_prefix the subnet prefix of the port being used.
> + * @pkey the pkey to be accessed.
> + * @mad_agent pointer to the ib_mad_agent structure.
> + * @ib_end_port_smp:
> + * Check permissions to send and receive SMPs on a end port.
> + * @dev_name the IB device name (i.e. mlx4_0).
> + * @port_num the port number.
> + * @mad_agent pointer to the ib_mad_agent structure.
> + * @ib_qp_alloc_security:
> + * Allocate and attach a security structure to the qp_sec->q_security
> + * field. The q_security field is initialized to NULL when the structure
> + * is allocated.  A separate QP security structure is used instead of the
> + * QP structure because when a QP is destroyed the memory is freed by the
> + * hardware driver.  That operation can fail so the security info must be
> + * maintained until the destroy completes successfully.
> + * @qp_sec contains the ib_qp_security structure to be modified.
> + * Return 0 if operation was successful.
> + * @ib_mad_agent_alloc_security:
> + * Allocate and attach a security structure to the mad_agent->m_security
> + * field. The m_security field is initialized to NULL when the structure
> + * is allocated.
> + * @mad_agent contains the ib_mad_agent structure to be modified.
> + * Return 0 if operation was successful.
> + * @ib_qp_free_security:
> + * Deallocate and clear the qp_sec->q_security field.
> + * @qp_sec contains the ib_qp_security structure to be modified.
> + * @ib_mad_agent_free_security:
> + * Deallocate and clear the mad_agent->m_security field.
> + * @mad_agent contains the ib_mad_agent structure to be modified.
> + * @register_ib_flush_callback:
> + * Provide a way for security modules to notify ib_core of policy 
> changes.
> + * @callback function pointer to call when policy changes.
> + * @unregister_ib_flush_callback:
> + * Unregister the callback function.
> + *
>   * Security hooks for XFRM operations.
>   *
>   * @xfrm_policy_alloc_security:
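Review bot: spelling in the new hook documentation: "modifing" under @ib_qp_pkey_access, "transmiting" and "MADS" under @ib_mad_agent_pkey_access, and "a end port" under @ib_end_port_smp. The three access-check hooks also lack the return-value line that @ib_qp_alloc_security and @ib_mad_agent_alloc_security carry; add a "Return 0 if permission is granted" line to each so callers know the convention.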

-- 
paul moore
security @ redhat


Re: [PATCH 03/12] selinux: Implement Infiniband flush callback

2016-06-30 Thread Paul Moore
On Thu, Jun 30, 2016 at 4:16 PM, Casey Schaufler  wrote:
> On 6/30/2016 12:52 PM, Paul Moore wrote:
>> On Thu, Jun 30, 2016 at 11:44 AM, Daniel Jurgens  
>> wrote:
>>> On 6/30/2016 10:10 AM, Yuval Shaia wrote:
>>>> On Thu, Jun 23, 2016 at 10:52:49PM +0300, Dan Jurgens wrote:
>>>>
>>>>> +static void (*ib_flush_callback)(void);
>>>> Do we really want to have such ib_ prefix in security/ directory?
>>>>
>>>>> +if (ib_flush_callback)
>>>>> +ib_flush_callback();
>>>> How about some generic mechanism (such as a list) in case more
>>>> modules/drivers would like to register callbacks?
>>>> ( assuming this is no longer RFC :) )

>>> Paul Moore and I were having a higher level discussion about this in the 
>>> 00/12 thread.  I think your suggestion makes sense, perhaps Paul will weigh 
>>> in when he reaches this patch.
>> I'm still working on understanding IB, but my current thinking is very
>> similar to Yuval's suggestions.  There is a risk of creating a general
>> purpose mechanism to solve a specific, isolated problem, but adding a
>> LSM notification mechanism does seem like a reasonable thing to do.
>>
>> My current thinking is to have the LSM framework itself, e.g.
>> security/security.c, maintain a list of callbacks (BTW, please make it
>> a RCU protected list) with other non-LSM subsystems registering
>> callbacks, and specific LSMs making notification calls into the LSM
>> framework itself which would handle iterating through the registered
>> callbacks.  Since we're going down the general purpose solution route,
>> I might add an event field and a void pointer to the callback, for
>> example:
>>
>>   void lsm_notifier_callback(unsigned int event, void *ptr);
>>
>> ... I would expect at first we would only have a POLICY_CHANGE event
>> (ptr set to NULL), but we may want/need to add other events in the
>> future.
>>
>> Make sense?
>
> Hmm. Do you think that we'd want to rewhack the audit code
> so that it used this new, general mechanism for its callbacks?

You aren't talking about the callbacks in common_lsm_audit() are you?
I think that's a completely different beast from a LSM notifier
callback.  I'm not opposed to changes to common_lsm_audit(), but I
think that's a different topic and a different thread.

-- 
paul moore
security @ redhat


Re: [PATCH 02/12] selinux: Create policydb version for Infiniband support

2016-06-30 Thread Paul Moore
On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens  wrote:
> From: Daniel Jurgens 
>
> Support for Infiniband requires the addition of two new object contexts,
> one for infiniband PKeys and another IB End Ports.  Added handlers to read
> and write the new ocontext types when reading or writing a binary policy
> representation.
>
> Signed-off-by: Daniel Jurgens 
> Reviewed-by: Eli Cohen 
> ---
>  security/selinux/include/security.h |   3 +-
>  security/selinux/ss/policydb.c  | 129 
> +++-
>  security/selinux/ss/policydb.h  |  27 +---
>  3 files changed, 135 insertions(+), 24 deletions(-)

...

> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 992a315..78b819c 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -2219,6 +2229,58 @@ static int ocontext_read(struct policydb *p, struct 
> policydb_compat_info *info,
> goto out;
> break;
> }
> +   case OCON_PKEY: {
> +   rc = next_entry(nodebuf, fp, sizeof(u32) * 6);
> +   if (rc)
> +   goto out;
> +
> +   c->u.pkey.subnet_prefix = 
> be64_to_cpu(*((__be64 *)nodebuf));
> +   /* The subnet prefix is stored as an IPv6
> +* address in the policy.
> +*
> +* Check that the lower 2 DWORDS are 0.
> +*/

Any particular reason why you are reusing an IPv6 address format here?
Why not use a u64 for the prefix and u16/u32 fields for the partition
keys?

> +   if (nodebuf[2] || nodebuf[3]) {
> +   rc = -EINVAL;
> +   goto out;
> +   }
> +
> +   if (nodebuf[4] > 0x ||
> +   nodebuf[5] > 0x) {
> +   rc = -EINVAL;
> +   goto out;
> +   }
> +
> +   c->u.pkey.low_pkey = le32_to_cpu(nodebuf[4]);
> +   c->u.pkey.high_pkey = le32_to_cpu(nodebuf[5]);
> +
> +   rc = context_read_and_validate(>context[0],
> +  p,
> +  fp);
> +   if (rc)
> +   goto out;
> +   break;
> +   }
> +   case OCON_IB_END_PORT:

This is a little bit of bikeshedding, but is there such thing as an IB
"port" that isn't an *end* "port"?  Could we simply use OCON_IB_PORT?

> +   rc = next_entry(buf, fp, sizeof(u32) * 2);
> +   if (rc)
> +   goto out;
> +   len = le32_to_cpu(buf[0]);
> +
> +   rc = str_read(>u.ib_end_port.dev_name, 
> GFP_KERNEL,
> + fp,
> + len);
> +   if (rc)
> +   goto out;
> +
> +   c->u.ib_end_port.port = le32_to_cpu(buf[1]);
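Review bot: the OCON_PKEY range checks compare the raw on-disk words `nodebuf[4]` and `nodebuf[5]` against the limit, but the values actually stored are `le32_to_cpu(nodebuf[4])` and `le32_to_cpu(nodebuf[5])`; on a big-endian host the check runs on byte-swapped values. Convert first, then range-check the converted values, and also reject `low_pkey > high_pkey`, which is accepted as written. In the OCON_IB_END_PORT case, `len` comes straight from the policy file and is handed to `str_read()` with no upper bound; since the name is later copied into an `IB_DEVICE_NAME_MAX`-sized buffer (patch 06/12), bound it here.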

No range checking on the port value like you do on the partition keys above?

> +   rc = context_read_and_validate(>context[0],
> +  p,
> +  fp);
> +   if (rc)
> +   goto out;
> +   break;
> }
> }
> }

-- 
paul moore
security @ redhat


Re: [PATCH 03/12] selinux: Implement Infiniband flush callback

2016-06-30 Thread Casey Schaufler
On 6/30/2016 12:52 PM, Paul Moore wrote:
> On Thu, Jun 30, 2016 at 11:44 AM, Daniel Jurgens  wrote:
>> On 6/30/2016 10:10 AM, Yuval Shaia wrote:
>>> On Thu, Jun 23, 2016 at 10:52:49PM +0300, Dan Jurgens wrote:
>>>
>>>> +static void (*ib_flush_callback)(void);
>>> Do we really want to have such ib_ prefix in security/ directory?
>>>
>>>> +if (ib_flush_callback)
>>>> +ib_flush_callback();
>>> How about some generic mechanism (such as a list) in case more
>>> modules/drivers would like to register callbacks?
>>> ( assuming this is no longer RFC :) )
>>>
>> Paul Moore and I were having a higher level discussion about this in the 
>> 00/12 thread.  I think your suggestion makes sense, perhaps Paul will weigh 
>> in when he reaches this patch.
> I'm still working on understanding IB, but my current thinking is very
> similar to Yuval's suggestions.  There is a risk of creating a general
> purpose mechanism to solve a specific, isolated problem, but adding a
> LSM notification mechanism does seem like a reasonable thing to do.
>
> My current thinking is to have the LSM framework itself, e.g.
> security/security.c, maintain a list of callbacks (BTW, please make it
> a RCU protected list) with other non-LSM subsystems registering
> callbacks, and specific LSMs making notification calls into the LSM
> framework itself which would handle iterating through the registered
> callbacks.  Since we're going down the general purpose solution route,
> I might add an event field and a void pointer to the callback, for
> example:
>
>   void lsm_notifier_callback(unsigned int event, void *ptr);
>
> ... I would expect at first we would only have a POLICY_CHANGE event
> (ptr set to NULL), but we may want/need to add other events in the
> future.
>
> Make sense?

Hmm. Do you think that we'd want to rewhack the audit code
so that it used this new, general mechanism for its callbacks?



Re: [PATCH 03/12] selinux: Implement Infiniband flush callback

2016-06-30 Thread Paul Moore
On Thu, Jun 30, 2016 at 11:44 AM, Daniel Jurgens  wrote:
> On 6/30/2016 10:10 AM, Yuval Shaia wrote:
>> On Thu, Jun 23, 2016 at 10:52:49PM +0300, Dan Jurgens wrote:
>>
>>> +static void (*ib_flush_callback)(void);
>> Do we really want to have such ib_ prefix in security/ directory?
>>
>>> +if (ib_flush_callback)
>>> +ib_flush_callback();
>> How about some generic mechanism (such as a list) in case more
>> modules/drivers would like to register callbacks?
>> ( assuming this is no longer RFC :) )
>>
> Paul Moore and I were having a higher level discussion about this in the 
> 00/12 thread.  I think your suggestion makes sense, perhaps Paul will weigh 
> in when he reaches this patch.

I'm still working on understanding IB, but my current thinking is very
similar to Yuval's suggestions.  There is a risk of creating a general
purpose mechanism to solve a specific, isolated problem, but adding a
LSM notification mechanism does seem like a reasonable thing to do.

My current thinking is to have the LSM framework itself, e.g.
security/security.c, maintain a list of callbacks (BTW, please make it
a RCU protected list) with other non-LSM subsystems registering
callbacks, and specific LSMs making notification calls into the LSM
framework itself which would handle iterating through the registered
callbacks.  Since we're going down the general purpose solution route,
I might add an event field and a void pointer to the callback, for
example:

  void lsm_notifier_callback(unsigned int event, void *ptr);

... I would expect at first we would only have a POLICY_CHANGE event
(ptr set to NULL), but we may want/need to add other events in the
future.

Make sense?

-- 
paul moore
security @ redhat
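The notifier design Paul sketches above, as an added example that is not part of the thread or of the kernel: a single-threaded userspace model in C where the framework keeps the list of registrants, an ib_core-like consumer registers one callback, and a POLICY_CHANGE event drops the access decisions it cached at QP setup. The proposal's RCU-protected list is reduced to a plain linked list without locking, and `LSM_POLICY_CHANGE`, the function names and the ib-side cache are all assumptions.

```c
/* Added example, not kernel code: a single-threaded userspace model of the LSM
 * notifier design proposed above. The proposal's RCU protection of the list is
 * omitted here; the event id and every name are assumptions, not kernel API. */
#include <stdlib.h>
#include <string.h>

#define LSM_POLICY_CHANGE 1u	/* assumed id; ptr is NULL for this event */

typedef void (*lsm_notifier_fn)(unsigned int event, void *ptr);

struct lsm_notifier {
	lsm_notifier_fn callback;
	struct lsm_notifier *next;
};

/* Framework side (security/security.c in the proposal): the registrant list. */
static struct lsm_notifier *notifier_list;

/* Returns 0 on success, -1 if cb is already registered or memory runs out. */
int lsm_notifier_register(lsm_notifier_fn cb)
{
	struct lsm_notifier *n;

	for (n = notifier_list; n; n = n->next)
		if (n->callback == cb)
			return -1;	/* reject duplicate registration */
	n = malloc(sizeof(*n));
	if (!n)
		return -1;
	n->callback = cb;
	n->next = notifier_list;	/* push at head */
	notifier_list = n;
	return 0;
}

/* Returns 0 if removed, -1 if cb was not registered. */
int lsm_notifier_unregister(lsm_notifier_fn cb)
{
	struct lsm_notifier **pp, *n;

	for (pp = &notifier_list; (n = *pp) != NULL; pp = &n->next)
		if (n->callback == cb) {
			*pp = n->next;
			free(n);
			return 0;
		}
	return -1;
}

/* Called by an LSM, e.g. from its AVC reset path, to fan the event out to
 * every registrant; returns the number of callbacks invoked. */
int lsm_notify(unsigned int event, void *ptr)
{
	struct lsm_notifier *n;
	int count = 0;

	for (n = notifier_list; n; n = n->next, count++)
		n->callback(event, ptr);
	return count;
}

/* Subsystem side: an ib_core-like consumer caching pkey access decisions taken
 * at QP setup. The check is not repeated per packet, so a policy change must
 * discard the cache or stale verdicts would keep applying. */
#define MAX_QPS 8
struct qp_pkey_decision { unsigned short pkey; int allowed; int valid; };
static struct qp_pkey_decision qp_cache[MAX_QPS];

/* Record the decision for QP index qpn; returns 0, or -1 for a bad index. */
int ib_cache_decision(int qpn, unsigned short pkey, int allowed)
{
	if (qpn < 0 || qpn >= MAX_QPS)
		return -1;
	qp_cache[qpn].pkey = pkey;
	qp_cache[qpn].allowed = allowed;
	qp_cache[qpn].valid = 1;
	return 0;
}

/* Cached verdict for qpn: 1 allowed, 0 denied, -1 if it must be re-checked. */
int ib_cached_verdict(int qpn)
{
	if (qpn < 0 || qpn >= MAX_QPS || !qp_cache[qpn].valid)
		return -1;
	return qp_cache[qpn].allowed;
}

/* What ib_core would register: on POLICY_CHANGE every cached decision is
 * dropped so the next access is re-checked against the new policy. */
void ib_policy_change_callback(unsigned int event, void *ptr)
{
	(void)ptr;
	if (event == LSM_POLICY_CHANGE)
		memset(qp_cache, 0, sizeof(qp_cache));
}
```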


Re: [PATCH V2 3/3] policycoreutils: setfiles - Modify to use selinux_restorecon

2016-06-30 Thread Stephen Smalley
On 06/19/2016 03:38 PM, Richard Haines wrote:
> Modify setfiles and restorecon to make use of the libselinux
> selinux_restorecon* set of functions.
> 
> The output from these commands should be much the same as before
> with some minor wording changes, the only exception being that
> a -I option has been added to ignore the digest.

This breaks building of restorecond due to dependency on setfiles/restore.c.

Also, due to logging in libselinux, you get e.g.:
$ restorecon /home/sds
specfiles SHA1 digest: dd66521e5f54258b6ef92a9bb5dcca36bb3d4761
calculated using the following specfile(s):
/etc/selinux/targeted/contexts/files/file_contexts.subs_dist
/etc/selinux/targeted/contexts/files/file_contexts.subs
/etc/selinux/targeted/contexts/files/file_contexts.bin
/etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin
/etc/selinux/targeted/contexts/files/file_contexts.local.bin

or
$ restorecon -I /home/sds
Digest not requested.

So we'll want to get rid of that logging.

> 
> Signed-off-by: Richard Haines 
> ---
> V2 changes as per http://marc.info/?l=selinux=146470720008392=2
> 
>  policycoreutils/setfiles/restore.c| 718 
> --
>  policycoreutils/setfiles/restore.h|  51 +--
>  policycoreutils/setfiles/restorecon.8 |  74 +++-
>  policycoreutils/setfiles/setfiles.8   |  75 +++-
>  policycoreutils/setfiles/setfiles.c   | 198 +-
>  5 files changed, 329 insertions(+), 787 deletions(-)
> 
> diff --git a/policycoreutils/setfiles/restore.c 
> b/policycoreutils/setfiles/restore.c
> index 2a7cfa3..b09307d 100644
> --- a/policycoreutils/setfiles/restore.c
> +++ b/policycoreutils/setfiles/restore.c
> @@ -1,704 +1,128 @@
>  #include "restore.h"
>  #include 
> -#include 
>  
> -#define SKIP -2
> -#define ERR -1
> -#define MAX_EXCLUDES 1000
> +char **exclude_list;
> +int exclude_count;
>  
> -/*
> - * The hash table of associations, hashed by inode number.
> - * Chaining is used for collisions, with elements ordered
> - * by inode number in each bucket.  Each hash bucket has a dummy 
> - * header.
> - */
> -#define HASH_BITS 16
> -#define HASH_BUCKETS (1 << HASH_BITS)
> -#define HASH_MASK (HASH_BUCKETS-1)
> +struct restore_opts *r_opts;
>  
> -/*
> - * An association between an inode and a context.
> - */
> -typedef struct file_spec {
> - ino_t ino;  /* inode number */
> - char *con;  /* matched context */
> - char *file; /* full pathname */
> - struct file_spec *next; /* next association in hash bucket chain */
> -} file_spec_t;
> -
> -struct edir {
> - char *directory;
> - size_t size;
> -};
> -
> -
> -static file_spec_t *fl_head;
> -static int filespec_add(ino_t ino, const security_context_t con, const char 
> *file);
> -struct restore_opts *r_opts = NULL;
> -static void filespec_destroy(void);
> -static void filespec_eval(void);
> -static int excludeCtr = 0;
> -static struct edir excludeArray[MAX_EXCLUDES];
> -
> -void remove_exclude(const char *directory)
> +void restore_init(struct restore_opts *opts)
>  {
> - int i = 0;
> - for (i = 0; i < excludeCtr; i++) {
> - if (strcmp(directory, excludeArray[i].directory) == 0) {
> - free(excludeArray[i].directory);
> - if (i != excludeCtr-1)
> - excludeArray[i] = excludeArray[excludeCtr-1];
> - excludeCtr--;
> - return;
> - }
> - }
> - return;
> -}
> + int rc;
>  
> -void restore_init(struct restore_opts *opts)
> -{
>   r_opts = opts;
>   struct selinux_opt selinux_opts[] = {
>   { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
> - { SELABEL_OPT_PATH, r_opts->selabel_opt_path }
> + { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
> + { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
>   };
> - r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 2);
> +
> + r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
>   if (!r_opts->hnd) {
>   perror(r_opts->selabel_opt_path);
>   exit(1);
> - }   
> -}
> -
> -void restore_finish()
> -{
> - int i;
> - for (i = 0; i < excludeCtr; i++) {
> - free(excludeArray[i].directory);
> - }
> -}
> -
> -static int match(const char *name, struct stat *sb, char **con)
> -{
> - if (!(r_opts->hard_links) && !S_ISDIR(sb->st_mode) && (sb->st_nlink > 
> 1)) {
> - fprintf(stderr, "Warning! %s refers to a file with more than 
> one hard link, not fixing hard links.\n",
> - name);
> - return -1;
> - }
> - 
> - if (NULL != r_opts->rootpath) {
> - if (0 != strncmp(r_opts->rootpath, name, r_opts->rootpathlen)) {
> - fprintf(stderr, "%s:  %s is not located in %s\n",
> - 
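Review bot: in the rewritten restore_init(), `int rc;` is declared but not used anywhere in the visible body, and `r_opts = opts;` now sits before the `struct selinux_opt selinux_opts[]` declaration, so a statement precedes a declaration. Drop `rc` (or use it), move the assignment below the declarations, and replace the hard-coded `3` in `selabel_open(SELABEL_CTX_FILE, selinux_opts, 3)` with the array's element count so the next option added is not silently ignored.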

Re: [PATCH 08/12] IB/core: IB cache enhancements to support Infiniband security

2016-06-30 Thread Yuval Shaia
On Thu, Jun 23, 2016 at 10:52:54PM +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> Cache the subnet prefix and add a function to access it. Enforcing
> security requires frequent queries of the subnet prefix and the pkeys in
> the pkey table.
> 
> Also removed an unneded pr_warn about memory allocation failure.
> 
> Signed-off-by: Daniel Jurgens 
> Reviewed-by: Eli Cohen 
> Reviewed-by: Leon Romanovsky 
> ---
>  drivers/infiniband/core/cache.c | 35 +--
>  drivers/infiniband/core/core_priv.h |  3 +++
>  include/rdma/ib_verbs.h |  1 +
>  3 files changed, 37 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
> index c2e257d..4894e21 100644
> --- a/drivers/infiniband/core/cache.c
> +++ b/drivers/infiniband/core/cache.c
> @@ -926,6 +926,25 @@ int ib_get_cached_pkey(struct ib_device *device,
>  }
>  EXPORT_SYMBOL(ib_get_cached_pkey);
>  
> +int ib_get_cached_subnet_prefix(struct ib_device *device,
> + u8port_num,
> + u64  *sn_pfx)
> +{
> + unsigned long flags;
> + int p = port_num - rdma_start_port(device);

Suggesting to initialize p after the validation.

> +
> + if (port_num < rdma_start_port(device) ||
> + port_num > rdma_end_port(device))
> + return -EINVAL;
> +
> + read_lock_irqsave(>cache.lock, flags);
> + *sn_pfx = device->cache.subnet_prefix_cache[p];
> + read_unlock_irqrestore(>cache.lock, flags);
> +
> + return 0;
> +}
> +EXPORT_SYMBOL(ib_get_cached_subnet_prefix);
> +
>  int ib_find_cached_pkey(struct ib_device *device,
>   u8port_num,
>   u16   pkey,
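Review bot: `ib_get_cached_subnet_prefix()` gets an EXPORT_SYMBOL, yet its only declaration is added to the private core_priv.h; if only ib_core calls it, drop the export, and if other modules will, declare it in a public header such as ib_verbs.h. The `int p = port_num - rdma_start_port(device);` initialiser also runs before the range check on `port_num`; compute `p` after validation, as suggested above.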
> @@ -1102,6 +1121,8 @@ static void ib_cache_update(struct ib_device *device,
>  
>   device->cache.lmc_cache[port - rdma_start_port(device)] = tprops->lmc;
>  
> + device->cache.subnet_prefix_cache[port - rdma_start_port(device)] =
> + tprops->subnet_prefix;
>   write_unlock_irq(>cache.lock);
>  
>   kfree(gid_cache);
> @@ -1160,9 +1181,18 @@ int ib_cache_setup_one(struct ib_device *device)
> (rdma_end_port(device) -
>  rdma_start_port(device) + 1),
> GFP_KERNEL);
> +
> + device->cache.subnet_prefix_cache = kcalloc((rdma_end_port(device) -
> +  rdma_start_port(device) + 
> 1),
> + 
> sizeof(*device->cache.subnet_prefix_cache),

More than 80 characters.

> + GFP_KERNEL);
> +
>   if (!device->cache.pkey_cache ||
> - !device->cache.lmc_cache) {
> - pr_warn("Couldn't allocate cache for %s\n", device->name);
> + !device->cache.lmc_cache ||
> + !device->cache.subnet_prefix_cache) {
> + kfree(device->cache.pkey_cache);
> + kfree(device->cache.lmc_cache);
> + kfree(device->cache.subnet_prefix_cache);
>   return -ENOMEM;
>   }
>  
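Review bot: `rdma_end_port(device) - rdma_start_port(device) + 1` is now written out three times in ib_cache_setup_one(); compute it once into a local such as `num_ports` and pass that to each kcalloc(), which also brings the subnet_prefix_cache allocation under 80 columns. The failure path now frees all three caches, which is right, but the commit message only says the dropped pr_warn was unneeded; give the reason there.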
> @@ -1205,6 +1235,7 @@ void ib_cache_release_one(struct ib_device *device)
>   gid_table_release_one(device);
>   kfree(device->cache.pkey_cache);
>   kfree(device->cache.lmc_cache);
> + kfree(device->cache.subnet_prefix_cache);
>  }
>  
>  void ib_cache_cleanup_one(struct ib_device *device)
> diff --git a/drivers/infiniband/core/core_priv.h 
> b/drivers/infiniband/core/core_priv.h
> index 19d499d..ce826e4 100644
> --- a/drivers/infiniband/core/core_priv.h
> +++ b/drivers/infiniband/core/core_priv.h
> @@ -153,4 +153,7 @@ int ib_nl_handle_set_timeout(struct sk_buff *skb,
>  int ib_nl_handle_ip_res_resp(struct sk_buff *skb,
>struct netlink_callback *cb);
>  
> +int ib_get_cached_subnet_prefix(struct ib_device *device,
> + u8port_num,
> + u64  *sn_pfx);
>  #endif /* _CORE_PRIV_H */
> diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
> index e522acb..c00b6b1 100644
> --- a/include/rdma/ib_verbs.h
> +++ b/include/rdma/ib_verbs.h
> @@ -1637,6 +1637,7 @@ struct ib_cache {
>   struct ib_pkey_cache  **pkey_cache;
>   struct ib_gid_table   **gid_cache;
>   u8 *lmc_cache;
> + u64*subnet_prefix_cache;
>  };
>  
>  struct ib_dma_mapping_ops {

Re: [PATCH 03/12] selinux: Implement Infiniband flush callback

2016-06-30 Thread Daniel Jurgens
On 6/30/2016 10:10 AM, Yuval Shaia wrote:
> On Thu, Jun 23, 2016 at 10:52:49PM +0300, Dan Jurgens wrote:
>
>> +static void (*ib_flush_callback)(void);
> Do we really want to have such ib_ prefix in security/ directory?
>
>> +if (ib_flush_callback)
>> +ib_flush_callback();
> How about some generic mechanism (such as a list) in case more
> modules/drivers would like to register callbacks?
> ( assuming this is no longer RFC :) )
>
Paul Moore and I were having a higher level discussion about this in the 00/12 
thread.  I think your suggestion makes sense, perhaps Paul will weigh in when 
he reaches this patch.



Re: [PATCH 06/12] selinux: Add IB End Port SMP access vector

2016-06-30 Thread Yuval Shaia
On Thu, Jun 23, 2016 at 10:52:52PM +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> Add a type for Infiniband end ports and an access vector for subnet
> management packets. Implement the ib_end_port_smp hook to check that the
> caller has permission to send and receive SMPs on the end port specified
> by the device name and port.  Add interface to query the SID for a IB

Extra space before " Add"

> end port, which walks the IB_END_PORT ocontexts to find an entry for the
> given name and port.
> 
> Signed-off-by: Daniel Jurgens 
> Reviewed-by: Eli Cohen 
> ---
>  include/linux/lsm_audit.h| 32 +++---
>  security/selinux/hooks.c | 27 +++
>  security/selinux/include/classmap.h  |  2 ++
>  security/selinux/include/initial_sid_to_string.h |  1 +
>  security/selinux/include/security.h  |  2 ++
>  security/selinux/ss/services.c   | 43 
> 
>  6 files changed, 95 insertions(+), 12 deletions(-)
> 
> diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
> index 8ff7eae..acf6de7 100644
> --- a/include/linux/lsm_audit.h
> +++ b/include/linux/lsm_audit.h
> @@ -21,6 +21,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  
>  struct lsm_network_audit {
>   int netif;
> @@ -50,21 +51,27 @@ struct lsm_pkey_audit {
>   u16 pkey;
>  };
>  
> +struct lsm_ib_end_port_audit {
> + chardev_name[IB_DEVICE_NAME_MAX];
> + u8  port;
> +};
> +
>  /* Auxiliary data to use in generating the audit record. */
>  struct common_audit_data {
>   char type;
> -#define LSM_AUDIT_DATA_PATH  1
> -#define LSM_AUDIT_DATA_NET   2
> -#define LSM_AUDIT_DATA_CAP   3
> -#define LSM_AUDIT_DATA_IPC   4
> -#define LSM_AUDIT_DATA_TASK  5
> -#define LSM_AUDIT_DATA_KEY   6
> -#define LSM_AUDIT_DATA_NONE  7
> -#define LSM_AUDIT_DATA_KMOD  8
> -#define LSM_AUDIT_DATA_INODE 9
> -#define LSM_AUDIT_DATA_DENTRY10
> -#define LSM_AUDIT_DATA_IOCTL_OP  11
> -#define LSM_AUDIT_DATA_PKEY  12
> +#define LSM_AUDIT_DATA_PATH  1
> +#define LSM_AUDIT_DATA_NET   2
> +#define LSM_AUDIT_DATA_CAP   3
> +#define LSM_AUDIT_DATA_IPC   4
> +#define LSM_AUDIT_DATA_TASK  5
> +#define LSM_AUDIT_DATA_KEY   6
> +#define LSM_AUDIT_DATA_NONE  7
> +#define LSM_AUDIT_DATA_KMOD  8
> +#define LSM_AUDIT_DATA_INODE 9
> +#define LSM_AUDIT_DATA_DENTRY10
> +#define LSM_AUDIT_DATA_IOCTL_OP  11
> +#define LSM_AUDIT_DATA_PKEY  12
> +#define LSM_AUDIT_DATA_IB_END_PORT   13
>   union   {
>   struct path path;
>   struct dentry *dentry;
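Review bot: the twelve existing LSM_AUDIT_DATA_* defines are re-indented only so that LSM_AUDIT_DATA_IB_END_PORT lines up, which turns a one-line addition into a dozen lines of whitespace churn; add the new define without touching the others, or move the realignment into a separate cleanup patch. Note also that `struct lsm_ib_end_port_audit` embeds `char dev_name[IB_DEVICE_NAME_MAX]`, which is why the generic lsm_audit.h now needs the RDMA header included above; a pointer to the name would avoid that dependency.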
> @@ -82,6 +89,7 @@ struct common_audit_data {
>   char *kmod_name;
>   struct lsm_ioctlop_audit *op;
>   struct lsm_pkey_audit *pkey;
> + struct lsm_ib_end_port_audit *ib_end_port;
>   } u;
>   /* this union contains LSM specific data */
>   union {
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 5a40b10..fc44542 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6056,6 +6056,32 @@ static int selinux_ib_mad_agent_pkey_access(u64 
> subnet_prefix, u16 pkey_val,
>   mad_agent->m_security);
>  }
>  
> +static int selinux_ib_end_port_smp(const char *dev_name, u8 port,
> +struct ib_mad_agent *mad_agent)
> +{
> + struct common_audit_data ad;
> + int err;
> + u32 sid = 0;
> + struct ib_security_struct *sec = mad_agent->m_security;
> + struct lsm_ib_end_port_audit ib_end_port;
> +
> + err = security_ib_end_port_sid(dev_name, port, );
> +
> + if (err)
> + goto out;
> +
> + ad.type = LSM_AUDIT_DATA_IB_END_PORT;
> + strncpy(ib_end_port.dev_name, dev_name, sizeof(ib_end_port.dev_name));
> + ib_end_port.port = port;
> + ad.u.ib_end_port = _end_port;
> + err = avc_has_perm(sec->sid, sid,
> +SECCLASS_INFINIBAND_END_PORT,
> +INFINIBAND_END_PORT__SMP, );
> +
> +out:
> + return err;
> +}
> +
>  static int selinux_ib_qp_alloc_security(struct ib_qp_security *qp_sec)
>  {
>   struct ib_security_struct *sec;
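Review bot: `strncpy(ib_end_port.dev_name, dev_name, sizeof(ib_end_port.dev_name))` leaves the buffer unterminated when `dev_name` is IB_DEVICE_NAME_MAX bytes long, and the audit record will then read past the end; use strlcpy() (or strscpy()) instead. The `goto out;` in selinux_ib_end_port_smp() jumps to a label followed only by `return err;`, so a direct `return err;` is clearer.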
> @@ -6289,6 +6315,7 @@ static struct security_hook_list selinux_hooks[] = {
>   LSM_HOOK_INIT(ib_qp_pkey_access, selinux_ib_qp_pkey_access),
>   LSM_HOOK_INIT(ib_mad_agent_pkey_access,
> selinux_ib_mad_agent_pkey_access),
> + LSM_HOOK_INIT(ib_end_port_smp, selinux_ib_end_port_smp),
>   LSM_HOOK_INIT(ib_qp_alloc_security,
> selinux_ib_qp_alloc_security),
>   LSM_HOOK_INIT(ib_qp_free_security,
> diff --git a/security/selinux/include/classmap.h 
> b/security/selinux/include/classmap.h
> index d42dd4d..21972c8 100644
> --- 

Re: [PATCH 03/12] selinux: Implement Infiniband flush callback

2016-06-30 Thread Yuval Shaia
On Thu, Jun 23, 2016 at 10:52:49PM +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> Because access for infiniband is enforced in the setup phase of a
> connection there must be a way to notify ib_core if the policy or
> enforcement setting have changed.
> 
> Added register and unregister_ib_flush_callback hooks so infiniband can
> setup notification of policy and enforment changes.  In the AVC reset

Extra space before " In"

> callback function call the ib_flush callback if it's registered. Also
> renamed the callback function, the previous name was 'net' specific.
> 
> Signed-off-by: Daniel Jurgens 
> Reviewed-by: Eli Cohen 
> ---
>  security/selinux/hooks.c | 36 ++--
>  1 file changed, 34 insertions(+), 2 deletions(-)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index a86d537..6a8841d 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -94,6 +94,9 @@
>  #include "audit.h"
>  #include "avc_ss.h"
>  
> +static void (*ib_flush_callback)(void);

Do we really want to have such ib_ prefix in security/ directory?

> +static DEFINE_MUTEX(ib_flush_mutex);
> +
>  /* SECMARK reference count */
>  static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
>  
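Review bot: `ib_flush_callback` and `ib_flush_mutex` are defined unconditionally here, while the only code that ever sets the pointer, selinux_register_ib_flush_callback() and its unregister counterpart, is placed under `#ifdef CONFIG_SECURITY_INFINIBAND` later in this patch; with the option off the pointer is permanently NULL and the AVC reset path still takes the mutex for nothing. Either wrap the two definitions and the `mutex_lock(&ib_flush_mutex)` block in selinux_cache_avc_callback() in the same #ifdef, or, as Yuval suggests below, move the whole thing into the LSM framework as a generic notifier so hooks.c carries no IB-specific state at all.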
> @@ -159,13 +162,17 @@ static int selinux_peerlbl_enabled(void)
>   return (selinux_policycap_alwaysnetwork || netlbl_enabled() || 
> selinux_xfrm_enabled());
>  }
>  
> -static int selinux_netcache_avc_callback(u32 event)
> +static int selinux_cache_avc_callback(u32 event)
>  {
>   if (event == AVC_CALLBACK_RESET) {
>   sel_netif_flush();
>   sel_netnode_flush();
>   sel_netport_flush();
>   synchronize_net();
> + mutex_lock(_flush_mutex);

Suggesting to have the lock inside the callback (unless you accept my
suggestion below)

> + if (ib_flush_callback)
> + ib_flush_callback();

How about some generic mechanism (such as a list) in case more
modules/drivers would like to register callbacks?
( assuming this is no longer RFC :) )

> + mutex_unlock(_flush_mutex);
>   }
>   return 0;
>  }
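Review bot: the IB callback runs with ib_flush_mutex held, so whatever ib_core registers must never call the register/unregister hooks, directly or through anything it waits on, or it deadlocks; either document that constraint above the `mutex_lock(&ib_flush_mutex);` or snapshot the pointer under the lock and invoke it after `mutex_unlock()`. Note also that AVC_CALLBACK_RESET fires from policy load and from an enforcing-mode change, so with this hunk both of those now block synchronously on ib_core rechecking every QP; that is probably acceptable but belongs in the commit message.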
> @@ -5993,6 +6000,23 @@ static int selinux_key_getsecurity(struct key *key, 
> char **_buffer)
>  
>  #endif
>  
> +#ifdef CONFIG_SECURITY_INFINIBAND
> +static void selinux_register_ib_flush_callback(void (*callback)(void))
> +{
> + mutex_lock(_flush_mutex);
> + ib_flush_callback = callback;
> + mutex_unlock(_flush_mutex);
> +}
> +
> +static void selinux_unregister_ib_flush_callback(void)
> +{
> + mutex_lock(_flush_mutex);
> + ib_flush_callback = NULL;
> + mutex_unlock(_flush_mutex);
> +}
> +
> +#endif
> +
>  static struct security_hook_list selinux_hooks[] = {
>   LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
>   LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
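Review bot: selinux_register_ib_flush_callback() overwrites an already registered pointer without any trace, so a second registrant (or a double registration from ib_core after a reload) silently drops the first callback, and the unregister side cannot tell whether anything was registered. Return -EBUSY when the slot is taken (or at least `WARN_ON(ib_flush_callback)`), and warn on unregister when the slot is already NULL; both problems go away with the list-based notifier Yuval suggests above.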
> @@ -6174,6 +6198,12 @@ static struct security_hook_list selinux_hooks[] = {
>   LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
>   LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
>   LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
> +#ifdef CONFIG_SECURITY_INFINIBAND
> + LSM_HOOK_INIT(register_ib_flush_callback,
> +   selinux_register_ib_flush_callback),
> + LSM_HOOK_INIT(unregister_ib_flush_callback,
> +   selinux_unregister_ib_flush_callback),
> +#endif
>  
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
>   LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
> @@ -6233,9 +6263,11 @@ static __init int selinux_init(void)
>   0, SLAB_PANIC, NULL);
>   avc_init();
>  
> + ib_flush_callback = NULL;
> +
>   security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks));
>  
> - if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
> + if (avc_add_callback(selinux_cache_avc_callback, AVC_CALLBACK_RESET))
>   panic("SELinux: Unable to register AVC netcache callback\n");
>  
>   if (selinux_enforcing)
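Review bot: the panic string on the line after `avc_add_callback(selinux_cache_avc_callback, AVC_CALLBACK_RESET)` still says "Unable to register AVC netcache callback" although the callback was just renamed because it is no longer net-specific; update the message too. The added `ib_flush_callback = NULL;` is redundant, a static pointer is already zero-initialised, and it is the one write to that pointer not covered by ib_flush_mutex; drop it.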
> -- 
> 1.8.3.1
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
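The generic registration mechanism Yuval asks for above, as an added example that is not code from the series: a userspace model of an LSM notifier with several subscribers in place of the single ib_flush_callback pointer. The lsm_notifier_* names, the (event, ptr) callback signature and the LSM_POLICY_CHANGE event are assumptions of this example; a fixed slot table stands in for a list, and an in-kernel version would walk an RCU-protected list instead of copying the table under a mutex. The point it demonstrates is the locking question raised in the review: callbacks are invoked with the registration lock released, so a callback may unregister itself without deadlocking.

```c
/* Added example, not code from the series: a userspace model of the generic
 * notifier Yuval asks for above, replacing the single ib_flush_callback
 * pointer. The lsm_notifier_* names, the (event, ptr) callback signature and
 * LSM_POLICY_CHANGE are assumptions; a fixed slot table stands in for the list. */
#include <errno.h>
#include <pthread.h>
#include <string.h>

#define LSM_POLICY_CHANGE 1u
#define LSM_MAX_NOTIFIERS 8

typedef void (*lsm_notifier_fn)(unsigned int event, void *ptr);

static lsm_notifier_fn notifiers[LSM_MAX_NOTIFIERS];
static pthread_mutex_t notifier_lock = PTHREAD_MUTEX_INITIALIZER;

/* A duplicate is refused, so a second registrant can never silently replace
 * the first as it can with the single pointer in the patch. */
int lsm_notifier_register(lsm_notifier_fn fn)
{
	int i, slot = -1, ret = -ENOSPC;

	if (!fn)
		return -EINVAL;
	pthread_mutex_lock(&notifier_lock);
	for (i = LSM_MAX_NOTIFIERS - 1; i >= 0; i--) {
		if (notifiers[i] == fn)
			ret = -EEXIST;
		else if (!notifiers[i])
			slot = i;       /* ends as the lowest free slot */
	}
	if (ret != -EEXIST && slot >= 0) {
		notifiers[slot] = fn;
		ret = 0;
	}
	pthread_mutex_unlock(&notifier_lock);
	return ret;
}

int lsm_notifier_unregister(lsm_notifier_fn fn)
{
	int i, ret = -ENOENT;

	pthread_mutex_lock(&notifier_lock);
	for (i = 0; i < LSM_MAX_NOTIFIERS; i++)
		if (notifiers[i] == fn) {
			notifiers[i] = NULL;
			ret = 0;
		}
	pthread_mutex_unlock(&notifier_lock);
	return ret;
}

/* Deliver an event. The table is copied under the lock and the callbacks run
 * with it released, so a callback may unregister itself without deadlocking
 * on notifier_lock. Returns how many callbacks ran. */
int lsm_notifier_call(unsigned int event, void *ptr)
{
	lsm_notifier_fn snap[LSM_MAX_NOTIFIERS];
	int i, count = 0;

	pthread_mutex_lock(&notifier_lock);
	memcpy(snap, notifiers, sizeof(snap));
	pthread_mutex_unlock(&notifier_lock);

	for (i = 0; i < LSM_MAX_NOTIFIERS; i++)
		if (snap[i]) {
			snap[i](event, ptr);
			count++;
		}
	return count;
}

/* Constructed subscribers: ib_core's recheck, and one that removes itself on its first event. */
static int ib_flushes, self_removing_calls;

static void ib_core_cb(unsigned int event, void *ptr)
{
	(void)ptr;
	if (event == LSM_POLICY_CHANGE)
		ib_flushes++;
}

static void self_removing_cb(unsigned int event, void *ptr)
{
	(void)event; (void)ptr;
	self_removing_calls++;
	lsm_notifier_unregister(self_removing_cb);  /* safe: lock not held here */
}

/* Two policy-change events: the first reaches both callbacks, the second only
 * ib_core_cb, which stays registered. Returns the count from the second (1). */
int run_notifier_demo(void)
{
	lsm_notifier_register(ib_core_cb);
	lsm_notifier_register(self_removing_cb);
	if (lsm_notifier_call(LSM_POLICY_CHANGE, NULL) != 2)
		return -1;
	return lsm_notifier_call(LSM_POLICY_CHANGE, NULL);
}
```

The snapshot-then-call shape is the userspace stand-in for RCU: the writer side (register/unregister) is serialised by the mutex, the reader side never holds it while running subscriber code, and a subscriber that unregisters during delivery simply is not called again on the next event.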


Re: [PATCH 00/12] SELinux support for Infiniband RDMA

2016-06-30 Thread Daniel Jurgens
On 6/30/2016 9:43 AM, Yuval Shaia wrote:
> Few extremely minor cosmetic suggestions to commit message.
>
Thanks Yuval, I'll address these in the eventual v2 series.



Re: [PATCH 07/12] selinux: Add a cache for quicker retreival of PKey SIDs

2016-06-30 Thread Yuval Shaia
On Thu, Jun 23, 2016 at 10:52:53PM +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> It is likely that the SID for the same PKey will be requested many
> times.  To reduce the time to modify QPs and process MADs use a cache to
> store PKey SIDs.

Extra space before " To"

> 
> This code is heavily based on the "netif" and "netport" concept
> originally developed by James Morris  and Paul Moore
>  (see security/selinux/netif.c and
> security/selinux/netport.c for more information)
> 
> Signed-off-by: Daniel Jurgens 
> Reviewed-by: Eli Cohen 
> ---
>  security/selinux/Makefile |   2 +-
>  security/selinux/hooks.c  |   5 +-
>  security/selinux/include/objsec.h |   6 +
>  security/selinux/include/pkey.h   |  31 +
>  security/selinux/pkey.c   | 243 
> ++
>  5 files changed, 285 insertions(+), 2 deletions(-)
>  create mode 100644 security/selinux/include/pkey.h
>  create mode 100644 security/selinux/pkey.c
> 
> diff --git a/security/selinux/Makefile b/security/selinux/Makefile
> index 3411c33..a698df4 100644
> --- a/security/selinux/Makefile
> +++ b/security/selinux/Makefile
> @@ -5,7 +5,7 @@
>  obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
>  
>  selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
> -  netnode.o netport.o exports.o \
> +  netnode.o netport.o pkey.o exports.o \
>ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
>ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o
>  
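Review bot: pkey.o is always linked into selinux here, and the matching sel_pkey_flush() call added to selinux_cache_avc_callback() below is unconditional as well, so kernels built without CONFIG_SECURITY_INFINIBAND carry the cache and its flush for nothing. If that is not intended, build it as `selinux-$(CONFIG_SECURITY_INFINIBAND) += pkey.o` and provide empty static inline stubs in pkey.h when the option is off; if it is intended, say so in the commit message.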
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index fc44542..5c8cebb 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -92,6 +92,7 @@
>  #include "netif.h"
>  #include "netnode.h"
>  #include "netport.h"
> +#include "pkey.h"
>  #include "xfrm.h"
>  #include "netlabel.h"
>  #include "audit.h"
> @@ -172,6 +173,8 @@ static int selinux_cache_avc_callback(u32 event)
>   sel_netnode_flush();
>   sel_netport_flush();
>   synchronize_net();
> +
> + sel_pkey_flush();
>   mutex_lock(_flush_mutex);
>   if (ib_flush_callback)
>   ib_flush_callback();
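Review bot: the ordering in this hunk is load-bearing and deserves a comment: sel_pkey_flush() has to run before ib_flush_callback(), otherwise ib_core's QP recheck could resolve pkeys through SIDs cached under the old policy. The blank line inserted after synchronize_net() also makes sel_pkey_flush() read as part of the IB callback block rather than one of the cache flushes above it; keep it together with the three sel_net*_flush() calls.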
> @@ -6026,7 +6029,7 @@ static int selinux_pkey_access(u64 subnet_prefix, u16 
> pkey_val, void *security)
>   struct ib_security_struct *sec = security;
>   struct lsm_pkey_audit pkey;
>  
> - err = security_pkey_sid(subnet_prefix, pkey_val, );
> + err = sel_pkey_sid(subnet_prefix, pkey_val, );
>  
>   if (err)
>   goto out;
> diff --git a/security/selinux/include/objsec.h 
> b/security/selinux/include/objsec.h
> index 8e7db43..4139f28 100644
> --- a/security/selinux/include/objsec.h
> +++ b/security/selinux/include/objsec.h
> @@ -133,6 +133,12 @@ struct ib_security_struct {
>   u32 sid;/* SID of the queue pair or MAD agent */
>  };
>  
> +struct pkey_security_struct {
> + u64 subnet_prefix; /* Port subnet prefix */
> + u16 pkey;   /* PKey number */
> + u32 sid;/* SID of pkey */
> +};
> +
>  extern unsigned int selinux_checkreqprot;
>  
>  #endif /* _SELINUX_OBJSEC_H_ */
> diff --git a/security/selinux/include/pkey.h b/security/selinux/include/pkey.h
> new file mode 100644
> index 000..58a7a3b
> --- /dev/null
> +++ b/security/selinux/include/pkey.h
> @@ -0,0 +1,31 @@
> +/*
> + * pkey table
> + *
> + * SELinux must keep a mapping of pkeys to labels/SIDs.  This
> + * mapping is maintained as part of the normal policy but a fast cache is
> + * needed to reduce the lookup overhead.
> + *
> + */
> +
> +/*
> + * (c) Mellanox Technologies, 2016
> + *
> + * This program is free software: you can redistribute it and/or modify
> + * it under the terms of version 2 of the GNU General Public License as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + *
> + */
> +
> +#ifndef _SELINUX_IB_H
> +#define _SELINUX_IB_H
> +
> +void sel_pkey_flush(void);
> +
> +int sel_pkey_sid(u64 subnet_prefix, u16 pkey, u32 *sid);
> +
> +#endif
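Review bot: the include guard `_SELINUX_IB_H` does not match the file name pkey.h and will collide as soon as an ib.h is added to this directory (the series already introduces an ib_end_port object); rename it `_SELINUX_PKEY_H`. The prototypes also use u64, u16 and u32 without declaring them; add `#include <linux/types.h>` so the header is self-contained.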
> diff --git a/security/selinux/pkey.c b/security/selinux/pkey.c
> new file mode 100644
> index 000..565474d
> --- /dev/null
> +++ b/security/selinux/pkey.c
> @@ -0,0 +1,243 @@
> +/*
> + * Pkey table
> + *
> + * SELinux must keep a mapping of Infinband PKEYs to labels/SIDs.  This
> + * mapping is maintained as part of the normal policy but a fast cache is
> + * needed to reduce the lookup overhead.
> + *
> + * This code is heavily based on the "netif" and "netport" concept originally
> + * developed by
> + * James Morris  and
> + * Paul 
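Review bot: "Infinband PKEYs" in the file header comment is misspelled ("Infiniband"), and the series otherwise writes "PKeys"; pick one spelling and use it throughout.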

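The cache described in this patch, as an added example that is not code from the series: a userspace model of the pkey SID cache, with a constructed policy table of (subnet prefix, pkey range) labels standing in for security_pkey_sid(), a hash table keyed on the pkey and a flush. The policy entries, SID values, subnet prefixes and the pkey_policy_sid() slow path are all assumptions of this example; the in-kernel cache additionally protects its buckets with RCU and a spinlock and bounds each bucket's length. The example shows the property that matters for correctness: a cached SID stays stale until sel_pkey_flush() runs, which is why the flush sits in the AVC reset callback.

```c
/* Added example, not code from the series: a userspace model of the pkey SID
 * cache in patch 07. The policy table, the pkey_policy_sid() slow path, the
 * SID values and the subnet prefixes are constructed for this example. */
#include <stdint.h>
#include <stdlib.h>

#define PKEY_HASH_SIZE 256
#define SECINITSID_UNLABELED 1u   /* stands in for the unlabeled initial SID */

/* A pkey label is a subnet prefix plus a range of pkey values, as the cover
 * letter describes; the slow path has to walk these ranges on every call. */
struct pkey_label { uint64_t subnet_prefix; uint16_t low, high; uint32_t sid; };

static struct pkey_label policy[] = {
	{ 0xfe80000000000000ULL, 0x0000, 0x7fff, 100 }, /* constructed: compute partitions */
	{ 0xfe80000000000000ULL, 0x8000, 0x8fff, 200 }, /* constructed: storage partition */
};
static int slow_path_calls;   /* how often the cache missed */

static uint32_t pkey_policy_sid(uint64_t subnet_prefix, uint16_t pkey)
{
	size_t i;

	slow_path_calls++;
	for (i = 0; i < sizeof(policy) / sizeof(policy[0]); i++)
		if (policy[i].subnet_prefix == subnet_prefix &&
		    pkey >= policy[i].low && pkey <= policy[i].high)
			return policy[i].sid;
	return SECINITSID_UNLABELED;
}

struct pkey_entry {
	uint64_t subnet_prefix;
	uint16_t pkey;
	uint32_t sid;
	struct pkey_entry *next;
};
static struct pkey_entry *pkey_hash[PKEY_HASH_SIZE];

static unsigned int pkey_hashfn(uint16_t pkey)
{
	return pkey & (PKEY_HASH_SIZE - 1);
}

/* Fast path: hit in the cache, otherwise resolve and insert. Both the subnet
 * prefix and the pkey are compared, as two subnets may reuse the same pkey. */
uint32_t sel_pkey_sid(uint64_t subnet_prefix, uint16_t pkey)
{
	unsigned int idx = pkey_hashfn(pkey);
	struct pkey_entry *e;
	uint32_t sid;

	for (e = pkey_hash[idx]; e; e = e->next)
		if (e->subnet_prefix == subnet_prefix && e->pkey == pkey)
			return e->sid;

	sid = pkey_policy_sid(subnet_prefix, pkey);
	e = malloc(sizeof(*e));
	if (!e)
		return sid;     /* a miss still answers correctly, just uncached */
	e->subnet_prefix = subnet_prefix;
	e->pkey = pkey;
	e->sid = sid;
	e->next = pkey_hash[idx];
	pkey_hash[idx] = e;
	return sid;
}

/* Called on policy load or enforce change (the AVC reset callback in the
 * patch): every cached SID may be stale, so drop them all. */
void sel_pkey_flush(void)
{
	unsigned int i;
	struct pkey_entry *e, *next;

	for (i = 0; i < PKEY_HASH_SIZE; i++) {
		for (e = pkey_hash[i]; e; e = next) {
			next = e->next;
			free(e);
		}
		pkey_hash[i] = NULL;
	}
}

/* Stand-in for a policy reload that relabels the storage partition. Returns
 * the SID seen before and after sel_pkey_flush() as before * 1000 + after. */
unsigned int relabel_demo(uint32_t new_sid)
{
	const uint64_t prefix = 0xfe80000000000000ULL;
	uint32_t before, after;

	(void)sel_pkey_sid(prefix, 0x8001);     /* warm the cache */
	policy[1].sid = new_sid;                /* "new policy loaded" */
	before = sel_pkey_sid(prefix, 0x8001);  /* stale: cache not flushed */
	sel_pkey_flush();
	after = sel_pkey_sid(prefix, 0x8001);   /* fresh: resolved again */
	return before * 1000 + after;
}
```

Hashing on the pkey alone (like the netport cache hashes on the port number) is fine because the compare also checks the subnet prefix; what must not happen is serving an entry across a policy change, which is exactly the stale `before` value relabel_demo() exposes.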
Re: [PATCH 04/12] selinux: Allocate and free infiniband security hooks

2016-06-30 Thread Yuval Shaia
On Thu, Jun 23, 2016 at 10:52:50PM +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> Implement and attach hooks to allocate and free Infiniband QP and MAD
> agent security structures.
> 
> Signed-off-by: Daniel Jurgens 
> Reviewed-by: Eli Cohen 
> ---
>  include/rdma/ib_mad.h |  1 +
>  include/rdma/ib_verbs.h   |  1 +
>  security/selinux/hooks.c  | 53 
> +++
>  security/selinux/include/objsec.h |  5 
>  4 files changed, 60 insertions(+)
> 
> diff --git a/include/rdma/ib_mad.h b/include/rdma/ib_mad.h
> index c8a773f..a1ed025 100644
> --- a/include/rdma/ib_mad.h
> +++ b/include/rdma/ib_mad.h
> @@ -537,6 +537,7 @@ struct ib_mad_agent {
>   u32 flags;
>   u8  port_num;
>   u8  rmpp_version;
> + void*m_security;
>  };
>  
>  /**
> diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
> index 3f6780b..e522acb 100644
> --- a/include/rdma/ib_verbs.h
> +++ b/include/rdma/ib_verbs.h
> @@ -1454,6 +1454,7 @@ struct ib_qp {
>   void   *qp_context;
>   u32 qp_num;
>   enum ib_qp_type qp_type;
> + struct ib_qp_security  *qp_sec;
>  };
>  
>  struct ib_mr {
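Review bot: struct ib_qp gains a typed `struct ib_qp_security *qp_sec` while struct ib_mad_agent in the previous hunk gets an untyped `void *m_security`; the cover letter explains why the QP side needs a separately allocated structure that outlives a failed destroy, but neither field says who allocates and frees it. Add a one-line comment on each naming the alloc/free hooks, and consider a typed pointer for the MAD agent as well so a mismatched cast cannot slip in later.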
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6a8841d..4f13ea4 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -17,6 +17,7 @@
>   *   Paul Moore 
>   *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
>   *  Yuichi Nakamura 
> + *  Copyright (C) 2016 Mellanox Technologies
>   *
>   *   This program is free software; you can redistribute it and/or modify
>   *   it under the terms of the GNU General Public License version 2,
> @@ -83,6 +84,8 @@
>  #include 
>  #include 
>  #include 
> +#include 
> +#include 
>  
>  #include "avc.h"
>  #include "objsec.h"
> @@ -6015,6 +6018,47 @@ static void selinux_unregister_ib_flush_callback(void)
>   mutex_unlock(_flush_mutex);
>  }
>  
> +static int selinux_ib_qp_alloc_security(struct ib_qp_security *qp_sec)
> +{
> + struct ib_security_struct *sec;
> +
> + sec = kzalloc(sizeof(*sec), GFP_ATOMIC);

Kindly reminder to make sure GFP_ATOMIC is needed.

> + if (!sec)
> + return -ENOMEM;
> + sec->sid = current_sid();
> +
> + qp_sec->q_security = sec;
> + return 0;
> +}
> +
> +static void selinux_ib_qp_free_security(struct ib_qp_security *qp_sec)
> +{
> + struct ib_security_struct *sec = qp_sec->q_security;
> +
> + qp_sec->q_security = NULL;
> + kfree(sec);
> +}
> +
> +static int selinux_ib_mad_agent_alloc_security(struct ib_mad_agent 
> *mad_agent)
> +{
> + struct ib_security_struct *sec;
> +
> + sec = kzalloc(sizeof(*sec), GFP_ATOMIC);
> + if (!sec)
> + return -ENOMEM;
> + sec->sid = current_sid();
> +
> + mad_agent->m_security = sec;
> + return 0;
> +}
> +
> +static void selinux_ib_mad_agent_free_security(struct ib_mad_agent 
> *mad_agent)
> +{
> + struct ib_security_struct *sec = mad_agent->m_security;
> +
> + mad_agent->m_security = NULL;
> + kfree(sec);
> +}
>  #endif
>  
>  static struct security_hook_list selinux_hooks[] = {
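Review bot: agreed with Yuval on the `kzalloc(sizeof(*sec), GFP_ATOMIC)` in both alloc hooks; they are reached from QP creation and MAD agent registration, which are process context where the callers already allocate with GFP_KERNEL, so GFP_KERNEL should be used unless a caller really holds a spinlock at that point. Separately, `sec->sid = current_sid()` labels the object with the creating task; for QPs and MAD agents created by in-kernel users that is a kernel thread's SID, which is presumably intended but should be stated in the hook documentation in patch 01.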
> @@ -6198,11 +6242,20 @@ static struct security_hook_list selinux_hooks[] = {
>   LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
>   LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
>   LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
> +
>  #ifdef CONFIG_SECURITY_INFINIBAND
>   LSM_HOOK_INIT(register_ib_flush_callback,
> selinux_register_ib_flush_callback),
>   LSM_HOOK_INIT(unregister_ib_flush_callback,
> selinux_unregister_ib_flush_callback),
> + LSM_HOOK_INIT(ib_qp_alloc_security,
> +   selinux_ib_qp_alloc_security),
> + LSM_HOOK_INIT(ib_qp_free_security,
> +   selinux_ib_qp_free_security),
> + LSM_HOOK_INIT(ib_mad_agent_alloc_security,
> +   selinux_ib_mad_agent_alloc_security),
> + LSM_HOOK_INIT(ib_mad_agent_free_security,
> +   selinux_ib_mad_agent_free_security),
>  #endif
>  
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
> diff --git a/security/selinux/include/objsec.h 
> b/security/selinux/include/objsec.h
> index c21e135..8e7db43 100644
> --- a/security/selinux/include/objsec.h
> +++ b/security/selinux/include/objsec.h
> @@ -10,6 +10,7 @@
>   *
>   *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
>   *  Copyright (C) 2003 Red Hat, Inc., James Morris 
> + *  Copyright (C) 2016 Mellanox Technologies
>   *
>   *   This program is free software; you can redistribute it and/or modify
>   *   it under the terms of the GNU General Public License version 2,
> @@ -128,6 +129,10 @@ struct 

Re: [PATCH 01/12] security: Add LSM hooks for Infiniband security

2016-06-30 Thread Yuval Shaia
On Thu, Jun 23, 2016 at 10:52:47PM +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> Add nine new hooks
>  1. Allocate security contexts for Infiniband QPs.
>  2. Free security contexts for Infiniband QPs.
>  3. Allocate security contexts for Infiniband MAD agents.
>  4. Free security contexts for Infiniband MAD agents.
>  5. Enforce QP access to Pkeys
>  6. Enforce MAD agent access to Pkeys
>  7. Enforce MAD agent access to Infiniband End Ports for sending Subnet
> Management Packets (SMP)
>  8. A hook to register a callback to receive notifications of
> security policy or enforcement changes.  Restricting a QPs access to
> a pkey will be done during setup and not on a per packet basis
> access must be enforced again.
>  9. A hook to unregister the callback.
> 
> Signed-off-by: Daniel Jurgens 
> Reviewed-by: Eli Cohen 
> ---
>  include/linux/lsm_hooks.h | 71 
>  include/linux/security.h  | 63 +++
>  include/rdma/ib_verbs.h   |  4 +++
>  security/Kconfig  |  9 +
>  security/security.c   | 83 
> +++
>  5 files changed, 230 insertions(+)
> 
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 7ae3976..6b47c8d 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -8,6 +8,7 @@
>   * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
>   * Copyright (C) 2015 Intel Corporation.
>   * Copyright (C) 2015 Casey Schaufler 
> + * Copyright (C) 2016 Mellanox Techonologies
>   *
>   *   This program is free software; you can redistribute it and/or modify
>   *   it under the terms of the GNU General Public License as published by
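Review bot: "Mellanox Techonologies" in the new copyright line is misspelled; "Technologies".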
> @@ -876,6 +877,50 @@
>   *   associated with the TUN device's security structure.
>   *   @security pointer to the TUN devices's security structure.
>   *
> + * Security hooks for Infiniband
> + *
> + * @ib_qp_pkey_access:
> + *   Check permission to access a pkey when modifing a QP.
> + *   @subnet_prefix the subnet prefix of the port being used.
> + *   @pkey the pkey to be accessed.
> + *   @qp_sec pointer to the ib_qp_security structure.
> + * @ib_mad_agent_pkey_access:
> + *   Check permission to access a pkey when transmiting and receiving MADS.
> + *   @subnet_prefix the subnet prefix of the port being used.
> + *   @pkey the pkey to be accessed.
> + *   @mad_agent pointer to the ib_mad_agent structure.
> + * @ib_end_port_smp:
> + *   Check permissions to send and receive SMPs on a end port.
> + *   @dev_name the IB device name (i.e. mlx4_0).
> + *   @port_num the port number.
> + *   @mad_agent pointer to the ib_mad_agent structure.
> + * @ib_qp_alloc_security:
> + *   Allocate and attach a security structure to the qp_sec->q_security
> + *   field. The q_security field is initialized to NULL when the structure
> + *   is allocated.  A separate QP security structure is used instead of the
> + *   QP structure because when a QP is destroyed the memory is freed by the
> + *   hardware driver.  That operation can fail so the security info must be
> + *   maintained until the destroy completes successfully.
> + *   @qp_sec contains the ib_qp_security structure to be modified.
> + *   Return 0 if operation was successful.
> + * @ib_mad_agent_alloc_security:
> + *   Allocate and attach a security structure to the mad_agent->m_security
> + *   field. The m_security field is initialized to NULL when the structure
> + *   is allocated.
> + *   @mad_agent contains the ib_mad_agent structure to be modified.
> + *   Return 0 if operation was successful.
> + * @ib_qp_free_security:
> + *   Deallocate and clear the qp_sec->q_security field.
> + *   @qp_sec contains the ib_qp_security structure to be modified.
> + * @ib_mad_agent_free_security:
> + *   Deallocate and clear the mad_agent->m_security field.
> + *   @mad_agent contains the ib_mad_agent structure to be modified.
> + * @register_ib_flush_callback:
> + *   Provide a way for security modules to notify ib_core of policy changes.
> + *   @callback function pointer to call when policy changes.
> + * @unregister_ib_flush_callback:
> + *   Unregister the callback function.
> + *
>   * Security hooks for XFRM operations.
>   *
>   * @xfrm_policy_alloc_security:
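Review bot: a few fixes to the new hook documentation: "modifing" should be "modifying", "transmiting" "transmitting", "MADS" "MADs" and "a end port" "an end port"; @ib_end_port_smp documents @port_num while the prototype below names the argument `port`. The three access hooks should also state their return value (0 when permitted, a negative errno when denied) as the alloc hooks do, and the register/unregister entries should say that the callback is invoked synchronously from the policy-change path and whether it may call back into the LSM.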
> @@ -1579,6 +1624,21 @@ union security_list_options {
>   int (*tun_dev_open)(void *security);
>  #endif   /* CONFIG_SECURITY_NETWORK */
>  
> +#ifdef CONFIG_SECURITY_INFINIBAND
> + int (*ib_qp_pkey_access)(u64 subnet_prefix, u16 pkey,
> +  struct ib_qp_security *qp_sec);
> + int (*ib_mad_agent_pkey_access)(u64 subnet_prefix, u16 pkey,
> + struct ib_mad_agent *mad_agent);
> + int (*ib_end_port_smp)(const char *dev_name, u8 port,
> +struct ib_mad_agent *mad_agent);
> + int 

Re: [PATCH 00/12] SELinux support for Infiniband RDMA

2016-06-30 Thread Yuval Shaia
Few extremely minor cosmetic suggestions to commit message.

On Thu, Jun 23, 2016 at 10:52:46PM +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> This patch series was submitted previously as an RFC.  The 3rd version was

Extra space before " The"

> posted on 19 Apr 2016 with the subject "[RFC PATCH v3 NN/MM] SELinux support
> for Infiniband RDMA".
> 
> Currently there is no way to provide granular access control to an Infiniband
> fabric.  By providing an ability to restrict user access to specific virtual

Extra space before " By"

> subfabrics administrators can limit access to bandwidth and isolate users on

Suggesting "," after "subfabrics"

> the fabric.
> 
> The approach for controlling access for Infiniband is to control access to
> partitions.  A partition is similar in concept to a VLAN where each data 
> packet

Extra space before " A partition"

> carries the partition key (PKey) in its header and isolation is enforced by
> the hardware.  The partition key is not a cryptographic key, it's a 16 bit

Extra space before " The partition"

> number identifying the partition.  By controlling access to PKeys users can be

1. Extra space before " By"
2. Suggesting "," after "PKeys"

> isolated on the fabric.
> 
> All Infiniband fabrics must have a subnet manager.  The subnet manager

1. s/All/Every
2. Extra space before " The subnet"

> provisions the partitions and configures the end nodes.  Each end port has a

Extra space before " Each end"

> PKey table containing all the partitions it can access.  In order to enforce

Extra space before " In order"

> access to partitions the subnet management interface (SMI) must also be

Suggesting "," after "partitions"

> controlled to prevent unauthorized changes to the fabric configuration. 
> 
> In order to support this there must be a capability to provide security
> contexts for two new types of objects - PKeys and SMIs.
> 
> A PKey label consists of a subnet prefix and a range of PKey values and is
> similar to the labeling mechanism for netports.  Infiniband end port can

Extra space before " Infiniband"

> reside on a different subnet, labeling the PKey values for specific subnet

s/reside/resides

> prefixes provides the user maximum flexibility. There is a single access
> vector for PKeys, called "access".

Suggesting to remove ","

> 
> An Infiniband end port (ib_end_port) is labeled by name and port number. There
> is a single access vector for ib_end_ports as well, called "smp".

Suggesting to remove ","

> 
> Because RDMA allows for kernel bypass all enforcement must be done during

1. Suggesting to remove "for"
2. Suggesting "," after "bypass"

> connection setup.  To communicate over RDMA requires a send and receive queue

1. Extra space before " To communicate"
2. Suggesting s/"The communication"/"To communicate"
3. s/queue/queues

> called a queue pair (QP).  During the creation of a QP it is initialized

Extra space before " During"

> before it can be used to send or receive data.  During initialization the user

Extra space before " During"

> must provide the PKey and port the QP will use, at this time access can be
> enforced.
> 
> Because there is a possibility that the enforcement settings or security
> policy can change, a means of notifying the ib_core module of such changes is
> required.  To facilitate this two LSM hooks are provided, ib_core will

1. Extra space before " To"
2. Suggesting "," after "this"

> register and unregister a callback function at init and cleanup respectively.
> SELinux will call the callback as appropriate if it has been registered.
> When the callback is called ib_core will recheck the PKey access for all
> existing QPs.
> 
> Because frequent accesses to the same PKey's SID is expected a cache is
> implemented which is very similar to the netport cache.
> 
> In order to properly enforce security when changes to the PKey table or
> security policy or enforcement occur ib_core must track which QPs are using
> each port, pkey index, and alternate path for every IB device.  This makes

1. s/each/which (unless I wrongly understood it)
2. Extra space before " This"

> operations that used to be atomic transactional.
> 
> When modifying a QP ib_core must associate it with the PKey index, port,

Suggesting "," after "QP"

> and alternate path specified.  If the QP was already associated with different

Extra space before " If"

> settings the QP is added to the new list prior to the modify attempt.  If

1. Suggesting "," after "settings"
2. Suggesting s/"modify attempt"/modification
3. Extra space before " If"

> the modify succeeds then the old listing is removed.  If the modify fails

1. s/modify/modification/g
2. Extra space before " If"

> the new listing is removed and the old listing remains unchanged.
> 
> When destroying a QP the ib_qp structure is freed by the hardware driver

What is "hardware driver"?

> if the destroy is successful.  This requires storing security related

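The transactional QP listing and the recheck on policy change that the cover letter describes, as an added example that is not code from the series: a userspace model covering the primary path only (no alternate path). The pkey tables, the SIDs, the qp_pkey_allowed() policy standing in for the ib_qp_pkey_access hook and the simulated hardware modify that can fail are all constructed for this example. It shows the two behaviours the cover letter specifies: access is enforced at modify time, with the new listing added before the attempt and the old one dropped only on success, and a later policy or pkey-table change resets every listed QP that is no longer permitted.

```c
/* Added example, not code from the series: a userspace model of the
 * "transactional" QP listing and policy-change recheck the cover letter
 * describes, for the primary path only. The pkey tables, the SIDs, the
 * qp_pkey_allowed() policy and the simulated hardware modify are constructed. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

#define NUM_PORTS 2
#define PKEY_TABLE_LEN 4
#define NUM_QPS 4

enum qp_state { QP_RESET, QP_READY };

struct ib_qp {
	uint32_t sid;          /* label of the creating task, as current_sid() */
	uint8_t port;          /* current association, 0 = none */
	uint8_t pkey_index;
	enum qp_state state;
};

/* Two constructed QPs: qp 0 created by a task labeled 100, qp 1 by 200. */
static struct ib_qp qps[NUM_QPS] = { { .sid = 100 }, { .sid = 200 } };

/* Per (port, pkey index) list of QPs using it; a membership matrix stands in
 * for the kernel's linked lists. Port numbers are 1-based as in IB. */
static bool listing[NUM_PORTS + 1][PKEY_TABLE_LEN][NUM_QPS];

/* Constructed pkey tables; the subnet manager may rewrite them at any time. */
static uint16_t pkey_table[NUM_PORTS + 1][PKEY_TABLE_LEN] = {
	{ 0 },
	{ 0xffff, 0x8001, 0, 0 },
	{ 0xffff, 0x8002, 0, 0 },
};

/* Stands in for the ib_qp_pkey_access hook: SID 100 may use any partition,
 * SID 200 only the default partition 0xffff. */
static bool qp_pkey_allowed(uint32_t sid, uint16_t pkey)
{
	return sid == 100 || pkey == 0xffff;
}

/* Simulated hardware modify: the driver rejects an empty pkey slot. */
static bool hw_modify_qp(uint8_t port, uint8_t pkey_index)
{
	return pkey_table[port][pkey_index] != 0;
}

bool ib_qp_listed(uint8_t port, uint8_t pkey_index, int qpn)
{
	return listing[port][pkey_index][qpn];
}

/* Access is enforced here, at setup, because RDMA bypasses the kernel on the
 * data path. The new listing goes in before the modify and the old one comes
 * out only after it succeeds, so a failed modify leaves the old listing intact
 * and a concurrent recheck always finds the QP under at least one of them. */
int ib_modify_qp(int qpn, uint8_t port, uint8_t pkey_index)
{
	struct ib_qp *qp = &qps[qpn];

	if (port < 1 || port > NUM_PORTS || pkey_index >= PKEY_TABLE_LEN)
		return -EINVAL;
	if (!qp_pkey_allowed(qp->sid, pkey_table[port][pkey_index]))
		return -EACCES;

	listing[port][pkey_index][qpn] = true;              /* new listing first */
	if (!hw_modify_qp(port, pkey_index)) {
		listing[port][pkey_index][qpn] = false;         /* abort: keep old */
		return -EIO;
	}
	if (qp->port && (qp->port != port || qp->pkey_index != pkey_index))
		listing[qp->port][qp->pkey_index][qpn] = false; /* commit: drop old */
	qp->port = port;
	qp->pkey_index = pkey_index;
	qp->state = QP_READY;
	return 0;
}

/* Run from the LSM policy-change callback or after a pkey table change:
 * revalidate every listed QP and reset the ones whose pkey is no longer
 * permitted. Returns the number of QPs reset. */
int ib_security_recheck(void)
{
	int port, idx, qpn, reset = 0;

	for (port = 1; port <= NUM_PORTS; port++)
		for (idx = 0; idx < PKEY_TABLE_LEN; idx++)
			for (qpn = 0; qpn < NUM_QPS; qpn++) {
				if (!listing[port][idx][qpn] ||
				    qp_pkey_allowed(qps[qpn].sid, pkey_table[port][idx]))
					continue;
				listing[port][idx][qpn] = false;
				qps[qpn].state = QP_RESET;
				qps[qpn].port = 0;
				reset++;
			}
	return reset;
}
```

The order of operations in ib_modify_qp() is what turns the listing into a transaction: because the QP is never absent from every list while a modify is in flight, a recheck triggered by a subnet manager rewriting a pkey slot (the last assertions below change pkey_table[1][0] and expect the SID 200 QP to be reset) cannot miss a QP that is halfway between two associations.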
Re: [PATCH V2 0/3] Update setfiles/restorecon to support selinux_restorecon

2016-06-30 Thread Stephen Smalley
On 06/19/2016 03:36 PM, Richard Haines wrote:
> These patches:
> 1) Add additional services to selinux_restorecon(3) so that setfiles(8)
> functionality can be supported.
> 2) Modify setfiles(8) and restorecon(8) to make use of the new libselinux
> functions.
> 
> I've supported all options except -q of the current restorecon(8) and
> setfiles(8) in selinux_restorecon_* services.
> 
> There is a new option of -I to ignore the digest as explained in the updated
> man pages.
> 
> The output from these commands should be much the same as before (some minor
> wording changes).
> 
> Changes for V2
> 1) All requested changes have been completed as per [1], [2] and [3].
> 2) As selinux_restorecon_set_alt_rootpath(3) and
> selinux_restorecon_set_exclude_list(3) now allocate memory etc. they return
> errors (they were void).

Unfortunately, we can't do that if they were included in a prior release
(e.g. 2.5).  That would be an ABI incompatibility.  Options:
1) Use symbol versioning.  This would require adding a linker version
script / map file to libselinux like we already have for libsepol and
libsemanage, and defining an old and new version of the symbol so that
existing binaries can keep using the void interface and programs
compiled against the new library can use the int interface.
2) Just leave it void and abort or something on memory allocation failure.
3) Leave the functions unchanged, i.e. don't allocate memory (but I
think this will be problematic in the future).

> 
> [1] http://marc.info/?l=selinux=146470027405908=2
> [2] http://marc.info/?l=selinux=146470835908849=2
> [3] http://marc.info/?l=selinux=146470720008392=2
> 
> Richard Haines (3):
>   libselinux: Evaluate inodes in selinux_restorecon(3)
>   libselinux: Add setfiles support to selinux_restorecon(3)
>   policycoreutils: setfiles - Modify to use selinux_restorecon
> 
>  libselinux/include/selinux/restorecon.h| 109 +++-
>  libselinux/man/man3/selinux_restorecon.3   |  80 ++-
>  .../man/man3/selinux_restorecon_set_alt_rootpath.3 |  35 +
>  .../man/man3/selinux_restorecon_set_exclude_list.3 |  16 +-
>  .../man/man3/selinux_restorecon_set_sehandle.3 |   4 +-
>  libselinux/src/selinux_restorecon.c| 710 ++--
>  libselinux/utils/selinux_restorecon.c  |  52 +-
>  policycoreutils/setfiles/restore.c | 718 
> ++---
>  policycoreutils/setfiles/restore.h |  51 +-
>  policycoreutils/setfiles/restorecon.8  |  74 ++-
>  policycoreutils/setfiles/setfiles.8|  75 ++-
>  policycoreutils/setfiles/setfiles.c| 198 +++---
>  12 files changed, 1201 insertions(+), 921 deletions(-)
>  create mode 100644 libselinux/man/man3/selinux_restorecon_set_alt_rootpath.3
> 



Re: [PATCH 00/12] SELinux support for Infiniband RDMA

2016-06-30 Thread Daniel Jurgens
On 6/29/2016 12:33 PM, Paul Moore wrote:
> On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens  wrote:
>> When destroying a QP the ib_qp structure is freed by the hardware driver
>> if the destroy is successful.  This requires storing security related
>> information in a separate structure. When a destroy request is in process
>> the ib_qp structure is in an undefined state so if there are changes to the
>> security policy or PKey table the security checks cannot reset the QP if it
>> doesn't have permission for the new setting.  If the destroy fails security
>> for that QP must be enforced again, and its status in the list restored.
>> If the destroy succeeds the security info can be cleaned up and freed.
> Perhaps I'll end up answering this for myself as I work my way through
> the patches, but hopefully you are handling the case where a destroy
> operation fails and the QP needs to be revalidated?

Yes, if the destroy fails the security is checked again.  You can see this in
security.c ib_destroy_qp_security_abort which is added in "[PATCH 09/12]
IB/core: Enforce PKey security on QPs"

> I'm also wondering if QP revalidation on a security policy change is
> worth the trouble; we've historically not been able to provide any
> revoke guarantees so I'm not sure if it is worth a lot of added
> complexity to gain this functionality just for Infiniband.  That said,
> it would be *nice* to have revalidation/revocation working, even if
> only for IB.  It may be that we need similar code to handle the
> various corner cases, so we may be stuck with the complexity anyway, I
> just thought it was worth bringing up as a topic of discussion.

QP re-validation on policy change comes cheap because it's possible for the
PKey table to change.  So a mechanism to recheck all the QPs is needed
regardless.  I'd be fine with getting rid of it if you think that's best.  In a
production environment SELinux will always be enforcing so it's probably not
really needed.  During my testing it left a funny taste in my mouth when I had
QPs that shouldn't be allowed continue to exist after setenforce 1.  On the
other hand I'm not in love with the callback registration for policy change
notification one off for Infiniband.  In one of the RFCs I used an LSM hook
that ib/core would implement.  I think Casey commented on that, so I changed it
to what you see now.

Thank you for reviewing this.
