RE: GPF in sidtab_context_to_sid

2016-11-08 Thread Roberts, William C


> -Original Message-
> From: Paul Moore [mailto:p...@paul-moore.com]
> Sent: Tuesday, November 8, 2016 12:57 PM
> To: Roberts, William C 
> Cc: selinux@tycho.nsa.gov
> Subject: Re: GPF in sidtab_context_to_sid
> 
> On Tue, Nov 8, 2016 at 1:26 PM, Roberts, William C wrote:
> > I found a very similar oops online:
> >
> > http://oops.kernel.org/oops/general-protection-fault-in-sidtab_context_to_sid/
> >
> > Has anyone encountered this bug?
> >
> > I had something reported to me very similar where the faulting instruction was:
> >
> > 0x8133c81e <+174>:   mov    0x14(%r12),%eax
> >
> > Addr2line on vmlinux produced:
> >
> > $ addr2line -f -e ./vmlinux 8133c81e context_cmp
> > kernel/cht/security/selinux/ss/context.h:152
> 
> I'm guessing you don't have a reproducer?

Supposedly, I am digging that slowly out of the reporters. If I can use it to
reproduce, I'll let you know.

> 
> It looks like both these kernels are older (3.x), have you seen this on anything recent?

No.

> 
> --
> paul moore
> www.paul-moore.com

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


[PATCH v4 6/9] selinux: Allocate and free infiniband security hooks

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens 

Implement and attach hooks to allocate and free Infiniband object
security structures.

issue: 736423
Change-Id: I3bdbecee7aab6d7615a02967c39a5a8792a14d44
Signed-off-by: Daniel Jurgens 

---
v2:
- Use void * blobs for security structs.  Paul Moore
- Shorten ib_end_port to ib_port.  Paul Moore
- Allocate memory for security struct with GFP_KERNEL. Yuval Shaia

Signed-off-by: Daniel Jurgens 
---
 security/selinux/hooks.c  | 25 -
 security/selinux/include/objsec.h |  5 +
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7578198..f48759d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -17,6 +17,7 @@
  * Paul Moore 
  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  *Yuichi Nakamura 
+ *  Copyright (C) 2016 Mellanox Technologies
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2,
@@ -6082,7 +6083,26 @@ static int selinux_key_getsecurity(struct key *key, char 
**_buffer)
*_buffer = context;
return rc;
 }
+#endif
+
+#ifdef CONFIG_SECURITY_INFINIBAND
+static int selinux_ib_alloc_security(void **ib_sec)
+{
+   struct ib_security_struct *sec;
+
+   sec = kzalloc(sizeof(*sec), GFP_KERNEL);
+   if (!sec)
+   return -ENOMEM;
+   sec->sid = current_sid();
+
+   *ib_sec = sec;
+   return 0;
+}
 
+static void selinux_ib_free_security(void *ib_sec)
+{
+   kfree(ib_sec);
+}
 #endif
 
 static struct security_hook_list selinux_hooks[] = {
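Review bot: selinux_ib_alloc_security() labels every new IB object with current_sid() but says nothing about it; since that SID is the subject of every later ib_pkey_access decision, add a one-line comment above `sec->sid = current_sid();` stating that IB objects take the SID of the creating task, so the labelling rule is visible where it is applied.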
@@ -6269,7 +6289,10 @@ static int selinux_key_getsecurity(struct key *key, char 
**_buffer)
LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
-
+#ifdef CONFIG_SECURITY_INFINIBAND
+   LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
+   LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
+#endif
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc),
LSM_HOOK_INIT(xfrm_policy_clone_security, selinux_xfrm_policy_clone),
diff --git a/security/selinux/include/objsec.h 
b/security/selinux/include/objsec.h
index c21e135..8e7db43 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -10,6 +10,7 @@
  *
  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  *  Copyright (C) 2003 Red Hat, Inc., James Morris 
+ *  Copyright (C) 2016 Mellanox Technologies
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2,
@@ -128,6 +129,10 @@ struct key_security_struct {
u32 sid;/* SID of key */
 };
 
+struct ib_security_struct {
+   u32 sid;/* SID of the queue pair or MAD agent */
+};
+
 extern unsigned int selinux_checkreqprot;
 
 #endif /* _SELINUX_OBJSEC_H_ */
-- 
1.8.3.1



[PATCH v4 3/9] selinux lsm IB/core: Implement LSM notification system

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens 

Add a generic notification mechanism in the LSM. Interested consumers
can register a callback with the LSM and security modules can produce
events.

Because access to Infiniband QPs is enforced in the setup phase of a
connection, security should be enforced again if the policy changes.
Register infiniband devices for policy change notification and check all
QPs on that device when the notification is received.

Add a call to the notification mechanism from SELinux when the AVC
cache changes or setenforce is cleared.

issue: 736423
Change-Id: I9f5a13026c9219105ee5e0cd99edf8eabdafe946
Signed-off-by: Daniel Jurgens 

---
v2:
- new patch that has the generic notification, replaces selinux and
  IB/core patches related to the ib_flush callback. Yuval Shaia and Paul
  Moore

v3:
- use notifier chains. Paul Moore

v4:
- Separate avc callback for LSM notifier. Paul Moore

Signed-off-by: Daniel Jurgens 
---
 drivers/infiniband/core/device.c | 53 
 include/linux/security.h |  8 ++
 security/security.c  | 20 +++
 security/selinux/hooks.c | 11 +
 security/selinux/selinuxfs.c |  2 ++
 5 files changed, 94 insertions(+)

diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index 5b42e83..7b6fd06 100644
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -39,6 +39,8 @@
 #include 
 #include 
 #include 
+#include 
+#include 
 #include 
 #include 
 #include 
@@ -82,6 +84,14 @@ struct ib_client_data {
 static DEFINE_MUTEX(device_mutex);
 static DECLARE_RWSEM(lists_rwsem);
 
+static int ib_security_change(struct notifier_block *nb, unsigned long event,
+ void *lsm_data);
+static void ib_policy_change_task(struct work_struct *work);
+static DECLARE_WORK(ib_policy_change_work, ib_policy_change_task);
+
+static struct notifier_block ibdev_lsm_nb = {
+   .notifier_call = ib_security_change,
+};
 
 static int ib_device_check_mandatory(struct ib_device *device)
 {
@@ -344,6 +354,40 @@ static int setup_port_pkey_list(struct ib_device *device)
return 0;
 }
 
+static void ib_policy_change_task(struct work_struct *work)
+{
+   struct ib_device *dev;
+
+   down_read(_rwsem);
+   list_for_each_entry(dev, _list, core_list) {
+   int i;
+
+   for (i = rdma_start_port(dev); i <= rdma_end_port(dev); i++) {
+   u64 sp;
+   int ret = ib_get_cached_subnet_prefix(dev,
+ i,
+ );
+
+   WARN_ONCE(ret,
+ "ib_get_cached_subnet_prefix err: %d, this 
should never happen here\n",
+ ret);
+   ib_security_cache_change(dev, i, sp);
+   }
+   }
+   up_read(_rwsem);
+}
+
+static int ib_security_change(struct notifier_block *nb, unsigned long event,
+ void *lsm_data)
+{
+   if (event != LSM_POLICY_CHANGE)
+   return NOTIFY_DONE;
+
+   schedule_work(_policy_change_work);
+
+   return NOTIFY_OK;
+}
+
 /**
  * ib_register_device - Register an IB device with IB core
  * @device:Device to register
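Review bot: in ib_policy_change_task() the error from ib_get_cached_subnet_prefix() is only reported through WARN_ONCE; execution falls through and passes the uninitialised `sp` to ib_security_cache_change() for that port. Add a `continue;` after the WARN_ONCE (or initialise `sp` and skip the call when `ret` is non-zero) so a cache lookup failure never re-checks QPs against a garbage subnet prefix.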
@@ -1075,10 +1119,18 @@ static int __init ib_core_init(void)
goto err_sa;
}
 
+   ret = register_lsm_notifier(_lsm_nb);
+   if (ret) {
+   pr_warn("Couldn't register LSM notifier. ret %d\n", ret);
+   goto err_ibnl_clients;
+   }
+
ib_cache_setup();
 
return 0;
 
+err_ibnl_clients:
+   ib_remove_ibnl_clients();
 err_sa:
ib_sa_cleanup();
 err_mad:
@@ -1098,6 +1150,7 @@ static int __init ib_core_init(void)
 
 static void __exit ib_core_cleanup(void)
 {
+   unregister_lsm_notifier(_lsm_nb);
ib_cache_cleanup();
ib_remove_ibnl_clients();
ib_sa_cleanup();
diff --git a/include/linux/security.h b/include/linux/security.h
index 342ca4c..d8c29cd 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -69,6 +69,14 @@
 struct user_namespace;
 struct timezone;
 
+enum lsm_event {
+   LSM_POLICY_CHANGE,
+};
+
+int call_lsm_notifier(enum lsm_event event, void *data);
+int register_lsm_notifier(struct notifier_block *nb);
+int unregister_lsm_notifier(struct notifier_block *nb);
+
 /* These functions are in security/commoncap.c */
 extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
   int cap, int audit);
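Review bot: call_lsm_notifier(), register_lsm_notifier() and unregister_lsm_notifier() are declared unconditionally here but are implemented in security/security.c, which is only built with CONFIG_SECURITY; drivers/infiniband/core/device.c in this patch calls register_lsm_notifier() and unregister_lsm_notifier() with no guard, so a CONFIG_SECURITY=n, CONFIG_INFINIBAND=y build will fail to link. Wrap the prototypes in `#ifdef CONFIG_SECURITY` and provide static inline stubs returning 0 in the `#else` branch.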
diff --git a/security/security.c b/security/security.c
index 7d3bf2f..40326d4 100644
--- a/security/security.c
+++ b/security/security.c
@@ -33,6 +33,8 @@
 /* Maximum number of letters for an LSM name string */
 #define SECURITY_NAME_MAX  10
 
+static 

[PATCH v4 2/9] IB/core: Enforce PKey security on QPs

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens 

Add new LSM hooks to allocate and free security contexts and check for
permission to access a PKey.

Allocate and free a security context when creating and destroying a QP.
This context is used for controlling access to PKeys.

When a request is made to modify a QP that changes the port, PKey index,
or alternate path, check that the QP has permission for the PKey in the
PKey table index on the subnet prefix of the port. If the QP is shared
make sure all handles to the QP also have access.

Store which port and PKey index a QP is using. After the reset to init
transition the user can modify the port, PKey index and alternate path
independently. So port and PKey settings changes can be a merge of the
previous settings and the new ones.

In order to maintain access control if there is a PKey table or subnet
prefix change, keep a list of all QPs that are using each PKey index on
each port. If a change occurs all QPs using that device and port must
have access enforced for the new cache settings.

These changes add a transaction to the QP modify process. Association
with the old port and PKey index must be maintained if the modify fails,
and must be removed if it succeeds. Association with the new port and
PKey index must be established prior to the modify and removed if the
modify fails.

1. When a QP is modified to a particular Port, PKey index or alternate
   path insert that QP into the appropriate lists.

2. Check permission to access the new settings.

3. If step 2 grants access attempt to modify the QP.

4a. If steps 2 and 3 succeed remove any prior associations.

4b. If either fails remove the new setting associations.

If a PKey table or subnet prefix changes walk the list of QPs and
check that they have permission. If not send the QP to the error state
and raise a fatal error event. If it's a shared QP make sure all the
QPs that share the real_qp have permission as well. If the QP that
owns a security structure is denied access the security structure is
marked as such and the QP is added to an error_list. Once moving
the QP to error is complete the security structure mark is cleared.

Maintaining the lists correctly turns QP destroy into a transaction.
The hardware driver for the device frees the ib_qp structure, so while
the destroy is in progress the ib_qp pointer in the ib_qp_security
struct is undefined. When the destroy process begins the ib_qp_security
structure is marked as destroying. This prevents any action from being
taken on the QP pointer. After the QP is destroyed successfully it
could still be listed on an error_list; wait for it to be processed by that
flow before cleaning up the structure.

If the destroy fails the QPs port and PKey settings are reinserted into
the appropriate lists, the destroying flag is cleared, and access control
is enforced, in case there were any cache changes during the destroy
flow.

To keep the security changes isolated a new file is used to hold security
related functionality.

issue: 736423
Change-Id: I0509141a57a8e08c91a9e0c059800251949b18e6
Signed-off-by: Daniel Jurgens 

---
v2:
- Squashed LSM hook additions. Paul Moore
- Changed security blobs to void*. Paul Moore

v3:
- Change parameter order of pkey_access hook. Paul Moore

Signed-off-by: Daniel Jurgens 
---
 drivers/infiniband/core/Makefile |   3 +-
 drivers/infiniband/core/cache.c  |  21 +-
 drivers/infiniband/core/core_priv.h  |  77 +
 drivers/infiniband/core/device.c |  33 ++
 drivers/infiniband/core/security.c   | 617 +++
 drivers/infiniband/core/uverbs_cmd.c |  20 +-
 drivers/infiniband/core/verbs.c  |  27 +-
 include/linux/lsm_hooks.h|  27 ++
 include/linux/security.h |  21 ++
 include/rdma/ib_verbs.h  |  48 +++
 security/Kconfig |   9 +
 security/security.c  |  31 ++
 12 files changed, 925 insertions(+), 9 deletions(-)
 create mode 100644 drivers/infiniband/core/security.c

diff --git a/drivers/infiniband/core/Makefile b/drivers/infiniband/core/Makefile
index edaae9f..da4e2c1 100644
--- a/drivers/infiniband/core/Makefile
+++ b/drivers/infiniband/core/Makefile
@@ -10,7 +10,8 @@ obj-$(CONFIG_INFINIBAND_USER_ACCESS) +=   ib_uverbs.o 
ib_ucm.o \
 ib_core-y :=   packer.o ud_header.o verbs.o cq.o rw.o sysfs.o \
device.o fmr_pool.o cache.o netlink.o \
roce_gid_mgmt.o mr_pool.o addr.o sa_query.o \
-   multicast.o mad.o smi.o agent.o mad_rmpp.o
+   multicast.o mad.o smi.o agent.o mad_rmpp.o \
+   security.o
 ib_core-$(CONFIG_INFINIBAND_USER_MEM) += umem.o
 ib_core-$(CONFIG_INFINIBAND_ON_DEMAND_PAGING) += umem_odp.o umem_rbtree.o
 
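Review bot: security.o is added to ib_core-y unconditionally, while core_priv.h (see patch 4/9 in this series) supplies static inline stubs for every ib_security_* and ib_mad_*_security function when CONFIG_SECURITY_INFINIBAND is not set. Either make the object conditional (`ib_core-$(CONFIG_SECURITY_INFINIBAND) += security.o`) or state in the commit message that security.c compiles to an empty object in that configuration, otherwise the stubs and the real definitions can end up in the same build.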
diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
index affc8ef..48eaeca 
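The QP modify transaction described in the commit message of patch 2/9 above (steps 1 to 4b, the merge of previous and new port/PKey settings, and the list walk when a PKey table or policy changes), as an added user-space model that is not code from the patch series: `pkey_lists`, `policy`, `modify_qp`, `enforce_cache_change` and the bitmask permission check are all constructed stand-ins for the kernel's pkey_index_qp_list and the ib_pkey_access LSM hook.

```c
/* User-space model of the QP modify transaction from patch 2/9. Structures,
 * the bitmask policy and all function names are constructed stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_PORTS 2
#define MAX_PKEYS 8
#define MOD_PORT  0x1   /* attribute mask: the modify carries a new port */
#define MOD_PKEY  0x2   /* attribute mask: the modify carries a new pkey index */

struct qp {
	int id;            /* 0..31, used as a bit in the list bitmasks */
	unsigned sid;      /* label of the task that created the QP */
	int port;          /* -1 until the first successful modify */
	int pkey_index;    /* -1 until the first successful modify */
	bool in_error;     /* set when a cache change revokes access */
};

/* Per-(port, pkey_index) list of QPs, kept as a bitmask of QP ids. */
static unsigned pkey_lists[MAX_PORTS][MAX_PKEYS];

/* Constructed policy: bitmask of pkey indexes each SID may access. */
static unsigned policy[4] = { 0xff, 0x03, 0x00, 0x00 };

void set_policy(unsigned sid, unsigned pkey_mask) { policy[sid] = pkey_mask; }

bool list_contains(int port, int pkey, int qpid)
{
	return ((pkey_lists[port][pkey] >> qpid) & 1u) != 0;
}
static void list_insert(int port, int pkey, int qpid) { pkey_lists[port][pkey] |= 1u << qpid; }
static void list_remove(int port, int pkey, int qpid) { pkey_lists[port][pkey] &= ~(1u << qpid); }

/* Stand-in for the ib_pkey_access hook: 0 when allowed, -EACCES otherwise. */
int pkey_access(unsigned sid, int pkey)
{
	return ((policy[sid] >> pkey) & 1u) ? 0 : -EACCES;
}

/* Steps 1 to 4b of the modify transaction. hw_ok simulates whether the
 * hardware driver's modify succeeds once access has been granted. */
int modify_qp(struct qp *qp, unsigned mask, int new_port, int new_pkey, bool hw_ok)
{
	/* Merge: settings absent from the mask keep the QP's previous values. */
	int port = (mask & MOD_PORT) ? new_port : qp->port;
	int pkey = (mask & MOD_PKEY) ? new_pkey : qp->pkey_index;
	int ret;

	if (port < 0 || port >= MAX_PORTS || pkey < 0 || pkey >= MAX_PKEYS)
		return -EINVAL;             /* no previous value to merge with */
	bool same = (port == qp->port && pkey == qp->pkey_index);

	if (!same)
		list_insert(port, pkey, qp->id);        /* 1: new association */
	ret = pkey_access(qp->sid, pkey);           /* 2: permission check */
	if (ret == 0 && !hw_ok)
		ret = -EIO;                             /* 3: driver modify failed */
	if (ret != 0) {
		if (!same)
			list_remove(port, pkey, qp->id);    /* 4b: drop new association */
		return ret;
	}
	if (!same && qp->port >= 0)
		list_remove(qp->port, qp->pkey_index, qp->id); /* 4a: drop old one */
	qp->port = port;
	qp->pkey_index = pkey;
	return 0;
}

/* PKey table or policy change: walk the (port, pkey_index) list and move
 * every QP that no longer has access to the error state. Returns the count. */
int enforce_cache_change(struct qp *qps, int nqps, int port, int pkey)
{
	int denied = 0;

	for (int i = 0; i < nqps; i++) {
		if (!list_contains(port, pkey, qps[i].id))
			continue;
		if (pkey_access(qps[i].sid, pkey) != 0) {
			qps[i].in_error = true;
			denied++;
		}
	}
	return denied;
}

int main(void)
{
	struct qp q = { .id = 1, .sid = 1, .port = -1, .pkey_index = -1 };

	printf("init on port 0, pkey 1: %d\n", modify_qp(&q, MOD_PORT | MOD_PKEY, 0, 1, true));
	printf("switch to pkey 5 (denied): %d\n", modify_qp(&q, MOD_PKEY, 0, 5, true));
	set_policy(1, 0x1);   /* policy tightened: pkey index 1 revoked for sid 1 */
	printf("QPs errored by policy change: %d\n", enforce_cache_change(&q, 1, 0, 1));
	return 0;
}
```

The failure paths are the point: a denied check or a failed driver modify leaves the QP on its old list only, and a later policy change finds it there.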

[PATCH v4 7/9] selinux: Implement Infiniband PKey "Access" access vector

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens 

Add a type and access vector for PKeys. Implement the ib_pkey_access
hook to check that the caller has permission to access the PKey on the
given subnet prefix. Add an interface to get the PKey SID. Walk the PKey
ocontexts to find an entry for the given subnet prefix and pkey.

issue: 736423
Change-Id: Ib3f7df9b5f98da77a6048855d146f9dcaceba336
Signed-off-by: Daniel Jurgens 

---
v2:
- Use void* blobs for security structs. Paul Moore
- Add pkey specific data to the audit log. Paul Moore
- Don't introduce a new initial sid, use unlabeled. Stephen Smalley

v3:
- Reorder parameters to pkey_access hook. Paul Moore

Signed-off-by: Daniel Jurgens 
---
 include/linux/lsm_audit.h   |  7 +++
 security/lsm_audit.c| 13 
 security/selinux/hooks.c| 23 +
 security/selinux/include/classmap.h |  2 ++
 security/selinux/include/security.h |  2 ++
 security/selinux/ss/services.c  | 41 +
 6 files changed, 88 insertions(+)

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index e58e577..402b770 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -45,6 +45,11 @@ struct lsm_ioctlop_audit {
u16 cmd;
 };
 
+struct lsm_pkey_audit {
+   u64 subnet_prefix;
+   u16 pkey;
+};
+
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
char type;
@@ -60,6 +65,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_DENTRY  10
 #define LSM_AUDIT_DATA_IOCTL_OP11
 #define LSM_AUDIT_DATA_FILE12
+#define LSM_AUDIT_DATA_PKEY13
union   {
struct path path;
struct dentry *dentry;
@@ -77,6 +83,7 @@ struct common_audit_data {
char *kmod_name;
struct lsm_ioctlop_audit *op;
struct file *file;
+   struct lsm_pkey_audit *pkey;
} u;
/* this union contains LSM specific data */
union {
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 37f04da..b18d277 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -410,6 +410,19 @@ static void dump_common_audit_data(struct audit_buffer *ab,
audit_log_format(ab, " kmod=");
audit_log_untrustedstring(ab, a->u.kmod_name);
break;
+   case LSM_AUDIT_DATA_PKEY: {
+   struct in6_addr sbn_pfx;
+
+   memset(_pfx.s6_addr, 0,
+  sizeof(sbn_pfx.s6_addr));
+
+   memcpy(_pfx.s6_addr, >u.pkey->subnet_prefix,
+  sizeof(a->u.pkey->subnet_prefix));
+
+   audit_log_format(ab, " pkey=0x%x subnet_prefix=%pI6c",
+a->u.pkey->pkey, _pfx);
+   break;
+   }
} /* switch (a->type) */
 }
 
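Review bot: the LSM_AUDIT_DATA_PKEY case memcpy()s the raw `u64 subnet_prefix` into the first eight bytes of `sbn_pfx.s6_addr` and prints it with %pI6c; that only renders the prefix in the expected order if callers already store it in network byte order. Please confirm the byte order of the value passed in (if it is host order, convert with cpu_to_be64() before the copy, and consider declaring the field `__be64` so sparse catches mismatches).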
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f48759d..20fb292 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6086,6 +6086,28 @@ static int selinux_key_getsecurity(struct key *key, char 
**_buffer)
 #endif
 
 #ifdef CONFIG_SECURITY_INFINIBAND
+static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 
pkey_val)
+{
+   struct common_audit_data ad;
+   int err;
+   u32 sid = 0;
+   struct ib_security_struct *sec = ib_sec;
+   struct lsm_pkey_audit pkey;
+
+   err = security_pkey_sid(subnet_prefix, pkey_val, );
+
+   if (err)
+   return err;
+
+   ad.type = LSM_AUDIT_DATA_PKEY;
+   pkey.subnet_prefix = subnet_prefix;
+   pkey.pkey = pkey_val;
+   ad.u.pkey = 
+   return avc_has_perm(sec->sid, sid,
+   SECCLASS_INFINIBAND_PKEY,
+   INFINIBAND_PKEY__ACCESS, );
+}
+
 static int selinux_ib_alloc_security(void **ib_sec)
 {
struct ib_security_struct *sec;
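Review bot: in selinux_ib_pkey_access() the `u32 sid = 0;` initialisation is dead, since security_pkey_sid() either sets `sid` or returns an error that is propagated; drop the `= 0` and instead add a short comment at the call noting that a pkey with no matching ocontext resolves to the unlabeled SID (as the v2 changelog states), so the fallback is visible where the decision is made.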
@@ -6290,6 +6312,7 @@ static void selinux_ib_free_security(void *ib_sec)
LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
 #ifdef CONFIG_SECURITY_INFINIBAND
+   LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
 #endif
diff --git a/security/selinux/include/classmap.h 
b/security/selinux/include/classmap.h
index 1f1f4b2..d42dd4d 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -165,5 +165,7 @@ struct security_class_mapping secclass_map[] = {
  { COMMON_CAP_PERMS, NULL } },
{ "cap2_userns",
  { COMMON_CAP2_PERMS, NULL } },
+   { "infiniband_pkey",
+ { "access", NULL } },
{ NULL }
   };
diff --git a/security/selinux/include/security.h 
b/security/selinux/include/security.h
index 

[PATCH v4 4/9] IB/core: Enforce security on management datagrams

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens 

Allocate and free a security context when creating and destroying a MAD
agent.  This context is used for controlling access to PKeys and sending
and receiving SMPs.

When sending or receiving a MAD check that the agent has permission to
access the PKey for the Subnet Prefix of the port.

During MAD and snoop agent registration for SMI QPs check that the
calling process has permission to manage the subnet and
register a callback with the LSM to be notified of policy changes. When
notification of a policy change occurs recheck permission and set a flag
indicating sending and receiving SMPs is allowed.

When sending and receiving MADs check that the agent has access to the
SMI if it's on an SMI QP.  Because security policy can change it's
possible permission was allowed when creating the agent, but no longer
is.

issue: 736423
Change-Id: I17343224da7e7ee0cc67dadd44c473e453d0
Signed-off-by: Daniel Jurgens 

---
v2:
- Squashed LSM hook additions. Paul Moore
- Changed security blobs to void*. Paul Moore
- Shorten end_port to port. Paul Moore
- Change "smp" to "manage_subnet". Paul Moore
- Use the LSM policy change notification and a flag to track permission
  instead of calling the LSM hook for every SMP. Dan Jurgens
- Squashed PKey and SMP enforcement into the same patch and moved the
  logic into security.c. Dan Jurgens

v3:
- ib_port -> ib_endport. Paul Moore
- Use notifier chains for LSM notification. Paul Moore
- Reorder LSM hook parameters to put sec first. Paul Moore

Signed-off-by: Daniel Jurgens 
---
 drivers/infiniband/core/core_priv.h | 35 ++
 drivers/infiniband/core/mad.c   | 52 +
 drivers/infiniband/core/security.c  | 92 +
 include/linux/lsm_hooks.h   |  8 
 include/linux/security.h|  6 +++
 include/rdma/ib_mad.h   |  4 ++
 security/security.c |  8 
 7 files changed, 197 insertions(+), 8 deletions(-)

diff --git a/drivers/infiniband/core/core_priv.h 
b/drivers/infiniband/core/core_priv.h
index 68e3de0..2c35162 100644
--- a/drivers/infiniband/core/core_priv.h
+++ b/drivers/infiniband/core/core_priv.h
@@ -37,6 +37,8 @@
 #include 
 
 #include 
+#include 
+#include "mad_priv.h"
 
 struct pkey_index_qp_list {
struct list_headpkey_index_list;
@@ -166,6 +168,11 @@ int ib_get_cached_subnet_prefix(struct ib_device *device,
u64  *sn_pfx);
 
 #ifdef CONFIG_SECURITY_INFINIBAND
+int ib_security_pkey_access(struct ib_device *dev,
+   u8 port_num,
+   u16 pkey_index,
+   void *sec);
+
 void ib_security_destroy_port_pkey_list(struct ib_device *device);
 
 void ib_security_cache_change(struct ib_device *device,
@@ -183,7 +190,19 @@ int ib_security_modify_qp(struct ib_qp *qp,
 void ib_destroy_qp_security_end(struct ib_qp_security *sec);
 int ib_open_shared_qp_security(struct ib_qp *qp, struct ib_device *dev);
 void ib_close_shared_qp_security(struct ib_qp_security *sec);
+int ib_mad_agent_security_setup(struct ib_mad_agent *agent,
+   enum ib_qp_type qp_type);
+void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent);
+int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index);
 #else
+static inline int ib_security_pkey_access(struct ib_device *dev,
+ u8 port_num,
+ u16 pkey_index,
+ void *sec)
+{
+   return 0;
+}
+
 static inline void ib_security_destroy_port_pkey_list(struct ib_device *device)
 {
 }
@@ -232,5 +251,21 @@ static inline int ib_open_shared_qp_security(struct ib_qp 
*qp,
 static inline void ib_close_shared_qp_security(struct ib_qp_security *sec)
 {
 }
+
+static inline int ib_mad_agent_security_setup(struct ib_mad_agent *agent,
+ enum ib_qp_type qp_type)
+{
+   return 0;
+}
+
+static inline void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent)
+{
+}
+
+static inline int ib_mad_enforce_security(struct ib_mad_agent_private *map,
+ u16 pkey_index)
+{
+   return 0;
+}
 #endif
 #endif /* _CORE_PRIV_H */
diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index 40cbd6b..b6041ec 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -40,9 +40,11 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 
 #include "mad_priv.h"
+#include "core_priv.h"
 #include "mad_rmpp.h"
 #include "smi.h"
 #include "opa_smi.h"
@@ -367,6 +369,12 @@ struct ib_mad_agent *ib_register_mad_agent(struct 
ib_device *device,
atomic_set(_agent_priv->refcount, 1);
init_completion(_agent_priv->comp);
 
+   ret2 = 

[PATCH v4 5/9] selinux: Create policydb version for Infiniband support

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens 

Support for Infiniband requires the addition of two new object contexts,
one for infiniband PKeys and another for IB Ports. Added handlers to read
and write the new ocontext types when reading or writing a binary policy
representation.

issue: 736423
Change-Id: I906bf7a1e0bd59c3cccdce278e5fe98ba8c404b8
Signed-off-by: Daniel Jurgens 
Reviewed-by: Eli Cohen 

---
v2:
- Shorten ib_end_port to ib_port. Paul Moore
- Added bounds checking to port number. Paul Moore
- Eliminated {} in OCON_PKEY case statement.  Yuval Shaia

v3:
- ib_port -> ib_endport. Paul Moore

v4:
- removed unneeded brackets in ocontext_read. Paul Moore

Signed-off-by: Daniel Jurgens 
---
 security/selinux/include/security.h |   3 +-
 security/selinux/ss/policydb.c  | 129 +++-
 security/selinux/ss/policydb.h  |  27 +---
 3 files changed, 135 insertions(+), 24 deletions(-)

diff --git a/security/selinux/include/security.h 
b/security/selinux/include/security.h
index 308a286..6bb9b0a 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -36,10 +36,11 @@
 #define POLICYDB_VERSION_DEFAULT_TYPE  28
 #define POLICYDB_VERSION_CONSTRAINT_NAMES  29
 #define POLICYDB_VERSION_XPERMS_IOCTL  30
+#define POLICYDB_VERSION_INFINIBAND31
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_XPERMS_IOCTL
+#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_INFINIBAND
 
 /* Mask for just the mount related flags */
 #define SE_MNTMASK 0x0f
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index d719db4..24e16da 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -17,6 +17,11 @@
  *
  *  Added support for the policy capability bitmap
  *
+ * Update: Mellanox Techonologies
+ *
+ * Added Infiniband support
+ *
+ * Copyright (C) 2016 Mellanox Techonologies
  * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
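Review bot: "Techonologies" is misspelled in both new header-comment lines (the Update line and the Copyright line); it should read "Mellanox Technologies", matching the spelling used in the hooks.c and objsec.h headers elsewhere in this series.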
@@ -76,81 +81,86 @@ struct policydb_compat_info {
{
.version= POLICYDB_VERSION_BASE,
.sym_num= SYM_NUM - 3,
-   .ocon_num   = OCON_NUM - 1,
+   .ocon_num   = OCON_NUM - 3,
},
{
.version= POLICYDB_VERSION_BOOL,
.sym_num= SYM_NUM - 2,
-   .ocon_num   = OCON_NUM - 1,
+   .ocon_num   = OCON_NUM - 3,
},
{
.version= POLICYDB_VERSION_IPV6,
.sym_num= SYM_NUM - 2,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_NLCLASS,
.sym_num= SYM_NUM - 2,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_MLS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_AVTAB,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_RANGETRANS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_POLCAP,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_PERMISSIVE,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_BOUNDARY,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_FILENAME_TRANS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_ROLETRANS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= 

[PATCH v4 9/9] selinux: Add a cache for quicker retrieval of PKey SIDs

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens 

It is likely that the SID for the same PKey will be requested many
times. To reduce the time to modify QPs and process MADs use a cache to
store PKey SIDs.

This code is heavily based on the "netif" and "netport" concept
originally developed by James Morris  and Paul Moore
 (see security/selinux/netif.c and
security/selinux/netport.c for more information)

issue: 736423
Change-Id: I176c3079d5d84d06839b4f750100ac47a6081e94
Signed-off-by: Daniel Jurgens 

---
v2:
- Renamed the files to ibpkey. Paul Moore
- Fixed a bracket indentation mismatch in sel_pkey_find. Yuval Shaia
- Change spin_lock_bh to spin_lock_irqsave to resolve HARDIRQ lockdep
  warning.  Dan Jurgens

Signed-off-by: Daniel Jurgens 
---
 security/selinux/Makefile |   2 +-
 security/selinux/hooks.c  |   4 +-
 security/selinux/ibpkey.c | 245 ++
 security/selinux/include/ibpkey.h |  31 +
 security/selinux/include/objsec.h |   6 +
 5 files changed, 286 insertions(+), 2 deletions(-)
 create mode 100644 security/selinux/ibpkey.c
 create mode 100644 security/selinux/include/ibpkey.h

diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index 3411c33..ff5895e 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -5,7 +5,7 @@
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
 
 selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
-netnode.o netport.o exports.o \
+netnode.o netport.o ibpkey.o exports.o \
 ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
 ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o
 
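Review bot: ibpkey.o is added to selinux-y unconditionally, but its only caller in this series is selinux_ib_pkey_access(), which sits under `#ifdef CONFIG_SECURITY_INFINIBAND`, and sel_pkey_flush() in the AVC reset callback; consider `selinux-$(CONFIG_SECURITY_INFINIBAND) += ibpkey.o` with a stub for sel_pkey_flush() so non-IB kernels do not carry the hash table and its spinlock.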
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ea3f6d0..619d2ea 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -90,6 +90,7 @@
 #include "netif.h"
 #include "netnode.h"
 #include "netport.h"
+#include "ibpkey.h"
 #include "xfrm.h"
 #include "netlabel.h"
 #include "audit.h"
@@ -174,6 +175,7 @@ static int selinux_netcache_avc_callback(u32 event)
 static int selinux_lsm_notifier_avc_callback(u32 event)
 {
if (event == AVC_CALLBACK_RESET) {
+   sel_pkey_flush();
call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
}
return 0;
@@ -6094,7 +6096,7 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 
subnet_prefix, u16 pkey_val)
struct ib_security_struct *sec = ib_sec;
struct lsm_pkey_audit pkey;
 
-   err = security_pkey_sid(subnet_prefix, pkey_val, );
+   err = sel_pkey_sid(subnet_prefix, pkey_val, );
 
if (err)
return err;
diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c
new file mode 100644
index 000..6e52c54
--- /dev/null
+++ b/security/selinux/ibpkey.c
@@ -0,0 +1,245 @@
+/*
+ * Pkey table
+ *
+ * SELinux must keep a mapping of Infinband PKEYs to labels/SIDs.  This
+ * mapping is maintained as part of the normal policy but a fast cache is
+ * needed to reduce the lookup overhead.
+ *
+ * This code is heavily based on the "netif" and "netport" concept originally
+ * developed by
+ * James Morris  and
+ * Paul Moore 
+ *   (see security/selinux/netif.c and security/selinux/netport.c for more
+ *   information)
+ *
+ */
+
+/*
+ * (c) Mellanox Technologies, 2016
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ */
+
+#include 
+#include 
+#include 
+#include 
+
+#include "ibpkey.h"
+#include "objsec.h"
+
+#define SEL_PKEY_HASH_SIZE   256
+#define SEL_PKEY_HASH_BKT_LIMIT   16
+
+struct sel_pkey_bkt {
+   int size;
+   struct list_head list;
+};
+
+struct sel_pkey {
+   struct pkey_security_struct psec;
+   struct list_head list;
+   struct rcu_head rcu;
+};
+
+static LIST_HEAD(sel_pkey_list);
+static DEFINE_SPINLOCK(sel_pkey_lock);
+static struct sel_pkey_bkt sel_pkey_hash[SEL_PKEY_HASH_SIZE];
+
+/**
+ * sel_pkey_hashfn - Hashing function for the pkey table
+ * @pkey: pkey number
+ *
+ * Description:
+ * This is the hashing function for the pkey table, it returns the bucket
+ * number for the given pkey.
+ *
+ */
+static unsigned int sel_pkey_hashfn(u16 pkey)
+{
+   return (pkey & (SEL_PKEY_HASH_SIZE - 1));
+}
+
+/**
+ * sel_pkey_find - Search for a pkey record
+ * @subnet_prefix: subnet_prefix
+ * @pkey_num: pkey_num
+ *
+ * Description:
+ * Search the pkey table and return the matching record.  If an entry
+ * can not be 
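Review bot: "Infinband" in the new file's header comment should be "Infiniband". Also, sel_pkey_hashfn() buckets on the pkey value alone, so the same pkey on different subnets always lands in one bucket; that is acceptable only if sel_pkey_find() compares both subnet_prefix and pkey_num when walking the bucket, which the truncated hunk does not show, so please confirm and mention it in the hashfn comment.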

[PATCH v4 8/9] selinux: Add IB Port SMP access vector

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens 

Add a type for Infiniband ports and an access vector for subnet
management packets. Implement the ib_port_smp hook to check that the
caller has permission to send and receive SMPs on the end port specified
by the device name and port. Add interface to query the SID for an IB
port, which walks the IB_PORT ocontexts to find an entry for the
given name and port.

issue: 736423
Change-Id: If8b365f3cf32e77a2060073f1a53e27ea846804d
Signed-off-by: Daniel Jurgens 

---
v2:
- Shortened ib_end_port. Paul Moore
- Pass void blobs to security hooks. Paul Moore
- Log specific IB port info in audit log. Paul Moore
- Don't create a new initial sid, use unlabeled. Stephen Smalley
- Changed "smp" to "manage_subnet". Paul Moore

v3:
- ib_port -> ib_endport. Paul Moore
- Don't log device name as untrusted string. Paul Moore
- Reorder parameters of LSM hook. Paul Moore

Signed-off-by: Daniel Jurgens 
---
 include/linux/lsm_audit.h   |  8 +++
 security/lsm_audit.c|  5 +
 security/selinux/hooks.c| 25 ++
 security/selinux/include/classmap.h |  2 ++
 security/selinux/include/security.h |  2 ++
 security/selinux/ss/services.c  | 42 +
 6 files changed, 84 insertions(+)

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 402b770..7047b4c 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -21,6 +21,7 @@
 #include 
 #include 
 #include 
+#include 
 
 struct lsm_network_audit {
int netif;
@@ -50,6 +51,11 @@ struct lsm_pkey_audit {
u16 pkey;
 };
 
+struct lsm_ib_endport_audit {
+   chardev_name[IB_DEVICE_NAME_MAX];
+   u8  port_num;
+};
+
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
char type;
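Review bot: struct lsm_ib_endport_audit embeds a char dev_name[IB_DEVICE_NAME_MAX] array, which forces a copy of the device name on every hook invocation and pulls an RDMA header into the generic LSM audit header just for the constant; the audit record only needs to read the name while the hook runs, so a const char *dev_name would avoid both the copy and the dependency, in line with the other members of this union (path, dentry, file), which are references rather than copies.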
@@ -66,6 +72,7 @@ struct common_audit_data {
 #define LSM_AUDIT_DATA_IOCTL_OP11
 #define LSM_AUDIT_DATA_FILE12
 #define LSM_AUDIT_DATA_PKEY13
+#define LSM_AUDIT_DATA_IB_ENDPORT 14
union   {
struct path path;
struct dentry *dentry;
@@ -84,6 +91,7 @@ struct common_audit_data {
struct lsm_ioctlop_audit *op;
struct file *file;
struct lsm_pkey_audit *pkey;
+   struct lsm_ib_endport_audit *ib_endport;
} u;
/* this union contains LSM specific data */
union {
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index b18d277..549fe9d 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -423,6 +423,11 @@ static void dump_common_audit_data(struct audit_buffer *ab,
 a->u.pkey->pkey, _pfx);
break;
}
+   case LSM_AUDIT_DATA_IB_ENDPORT:
+   audit_log_format(ab, " device=%s port_num=%u",
+a->u.ib_endport->dev_name,
+a->u.ib_endport->port_num);
+   break;
} /* switch (a->type) */
 }
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 20fb292..ea3f6d0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6108,6 +6108,29 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 
subnet_prefix, u16 pkey_val)
INFINIBAND_PKEY__ACCESS, );
 }
 
+static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
+   u8 port_num)
+{
+   struct common_audit_data ad;
+   int err;
+   u32 sid = 0;
+   struct ib_security_struct *sec = ib_sec;
+   struct lsm_ib_endport_audit ib_endport;
+
+   err = security_ib_endport_sid(dev_name, port_num, );
+
+   if (err)
+   return err;
+
+   ad.type = LSM_AUDIT_DATA_IB_ENDPORT;
+   strncpy(ib_endport.dev_name, dev_name, sizeof(ib_endport.dev_name));
+   ib_endport.port_num = port_num;
+   ad.u.ib_endport = _endport;
+   return avc_has_perm(sec->sid, sid,
+   SECCLASS_INFINIBAND_ENDPORT,
+   INFINIBAND_ENDPORT__MANAGE_SUBNET, );
+}
+
 static int selinux_ib_alloc_security(void **ib_sec)
 {
struct ib_security_struct *sec;
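Review bot: the line `strncpy(ib_endport.dev_name, dev_name, sizeof(ib_endport.dev_name));` does not NUL-terminate the copy when the source fills the buffer, and dump_common_audit_data() prints dev_name with %s; use strlcpy(), or keep a pointer to the caller's string in the audit struct, so the audit path can never read past the array. The `u32 sid = 0;` initialiser is also unnecessary, since the only path that reaches avc_has_perm() is the one where security_ib_endport_sid() succeeded and set it.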
@@ -6313,6 +6336,8 @@ static void selinux_ib_free_security(void *ib_sec)
LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
 #ifdef CONFIG_SECURITY_INFINIBAND
LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
+   LSM_HOOK_INIT(ib_endport_manage_subnet,
+ selinux_ib_endport_manage_subnet),
LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
 #endif
diff --git a/security/selinux/include/classmap.h 
b/security/selinux/include/classmap.h
index d42dd4d..f93b64b 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h

[PATCH v4 1/9] IB/core: IB cache enhancements to support Infiniband security

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens 

Cache the subnet prefix and add a function to access it. Enforcing
security requires frequent queries of the subnet prefix and the pkeys in
the pkey table.

Also removed an unneeded pr_warn about memory allocation failure.

issue: 736423
Change-Id: Ifdef64b097a8d1d55db65f08ce401d9d2e4b025e
Signed-off-by: Daniel Jurgens 
Reviewed-by: Eli Cohen 
Reviewed-by: Leon Romanovsky 

---
v2:
- In ib_get_cached_subnet_prefix wait to initialize p until after
  validation.  Yuval Shaia

Signed-off-by: Daniel Jurgens 
---
 drivers/infiniband/core/cache.c | 36 ++--
 drivers/infiniband/core/core_priv.h |  3 +++
 include/rdma/ib_verbs.h |  1 +
 3 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
index 1a2984c..affc8ef 100644
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -934,6 +934,26 @@ int ib_get_cached_pkey(struct ib_device *device,
 }
 EXPORT_SYMBOL(ib_get_cached_pkey);
 
+int ib_get_cached_subnet_prefix(struct ib_device *device,
+   u8port_num,
+   u64  *sn_pfx)
+{
+   unsigned long flags;
+   int p;
+
+   if (port_num < rdma_start_port(device) ||
+   port_num > rdma_end_port(device))
+   return -EINVAL;
+
+   p = port_num - rdma_start_port(device);
+   read_lock_irqsave(>cache.lock, flags);
+   *sn_pfx = device->cache.subnet_prefix_cache[p];
+   read_unlock_irqrestore(>cache.lock, flags);
+
+   return 0;
+}
+EXPORT_SYMBOL(ib_get_cached_subnet_prefix);
+
 int ib_find_cached_pkey(struct ib_device *device,
u8port_num,
u16   pkey,
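Review bot: ib_get_cached_subnet_prefix() is EXPORT_SYMBOL'd here but its prototype is added only to the private core_priv.h (see that hunk further down), so nothing outside ib_core can call it without declaring it by hand; either drop the export if ib_core's own security code is the sole consumer, or move the declaration to the public ib_cache.h next to ib_get_cached_pkey(). The range check on port_num before p is computed matches the v2 changelog.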
@@ -1110,6 +1130,8 @@ static void ib_cache_update(struct ib_device *device,
 
device->cache.lmc_cache[port - rdma_start_port(device)] = tprops->lmc;
 
+   device->cache.subnet_prefix_cache[port - rdma_start_port(device)] =
+   tprops->subnet_prefix;
write_unlock_irq(>cache.lock);
 
kfree(gid_cache);
@@ -1168,9 +1190,18 @@ int ib_cache_setup_one(struct ib_device *device)
  (rdma_end_port(device) -
   rdma_start_port(device) + 1),
  GFP_KERNEL);
+
+   device->cache.subnet_prefix_cache =
+   kcalloc((rdma_end_port(device) - rdma_start_port(device) + 1),
+   sizeof(*device->cache.subnet_prefix_cache),
+   GFP_KERNEL);
+
if (!device->cache.pkey_cache ||
-   !device->cache.lmc_cache) {
-   pr_warn("Couldn't allocate cache for %s\n", device->name);
+   !device->cache.lmc_cache ||
+   !device->cache.subnet_prefix_cache) {
+   kfree(device->cache.pkey_cache);
+   kfree(device->cache.lmc_cache);
+   kfree(device->cache.subnet_prefix_cache);
return -ENOMEM;
}
 
@@ -1213,6 +1244,7 @@ void ib_cache_release_one(struct ib_device *device)
gid_table_release_one(device);
kfree(device->cache.pkey_cache);
kfree(device->cache.lmc_cache);
+   kfree(device->cache.subnet_prefix_cache);
 }
 
 void ib_cache_cleanup_one(struct ib_device *device)
diff --git a/drivers/infiniband/core/core_priv.h 
b/drivers/infiniband/core/core_priv.h
index 19d499d..ce826e4 100644
--- a/drivers/infiniband/core/core_priv.h
+++ b/drivers/infiniband/core/core_priv.h
@@ -153,4 +153,7 @@ int ib_nl_handle_set_timeout(struct sk_buff *skb,
 int ib_nl_handle_ip_res_resp(struct sk_buff *skb,
 struct netlink_callback *cb);
 
+int ib_get_cached_subnet_prefix(struct ib_device *device,
+   u8port_num,
+   u64  *sn_pfx);
 #endif /* _CORE_PRIV_H */
diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
index 5ad43a4..db178fd 100644
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -1761,6 +1761,7 @@ struct ib_cache {
struct ib_pkey_cache  **pkey_cache;
struct ib_gid_table   **gid_cache;
u8 *lmc_cache;
+   u64*subnet_prefix_cache;
 };
 
 struct ib_dma_mapping_ops {
-- 
1.8.3.1



[PATCH v4 0/9] SELinux support for Infiniband RDMA

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens 

Infiniband applications access HW from user-space -- traffic is generated
directly by HW, bypassing the kernel. Consequently, Infiniband Partitions,
which are associated directly with HW transport endpoints, are a natural
choice for enforcing granular mandatory access control for Infiniband. QPs may
only send or receive packets tagged with the corresponding partition key
(PKey). The PKey is not a cryptographic key; it's a 16 bit number identifying
the partition.

Every Infiniband fabric is controlled by a central Subnet Manager (SM). The SM
provisions the partitions by assigning each port with the partitions it can
access. In addition, the SM tags each port with a subnet prefix, which
identifies the subnet. Determining which users are allowed to access which
partition keys on a given subnet forms an effective policy for isolating users
on the fabric. Any application that attempts to send traffic on a given subnet
is automatically subject to the policy, regardless of which device and port it
uses. SM software configures the subnet through a privileged Subnet Management
Interface (SMI), which is presented by each Infiniband port. Thus, the SMI must
also be controlled to prevent unauthorized changes to fabric configuration and
partitioning. 

To support access control for IB partitions and subnet management, security
contexts must be provided for two new types of objects - PKeys and IB ports.

A PKey label consists of a subnet prefix and a range of PKey values and is
similar to the labeling mechanism for netports. Each Infiniband port can reside
on a different subnet. So labeling the PKey values for specific subnet prefixes
provides the user maximum flexibility, as PKey values may be determined
independently for different subnets. There is a single access vector for PKeys
called "access".

An Infiniband port is labeled by device name and port number. There is a single
access vector for IB ports called "manage_subnet".

Because RDMA allows kernel bypass, enforcement must be done during connection
setup. Communication over RDMA requires a send and receive queue, collectively
known as a Queue Pair (QP). A QP must be initialized by privileged system calls
before it can be used to send or receive data. During initialization the user
must provide the PKey and port the QP will use; at this time access control can
be enforced.

Because there is a possibility that the enforcement settings or security
policy can change, a means of notifying the ib_core module of such changes
is required. To facilitate this a generic notification callback mechanism
is added to the LSM. One callback is registered for checking the QP PKey
associations when the policy changes. MAD agents also register a callback;
they cache the permission to send and receive SMPs to avoid another per-packet
call to the LSM.

Because frequent accesses to the same PKey's SID are expected, a cache is
implemented which is very similar to the netport cache.

In order to properly enforce security when changes to the PKey table or
security policy or enforcement occur ib_core must track which QPs are
using which port, pkey index, and alternate path for every IB device.
This makes operations that used to be atomic transactional.

When modifying a QP, ib_core must associate it with the PKey index, port,
and alternate path specified. If the QP was already associated with
different settings, the QP is added to the new list prior to the
modification. If the modify succeeds then the old listing is removed. If
the modify fails the new listing is removed and the old listing remains
unchanged.

When destroying a QP the ib_qp structure is freed by the device specific
driver (i.e. mlx4_ib) if the 'destroy' is successful. This requires storing
security related information in a separate structure. When a 'destroy'
request is in process the ib_qp structure is in an undefined state so if
there are changes to the security policy or PKey table, the security checks
cannot reset the QP if it doesn't have permission for the new setting. If
the 'destroy' fails, security for that QP must be enforced again and its
status in the list is restored. If the 'destroy' succeeds the security info
can be cleaned up and freed.

There are a number of locks required to protect the QP security structure
and the QP to device/port/pkey index lists. If multiple locks are required,
the safe locking order is: QP security structure mutex first, followed by
any list locks needed, which are sorted first by port followed by pkey
index.

---
v2:
- Use void* blobs in the LSM hooks. Paul Moore
- Make the policy change callback generic. Yuval Shaia, Paul Moore
- Squash LSM changes into the patches where the calls are added. Paul Moore
- Don't add new initial SIDs. Stephen Smalley
- Squash MAD agent PKey and SMI patches and move logic to IB security. Dan 
Jurgens
- Changed ib_end_port to ib_port. Paul Moore
- Changed ib_port access vector from smp to manage_subnet. 
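The PKey labeling and the PKey SID cache described in this cover letter (and the sel_pkey table of patch 6/9), as an added user-space model rather than the kernel's code: a label is (subnet prefix, inclusive PKey range, SID), the cache hashes on the pkey value with the same power-of-two mask and per-bucket limit, a flush models what the policy-change notification must do, and qp_may_use_pkey is the check a QP passes at setup. The SIDs, subnet prefixes, allow rules and the SID_UNLABELED value are all constructed.

```c
/* Added user-space model, not the kernel's code; all SIDs, prefixes and rules are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#define SEL_PKEY_HASH_SIZE      256  /* the mask in sel_pkey_hashfn needs a power of two */
#define SEL_PKEY_HASH_BKT_LIMIT 16
#define SID_UNLABELED           3u   /* constructed stand-in for the kernel's unlabeled SID */
/* One PKey label: a subnet prefix plus an inclusive PKey range, mapped to a SID. */
struct pkey_ocontext { uint64_t subnet_prefix; uint16_t low, high; uint32_t sid; };
/* Constructed policy: two subnets, the same PKey value labeled differently on each. */
static const struct pkey_ocontext ocontexts[] = {
    { 0xfe80000000000000ULL, 0x0000, 0x7fff, 10 },
    { 0xfe80000000000000ULL, 0x8001, 0x8001, 11 },
    { 0xfe80000000000001ULL, 0x8001, 0x8001, 12 },
};
/* Constructed allow rules: (subject SID, pkey SID) pairs granted infiniband_pkey:access. */
static const uint32_t allow_rules[][2] = { { 100, 10 }, { 101, 11 }, { 101, 12 } };
struct sel_pkey { uint64_t subnet_prefix; uint16_t pkey; uint32_t sid; struct sel_pkey *next; };
struct sel_pkey_bkt { int size; struct sel_pkey *head; };
static struct sel_pkey_bkt sel_pkey_hash[SEL_PKEY_HASH_SIZE];
static unsigned long slow_path_hits;

static unsigned int sel_pkey_hashfn(uint16_t pkey)
{
    return pkey & (SEL_PKEY_HASH_SIZE - 1);
}

/* Slow path (models the ocontext walk): first matching label wins, otherwise unlabeled. */
static uint32_t security_pkey_sid_model(uint64_t subnet_prefix, uint16_t pkey)
{
    slow_path_hits++;
    for (size_t i = 0; i < sizeof ocontexts / sizeof ocontexts[0]; i++)
        if (ocontexts[i].subnet_prefix == subnet_prefix &&
            pkey >= ocontexts[i].low && pkey <= ocontexts[i].high)
            return ocontexts[i].sid;
    return SID_UNLABELED;
}

/* Fast path: the bucket depends on the pkey alone, so the prefix must be compared too. */
static struct sel_pkey *sel_pkey_find(uint64_t subnet_prefix, uint16_t pkey)
{
    for (struct sel_pkey *p = sel_pkey_hash[sel_pkey_hashfn(pkey)].head; p; p = p->next)
        if (p->subnet_prefix == subnet_prefix && p->pkey == pkey)
            return p;
    return NULL;
}

/* Insert at the head; past the bucket limit drop the tail, the oldest entry. */
static void sel_pkey_insert(uint64_t subnet_prefix, uint16_t pkey, uint32_t sid)
{
    struct sel_pkey_bkt *bkt = &sel_pkey_hash[sel_pkey_hashfn(pkey)];
    struct sel_pkey *n = malloc(sizeof *n), **pp;
    if (!n)
        return; /* a failed cache insert is harmless; the slow path still answers */
    n->subnet_prefix = subnet_prefix; n->pkey = pkey; n->sid = sid; n->next = bkt->head;
    bkt->head = n;
    if (++bkt->size <= SEL_PKEY_HASH_BKT_LIMIT)
        return;
    for (pp = &bkt->head; (*pp)->next; pp = &(*pp)->next)
        ;
    free(*pp);
    *pp = NULL;
    bkt->size--;
}

uint32_t sel_pkey_sid(uint64_t subnet_prefix, uint16_t pkey)
{
    struct sel_pkey *p = sel_pkey_find(subnet_prefix, pkey);
    uint32_t sid = p ? p->sid : security_pkey_sid_model(subnet_prefix, pkey);
    if (!p)
        sel_pkey_insert(subnet_prefix, pkey, sid);
    return sid;
}

/* What the policy-change notification must do: every cached mapping is stale, drop it all. */
void sel_pkey_flush(void)
{
    for (unsigned int b = 0; b < SEL_PKEY_HASH_SIZE; b++) {
        while (sel_pkey_hash[b].head) {
            struct sel_pkey *p = sel_pkey_hash[b].head;
            sel_pkey_hash[b].head = p->next;
            free(p);
        }
        sel_pkey_hash[b].size = 0;
    }
}

int sel_pkey_bucket_size(unsigned int bucket) { return sel_pkey_hash[bucket & (SEL_PKEY_HASH_SIZE - 1)].size; }
unsigned long sel_pkey_slow_path_hits(void) { return slow_path_hits; }

/* The check a QP must pass when it is bound to a port and PKey at setup time. */
bool qp_may_use_pkey(uint32_t ssid, uint64_t subnet_prefix, uint16_t pkey)
{
    uint32_t tsid = sel_pkey_sid(subnet_prefix, pkey);
    for (size_t i = 0; i < sizeof allow_rules / sizeof allow_rules[0]; i++)
        if (allow_rules[i][0] == ssid && allow_rules[i][1] == tsid)
            return true;
    return false;
}
```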

Re: [RFC] Split up policycoreutils

2016-11-08 Thread Stephen Smalley
On 10/31/2016 02:05 PM, Stephen Smalley wrote:
> On 10/21/2016 01:47 PM, Stephen Smalley wrote:
>> Hi,
>>
>> policycoreutils started life as a small set of utilities that were
>> necessary or at least widely used in production on a SELinux system.
>> Over time though it has grown to include many optional components, and
>> even within a given subdirectory (e.g. sepolicy) there seem to be a
>> number of components that should be optional (e.g. the dbus service).
>> I'd like to propose that we move a number of components out of
>> policycoreutils into their own top-level subdirectory (possibly grouping
>> some of the related ones together).
>>
>> Some possible components to move and the rationale for doing so include:
>>
>> - gui: not required for operation.  Unsure if this is even used outside
>> of Fedora, or how widely it is used within Fedora compared to the
>> command line tools. Packaged separately by Fedora as part of
>> policycoreutils-gui.
>>
>> - mcstrans: not required for operation outside of MLS environments (and
>> even there, only if using that label encoding functionality), not built
>> by default even upstream (omitted from policycoreutils/Makefile).
>> Packaged separately in Fedora as mcstrans.
>>
>> - restorecond: not required for operation, adds dbus and glib
>> dependencies, largely obsoleted by name-based type transition support in
>> the kernel.  Packaged separately in Fedora as policycoreutils-restorecond.
>>
>> - sandbox: not required for basic operation of SELinux.  Packaged
>> separately by Fedora as policycoreutils-sandbox.
>>  restorecond
>> - semodule_deps/expand/link: developer tools only, not required for
>> operation, unlike semodule.  Packaged separately by Fedora as part of
>> policycoreutils-devel.
>>
>> - sepolicy/{org.selinux*,selinux_client.py,selinux_server.py}: D-BUS
>> service for managing SELinux, not required for basic operation, not
>> desirable in high security environments. Packaged separately by Fedora
>> as part of policycoreutils-gui.  Could perhaps be combined with the gui
>> above, although I think they are logically distinct.
>>
>> We could of course go further, but those seem to be the most obvious
>> candidates.
>>
>> Thoughts?
> 
> For discussion purposes, I've pushed a splitpolicycoreutils branch that
> moves the above components and others identified in the discussion
> thread, and makes it easy to omit the non-core components from the
> build.  Take a look and see what you think.  Known issues:
> 
> - I did not deal with splitting the policycoreutils/po files and moving
> them around.  Not sure what the best way to handle that is.
> 
> - python/sepolicy likely needs further rearrangement. I am unclear on
> the purpose/use of the desktop file and pixmaps; if those are only for
> the gui, then they can be moved to gui/, but I don't understand why they
> are called sepolicy* or located here.  Also, should
> python/sepolicy/sepolicy/sedbus.py be moved over to dbus/ or stay here?
> Dan?
> 
> - dbus/selinux_client.py (formerly
> policycoreutils/sepolicy/selinux_client.py) seems like leftover testing
> cruft.  Remove?
> 
> - restorecond presently reuses source code directly from setfiles, so
> building it as a separate package may be a nuisance.  OTOH, I'm not
> entirely clear on whether restorecond needs to be kept around at all
> anymore?
> 
> - policycoreutils/sepolgen-ifgen contains a single C program,
> sepolgen-ifgen-attr-helper, that is only used by
> python/audit2allow/sepolgen-ifgen.  Any reason to not just coalesce it
> into python/audit2allow even though it is not python itself?
> 
> - After the restructuring, the only script left in policycoreutils is
> fixfiles.  Technically, that's not required for production either as one
> can always just run setfiles or restorecon directly, but distros seem to
> rely on it.  Is it worth moving just to free policycoreutils of any bash
> dependencies, and if so, where?
> 
> - I moved policycoreutils/semodule_{deps,expand,link} into a new
> semodule-utils directory.  This might however be slightly confusing
> since semodule and semodule_package remain in policycoreutils since they
> are required and not merely for developers.  Feel free to suggest
> another name or structure.  Actually, I guess semodule_package might be
> optional now with CIL, so perhaps that one can be moved too.

I've made further changes on the splitpolicycoreutils branch based on
the discussion (as well as rebasing it on latest master).  This is a
call for final comments or objections before merging it to master.  With
the current branch, we will have the following source tar files in a
release:

Unchanged:
* libsepol
* libselinux
* libsemanage
* checkpolicy
* secilc

Modified or new:
* policycoreutils (containing only hll, load_policy, newrole, run_init,
scripts/fixfiles, secon, semodule, sestatus, setfiles, setsebool)
* mcstrans
* restorecond
* semodule-utils (containing semodule_package, semodule_link,
semodule_expand, semodule_deps)
* 

GPF in sidtab_context_to_sid

2016-11-08 Thread Roberts, William C
I found a very similar oops online:
http://oops.kernel.org/oops/general-protection-fault-in-sidtab_context_to_sid/

Has anyone encountered this bug?

I had something reported to me very similar where the faulting instruction was:

0x8133c81e <+174>:   mov0x14(%r12),%eax

Addr2line on vmlinux produced:
$ addr2line -f -e ./vmlinux 8133c81e
context_cmp
kernel/cht/security/selinux/ss/context.h:152

Actual Dump:

[131436.409639] general protection fault:  [#1] PREEMPT SMP
[131436.416085] Modules linked in: tcp_diag inet_diag
atomisp_css2401a0_v21 videobuf_vmalloc videobuf_core bt_lpm
rfkill_gpio 8723bs(O) cfg80211 ov2680 ov8858_driver silead_ts ltr501
bmg160 ak09911 kxcjk_1013
[131436.436623] CPU: 3 PID: 3177 Comm: SettingsProvide Tainted: G        W  O 3.14.70-x86_64-02246-g49319b8 #1
[131436.447500] Hardware name: XXX CHTMRD.A6.002.016 09/20/2016
[131436.456542] task: 88006039cb30 ti: 88005e2ea000 task.ti: 88005e2ea000
[131436.465000] RIP: 0010:[]
[131436.469579]  [] sidtab_context_to_sid+0xae/0x480
[131436.476783] RSP: 0018:88005e2ebae0  EFLAGS: 00010286
[131436.482814] RAX: fff9f9f9 RBX: 82776540 RCX:
[131436.490884] RDX:  RSI:  RDI: 82776540
[131436.498953] RBP: 88005e2ebb28 R08: 88005e2ebb88 R09:
[131436.507022] R10: 88007826c000 R11: 2f2f2f2f2f2f2f2f R12: fff9f9f9fff9f9f9
[131436.515091] R13: 88005e2ebba0 R14: 88005e2ebbb8 R15: 0068
[131436.523160] FS:  d1efbe00(006b) GS:88007938(0063) knlGS:d1a77960
[131436.532297] CS:  0010 DS: 002b ES: 002b CR0: 80050033
[131436.538813] CR2: 72e67750 CR3: 5e1ba000 CR4: 001007e0
[131436.699204] Call Trace:
[131436.702036]  [] ? mls_context_isvalid+0x2e/0xb0
[131436.708944]  [] security_compute_sid.part.10+0x43f/0x550
[131436.716727]  [] ? search_dir+0x40/0x120
[131436.722851]  [] security_compute_sid+0x4e/0x50
[131436.729660]  [] security_transition_sid+0x2d/0x40
[131436.736762]  [] may_create+0x96/0x100
[131436.742699]  [] selinux_inode_create+0x13/0x20
[131436.749509]  [] security_inode_create+0x1f/0x30
[131436.756417]  [] vfs_create+0x8e/0x140
[131436.762353]  [] do_last+0x7e1/0x1210
[131436.768192]  [] ? link_path_walk+0x8c/0xfb0
[131436.774712]  [] ? kmem_cache_alloc_trace+0xe1/0x1d0
[131436.782008]  [] ? selinux_file_alloc_security+0x3c/0x60
[131436.789692]  [] path_openat+0xbb/0x6d0
[131436.795724]  [] ? SYSC_renameat+0xe8/0x3f0
[131436.802146]  [] do_filp_open+0x3a/0xa0
[131436.808179]  [] ? _raw_spin_unlock+0x18/0x40
[131436.814795]  [] ? __alloc_fd+0xa7/0x130
[131436.820925]  [] do_sys_open+0x12c/0x220
[131436.827056]  [] compat_SyS_openat+0x11/0x20
[131436.833574]  [] sysenter_dispatch+0x7/0x1f
[131436.839997]  [] ? trace_hardirqs_on_thunk+0x3a/0x3c
[131436.847289] Code: 02 00 00 66 2e 0f 1f 84 00 00 00 00 00 41 8b 50 0c 85 d2 74 08 39 d0 0f 84 70 02 00 00 4d 8b 64 24 50 4d 85 e4 0f 84 92 02 00 00 <41> 8b 44 24 14 85 c0 75 d9 41 8b 48 0c 85 c9 75 e1 49 8b 00 49
[131436.869023] RIP
[131436.870977]  [] sidtab_context_to_sid+0xae/0x480
[131436.878180]  RSP 
[131436.882285] ---[ end trace 4c33bfa820f020fe ]---


Re: [PATCH 1/1] libselinux, libsemanage: remove *swig_python_exception.i if its creation failed

2016-11-08 Thread William Roberts
On Mon, Nov 7, 2016 at 2:07 PM, Nicolas Iooss  wrote:
> On 07/11/16 22:19, William Roberts wrote:
>> On Nov 7, 2016 13:03, "Stephen Smalley" > > wrote:
>>>
>>> On 11/05/2016 05:24 PM, Nicolas Iooss wrote:
>>> > When compiling libselinux with CC=clang, "make pywrap" reports the
>>> > following message:
>>> >
>>> > bash exception.sh > selinuxswig_python_exception.i
>>> > clang-3.9: error: no such file or directory: 'temp.aux'
>>> > awk: fatal: cannot open file `temp.aux' for reading (No such file or
>>> > directory)
>>> >
>>> > This does not make the build fail as exception.sh returns an "OK"
>>> > status. Use "bash -e" with this script to make it return an error value.
>>> >
>>> > In order not to keep an empty selinuxswig_python_exception.i file after
>>> > a build fails (which would make a second run of "make pywrap"
>> incorrectly
>>> > succeed), remove the file when exception.sh fails.
>>> >
>>> > As libsemanage uses the same code to build
>>> > semanageswig_python_exception.i, modify its Makefile too.
>>> >
>>> > By the way, on Linux clang does not seem to currently support -aux-info
>>> > so it cannot be used to craft selinuxswig_python_exception.i.
>>>
>>> Thanks, applied all three.  Maybe we need to just always set CC to gcc
>>> in exception.sh?
>>>
>>
>> What if you don't have GCC? We should support CC consistently and not
>> set it under the hood IMHO.
>
> There are also valid scenarios where exception.sh works without CC being
> gcc, for example when cross-compiling with CC=arm--gcc, or building
> with wrappers like CC=musl-gcc, etc.
> What about using gcc as a fallback if $CC did not work? i.e. something
> like this in exception.sh:
>
> if ! ${CC:-gcc} -x c -c -I../include - -aux-info  ; then
> # clang does not support -aux-info so fall back to gcc
> gcc -x c -c -I../include - -aux-info 
> fi
>
> Nicolas

Looking at exception.sh it appears that it takes in selinux.h and
produces custom
exception handlers for the swig interface.

We could potentially do this without -aux-info and just write the swig
interface by hand.


[PATCH] libsepol: sepol_{bool|iface|user}_key_create: copy name

2016-11-08 Thread Stephen Smalley
The sepol_{bool|iface|user}_key_create() functions were not
copying the name.  This produces a use-after-free in the
swig-generated code for python3 bindings.  Copy the name
in these functions, and free it upon sepol_{bool|iface|user}_key_free().

Reported-by: Nicolas Iooss 
Signed-off-by: Stephen Smalley 
---
 libsepol/src/boolean_record.c | 10 --
 libsepol/src/iface_record.c   | 10 --
 libsepol/src/user_record.c| 10 --
 3 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/libsepol/src/boolean_record.c b/libsepol/src/boolean_record.c
index 8b64413..ebef7f1 100644
--- a/libsepol/src/boolean_record.c
+++ b/libsepol/src/boolean_record.c
@@ -15,7 +15,7 @@ struct sepol_bool {
 
 struct sepol_bool_key {
/* This boolean's name */
-   const char *name;
+   char *name;
 };
 
 int sepol_bool_key_create(sepol_handle_t * handle,
@@ -30,7 +30,12 @@ int sepol_bool_key_create(sepol_handle_t * handle,
return STATUS_ERR;
}
 
-   tmp_key->name = name;
+   tmp_key->name = strdup(name);
+   if (!tmp_key->name) {
+   ERR(handle, "out of memory, " "could not create boolean key");
+   free(tmp_key);
+   return STATUS_ERR;
+   }
 
*key_ptr = tmp_key;
return STATUS_SUCCESS;
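Review bot: the error message is written as two adjacent literals, "out of memory, " "could not create boolean key", for no reason; join them into one string as the iface and user variants in this series do. With the key now owning name, every path that constructs a sepol_bool_key_t has to go through this strdup, including the sepol_bool_key_extract() visible in the next hunk header; if extract assigns the record's own name pointer instead of calling sepol_bool_key_create(), sepol_bool_key_free() would now free memory that belongs to the boolean record.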
@@ -62,6 +67,7 @@ int sepol_bool_key_extract(sepol_handle_t * handle,
 
 void sepol_bool_key_free(sepol_bool_key_t * key)
 {
+   free(key->name);
free(key);
 }
 
diff --git a/libsepol/src/iface_record.c b/libsepol/src/iface_record.c
index 09adeb7..c8b977c 100644
--- a/libsepol/src/iface_record.c
+++ b/libsepol/src/iface_record.c
@@ -20,7 +20,7 @@ struct sepol_iface {
 struct sepol_iface_key {
 
/* Interface name */
-   const char *name;
+   char *name;
 };
 
 /* Key */
@@ -36,7 +36,12 @@ int sepol_iface_key_create(sepol_handle_t * handle,
return STATUS_ERR;
}
 
-   tmp_key->name = name;
+   tmp_key->name = strdup(name);
+   if (!tmp_key->name) {
+   ERR(handle, "out of memory, could not create interface key");
+   free(tmp_key);
+   return STATUS_ERR;
+   }
 
*key_ptr = tmp_key;
return STATUS_SUCCESS;
@@ -68,6 +73,7 @@ int sepol_iface_key_extract(sepol_handle_t * handle,
 
 void sepol_iface_key_free(sepol_iface_key_t * key)
 {
+   free(key->name);
free(key);
 }
 
diff --git a/libsepol/src/user_record.c b/libsepol/src/user_record.c
index c59c54b..e7e2fc2 100644
--- a/libsepol/src/user_record.c
+++ b/libsepol/src/user_record.c
@@ -24,7 +24,7 @@ struct sepol_user {
 
 struct sepol_user_key {
/* This user's name */
-   const char *name;
+   char *name;
 };
 
 int sepol_user_key_create(sepol_handle_t * handle,
@@ -40,7 +40,12 @@ int sepol_user_key_create(sepol_handle_t * handle,
return STATUS_ERR;
}
 
-   tmp_key->name = name;
+   tmp_key->name = strdup(name);
+   if (!tmp_key->name) {
+   ERR(handle, "out of memory, could not create selinux user key");
+   free(tmp_key);
+   return STATUS_ERR;
+   }
 
*key_ptr = tmp_key;
return STATUS_SUCCESS;
@@ -71,6 +76,7 @@ int sepol_user_key_extract(sepol_handle_t * handle,
 
 void sepol_user_key_free(sepol_user_key_t * key)
 {
+   free(key->name);
free(key);
 }
 
-- 
2.7.4



Re: [Patch v2 2/2] policycoreutils: Make sepolicy work with python3

2016-11-08 Thread Stephen Smalley
On 11/07/2016 04:51 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville 
> 
> Add python3 support for sepolicy

Thanks, applied.

> 
> Signed-off-by: Laurent Bigonville 
> ---
>  policycoreutils/sepolicy/selinux_client.py   |  6 ++--
>  policycoreutils/sepolicy/sepolicy.py | 38 
> 
>  policycoreutils/sepolicy/sepolicy/__init__.py| 16 ++
>  policycoreutils/sepolicy/sepolicy/communicate.py |  4 +--
>  policycoreutils/sepolicy/sepolicy/generate.py| 30 +--
>  policycoreutils/sepolicy/sepolicy/interface.py   | 14 ++---
>  policycoreutils/sepolicy/sepolicy/manpage.py |  7 +++--
>  7 files changed, 65 insertions(+), 50 deletions(-)
> 
> diff --git a/policycoreutils/sepolicy/selinux_client.py 
> b/policycoreutils/sepolicy/selinux_client.py
> index 7f4a91c..dc29f28 100644
> --- a/policycoreutils/sepolicy/selinux_client.py
> +++ b/policycoreutils/sepolicy/selinux_client.py
> @@ -39,6 +39,6 @@ if __name__ == "__main__":
>  try:
>  dbus_proxy = SELinuxDBus()
>  resp = dbus_proxy.customized()
> -print convert_customization(resp)
> -except dbus.DBusException, e:
> -print e
> +print(convert_customization(resp))
> +except dbus.DBusException as e:
> +print(e)
> diff --git a/policycoreutils/sepolicy/sepolicy.py 
> b/policycoreutils/sepolicy/sepolicy.py
> index 3e502a7..5bf9b52 100755
> --- a/policycoreutils/sepolicy/sepolicy.py
> +++ b/policycoreutils/sepolicy/sepolicy.py
> @@ -262,7 +262,7 @@ def _print_net(src, protocol, perm):
>  if len(portdict) > 0:
>  bold_start = "\033[1m"
>  bold_end = "\033[0;0m"
> -print "\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + 
> bold_end
> +print("\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + 
> bold_end)
>  port_strings = []
>  boolean_text = ""
>  for p in portdict:
> @@ -275,7 +275,7 @@ def _print_net(src, protocol, perm):
>  port_strings.append("%s (%s)" % (", ".join(recs), t))
>  port_strings.sort(numcmp)
>  for p in port_strings:
> -print "\t" + p
> +print("\t" + p)
>  
>  
>  def network(args):
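Review bot: the unchanged context line `port_strings.sort(numcmp)` in this hunk raises TypeError under Python 3, because list.sort() no longer accepts a positional comparison function; the conversion needs `port_strings.sort(key=functools.cmp_to_key(numcmp))` (or a key function equivalent to numcmp) for this code path to work on the interpreter the patch targets.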
> @@ -286,7 +286,7 @@ def network(args):
>  if i[0] not in all_ports:
>  all_ports.append(i[0])
>  all_ports.sort()
> -print "\n".join(all_ports)
> +print("\n".join(all_ports))
>  
>  for port in args.port:
>  found = False
> @@ -297,18 +297,18 @@ def network(args):
>  else:
>  range = "%s-%s" % (i[0], i[1])
>  found = True
> -print "%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], 
> range)
> +print("%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], 
> range))
>  if not found:
>  if port < 500:
> -print "Undefined reserved port type"
> +print("Undefined reserved port type")
>  else:
> -print "Undefined port type"
> +print("Undefined port type")
>  
>  for t in args.type:
>  if (t, 'tcp') in portrecs.keys():
> -print "%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp']))
> +print("%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp'])))
>  if (t, 'udp') in portrecs.keys():
> -print "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp']))
> +print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])))
>  
>  for a in args.applications:
>  d = sepolicy.get_init_transtype(a)
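Review bot: style, the udp line `print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])))` has a stray space after the opening parenthesis that the tcp line just above does not; drop it for consistency with the rest of the conversion.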
> @@ -357,7 +357,7 @@ def manpage(args):
>  
>  for domain in test_domains:
>  m = ManPage(domain, path, args.root, args.source_files, args.web)
> -print m.get_man_page_path()
> +print(m.get_man_page_path())
>  
>  if args.web:
>  HTMLManPages(manpage_roles, manpage_domains, path, args.os)
> @@ -418,7 +418,7 @@ def communicate(args):
>  out = list(set(writable) & set(readable))
>  
>  for t in out:
> -print t
> +print(t)
>  
>  
>  def gen_communicate_args(parser):
> @@ -445,7 +445,7 @@ def booleans(args):
>  args.booleans.sort()
>  
>  for b in args.booleans:
> -print "%s=_(\"%s\")" % (b, boolean_desc(b))
> +print("%s=_(\"%s\")" % (b, boolean_desc(b)))
>  
>  
>  def gen_booleans_args(parser):
> @@ -484,16 +484,16 @@ def print_interfaces(interfaces, args, append=""):
>  for i in interfaces:
>  if args.verbose:
>  try:
> -print get_interface_format_text(i + append)
> +print(get_interface_format_text(i + append))
>  except KeyError:
> -print i
> +print(i)
>  if args.compile:
>  try:
>  interface_compile_test(i)
>  except KeyError:
> -print i
> +

Re: [Patch v2 2/2] policycoreutils: Make sepolicy work with python3

2016-11-08 Thread Stephen Smalley
On 11/08/2016 10:21 AM, Stephen Smalley wrote:
> On 11/07/2016 04:51 AM, Laurent Bigonville wrote:
>> From: Laurent Bigonville 
>>
>> Add python3 support for sepolicy
>>
>> Signed-off-by: Laurent Bigonville 
>> ---
>>  policycoreutils/sepolicy/selinux_client.py   |  6 ++--
>>  policycoreutils/sepolicy/sepolicy.py | 38 
>> 
>>  policycoreutils/sepolicy/sepolicy/__init__.py| 16 ++
>>  policycoreutils/sepolicy/sepolicy/communicate.py |  4 +--
>>  policycoreutils/sepolicy/sepolicy/generate.py| 30 +--
>>  policycoreutils/sepolicy/sepolicy/interface.py   | 14 ++---
>>  policycoreutils/sepolicy/sepolicy/manpage.py |  7 +++--
>>  7 files changed, 65 insertions(+), 50 deletions(-)
> 
> make test doesn't pass in policycoreutils/sepolicy, although I'm not
> sure that's new to this patch.  I think the manpage ones were already
> failing; I don't recall the network one hanging before though.  But
> maybe that is because I wasn't testing with setools3 fully removed before?

Oh, I guess it is just very slow with setools4.  It did finally complete
sepolicy network -d and has moved on (next slow/hanging one is
transition -t).

>>
>> diff --git a/policycoreutils/sepolicy/selinux_client.py 
>> b/policycoreutils/sepolicy/selinux_client.py
>> index 7f4a91c..dc29f28 100644
>> --- a/policycoreutils/sepolicy/selinux_client.py
>> +++ b/policycoreutils/sepolicy/selinux_client.py
>> @@ -39,6 +39,6 @@ if __name__ == "__main__":
>>  try:
>>  dbus_proxy = SELinuxDBus()
>>  resp = dbus_proxy.customized()
>> -print convert_customization(resp)
>> -except dbus.DBusException, e:
>> -print e
>> +print(convert_customization(resp))
>> +except dbus.DBusException as e:
>> +print(e)
>> diff --git a/policycoreutils/sepolicy/sepolicy.py 
>> b/policycoreutils/sepolicy/sepolicy.py
>> index 3e502a7..5bf9b52 100755
>> --- a/policycoreutils/sepolicy/sepolicy.py
>> +++ b/policycoreutils/sepolicy/sepolicy.py
>> @@ -262,7 +262,7 @@ def _print_net(src, protocol, perm):
>>  if len(portdict) > 0:
>>  bold_start = "\033[1m"
>>  bold_end = "\033[0;0m"
>> -print "\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + 
>> bold_end
>> +print("\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + 
>> bold_end)
>>  port_strings = []
>>  boolean_text = ""
>>  for p in portdict:
>> @@ -275,7 +275,7 @@ def _print_net(src, protocol, perm):
>>  port_strings.append("%s (%s)" % (", ".join(recs), t))
>>  port_strings.sort(numcmp)
>>  for p in port_strings:
>> -print "\t" + p
>> +print("\t" + p)
>>  
>>  
>>  def network(args):
>> @@ -286,7 +286,7 @@ def network(args):
>>  if i[0] not in all_ports:
>>  all_ports.append(i[0])
>>  all_ports.sort()
>> -print "\n".join(all_ports)
>> +print("\n".join(all_ports))
>>  
>>  for port in args.port:
>>  found = False
>> @@ -297,18 +297,18 @@ def network(args):
>>  else:
>>  range = "%s-%s" % (i[0], i[1])
>>  found = True
>> -print "%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], 
>> range)
>> +print("%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], 
>> range))
>>  if not found:
>>  if port < 500:
>> -print "Undefined reserved port type"
>> +print("Undefined reserved port type")
>>  else:
>> -print "Undefined port type"
>> +print("Undefined port type")
>>  
>>  for t in args.type:
>>  if (t, 'tcp') in portrecs.keys():
>> -print "%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp']))
>> +print("%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp'])))
>>  if (t, 'udp') in portrecs.keys():
>> -print "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp']))
>> +print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])))
>>  
>>  for a in args.applications:
>>  d = sepolicy.get_init_transtype(a)
>> @@ -357,7 +357,7 @@ def manpage(args):
>>  
>>  for domain in test_domains:
>>  m = ManPage(domain, path, args.root, args.source_files, args.web)
>> -print m.get_man_page_path()
>> +print(m.get_man_page_path())
>>  
>>  if args.web:
>>  HTMLManPages(manpage_roles, manpage_domains, path, args.os)
>> @@ -418,7 +418,7 @@ def communicate(args):
>>  out = list(set(writable) & set(readable))
>>  
>>  for t in out:
>> -print t
>> +print(t)
>>  
>>  
>>  def gen_communicate_args(parser):
>> @@ -445,7 +445,7 @@ def booleans(args):
>>  args.booleans.sort()
>>  
>>  for b in args.booleans:
>> -print "%s=_(\"%s\")" % (b, boolean_desc(b))
>> +print("%s=_(\"%s\")" % (b, 

Re: [Patch v2 2/2] policycoreutils: Make sepolicy work with python3

2016-11-08 Thread Stephen Smalley
On 11/07/2016 04:51 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville 
> 
> Add python3 support for sepolicy
> 
> Signed-off-by: Laurent Bigonville 
> ---
>  policycoreutils/sepolicy/selinux_client.py   |  6 ++--
>  policycoreutils/sepolicy/sepolicy.py | 38 
> 
>  policycoreutils/sepolicy/sepolicy/__init__.py| 16 ++
>  policycoreutils/sepolicy/sepolicy/communicate.py |  4 +--
>  policycoreutils/sepolicy/sepolicy/generate.py| 30 +--
>  policycoreutils/sepolicy/sepolicy/interface.py   | 14 ++---
>  policycoreutils/sepolicy/sepolicy/manpage.py |  7 +++--
>  7 files changed, 65 insertions(+), 50 deletions(-)

make test doesn't pass in policycoreutils/sepolicy, although I'm not
sure that's new to this patch.  I think the manpage ones were already
failing; I don't recall the network one hanging before though.  But
maybe that is because I wasn't testing with setools3 fully removed before?

> 
> diff --git a/policycoreutils/sepolicy/selinux_client.py 
> b/policycoreutils/sepolicy/selinux_client.py
> index 7f4a91c..dc29f28 100644
> --- a/policycoreutils/sepolicy/selinux_client.py
> +++ b/policycoreutils/sepolicy/selinux_client.py
> @@ -39,6 +39,6 @@ if __name__ == "__main__":
>  try:
>  dbus_proxy = SELinuxDBus()
>  resp = dbus_proxy.customized()
> -print convert_customization(resp)
> -except dbus.DBusException, e:
> -print e
> +print(convert_customization(resp))
> +except dbus.DBusException as e:
> +print(e)
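Review bot: `print(convert_customization(resp))` and `print(e)` remain Python 2 compatible only because each call passes a single argument, where the parentheses are plain grouping; a `from __future__ import print_function` near the top of selinux_client.py would make the intent explicit and turn a later two-argument `print(a, b)` (which Python 2 would print as a tuple) into a real function call. The same point applies to every module converted in this series. `except dbus.DBusException as e:` is fine on both 2.6+ and 3.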
> diff --git a/policycoreutils/sepolicy/sepolicy.py 
> b/policycoreutils/sepolicy/sepolicy.py
> index 3e502a7..5bf9b52 100755
> --- a/policycoreutils/sepolicy/sepolicy.py
> +++ b/policycoreutils/sepolicy/sepolicy.py
> @@ -262,7 +262,7 @@ def _print_net(src, protocol, perm):
>  if len(portdict) > 0:
>  bold_start = "\033[1m"
>  bold_end = "\033[0;0m"
> -print "\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + 
> bold_end
> +print("\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + 
> bold_end)
>  port_strings = []
>  boolean_text = ""
>  for p in portdict:
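Review bot: the long `print` line in this hunk has been wrapped by the mail client: `... % (src, protocol, perm) +` is followed by a bare `bold_end` line with no `-`, `+` or space prefix, so the patch as posted will not apply with `git am`. The same wrap appears in the `network()` hunk below (`portrecsbynum[i][0],` continued by `range)`). Please resend with line wrapping disabled, or attach the patch.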
> @@ -275,7 +275,7 @@ def _print_net(src, protocol, perm):
>  port_strings.append("%s (%s)" % (", ".join(recs), t))
>  port_strings.sort(numcmp)
>  for p in port_strings:
> -print "\t" + p
> +print("\t" + p)
>  
>  
>  def network(args):
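Review bot: the unchanged context line `port_strings.sort(numcmp)` still passes a comparison function positionally, and Python 3's `list.sort()` accepts only the keyword arguments `key` and `reverse`, so `_print_net()` raises `TypeError` on Python 3 as soon as `portdict` is non-empty; converting the `print` statements in this function is not enough on its own. Suggest `port_strings.sort(key=functools.cmp_to_key(numcmp))` (with `import functools`), or rewriting `numcmp` as a key function, and a check of the rest of the series for other `sort(cmp)` / `sorted(..., cmp)` call sites.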
> @@ -286,7 +286,7 @@ def network(args):
>  if i[0] not in all_ports:
>  all_ports.append(i[0])
>  all_ports.sort()
> -print "\n".join(all_ports)
> +print("\n".join(all_ports))
>  
>  for port in args.port:
>  found = False
> @@ -297,18 +297,18 @@ def network(args):
>  else:
>  range = "%s-%s" % (i[0], i[1])
>  found = True
> -print "%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], 
> range)
> +print("%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], 
> range))
>  if not found:
>  if port < 500:
> -print "Undefined reserved port type"
> +print("Undefined reserved port type")
>  else:
> -print "Undefined port type"
> +print("Undefined port type")
>  
>  for t in args.type:
>  if (t, 'tcp') in portrecs.keys():
> -print "%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp']))
> +print("%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp'])))
>  if (t, 'udp') in portrecs.keys():
> -print "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp']))
> +print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])))
>  
>  for a in args.applications:
>  d = sepolicy.get_init_transtype(a)
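Review bot: `print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])))` has a stray space after the opening parenthesis, unlike the `tcp` line directly above it; `print("%s: udp: %s" % ...)` keeps the two lines consistent and clean under pycodestyle. Separately, `(t, 'tcp') in portrecs.keys()` works on both versions, but `(t, 'tcp') in portrecs` is the idiomatic form and avoids building a key list on Python 2.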
> @@ -357,7 +357,7 @@ def manpage(args):
>  
>  for domain in test_domains:
>  m = ManPage(domain, path, args.root, args.source_files, args.web)
> -print m.get_man_page_path()
> +print(m.get_man_page_path())
>  
>  if args.web:
>  HTMLManPages(manpage_roles, manpage_domains, path, args.os)
> @@ -418,7 +418,7 @@ def communicate(args):
>  out = list(set(writable) & set(readable))
>  
>  for t in out:
> -print t
> +print(t)
>  
>  
>  def gen_communicate_args(parser):
> @@ -445,7 +445,7 @@ def booleans(args):
>  args.booleans.sort()
>  
>  for b in args.booleans:
> -print "%s=_(\"%s\")" % (b, boolean_desc(b))
> +print("%s=_(\"%s\")" % (b, boolean_desc(b)))
>  
>  
>  def gen_booleans_args(parser):
> @@ -484,16 +484,16 @@ def print_interfaces(interfaces, args, append=""):
>  for i in interfaces:
>  if args.verbose:
>  try:
> -print get_interface_format_text(i + append)
> +print(get_interface_format_text(i + append))

Re: [PATCH 1/2] Sandbox: Use next() over the sepolicy.info() result

2016-11-08 Thread Stephen Smalley
On 11/08/2016 09:58 AM, Laurent Bigonville wrote:
> On 08/11/16 at 15:57, Stephen Smalley wrote:
>> On 11/08/2016 08:34 AM, Stephen Smalley wrote:
>>> On 11/07/2016 06:09 PM, Laurent Bigonville wrote:
>>>> On 07/11/16 at 22:13, Stephen Smalley wrote:
>>>>> On 11/07/2016 03:01 AM, Laurent Bigonville wrote:
>>>>>> From: Laurent Bigonville 
>>>>>>
>>>>>> sepolicy.info() now returns a generator, use next() to get the
>>>>>> results.
>>>>> This breaks sandbox for me,
>>>>> $ /usr/bin/sandbox -X firefox
>>>>> Traceback (most recent call last):
>>>>> File "/usr/bin/sandbox", line 529, in 
>>>>>   rc = sandbox.main()
>>>>> File "/usr/bin/sandbox", line 513, in main
>>>>>   self.__parse_options()
>>>>> File "/usr/bin/sandbox", line 308, in __parse_options
>>>>>   """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
>>>>> "sandbox_type"))['types'])
>>>>> TypeError: list object is not an iterator
>>>> Which version of python and setools are you using?
>>> I have installed setools4 from source, both running setup.py via python
>>> and via python3 to install it for python 2.7 and python 3.5 (both are
>>> installed on Fedora, with python referencing 2.7 by default).  I have
>>> likewise built and installed the selinux userspace with PYTHON=python
>>> and with PYTHON=python3. I have tried running sandbox via python and via
>>> python3, and it yields the same exception in both cases with your patch,
>>> and works fine without your patch.
>> Ok, I forcibly removed the Fedora setools* packages (which also
>> uninstalled policycoreutils) and built and installed setools4 and
>> policycoreutils from upstream source again.  Now I do not get that
>> exception with your patch, but it also works fine without your patch - I
>> see no difference in behavior.  Not sure what I am missing.
> 
> If I don't have the sandbox policy installed I get a backtrace instead
> of a nice error:
> 
> Traceback (most recent call last):
>   File "sandbox", line 529, in 
> rc = sandbox.main()
>   File "sandbox", line 513, in main
> self.__parse_options()
>   File "sandbox", line 308, in __parse_options
> """) % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE,
> "sandbox_type"))[0]['types'])
> IndexError: list index out of range

Ok, got it.  If you could include reproducer information in your patch
descriptions, that would help.  Applied this one.

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
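The two failure modes discussed in this thread, `next()` applied to a list (the TypeError seen with older setools) and `list(...)[0]` applied to an empty result (the IndexError seen without the sandbox policy), side by side with a form that survives both, as a runnable Python illustration. This is an added example, not code from the sandbox patch or from the sepolicy project: `make_info` is a constructed stand-in for `sepolicy.info()` that can return either a list or a generator, `SANDBOX_POLICY` is a constructed two-record policy whose record layout is an assumption (only the `'types'` key comes from the traceback above), and `first_or_none` is a hypothetical helper.

```python
# Added example, not part of the patch or of the sepolicy project.
# sepolicy.info() is replaced by a constructed stand-in (make_info) so the
# example runs offline; the record layout ({"name": ..., "types": [...]})
# is an assumption, only the 'types' key is taken from the traceback above.

ATTRIBUTE = "attribute"   # stand-ins for sepolicy.ATTRIBUTE / sepolicy.TYPE
TYPE = "type"

# Constructed miniature policy: (kind, name) -> matching records.
SANDBOX_POLICY = {
    (ATTRIBUTE, "sandbox_type"): [{"name": "sandbox_type",
                                   "types": ["sandbox_t", "sandbox_x_t"]}],
    (TYPE, "sandbox_t"): [{"name": "sandbox_t"}],
}


def make_info(policy, as_generator):
    """Build an info() lookalike over `policy`.

    setools4 makes sepolicy.info() a generator; older setools returned a
    list. Both shapes are modelled so the idioms below can be compared.
    """
    def info(kind, name):
        records = policy.get((kind, name), [])
        return (r for r in records) if as_generator else list(records)
    return info


def first_or_none(results):
    """First element of a list *or* a generator, None when there is none.

    iter() is a no-op on an iterator and builds one for a list, so next()
    never sees a plain list; the default argument absorbs StopIteration.
    """
    return next(iter(results), None)


def sandbox_types(info):
    """Types usable with `sandbox -t`, or [] if the sandbox policy is absent."""
    rec = first_or_none(info(ATTRIBUTE, "sandbox_type"))
    return [] if rec is None else list(rec["types"])


def sandbox_policy_installed(info):
    """Existence check for sandbox_t that works with either return type."""
    return first_or_none(info(TYPE, "sandbox_t")) is not None


# The two idioms from the thread, kept only to show how each one fails.
def patched_idiom(results):      # sandbox after the patch: next(...)
    return next(results)["types"]


def original_idiom(results):     # sandbox before the patch: list(...)[0]
    return list(results)[0]["types"]


def failure_mode(idiom, results):
    """Name of the exception `idiom` raises on `results`, or None if it works."""
    try:
        idiom(results)
    except Exception as exc:     # broad on purpose: we are classifying
        return type(exc).__name__
    return None


if __name__ == "__main__":
    for as_gen in (True, False):
        info = make_info(SANDBOX_POLICY, as_gen)
        print("generator" if as_gen else "list", sandbox_types(info),
              failure_mode(patched_idiom, info(ATTRIBUTE, "sandbox_type")),
              failure_mode(original_idiom, info(ATTRIBUTE, "sandbox_type")))
    no_policy = make_info({}, True)
    print("no policy", sandbox_types(no_policy),
          failure_mode(patched_idiom, no_policy(ATTRIBUTE, "sandbox_type")),
          failure_mode(original_idiom, no_policy(ATTRIBUTE, "sandbox_type")))
```

`first_or_none` is the piece worth carrying over to the real code: `next(iter(x), None)` accepts a list and a generator alike, and the caller gets `None` rather than an exception when the policy does not define the attribute, which is the "nice error" case Laurent asks for.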

Re: [PATCH 1/2] Sandbox: Use next() over the sepolicy.info() result

2016-11-08 Thread Laurent Bigonville

On 08/11/16 at 15:57, Stephen Smalley wrote:
> On 11/08/2016 08:34 AM, Stephen Smalley wrote:
>> On 11/07/2016 06:09 PM, Laurent Bigonville wrote:
>>> On 07/11/16 at 22:13, Stephen Smalley wrote:
>>>> On 11/07/2016 03:01 AM, Laurent Bigonville wrote:
>>>>> From: Laurent Bigonville 
>>>>>
>>>>> sepolicy.info() now returns a generator, use next() to get the results.
>>>> This breaks sandbox for me,
>>>> $ /usr/bin/sandbox -X firefox
>>>> Traceback (most recent call last):
>>>> File "/usr/bin/sandbox", line 529, in 
>>>>   rc = sandbox.main()
>>>> File "/usr/bin/sandbox", line 513, in main
>>>>   self.__parse_options()
>>>> File "/usr/bin/sandbox", line 308, in __parse_options
>>>>   """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
>>>> "sandbox_type"))['types'])
>>>> TypeError: list object is not an iterator
>>> Which version of python and setools are you using?
>> I have installed setools4 from source, both running setup.py via python
>> and via python3 to install it for python 2.7 and python 3.5 (both are
>> installed on Fedora, with python referencing 2.7 by default).  I have
>> likewise built and installed the selinux userspace with PYTHON=python
>> and with PYTHON=python3. I have tried running sandbox via python and via
>> python3, and it yields the same exception in both cases with your patch,
>> and works fine without your patch.
> Ok, I forcibly removed the Fedora setools* packages (which also
> uninstalled policycoreutils) and built and installed setools4 and
> policycoreutils from upstream source again.  Now I do not get that
> exception with your patch, but it also works fine without your patch - I
> see no difference in behavior.  Not sure what I am missing.

If I don't have the sandbox policy installed I get a backtrace instead
of a nice error:

Traceback (most recent call last):
  File "sandbox", line 529, in 
rc = sandbox.main()
  File "sandbox", line 513, in main
self.__parse_options()
  File "sandbox", line 308, in __parse_options
""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, 
"sandbox_type"))[0]['types'])
IndexError: list index out of range


Re: [PATCH 1/2] Sandbox: Use next() over the sepolicy.info() result

2016-11-08 Thread Stephen Smalley
On 11/07/2016 06:09 PM, Laurent Bigonville wrote:
> On 07/11/16 at 22:13, Stephen Smalley wrote:
>> On 11/07/2016 03:01 AM, Laurent Bigonville wrote:
>>> From: Laurent Bigonville 
>>>
>>> sepolicy.info() now returns a generator, use next() to get the results.
>> This breaks sandbox for me,
>> $ /usr/bin/sandbox -X firefox
>> Traceback (most recent call last):
>>File "/usr/bin/sandbox", line 529, in 
>>  rc = sandbox.main()
>>File "/usr/bin/sandbox", line 513, in main
>>  self.__parse_options()
>>File "/usr/bin/sandbox", line 308, in __parse_options
>>  """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
>> "sandbox_type"))['types'])
>> TypeError: list object is not an iterator
> 
> Which version of python and setools are you using?

I have installed setools4 from source, both running setup.py via python
and via python3 to install it for python 2.7 and python 3.5 (both are
installed on Fedora, with python referencing 2.7 by default).  I have
likewise built and installed the selinux userspace with PYTHON=python
and with PYTHON=python3. I have tried running sandbox via python and via
python3, and it yields the same exception in both cases with your patch,
and works fine without your patch.

>>
>>> Signed-off-by: Laurent Bigonville 
>>> ---
>>>   policycoreutils/sandbox/sandbox | 8 
>>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/policycoreutils/sandbox/sandbox
>>> b/policycoreutils/sandbox/sandbox
>>> index 4010e83..c07a1d8 100644
>>> --- a/policycoreutils/sandbox/sandbox
>>> +++ b/policycoreutils/sandbox/sandbox
>>> @@ -305,8 +305,8 @@ kill -TERM $WM_PID  2> /dev/null
>>>   types = _("""
>>>   Policy defines the following types for use with the -t:
>>>   \t%s
>>> -""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE,
>>> "sandbox_type"))[0]['types'])
>>> -except RuntimeError:
>>> +""") % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
>>> "sandbox_type"))['types'])
>>> +except StopIteration:
>>>   pass
>>> usage = _("""
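Review bot: the narrowed exception handling in this hunk matches neither failure reported in the thread: `next()` on a list raises `TypeError: list object is not an iterator` (the traceback with the older setools), and the `except RuntimeError:` clause is dropped although nothing here shows that `sepolicy.info()` no longer raises it. A form that works for a list and a generator alike, and for an empty result, is `rec = next(iter(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type")), None)` followed by `if rec is not None:` around the `types = _(...)` assignment; if `RuntimeError` is still possible, keep it in the `except` clause alongside `StopIteration`.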
>>> @@ -380,8 +380,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T
>>> tempdir]] [-I includefile ] [-
>>>   self.setype = DEFAULT_X_TYPE
>>>   else:
>>>   try:
>>> -sepolicy.info(sepolicy.TYPE, "sandbox_t")
>>> -except RuntimeError:
>>> +next(sepolicy.info(sepolicy.TYPE, "sandbox_t"))
>>> +except StopIteration:
>>>   raise ValueError(_("Sandbox Policy is not currently
>>> installed.\nYou need to install the selinux-policy-sandbox package in
>>> order to run this command"))
>>> if self.__options.setype:
>>>
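Review bot: `next(sepolicy.info(sepolicy.TYPE, "sandbox_t"))` is used purely as an existence check and its result is discarded, which reads as an accidental no-op, and the same list-versus-generator problem as in the first hunk applies. `if next(iter(sepolicy.info(sepolicy.TYPE, "sandbox_t")), None) is None:` followed by the existing `raise ValueError(...)` states the intent directly and works with both setools versions; keep `RuntimeError` in the `except` clause as well if `sepolicy.info()` can still raise it for an unknown type.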
