On 4/4/2016 6:48 PM, Casey Schaufler wrote:
> On 4/4/2016 2:48 PM, Dan Jurgens wrote:
>> From: Daniel Jurgens
>>
>> Add five new hooks
>> 1. Allocate security contexts for Infiniband objects
>> 2. Free security contexts for Infiniband objects
>> 3. Enforce access to Pkeys
>> 4. Enforce access to Infiniband devices subnet management interfaces.
>> 5. A hook to be implemented by IB core to receive notifications of
>> security policy or enforcement changes. Restricting a QPs access to
>> a pkey will be done during setup and not on a per packet basis
>> access must be enforced again.
>>
>> Because IB core is usually compiled as a module it must be able to
>> delete it's hooks. Remove the SELinux specific ifdef around
>> security_delete_hooks and update the comment. Also EXPORT_SYMBOL for
>> security_hook_heads so IB core can access it to add and delete the hook.
>
> The LSM infrastructure does not actually support dynamic
> loading and unloading of modules. It happens that the SELinux
> code is structured so that it can be safely unloaded if
> the policy has not been loaded.
>
If a module calls synchronize_rcu after deleting it's hooks but before
unloading isn't safety assured? I can send an out of context patch in a
reply showing how ib_core manages that hook if that would be helpful for
context.
>> Signed-off-by: Daniel Jurgens
>> Reviewed-by: Eli Cohen
>> ---
>> include/linux/lsm_hooks.h | 43 -
>> include/linux/security.h | 37
>> security/Kconfig |9 +++
>> security/security.c | 52
>> +
>> 4 files changed, 135 insertions(+), 6 deletions(-)
>>
>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>> index 71969de..c0c7a40 100644
>> --- a/include/linux/lsm_hooks.h
>> +++ b/include/linux/lsm_hooks.h
>> @@ -8,6 +8,7 @@
>> * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
>> * Copyright (C) 2015 Intel Corporation.
>> * Copyright (C) 2015 Casey Schaufler
>> + * Copyright (C) 2016 Mellanox Techonologies.
>> *
>> * This program is free software; you can redistribute it and/or modify
>> * it under the terms of the GNU General Public License as published by
>> @@ -877,6 +878,21 @@
>> * associated with the TUN device's security structure.
>> * @security pointer to the TUN devices's security structure.
>> *
>> + * Security hooks for Infiniband
>> + *
>> + * @pkey_access:
>> + * Check permission when modifing a QP or transmitting and receiving MADs.
>> + * @ibdev_smi:
>> + * Check permissions to access the devices subnet management interface
>> (SMI).
>> + * @infiniband_alloc_security:
>> + * Allocate a security structure to be used by Infiniband QPs and MAD
>> + * agents.
>> + * @infiniband_free_security:
>> + * Free an Infiniband security structure.
>> + * @infiniband_flush:
>> + * Security modules can use this hook to notify IB core of policy changes
>> + * or when enforcement changes.
>> + *
>> * Security hooks for XFRM operations.
>> *
>> * @xfrm_policy_alloc_security:
>> @@ -1577,6 +1593,14 @@ union security_list_options {
>> int (*tun_dev_open)(void *security);
>> #endif /* CONFIG_SECURITY_NETWORK */
>>
>> +#ifdef CONFIG_SECURITY_INFINIBAND
>> +int (*pkey_access)(u64 subnet_prefix, u16 pkey, void *security);
>> +int (*ibdev_smi)(const char *dev_name, u8 port, void *security);
>> +int (*infiniband_alloc_security)(void **security);
>> +void (*infiniband_free_security)(void *security);
>
> Please attach the security blobs to objects (like an inode) rather
> than just passing a blob pointer. It's going to make module stacking
> lots easier.
>
That makes sense. I wondered how modules stacking would work with the
opaque security field, most alloc/free pairs have the lone blob so I
followed that convention.
>> +void (*infiniband_flush)(void);
>> +#endif /* CONFIG_SECURITY_INFINIBAND */
>> +
>> #ifdef CONFIG_SECURITY_NETWORK_XFRM
>> int (*xfrm_policy_alloc_security)(struct xfrm_sec_ctx **ctxp,
>>struct xfrm_user_sec_ctx *sec_ctx,
>> @@ -1805,6 +1829,13 @@ struct security_hook_heads {
>> struct list_head tun_dev_open;
>> struct list_head skb_owned_by;
>> #endif /* CONFIG_SECURITY_NETWORK */
>> +#ifdef CONFIG_SECURITY_INFINIBAND
>> +struct list_head pkey_access;
>> +struct list_head ibdev_smi;
>> +struct list_head infiniband_alloc_security;
>> +struct list_head infiniband_free_security;
>> +struct list_head infiniband_flush;
>> +#endif /* CONFIG_SECURITY_INFINIBAND */
>> #ifdef CONFIG_SECURITY_NETWORK_XFRM
>> struct list_head xfrm_policy_alloc_security;
>> struct list_head xfrm_policy_clone_security;
>> @@ -1862,7 +1893,6 @@ static