[PATCH v1 1/1] IB/core: Fix static analysis warning in ib_policy_change_task

2017-07-05 Thread Dan Jurgens
From: Daniel Jurgens ib_get_cached_subnet_prefix can technically fail, but the only way it could is not possible based on the loop conditions. Check the return value before using the variable sp to resolve a static analysis warning. Fixes: 8f408ab64be6 ("selinux lsm

[PATCH] IB/core: Fix static analysis warning in ib_policy_change_task

2017-06-30 Thread Dan Jurgens
From: Daniel Jurgens ib_get_cached_subnet_prefix can technically fail, but the only way it could is not possible based on the loop conditions. Check the return value before using the variable sp to resolve a static analysis warning. Fixes: 8f408ab64be6 ("selinux lsm

[PATCH] IB/core: Fix uninitialized variable use in check_qp_port_pkey_settings

2017-06-30 Thread Dan Jurgens
From: Daniel Jurgens Check the return value from get_pkey_and_subnet_prefix to prevent using uninitialized variables. Fixes: d291f1a65232 ("IB/core: Enforce PKey security on QPs") Signed-off-by: Daniel Jurgens Reported-by: Dan Carpenter

[PATCH v2 1/2] selinux-testsuite: Infiniband pkey tests

2017-05-30 Thread Dan Jurgens
From: Daniel Jurgens New tests for infiniband pkeys. Most users don't have Infiniband hardware, and if they do the pkey configuration is not standardized. There is a configuration file for enabling the test and setting environment specific test configurations. If the tests

[PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Dan Jurgens
From: Daniel Jurgens New tests for Infiniband endports. Most users do not have infiniband hardware, and if they do the device names can vary. There is a configuration file for enabling the tests and setting environment specific configurations. If the tests are disabled

[PATCH v2 0/2] Selinux tests for Infiniband

2017-05-30 Thread Dan Jurgens
From: Daniel Jurgens Implements new tests for Infiniband pkeys and endports. Because infiniband isn't widely used, and when it is the configuration is site specific, configuration files are used to enable the tests and set environment specific settings. When the tests are

[PATCH 1/1] semanage: Fix manpage author for ibpkey and ibendport pages.

2017-05-30 Thread Dan Jurgens
From: Daniel Jurgens Signed-off-by: Daniel Jurgens --- python/semanage/semanage-ibendport.8 | 2 +- python/semanage/semanage-ibpkey.8| 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/python/semanage/semanage-ibendport.8

[PATCH v1 2/2] selinux-testsuite: Infiniband endport tests

2017-05-24 Thread Dan Jurgens
From: Daniel Jurgens New tests for Infiniband endports. Most users do not have infiniband hardware, and if they do the device names can vary. There is a configuration file for enabling the tests and setting environment specific configurations. If the tests are disabled

[PATCH v1 1/2] selinux-testsuite: Infiniband pkey tests

2017-05-24 Thread Dan Jurgens
From: Daniel Jurgens New tests for infiniband pkeys. Most users don't have Infiniband hardware, and if they do the pkey configuration is not standardized. There is a configuration file for enabling the test and setting environment specific test configurations. If the tests

[PATCH v1 0/2] Selinux tests for Infiniband

2017-05-24 Thread Dan Jurgens
From: Daniel Jurgens Implements new tests for Infiniband pkeys and endports. Because infiniband isn't widely used, and when it is the configuration is site specific, configuration files are used to enable the tests and set environment specific settings. When the tests are

[PATCH v8 2/9] IB/core: Enforce PKey security on QPs

2017-05-23 Thread Dan Jurgens
From: Daniel Jurgens Add new LSM hooks to allocate and free security contexts and check for permission to access a PKey. Allocate and free a security context when creating and destroying a QP. This context is used for controlling access to PKeys. When a request is made to

[PATCH v3 6/9] libsepol: Add IB end port handling to CIL

2017-05-22 Thread Dan Jurgens
From: Daniel Jurgens Add IB end port parsing, symbol table management, and policy generation to CIL. Signed-off-by: Daniel Jurgens --- v1: James Carter: - Add cil_resolve_ibendportcon prototype in cil_resolve_ast.h --- libsepol/cil/src/cil.c

[PATCH v3 2/9] libsepol: Add ibpkey ocontext handling

2017-05-22 Thread Dan Jurgens
From: Daniel Jurgens Add support for reading, writing, and copying Infiniband Pkey ocontext data. Also add support for querying a Pkey sid to checkpolicy. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Removed domain and type params from

[PATCH v3 5/9] libsepol: Add ibendport ocontext handling

2017-05-22 Thread Dan Jurgens
From: Daniel Jurgens Add support for reading, writing, and copying IB end port ocontext data. Also add support for querying an IB end port sid to checkpolicy. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Removed unused domain and type

[PATCH v3 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-22 Thread Dan Jurgens
From: Daniel Jurgens Update libsepol and libsemanage to work with pkey records. Add local storage for new and modified pkey records in pkeys.local. Update semanage to parse the pkey command options to add, modify, and delete pkeys. Signed-off-by: Daniel Jurgens

[PATCH v3 4/9] checkpolicy: Add support for ibendportcon labels

2017-05-22 Thread Dan Jurgens
From: Daniel Jurgens Add checkpolicy support for scanning and parsing ibendportcon labels. Also create a new ocontext for IB end ports. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Check IB device name length when parsing policy. - Use

[PATCH v3 1/9] checkpolicy: Add support for ibpkeycon labels

2017-05-22 Thread Dan Jurgens
From: Daniel Jurgens Add checkpolicy support for scanning and parsing ibpkeycon labels. Also create a new ocontext for Infiniband Pkeys and define a new policydb version for infiniband support. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley:

[PATCH v3 0/9] SELinux user space support for Infiniband RDMA

2017-05-22 Thread Dan Jurgens
From: Daniel Jurgens Infiniband applications access HW from user-space -- traffic is generated directly by HW, bypassing the kernel. Consequently, Infiniband Partitions, which are associated directly with HW transport endpoints, are a natural choice for enforcing granular

[PATCH v7 4/9] IB/core: Enforce security on management datagrams

2017-05-19 Thread Dan Jurgens
ag to track permission instead of calling the LSM hook for every SMP. Dan Jurgens - Squashed PKey and SMP enforcement into the same patch and moved the logic into security.c. Dan Jurgens v3: - ib_port -> ib_endport. Paul Moore - Use notifier chains for LSM notification. Paul Moore - Reorder L

[PATCH v7 5/9] selinux: Create policydb version for Infiniband support

2017-05-19 Thread Dan Jurgens
From: Daniel Jurgens Support for Infiniband requires the addition of two new object contexts, one for infiniband PKeys and another for IB Ports. Added handlers to read and write the new ocontext types when reading or writing a binary policy representation. Signed-off-by:

[PATCH v7 8/9] selinux: Add IB Port SMP access vector

2017-05-19 Thread Dan Jurgens
From: Daniel Jurgens Add a type for Infiniband ports and an access vector for subnet management packets. Implement the ib_port_smp hook to check that the caller has permission to send and receive SMPs on the end port specified by the device name and port. Add interface to

[PATCH v7 3/9] selinux lsm IB/core: Implement LSM notification system

2017-05-19 Thread Dan Jurgens
From: Daniel Jurgens Add a generic notification mechanism in the LSM. Interested consumers can register a callback with the LSM and security modules can produce events. Because access to Infiniband QPs is enforced in the setup phase of a connection, security should be

[PATCH v7 9/9] selinux: Add a cache for quicker retrieval of PKey SIDs

2017-05-19 Thread Dan Jurgens
Moore - Fixed a bracket indentation mismatch in sel_pkey_find. Yuval Shaia - Change spin_lock_bh to spin_lock_irqsave to resolve HARDIRQ lockdep warning. Dan Jurgens v6: - Fixed sel_pkey_sid_slow error handling. James Morris v7: - Renamed sel_pkey* to sel_ib_pkey* in the pkey cache. security/selinux

[PATCH v7 2/9] IB/core: Enforce PKey security on QPs

2017-05-19 Thread Dan Jurgens
From: Daniel Jurgens Add new LSM hooks to allocate and free security contexts and check for permission to access a PKey. Allocate and free a security context when creating and destroying a QP. This context is used for controlling access to PKeys. When a request is made to

[PATCH v7 7/9] selinux: Implement Infiniband PKey "Access" access vector

2017-05-19 Thread Dan Jurgens
From: Daniel Jurgens Add a type and access vector for PKeys. Implement the ib_pkey_access hook to check that the caller has permission to access the PKey on the given subnet prefix. Add an interface to get the PKey SID. Walk the PKey ocontexts to find an entry for the given

[PATCH v7 6/9] selinux: Allocate and free infiniband security hooks

2017-05-19 Thread Dan Jurgens
From: Daniel Jurgens Implement and attach hooks to allocate and free Infiniband object security structures. Signed-off-by: Daniel Jurgens --- v2: - Use void * blobs for security structs. Paul Moore - Shorten ib_end_port to ib_port. Paul Moore -

[PATCH v7 1/9] IB/core: IB cache enhancements to support Infiniband security

2017-05-19 Thread Dan Jurgens
From: Daniel Jurgens Cache the subnet prefix and add a function to access it. Enforcing security requires frequent queries of the subnet prefix and the pkeys in the pkey table. Signed-off-by: Daniel Jurgens Reviewed-by: Eli Cohen

[PATCH v2 6/9] libsepol: Add IB end port handling to CIL

2017-05-18 Thread Dan Jurgens
From: Daniel Jurgens Add IB end port parsing, symbol table management, and policy generation to CIL. Signed-off-by: Daniel Jurgens --- v1: James Carter: - Add cil_resolve_ibendportcon prototype in cil_resolve_ast.h --- libsepol/cil/src/cil.c

[PATCH v2 4/9] checkpolicy: Add support for ibendportcon labels

2017-05-18 Thread Dan Jurgens
From: Daniel Jurgens Add checkpolicy support for scanning and parsing ibendportcon labels. Also create a new ocontext for IB end ports. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Check IB device name length when parsing policy. - Use

[PATCH v2 9/9] semanage: Update man pages for infiniband

2017-05-18 Thread Dan Jurgens
From: Daniel Jurgens Update the main man page and add specific pages for ibpkeys and ibendports. Signed-off-by: Daniel Jurgens --- python/semanage/semanage-ibendport.8 | 66 python/semanage/semanage-ibpkey.8|

[PATCH v2 8/9] semanage: Update semanage to allow runtime labeling of ibendports

2017-05-18 Thread Dan Jurgens
From: Daniel Jurgens Update libsepol and libsemanage to work with ibendport records. Add local storage for new and modified ibendport records in ibendports.local. Update semanage to parse the ibendport command options to add, modify, and delete them. Signed-off-by: Daniel

[PATCH v2 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-18 Thread Dan Jurgens
From: Daniel Jurgens Update libsepol and libsemanage to work with pkey records. Add local storage for new and modified pkey records in pkeys.local. Update semanage to parse the pkey command options to add, modify, and delete pkeys. Signed-off-by: Daniel Jurgens

[PATCH v2 3/9] libsepol: Add Infiniband Pkey handling to CIL

2017-05-18 Thread Dan Jurgens
From: Daniel Jurgens Add Infiniband pkey parsing, symbol table management, and policy generation to CIL. Signed-off-by: Daniel Jurgens --- libsepol/cil/src/cil.c | 19 + libsepol/cil/src/cil_binary.c | 39 +

[PATCH v2 2/9] libsepol: Add ibpkey ocontext handling

2017-05-18 Thread Dan Jurgens
From: Daniel Jurgens Add support for reading, writing, and copying Infiniband Pkey ocontext data. Also add support for querying a Pkey sid to checkpolicy. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Removed domain and type params from

[PATCH v2 1/9] checkpolicy: Add support for ibpkeycon labels

2017-05-18 Thread Dan Jurgens
From: Daniel Jurgens Add checkpolicy support for scanning and parsing ibpkeycon labels. Also create a new ocontext for Infiniband Pkeys and define a new policydb version for infiniband support. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley:

[PATCH v2 5/9] libsepol: Add ibendport ocontext handling

2017-05-18 Thread Dan Jurgens
From: Daniel Jurgens Add support for reading, writing, and copying IB end port ocontext data. Also add support for querying an IB end port sid to checkpolicy. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Removed unused domain and type

[PATCH v2 0/9] SELinux user space support for Infiniband RDMA

2017-05-18 Thread Dan Jurgens
From: Daniel Jurgens Infiniband applications access HW from user-space -- traffic is generated directly by HW, bypassing the kernel. Consequently, Infiniband Partitions, which are associated directly with HW transport endpoints, are a natural choice for enforcing granular

[PATCH 2/2] selinux-testsuite: Infiniband endport tests

2017-05-17 Thread Dan Jurgens
From: Daniel Jurgens New tests for Infiniband endports. Most users do not have infiniband hardware, and if they do the device names can vary. There is a configuration file for enabling the tests and setting environment specific configurations. If the tests are disabled

[PATCH 1/2] selinux-testsuite: Infiniband pkey tests

2017-05-17 Thread Dan Jurgens
From: Daniel Jurgens New tests for infiniband pkeys. Most users don't have Infiniband hardware, and if they do the pkey configuration is not standardized. There is a configuration file for enabling the test and setting environment specific test configurations. If the tests

[PATCH v1 9/9] semanage: Update man pages for infiniband

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Update the main man page and add specific pages for ibpkeys and ibendports. Signed-off-by: Daniel Jurgens --- python/semanage/semanage-ibendport.8 | 66 python/semanage/semanage-ibpkey.8|

[PATCH v1 6/9] libsepol: Add IB end port handling to CIL

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Add IB end port parsing, symbol table management, and policy generation to CIL. Signed-off-by: Daniel Jurgens --- v1: James Carter: - Add cil_resolve_ibendportcon prototype in cil_resolve_ast.h Signed-off-by: Daniel Jurgens

[PATCH v1 4/9] checkpolicy: Add support for ibendportcon labels

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Add checkpolicy support for scanning and parsing ibendportcon labels. Also create a new ocontext for IB end ports. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Check IB device name length when parsing policy. - Use

[PATCH v1 8/9] semanage: Update semanage to allow runtime labeling of ibendports

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Update libsepol and libsemanage to work with ibendport records. Add local storage for new and modified ibendport records in ibendports.local. Update semanage to parse the ibendport command options to add, modify, and delete them. Signed-off-by: Daniel

[PATCH v1 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Update libsepol and libsemanage to work with pkey records. Add local storage for new and modified pkey records in pkeys.local. Update semanage to parse the pkey command options to add, modify, and delete pkeys. Signed-off-by: Daniel Jurgens

[PATCH v1 3/9] libsepol: Add Infiniband Pkey handling to CIL

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Add Infiniband pkey parsing, symbol table management, and policy generation to CIL. Signed-off-by: Daniel Jurgens --- libsepol/cil/src/cil.c | 19 + libsepol/cil/src/cil_binary.c | 39 +

[PATCH v1 1/9] checkpolicy: Add support for ibpkeycon labels

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Add checkpolicy support for scanning and parsing ibpkeycon labels. Also create a new ocontext for Infiniband Pkeys and define a new policydb version for infiniband support. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley:

[PATCH v1 5/9] libsepol: Add ibendport ocontext handling

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Add support for reading, writing, and copying IB end port ocontext data. Also add support for querying an IB end port sid to checkpolicy. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Removed unused domain and type

[PATCH v1 2/9] libsepol: Add ibpkey ocontext handling

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Add support for reading, writing, and copying Infiniband Pkey ocontext data. Also add support for querying a Pkey sid to checkpolicy. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Removed domain and type params from

[PATCH 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Update libsepol and libsemanage to work with pkey records. Add local storage for new and modified pkey records in pkeys.local. Update semanage to parse the pkey command options to add, modify, and delete pkeys. Signed-off-by: Daniel Jurgens

[PATCH 3/9] libsepol: Add Infiniband Pkey handling to CIL

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Add Infiniband pkey parsing, symbol table management, and policy generation to CIL. Signed-off-by: Daniel Jurgens --- libsepol/cil/src/cil.c | 19 libsepol/cil/src/cil_binary.c | 39

[PATCH 6/9] libsepol: Add IB end port handling to CIL

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Add IB end port parsing, symbol table management, and policy generation to CIL. Signed-off-by: Daniel Jurgens --- libsepol/cil/src/cil.c | 18 ++ libsepol/cil/src/cil_binary.c | 29

[PATCH 4/9] checkpolicy: Add support for ibendportcon labels

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Add checkpolicy support for scanning and parsing ibendportcon labels. Also create a new ocontext for IB end ports. Signed-off-by: Daniel Jurgens --- checkpolicy/policy_define.c| 70

[PATCH 9/9] semanage: Update man pages for infiniband

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Update the main man page and add specific pages for ibpkeys and ibendports. Signed-off-by: Daniel Jurgens --- python/semanage/semanage-ibendport.8 | 66 ++ python/semanage/semanage-ibpkey.8|

[PATCH 5/9] libsepol: Add ibendport ocontext handling

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Add support for reading, writing, and copying IB end port ocontext data. Also add support for querying an IB end port sid to checkpolicy. Signed-off-by: Daniel Jurgens --- checkpolicy/checkpolicy.c | 20

[PATCH 1/9] checkpolicy: Add support for ibpkeycon labels

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Add checkpolicy support for scanning and parsing ibpkeycon labels. Also create a new ocontext for Infiniband Pkeys and define a new policydb version for infiniband support. Signed-off-by: Daniel Jurgens ---

[PATCH 8/9] semanage: Update semanage to allow runtime labeling of ibendports

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Update libsepol and libsemanage to work with ibendport records. Add local storage for new and modified ibendport records in ibendports.local. Update semanage to parse the ibendport command options to add, modify, and delete them. Signed-off-by: Daniel

[PATCH 0/9] SELinux user space support for Infiniband RDMA

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Infiniband applications access HW from user-space -- traffic is generated directly by HW, bypassing the kernel. Consequently, Infiniband Partitions, which are associated directly with HW transport endpoints, are a natural choice for enforcing granular

[PATCH v6 5/9] selinux: Create policydb version for Infiniband support

2016-11-23 Thread Dan Jurgens
From: Daniel Jurgens Support for Infiniband requires the addition of two new object contexts, one for infiniband PKeys and another for IB Ports. Added handlers to read and write the new ocontext types when reading or writing a binary policy representation. Signed-off-by:

[PATCH v6 2/9] IB/core: Enforce PKey security on QPs

2016-11-23 Thread Dan Jurgens
From: Daniel Jurgens Add new LSM hooks to allocate and free security contexts and check for permission to access a PKey. Allocate and free a security context when creating and destroying a QP. This context is used for controlling access to PKeys. When a request is made to

[PATCH v6 9/9] selinux: Add a cache for quicker retrieval of PKey SIDs

2016-11-23 Thread Dan Jurgens
Moore - Fixed a bracket indentation mismatch in sel_pkey_find. Yuval Shaia - Change spin_lock_bh to spin_lock_irqsave to resolve HARDIRQ lockdep warning. Dan Jurgens v6: - Fixed sel_pkey_sid_slow error handling. James Morris --- security/selinux/Makefile | 2 +- security/selinux/hooks.c

[PATCH v6 8/9] selinux: Add IB Port SMP access vector

2016-11-23 Thread Dan Jurgens
From: Daniel Jurgens Add a type for Infiniband ports and an access vector for subnet management packets. Implement the ib_port_smp hook to check that the caller has permission to send and receive SMPs on the end port specified by the device name and port. Add interface to

[PATCH v6 0/9] SELinux support for Infiniband RDMA

2016-11-23 Thread Dan Jurgens
new initial SIDs. Stephen Smalley - Squash MAD agent PKey and SMI patches and move logic to IB security. Dan Jurgens - Changed ib_end_port to ib_port. Paul Moore - Changed ib_port access vector from smp to manage_subnet. Paul Moore - Added pkey and ib_port details to the audit log. Paul Moor

[PATCH v6 1/9] IB/core: IB cache enhancements to support Infiniband security

2016-11-23 Thread Dan Jurgens
From: Daniel Jurgens Cache the subnet prefix and add a function to access it. Enforcing security requires frequent queries of the subnet prefix and the pkeys in the pkey table. Also removed an unneeded pr_warn about memory allocation failure. Signed-off-by: Daniel Jurgens

[PATCH v5 5/9] selinux: Create policydb version for Infiniband support

2016-11-22 Thread Dan Jurgens
From: Daniel Jurgens Support for Infiniband requires the addition of two new object contexts, one for infiniband PKeys and another for IB Ports. Added handlers to read and write the new ocontext types when reading or writing a binary policy representation. Signed-off-by:

[PATCH v5 2/9] IB/core: Enforce PKey security on QPs

2016-11-22 Thread Dan Jurgens
From: Daniel Jurgens Add new LSM hooks to allocate and free security contexts and check for permission to access a PKey. Allocate and free a security context when creating and destroying a QP. This context is used for controlling access to PKeys. When a request is made to

[PATCH v5 9/9] selinux: Add a cache for quicker retrieval of PKey SIDs

2016-11-22 Thread Dan Jurgens
Moore - Fixed a bracket indentation mismatch in sel_pkey_find. Yuval Shaia - Change spin_lock_bh to spin_lock_irqsave to resolve HARDIRQ lockdep warning. Dan Jurgens --- security/selinux/Makefile | 2 +- security/selinux/hooks.c | 7 +- security/selinux/ibpkey.c | 245

[PATCH v5 6/9] selinux: Allocate and free infiniband security hooks

2016-11-22 Thread Dan Jurgens
From: Daniel Jurgens Implement and attach hooks to allocate and free Infiniband object security structures. Signed-off-by: Daniel Jurgens --- v2: - Use void * blobs for security structs. Paul Moore - Shorten ib_end_port to ib_port. Paul Moore -

[PATCH v5 4/9] IB/core: Enforce security on management datagrams

2016-11-22 Thread Dan Jurgens
ag to track permission instead of calling the LSM hook for every SMP. Dan Jurgens - Squashed PKey and SMP enforcement into the same patch and moved the logic into security.c. Dan Jurgens v3: - ib_port -> ib_endport. Paul Moore - Use notifier chains for LSM notification. Paul Moore - Reorder L

[PATCH v5 3/9] selinux lsm IB/core: Implement LSM notification system

2016-11-22 Thread Dan Jurgens
From: Daniel Jurgens Add a generic notification mechanism in the LSM. Interested consumers can register a callback with the LSM and security modules can produce events. Because access to Infiniband QPs is enforced in the setup phase of a connection, security should be

[PATCH v5 0/9] SELinux support for Infiniband RDMA

2016-11-22 Thread Dan Jurgens
new initial SIDs. Stephen Smalley - Squash MAD agent PKey and SMI patches and move logic to IB security. Dan Jurgens - Changed ib_end_port to ib_port. Paul Moore - Changed ib_port access vector from smp to manage_subnet. Paul Moore - Added pkey and ib_port details to the audit log. Paul Moor

[PATCH v4 6/9] selinux: Allocate and free infiniband security hooks

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens Implement and attach hooks to allocate and free Infiniband object security structures. issue: 736423 Change-Id: I3bdbecee7aab6d7615a02967c39a5a8792a14d44 Signed-off-by: Daniel Jurgens --- v2: - Use void * blobs for security

[PATCH v4 3/9] selinux lsm IB/core: Implement LSM notification system

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens Add a generic notification mechanism in the LSM. Interested consumers can register a callback with the LSM and security modules can produce events. Because access to Infiniband QPs is enforced in the setup phase of a connection, security should be

[PATCH v4 2/9] IB/core: Enforce PKey security on QPs

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens Add new LSM hooks to allocate and free security contexts and check for permission to access a PKey. Allocate and free a security context when creating and destroying a QP. This context is used for controlling access to PKeys. When a request is made to

[PATCH v4 7/9] selinux: Implement Infiniband PKey "Access" access vector

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens Add a type and access vector for PKeys. Implement the ib_pkey_access hook to check that the caller has permission to access the PKey on the given subnet prefix. Add an interface to get the PKey SID. Walk the PKey ocontexts to find an entry for the given

[PATCH v4 4/9] IB/core: Enforce security on management datagrams

2016-11-08 Thread Dan Jurgens
". Paul Moore - Use the LSM policy change notification and a flag to track permission instead of calling the LSM hook for every SMP. Dan Jurgens - Squashed PKey and SMP enforcement into the same patch and moved the logic into security.c. Dan Jurgens v3: - ib_port -> ib_endport. Paul

[PATCH v4 5/9] selinux: Create policydb version for Infiniband support

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens Support for Infiniband requires the addition of two new object contexts, one for infiniband PKeys and another for IB Ports. Added handlers to read and write the new ocontext types when reading or writing a binary policy representation. issue: 736423

[PATCH v4 9/9] selinux: Add a cache for quicker retrieval of PKey SIDs

2016-11-08 Thread Dan Jurgens
ellanox.com> --- v2: - Renamed the files to ibpkey. Paul Moore - Fixed a bracket indentation mismatch in sel_pkey_find. Yuval Shaia - Change spin_lock_bh to spin_lock_irqsave to resolve HARDIRQ lockdep warning. Dan Jurgens Signed-off-by: Daniel Jurgens <dani...@mellanox.com> --- security/s

[PATCH v4 8/9] selinux: Add IB Port SMP access vector

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens Add a type for Infiniband ports and an access vector for subnet management packets. Implement the ib_port_smp hook to check that the caller has permission to send and receive SMPs on the end port specified by the device name and port. Add interface to

[PATCH v4 1/9] IB/core: IB cache enhancements to support Infiniband security

2016-11-08 Thread Dan Jurgens
From: Daniel Jurgens Cache the subnet prefix and add a function to access it. Enforcing security requires frequent queries of the subnet prefix and the pkeys in the pkey table. Also removed an unneeded pr_warn about memory allocation failure. issue: 736423 Change-Id:

[PATCH v4 0/9] SELinux support for Infiniband RDMA

2016-11-08 Thread Dan Jurgens
new initial SIDs. Stephen Smalley - Squash MAD agent PKey and SMI patches and move logic to IB security. Dan Jurgens - Changed ib_end_port to ib_port. Paul Moore - Changed ib_port access vector from smp to manage_subnet. Paul Moore - Added pkey and ib_port details to the audit log. Paul Moor

[PATCH v3 7/9] selinux: Implement Infiniband PKey "Access" access vector

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Add a type and access vector for PKeys. Implement the ib_pkey_access hook to check that the caller has permission to access the PKey on the given subnet prefix. Add an interface to get the PKey SID. Walk the PKey ocontexts to find an entry for the given

[PATCH v3 6/9] selinux: Allocate and free infiniband security hooks

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Implement and attach hooks to allocate and free Infiniband object security structures. Signed-off-by: Daniel Jurgens --- v2: - Use void * blobs for security structs. Paul Moore - Shorten ib_end_port to ib_port. Paul Moore -

[PATCH v3 9/9] selinux: Add a cache for quicker retrieval of PKey SIDs

2016-07-29 Thread Dan Jurgens
Moore - Fixed a bracket indentation mismatch in sel_pkey_find. Yuval Shaia - Change spin_lock_bh to spin_lock_irqsave to resolve HARDIRQ lockdep warning. Dan Jurgens security/selinux/Makefile | 2 +- security/selinux/hooks.c | 4 +- security/selinux/ibpkey.c | 245

[PATCH v3 4/9] IB/core: Enforce security on management datagrams

2016-07-29 Thread Dan Jurgens
ag to track permission instead of calling the LSM hook for every SMP. Dan Jurgens - Squashed PKey and SMP enforcement into the same patch and moved the logic into security.c. Dan Jurgens v3: - ib_port -> ib_endport. Paul Moore - Use notifier chains for LSM notification. Paul Moore - Reorder L

[PATCH v3 5/9] selinux: Create policydb version for Infiniband support

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Support for Infiniband requires the addition of two new object contexts, one for infiniband PKeys and another for IB Ports. Added handlers to read and write the new ocontext types when reading or writing a binary policy representation. Signed-off-by:

[PATCH v3 2/9] IB/core: Enforce PKey security on QPs

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Add new LSM hooks to allocate and free security contexts and check for permission to access a PKey. Allocate and free a security context when creating and destroying a QP. This context is used for controlling access to PKeys. When a request is made to

[PATCH v3 3/9] selinux lsm IB/core: Implement LSM notification system

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Add a generic notification mechanism in the LSM. Interested consumers can register a callback with the LSM and security modules can produce events. Because access to Infiniband QPs is enforced in the setup phase of a connection, security should be

[PATCH v3 1/9] IB/core: IB cache enhancements to support Infiniband security

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Cache the subnet prefix and add a function to access it. Enforcing security requires frequent queries of the subnet prefix and the pkeys in the pkey table. Also removed an unneeded pr_warn about memory allocation failure. Signed-off-by: Daniel Jurgens

[PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-07-29 Thread Dan Jurgens
Shaia, Paul Moore - Squash LSM changes into the patches where the calls are added. Paul Moore - Don't add new initial SIDs. Stephen Smalley - Squash MAD agent PKey and SMI patches. Dan Jurgens - Changed ib_end_port to ib_port. Paul Moore - Changed ib_port access vector from smp to manage_subne

[PATCH v2 9/9] selinux: Add a cache for quicker retrieval of PKey SIDs

2016-07-15 Thread Dan Jurgens
Moore - Fixed a bracket indentation mismatch in sel_pkey_find. Yuval Shaia - Change spin_lock_bh to spin_lock_irqsave to resolve HARDIRQ lockdep warning. Dan Jurgens --- security/selinux/Makefile |2 +- security/selinux/hooks.c |5 +- security/selinux/ibpkey.c | 245 +++

[PATCH v2 7/9] selinux: Implement Infiniband PKey "Access" access vector

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Add a type and access vector for PKeys. Implement the ib_pkey_access hook to check that the caller has permission to access the PKey on the given subnet prefix. Add an interface to get the PKey SID. Walk the PKey ocontexts to find an entry for the given

[PATCH v2 6/9] selinux: Allocate and free infiniband security hooks

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Implement and attach hooks to allocate and free Infiniband object security structures. Signed-off-by: Daniel Jurgens --- v2: - Use void * blobs for security structs. Paul Moore - Shorten ib_end_port to ib_port. Paul Moore -

[PATCH v2 4/9] IB/core: Enforce security on management datagrams

2016-07-15 Thread Dan Jurgens
ag to track permission instead of calling the LSM hook for every SMP. Dan Jurgens - Squashed PKey and SMP enforcement into the same patch and moved the logic into security.c. Dan Jurgens --- drivers/infiniband/core/core_priv.h | 35 + drivers/infiniband/core/mad.c |

[PATCH v2 2/9] IB/core: Enforce PKey security on QPs

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Add new LSM hooks to allocate and free security contexts and check for permission to access a PKey. Allocate and free a security context when creating and destroying a QP. This context is used for controlling access to PKeys. When a request is made to

[PATCH v2 3/9] selinux lsm IB/core: Implement LSM notification system

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Add a generic notification mechanism in the LSM. Interested consumers can register a callback with the LSM and security modules can produce events. Because access to Infiniband QPs is enforced in the setup phase of a connection, security should be

[PATCH v2 1/9] IB/core: IB cache enhancements to support Infiniband security

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Cache the subnet prefix and add a function to access it. Enforcing security requires frequent queries of the subnet prefix and the pkeys in the pkey table. Also removed an unneeded pr_warn about memory allocation failure. Signed-off-by: Daniel Jurgens

[PATCH 06/12] selinux: Add IB End Port SMP access vector

2016-06-23 Thread Dan Jurgens
From: Daniel Jurgens Add a type for Infiniband end ports and an access vector for subnet management packets. Implement the ib_end_port_smp hook to check that the caller has permission to send and receive SMPs on the end port specified by the device name and port. Add

[PATCH 04/12] selinux: Allocate and free infiniband security hooks

2016-06-23 Thread Dan Jurgens
From: Daniel Jurgens Implement and attach hooks to allocate and free Infiniband QP and MAD agent security structures. Signed-off-by: Daniel Jurgens Reviewed-by: Eli Cohen --- include/rdma/ib_mad.h | 1 +

[PATCH 10/12] IB/core: Enforce PKey security on management datagrams

2016-06-23 Thread Dan Jurgens
From: Daniel Jurgens Allocate and free a security context when creating and destroying a MAD agent. This context is used for controlling access to PKeys. When sending or receiving a MAD check that the agent has permission to access the PKey for the Subnet Prefix of the

[PATCH 08/12] IB/core: IB cache enhancements to support Infiniband security

2016-06-23 Thread Dan Jurgens
From: Daniel Jurgens Cache the subnet prefix and add a function to access it. Enforcing security requires frequent queries of the subnet prefix and the pkeys in the pkey table. Also removed an unneeded pr_warn about memory allocation failure. Signed-off-by: Daniel Jurgens