From patchwork Wed Apr 6 23:33:48 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Jurgens X-Patchwork-Id: 8767211 Return-Path: X-Original-To: patchwork-linux-rdma@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id B44A19F372 for ; Wed, 6 Apr 2016 23:34:47 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id A7DAD201EC for ; Wed, 6 Apr 2016 23:34:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id BA833201C8 for ; Wed, 6 Apr 2016 23:34:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754538AbcDFXen (ORCPT ); Wed, 6 Apr 2016 19:34:43 -0400 Received: from [193.47.165.129] ([193.47.165.129]:33823 "EHLO mellanox.co.il" rhost-flags-FAIL-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1754233AbcDFXem (ORCPT ); Wed, 6 Apr 2016 19:34:42 -0400 Received: from Internal Mail-Server by MTLPINE1 (envelope-from danielj@mellanox.com) with ESMTPS (AES256-SHA encrypted); 7 Apr 2016 02:34:11 +0300 Received: from x-vnc01.mtx.labs.mlnx (x-vnc01.mtx.labs.mlnx [10.12.150.16]) by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id u36NY4Ti002830; Thu, 7 Apr 2016 02:34:10 +0300 From: Dan Jurgens To: selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, linux-rdma@vger.kernel.org Cc: yevgenyp@mellanox.com, Daniel Jurgens Subject: [RFC PATCH v2 03/13] selinux: Implement Infiniband flush callback Date: Thu, 7 Apr 2016 02:33:48 +0300 Message-Id: <1459985638-37233-4-git-send-email-danielj@mellanox.com> X-Mailer: git-send-email 1.7.1 In-Reply-To: <1459985638-37233-1-git-send-email-danielj@mellanox.com> References: <1459985638-37233-1-git-send-email-danielj@mellanox.com> Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org X-Spam-Status: No, score=-7.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Daniel Jurgens Because access for infiniband is enforced in the setup phase of a connection there must be a way to notify ib_core if the policy or enforcement setting have changed. Added register and unregister_ib_flush_callback hooks so infiniband can setup notification of policy and enforment changes. In the AVC reset callback function call the ib_flush callback if it's registered. Also renamed the callback function, the previous name was 'net' specific. Signed-off-by: Daniel Jurgens Reviewed-by: Eli Cohen --- security/selinux/hooks.c | 36 ++++++++++++++++++++++++++++++++++-- 1 files changed, 34 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index fce7dc8..0fbf3f8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -94,6 +94,9 @@ #include "audit.h" #include "avc_ss.h" +static void (*ib_flush_callback)(void); +static DEFINE_MUTEX(ib_flush_mutex); + /* SECMARK reference count */ static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); @@ -159,13 +162,17 @@ static int selinux_peerlbl_enabled(void) return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); } -static int selinux_netcache_avc_callback(u32 event) +static int selinux_cache_avc_callback(u32 event) { if (event == AVC_CALLBACK_RESET) { sel_netif_flush(); sel_netnode_flush(); sel_netport_flush(); synchronize_net(); + mutex_lock(&ib_flush_mutex); + if (ib_flush_callback) + ib_flush_callback(); + mutex_unlock(&ib_flush_mutex); } return 0; } @@ -5977,6 +5984,23 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) #endif +#ifdef CONFIG_SECURITY_INFINIBAND +static void selinux_register_ib_flush_callback(void (*callback)(void)) +{ + mutex_lock(&ib_flush_mutex); + ib_flush_callback = callback; + mutex_unlock(&ib_flush_mutex); +} + +static void selinux_unregister_ib_flush_callback(void) +{ + mutex_lock(&ib_flush_mutex); + ib_flush_callback = NULL; + mutex_unlock(&ib_flush_mutex); +} + +#endif + static struct security_hook_list selinux_hooks[] = { LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), @@ -6158,6 +6182,12 @@ static struct security_hook_list selinux_hooks[] = { LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), +#ifdef CONFIG_SECURITY_INFINIBAND + LSM_HOOK_INIT(register_ib_flush_callback, + selinux_register_ib_flush_callback), + LSM_HOOK_INIT(unregister_ib_flush_callback, + selinux_unregister_ib_flush_callback), +#endif #ifdef CONFIG_SECURITY_NETWORK_XFRM LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), @@ -6217,9 +6247,11 @@ static __init int selinux_init(void) 0, SLAB_PANIC, NULL); avc_init(); + ib_flush_callback = NULL; + security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); - if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) + if (avc_add_callback(selinux_cache_avc_callback, AVC_CALLBACK_RESET)) panic("SELinux: Unable to register AVC netcache callback\n"); if (selinux_enforcing)