From patchwork Tue Apr 19 19:51:20 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Jurgens X-Patchwork-Id: 8882931 Return-Path: X-Original-To: patchwork-linux-rdma@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id CFC539F39A for ; Tue, 19 Apr 2016 19:52:23 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id D29E220204 for ; Tue, 19 Apr 2016 19:52:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D3ACF2024D for ; Tue, 19 Apr 2016 19:52:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754544AbcDSTwU (ORCPT ); Tue, 19 Apr 2016 15:52:20 -0400 Received: from [193.47.165.129] ([193.47.165.129]:39714 "EHLO mellanox.co.il" rhost-flags-FAIL-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1754024AbcDSTwT (ORCPT ); Tue, 19 Apr 2016 15:52:19 -0400 Received: from Internal Mail-Server by MTLPINE1 (envelope-from danielj@mellanox.com) with ESMTPS (AES256-SHA encrypted); 19 Apr 2016 22:51:50 +0300 Received: from x-vnc01.mtx.labs.mlnx (x-vnc01.mtx.labs.mlnx [10.12.150.16]) by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id u3JJph1b011960; Tue, 19 Apr 2016 22:51:48 +0300 From: Dan Jurgens To: selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, linux-rdma@vger.kernel.org Cc: yevgenyp@mellanox.com, Daniel Jurgens Subject: [RFC PATCH v3 03/12] selinux: Implement Infiniband flush callback Date: Tue, 19 Apr 2016 22:51:20 +0300 Message-Id: <1461095489-18732-4-git-send-email-danielj@mellanox.com> X-Mailer: git-send-email 1.7.1 In-Reply-To: <1461095489-18732-1-git-send-email-danielj@mellanox.com> References: <1461095489-18732-1-git-send-email-danielj@mellanox.com> Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org X-Spam-Status: No, score=-7.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Daniel Jurgens Because access for infiniband is enforced in the setup phase of a connection there must be a way to notify ib_core if the policy or enforcement setting have changed. Added register and unregister_ib_flush_callback hooks so infiniband can setup notification of policy and enforment changes. In the AVC reset callback function call the ib_flush callback if it's registered. Also renamed the callback function, the previous name was 'net' specific. Signed-off-by: Daniel Jurgens Reviewed-by: Eli Cohen --- v2: 1. Changed to implement 2 hooks for registering and unregistering a callback instead of ib_core registering for a hook that it can't safely delete. Casey 2. Changed hooks to take structure pointers instead of void* blobs. Casey v3: No changes. --- security/selinux/hooks.c | 36 ++++++++++++++++++++++++++++++++++-- 1 files changed, 34 insertions(+), 2 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 912deee..8c91441 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -94,6 +94,9 @@ #include "audit.h" #include "avc_ss.h" +static void (*ib_flush_callback)(void); +static DEFINE_MUTEX(ib_flush_mutex); + /* SECMARK reference count */ static atomic_t selinux_secmark_refcount = ATOMIC_INIT(0); @@ -159,13 +162,17 @@ static int selinux_peerlbl_enabled(void) return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); } -static int selinux_netcache_avc_callback(u32 event) +static int selinux_cache_avc_callback(u32 event) { if (event == AVC_CALLBACK_RESET) { sel_netif_flush(); sel_netnode_flush(); sel_netport_flush(); synchronize_net(); + mutex_lock(&ib_flush_mutex); + if (ib_flush_callback) + ib_flush_callback(); + mutex_unlock(&ib_flush_mutex); } return 0; } @@ -5933,6 +5940,23 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) #endif +#ifdef CONFIG_SECURITY_INFINIBAND +static void selinux_register_ib_flush_callback(void (*callback)(void)) +{ + mutex_lock(&ib_flush_mutex); + ib_flush_callback = callback; + mutex_unlock(&ib_flush_mutex); +} + +static void selinux_unregister_ib_flush_callback(void) +{ + mutex_lock(&ib_flush_mutex); + ib_flush_callback = NULL; + mutex_unlock(&ib_flush_mutex); +} + +#endif + static struct security_hook_list selinux_hooks[] = { LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr), LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), @@ -6113,6 +6137,12 @@ static struct security_hook_list selinux_hooks[] = { LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), +#ifdef CONFIG_SECURITY_INFINIBAND + LSM_HOOK_INIT(register_ib_flush_callback, + selinux_register_ib_flush_callback), + LSM_HOOK_INIT(unregister_ib_flush_callback, + selinux_unregister_ib_flush_callback), +#endif #ifdef CONFIG_SECURITY_NETWORK_XFRM LSM_HOOK_INIT(xfrm_policy_alloc_security, selinux_xfrm_policy_alloc), @@ -6172,9 +6202,11 @@ static __init int selinux_init(void) 0, SLAB_PANIC, NULL); avc_init(); + ib_flush_callback = NULL; + security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks)); - if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) + if (avc_add_callback(selinux_cache_avc_callback, AVC_CALLBACK_RESET)) panic("SELinux: Unable to register AVC netcache callback\n"); if (selinux_enforcing)