@@ -45,6 +45,11 @@ struct lsm_ioctlop_audit {
u16 cmd;
};
+struct lsm_pkey_audit {
+ u64 subnet_prefix;
+ u16 pkey;
+};
+
/* Auxiliary data to use in generating the audit record. */
struct common_audit_data {
char type;
@@ -59,6 +64,7 @@ struct common_audit_data {
#define LSM_AUDIT_DATA_INODE 9
#define LSM_AUDIT_DATA_DENTRY 10
#define LSM_AUDIT_DATA_IOCTL_OP 11
+#define LSM_AUDIT_DATA_PKEY 12
union {
struct path path;
struct dentry *dentry;
@@ -75,6 +81,7 @@ struct common_audit_data {
#endif
char *kmod_name;
struct lsm_ioctlop_audit *op;
+ struct lsm_pkey_audit *pkey;
} u;
/* this union contains LSM specific data */
union {
@@ -5958,6 +5958,44 @@ static void selinux_unregister_ib_flush_callback(void)
mutex_unlock(&ib_flush_mutex);
}
+static int selinux_pkey_access(u64 subnet_prefix, u16 pkey_val, void *security)
+{
+ struct common_audit_data ad;
+ int err;
+ u32 sid = 0;
+ struct ib_security_struct *sec = security;
+ struct lsm_pkey_audit pkey;
+
+ err = security_pkey_sid(subnet_prefix, pkey_val, &sid);
+
+ if (err)
+ goto out;
+
+ ad.type = LSM_AUDIT_DATA_PKEY;
+ pkey.subnet_prefix = subnet_prefix;
+ pkey.pkey = pkey_val;
+ ad.u.pkey = &pkey;
+ err = avc_has_perm(sec->sid, sid,
+ SECCLASS_INFINIBAND_PKEY,
+ INFINIBAND_PKEY__ACCESS, &ad);
+out:
+ return err;
+}
+
+static int selinux_ib_qp_pkey_access(u64 subnet_prefix, u16 pkey_val,
+ struct ib_qp_security *qp_sec)
+{
+ return selinux_pkey_access(subnet_prefix, pkey_val,
+ qp_sec->q_security);
+}
+
+static int selinux_ib_mad_agent_pkey_access(u64 subnet_prefix, u16 pkey_val,
+ struct ib_mad_agent *mad_agent)
+{
+ return selinux_pkey_access(subnet_prefix, pkey_val,
+ mad_agent->m_security);
+}
+
static int selinux_ib_qp_alloc_security(struct ib_qp_security *qp_sec)
{
struct ib_security_struct *sec;
@@ -6187,6 +6225,9 @@ static struct security_hook_list selinux_hooks[] = {
selinux_register_ib_flush_callback),
LSM_HOOK_INIT(unregister_ib_flush_callback,
selinux_unregister_ib_flush_callback),
+ LSM_HOOK_INIT(ib_qp_pkey_access, selinux_ib_qp_pkey_access),
+ LSM_HOOK_INIT(ib_mad_agent_pkey_access,
+ selinux_ib_mad_agent_pkey_access),
LSM_HOOK_INIT(ib_qp_alloc_security,
selinux_ib_qp_alloc_security),
LSM_HOOK_INIT(ib_qp_free_security,
@@ -157,5 +157,7 @@ struct security_class_mapping secclass_map[] = {
{ COMMON_SOCK_PERMS, "attach_queue", NULL } },
{ "binder", { "impersonate", "call", "set_context_mgr", "transfer",
NULL } },
+ { "infiniband_pkey",
+ { "access", NULL } },
{ NULL }
};
@@ -29,5 +29,6 @@ static const char *initial_sid_to_string[] =
"policy",
"scmp_packet",
"devnull",
+ "pkey",
};
@@ -180,6 +180,8 @@ int security_get_user_sids(u32 callsid, char *username,
int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
+int security_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
+
int security_netif_sid(char *name, u32 *if_sid);
int security_node_sid(u16 domain, void *addr, u32 addrlen,
@@ -2229,6 +2229,47 @@ out:
}
/**
+ * security_pkey_sid - Obtain the SID for a pkey.
+ * @subnet_prefix: Subnet Prefix
+ * @pkey_num: pkey number
+ * @out_sid: security identifier
+ */
+int security_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid)
+{
+ struct ocontext *c;
+ int rc = 0;
+
+ read_lock(&policy_rwlock);
+
+ c = policydb.ocontexts[OCON_PKEY];
+ while (c) {
+ if (c->u.pkey.low_pkey <= pkey_num &&
+ c->u.pkey.high_pkey >= pkey_num &&
+ c->u.pkey.subnet_prefix == subnet_prefix)
+ break;
+
+ c = c->next;
+ }
+
+ if (c) {
+ if (!c->sid[0]) {
+ rc = sidtab_context_to_sid(&sidtab,
+ &c->context[0],
+ &c->sid[0]);
+ if (rc)
+ goto out;
+ }
+ *out_sid = c->sid[0];
+ } else {
+ *out_sid = SECINITSID_PKEY;
+ }
+
+out:
+ read_unlock(&policy_rwlock);
+ return rc;
+}
+
+/**
* security_netif_sid - Obtain the SID for a network interface.
* @name: interface name
* @if_sid: interface SID