[v3,8/9] selinux: Add IB Port SMP access vector

Message ID	1469800416-125043-9-git-send-email-danielj@mellanox.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <selinux-bounces@tycho.nsa.gov> IronPort-PHdr: =?us-ascii?q?9a23=3AzFeqexVDM7jDbHun+BnnTEO3a7fV8LGtZVwlr6E/?= =?us-ascii?q?grcLSJyIuqrYZxOPt8tkgFKBZ4jH8fUM07OQ6PG4HzJRqsnQ+Fk5M7V0Hycfjs?= =?us-ascii?q?sXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aJBzzOEJP?= =?us-ascii?q?K/jvHcaK1oLshrj0pcyYPFQArQH+SIs6FA+xowTVu5teqqpZAYF19CH0pGBVcf?= =?us-ascii?q?9d32JiKAHbtR/94sCt4MwrqHwI6Loc7coIbYHWN+R9FOQZX3waNDU+5Nfqrgbr?= =?us-ascii?q?VgyS/T4HVWFQlQBHR0Dd5Qz+do/4ry+/s+16wiTcNsrzCfgvVS+K87ZgSBiujj?= =?us-ascii?q?wOcTE+7iWfh9R5lqNAiAqovR1k24rda4zTM+BxOuvRed4WS21bUu5LWiBBC5/6?= =?us-ascii?q?ZIwKS6IaMO9e6YnwqUcfhRq4GQSoQujoz3sAhnbym7c9yOknCh3B1w8IENcHsX?= =?us-ascii?q?CSp9LwZ4kIVuXg4KDOhRfedfxb3yy1vITBdBEspfOkWL90dcPXzllpHATA2AbD?= =?us-ascii?q?4bf5Ni+Yg7xe+1OQ6PBtAKf202M=3D?= IronPort-PHdr: =?us-ascii?q?9a23=3A5RSqmhBRzwInBtmttg0UUyQJP3N1i/DPJgcQr6Af?= =?us-ascii?q?oPdwSP/zosbcNUDSrc9gkEXOFd2CrakV06yI4uu+BSQp2tWoiDg6aptCVhsI24?= =?us-ascii?q?09vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6kO74TNaIBjjLw09?= =?us-ascii?q?fr2zQd+KyZrmnL7us7ToICxwzAKnZr1zKBjk5S7wjeIxxbVYF6Aq1xHSqWFJce?= =?us-ascii?q?kFjUlhJFaUggqurpzopM0r221qtvkg789NV7nhN+R9FOQATWduD2dg783xtALc?= =?us-ascii?q?ZRCI+2BZSWIS1B1SDEyN9BjnWr/puzb+8+963zOXe8bxSPR8Qji5x7t6Qx/vzi?= =?us-ascii?q?EcPng293+TwsFohbhauzq5rgZ+2JbQaYqYcv1kceeVcdcXSWRGRMp5TSFNAoqg?= =?us-ascii?q?KYAICq5JJutRqc/9qlUSvDO/AxWhAKXkzToMzn//2esg1P8sFxra2wcjN90LuX?= =?us-ascii?q?XQ6t7yMfQ8S+ewmYXBy33hculZ1DHmoNzEexYgrPWOdbd9dc7Yz04/UQjCiwPD?= =?us-ascii?q?+sTeIzqJ27FV4CCg5O16WLfq0jZ/pg=3D=3D?= From: Dan Jurgens <danielj@mellanox.com> To: chrisw@sous-sol.org, paul@paul-moore.com, sds@tycho.nsa.gov, eparis@parisplace.org, dledford@redhat.com, sean.hefty@intel.com, hal.rosenstock@gmail.com Subject: [PATCH v3 8/9] selinux: Add IB Port SMP access vector Date: Fri, 29 Jul 2016 16:53:35 +0300 Message-Id: <1469800416-125043-9-git-send-email-danielj@mellanox.com> In-Reply-To: <1469800416-125043-1-git-send-email-danielj@mellanox.com> References: <1469800416-125043-1-git-send-email-danielj@mellanox.com> Precedence: list Cc: linux-rdma@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>

Message ID

1469800416-125043-9-git-send-email-danielj@mellanox.com (mailing list archive)

State

Superseded

Headers

IronPort-PHdr: =?us-ascii?q?9a23=3AzFeqexVDM7jDbHun+BnnTEO3a7fV8LGtZVwlr6E/?=
	=?us-ascii?q?grcLSJyIuqrYZxOPt8tkgFKBZ4jH8fUM07OQ6PG4HzJRqsnQ+Fk5M7V0Hycfjs?=
	=?us-ascii?q?sXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aJBzzOEJP?=
	=?us-ascii?q?K/jvHcaK1oLshrj0pcyYPFQArQH+SIs6FA+xowTVu5teqqpZAYF19CH0pGBVcf?=
	=?us-ascii?q?9d32JiKAHbtR/94sCt4MwrqHwI6Loc7coIbYHWN+R9FOQZX3waNDU+5Nfqrgbr?=
	=?us-ascii?q?VgyS/T4HVWFQlQBHR0Dd5Qz+do/4ry+/s+16wiTcNsrzCfgvVS+K87ZgSBiujj?=
	=?us-ascii?q?wOcTE+7iWfh9R5lqNAiAqovR1k24rda4zTM+BxOuvRed4WS21bUu5LWiBBC5/6?=
	=?us-ascii?q?ZIwKS6IaMO9e6YnwqUcfhRq4GQSoQujoz3sAhnbym7c9yOknCh3B1w8IENcHsX?=
	=?us-ascii?q?CSp9LwZ4kIVuXg4KDOhRfedfxb3yy1vITBdBEspfOkWL90dcPXzllpHATA2AbD?=
	=?us-ascii?q?4bf5Ni+Yg7xe+1OQ6PBtAKf202M=3D?=
IronPort-PHdr: =?us-ascii?q?9a23=3A5RSqmhBRzwInBtmttg0UUyQJP3N1i/DPJgcQr6Af?=
	=?us-ascii?q?oPdwSP/zosbcNUDSrc9gkEXOFd2CrakV06yI4uu+BSQp2tWoiDg6aptCVhsI24?=
	=?us-ascii?q?09vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6kO74TNaIBjjLw09?=
	=?us-ascii?q?fr2zQd+KyZrmnL7us7ToICxwzAKnZr1zKBjk5S7wjeIxxbVYF6Aq1xHSqWFJce?=
	=?us-ascii?q?kFjUlhJFaUggqurpzopM0r221qtvkg789NV7nhN+R9FOQATWduD2dg783xtALc?=
	=?us-ascii?q?ZRCI+2BZSWIS1B1SDEyN9BjnWr/puzb+8+963zOXe8bxSPR8Qji5x7t6Qx/vzi?=
	=?us-ascii?q?EcPng293+TwsFohbhauzq5rgZ+2JbQaYqYcv1kceeVcdcXSWRGRMp5TSFNAoqg?=
	=?us-ascii?q?KYAICq5JJutRqc/9qlUSvDO/AxWhAKXkzToMzn//2esg1P8sFxra2wcjN90LuX?=
	=?us-ascii?q?XQ6t7yMfQ8S+ewmYXBy33hculZ1DHmoNzEexYgrPWOdbd9dc7Yz04/UQjCiwPD?=
	=?us-ascii?q?+sTeIzqJ27FV4CCg5O16WLfq0jZ/pg=3D=3D?=
From: Dan Jurgens <danielj@mellanox.com>
To: chrisw@sous-sol.org, paul@paul-moore.com, sds@tycho.nsa.gov,
	eparis@parisplace.org, dledford@redhat.com, sean.hefty@intel.com,
	hal.rosenstock@gmail.com
Subject: [PATCH v3 8/9] selinux: Add IB Port SMP access vector
Date: Fri, 29 Jul 2016 16:53:35 +0300
Message-Id: <1469800416-125043-9-git-send-email-danielj@mellanox.com>
In-Reply-To: <1469800416-125043-1-git-send-email-danielj@mellanox.com>
References: <1469800416-125043-1-git-send-email-danielj@mellanox.com>
Precedence: list
Cc: linux-rdma@vger.kernel.org, linux-security-module@vger.kernel.org,
	selinux@tycho.nsa.gov
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>

Commit Message

Daniel Jurgens July 29, 2016, 1:53 p.m. UTC

From: Daniel Jurgens <danielj@mellanox.com>

Add a type for Infiniband ports and an access vector for subnet
management packets. Implement the ib_port_smp hook to check that the
caller has permission to send and receive SMPs on the end port specified
by the device name and port. Add interface to query the SID for a IB
port, which walks the IB_PORT ocontexts to find an entry for the
given name and port.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>

---
v2:
- Shorted ib_end_port. Paul Moore
- Pass void blobs to security hooks. Paul Moore
- Log specific IB port info in audit log. Paul Moore
- Don't create a new intial sid, use unlabeled. Stephen Smalley
- Changed "smp" to "manage_subnet". Paul Moore

v3:
- ib_port -> ib_endport. Paul Moore
- Don't log device name as untrusted string. Paul Moore
- Reorder parameters of LSM hook. Paul Moore

 include/linux/lsm_audit.h           | 32 +++++++++++++++++-----------
 security/lsm_audit.c                |  5 +++++
 security/selinux/hooks.c            | 25 ++++++++++++++++++++++
 security/selinux/include/classmap.h |  2 ++
 security/selinux/include/security.h |  2 ++
 security/selinux/ss/services.c      | 42 +++++++++++++++++++++++++++++++++++++
 6 files changed, 96 insertions(+), 12 deletions(-)

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 8ff7eae..4f82e52 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -21,6 +21,7 @@ 
 #include <linux/path.h>
 #include <linux/key.h>
 #include <linux/skbuff.h>
+#include <rdma/ib_verbs.h>
 
 struct lsm_network_audit {
 	int netif;
@@ -50,21 +51,27 @@  struct lsm_pkey_audit {
 	u16	pkey;
 };
 
+struct lsm_ib_endport_audit {
+	char	dev_name[IB_DEVICE_NAME_MAX];
+	u8	port_num;
+};
+
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
 	char type;
-#define LSM_AUDIT_DATA_PATH	1
-#define LSM_AUDIT_DATA_NET	2
-#define LSM_AUDIT_DATA_CAP	3
-#define LSM_AUDIT_DATA_IPC	4
-#define LSM_AUDIT_DATA_TASK	5
-#define LSM_AUDIT_DATA_KEY	6
-#define LSM_AUDIT_DATA_NONE	7
-#define LSM_AUDIT_DATA_KMOD	8
-#define LSM_AUDIT_DATA_INODE	9
-#define LSM_AUDIT_DATA_DENTRY	10
-#define LSM_AUDIT_DATA_IOCTL_OP	11
-#define LSM_AUDIT_DATA_PKEY	12
+#define LSM_AUDIT_DATA_PATH		1
+#define LSM_AUDIT_DATA_NET		2
+#define LSM_AUDIT_DATA_CAP		3
+#define LSM_AUDIT_DATA_IPC		4
+#define LSM_AUDIT_DATA_TASK		5
+#define LSM_AUDIT_DATA_KEY		6
+#define LSM_AUDIT_DATA_NONE		7
+#define LSM_AUDIT_DATA_KMOD		8
+#define LSM_AUDIT_DATA_INODE		9
+#define LSM_AUDIT_DATA_DENTRY		10
+#define LSM_AUDIT_DATA_IOCTL_OP		11
+#define LSM_AUDIT_DATA_PKEY		12
+#define LSM_AUDIT_DATA_IB_ENDPORT	13
 	union 	{
 		struct path path;
 		struct dentry *dentry;
@@ -82,6 +89,7 @@  struct common_audit_data {
 		char *kmod_name;
 		struct lsm_ioctlop_audit *op;
 		struct lsm_pkey_audit *pkey;
+		struct lsm_ib_endport_audit *ib_endport;
 	} u;
 	/* this union contains LSM specific data */
 	union {
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 2546d82..ffb077b 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -410,6 +410,11 @@  static void dump_common_audit_data(struct audit_buffer *ab,
 				 a->u.pkey->pkey, &sbn_pfx);
 		break;
 	}
+	case LSM_AUDIT_DATA_IB_ENDPORT:
+		audit_log_format(ab, " device=%s port_num=%u",
+				 a->u.ib_endport->dev_name,
+				 a->u.ib_endport->port_num);
+		break;
 	} /* switch (a->type) */
 }
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 101ea82..5aa345f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6017,6 +6017,29 @@  static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
 			    INFINIBAND_PKEY__ACCESS, &ad);
 }
 
+static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
+					    u8 port_num)
+{
+	struct common_audit_data ad;
+	int err;
+	u32 sid = 0;
+	struct ib_security_struct *sec = ib_sec;
+	struct lsm_ib_endport_audit ib_endport;
+
+	err = security_ib_endport_sid(dev_name, port_num, &sid);
+
+	if (err)
+		return err;
+
+	ad.type = LSM_AUDIT_DATA_IB_ENDPORT;
+	strncpy(ib_endport.dev_name, dev_name, sizeof(ib_endport.dev_name));
+	ib_endport.port_num = port_num;
+	ad.u.ib_endport = &ib_endport;
+	return avc_has_perm(sec->sid, sid,
+			    SECCLASS_INFINIBAND_ENDPORT,
+			    INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
+}
+
 static int selinux_ib_alloc_security(void **ib_sec)
 {
 	struct ib_security_struct *sec;
@@ -6219,6 +6242,8 @@  static struct security_hook_list selinux_hooks[] = {
 	LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
 #ifdef CONFIG_SECURITY_INFINIBAND
 	LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
+	LSM_HOOK_INIT(ib_endport_manage_subnet,
+		      selinux_ib_endport_manage_subnet),
 	LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
 	LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
 #endif
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index d42dd4d..f93b64b 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -167,5 +167,7 @@  struct security_class_mapping secclass_map[] = {
 	  { COMMON_CAP2_PERMS, NULL } },
 	{ "infiniband_pkey",
 	  { "access", NULL } },
+	{ "infiniband_endport",
+	  { "manage_subnet", NULL } },
 	{ NULL }
   };
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 8f1a66e..1b575b7 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -182,6 +182,8 @@  int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
 
 int security_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
 
+int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
+
 int security_netif_sid(char *name, u32 *if_sid);
 
 int security_node_sid(u16 domain, void *addr, u32 addrlen,
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ba346da..1b5f693 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2270,6 +2270,48 @@  out:
 }
 
 /**
+ * security_ib_endport_sid - Obtain the SID for a subnet management interface.
+ * @dev_name: device name
+ * @port: port number
+ * @out_sid: security identifier
+ */
+int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
+{
+	struct ocontext *c;
+	int rc = 0;
+
+	read_lock(&policy_rwlock);
+
+	c = policydb.ocontexts[OCON_IB_ENDPORT];
+	while (c) {
+		if (c->u.ib_endport.port_num == port_num &&
+		    !strncmp(c->u.ib_endport.dev_name,
+			     dev_name,
+			     IB_DEVICE_NAME_MAX))
+			break;
+
+		c = c->next;
+	}
+
+	if (c) {
+		if (!c->sid[0]) {
+			rc = sidtab_context_to_sid(&sidtab,
+						   &c->context[0],
+						   &c->sid[0]);
+			if (rc)
+				goto out;
+		}
+		*out_sid = c->sid[0];
+	} else {
+		*out_sid = SECINITSID_UNLABELED;
+	}
+
+out:
+	read_unlock(&policy_rwlock);
+	return rc;
+}
+
+/**
  * security_netif_sid - Obtain the SID for a network interface.
  * @name: interface name
  * @if_sid: interface SID

[v3,8/9] selinux: Add IB Port SMP access vector

Commit Message

Patch