@@ -21,6 +21,7 @@
#include <linux/path.h>
#include <linux/key.h>
#include <linux/skbuff.h>
+#include <rdma/ib_verbs.h>
struct lsm_network_audit {
int netif;
@@ -50,21 +51,27 @@ struct lsm_pkey_audit {
u16 pkey;
};
+struct lsm_ib_endport_audit {
+ char dev_name[IB_DEVICE_NAME_MAX];
+ u8 port_num;
+};
+
/* Auxiliary data to use in generating the audit record. */
struct common_audit_data {
char type;
-#define LSM_AUDIT_DATA_PATH 1
-#define LSM_AUDIT_DATA_NET 2
-#define LSM_AUDIT_DATA_CAP 3
-#define LSM_AUDIT_DATA_IPC 4
-#define LSM_AUDIT_DATA_TASK 5
-#define LSM_AUDIT_DATA_KEY 6
-#define LSM_AUDIT_DATA_NONE 7
-#define LSM_AUDIT_DATA_KMOD 8
-#define LSM_AUDIT_DATA_INODE 9
-#define LSM_AUDIT_DATA_DENTRY 10
-#define LSM_AUDIT_DATA_IOCTL_OP 11
-#define LSM_AUDIT_DATA_PKEY 12
+#define LSM_AUDIT_DATA_PATH 1
+#define LSM_AUDIT_DATA_NET 2
+#define LSM_AUDIT_DATA_CAP 3
+#define LSM_AUDIT_DATA_IPC 4
+#define LSM_AUDIT_DATA_TASK 5
+#define LSM_AUDIT_DATA_KEY 6
+#define LSM_AUDIT_DATA_NONE 7
+#define LSM_AUDIT_DATA_KMOD 8
+#define LSM_AUDIT_DATA_INODE 9
+#define LSM_AUDIT_DATA_DENTRY 10
+#define LSM_AUDIT_DATA_IOCTL_OP 11
+#define LSM_AUDIT_DATA_PKEY 12
+#define LSM_AUDIT_DATA_IB_ENDPORT 13
union {
struct path path;
struct dentry *dentry;
@@ -82,6 +89,7 @@ struct common_audit_data {
char *kmod_name;
struct lsm_ioctlop_audit *op;
struct lsm_pkey_audit *pkey;
+ struct lsm_ib_endport_audit *ib_endport;
} u;
/* this union contains LSM specific data */
union {
@@ -410,6 +410,11 @@ static void dump_common_audit_data(struct audit_buffer *ab,
a->u.pkey->pkey, &sbn_pfx);
break;
}
+ case LSM_AUDIT_DATA_IB_ENDPORT:
+ audit_log_format(ab, " device=%s port_num=%u",
+ a->u.ib_endport->dev_name,
+ a->u.ib_endport->port_num);
+ break;
} /* switch (a->type) */
}
@@ -6017,6 +6017,29 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val)
INFINIBAND_PKEY__ACCESS, &ad);
}
+static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name,
+ u8 port_num)
+{
+ struct common_audit_data ad;
+ int err;
+ u32 sid = 0;
+ struct ib_security_struct *sec = ib_sec;
+ struct lsm_ib_endport_audit ib_endport;
+
+ err = security_ib_endport_sid(dev_name, port_num, &sid);
+
+ if (err)
+ return err;
+
+ ad.type = LSM_AUDIT_DATA_IB_ENDPORT;
+ strncpy(ib_endport.dev_name, dev_name, sizeof(ib_endport.dev_name));
+ ib_endport.port_num = port_num;
+ ad.u.ib_endport = &ib_endport;
+ return avc_has_perm(sec->sid, sid,
+ SECCLASS_INFINIBAND_ENDPORT,
+ INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad);
+}
+
static int selinux_ib_alloc_security(void **ib_sec)
{
struct ib_security_struct *sec;
@@ -6219,6 +6242,8 @@ static struct security_hook_list selinux_hooks[] = {
LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
#ifdef CONFIG_SECURITY_INFINIBAND
LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access),
+ LSM_HOOK_INIT(ib_endport_manage_subnet,
+ selinux_ib_endport_manage_subnet),
LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security),
LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security),
#endif
@@ -167,5 +167,7 @@ struct security_class_mapping secclass_map[] = {
{ COMMON_CAP2_PERMS, NULL } },
{ "infiniband_pkey",
{ "access", NULL } },
+ { "infiniband_endport",
+ { "manage_subnet", NULL } },
{ NULL }
};
@@ -182,6 +182,8 @@ int security_port_sid(u8 protocol, u16 port, u32 *out_sid);
int security_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
+int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
+
int security_netif_sid(char *name, u32 *if_sid);
int security_node_sid(u16 domain, void *addr, u32 addrlen,
@@ -2270,6 +2270,48 @@ out:
}
/**
+ * security_ib_endport_sid - Obtain the SID for a subnet management interface.
+ * @dev_name: device name
+ * @port: port number
+ * @out_sid: security identifier
+ */
+int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid)
+{
+ struct ocontext *c;
+ int rc = 0;
+
+ read_lock(&policy_rwlock);
+
+ c = policydb.ocontexts[OCON_IB_ENDPORT];
+ while (c) {
+ if (c->u.ib_endport.port_num == port_num &&
+ !strncmp(c->u.ib_endport.dev_name,
+ dev_name,
+ IB_DEVICE_NAME_MAX))
+ break;
+
+ c = c->next;
+ }
+
+ if (c) {
+ if (!c->sid[0]) {
+ rc = sidtab_context_to_sid(&sidtab,
+ &c->context[0],
+ &c->sid[0]);
+ if (rc)
+ goto out;
+ }
+ *out_sid = c->sid[0];
+ } else {
+ *out_sid = SECINITSID_UNLABELED;
+ }
+
+out:
+ read_unlock(&policy_rwlock);
+ return rc;
+}
+
+/**
* security_netif_sid - Obtain the SID for a network interface.
* @name: interface name
* @if_sid: interface SID