From patchwork Thu Jul 14 22:56:47 2016
X-Patchwork-Submitter: Daniel Jurgens
X-Patchwork-Id: 9231885
From: Dan Jurgens
To: chrisw@sous-sol.org, paul@paul-moore.com, sds@tycho.nsa.gov, eparis@parisplace.org, dledford@redhat.com, sean.hefty@intel.com, hal.rosenstock@gmail.com
Cc: linux-rdma@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Subject: [PATCH v2 5/9] selinux: Create policydb version for Infiniband support
Date: Fri, 15 Jul 2016 01:56:47 +0300
Message-Id: <1468537011-20407-6-git-send-email-danielj@mellanox.com>
In-Reply-To: <1468537011-20407-1-git-send-email-danielj@mellanox.com>
References: <1468537011-20407-1-git-send-email-danielj@mellanox.com>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

From: Daniel Jurgens

Support for Infiniband requires the addition of two new object contexts, one for Infiniband PKeys and another for IB Ports. Added handlers to read and write the new ocontext types when reading or writing a binary policy representation.

Signed-off-by: Daniel Jurgens
Reviewed-by: Eli Cohen
---
v2:
- Shorten ib_end_port to ib_port. Paul Moore
- Added bounds checking to port number. Paul Moore
- Eliminated {} in OCON_PKEY case statement. Yuval Shaia
---
 security/selinux/include/security.h |   3 +-
 security/selinux/ss/policydb.c      | 130 +++++++++++++++++++++++++++++++----
 security/selinux/ss/policydb.h      |  27 +++++--
 3 files changed, 136 insertions(+), 24 deletions(-)

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 38feb55..a7e6ed2 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -36,13 +36,14 @@ #define POLICYDB_VERSION_DEFAULT_TYPE 28 #define POLICYDB_VERSION_CONSTRAINT_NAMES 29 #define POLICYDB_VERSION_XPERMS_IOCTL 30 +#define POLICYDB_VERSION_INFINIBAND 31 /* Range of policy versions we understand*/ #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE #else -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_XPERMS_IOCTL +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_INFINIBAND #endif /* Mask for just the mount related flags */ diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 992a315..3aea761 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -17,6 +17,11 @@ * * Added support for the policy capability bitmap * + * Update: Mellanox Techonologies + * + * Added Infiniband support + * + * Copyright (C) 2016 Mellanox Techonologies * Copyright (C) 2007 Hewlett-Packard Development Company, L.P. * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. * Copyright (C) 2003 - 2004 Tresys Technology, LLC 
@@ -76,81 +81,86 @@ static struct policydb_compat_info policydb_compat[] = { { .version = POLICYDB_VERSION_BASE, .sym_num = SYM_NUM - 3, - .ocon_num = OCON_NUM - 1, + .ocon_num = OCON_NUM - 3, }, { .version = POLICYDB_VERSION_BOOL, .sym_num = SYM_NUM - 2, - .ocon_num = OCON_NUM - 1, + .ocon_num = OCON_NUM - 3, }, { .version = POLICYDB_VERSION_IPV6, .sym_num = SYM_NUM - 2, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_NLCLASS, .sym_num = SYM_NUM - 2, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_MLS, .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_AVTAB, .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_RANGETRANS, .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_POLCAP, .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_PERMISSIVE, .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_BOUNDARY, .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_FILENAME_TRANS, .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_ROLETRANS, .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_NEW_OBJECT_DEFAULTS, .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_DEFAULT_TYPE, .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_CONSTRAINT_NAMES, .sym_num = SYM_NUM, - .ocon_num = OCON_NUM, + .ocon_num = OCON_NUM - 2, }, { .version = POLICYDB_VERSION_XPERMS_IOCTL, .sym_num = SYM_NUM, + .ocon_num = OCON_NUM - 2, + }, + { + .version = POLICYDB_VERSION_INFINIBAND, + .sym_num = 
SYM_NUM, .ocon_num = OCON_NUM, }, }; @@ -2219,6 +2229,61 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info, goto out; break; } + case OCON_PKEY: { + rc = next_entry(nodebuf, fp, sizeof(u32) * 6); + if (rc) + goto out; + + c->u.pkey.subnet_prefix = be64_to_cpu(*((__be64 *)nodebuf)); + /* The subnet prefix is stored as an IPv6 + * address in the policy. + * + * Check that the lower 2 DWORDS are 0. + */ + if (nodebuf[2] || nodebuf[3]) { + rc = -EINVAL; + goto out; + } + + if (nodebuf[4] > 0xffff || + nodebuf[5] > 0xffff) { + rc = -EINVAL; + goto out; + } + + c->u.pkey.low_pkey = le32_to_cpu(nodebuf[4]); + c->u.pkey.high_pkey = le32_to_cpu(nodebuf[5]); + + rc = context_read_and_validate(&c->context[0], + p, + fp); + if (rc) + goto out; + break; + } + case OCON_IB_PORT: + rc = next_entry(buf, fp, sizeof(u32) * 2); + if (rc) + goto out; + len = le32_to_cpu(buf[0]); + + rc = str_read(&c->u.ib_port.dev_name, GFP_KERNEL, fp, len); + if (rc) + goto out; + + if (buf[1] > 0xff || buf[1] == 0) { + rc = -EINVAL; + goto out; + } + + c->u.ib_port.port = le32_to_cpu(buf[1]); + + rc = context_read_and_validate(&c->context[0], + p, + fp); + if (rc) + goto out; + break; } } } 
@@ -3147,6 +3212,41 @@ static int ocontext_write(struct policydb *p, struct policydb_compat_info *info, if (rc) return rc; break; + case OCON_PKEY: + *((__be64 *)nodebuf) = cpu_to_be64(c->u.pkey.subnet_prefix); + + /* + * The low order 2 bits were confirmed to be 0 + * when the policy was loaded. Write them out + * as zero + */ + nodebuf[2] = 0; + nodebuf[3] = 0; + + nodebuf[4] = cpu_to_le32(c->u.pkey.low_pkey); + nodebuf[5] = cpu_to_le32(c->u.pkey.high_pkey); + + rc = put_entry(nodebuf, sizeof(u32), 6, fp); + if (rc) + return rc; + rc = context_write(p, &c->context[0], fp); + if (rc) + return rc; + break; + case OCON_IB_PORT: + len = strlen(c->u.ib_port.dev_name); + buf[0] = cpu_to_le32(len); + buf[1] = cpu_to_le32(c->u.ib_port.port); + rc = put_entry(buf, sizeof(u32), 2, fp); + if (rc) + return rc; + rc = put_entry(c->u.ib_port.dev_name, 1, len, fp); + if (rc) + return rc; + rc = context_write(p, &c->context[0], fp); + if (rc) + return rc; + break; } } } diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index 725d594..9f20774 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h @@ -187,6 +187,15 @@ struct ocontext { u32 addr[4]; u32 mask[4]; } node6; /* IPv6 node information */ + struct { + u64 subnet_prefix; + u16 low_pkey; + u16 high_pkey; + } pkey; + struct { + char *dev_name; + u8 port; + } ib_port; } u; union { u32 sclass; /* security class for genfs */ 
@@ -215,14 +224,16 @@ struct genfs { #define SYM_NUM 8 /* object context array indices */ -#define OCON_ISID 0 /* initial SIDs */ -#define OCON_FS 1 /* unlabeled file systems */ -#define OCON_PORT 2 /* TCP and UDP port numbers */ -#define OCON_NETIF 3 /* network interfaces */ -#define OCON_NODE 4 /* nodes */ -#define OCON_FSUSE 5 /* fs_use */ -#define OCON_NODE6 6 /* IPv6 nodes */ -#define OCON_NUM 7 +#define OCON_ISID 0 /* initial SIDs */ +#define OCON_FS 1 /* unlabeled file systems */ +#define OCON_PORT 2 /* TCP and UDP port numbers */ +#define OCON_NETIF 3 /* network interfaces */ +#define OCON_NODE 4 /* nodes */ +#define OCON_FSUSE 5 /* fs_use */ +#define OCON_NODE6 6 /* IPv6 nodes */ +#define OCON_PKEY 7 /* Infiniband PKeys */ +#define OCON_IB_PORT 8 /* Infiniband ports */ +#define OCON_NUM 9 /* The policy database */ struct policydb {
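Review bot: the security.h hunk bumps the default POLICYDB_VERSION_MAX to POLICYDB_VERSION_INFINIBAND (31) only in the #else branch, while the CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE path right above it is untouched; the diffstat lists only security.h, policydb.c and policydb.h, so the Kconfig range and help text for that option need a matching update (here or elsewhere in the series), otherwise a user who enables the option cannot select the new version at all.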
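Review bot: typo in the policydb.c header hunk: "Mellanox Techonologies" should read "Mellanox Technologies" on both added lines (the "Update:" line and the Copyright line).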
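Review bot: the policydb_compat arithmetic checks out (BASE and BOOL stay at 6 via OCON_NUM - 3, IPV6 through XPERMS_IOCTL stay at 7 via OCON_NUM - 2 once OCON_NUM becomes 9, and only the new INFINIBAND row gets the full OCON_NUM), but every pre-31 row is now correct only because the two new indices are the highest ones, since ocontext_read is handed this info and reads ocon_num tables in index order. A one-line comment above the table saying that new ocontext types must be appended after the existing indices and excluded from every older row would save the next person from re-deriving that.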
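Review bot: the new bounds checks in ocontext_read compare the raw on-disk words rather than the converted values: `if (nodebuf[4] > 0xffff || nodebuf[5] > 0xffff)` and `if (buf[1] > 0xff || buf[1] == 0)` run before the `le32_to_cpu()` that the assignments on the next lines apply. The policy is little-endian on disk, so on a big-endian kernel a valid pkey such as 0x0001 is seen as 0x01000000 and rejected; convert into a local first and range-check that (for example `pkey = le32_to_cpu(nodebuf[4]); if (pkey > 0xffff) ...`), as the other ocontext cases convert before using the value. Separately, in OCON_IB_PORT the `str_read()` allocation of `c->u.ib_port.dev_name` happens before the port check, and neither this hunk nor the diffstat shows a corresponding kfree for the new type in ocontext_destroy; please confirm the string is released both on the -EINVAL path that follows it and when the policydb is torn down. Optionally, a `low_pkey <= high_pkey` sanity check would mirror the intent of the range, though OCON_PORT does not enforce that either.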
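Review bot: the comment in the OCON_PKEY write case says "The low order 2 bits were confirmed to be 0", but what the read side validated is `nodebuf[2]` and `nodebuf[3]`, i.e. the two low-order DWORDs of the IPv6-shaped field (the read comment says DWORDS); fix the wording so the two comments agree. The rest of the write path mirrors the read layout (prefix, two zero words, low/high pkey; then len, port, dev_name bytes for OCON_IB_PORT), which is what matters for round-tripping.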
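Review bot: the OCON_PKEY (7) and OCON_IB_PORT (8) indices in policydb.h are position-sensitive: the compat table in policydb.c expresses every pre-INFINIBAND version as OCON_NUM - 2 or OCON_NUM - 3, so these two must remain the last entries before OCON_NUM and any future ocontext type has to go after them. Please add a short comment to that effect next to the defines, and note that the `u8 port` / `u16 low_pkey` / `u16 high_pkey` widths in struct ocontext are what the 0xff and 0xffff checks in ocontext_read are guarding, so the two must be kept in sync if either changes.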