From patchwork Thu Jul 14 22:56:50 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Jurgens X-Patchwork-Id: 9231891 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 444BC60574 for ; Fri, 15 Jul 2016 12:40:11 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3278E27F94 for ; Fri, 15 Jul 2016 12:40:11 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2487B2832B; Fri, 15 Jul 2016 12:40:11 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Received: from emsm-gh1-uea10.nsa.gov (smtp.nsa.gov [8.44.101.8]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id DFD6627F94 for ; Fri, 15 Jul 2016 12:40:09 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.28,368,1464652800"; d="scan'208";a="15610547" IronPort-PHdr: =?us-ascii?q?9a23=3AJ5xIShJQrqr/FI0r1dmcpTZWNBhigK39O0sv0rFi?= =?us-ascii?q?tYgTK/7xwZ3uMQTl6Ol3ixeRBMOAuqoC17ad7viocFdDyK7JiGoFfp1IWk1Nou?= =?us-ascii?q?QttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXsq3G/pQQfBg/4fVIs?= =?us-ascii?q?YL+kQsiO04/qj6ibwN76W01wnj2zYLd/fl2djD76kY0ou7ZkMbs70RDTo3FFKK?= =?us-ascii?q?x8zGJsIk+PzV6nvp/jtKN592xsn95pt4sZCeSpN5k+VqFSWTQ6L3hno4rzrx7G?= =?us-ascii?q?QBeP62YHFGQQnB1TDgOD8ADxXpC3tCDhvax42S3dOMT3SbU9X3Ol97tqTxnzzz?= =?us-ascii?q?wKMz8/7XGEt8prkagOpRugowB4kZXZZICTKeo7ZK7EYN4BWUJdT81RUGpHGYr6?= =?us-ascii?q?YIwRWPEcN+RVpJWoul0VsBGlDhOtDu689jgdjX/s3LYl+/8mDBqDxwskWdUUvz?= =?us-ascii?q?CctNzoMI8KWP2xiazPyi/OKfhR3HO184TTWgwwqvGLG7RreIzezldrXw7dh0+R?= =?us-ascii?q?sqT9NimUzfwJumOWqe16Wqbnh2oqpw92uDSH3MogioDVwIkSzxSM7ihwxsA1KN?= =?us-ascii?q?OkWWZ6Z8KpFN1bsCTef4t/RoU4RHplvj0mzbYFkZG+dSkOjp8gwk3xcfuCJqSB?= =?us-ascii?q?5FrBSfyeLDFjzCZpcbS+ihKw2U2tzun1UM6kll1Nq3wWwZH3qnkR2kmLuYC8Qf?= =?us-ascii?q?xn8xLkgG6C?= X-IPAS-Result: =?us-ascii?q?A2EqBQCm2IhX/wHyM5BcHAEBgyCBUrplH4cxTAEBAQEBAQI?= =?us-ascii?q?CYieCMgQDEIIUAgQBAiQTDAgCHgsDAwECBgEBFwghCAgDAS0VEQcHCwUYBIgPB?= =?us-ascii?q?L9yAQEBAQYCASSPCREBhXcFiB2Fa3GKKI5diWWFTpBvggscgU9rhR6BNQEBAQ?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea10.nsa.gov with ESMTP; 15 Jul 2016 12:40:01 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u6FCe0vp024971; Fri, 15 Jul 2016 08:40:01 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id u6EMw9de072638 for ; Thu, 14 Jul 2016 18:58:09 -0400 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u6EMw8mA030544 for ; Thu, 14 Jul 2016 18:58:09 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1CeBACpF4hX/4GlL8FcHQGEcrZhhAqGGQKBewEBAQEBAWYnhF0CBCdSEBgIMVcHEog0wGIBAQgnlRIFiByFa3GKJ45bjy+QGVSCCRyBTzkyh24BAQE X-IPAS-Result: A1CeBACpF4hX/4GlL8FcHQGEcrZhhAqGGQKBewEBAQEBAWYnhF0CBCdSEBgIMVcHEog0wGIBAQgnlRIFiByFa3GKJ45bjy+QGVSCCRyBTzkyh24BAQE X-IronPort-AV: E=Sophos;i="5.28,365,1464667200"; d="scan'208";a="5582155" Received: from emsm-gh1-uea11.corp.nsa.gov (HELO emsm-gh1-uea11.nsa.gov) ([10.208.41.37]) by goalie.tycho.ncsc.mil with ESMTP; 14 Jul 2016 18:58:08 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3AMBVSORB4cDPNqbcYRgBoUyQJP3N1i/DPJgcQr6Af?= =?us-ascii?q?oPdwSP/zosbcNUDSrc9gkEXOFd2CrakV06yK6Ou6ASQp2tWoiDg6aptCVhsI24?= =?us-ascii?q?09vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6kO74TNaIBjjLw09?= =?us-ascii?q?fr2zQd+KyZjsnLrqs7ToICxwzAKnZr1zKBjk5S7wjeIxxbVYF6Aq1xHSqWFJce?= =?us-ascii?q?kFjUlhJFaUggqurpzopM0r221qtvkg789NV7nhN+R9FOQATWduD2dg783xtALc?= =?us-ascii?q?ZRCI+2BZSWIS1B1SDEyN9BjnWr/puzb+8+963zOXe8bxSPR8Qji5x7t6Qx/vzi?= =?us-ascii?q?EcPng293+TwsFohbhauzq5rgZ+2JbQaYqYcv1kceeVcdcXSWRGRMp5TSFNAoqg?= =?us-ascii?q?KYAICq5JJutRqc/9qlUSvDO/AxWhAKXkzToMzn//2esg1P8sFxra2wcjN90LuX?= =?us-ascii?q?XQ6t7yMfQ8S+ewmYXBy33hculZ1DHmoNzEexYgrPWOdbd9dc7Yz04/UQjCiwPD?= =?us-ascii?q?+sTeIzqJ27FV4CCg5O16WLfq0jZ/pg=3D=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0GfBADVF4hX/4GlL8FcHQGEcrZhhAqGG?= =?us-ascii?q?QKBewEBAQEBAQICYieCMgQBEgGCEwIEJ1IQGAgxVwcSiDTAYgEBCCeVEgWIHIV?= =?us-ascii?q?rcYonjluPL5AZVIIJHIFPOTKHbgEBAQ?= X-IPAS-Result: =?us-ascii?q?A0GfBADVF4hX/4GlL8FcHQGEcrZhhAqGGQKBewEBAQEBAQI?= =?us-ascii?q?CYieCMgQBEgGCEwIEJ1IQGAgxVwcSiDTAYgEBCCeVEgWIHIVrcYonjluPL5AZV?= =?us-ascii?q?IIJHIFPOTKHbgEBAQ?= X-IronPort-AV: E=Sophos;i="5.28,365,1464652800"; d="scan'208";a="17666578" Received: from mail-il-dmz.mellanox.com (HELO mellanox.co.il) ([193.47.165.129]) by emsm-gh1-uea11.nsa.gov with ESMTP; 14 Jul 2016 22:58:07 +0000 Received: from Internal Mail-Server by MTLPINE1 (envelope-from danielj@mellanox.com) with ESMTPS (AES256-SHA encrypted); 15 Jul 2016 01:58:03 +0300 Received: from x-vnc01.mtx.labs.mlnx (x-vnc01.mtx.labs.mlnx [10.12.150.16]) by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id u6EMv9u9030854; Fri, 15 Jul 2016 01:58:00 +0300 From: Dan Jurgens To: chrisw@sous-sol.org, paul@paul-moore.com, sds@tycho.nsa.gov, eparis@parisplace.org, dledford@redhat.com, sean.hefty@intel.com, hal.rosenstock@gmail.com Subject: [PATCH v2 8/9] selinux: Add IB Port SMP access vector Date: Fri, 15 Jul 2016 01:56:50 +0300 Message-Id: <1468537011-20407-9-git-send-email-danielj@mellanox.com> X-Mailer: git-send-email 1.7.1 In-Reply-To: <1468537011-20407-1-git-send-email-danielj@mellanox.com> References: <1468537011-20407-1-git-send-email-danielj@mellanox.com> X-Mailman-Approved-At: Fri, 15 Jul 2016 08:13:30 -0400 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-rdma@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP From: Daniel Jurgens Add a type for Infiniband ports and an access vector for subnet management packets. Implement the ib_port_smp hook to check that the caller has permission to send and receive SMPs on the end port specified by the device name and port. Add interface to query the SID for a IB port, which walks the IB_PORT ocontexts to find an entry for the given name and port. Signed-off-by: Daniel Jurgens --- v2: - Shorted ib_end_port. Paul Moore - Pass void blobs to security hooks. Paul Moore - Log specific IB port info in audit log. Paul Moore - Don't create a new intial sid, use unlabeled. Stephen Smalley - Changed "smp" to "manage_subnet". Paul Moore --- include/linux/lsm_audit.h | 32 ++++++++++++++++---------- security/lsm_audit.c | 5 ++++ security/selinux/hooks.c | 23 +++++++++++++++++++ security/selinux/include/classmap.h | 2 + security/selinux/include/security.h | 2 + security/selinux/ss/services.c | 42 +++++++++++++++++++++++++++++++++++ 6 files changed, 94 insertions(+), 12 deletions(-) diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index 8ff7eae..d2f6bda 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h @@ -21,6 +21,7 @@ #include #include #include +#include struct lsm_network_audit { int netif; @@ -50,21 +51,27 @@ struct lsm_pkey_audit { u16 pkey; }; +struct lsm_ib_port_audit { + char dev_name[IB_DEVICE_NAME_MAX]; + u8 port; +}; + /* Auxiliary data to use in generating the audit record. */ struct common_audit_data { char type; -#define LSM_AUDIT_DATA_PATH 1 -#define LSM_AUDIT_DATA_NET 2 -#define LSM_AUDIT_DATA_CAP 3 -#define LSM_AUDIT_DATA_IPC 4 -#define LSM_AUDIT_DATA_TASK 5 -#define LSM_AUDIT_DATA_KEY 6 -#define LSM_AUDIT_DATA_NONE 7 -#define LSM_AUDIT_DATA_KMOD 8 -#define LSM_AUDIT_DATA_INODE 9 -#define LSM_AUDIT_DATA_DENTRY 10 -#define LSM_AUDIT_DATA_IOCTL_OP 11 -#define LSM_AUDIT_DATA_PKEY 12 +#define LSM_AUDIT_DATA_PATH 1 +#define LSM_AUDIT_DATA_NET 2 +#define LSM_AUDIT_DATA_CAP 3 +#define LSM_AUDIT_DATA_IPC 4 +#define LSM_AUDIT_DATA_TASK 5 +#define LSM_AUDIT_DATA_KEY 6 +#define LSM_AUDIT_DATA_NONE 7 +#define LSM_AUDIT_DATA_KMOD 8 +#define LSM_AUDIT_DATA_INODE 9 +#define LSM_AUDIT_DATA_DENTRY 10 +#define LSM_AUDIT_DATA_IOCTL_OP 11 +#define LSM_AUDIT_DATA_PKEY 12 +#define LSM_AUDIT_DATA_IB_PORT 13 union { struct path path; struct dentry *dentry; @@ -82,6 +89,7 @@ struct common_audit_data { char *kmod_name; struct lsm_ioctlop_audit *op; struct lsm_pkey_audit *pkey; + struct lsm_ib_port_audit *ib_port; } u; /* this union contains LSM specific data */ union { diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 2546d82..95632a9 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c @@ -410,6 +410,11 @@ static void dump_common_audit_data(struct audit_buffer *ab, a->u.pkey->pkey, &sbn_pfx); break; } + case LSM_AUDIT_DATA_IB_PORT: + audit_log_format(ab, " device="); + audit_log_untrustedstring(ab, a->u.ib_port->dev_name); + audit_log_format(ab, " port=%u", a->u.ib_port->port); + break; } /* switch (a->type) */ } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d9c4bfa..40ad0e8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6017,6 +6017,28 @@ static int selinux_ib_pkey_access(u64 subnet_prefix, u16 pkey_val, void *ib_sec) INFINIBAND_PKEY__ACCESS, &ad); } +static int selinux_ib_port_manage_subnet(const char *dev_name, u8 port, void *ib_sec) +{ + struct common_audit_data ad; + int err; + u32 sid = 0; + struct ib_security_struct *sec = ib_sec; + struct lsm_ib_port_audit ib_port; + + err = security_ib_port_sid(dev_name, port, &sid); + + if (err) + return err; + + ad.type = LSM_AUDIT_DATA_IB_PORT; + strncpy(ib_port.dev_name, dev_name, sizeof(ib_port.dev_name)); + ib_port.port = port; + ad.u.ib_port = &ib_port; + return avc_has_perm(sec->sid, sid, + SECCLASS_INFINIBAND_PORT, + INFINIBAND_PORT__MANAGE_SUBNET, &ad); +} + static int selinux_ib_alloc_security(void **ib_sec) { struct ib_security_struct *sec; @@ -6219,6 +6241,7 @@ static struct security_hook_list selinux_hooks[] = { LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), #ifdef CONFIG_SECURITY_INFINIBAND LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), + LSM_HOOK_INIT(ib_port_manage_subnet, selinux_ib_port_manage_subnet), LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), #endif diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index d42dd4d..9ba1238 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -167,5 +167,7 @@ struct security_class_mapping secclass_map[] = { { COMMON_CAP2_PERMS, NULL } }, { "infiniband_pkey", { "access", NULL } }, + { "infiniband_port", + { "manage_subnet", NULL } }, { NULL } }; diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 8f1a66e..1d58583 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -182,6 +182,8 @@ int security_port_sid(u8 protocol, u16 port, u32 *out_sid); int security_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid); +int security_ib_port_sid(const char *dev_name, u8 port, u32 *out_sid); + int security_netif_sid(char *name, u32 *if_sid); int security_node_sid(u16 domain, void *addr, u32 addrlen, diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index ba346da..4c97952 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2270,6 +2270,48 @@ out: } /** + * security_ib_port_sid - Obtain the SID for a subnet management interface. + * @dev_name: device name + * @port: port number + * @out_sid: security identifier + */ +int security_ib_port_sid(const char *dev_name, u8 port, u32 *out_sid) +{ + struct ocontext *c; + int rc = 0; + + read_lock(&policy_rwlock); + + c = policydb.ocontexts[OCON_IB_PORT]; + while (c) { + if (c->u.ib_port.port == port && + !strncmp(c->u.ib_port.dev_name, + dev_name, + IB_DEVICE_NAME_MAX)) + break; + + c = c->next; + } + + if (c) { + if (!c->sid[0]) { + rc = sidtab_context_to_sid(&sidtab, + &c->context[0], + &c->sid[0]); + if (rc) + goto out; + } + *out_sid = c->sid[0]; + } else { + *out_sid = SECINITSID_UNLABELED; + } + +out: + read_unlock(&policy_rwlock); + return rc; +} + +/** * security_netif_sid - Obtain the SID for a network interface. * @name: interface name * @if_sid: interface SID