From patchwork Tue Nov 8 21:06:25 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Jurgens X-Patchwork-Id: 9418161 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 2A8F660459 for ; Tue, 8 Nov 2016 21:08:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 182FE288EB for ; Tue, 8 Nov 2016 21:08:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0D3A5288F8; Tue, 8 Nov 2016 21:08:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Received: from emsm-gh1-uea10.nsa.gov (smtp.nsa.gov [8.44.101.8]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 168CA288EB for ; Tue, 8 Nov 2016 21:08:44 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.31,611,1473120000"; d="scan'208";a="749856" IronPort-PHdr: =?us-ascii?q?9a23=3AfiMRpxY0Vctp2S45ncCaplT/LSx+4OfEezUN459i?= =?us-ascii?q?sYplN5qZpMuybnLW6fgltlLVR4KTs6sC0LuM9fG/EjFdqb+681k6OKRWUBEEjc?= =?us-ascii?q?hE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i760zceF13FOBZv?= =?us-ascii?q?IaytQ8iJ3p7xhr/5psCbSj4LrQL1Wal1IhSyoFeZnegtqqwmFJwMzADUqGBDYe?= =?us-ascii?q?VcyDAgD1uSmxHh+pX4p8Y7oGxtofZpy+psGeW/Jvx5HvRkC2EtM3o0/9LDrh7e?= =?us-ascii?q?Vk6U4X9aVX8Z1lJQChXBxAnzQ5O0tyz9rOc70y6feYXtQascRSWp76AtTgThzi?= =?us-ascii?q?gAKXpx/XnekM1rpLpSuhO6vxh2yIOSZ5uacLJyeq7Rc9QASUJbU8pRXjAHCYS5?= =?us-ascii?q?K8MUAuMHe+ZVoZXsj1oIsRa6QwKrAaenyjZMwGXxxqA8yPgmGgLu0wkpHtZIu3?= =?us-ascii?q?PR//vvM6JHfemzhIvV1zrOaegejTv07onFdhIJpPyIWbt2dtqXwk4qQVCWxm6M?= =?us-ascii?q?oJDoamvGnt8GtHKWuq85De8=3D?= X-IPAS-Result: =?us-ascii?q?A2HgBABJPiJY/wHyM5BdHAEBBAEBCgEBGAEFAQsBgwQBAQE?= =?us-ascii?q?BAR+BV6Q+llciglCDLIIfUwEBAQEBAQEBAgECXyiCMwQDEwWCEAIEAQIkExQgC?= =?us-ascii?q?wMDCQEBFwghCAgDAS0VEQcHCwUYBIg7BLN7UjgCixELAQEBI48vCwYBhXwFmWd?= =?us-ascii?q?IkEqKDYYFjTCEBlVWJBuDFQEcgV9whH8OF2GBNQEBAQ?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea10.nsa.gov with ESMTP; 08 Nov 2016 21:08:42 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uA8L8f2g002842; Tue, 8 Nov 2016 16:08:42 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id uA8L7Alu246465 for ; Tue, 8 Nov 2016 16:07:10 -0500 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uA8L7Aqm002527 for ; Tue, 8 Nov 2016 16:07:10 -0500 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1CoBAAnPiJY/4GlL8FdHQEFAQsBgy8BAQEBAYF2pD6SRIQXgm6DNgKCZgECAQEBAQECYiiEYgIEJ1IQGAgxVwcSiGCzelKLSwELJY86hgMFmWdIkEqQEo0whAZVehuDFQEcgV88NIR/gjsBAQE X-IPAS-Result: A1CoBAAnPiJY/4GlL8FdHQEFAQsBgy8BAQEBAYF2pD6SRIQXgm6DNgKCZgECAQEBAQECYiiEYgIEJ1IQGAgxVwcSiGCzelKLSwELJY86hgMFmWdIkEqQEo0whAZVehuDFQEcgV88NIR/gjsBAQE X-IronPort-AV: E=Sophos;i="5.31,611,1473134400"; d="scan'208";a="5812094" Received: from emsm-gh1-uea11.corp.nsa.gov (HELO emsm-gh1-uea11.nsa.gov) ([10.208.41.37]) by goalie.tycho.ncsc.mil with ESMTP; 08 Nov 2016 16:07:08 -0500 IronPort-PHdr: =?us-ascii?q?9a23=3Azey/RBzlnEQse/vXCy+O+j09IxM/srCxBDY+r6Qd?= =?us-ascii?q?0OITIJqq85mqBkHD//Il1AaPBtSBraMbwLeL+4nbGkU4qa6bt34DdJEeHzQksu?= =?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2WVTerzWI4CIIHV2nbEwu?= =?us-ascii?q?d76zS9GZ0pn//tvx0qWbWx9Piju5bOE6BzSNhiKViPMrh5B/IL060BrDrygAUe?= =?us-ascii?q?1XwWR1OQDbxE6ktY+YtaRu+CVIuv8n69UIEeCjJ/x5HvRkC2EtM3o0/9LDrh7e?= =?us-ascii?q?Vk6U4X9aVX8Z1lJQChXBxAnzQ5O0tyz9rOc70y6feYXtQascRSWp76AtTgThzi?= =?us-ascii?q?gAKXpx/XnekM1rpLpSuhO6vxh2yIOSZ5uacLJyeq7Rc9QASUJbU8pRXjAHCYS5?= =?us-ascii?q?K8MUAuMHe+ZVoZXsj1oIsRa6QwKrAaenyjZMwGXxxqA8yPgmGgLu0wkpHtZIu3?= =?us-ascii?q?PR//vvM6JHfemzhIvV1zrOaegejTv07onFdhIJpPyIWbt2dtqXwk4qQVCWxm6M?= =?us-ascii?q?oJDoamvGnt8GtHKWuq85Dbqi?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0GqBABJPiJY/4GlL8FdHQEFAQsBGQYMg?= =?us-ascii?q?wQBAQEBAYF2pD6SRIQXgm6DNgKCZgEBAQEBAQEBAgECXyiCMwQBFQEEghACBCd?= =?us-ascii?q?SEBgIMVcHEohgs3tSi0sBCyWPOoYDBZlnSJBKkBKNMIQGVXobgxUBHIFfPDSEf?= =?us-ascii?q?22BTgEBAQ?= X-IPAS-Result: =?us-ascii?q?A0GqBABJPiJY/4GlL8FdHQEFAQsBGQYMgwQBAQEBAYF2pD6?= =?us-ascii?q?SRIQXgm6DNgKCZgEBAQEBAQEBAgECXyiCMwQBFQEEghACBCdSEBgIMVcHEohgs?= =?us-ascii?q?3tSi0sBCyWPOoYDBZlnSJBKkBKNMIQGVXobgxUBHIFfPDSEf22BTgEBAQ?= X-IronPort-AV: E=Sophos;i="5.31,611,1473120000"; d="scan'208";a="606475" Received: from mail-il-dmz.mellanox.com (HELO mellanox.co.il) ([193.47.165.129]) by emsm-gh1-uea11.nsa.gov with ESMTP; 08 Nov 2016 21:07:07 +0000 Received: from Internal Mail-Server by MTLPINE1 (envelope-from danielj@mellanox.com) with ESMTPS (AES256-SHA encrypted); 8 Nov 2016 23:07:03 +0200 Received: from x-vnc01.mtx.labs.mlnx. (x-vnc01.mtx.labs.mlnx [10.12.150.16]) by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id uA8L6Se9009889; Tue, 8 Nov 2016 23:06:59 +0200 From: Dan Jurgens To: chrisw@sous-sol.org, paul@paul-moore.com, sds@tycho.nsa.gov, eparis@parisplace.org, dledford@redhat.com, sean.hefty@intel.com, hal.rosenstock@gmail.com Subject: [PATCH v4 9/9] selinux: Add a cache for quicker retreival of PKey SIDs Date: Tue, 8 Nov 2016 23:06:25 +0200 Message-Id: <1478639185-47521-10-git-send-email-danielj@mellanox.com> X-Mailer: git-send-email 1.7.1 In-Reply-To: <1478639185-47521-1-git-send-email-danielj@mellanox.com> References: <1478639185-47521-1-git-send-email-danielj@mellanox.com> X-Mailman-Approved-At: Tue, 08 Nov 2016 16:07:39 -0500 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: liranl@mellanox.com, leonro@mellanox.com, linux-rdma@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP From: Daniel Jurgens It is likely that the SID for the same PKey will be requested many times. To reduce the time to modify QPs and process MADs use a cache to store PKey SIDs. This code is heavily based on the "netif" and "netport" concept originally developed by James Morris and Paul Moore (see security/selinux/netif.c and security/selinux/netport.c for more information) issue: 736423 Change-Id: I176c3079d5d84d06839b4f750100ac47a6081e94 Signed-off-by: Daniel Jurgens --- v2: - Renamed the files to ibpkey. Paul Moore - Fixed a braket indentation mismatch in sel_pkey_find. Yuval Shaia - Change spin_lock_bh to spin_lock_irqsave to resolve HARDIRQ lockdep warning. Dan Jurgens Signed-off-by: Daniel Jurgens --- security/selinux/Makefile | 2 +- security/selinux/hooks.c | 4 +- security/selinux/ibpkey.c | 245 ++++++++++++++++++++++++++++++++++++++ security/selinux/include/ibpkey.h | 31 +++++ security/selinux/include/objsec.h | 6 + 5 files changed, 286 insertions(+), 2 deletions(-) create mode 100644 security/selinux/ibpkey.c create mode 100644 security/selinux/include/ibpkey.h diff --git a/security/selinux/Makefile b/security/selinux/Makefile index 3411c33..ff5895e 100644 --- a/security/selinux/Makefile +++ b/security/selinux/Makefile @@ -5,7 +5,7 @@ obj-$(CONFIG_SECURITY_SELINUX) := selinux.o selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ - netnode.o netport.o exports.o \ + netnode.o netport.o ibpkey.o exports.o \ ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \ ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ea3f6d0..619d2ea 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -90,6 +90,7 @@ #include "netif.h" #include "netnode.h" #include "netport.h" +#include "ibpkey.h" #include "xfrm.h" #include "netlabel.h" #include "audit.h" @@ -174,6 +175,7 @@ static int selinux_netcache_avc_callback(u32 event) static int selinux_lsm_notifier_avc_callback(u32 event) { if (event == AVC_CALLBACK_RESET) { + sel_pkey_flush(); call_lsm_notifier(LSM_POLICY_CHANGE, NULL); } return 0; @@ -6094,7 +6096,7 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) struct ib_security_struct *sec = ib_sec; struct lsm_pkey_audit pkey; - err = security_pkey_sid(subnet_prefix, pkey_val, &sid); + err = sel_pkey_sid(subnet_prefix, pkey_val, &sid); if (err) return err; diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c new file mode 100644 index 0000000..6e52c54 --- /dev/null +++ b/security/selinux/ibpkey.c @@ -0,0 +1,245 @@ +/* + * Pkey table + * + * SELinux must keep a mapping of Infinband PKEYs to labels/SIDs. This + * mapping is maintained as part of the normal policy but a fast cache is + * needed to reduce the lookup overhead. + * + * This code is heavily based on the "netif" and "netport" concept originally + * developed by + * James Morris and + * Paul Moore + * (see security/selinux/netif.c and security/selinux/netport.c for more + * information) + * + */ + +/* + * (c) Mellanox Technologies, 2016 + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + */ + +#include +#include +#include +#include + +#include "ibpkey.h" +#include "objsec.h" + +#define SEL_PKEY_HASH_SIZE 256 +#define SEL_PKEY_HASH_BKT_LIMIT 16 + +struct sel_pkey_bkt { + int size; + struct list_head list; +}; + +struct sel_pkey { + struct pkey_security_struct psec; + struct list_head list; + struct rcu_head rcu; +}; + +static LIST_HEAD(sel_pkey_list); +static DEFINE_SPINLOCK(sel_pkey_lock); +static struct sel_pkey_bkt sel_pkey_hash[SEL_PKEY_HASH_SIZE]; + +/** + * sel_pkey_hashfn - Hashing function for the pkey table + * @pkey: pkey number + * + * Description: + * This is the hashing function for the pkey table, it returns the bucket + * number for the given pkey. + * + */ +static unsigned int sel_pkey_hashfn(u16 pkey) +{ + return (pkey & (SEL_PKEY_HASH_SIZE - 1)); +} + +/** + * sel_pkey_find - Search for a pkey record + * @subnet_prefix: subnet_prefix + * @pkey_num: pkey_num + * + * Description: + * Search the pkey table and return the matching record. If an entry + * can not be found in the table return NULL. + * + */ +static struct sel_pkey *sel_pkey_find(u64 subnet_prefix, u16 pkey_num) +{ + unsigned int idx; + struct sel_pkey *pkey; + + idx = sel_pkey_hashfn(pkey_num); + list_for_each_entry_rcu(pkey, &sel_pkey_hash[idx].list, list) { + if (pkey->psec.pkey == pkey_num && + pkey->psec.subnet_prefix == subnet_prefix) + return pkey; + } + + return NULL; +} + +/** + * sel_pkey_insert - Insert a new pkey into the table + * @pkey: the new pkey record + * + * Description: + * Add a new pkey record to the hash table. + * + */ +static void sel_pkey_insert(struct sel_pkey *pkey) +{ + unsigned int idx; + + /* we need to impose a limit on the growth of the hash table so check + * this bucket to make sure it is within the specified bounds + */ + idx = sel_pkey_hashfn(pkey->psec.pkey); + list_add_rcu(&pkey->list, &sel_pkey_hash[idx].list); + if (sel_pkey_hash[idx].size == SEL_PKEY_HASH_BKT_LIMIT) { + struct sel_pkey *tail; + + tail = list_entry( + rcu_dereference_protected( + sel_pkey_hash[idx].list.prev, + lockdep_is_held(&sel_pkey_lock)), + struct sel_pkey, list); + list_del_rcu(&tail->list); + kfree_rcu(tail, rcu); + } else { + sel_pkey_hash[idx].size++; + } +} + +/** + * sel_pkey_sid_slow - Lookup the SID of a pkey using the policy + * @subnet_prefix: subnet prefix + * @pkey_num: pkey number + * @sid: pkey SID + * + * Description: + * This function determines the SID of a pkey by querying the security + * policy. The result is added to the pkey table to speedup future + * queries. Returns zero on success, negative values on failure. + * + */ +static int sel_pkey_sid_slow(u64 subnet_prefix, u16 pkey_num, u32 *sid) +{ + int ret = -ENOMEM; + struct sel_pkey *pkey; + struct sel_pkey *new = NULL; + unsigned long flags; + + spin_lock_irqsave(&sel_pkey_lock, flags); + pkey = sel_pkey_find(subnet_prefix, pkey_num); + if (pkey) { + *sid = pkey->psec.sid; + spin_unlock_irqrestore(&sel_pkey_lock, flags); + return 0; + } + + ret = security_pkey_sid(subnet_prefix, pkey_num, sid); + if (ret != 0) + goto out; + + new = kzalloc(sizeof(*new), GFP_ATOMIC); + if (!new) + goto out; + + new->psec.subnet_prefix = subnet_prefix; + new->psec.pkey = pkey_num; + new->psec.sid = *sid; + sel_pkey_insert(new); + +out: + spin_unlock_irqrestore(&sel_pkey_lock, flags); + if (unlikely(ret)) + kfree(new); + + return ret; +} + +/** + * sel_pkey_sid - Lookup the SID of a PKEY + * @subnet_prefix: subnet_prefix + * @pkey_num: pkey number + * @sid: pkey SID + * + * Description: + * This function determines the SID of a PKEY using the fastest method + * possible. First the pkey table is queried, but if an entry can't be found + * then the policy is queried and the result is added to the table to speedup + * future queries. Returns zero on success, negative values on failure. + * + */ +int sel_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *sid) +{ + struct sel_pkey *pkey; + + rcu_read_lock(); + pkey = sel_pkey_find(subnet_prefix, pkey_num); + if (pkey) { + *sid = pkey->psec.sid; + rcu_read_unlock(); + return 0; + } + rcu_read_unlock(); + + return sel_pkey_sid_slow(subnet_prefix, pkey_num, sid); +} + +/** + * sel_pkey_flush - Flush the entire pkey table + * + * Description: + * Remove all entries from the pkey table + * + */ +void sel_pkey_flush(void) +{ + unsigned int idx; + struct sel_pkey *pkey, *pkey_tmp; + unsigned long flags; + + spin_lock_irqsave(&sel_pkey_lock, flags); + for (idx = 0; idx < SEL_PKEY_HASH_SIZE; idx++) { + list_for_each_entry_safe(pkey, pkey_tmp, + &sel_pkey_hash[idx].list, list) { + list_del_rcu(&pkey->list); + kfree_rcu(pkey, rcu); + } + sel_pkey_hash[idx].size = 0; + } + spin_unlock_irqrestore(&sel_pkey_lock, flags); +} + +static __init int sel_pkey_init(void) +{ + int iter; + + if (!selinux_enabled) + return 0; + + for (iter = 0; iter < SEL_PKEY_HASH_SIZE; iter++) { + INIT_LIST_HEAD(&sel_pkey_hash[iter].list); + sel_pkey_hash[iter].size = 0; + } + + return 0; +} + +subsys_initcall(sel_pkey_init); diff --git a/security/selinux/include/ibpkey.h b/security/selinux/include/ibpkey.h new file mode 100644 index 0000000..387885a --- /dev/null +++ b/security/selinux/include/ibpkey.h @@ -0,0 +1,31 @@ +/* + * pkey table + * + * SELinux must keep a mapping of pkeys to labels/SIDs. This + * mapping is maintained as part of the normal policy but a fast cache is + * needed to reduce the lookup overhead. + * + */ + +/* + * (c) Mellanox Technologies, 2016 + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + */ + +#ifndef _SELINUX_IB_PKEY_H +#define _SELINUX_IB_PKEY_H + +void sel_pkey_flush(void); + +int sel_pkey_sid(u64 subnet_prefix, u16 pkey, u32 *sid); + +#endif diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 8e7db43..4139f28 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -133,6 +133,12 @@ struct ib_security_struct { u32 sid; /* SID of the queue pair or MAD agent */ }; +struct pkey_security_struct { + u64 subnet_prefix; /* Port subnet prefix */ + u16 pkey; /* PKey number */ + u32 sid; /* SID of pkey */ +}; + extern unsigned int selinux_checkreqprot; #endif /* _SELINUX_OBJSEC_H_ */