From patchwork Tue Nov 8 21:06:23 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Jurgens X-Patchwork-Id: 9418163 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id CADD060459 for ; Tue, 8 Nov 2016 21:08:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BB870288EB for ; Tue, 8 Nov 2016 21:08:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B023E288F8; Tue, 8 Nov 2016 21:08:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Received: from emsm-gh1-uea10.nsa.gov (smtp.nsa.gov [8.44.101.8]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 00B22288EB for ; Tue, 8 Nov 2016 21:08:47 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.31,611,1473120000"; d="scan'208";a="749873" IronPort-PHdr: =?us-ascii?q?9a23=3AgEEzWRHLgMdgDZfUvAw+wJ1GYnF86YWxBRYc798d?= =?us-ascii?q?s5kLTJ74oMSwAkXT6L1XgUPTWs2DsrQf2rCQ4v+rBDFIyK3CmUhKSIZLWR4BhJ?= =?us-ascii?q?detC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TWM5DIfUi/yKRBy?= =?us-ascii?q?brysXNWD1YLmiKvvptX6WEZhvHKFe7R8LRG7/036l/I9ps9cEJs30QbDuXBSeu?= =?us-ascii?q?5blitCLFOXmAvgtI/rpMYwuxlKv7od0+IIEeCjJ+VrBYBfWT8mKWEu++XwsgTY?= =?us-ascii?q?CBCI4j0bSGpS2gJBHgzt9BjnWtL0tSzgu6x23yzeddb6VpgoSD+i6OFtUxauhy?= =?us-ascii?q?AZc3Y06GjNi9dYlKtBoQm5oxV0zsjTeo7RfPZ6c6/TeskWbXBMUsZYS2pKBYb4?= =?us-ascii?q?J5ACBuxHPetWs5jVpl0SoB/4Dg6pQKvvwzsOnHjt0Kshz+MqEinJ2QUhG5QFt3?= =?us-ascii?q?GHgs/yMfI+WOb97rTSwjjFdLsC1T776YXMcDgkrPWIVLR3YYzazkx5RFCNtUmZ?= =?us-ascii?q?tYGwZ2Dd7e8KqWXOqrM4WA=3D=3D?= X-IPAS-Result: =?us-ascii?q?A2HdBABJPiJY/wHyM5BdHAEBBAEBCgEBFwEBBAEBCgEBgwQ?= =?us-ascii?q?BAQEBAR+BV6Q+llQliBtTAQEBAQEBAQECAQJfKIIzBAMTBYIQAgQBAiQTFCALA?= =?us-ascii?q?wMJAQEXCCEICAMBLRURBwcLBRgEiDsEs3tSOAKLEQEBCAEBAQEjjy8RAYV8BY5?= =?us-ascii?q?Zi1aQSooNhgWRNlVWJBuDFhyBX3CFDXiBNQEBAQ?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea10.nsa.gov with ESMTP; 08 Nov 2016 21:08:46 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uA8L8kHD002873; Tue, 8 Nov 2016 16:08:46 -0500 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id uA8L7BTg246468 for ; Tue, 8 Nov 2016 16:07:11 -0500 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id uA8L7Aqn002527 for ; Tue, 8 Nov 2016 16:07:11 -0500 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1B4BAAnPiJY/4GlL8FdHAEBBAEBCgEBgy8BAQEBAYF2pD6SRIQXhiQCgmYBAgEBAQEBAmIohGICBCdSEBgIMVcHEohgs3pSi0sBAQEHAiWVPQWOWYtWkEqQEpE2VXqDMRyBXzw0hzoBAQE X-IPAS-Result: A1B4BAAnPiJY/4GlL8FdHAEBBAEBCgEBgy8BAQEBAYF2pD6SRIQXhiQCgmYBAgEBAQEBAmIohGICBCdSEBgIMVcHEohgs3pSi0sBAQEHAiWVPQWOWYtWkEqQEpE2VXqDMRyBXzw0hzoBAQE X-IronPort-AV: E=Sophos;i="5.31,611,1473134400"; d="scan'208";a="5812096" Received: from emsm-gh1-uea10.corp.nsa.gov (HELO emsm-gh1-uea10.nsa.gov) ([10.208.41.36]) by goalie.tycho.ncsc.mil with ESMTP; 08 Nov 2016 16:07:11 -0500 IronPort-PHdr: =?us-ascii?q?9a23=3AeTuCyBQIF9KbKKkZg/+wgILSXdpsv+yvbD5Q0YIu?= =?us-ascii?q?jvd0So/mwa65bBGN2/xhgRfzUJnB7Loc0qyN4vqmCDNLvMvJmUtBWaQEbwUCh8?= =?us-ascii?q?QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYsExnyfTB4?= =?us-ascii?q?Ov7yUtaLyZ/mjabjpNaOPk1hv3mUWftKNhK4rAHc5IE9oLBJDeIP8CbPuWZCYO?= =?us-ascii?q?9MxGlldhq5lhf44dqsrtY4q3wD89pozcNLUL37cqIkVvQYSW1+ayFmrPHs4BLD?= =?us-ascii?q?VwqU+VMHVXgN1wFPB07C9h6+Fo/4ry/SruNg3GyfOsrsQPY/XjHmp7xnUzf0mS?= =?us-ascii?q?wHMHg/62iRhctuyOpWuBu7pgdX24fOYZqNMPN1c+XaZ9xeDWZFU8pfUDZNKpmx?= =?us-ascii?q?Y4sGE6wKOuMc55Lwrl1IrRawGRiEBeXzxzsOjXjzmeU62uBnCwbd0Qo7A9UFs1?= =?us-ascii?q?zbqdz0MOEZVuXm4rPPyGDvZvUe+yrn54XOaVh1rfiKXL90c+LUxE0rHgXCnhOb?= =?us-ascii?q?romzbGDd7fgEr2XOt7kobumokWNy7lgp+jU=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0F6BABJPiJY/4GlL8FdHAEBBAEBCgEBG?= =?us-ascii?q?AEFAQsBgwQBAQEBAYF2pD6SRIQXhiQCgmYBAQEBAQEBAQIBAl8ogjMEARUBBII?= =?us-ascii?q?QAgQnUhAYCDFXBxKIYLN7UotLAQEBBwIllT0FjlmLVpBKkBKRNlV6gzEcgV88N?= =?us-ascii?q?IVsgU4BAQE?= X-IPAS-Result: =?us-ascii?q?A0F6BABJPiJY/4GlL8FdHAEBBAEBCgEBGAEFAQsBgwQBAQE?= =?us-ascii?q?BAYF2pD6SRIQXhiQCgmYBAQEBAQEBAQIBAl8ogjMEARUBBIIQAgQnUhAYCDFXB?= =?us-ascii?q?xKIYLN7UotLAQEBBwIllT0FjlmLVpBKkBKRNlV6gzEcgV88NIVsgU4BAQE?= X-IronPort-AV: E=Sophos;i="5.31,611,1473120000"; d="scan'208";a="749745" Received: from mail-il-dmz.mellanox.com (HELO mellanox.co.il) ([193.47.165.129]) by emsm-gh1-uea10.nsa.gov with ESMTP; 08 Nov 2016 21:06:58 +0000 Received: from Internal Mail-Server by MTLPINE1 (envelope-from danielj@mellanox.com) with ESMTPS (AES256-SHA encrypted); 8 Nov 2016 23:06:55 +0200 Received: from x-vnc01.mtx.labs.mlnx. (x-vnc01.mtx.labs.mlnx [10.12.150.16]) by labmailer.mlnx (8.13.8/8.13.8) with ESMTP id uA8L6Se7009889; Tue, 8 Nov 2016 23:06:52 +0200 From: Dan Jurgens To: chrisw@sous-sol.org, paul@paul-moore.com, sds@tycho.nsa.gov, eparis@parisplace.org, dledford@redhat.com, sean.hefty@intel.com, hal.rosenstock@gmail.com Subject: [PATCH v4 7/9] selinux: Implement Infiniband PKey "Access" access vector Date: Tue, 8 Nov 2016 23:06:23 +0200 Message-Id: <1478639185-47521-8-git-send-email-danielj@mellanox.com> X-Mailer: git-send-email 1.7.1 In-Reply-To: <1478639185-47521-1-git-send-email-danielj@mellanox.com> References: <1478639185-47521-1-git-send-email-danielj@mellanox.com> X-Mailman-Approved-At: Tue, 08 Nov 2016 16:07:39 -0500 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: liranl@mellanox.com, leonro@mellanox.com, linux-rdma@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP From: Daniel Jurgens Add a type and access vector for PKeys. Implement the ib_pkey_access hook to check that the caller has permission to access the PKey on the given subnet prefix. Add an interface to get the PKey SID. Walk the PKey ocontexts to find an entry for the given subnet prefix and pkey. issue: 736423 Change-Id: Ib3f7df9b5f98da77a6048855d146f9dcaceba336 Signed-off-by: Daniel Jurgens --- v2: - Use void* blobs for security structs. Paul Moore - Add pkey specific data to the audit log. Paul Moore - Don't introduce a new initial sid, use unlabeled. Stephen Smalley v3: - Reorder parameters to pkey_access hook. Paul Moore Signed-off-by: Daniel Jurgens --- include/linux/lsm_audit.h | 7 +++++++ security/lsm_audit.c | 13 ++++++++++++ security/selinux/hooks.c | 23 +++++++++++++++++++++ security/selinux/include/classmap.h | 2 ++ security/selinux/include/security.h | 2 ++ security/selinux/ss/services.c | 41 +++++++++++++++++++++++++++++++++++++ 6 files changed, 88 insertions(+) diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h index e58e577..402b770 100644 --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h @@ -45,6 +45,11 @@ struct lsm_ioctlop_audit { u16 cmd; }; +struct lsm_pkey_audit { + u64 subnet_prefix; + u16 pkey; +}; + /* Auxiliary data to use in generating the audit record. */ struct common_audit_data { char type; @@ -60,6 +65,7 @@ struct common_audit_data { #define LSM_AUDIT_DATA_DENTRY 10 #define LSM_AUDIT_DATA_IOCTL_OP 11 #define LSM_AUDIT_DATA_FILE 12 +#define LSM_AUDIT_DATA_PKEY 13 union { struct path path; struct dentry *dentry; @@ -77,6 +83,7 @@ struct common_audit_data { char *kmod_name; struct lsm_ioctlop_audit *op; struct file *file; + struct lsm_pkey_audit *pkey; } u; /* this union contains LSM specific data */ union { diff --git a/security/lsm_audit.c b/security/lsm_audit.c index 37f04da..b18d277 100644 --- a/security/lsm_audit.c +++ b/security/lsm_audit.c @@ -410,6 +410,19 @@ static void dump_common_audit_data(struct audit_buffer *ab, audit_log_format(ab, " kmod="); audit_log_untrustedstring(ab, a->u.kmod_name); break; + case LSM_AUDIT_DATA_PKEY: { + struct in6_addr sbn_pfx; + + memset(&sbn_pfx.s6_addr, 0, + sizeof(sbn_pfx.s6_addr)); + + memcpy(&sbn_pfx.s6_addr, &a->u.pkey->subnet_prefix, + sizeof(a->u.pkey->subnet_prefix)); + + audit_log_format(ab, " pkey=0x%x subnet_prefix=%pI6c", + a->u.pkey->pkey, &sbn_pfx); + break; + } } /* switch (a->type) */ } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f48759d..20fb292 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6086,6 +6086,28 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer) #endif #ifdef CONFIG_SECURITY_INFINIBAND +static int selinux_ib_pkey_access(void *ib_sec, u64 subnet_prefix, u16 pkey_val) +{ + struct common_audit_data ad; + int err; + u32 sid = 0; + struct ib_security_struct *sec = ib_sec; + struct lsm_pkey_audit pkey; + + err = security_pkey_sid(subnet_prefix, pkey_val, &sid); + + if (err) + return err; + + ad.type = LSM_AUDIT_DATA_PKEY; + pkey.subnet_prefix = subnet_prefix; + pkey.pkey = pkey_val; + ad.u.pkey = &pkey; + return avc_has_perm(sec->sid, sid, + SECCLASS_INFINIBAND_PKEY, + INFINIBAND_PKEY__ACCESS, &ad); +} + static int selinux_ib_alloc_security(void **ib_sec) { struct ib_security_struct *sec; @@ -6290,6 +6312,7 @@ static void selinux_ib_free_security(void *ib_sec) LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open), #ifdef CONFIG_SECURITY_INFINIBAND + LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), LSM_HOOK_INIT(ib_alloc_security, selinux_ib_alloc_security), LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), #endif diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 1f1f4b2..d42dd4d 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -165,5 +165,7 @@ struct security_class_mapping secclass_map[] = { { COMMON_CAP_PERMS, NULL } }, { "cap2_userns", { COMMON_CAP2_PERMS, NULL } }, + { "infiniband_pkey", + { "access", NULL } }, { NULL } }; diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index 6bb9b0a..17afb7c 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -176,6 +176,8 @@ int security_get_user_sids(u32 callsid, char *username, int security_port_sid(u8 protocol, u16 port, u32 *out_sid); +int security_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid); + int security_netif_sid(char *name, u32 *if_sid); int security_node_sid(u16 domain, void *addr, u32 addrlen, diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 082b20c..085c54b 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2203,6 +2203,47 @@ int security_port_sid(u8 protocol, u16 port, u32 *out_sid) } /** + * security_pkey_sid - Obtain the SID for a pkey. + * @subnet_prefix: Subnet Prefix + * @pkey_num: pkey number + * @out_sid: security identifier + */ +int security_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid) +{ + struct ocontext *c; + int rc = 0; + + read_lock(&policy_rwlock); + + c = policydb.ocontexts[OCON_PKEY]; + while (c) { + if (c->u.pkey.low_pkey <= pkey_num && + c->u.pkey.high_pkey >= pkey_num && + c->u.pkey.subnet_prefix == subnet_prefix) + break; + + c = c->next; + } + + if (c) { + if (!c->sid[0]) { + rc = sidtab_context_to_sid(&sidtab, + &c->context[0], + &c->sid[0]); + if (rc) + goto out; + } + *out_sid = c->sid[0]; + } else { + *out_sid = SECINITSID_UNLABELED; + } + +out: + read_unlock(&policy_rwlock); + return rc; +} + +/** * security_netif_sid - Obtain the SID for a network interface. * @name: interface name * @if_sid: interface SID