Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8f408ab6 authored by Daniel Jurgens's avatar Daniel Jurgens Committed by Paul Moore
Browse files

selinux lsm IB/core: Implement LSM notification system 



Add a generic notificaiton mechanism in the LSM. Interested consumers
can register a callback with the LSM and security modules can produce
events.

Because access to Infiniband QPs are enforced in the setup phase of a
connection security should be enforced again if the policy changes.
Register infiniband devices for policy change notification and check all
QPs on that device when the notification is received.

Add a call to the notification mechanism from SELinux when the AVC
cache changes or setenforce is cleared.

Signed-off-by: default avatarDaniel Jurgens <danielj@mellanox.com>
Acked-by: default avatarJames Morris <james.l.morris@oracle.com>
Acked-by: default avatarDoug Ledford <dledford@redhat.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent d291f1a6

drivers/infiniband/core/device.c

+53 −0
Original line number Diff line number Diff line
@@ -39,6 +39,8 @@ 
#include <linux/init.h>

#include <linux/mutex.h>

#include <linux/netdevice.h>

#include <linux/security.h>

#include <linux/notifier.h>

#include <rdma/rdma_netlink.h>

#include <rdma/ib_addr.h>

#include <rdma/ib_cache.h>
@@ -82,6 +84,14 @@ static LIST_HEAD(client_list); 
static DEFINE_MUTEX(device_mutex);

static DECLARE_RWSEM(lists_rwsem);



static int ib_security_change(struct notifier_block *nb, unsigned long event,

			      void *lsm_data);

static void ib_policy_change_task(struct work_struct *work);

static DECLARE_WORK(ib_policy_change_work, ib_policy_change_task);



static struct notifier_block ibdev_lsm_nb = {

	.notifier_call = ib_security_change,

};



static int ib_device_check_mandatory(struct ib_device *device)

{
@@ -349,6 +359,40 @@ static int setup_port_pkey_list(struct ib_device *device) 
	return 0;

}



static void ib_policy_change_task(struct work_struct *work)

{

	struct ib_device *dev;



	down_read(&lists_rwsem);

	list_for_each_entry(dev, &device_list, core_list) {

		int i;



		for (i = rdma_start_port(dev); i <= rdma_end_port(dev); i++) {

			u64 sp;

			int ret = ib_get_cached_subnet_prefix(dev,

							      i,

							      &sp);



			WARN_ONCE(ret,

				  "ib_get_cached_subnet_prefix err: %d, this should never happen here\n",

				  ret);

			ib_security_cache_change(dev, i, sp);

		}

	}

	up_read(&lists_rwsem);

}



static int ib_security_change(struct notifier_block *nb, unsigned long event,

			      void *lsm_data)

{

	if (event != LSM_POLICY_CHANGE)

		return NOTIFY_DONE;



	schedule_work(&ib_policy_change_work);



	return NOTIFY_OK;

}



/**

 * ib_register_device - Register an IB device with IB core

 * @device:Device to register
@@ -1115,10 +1159,18 @@ static int __init ib_core_init(void) 
		goto err_sa;

	}



	ret = register_lsm_notifier(&ibdev_lsm_nb);

	if (ret) {

		pr_warn("Couldn't register LSM notifier. ret %d\n", ret);

		goto err_ibnl_clients;

	}



	ib_cache_setup();



	return 0;



err_ibnl_clients:

	ib_remove_ibnl_clients();

err_sa:

	ib_sa_cleanup();

err_mad:
@@ -1138,6 +1190,7 @@ static int __init ib_core_init(void) 


static void __exit ib_core_cleanup(void)

{

	unregister_lsm_notifier(&ibdev_lsm_nb);

	ib_cache_cleanup();

	ib_remove_ibnl_clients();

	ib_sa_cleanup();

include/linux/security.h

+23 −0
Original line number Diff line number Diff line
@@ -69,6 +69,10 @@ struct audit_krule; 
struct user_namespace;

struct timezone;



enum lsm_event {

	LSM_POLICY_CHANGE,

};



/* These functions are in security/commoncap.c */

extern int cap_capable(const struct cred *cred, struct user_namespace *ns,

		       int cap, int audit);
@@ -164,6 +168,10 @@ struct security_mnt_opts { 
	int num_mnt_opts;

};



int call_lsm_notifier(enum lsm_event event, void *data);

int register_lsm_notifier(struct notifier_block *nb);

int unregister_lsm_notifier(struct notifier_block *nb);



static inline void security_init_mnt_opts(struct security_mnt_opts *opts)

{

	opts->mnt_opts = NULL;
@@ -382,6 +390,21 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); 
struct security_mnt_opts {

};



static inline int call_lsm_notifier(enum lsm_event event, void *data)

{

	return 0;

}



static inline int register_lsm_notifier(struct notifier_block *nb)

{

	return 0;

}



static inline  int unregister_lsm_notifier(struct notifier_block *nb)

{

	return 0;

}



static inline void security_init_mnt_opts(struct security_mnt_opts *opts)

{

}

security/security.c

+20 −0
Original line number Diff line number Diff line
@@ -35,6 +35,8 @@ 
#define SECURITY_NAME_MAX	10



struct security_hook_heads security_hook_heads __lsm_ro_after_init;

static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);



char *lsm_names;

/* Boot-time LSM user choice */

static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
@@ -166,6 +168,24 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, 
		panic("%s - Cannot get early memory.\n", __func__);

}



int call_lsm_notifier(enum lsm_event event, void *data)

{

	return atomic_notifier_call_chain(&lsm_notifier_chain, event, data);

}

EXPORT_SYMBOL(call_lsm_notifier);



int register_lsm_notifier(struct notifier_block *nb)

{

	return atomic_notifier_chain_register(&lsm_notifier_chain, nb);

}

EXPORT_SYMBOL(register_lsm_notifier);



int unregister_lsm_notifier(struct notifier_block *nb)

{

	return atomic_notifier_chain_unregister(&lsm_notifier_chain, nb);

}

EXPORT_SYMBOL(unregister_lsm_notifier);



/*

 * Hook list operation macros.

 *

security/selinux/hooks.c

+11 −0
Original line number Diff line number Diff line
@@ -171,6 +171,14 @@ static int selinux_netcache_avc_callback(u32 event) 
	return 0;

}



static int selinux_lsm_notifier_avc_callback(u32 event)

{

	if (event == AVC_CALLBACK_RESET)

		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);



	return 0;

}



/*

 * initialise the security for the init task

 */
@@ -6387,6 +6395,9 @@ static __init int selinux_init(void) 
	if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))

		panic("SELinux: Unable to register AVC netcache callback\n");



	if (avc_add_callback(selinux_lsm_notifier_avc_callback, AVC_CALLBACK_RESET))

		panic("SELinux: Unable to register AVC LSM notifier callback\n");



	if (selinux_enforcing)

		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");

	else

security/selinux/selinuxfs.c

+2 −0
Original line number Diff line number Diff line
@@ -154,6 +154,8 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, 
			avc_ss_reset(0);

		selnl_notify_setenforce(selinux_enforcing);

		selinux_status_update_setenforce(selinux_enforcing);

		if (!selinux_enforcing)

			call_lsm_notifier(LSM_POLICY_CHANGE, NULL);

	}

	length = count;

out: