[PATCH 06/12] selinux: Add IB End Port SMP access vector

2016-06-23 Thread Dan Jurgens
From: Daniel Jurgens 

Add a type for Infiniband end ports and an access vector for subnet
management packets. Implement the ib_end_port_smp hook to check that the
caller has permission to send and receive SMPs on the end port specified
by the device name and port.  Add an interface to query the SID for an IB
end port, which walks the IB_END_PORT ocontexts to find an entry for the
given name and port.

Signed-off-by: Daniel Jurgens 
Reviewed-by: Eli Cohen 
---
 include/linux/lsm_audit.h| 32 +++---
 security/selinux/hooks.c | 27 +++
 security/selinux/include/classmap.h  |  2 ++
 security/selinux/include/initial_sid_to_string.h |  1 +
 security/selinux/include/security.h  |  2 ++
 security/selinux/ss/services.c   | 43 
 6 files changed, 95 insertions(+), 12 deletions(-)

diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 8ff7eae..acf6de7 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -21,6 +21,7 @@
 #include 
 #include 
 #include 
+#include 
 
 struct lsm_network_audit {
int netif;
@@ -50,21 +51,27 @@ struct lsm_pkey_audit {
u16 pkey;
 };
 
+struct lsm_ib_end_port_audit {
+   chardev_name[IB_DEVICE_NAME_MAX];
+   u8  port;
+};
+
 /* Auxiliary data to use in generating the audit record. */
 struct common_audit_data {
char type;
-#define LSM_AUDIT_DATA_PATH1
-#define LSM_AUDIT_DATA_NET 2
-#define LSM_AUDIT_DATA_CAP 3
-#define LSM_AUDIT_DATA_IPC 4
-#define LSM_AUDIT_DATA_TASK5
-#define LSM_AUDIT_DATA_KEY 6
-#define LSM_AUDIT_DATA_NONE7
-#define LSM_AUDIT_DATA_KMOD8
-#define LSM_AUDIT_DATA_INODE   9
-#define LSM_AUDIT_DATA_DENTRY  10
-#define LSM_AUDIT_DATA_IOCTL_OP11
-#define LSM_AUDIT_DATA_PKEY12
+#define LSM_AUDIT_DATA_PATH1
+#define LSM_AUDIT_DATA_NET 2
+#define LSM_AUDIT_DATA_CAP 3
+#define LSM_AUDIT_DATA_IPC 4
+#define LSM_AUDIT_DATA_TASK5
+#define LSM_AUDIT_DATA_KEY 6
+#define LSM_AUDIT_DATA_NONE7
+#define LSM_AUDIT_DATA_KMOD8
+#define LSM_AUDIT_DATA_INODE   9
+#define LSM_AUDIT_DATA_DENTRY  10
+#define LSM_AUDIT_DATA_IOCTL_OP11
+#define LSM_AUDIT_DATA_PKEY12
+#define LSM_AUDIT_DATA_IB_END_PORT 13
union   {
struct path path;
struct dentry *dentry;
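Review bot: The fixed `dev_name[IB_DEVICE_NAME_MAX]` member of the new `struct lsm_ib_end_port_audit` is what requires the unconditional RDMA header include added at the top of this file, so every LSM build now picks up that dependency even when CONFIG_SECURITY_INFINIBAND is off. The only filler on this page, selinux_ib_end_port_smp in the hooks.c hunk below, builds both `ad` and `ib_end_port` as locals and hands them to avc_has_perm, so a `const char *dev_name;` member would carry the name with no copy, no size coupling and no header dependency. If the array is kept, document the contract on it, e.g. `/* NUL-terminated; the filler must bound its copy to sizeof(dev_name) */`, since nothing in this header enforces termination.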
@@ -82,6 +89,7 @@ struct common_audit_data {
char *kmod_name;
struct lsm_ioctlop_audit *op;
struct lsm_pkey_audit *pkey;
+   struct lsm_ib_end_port_audit *ib_end_port;
} u;
/* this union contains LSM specific data */
union {
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5a40b10..fc44542 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6056,6 +6056,32 @@ static int selinux_ib_mad_agent_pkey_access(u64 
subnet_prefix, u16 pkey_val,
mad_agent->m_security);
 }
 
+static int selinux_ib_end_port_smp(const char *dev_name, u8 port,
+  struct ib_mad_agent *mad_agent)
+{
+   struct common_audit_data ad;
+   int err;
+   u32 sid = 0;
+   struct ib_security_struct *sec = mad_agent->m_security;
+   struct lsm_ib_end_port_audit ib_end_port;
+
+   err = security_ib_end_port_sid(dev_name, port, );
+
+   if (err)
+   goto out;
+
+   ad.type = LSM_AUDIT_DATA_IB_END_PORT;
+   strncpy(ib_end_port.dev_name, dev_name, sizeof(ib_end_port.dev_name));
+   ib_end_port.port = port;
+   ad.u.ib_end_port = _end_port;
+   err = avc_has_perm(sec->sid, sid,
+  SECCLASS_INFINIBAND_END_PORT,
+  INFINIBAND_END_PORT__SMP, );
+
+out:
+   return err;
+}
+
 static int selinux_ib_qp_alloc_security(struct ib_qp_security *qp_sec)
 {
struct ib_security_struct *sec;
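Review bot: `strncpy(ib_end_port.dev_name, dev_name, sizeof(ib_end_port.dev_name))` leaves `dev_name` without a NUL terminator when the source fills the buffer, and whatever later prints the audit record as a C string (outside this hunk) would then read past the array. `strlcpy(ib_end_port.dev_name, dev_name, sizeof(ib_end_port.dev_name));` both bounds and terminates the copy; whether a caller can actually pass a name of IB_DEVICE_NAME_MAX bytes is not visible here. The function also lacks a header comment; something like `/* Check that the MAD agent's SID may send/receive SMPs on the end port (dev_name, port). */` would state the contract.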
@@ -6289,6 +6315,7 @@ static struct security_hook_list selinux_hooks[] = {
LSM_HOOK_INIT(ib_qp_pkey_access, selinux_ib_qp_pkey_access),
LSM_HOOK_INIT(ib_mad_agent_pkey_access,
  selinux_ib_mad_agent_pkey_access),
+   LSM_HOOK_INIT(ib_end_port_smp, selinux_ib_end_port_smp),
LSM_HOOK_INIT(ib_qp_alloc_security,
  selinux_ib_qp_alloc_security),
LSM_HOOK_INIT(ib_qp_free_security,
diff --git a/security/selinux/include/classmap.h 
b/security/selinux/include/classmap.h
index d42dd4d..21972c8 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -167,5 +167,7 @@ struct security_class_mapping secclass_map[] = {
  { COMMON_CAP2_PERMS, NULL } },
{ "infiniband_pkey",
  { "access", NULL } },
+  

[PATCH 04/12] selinux: Allocate and free infiniband security hooks

2016-06-23 Thread Dan Jurgens
From: Daniel Jurgens 

Implement and attach hooks to allocate and free Infiniband QP and MAD
agent security structures.

Signed-off-by: Daniel Jurgens 
Reviewed-by: Eli Cohen 
---
 include/rdma/ib_mad.h |  1 +
 include/rdma/ib_verbs.h   |  1 +
 security/selinux/hooks.c  | 53 +++
 security/selinux/include/objsec.h |  5 
 4 files changed, 60 insertions(+)

diff --git a/include/rdma/ib_mad.h b/include/rdma/ib_mad.h
index c8a773f..a1ed025 100644
--- a/include/rdma/ib_mad.h
+++ b/include/rdma/ib_mad.h
@@ -537,6 +537,7 @@ struct ib_mad_agent {
u32 flags;
u8  port_num;
u8  rmpp_version;
+   void*m_security;
 };
 
 /**
diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
index 3f6780b..e522acb 100644
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -1454,6 +1454,7 @@ struct ib_qp {
void   *qp_context;
u32 qp_num;
enum ib_qp_type qp_type;
+   struct ib_qp_security  *qp_sec;
 };
 
 struct ib_mr {
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6a8841d..4f13ea4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -17,6 +17,7 @@
  * Paul Moore 
  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
  *Yuichi Nakamura 
+ *  Copyright (C) 2016 Mellanox Technologies
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2,
@@ -83,6 +84,8 @@
 #include 
 #include 
 #include 
+#include 
+#include 
 
 #include "avc.h"
 #include "objsec.h"
@@ -6015,6 +6018,47 @@ static void selinux_unregister_ib_flush_callback(void)
mutex_unlock(_flush_mutex);
 }
 
+static int selinux_ib_qp_alloc_security(struct ib_qp_security *qp_sec)
+{
+   struct ib_security_struct *sec;
+
+   sec = kzalloc(sizeof(*sec), GFP_ATOMIC);
+   if (!sec)
+   return -ENOMEM;
+   sec->sid = current_sid();
+
+   qp_sec->q_security = sec;
+   return 0;
+}
+
+static void selinux_ib_qp_free_security(struct ib_qp_security *qp_sec)
+{
+   struct ib_security_struct *sec = qp_sec->q_security;
+
+   qp_sec->q_security = NULL;
+   kfree(sec);
+}
+
+static int selinux_ib_mad_agent_alloc_security(struct ib_mad_agent *mad_agent)
+{
+   struct ib_security_struct *sec;
+
+   sec = kzalloc(sizeof(*sec), GFP_ATOMIC);
+   if (!sec)
+   return -ENOMEM;
+   sec->sid = current_sid();
+
+   mad_agent->m_security = sec;
+   return 0;
+}
+
+static void selinux_ib_mad_agent_free_security(struct ib_mad_agent *mad_agent)
+{
+   struct ib_security_struct *sec = mad_agent->m_security;
+
+   mad_agent->m_security = NULL;
+   kfree(sec);
+}
 #endif
 
 static struct security_hook_list selinux_hooks[] = {
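Review bot: Both `kzalloc(sizeof(*sec), GFP_ATOMIC)` calls in selinux_ib_qp_alloc_security and selinux_ib_mad_agent_alloc_security use the atomic allocation flag, which draws on emergency reserves and fails sooner than GFP_KERNEL; unless these hooks are reached from a context that cannot sleep (not visible on this page), `sec = kzalloc(sizeof(*sec), GFP_KERNEL);` is the appropriate choice. The two alloc hooks and the two free hooks are otherwise byte-for-byte duplicates differing only in which `void *` field they touch, so a pair of static helpers taking `void **ib_sec` would keep the labelling rule (`sec->sid = current_sid();`) in one place. A one-line comment stating that the blob is labelled with the SID of the task creating the QP or MAD agent would make that rule explicit.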
@@ -6198,11 +6242,20 @@ static struct security_hook_list selinux_hooks[] = {
LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),
LSM_HOOK_INIT(tun_dev_open, selinux_tun_dev_open),
+
 #ifdef CONFIG_SECURITY_INFINIBAND
LSM_HOOK_INIT(register_ib_flush_callback,
  selinux_register_ib_flush_callback),
LSM_HOOK_INIT(unregister_ib_flush_callback,
  selinux_unregister_ib_flush_callback),
+   LSM_HOOK_INIT(ib_qp_alloc_security,
+ selinux_ib_qp_alloc_security),
+   LSM_HOOK_INIT(ib_qp_free_security,
+ selinux_ib_qp_free_security),
+   LSM_HOOK_INIT(ib_mad_agent_alloc_security,
+ selinux_ib_mad_agent_alloc_security),
+   LSM_HOOK_INIT(ib_mad_agent_free_security,
+ selinux_ib_mad_agent_free_security),
 #endif
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
diff --git a/security/selinux/include/objsec.h 
b/security/selinux/include/objsec.h
index c21e135..8e7db43 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -10,6 +10,7 @@
  *
  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
  *  Copyright (C) 2003 Red Hat, Inc., James Morris 
+ *  Copyright (C) 2016 Mellanox Technologies
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2,
@@ -128,6 +129,10 @@ struct key_security_struct {
u32 sid;/* SID of key */
 };
 
+struct ib_security_struct {
+   u32 sid;/* SID of the queue pair or MAD agent */
+};
+
 extern unsigned int selinux_checkreqprot;
 
 #endif /* _SELINUX_OBJSEC_H_ */
-- 
1.8.3.1


[PATCH 10/12] IB/core: Enforce PKey security on management datagrams

2016-06-23 Thread Dan Jurgens
From: Daniel Jurgens 

Allocate and free a security context when creating and destroying a MAD
agent.  This context is used for controlling access to PKeys.

When sending or receiving a MAD check that the agent has permission to
access the PKey for the Subnet Prefix of the port.

Signed-off-by: Daniel Jurgens 
Reviewed-by: Eli Cohen 
Reviewed-by: Leon Romanovsky 
---
 drivers/infiniband/core/core_priv.h | 13 
 drivers/infiniband/core/mad.c   | 63 -
 drivers/infiniband/core/security.c  | 24 ++
 3 files changed, 93 insertions(+), 7 deletions(-)

diff --git a/drivers/infiniband/core/core_priv.h 
b/drivers/infiniband/core/core_priv.h
index 68e3de0..8ab8d58 100644
--- a/drivers/infiniband/core/core_priv.h
+++ b/drivers/infiniband/core/core_priv.h
@@ -166,6 +166,11 @@ int ib_get_cached_subnet_prefix(struct ib_device *device,
u64  *sn_pfx);
 
 #ifdef CONFIG_SECURITY_INFINIBAND
+int ib_security_ma_pkey_access(struct ib_device *dev,
+  u8 port_num,
+  u16 pkey_index,
+  struct ib_mad_agent *mad_agent);
+
 void ib_security_destroy_port_pkey_list(struct ib_device *device);
 
 void ib_security_cache_change(struct ib_device *device,
@@ -184,6 +189,14 @@ void ib_destroy_qp_security_end(struct ib_qp_security 
*sec);
 int ib_open_shared_qp_security(struct ib_qp *qp, struct ib_device *dev);
 void ib_close_shared_qp_security(struct ib_qp_security *sec);
 #else
+static inline int ib_security_ma_pkey_access(struct ib_device *dev,
+u8 port_num,
+u16 pkey_index,
+struct ib_mad_agent *mad_agent)
+{
+   return 0;
+}
+
 static inline void ib_security_destroy_port_pkey_list(struct ib_device *device)
 {
 }
diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
index 82fb511..975b472 100644
--- a/drivers/infiniband/core/mad.c
+++ b/drivers/infiniband/core/mad.c
@@ -40,9 +40,11 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 
 #include "mad_priv.h"
+#include "core_priv.h"
 #include "mad_rmpp.h"
 #include "smi.h"
 #include "opa_smi.h"
@@ -337,11 +339,17 @@ struct ib_mad_agent *ib_register_mad_agent(struct 
ib_device *device,
goto error1;
}
 
+   ret2 = security_ib_mad_agent_alloc_security(_agent_priv->agent);
+   if (ret2) {
+   ret = ERR_PTR(ret2);
+   goto error3;
+   }
+
if (mad_reg_req) {
reg_req = kmemdup(mad_reg_req, sizeof *reg_req, GFP_KERNEL);
if (!reg_req) {
ret = ERR_PTR(-ENOMEM);
-   goto error3;
+   goto error4;
}
}
 
@@ -384,7 +392,7 @@ struct ib_mad_agent *ib_register_mad_agent(struct ib_device 
*device,
if (method) {
if (method_in_use(,
   mad_reg_req))
-   goto error4;
+   goto error5;
}
}
ret2 = add_nonoui_reg_req(mad_reg_req, mad_agent_priv,
@@ -400,14 +408,14 @@ struct ib_mad_agent *ib_register_mad_agent(struct 
ib_device *device,
if (is_vendor_method_in_use(
vendor_class,
mad_reg_req))
-   goto error4;
+   goto error5;
}
}
ret2 = add_oui_reg_req(mad_reg_req, mad_agent_priv);
}
if (ret2) {
ret = ERR_PTR(ret2);
-   goto error4;
+   goto error5;
}
}
 
@@ -417,9 +425,11 @@ struct ib_mad_agent *ib_register_mad_agent(struct 
ib_device *device,
 
return _agent_priv->agent;
 
-error4:
+error5:
spin_unlock_irqrestore(_priv->reg_lock, flags);
kfree(reg_req);
+error4:
+   security_ib_mad_agent_free_security(_agent_priv->agent);
 error3:
kfree(mad_agent_priv);
 error1:
@@ -489,6 +499,7 @@ struct ib_mad_agent *ib_register_mad_snoop(struct ib_device 
*device,
struct ib_mad_agent *ret;
struct ib_mad_snoop_private *mad_snoop_priv;
int qpn;
+   int err;
 
/* Validate parameters */
if ((is_snooping_sends(mad_snoop_flags) && !snoop_handler) ||
@@ -513,6 +524,13 @@ struct ib_mad_agent *ib_register_mad_snoop(struct 

[PATCH 08/12] IB/core: IB cache enhancements to support Infiniband security

2016-06-23 Thread Dan Jurgens
From: Daniel Jurgens 

Cache the subnet prefix and add a function to access it. Enforcing
security requires frequent queries of the subnet prefix and the pkeys in
the pkey table.

Also removed an unneeded pr_warn about memory allocation failure.

Signed-off-by: Daniel Jurgens 
Reviewed-by: Eli Cohen 
Reviewed-by: Leon Romanovsky 
---
 drivers/infiniband/core/cache.c | 35 +--
 drivers/infiniband/core/core_priv.h |  3 +++
 include/rdma/ib_verbs.h |  1 +
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
index c2e257d..4894e21 100644
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -926,6 +926,25 @@ int ib_get_cached_pkey(struct ib_device *device,
 }
 EXPORT_SYMBOL(ib_get_cached_pkey);
 
+int ib_get_cached_subnet_prefix(struct ib_device *device,
+   u8port_num,
+   u64  *sn_pfx)
+{
+   unsigned long flags;
+   int p = port_num - rdma_start_port(device);
+
+   if (port_num < rdma_start_port(device) ||
+   port_num > rdma_end_port(device))
+   return -EINVAL;
+
+   read_lock_irqsave(>cache.lock, flags);
+   *sn_pfx = device->cache.subnet_prefix_cache[p];
+   read_unlock_irqrestore(>cache.lock, flags);
+
+   return 0;
+}
+EXPORT_SYMBOL(ib_get_cached_subnet_prefix);
+
 int ib_find_cached_pkey(struct ib_device *device,
u8port_num,
u16   pkey,
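Review bot: In ib_get_cached_subnet_prefix the index `p = port_num - rdma_start_port(device)` is computed before the range check that validates `port_num`; it is not used until after the check, so this is not a bug today, but moving the computation below the `-EINVAL` return keeps the unchecked value from ever existing. Since the function is exported, a kernel-doc block giving the port range contract and the `-EINVAL` return would match the neighbouring cache accessors; whether `subnet_prefix_cache` can be NULL at this point depends on the setup ordering, which is outside the hunk.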
@@ -1102,6 +1121,8 @@ static void ib_cache_update(struct ib_device *device,
 
device->cache.lmc_cache[port - rdma_start_port(device)] = tprops->lmc;
 
+   device->cache.subnet_prefix_cache[port - rdma_start_port(device)] =
+   tprops->subnet_prefix;
write_unlock_irq(>cache.lock);
 
kfree(gid_cache);
@@ -1160,9 +1181,18 @@ int ib_cache_setup_one(struct ib_device *device)
  (rdma_end_port(device) -
   rdma_start_port(device) + 1),
  GFP_KERNEL);
+
+   device->cache.subnet_prefix_cache = kcalloc((rdma_end_port(device) -
+rdma_start_port(device) + 
1),
+   
sizeof(*device->cache.subnet_prefix_cache),
+   GFP_KERNEL);
+
if (!device->cache.pkey_cache ||
-   !device->cache.lmc_cache) {
-   pr_warn("Couldn't allocate cache for %s\n", device->name);
+   !device->cache.lmc_cache ||
+   !device->cache.subnet_prefix_cache) {
+   kfree(device->cache.pkey_cache);
+   kfree(device->cache.lmc_cache);
+   kfree(device->cache.subnet_prefix_cache);
return -ENOMEM;
}
 
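Review bot: The new failure path in ib_cache_setup_one frees `pkey_cache`, `lmc_cache` and `subnet_prefix_cache` but leaves the freed pointers stored in `device->cache`, and ib_cache_release_one (the next hunk) frees those same three pointers; if any caller runs the release path after a failed setup, that is a double free. Either reset them, `device->cache.pkey_cache = NULL;` and likewise for the other two, or leave the cleanup to ib_cache_release_one and keep this path as a bare `return -ENOMEM;`. The commit message only mentions dropping the pr_warn, so the added frees deserve a sentence there too.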
@@ -1205,6 +1235,7 @@ void ib_cache_release_one(struct ib_device *device)
gid_table_release_one(device);
kfree(device->cache.pkey_cache);
kfree(device->cache.lmc_cache);
+   kfree(device->cache.subnet_prefix_cache);
 }
 
 void ib_cache_cleanup_one(struct ib_device *device)
diff --git a/drivers/infiniband/core/core_priv.h 
b/drivers/infiniband/core/core_priv.h
index 19d499d..ce826e4 100644
--- a/drivers/infiniband/core/core_priv.h
+++ b/drivers/infiniband/core/core_priv.h
@@ -153,4 +153,7 @@ int ib_nl_handle_set_timeout(struct sk_buff *skb,
 int ib_nl_handle_ip_res_resp(struct sk_buff *skb,
 struct netlink_callback *cb);
 
+int ib_get_cached_subnet_prefix(struct ib_device *device,
+   u8port_num,
+   u64  *sn_pfx);
 #endif /* _CORE_PRIV_H */
diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
index e522acb..c00b6b1 100644
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -1637,6 +1637,7 @@ struct ib_cache {
struct ib_pkey_cache  **pkey_cache;
struct ib_gid_table   **gid_cache;
u8 *lmc_cache;
+   u64*subnet_prefix_cache;
 };
 
 struct ib_dma_mapping_ops {
-- 
1.8.3.1



[PATCH 02/12] selinux: Create policydb version for Infiniband support

2016-06-23 Thread Dan Jurgens
From: Daniel Jurgens 

Support for Infiniband requires the addition of two new object contexts,
one for Infiniband PKeys and another for IB End Ports.  Added handlers to read
and write the new ocontext types when reading or writing a binary policy
representation.

Signed-off-by: Daniel Jurgens 
Reviewed-by: Eli Cohen 
---
 security/selinux/include/security.h |   3 +-
 security/selinux/ss/policydb.c  | 129 +++-
 security/selinux/ss/policydb.h  |  27 +---
 3 files changed, 135 insertions(+), 24 deletions(-)

diff --git a/security/selinux/include/security.h 
b/security/selinux/include/security.h
index 38feb55..a7e6ed2 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -36,13 +36,14 @@
 #define POLICYDB_VERSION_DEFAULT_TYPE  28
 #define POLICYDB_VERSION_CONSTRAINT_NAMES  29
 #define POLICYDB_VERSION_XPERMS_IOCTL  30
+#define POLICYDB_VERSION_INFINIBAND31
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX   
CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_XPERMS_IOCTL
+#define POLICYDB_VERSION_MAX   POLICYDB_VERSION_INFINIBAND
 #endif
 
 /* Mask for just the mount related flags */
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 992a315..78b819c 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -17,6 +17,11 @@
  *
  *  Added support for the policy capability bitmap
  *
+ * Update: Mellanox Techonologies
+ *
+ * Added Infiniband support
+ *
+ * Copyright (C) 2016 Mellanox Techonologies
  * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.
  * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
  * Copyright (C) 2003 - 2004 Tresys Technology, LLC
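Review bot: "Techonologies" is misspelled in both added comment lines of this header block (the "Update:" line and the "Copyright (C) 2016" line); it should read `Mellanox Technologies`, matching the spelling used in the hooks.c and objsec.h copyright lines elsewhere in this series.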
@@ -76,81 +81,86 @@ static struct policydb_compat_info policydb_compat[] = {
{
.version= POLICYDB_VERSION_BASE,
.sym_num= SYM_NUM - 3,
-   .ocon_num   = OCON_NUM - 1,
+   .ocon_num   = OCON_NUM - 3,
},
{
.version= POLICYDB_VERSION_BOOL,
.sym_num= SYM_NUM - 2,
-   .ocon_num   = OCON_NUM - 1,
+   .ocon_num   = OCON_NUM - 3,
},
{
.version= POLICYDB_VERSION_IPV6,
.sym_num= SYM_NUM - 2,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_NLCLASS,
.sym_num= SYM_NUM - 2,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_MLS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_AVTAB,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_RANGETRANS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_POLCAP,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_PERMISSIVE,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_BOUNDARY,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_FILENAME_TRANS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_ROLETRANS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
.sym_num= SYM_NUM,
-   .ocon_num   = OCON_NUM,
+   .ocon_num   = OCON_NUM - 2,
},
{
.version= 

Re: New rules on restrict kernel module loading

2016-06-23 Thread Stephen Smalley
On 06/22/2016 03:02 PM, Jeffrey Vander Stoep wrote:
> selinux@tycho.nsa.gov  to bcc
> 
> Hi Ravi,
> 
> The intent is not to restrict which processes may load modules, but to
> place restrictions on the origin of the module itself. Modules, like the
> kernel, should live on a verity protected partition.
> 
> If you want system apps to load a kernel module from the system
> partition you just need to add an allow rule. e.g.
> 
> # system_app loads /system/lib/module/wlan.ko
> allow system_app system_file:system module_load;
> 
> Similar rules may be added for platform_app or system_server. 

Actually, that probably won't work for any app domains, as they can't
pass the sys_module capability check.  So hopefully you only truly need
it for system_server.





Re: New rules on restrict kernel module loading

2016-06-23 Thread Stephen Smalley
On 06/23/2016 01:01 PM, Ravi Kumar wrote:
> Hi Jeffrey,
> I tried to do the same , 
> added the allow rule in system_server as 
> / allow system_server system_file:system module_load;/
> 
> But I am still seeing an issue, as wlan.ko is a symlink as below:
> wlan.ko -> /system/lib/modules/vendor_wlan.ko 
> 
> Wlan.ko   or  vendor_wlan.ko are with   u:object_r:system_file:s0
> 
> But still  i see there is some issue where it show up this denial .
> 
> W WifiStateMachin: type=1400 audit(0.0:2074): avc: denied { module_load
> } for scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0
> tclass=system permissive=0
> in the above denial  i see the tcontext as system_server.
> 
> I have not debugged this much yet but will do; it looks like there is something
> which we are missing.

hardware/libhardware_legacy/wifi/wifi.c needs to be updated to use
open() + finit_module() rather than load_file() + init_module().

And bionic needs to export finit_module?





Re: [PATCH] libselinux: compare absolute pathname in matchpathcon -V

2016-06-23 Thread Stephen Smalley
On 06/20/2016 10:10 AM, Petr Lautrbach wrote:
> filepath needs to be resolved first in order to be correctly found by
> selabel_lookup_raw()
> 
> Fixes:
> $ matchpathcon -V passwd
> passwd has context system_u:object_r:passwd_file_t:s0, should be
> system_u:object_r:passwd_file_t:s0
> 
> $ echo $?
> 1
> 
> Signed-off-by: Petr Lautrbach 

Thanks, applied.

> ---
>  libselinux/src/matchpathcon.c | 11 +++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
> index 3868711..a2f2c3e 100644
> --- a/libselinux/src/matchpathcon.c
> +++ b/libselinux/src/matchpathcon.c
> @@ -471,6 +471,17 @@ int selinux_file_context_verify(const char *path, mode_t 
> mode)
>   char * con = NULL;
>   char * fcontext = NULL;
>   int rc = 0;
> + char stackpath[PATH_MAX + 1];
> + char *p = NULL;
> +
> + if (S_ISLNK(mode)) {
> + if (!realpath_not_final(path, stackpath))
> + path = stackpath;
> + } else {
> + p = realpath(path, stackpath);
> + if (p)
> + path = p;
> + }
>  
>   rc = lgetfilecon_raw(path, );
>   if (rc == -1) {
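Review bot: The non-symlink branch in selinux_file_context_verify introduces `p` only to hold realpath's return before copying it into `path`, which makes the two branches read differently for the same fallback; `if (realpath(path, stackpath)) path = stackpath;` drops the extra local and mirrors the `S_ISLNK` branch. The fallback to the unresolved `path` on failure is silent in both branches, so a one-line comment such as `/* on resolution failure keep the caller's path; lgetfilecon_raw reports the error */` would record that this is intentional. The rest of the function is outside the hunk.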
> 



Re: [PATCH] libselinux: add selinux_snapperd_contexts_path()

2016-06-23 Thread Stephen Smalley
On 06/20/2016 07:09 AM, Petr Lautrbach wrote:
> Snapper needs a way how to set a proper selinux context on btrfs
> subvolumes originating in snapshot create command. Fs can't handle it on
> its own so snapper will enforce .snapshots subvolume relabeling
> according to a file returned by selinux_snapperd_contexts_path().
> 
> The format of the file will be similar to other contexts file:
> 
> snapperd_data = system_u:object_r:snapperd_data_t:s0
> 
> Fixes:
> https://bugzilla.redhat.com/show_bug.cgi?id=1247530
> https://bugzilla.redhat.com/show_bug.cgi?id=1247532

Thanks, applied.  I would recommend that a bug be opened against the
kernel / btrfs about the fact that the inodes are initially unlabeled,
as otherwise snapper will always need permissions to relabel unlabeled
files and generally we would prefer that unlabeled be inaccessible.

> 
> Signed-off-by: Petr Lautrbach 
> ---
>  libselinux/include/selinux/selinux.h |  1 +
>  libselinux/src/file_path_suffixes.h  |  1 +
>  libselinux/src/selinux_config.c  | 10 +-
>  libselinux/src/selinux_internal.h|  1 +
>  4 files changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/libselinux/include/selinux/selinux.h 
> b/libselinux/include/selinux/selinux.h
> index 2262086..3d8673f 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -544,6 +544,7 @@ extern const char *selinux_lxc_contexts_path(void);
>  extern const char *selinux_x_context_path(void);
>  extern const char *selinux_sepgsql_context_path(void);
>  extern const char *selinux_openssh_contexts_path(void);
> +extern const char *selinux_snapperd_contexts_path(void);
>  extern const char *selinux_systemd_contexts_path(void);
>  extern const char *selinux_contexts_path(void);
>  extern const char *selinux_securetty_types_path(void);
> diff --git a/libselinux/src/file_path_suffixes.h 
> b/libselinux/src/file_path_suffixes.h
> index d1f9b48..95b228b 100644
> --- a/libselinux/src/file_path_suffixes.h
> +++ b/libselinux/src/file_path_suffixes.h
> @@ -24,6 +24,7 @@ S_(BINPOLICY, "/policy/policy")
>  S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
>  S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
>  S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")
> +S_(SNAPPERD_CONTEXTS, "/contexts/snapperd_contexts")
>  S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
>  S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
>  S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
> diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
> index bec5f3b..c519a77 100644
> --- a/libselinux/src/selinux_config.c
> +++ b/libselinux/src/selinux_config.c
> @@ -50,7 +50,8 @@
>  #define BOOLEAN_SUBS  27
>  #define OPENSSH_CONTEXTS  28
>  #define SYSTEMD_CONTEXTS  29
> -#define NEL   30
> +#define SNAPPERD_CONTEXTS 30
> +#define NEL   31
>  
>  /* Part of one-time lazy init */
>  static pthread_once_t once = PTHREAD_ONCE_INIT;
> @@ -499,6 +500,13 @@ const char *selinux_openssh_contexts_path(void)
>  
>  hidden_def(selinux_openssh_contexts_path)
>  
> +const char *selinux_snapperd_contexts_path(void)
> +{
> +return get_path(SNAPPERD_CONTEXTS);
> +}
> +
> +hidden_def(selinux_snapperd_contexts_path)
> +
>  const char *selinux_systemd_contexts_path(void)
>  {
>   return get_path(SYSTEMD_CONTEXTS);
> diff --git a/libselinux/src/selinux_internal.h 
> b/libselinux/src/selinux_internal.h
> index 46566f6..9b9145c 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
> @@ -84,6 +84,7 @@ hidden_proto(selinux_mkload_policy)
>  hidden_proto(selinux_x_context_path)
>  hidden_proto(selinux_sepgsql_context_path)
>  hidden_proto(selinux_openssh_contexts_path)
> +hidden_proto(selinux_snapperd_contexts_path)
>  hidden_proto(selinux_systemd_contexts_path)
>  hidden_proto(selinux_path)
>  hidden_proto(selinux_check_passwd_access)
> 



Re: [PATCH] checkpolicy: Fix typos in test/dispol

2016-06-23 Thread Stephen Smalley
On 06/20/2016 07:50 AM, Petr Lautrbach wrote:
> Reported-By: Milos Malik 
> Signed-off-by: Petr Lautrbach 
> ---
>  checkpolicy/test/dispol.c | 8 
>  1 file changed, 4 insertions(+), 4 deletions(-)

Thanks, applied.

> 
> diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
> index 86f5688..a78ce81 100644
> --- a/checkpolicy/test/dispol.c
> +++ b/checkpolicy/test/dispol.c
> @@ -252,11 +252,11 @@ int display_cond_expressions(policydb_t * p, FILE * fp)
>  int display_handle_unknown(policydb_t * p, FILE * out_fp)
>  {
>   if (p->handle_unknown == ALLOW_UNKNOWN)
> - fprintf(out_fp, "Allow unknown classes and permisions\n");
> + fprintf(out_fp, "Allow unknown classes and permissions\n");
>   else if (p->handle_unknown == DENY_UNKNOWN)
> - fprintf(out_fp, "Deny unknown classes and permisions\n");
> + fprintf(out_fp, "Deny unknown classes and permissions\n");
>   else if (p->handle_unknown == REJECT_UNKNOWN)
> - fprintf(out_fp, "Reject unknown classes and permisions\n");
> + fprintf(out_fp, "Reject unknown classes and permissions\n");
>   return 0;
>  }
>  
> @@ -349,7 +349,7 @@ int menu(void)
>   printf("\nSelect a command:\n");
>   printf("1)  display unconditional AVTAB\n");
>   printf("2)  display conditional AVTAB (entirely)\n");
> - printf("3)  display conditional AVTAG (only ENABLED rules)\n");
> + printf("3)  display conditional AVTAB (only ENABLED rules)\n");
>   printf("4)  display conditional AVTAB (only DISABLED rules)\n");
>   printf("5)  display conditional bools\n");
>   printf("6)  display conditional expressions\n");
> 



Re: [PATCH 2/2] libselinux: man: Clarify is_selinux_mls_enabled() description

2016-06-23 Thread Stephen Smalley
On 06/20/2016 11:41 AM, Petr Lautrbach wrote:
> From: David King 
> 
> Improve the description by mentioning that if is_selinux_mls_enabled(),
> it simply means that the kernel has MLS support and the policy contains
> MLS features. To check whether MLS support is enabled on the running
> system, use selinux_getpolicytype().
> 
> Signed-off-by: David King 

Thanks, applied both.

> ---
>  libselinux/man/man3/is_selinux_enabled.3 | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/libselinux/man/man3/is_selinux_enabled.3 
> b/libselinux/man/man3/is_selinux_enabled.3
> index b2df562..df62c22 100644
> --- a/libselinux/man/man3/is_selinux_enabled.3
> +++ b/libselinux/man/man3/is_selinux_enabled.3
> @@ -18,7 +18,9 @@ returns 1 if SELinux is running or 0 if it is not.
>  On error, \-1 is returned.
>  
>  .BR is_selinux_mls_enabled ()
> -returns 1 if SELinux is running in MLS mode or 0 if it is not. 
> +returns 1 if SELinux is capable of running in MLS mode or 0 if it is not. To
> +determine the policy in use on the system, use
> +.BR selinux_getpolicytype (3).
>  .
>  .SH "SEE ALSO"
>  .BR selinux "(8)"
> 



Re: New rules on restrict kernel module loading

2016-06-23 Thread Ravi Kumar
Hi Jeffrey,
I tried to do the same ,
added the allow rule in system_server as
* allow system_server system_file:system module_load;*

But I am still seeing an issue, as wlan.ko is a symlink as below:
wlan.ko -> /system/lib/modules/vendor_wlan.ko

Wlan.ko   or  vendor_wlan.ko are with   u:object_r:system_file:s0

But still  i see there is some issue where it show up this denial .

W WifiStateMachin: type=1400 audit(0.0:2074): avc: denied { module_load }
for scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0
tclass=system permissive=0
in the above denial  i see the tcontext as system_server.

I have not debugged this much yet but will do; it looks like there is something
which we are missing.

Regards,
Ravi


On Thu, Jun 23, 2016 at 12:32 AM, Jeffrey Vander Stoep 
wrote:

> selinux@tycho.nsa.gov to bcc
>
> Hi Ravi,
>
> The intent is not to restrict which processes may load modules, but to
> place restrictions on the origin of the module itself. Modules, like the
> kernel, should live on a verity protected partition.
>
> If you want system apps to load a kernel module from the system partition
> you just need to add an allow rule. e.g.
>
> # system_app loads /system/lib/module/wlan.ko
> allow system_app system_file:system module_load;
>
> Similar rules may be added for platform_app or system_server.
>
> On Wed, Jun 22, 2016 at 10:43 AM Ravi Kumar  wrote:
>
>> Hi team ,
>>
>> I see some new changes  both in kernel and sepolicy project on
>> restricting the load of kernel module  .
>>
>> https://android-review.googlesource.com/#/c/213758/ -- kernel change  on
>> check for moudle_load request  by Jeff
>> https://android-review.googlesource.com/#/c/214021/-- sepolicy change
>> adding the neverallow  on module_load request  by Jeff .
>>
>> As most SoC/OEM vendors have their own kernel modules (KOs), which are loaded
>> on run-time detection and mostly run in system_app/system_server/platform_app,
>> are there any special guidelines here?
>>
>> As an good example  wlan.ko  .
>>
>>
>> Regard,
>> Ravi
>
>