[PATCH v5 9/9] selinux: Add a cache for quicker retreival of PKey SIDs

2016-11-22 Thread Dan Jurgens 
From: Daniel Jurgens 

It is likely that the SID for the same PKey will be requested many
times. To reduce the time to modify QPs and process MADs use a cache to
store PKey SIDs.

This code is heavily based on the "netif" and "netport" concept
originally developed by James Morris  and Paul Moore
 (see security/selinux/netif.c and
security/selinux/netport.c for more information)

Signed-off-by: Daniel Jurgens 

---
v2:
- Renamed the files to ibpkey. Paul Moore
- Fixed a braket indentation mismatch in sel_pkey_find. Yuval Shaia
- Change spin_lock_bh to spin_lock_irqsave to resolve HARDIRQ lockdep
  warning.  Dan Jurgens
---
 security/selinux/Makefile |   2 +-
 security/selinux/hooks.c  |   7 +-
 security/selinux/ibpkey.c | 245 ++
 security/selinux/include/ibpkey.h |  31 +
 security/selinux/include/objsec.h |   6 +
 5 files changed, 288 insertions(+), 3 deletions(-)
 create mode 100644 security/selinux/ibpkey.c
 create mode 100644 security/selinux/include/ibpkey.h

diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index 3411c33..ff5895e 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -5,7 +5,7 @@
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
 
 selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
-netnode.o netport.o exports.o \
+netnode.o netport.o ibpkey.o exports.o \
 ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
 ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0954dfe..2fe4320 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -90,6 +90,7 @@
 #include "netif.h"
 #include "netnode.h"
 #include "netport.h"
+#include "ibpkey.h"
 #include "xfrm.h"
 #include "netlabel.h"
 #include "audit.h"
@@ -173,8 +174,10 @@ static int selinux_netcache_avc_callback(u32 event)
 
 static int selinux_lsm_notifier_avc_callback(u32 event)
 {
-   if (event == AVC_CALLBACK_RESET)
+   if (event == AVC_CALLBACK_RESET) {
+   sel_pkey_flush();
call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
+   }
 
return 0;
 }
@@ -6094,7 +6097,7 @@ static int selinux_ib_pkey_access(void *ib_sec, u64 
subnet_prefix, u16 pkey_val)
struct ib_security_struct *sec = ib_sec;
struct lsm_pkey_audit pkey;
 
-   err = security_pkey_sid(subnet_prefix, pkey_val, &sid);
+   err = sel_pkey_sid(subnet_prefix, pkey_val, &sid);
 
if (err)
return err;
diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c
new file mode 100644
index 000..6e52c54
--- /dev/null
+++ b/security/selinux/ibpkey.c
@@ -0,0 +1,245 @@
+/*
+ * Pkey table
+ *
+ * SELinux must keep a mapping of Infinband PKEYs to labels/SIDs.  This
+ * mapping is maintained as part of the normal policy but a fast cache is
+ * needed to reduce the lookup overhead.
+ *
+ * This code is heavily based on the "netif" and "netport" concept originally
+ * developed by
+ * James Morris  and
+ * Paul Moore 
+ *   (see security/selinux/netif.c and security/selinux/netport.c for more
+ *   information)
+ *
+ */
+
+/*
+ * (c) Mellanox Technologies, 2016
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ */
+
+#include 
+#include 
+#include 
+#include 
+
+#include "ibpkey.h"
+#include "objsec.h"
+
+#define SEL_PKEY_HASH_SIZE   256
+#define SEL_PKEY_HASH_BKT_LIMIT   16
+
+struct sel_pkey_bkt {
+   int size;
+   struct list_head list;
+};
+
+struct sel_pkey {
+   struct pkey_security_struct psec;
+   struct list_head list;
+   struct rcu_head rcu;
+};
+
+static LIST_HEAD(sel_pkey_list);
+static DEFINE_SPINLOCK(sel_pkey_lock);
+static struct sel_pkey_bkt sel_pkey_hash[SEL_PKEY_HASH_SIZE];
+
+/**
+ * sel_pkey_hashfn - Hashing function for the pkey table
+ * @pkey: pkey number
+ *
+ * Description:
+ * This is the hashing function for the pkey table, it returns the bucket
+ * number for the given pkey.
+ *
+ */
+static unsigned int sel_pkey_hashfn(u16 pkey)
+{
+   return (pkey & (SEL_PKEY_HASH_SIZE - 1));
+}
+
+/**
+ * sel_pkey_find - Search for a pkey record
+ * @subnet_prefix: subnet_prefix
+ * @pkey_num: pkey_num
+ *
+ * Description:
+ * Search the pkey table and return the matching record.  If an entry
+ * can not be found in the table return NULL.
+ *
+ */
+static struct sel_pkey *sel_pkey_find(u64 subnet_prefix, u16 pkey_num)
+{
+   unsigned int idx;
+   struct sel_pkey *pkey;
+
+   idx = s

Re: [PATCH v5 9/9] selinux: Add a cache for quicker retreival of PKey SIDs

2016-11-23 Thread Daniel Jurgens 
On 11/22/2016 4:53 PM, James Morris wrote:
> On Tue, 22 Nov 2016, Dan Jurgens wrote:
>
>> +static int sel_pkey_sid_slow(u64 subnet_prefix, u16 pkey_num, u32 *sid)
>> +{
>> +int ret = -ENOMEM;
>> +struct sel_pkey *pkey;
>> +struct sel_pkey *new = NULL;
>> +unsigned long flags;
>> +
>> +spin_lock_irqsave(&sel_pkey_lock, flags);
>> +pkey = sel_pkey_find(subnet_prefix, pkey_num);
>> +if (pkey) {
>> +*sid = pkey->psec.sid;
>> +spin_unlock_irqrestore(&sel_pkey_lock, flags);
>> +return 0;
>> +}
>> +
>> +ret = security_pkey_sid(subnet_prefix, pkey_num, sid);
>> +if (ret != 0)
>> +goto out;
>> +
>> +new = kzalloc(sizeof(*new), GFP_ATOMIC);
>> +if (!new)
>> +goto out;
>> +
>> +new->psec.subnet_prefix = subnet_prefix;
>> +new->psec.pkey = pkey_num;
>> +new->psec.sid = *sid;
>> +sel_pkey_insert(new);
>> +
>> +out:
>> +spin_unlock_irqrestore(&sel_pkey_lock, flags);
>> +if (unlikely(ret))
>> +kfree(new);
>> +
>> +return ret;
> The error handling is messed up here.
>
> You'll return 0 on kzalloc failure.
>
> Also, if security_pkey_sid fails, you'll attempt to kfree 'new', and you 
> don't need an unlikely() in a slow path.
>
>
Right.  I'll remove the if/kfree in the out path completely.  There's no way 
ret becomes non-zero after the kzalloc.  If the kzalloc fails I'll still have 
it return 0, the SID retrieved is valid, it just won't be added the cache so 
returning with an error is overkill.

Thank you for your review.


___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.