[PATCH v2 1/9] IB/core: IB cache enhancements to support Infiniband security

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Cache the subnet prefix and add a function to access it. Enforcing security requires frequent queries of the subnet prefix and the pkeys in the pkey table. Also removed an unneeded pr_warn about memory allocation failure. Signed-off-by: Daniel Jurgens Reviewed-by: Eli Cohen

[PATCH v2 0/9] SELinux support for Infiniband RDMA

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens The selinux next tree is missing some patches for IB/core. This series applies cleanly to ib-next, and should apply cleanly to selinux-next once the IB patches are merged. Currently there is no way to provide granular access control to an Infiniband fabric. By providing an

[PATCH v2 3/9] selinux lsm IB/core: Implement LSM notification system

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Add a generic notification mechanism in the LSM. Interested consumers can register a callback with the LSM and security modules can produce events. Because access to Infiniband QPs is enforced in the setup phase of a connection, security should be enforced again if the polic

[PATCH v2 2/9] IB/core: Enforce PKey security on QPs

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Add new LSM hooks to allocate and free security contexts and check for permission to access a PKey. Allocate and free a security context when creating and destroying a QP. This context is used for controlling access to PKeys. When a request is made to modify a QP that chang

[PATCH v2 4/9] IB/core: Enforce security on management datagrams

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Allocate and free a security context when creating and destroying a MAD agent. This context is used for controlling access to PKeys and sending and receiving SMPs. When sending or receiving a MAD check that the agent has permission to access the PKey for the Subnet Prefix o

[PATCH v2 5/9] selinux: Create policydb version for Infiniband support

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Support for Infiniband requires the addition of two new object contexts, one for Infiniband PKeys and another for IB Ports. Added handlers to read and write the new ocontext types when reading or writing a binary policy representation. Signed-off-by: Daniel Jurgens Reviewed-by:

[PATCH v2 6/9] selinux: Allocate and free infiniband security hooks

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Implement and attach hooks to allocate and free Infiniband object security structures. Signed-off-by: Daniel Jurgens --- v2: - Use void * blobs for security structs. Paul Moore - Shorten ib_end_port to ib_port. Paul Moore - Allocate memory for security struct with GFP_KE

[PATCH v2 7/9] selinux: Implement Infiniband PKey "Access" access vector

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Add a type and access vector for PKeys. Implement the ib_pkey_access hook to check that the caller has permission to access the PKey on the given subnet prefix. Add an interface to get the PKey SID. Walk the PKey ocontexts to find an entry for the given subnet prefix and pkey

[PATCH v2 8/9] selinux: Add IB Port SMP access vector

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens Add a type for Infiniband ports and an access vector for subnet management packets. Implement the ib_port_smp hook to check that the caller has permission to send and receive SMPs on the end port specified by the device name and port. Add interface to query the SID for an IB p

[PATCH v2 9/9] selinux: Add a cache for quicker retrieval of PKey SIDs

2016-07-15 Thread Dan Jurgens
From: Daniel Jurgens It is likely that the SID for the same PKey will be requested many times. To reduce the time to modify QPs and process MADs use a cache to store PKey SIDs. This code is heavily based on the "netif" and "netport" concept originally developed by James Morris and Paul Moore (

Re: [PATCH v2 9/9] selinux: Add a cache for quicker retrieval of PKey SIDs

2016-07-15 Thread kbuild test robot
/SELinux-support-for-Infiniband-RDMA/20160715-122805 reproduce: # apt-get install sparse make ARCH=x86_64 allmodconfig make C=1 CF=-D__CHECK_ENDIAN__ sparse warnings: (new ones prefixed by >>) include/linux/compiler.h:232:8: sparse: attribute 'no_sanit

Re: [PATCH v2 3/9] selinux lsm IB/core: Implement LSM notification system

2016-07-15 Thread kbuild test robot
/SELinux-support-for-Infiniband-RDMA/20160715-122805 config: ia64-defconfig (attached as .config) compiler: ia64-linux-gcc (GCC) 4.9.0 reproduce: wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross

Re: [PATCH] security: Use IS_ENABLED() instead of checking for built-in or module

2016-07-15 Thread Javier Martinez Canillas
Hello Paul, On 07/14/2016 06:06 PM, Paul Moore wrote: [snip] > > I think it's a reasonable patch and I'm at that point in the day where > I'm looking for distractions so I just added it to the selinux#next > queue; once the merge window closes I'll rotate this into my next > branch. > Great,

Re: [PATCH] selinux: print leading 0x on ioctlcmd audits

2016-07-15 Thread Paul Moore
On Thu, Jul 14, 2016 at 7:33 PM, William Roberts wrote: > On Thu, Jul 14, 2016 at 4:18 PM, William Roberts wrote: >> On Thu, Jul 14, 2016 at 3:17 PM, Paul Moore wrote: >>> On Thu, Jul 14, 2016 at 3:29 PM, wrote: >>> > From: William Roberts >>> > >>> > ioctlcmd is currently printing hex numbers

Re: [RFC][PATCH 2/2 v2] security: Add task_settimerslack LSM hook

2016-07-15 Thread John Stultz
On Fri, Jul 15, 2016 at 10:51 AM, Nick Kralevich wrote: > On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote: >> As requested, this patch implements a task_settimerslack LSM hook >> so that the /proc//timerslack_ns interface can have finer >> grained security policies applied to it. >> >> Don't

Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements

2016-07-15 Thread John Stultz
On Fri, Jul 15, 2016 at 10:51 AM, Nick Kralevich wrote: > On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote: >> + if (!capable(CAP_SYS_NICE)) >> + return -EPERM; >> + > > Since you're going the LSM route (from your second patch of this Well, you suggested it, so I sent out

Re: [PATCH] selinux: print leading 0x on ioctlcmd audits

2016-07-15 Thread Steve Grubb
On Thursday, July 14, 2016 6:17:32 PM EDT Paul Moore wrote: > Re: [PATCH] selinux: print leading 0x on ioctlcmd audits > From: Paul Moore > To: william.c.robe...@intel.com > CC: selinux@tycho.nsa.gov, seandroid-l...@tycho.nsa.gov, Stephen Smalley > , Me, linux-au...@redhat.com Date:Yes

Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements

2016-07-15 Thread Kees Cook
On Fri, Jul 15, 2016 at 11:42 AM, John Stultz wrote: > On Fri, Jul 15, 2016 at 10:51 AM, Nick Kralevich wrote: >> On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote: >>> + if (!capable(CAP_SYS_NICE)) >>> + return -EPERM; >>> + >> >> Since you're going the LSM route (from you

Re: [PATCH] selinux: print leading 0x on ioctlcmd audits

2016-07-15 Thread Paul Moore
On Fri, Jul 15, 2016 at 2:54 PM, Steve Grubb wrote: > On Thursday, July 14, 2016 6:17:32 PM EDT Paul Moore wrote: >> Re: [PATCH] selinux: print leading 0x on ioctlcmd audits >> From: Paul Moore >> To: william.c.robe...@intel.com >> CC: selinux@tycho.nsa.gov, seandroid-l...@tycho.nsa.gov, Step

RE: [PATCH] selinux: print leading 0x on ioctlcmd audits

2016-07-15 Thread Roberts, William C
> -Original Message- > From: Steve Grubb [mailto:sgr...@redhat.com] > Sent: Friday, July 15, 2016 11:54 AM > To: Paul Moore > Cc: Roberts, William C ; selinux@tycho.nsa.gov; > seandroid-l...@tycho.nsa.gov; Stephen Smalley ; linux- > au...@redhat.com > Subject: Re: [PATCH] selinux: print

RE: [PATCH] selinux: print leading 0x on ioctlcmd audits

2016-07-15 Thread Roberts, William C
> > This is important so that people don't make up new ones that do the > > same thing. The ioctlcmd field name should be recorded. Are there more > > that need documenting? > > Steve/William, one of you want to send a patch/PR for the field dictionary? I'll send it over. __

Re: [PATCH] selinux: print leading 0x on ioctlcmd audits

2016-07-15 Thread Paul Moore
On Fri, Jul 15, 2016 at 3:31 PM, Roberts, William C wrote: > Does this mean then the patch will be applied? As I mentioned earlier, I added it to the SELinux next queue, as soon as the merge window closes (approx two weeks from this weekend) I will rotate the patch into the SELinux next branch.

RE: [PATCH] selinux: print leading 0x on ioctlcmd audits

2016-07-15 Thread Roberts, William C
> -Original Message- > From: Steve Grubb [mailto:sgr...@redhat.com] > Sent: Friday, July 15, 2016 12:42 PM > To: Roberts, William C > Cc: Paul Moore ; William Roberts > ; seandroid-l...@tycho.nsa.gov; > selinux@tycho.nsa.gov; linux-au...@redhat.com > Subject: Re: [PATCH] selinux: print l

[PATCH] field-dictionary: add ioctlcmd

2016-07-15 Thread william . c . roberts
From: William Roberts Per-request ioctlcmd controls were added to SE Linux, however the audit field dictionary was not updated. This patch updates that dictionary. Signed-off-by: William Roberts --- specs/fields/field-dictionary.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/specs/fi

RFC Fuzzing SE Linux interfaces

2016-07-15 Thread Roberts, William C
A quick Google search didn't yield much, nor did a grep of the selinux-testsuite, but is there currently any fuzzing work being done on the selinux interfaces? Also, I noticed that the test suite has some ToDo's and I didn't see tests surrounding ioctlcmd there; are there some implemented?

Re: [PATCH 2/2] policycoreutils: Remove unused autoconf files from po/

2016-07-15 Thread Jason Zaman
On Wed, Jul 13, 2016 at 10:52:49PM +0200, Petr Lautrbach wrote: > None of *.in and POTFILES* files is used in current build process. There is a rule here to generate the Makefile though? Isn't it used once in a while? Aren't we better off updating this makefile? gettext is supposed to honour LINGUAS an