[PATCH v3 7/9] selinux: Implement Infiniband PKey "Access" access vector

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Add a type and access vector for PKeys. Implement the ib_pkey_access hook to check that the caller has permission to access the PKey on the given subnet prefix. Add an interface to get the PKey SID. Walk the PKey ocontexts to find an entry for the given

[PATCH v3 6/9] selinux: Allocate and free infiniband security hooks

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Implement and attach hooks to allocate and free Infiniband object security structures. Signed-off-by: Daniel Jurgens --- v2: - Use void * blobs for security structs. Paul Moore - Shorten ib_end_port to ib_port. Paul Moore -

[PATCH v3 9/9] selinux: Add a cache for quicker retrieval of PKey SIDs

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens It is likely that the SID for the same PKey will be requested many times. To reduce the time to modify QPs and process MADs use a cache to store PKey SIDs. This code is heavily based on the "netif" and "netport" concept originally developed by James

[PATCH v3 4/9] IB/core: Enforce security on management datagrams

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Allocate and free a security context when creating and destroying a MAD agent. This context is used for controlling access to PKeys and sending and receiving SMPs. When sending or receiving a MAD check that the agent has permission to access the PKey

[PATCH v3 5/9] selinux: Create policydb version for Infiniband support

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Support for Infiniband requires the addition of two new object contexts, one for infiniband PKeys and another for IB Ports. Added handlers to read and write the new ocontext types when reading or writing a binary policy representation. Signed-off-by:

[PATCH v3 2/9] IB/core: Enforce PKey security on QPs

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Add new LSM hooks to allocate and free security contexts and check for permission to access a PKey. Allocate and free a security context when creating and destroying a QP. This context is used for controlling access to PKeys. When a request is made to

[PATCH v3 3/9] selinux lsm IB/core: Implement LSM notification system

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Add a generic notification mechanism in the LSM. Interested consumers can register a callback with the LSM and security modules can produce events. Because access to Infiniband QPs are enforced in the setup phase of a connection security should be

[PATCH v3 1/9] IB/core: IB cache enhancements to support Infiniband security

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens Cache the subnet prefix and add a function to access it. Enforcing security requires frequent queries of the subnet prefix and the pkeys in the pkey table. Also removed an unneeded pr_warn about memory allocation failure. Signed-off-by: Daniel Jurgens

[PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-07-29 Thread Dan Jurgens
From: Daniel Jurgens The selinux next tree is missing some patches for IB/core. This series applies cleanly to ib-next, and should apply cleanly to selinux-next once the IB patches are merged. Currently there is no way to provide granular access control to an Infiniband

Re: [PATCH] selinux-testsuite: Add test for execstack on thread stacks.

2016-07-29 Thread Paul Moore
On Fri, Jul 29, 2016 at 9:45 AM, Stephen Smalley wrote: > On 07/29/2016 09:39 AM, Paul Moore wrote: >> On Thu, Jul 28, 2016 at 10:43 AM, Stephen Smalley wrote: >>> Test execstack permission checking for thread stacks. >>> The test is conditional on Linux

Re: [PATCH] selinux-testsuite: Add test for execstack on thread stacks.

2016-07-29 Thread Stephen Smalley
On 07/29/2016 09:39 AM, Paul Moore wrote: > On Thu, Jul 28, 2016 at 10:43 AM, Stephen Smalley wrote: >> Test execstack permission checking for thread stacks. >> The test is conditional on Linux >= 4.7. >> >> Signed-off-by: Stephen Smalley >> --- >> Revised

Re: [PATCH] selinux-testsuite: Add test for execstack on thread stacks.

2016-07-29 Thread Paul Moore
On Thu, Jul 28, 2016 at 10:43 AM, Stephen Smalley wrote: > Test execstack permission checking for thread stacks. > The test is conditional on Linux >= 4.7. > > Signed-off-by: Stephen Smalley > --- > Revised to make it conditional on the kernel version in