From: Daniel Jurgens
Add a type and access vector for PKeys. Implement the ib_pkey_access
hook to check that the caller has permission to access the PKey on the
given subnet prefix. Add an interface to get the PKey SID. Walk the PKey
ocontexts to find an entry for the given
From: Daniel Jurgens
Implement and attach hooks to allocate and free Infiniband object
security structures.
Signed-off-by: Daniel Jurgens
---
v2:
- Use void * blobs for security structs. Paul Moore
- Shorten ib_end_port to ib_port. Paul Moore
-
From: Daniel Jurgens
It is likely that the SID for the same PKey will be requested many
times. To reduce the time to modify QPs and process MADs use a cache to
store PKey SIDs.
This code is heavily based on the "netif" and "netport" concept
originally developed by James
From: Daniel Jurgens
Allocate and free a security context when creating and destroying a MAD
agent. This context is used for controlling access to PKeys and sending
and receiving SMPs.
When sending or receiving a MAD check that the agent has permission to
access the PKey
From: Daniel Jurgens
Support for Infiniband requires the addition of two new object contexts,
one for infiniband PKeys and another for IB Ports. Added handlers to read
and write the new ocontext types when reading or writing a binary policy
representation.
Signed-off-by:
From: Daniel Jurgens
Add new LSM hooks to allocate and free security contexts and check for
permission to access a PKey.
Allocate and free a security context when creating and destroying a QP.
This context is used for controlling access to PKeys.
When a request is made to
From: Daniel Jurgens
Add a generic notification mechanism in the LSM. Interested consumers
can register a callback with the LSM and security modules can produce
events.
Because access to Infiniband QPs is enforced in the setup phase of a
connection security should be
From: Daniel Jurgens
Cache the subnet prefix and add a function to access it. Enforcing
security requires frequent queries of the subnet prefix and the pkeys in
the pkey table.
Also removed an unneeded pr_warn about memory allocation failure.
Signed-off-by: Daniel Jurgens
From: Daniel Jurgens
The selinux next tree is missing some patches for IB/core. This series
applies cleanly to ib-next, and should apply cleanly to selinux-next once
the IB patches are merged.
Currently there is no way to provide granular access control to an
Infiniband
On Fri, Jul 29, 2016 at 9:45 AM, Stephen Smalley wrote:
> On 07/29/2016 09:39 AM, Paul Moore wrote:
>> On Thu, Jul 28, 2016 at 10:43 AM, Stephen Smalley wrote:
>>> Test execstack permission checking for thread stacks.
>>> The test is conditional on Linux
On 07/29/2016 09:39 AM, Paul Moore wrote:
> On Thu, Jul 28, 2016 at 10:43 AM, Stephen Smalley wrote:
>> Test execstack permission checking for thread stacks.
>> The test is conditional on Linux >= 4.7.
>>
>> Signed-off-by: Stephen Smalley
>> ---
>> Revised
On Thu, Jul 28, 2016 at 10:43 AM, Stephen Smalley wrote:
> Test execstack permission checking for thread stacks.
> The test is conditional on Linux >= 4.7.
>
> Signed-off-by: Stephen Smalley
> ---
> Revised to make it conditional on the kernel version in