
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/flask/, policy/modules/roles/, policy/modules/kernel/, /, support/
Date: Thu, 25 May 2017 17:08:37
Message-Id: 1495729949.51ed8963a91ca0cf0263995205ce5e7ca47d53c2.perfinion@gentoo
1 commit: 51ed8963a91ca0cf0263995205ce5e7ca47d53c2
2 Author: Daniel Jurgens <danielj <AT> mellanox <DOT> com>
3 AuthorDate: Wed May 24 14:14:59 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu May 25 16:32:29 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51ed8963
7
8 refpolicy: Infiniband pkeys and endports
9
10 Every Infiniband network will have a default pkey, so that is labeled.
11 The rest of the pkey configuration is network specific. The policy allows
12 access to the default and unlabeled pkeys for sysadm and staff users.
13 kernel_t is allowed access to all pkeys, which it needs to process and
14 route management datagrams.
15
16 Endports are all unlabeled by default; sysadm users are allowed to
17 manage the subnet on unlabeled endports. kernel_t is allowed to manage
18 the subnet on all ibendports, which is required for configuring the HCA.
19
20 This patch requires selinux series: "SELinux user space support for
21 Infiniband RDMA", due to the new ipkeycon labeling mechanism.
22
23 Signed-off-by: Daniel Jurgens <danielj <AT> mellanox.com>
24
25 Makefile | 2 +-
26 Rules.modular | 2 +
27 Rules.monolithic | 2 +
28 policy/flask/access_vectors | 10 +++
29 policy/flask/security_classes | 4 ++
30 policy/modules/kernel/corenetwork.if.in | 118 ++++++++++++++++++++++++++++++++
31 policy/modules/kernel/corenetwork.if.m4 | 64 +++++++++++++++++
32 policy/modules/kernel/corenetwork.te.in | 8 +++
33 policy/modules/kernel/corenetwork.te.m4 | 26 +++++++
34 policy/modules/kernel/kernel.if | 37 ++++++++++
35 policy/modules/kernel/kernel.te | 5 ++
36 policy/modules/roles/staff.te | 1 +
37 policy/modules/roles/sysadm.te | 3 +
38 support/comment_move_decl.sed | 2 +-
39 14 files changed, 282 insertions(+), 2 deletions(-)
40
41 diff --git a/Makefile b/Makefile
42 index ed3453e0..89387367 100644
43 --- a/Makefile
44 +++ b/Makefile
45 @@ -372,7 +372,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke
46 @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
47 @echo "#" >> $@
48 $(verbose) cat $@.in >> $@
49 - $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
50 + $(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \
51 | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
52 | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
53
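Review bot: In the rewritten grep pattern the top-level `|` splits the expression into `^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)` and an unanchored `ib_(pkey|endport)\(.*\)`, so the leading anchor applies only to the first alternative and the trailing `\(.*\)` only to the second. As written, any line of corenetwork.te.in that merely contains `ib_pkey(` or `ib_endport(` (a usage comment, for instance) is fed to m4, and a line beginning with `network_port` no longer has to be a call at all. If both alternatives are meant to be anchored macro calls, group them: `$(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?|ib_(pkey|endport))\(.*\)" $< \`. The recipe this line belongs to begins before the hunk.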
54
55 diff --git a/Rules.modular b/Rules.modular
56 index 49d3cca9..331a979d 100644
57 --- a/Rules.modular
58 +++ b/Rules.modular
59 @@ -170,6 +170,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
60 $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
61 $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
62 $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
63 + $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
64 + $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
65
66 $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
67 $(verbose) $(comment_move_decl) $^ > $@
68
69 diff --git a/Rules.monolithic b/Rules.monolithic
70 index ce112d78..80e00821 100644
71 --- a/Rules.monolithic
72 +++ b/Rules.monolithic
73 @@ -150,6 +150,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
74 $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
75 $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
76 $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
77 + $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
78 + $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
79
80 $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
81 $(verbose) $(comment_move_decl) $^ > $@
82
83 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
84 index 7652a313..f20e5c1e 100644
85 --- a/policy/flask/access_vectors
86 +++ b/policy/flask/access_vectors
87 @@ -927,6 +927,16 @@ inherits database
88 set_value
89 }
90
91 +class infiniband_pkey
92 +{
93 + access
94 +}
95 +
96 +class infiniband_endport
97 +{
98 + manage_subnet
99 +}
100 +
101 class db_language
102 inherits database
103 {
104
105 diff --git a/policy/flask/security_classes b/policy/flask/security_classes
106 index 18c4f974..ce3268da 100644
107 --- a/policy/flask/security_classes
108 +++ b/policy/flask/security_classes
109 @@ -139,6 +139,10 @@ class netlink_crypto_socket
110 class x_pointer # userspace
111 class x_keyboard # userspace
112
113 +# Infiniband
114 +class infiniband_pkey
115 +class infiniband_endport
116 +
117 # More Database stuff
118 class db_schema # userspace
119 class db_view # userspace
120
121 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
122 index 4babd24f..46fc4f11 100644
123 --- a/policy/modules/kernel/corenetwork.if.in
124 +++ b/policy/modules/kernel/corenetwork.if.in
125 @@ -3153,3 +3153,121 @@ interface(`corenet_unconfined',`
126
127 typeattribute $1 corenet_unconfined_type;
128 ')
129 +
130 +########################################
131 +## <summary>
132 +## Define type to be an infiniband pkey type
133 +## </summary>
134 +## <desc>
135 +## <p>
136 +## Define type to be an infiniband pkey type
137 +## </p>
138 +## <p>
139 +## This is for supporting third party modules and its
140 +## use is not allowed in upstream reference policy.
141 +## </p>
142 +## </desc>
143 +## <param name="domain">
144 +## <summary>
145 +## Type to be used for infiniband pkeys.
146 +## </summary>
147 +## </param>
148 +#
149 +interface(`corenet_ib_pkey',`
150 + gen_require(`
151 + attribute ibpkey_type;
152 + ')
153 +
154 + typeattribute $1 ibpkey_type;
155 +')
156 +
157 +########################################
158 +## <summary>
159 +## Access unlabeled infiniband pkeys.
160 +## </summary>
161 +## <param name="domain">
162 +## <summary>
163 +## Domain allowed access.
164 +## </summary>
165 +## </param>
166 +#
167 +interface(`corenet_ib_access_unlabeled_pkeys',`
168 + kernel_ib_access_unlabeled_pkeys($1)
169 +')
170 +
171 +########################################
172 +## <summary>
173 +## Access all labeled infiniband pkeys.
174 +## </summary>
175 +## <param name="domain">
176 +## <summary>
177 +## Domain allowed access.
178 +## </summary>
179 +## </param>
180 +#
181 +interface(`corenet_ib_access_all_pkeys',`
182 + gen_require(`
183 + attribute ibpkey_type;
184 + ')
185 +
186 + allow $1 ibpkey_type:infiniband_pkey access;
187 +')
188 +
189 +########################################
190 +## <summary>
191 +## Define type to be an infiniband endport
192 +## </summary>
193 +## <desc>
194 +## <p>
195 +## Define type to be an infiniband endport
196 +## </p>
197 +## <p>
198 +## This is for supporting third party modules and its
199 +## use is not allowed in upstream reference policy.
200 +## </p>
201 +## </desc>
202 +## <param name="domain">
203 +## <summary>
204 +## Type to be used for infiniband endports.
205 +## </summary>
206 +## </param>
207 +#
208 +interface(`corenet_ib_endport',`
209 + gen_require(`
210 + attribute ibendport_type;
211 + ')
212 +
213 + typeattribute $1 ibendport_type;
214 +')
215 +
216 +########################################
217 +## <summary>
218 +## Manage subnets on all labeled Infiniband endports
219 +## </summary>
220 +## <param name="domain">
221 +## <summary>
222 +## Domain allowed access.
223 +## </summary>
224 +## </param>
225 +#
226 +interface(`corenet_ib_manage_subnet_all_endports',`
227 + gen_require(`
228 + attribute ibendport_type;
229 + ')
230 +
231 + allow $1 ibendport_type:infiniband_endport manage_subnet;
232 +')
233 +
234 +########################################
235 +## <summary>
236 +## Manage subnet on all unlabeled Infiniband endports
237 +## </summary>
238 +## <param name="domain">
239 +## <summary>
240 +## Domain allowed access.
241 +## </summary>
242 +## </param>
243 +#
244 +interface(`corenet_ib_manage_subnet_unlabeled_endports',`
245 + kernel_ib_manage_subnet_unlabeled_endports($1)
246 +')
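Review bot: `corenet_ib_access_all_pkeys` and `corenet_ib_manage_subnet_all_endports` grant access but carry no `<infoflow>` tag, whereas the per-pkey and per-endport interfaces generated from corenetwork.if.m4 in this same commit declare `<infoflow type="both" weight="10"/>`; the same gap exists for the two `kernel_ib_*_unlabeled_*` interfaces added to kernel.if. Add `## <infoflow type="both" weight="10"/>` after the `</param>` block of each so the generated documentation and any infoflow analysis treat the IB interfaces consistently. The `corenet_ib_access_unlabeled_pkeys` and `corenet_ib_manage_subnet_unlabeled_endports` wrappers delegate to kernel.if and would take the same tag.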
247
248 diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
249 index 468fb344..fad84ca9 100644
250 --- a/policy/modules/kernel/corenetwork.if.m4
251 +++ b/policy/modules/kernel/corenetwork.if.m4
252 @@ -776,6 +776,48 @@ interface(`corenet_relabelto_$1_packets',`
253 ')
254 '') dnl end create_port_interfaces
255
256 +define(`create_ibpkey_interfaces',``
257 +########################################
258 +## <summary>
259 +## Access the infiniband fabric on the $1 ibpkey.
260 +## </summary>
261 +## <param name="domain">
262 +## <summary>
263 +## Domain allowed access.
264 +## </summary>
265 +## </param>
266 +## <infoflow type="both" weight="10"/>
267 +#
268 +interface(`corenet_ib_access_$1_pkey',`
269 + gen_require(`
270 + $3 $1_$2;
271 + ')
272 +
273 + allow dollarsone $1_$2:infiniband_pkey access;
274 +')
275 +'') dnl end create_ibpkey_interfaces
276 +
277 +define(`create_ibendport_interfaces',``
278 +########################################
279 +## <summary>
280 +## Manage the subnet on $1 ibendport.
281 +## </summary>
282 +## <param name="domain">
283 +## <summary>
284 +## Domain allowed access.
285 +## </summary>
286 +## </param>
287 +## <infoflow type="both" weight="10"/>
288 +#
289 +interface(`corenet_ib_manage_subnet_$1_endport',`
290 + gen_require(`
291 + $3 $1_$2;
292 + ')
293 +
294 + allow dollarsone $1_$2:infiniband_endport manage_subnet;
295 +')
296 +'') dnl end create_ibendport_interfaces
297 +
298 #
299 # create_netif_*_interfaces(linux_interfacename)
300 #
301 @@ -851,3 +893,25 @@ define(`network_packet',`
302 create_packet_interfaces($1_client)
303 create_packet_interfaces($1_server)
304 ')
305 +
306 +# create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity)
307 +# (these wrap create_port_interfaces to handle attributes and types)
308 +define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))')
309 +
310 +#
311 +# ib_pkey(name,subnet_prefix pkeynum mls_sensitivity)
312 +#
313 +define(`ib_pkey',`
314 +create_ibpkey_type_interfaces($*)
315 +')
316 +
317 +# create_ibendport_*_interfaces(name, devname, portnum,mls_sensitivity)
318 +# (these wrap create_port_interfaces to handle attributes and types)
319 +define(`create_ibendport_type_interfaces',`create_ibendport_interfaces($1,ibendport_t,type,determine_reserved_capability(shift($*)))')
320 +
321 +#
322 +# ib_endport(name,device_name, portnum mls_sensitivity)
323 +#
324 +define(`ib_endport',`
325 +create_ibendport_type_interfaces($*)
326 +')
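Review bot: The comments above `create_ibpkey_type_interfaces` and `create_ibendport_type_interfaces` say they wrap `create_port_interfaces`, but they wrap `create_ibpkey_interfaces` and `create_ibendport_interfaces`, and the fourth argument they pass, `determine_reserved_capability(shift($*))`, is never referenced by those macros — only `$1`, `$2` and `$3` are used in the first hunk of this file. It looks like a leftover from the port template; presumably it is a port-number check with no meaning for a subnet prefix or device name. Either drop it, `define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type)')` and the same for the endport macro, or state in the comment why it is passed. The comment lines should then read `# (these wrap create_ibpkey_interfaces to handle attributes and types)` and the endport equivalent.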
327
328 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
329 index b3db0139..dbe009c8 100644
330 --- a/policy/modules/kernel/corenetwork.te.in
331 +++ b/policy/modules/kernel/corenetwork.te.in
332 @@ -16,6 +16,8 @@ attribute port_type;
333 attribute reserved_port_type;
334 attribute rpc_port_type;
335 attribute server_packet_type;
336 +attribute ibpkey_type;
337 +attribute ibendport_type;
338 # This is an optimization for { port_type -reserved_port_type }
339 attribute unreserved_port_type;
340
341 @@ -364,3 +366,9 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
342 # Bind to any network address.
343 allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
344 allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
345 +
346 +# Infiniband
347 +corenet_ib_access_all_pkeys(corenet_unconfined_type)
348 +corenet_ib_manage_subnet_all_endports(corenet_unconfined_type)
349 +corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type)
350 +corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type)
351
352 diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
353 index 3f6e1688..380e64f3 100644
354 --- a/policy/modules/kernel/corenetwork.te.m4
355 +++ b/policy/modules/kernel/corenetwork.te.m4
356 @@ -111,3 +111,29 @@ define(`network_packet',`
357 type $1_client_packet_t, packet_type, client_packet_type;
358 type $1_server_packet_t, packet_type, server_packet_type;
359 ')
360 +
361 +define(`declare_ibpkeycons',`dnl
362 +ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4)
363 +ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl
364 +')
365 +
366 +#
367 +# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])
368 +#
369 +define(`ib_pkey',`
370 +type $1_ibpkey_t, ibpkey_type;
371 +ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl
372 +')
373 +
374 +define(`declare_ibendportcons',`dnl
375 +ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4)
376 +ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl
377 +')
378 +
379 +#
380 +# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]])
381 +#
382 +define(`ib_endport',`
383 +type $1_ibendport_t, ibendport_type;
384 +ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
385 +')
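Review bot: The usage comment for `ib_pkey` spells its first argument `nam`, and the one for `ib_endport` lacks the comma between `port_num` and `mls_sensitivity`; these comments are the only description of the repeating argument groups that `declare_ibpkeycons` and `declare_ibendportcons` consume four at a time, so they should be exact: `# ib_pkey(name, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])` and `# ib_endport(name, dev_name, port_num, mls_sensitivity [, dev_name, port_num, mls_sensitivity[,...]])`. Note also that the `ifelse` guards test only the first field of each group (`$2`, then `$5` on recursion), so an incomplete trailing group would appear to emit an `ibpkeycon`/`ibendportcon` line with empty fields rather than fail at m4 time; if that is accepted, a sentence in the comment saying so would save the next reader a debugging session.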
386
387 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
388 index cecf5d86..d6705437 100644
389 --- a/policy/modules/kernel/kernel.if
390 +++ b/policy/modules/kernel/kernel.if
391 @@ -3553,3 +3553,40 @@ interface(`kernel_rw_vm_overcommit_sysctl',`
392 kernel_search_vm_sysctl($1)
393 allow $1 sysctl_vm_overcommit_t:file rw_file_perms;
394 ')
395 +
396 +########################################
397 +## <summary>
398 +## Access unlabeled infiniband pkeys.
399 +## </summary>
400 +## <param name="domain">
401 +## <summary>
402 +## Domain allowed access.
403 +## </summary>
404 +## </param>
405 +#
406 +interface(`kernel_ib_access_unlabeled_pkeys',`
407 + gen_require(`
408 + type unlabeled_t;
409 + ')
410 +
411 + allow $1 unlabeled_t:infiniband_pkey access;
412 +')
413 +
414 +########################################
415 +## <summary>
416 +## Manage subnet on unlabeled Infiniband endports.
417 +## </summary>
418 +## <param name="domain">
419 +## <summary>
420 +## Domain allowed access.
421 +## </summary>
422 +## </param>
423 +#
424 +interface(`kernel_ib_manage_subnet_unlabeled_endports',`
425 + gen_require(`
426 + type unlabeled_t;
427 + ')
428 +
429 + allow $1 unlabeled_t:infiniband_endport manage_subnet;
430 +')
431 +
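Review bot: The final added line is an empty line after the closing `')`, which leaves a trailing blank line at the end of kernel.if that the other interface blocks added in this commit do not have; drop it. Both new interfaces grant permissions on `unlabeled_t`, yet the summaries ("unlabeled infiniband pkeys", "unlabeled Infiniband endports") do not say what that set is — presumably every pkey or endport not matched by an `ibpkeycon`/`ibendportcon` statement, which the commit message says is the default for endports. A `<desc>` along the lines of `Access infiniband pkeys that are not covered by any ibpkeycon statement (unlabeled_t).` would make the breadth of the grant explicit for anyone auditing which roles receive it.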
432
433 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
434 index a2869be7..b9ae4b6a 100644
435 --- a/policy/modules/kernel/kernel.te
436 +++ b/policy/modules/kernel/kernel.te
437 @@ -259,6 +259,11 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
438 corenet_raw_send_generic_node(kernel_t)
439 corenet_send_all_packets(kernel_t)
440
441 +corenet_ib_access_all_pkeys(kernel_t)
442 +corenet_ib_access_unlabeled_pkeys(kernel_t)
443 +corenet_ib_manage_subnet_all_endports(kernel_t)
444 +corenet_ib_manage_subnet_unlabeled_endports(kernel_t)
445 +
446 dev_mounton_sysfs(kernel_t)
447 dev_read_sysfs(kernel_t)
448 dev_search_usbfs(kernel_t)
449
450 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
451 index 06e5087c..c19212c1 100644
452 --- a/policy/modules/roles/staff.te
453 +++ b/policy/modules/roles/staff.te
454 @@ -13,6 +13,7 @@ userdom_unpriv_user_template(staff)
455 #
456 # Local policy
457 #
458 +corenet_ib_access_unlabeled_pkeys(staff_t)
459
460 optional_policy(`
461 apache_role(staff_r, staff_t)
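Review bot: `corenet_ib_access_unlabeled_pkeys(staff_t)` sits directly under the `# Local policy` comment header with no separating blank line, unlike the blank-line-separated `optional_policy` block that follows it; insert a blank line after the `#` header. Since this unconditionally gives an unprivileged role access to every pkey not covered by an ibpkeycon statement, consider wrapping it in a `tunable_policy` block so administrators can switch it off on hosts where staff users should not reach the fabric.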
462
463 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
464 index baebc901..aa687f78 100644
465 --- a/policy/modules/roles/sysadm.te
466 +++ b/policy/modules/roles/sysadm.te
467 @@ -46,6 +46,9 @@ selinux_read_policy(sysadm_t)
468 userdom_manage_user_home_dirs(sysadm_t)
469 userdom_home_filetrans_user_home_dir(sysadm_t)
470
471 +corenet_ib_access_unlabeled_pkeys(sysadm_t)
472 +corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
473 +
474 ifdef(`direct_sysadm_daemon',`
475 optional_policy(`
476 init_run_daemon(sysadm_t, sysadm_r)
477
478 diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
479 index 00b94b6a..90813480 100644
480 --- a/support/comment_move_decl.sed
481 +++ b/support/comment_move_decl.sed
482 @@ -6,7 +6,7 @@
483 /optional \{/,/} # end optional/b nextline
484
485 /^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/
486 -/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
487 +/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/
488 /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
489 /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
490 /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/