-rw-r--r--Makefile2
-rw-r--r--Rules.modular2
-rw-r--r--Rules.monolithic2
-rw-r--r--policy/flask/access_vectors10
-rw-r--r--policy/flask/security_classes4
-rw-r--r--policy/modules/kernel/corenetwork.if.in118
-rw-r--r--policy/modules/kernel/corenetwork.if.m464
-rw-r--r--policy/modules/kernel/corenetwork.te.in8
-rw-r--r--policy/modules/kernel/corenetwork.te.m426
-rw-r--r--policy/modules/kernel/kernel.if37
-rw-r--r--policy/modules/kernel/kernel.te5
-rw-r--r--policy/modules/roles/staff.te1
-rw-r--r--policy/modules/roles/sysadm.te3
-rw-r--r--support/comment_move_decl.sed2
14 files changed, 282 insertions, 2 deletions
diff --git a/Makefile b/Makefile
index ed3453e0a..89387367b 100644
--- a/Makefile
+++ b/Makefile
@@ -372,7 +372,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@
$(verbose) cat $@.in >> $@
- $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+ $(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \
| $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
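Review bot: The extended regex on the added line splits at the top-level `|`, so the `ib_(pkey|endport)` alternative is not anchored to the start of the line and the `network_*` alternative no longer requires the `\(.*\)` argument list; any line of `$<` that merely contains `ib_pkey(` or `ib_endport(` (a comment, for instance) would be extracted and piped into m4. Grouping both alternatives before the shared suffix keeps the original intent: `$(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?|ib_(pkey|endport))\(.*\)" $< \`. This assumes `$(GREP)` runs in extended-regex mode, which the `?` and `|` already present in the old pattern rely on. The recipe's enclosing rule starts before the hunk.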
diff --git a/Rules.modular b/Rules.modular
index 49d3cca91..331a979de 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -170,6 +170,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
$(verbose) $(comment_move_decl) $^ > $@
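Review bot: The two added `ibpkeycon`/`ibendportcon` lines inherit the `|| true` from the existing ocontext lines, which treats a real grep failure (unreadable or missing `all_te_files.conf`, exit status 2) the same as "no match" (exit status 1), so a broken input silently produces a policy without those contexts; the identical hunk in Rules.monolithic has the same property. If tightening is wanted, `... >> $@ || [ $$? -eq 1 ]` keeps the no-match case quiet while still failing the build on a genuine grep error. The order in which these ocontext lines are appended to `all_post.conf` is also significant to the policy compiler, so placing the new ones after `nodecon` as done here looks right, but it is worth confirming against the grammar of the targeted checkpolicy.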
diff --git a/Rules.monolithic b/Rules.monolithic
index ce112d788..80e008213 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -150,6 +150,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
+ $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
$(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
$(verbose) $(comment_move_decl) $^ > $@
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 7652a313f..f20e5c1e9 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -927,6 +927,16 @@ inherits database
set_value
}
+class infiniband_pkey
+{
+ access
+}
+
+class infiniband_endport
+{
+ manage_subnet
+}
+
class db_language
inherits database
{
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 18c4f9748..ce3268da0 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -139,6 +139,10 @@ class netlink_crypto_socket
class x_pointer # userspace
class x_keyboard # userspace
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
# More Database stuff
class db_schema # userspace
class db_view # userspace
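Review bot: The new `infiniband_pkey` and `infiniband_endport` classes only compile and take effect with a kernel and a checkpolicy/libsepol that know the InfiniBand object classes, and nothing in this file records that requirement; the neighbouring classes carry a `# userspace` marker, so a similar one-line hint would fit the file's style. Suggest `# Infiniband (needs kernel and policy-toolchain support for the infiniband object classes)` in place of the bare `# Infiniband` comment.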
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 4babd24f6..46fc4f11d 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -3153,3 +3153,121 @@ interface(`corenet_unconfined',`
typeattribute $1 corenet_unconfined_type;
')
+
+########################################
+## <summary>
+## Define type to be an infiniband pkey type
+## </summary>
+## <desc>
+## <p>
+## Define type to be an infiniband pkey type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for infiniband pkeys.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_pkey',`
+ gen_require(`
+ attribute ibpkey_type;
+ ')
+
+ typeattribute $1 ibpkey_type;
+')
+
+########################################
+## <summary>
+## Access unlabeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_access_unlabeled_pkeys',`
+ kernel_ib_access_unlabeled_pkeys($1)
+')
+
+########################################
+## <summary>
+## Access all labeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_access_all_pkeys',`
+ gen_require(`
+ attribute ibpkey_type;
+ ')
+
+ allow $1 ibpkey_type:infiniband_pkey access;
+')
+
+########################################
+## <summary>
+## Define type to be an infiniband endport
+## </summary>
+## <desc>
+## <p>
+## Define type to be an infiniband endport
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for infiniband endports.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_endport',`
+ gen_require(`
+ attribute ibendport_type;
+ ')
+
+ typeattribute $1 ibendport_type;
+')
+
+########################################
+## <summary>
+## Manage subnets on all labeled Infiniband endports
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_manage_subnet_all_endports',`
+ gen_require(`
+ attribute ibendport_type;
+ ')
+
+ allow $1 ibendport_type:infiniband_endport manage_subnet;
+')
+
+########################################
+## <summary>
+## Manage subnet on all unlabeled Infiniband endports
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_manage_subnet_unlabeled_endports',`
+ kernel_ib_manage_subnet_unlabeled_endports($1)
+')
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
index 468fb3449..fad84ca98 100644
--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -776,6 +776,48 @@ interface(`corenet_relabelto_$1_packets',`
')
'') dnl end create_port_interfaces
+define(`create_ibpkey_interfaces',``
+########################################
+## <summary>
+## Access the infiniband fabric on the $1 ibpkey.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_ib_access_$1_pkey',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:infiniband_pkey access;
+')
+'') dnl end create_ibpkey_interfaces
+
+define(`create_ibendport_interfaces',``
+########################################
+## <summary>
+## Manage the subnet on $1 ibendport.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_ib_manage_subnet_$1_endport',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ allow dollarsone $1_$2:infiniband_endport manage_subnet;
+')
+'') dnl end create_ibendport_interfaces
+
#
# create_netif_*_interfaces(linux_interfacename)
#
@@ -851,3 +893,25 @@ define(`network_packet',`
create_packet_interfaces($1_client)
create_packet_interfaces($1_server)
')
+
+# create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity)
+# (these wrap create_port_interfaces to handle attributes and types)
+define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))')
+
+#
+# ib_pkey(name,subnet_prefix pkeynum mls_sensitivity)
+#
+define(`ib_pkey',`
+create_ibpkey_type_interfaces($*)
+')
+
+# create_ibendport_*_interfaces(name, devname, portnum,mls_sensitivity)
+# (these wrap create_port_interfaces to handle attributes and types)
+define(`create_ibendport_type_interfaces',`create_ibendport_interfaces($1,ibendport_t,type,determine_reserved_capability(shift($*)))')
+
+#
+# ib_endport(name,device_name, portnum mls_sensitivity)
+#
+define(`ib_endport',`
+create_ibendport_type_interfaces($*)
+')
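Review bot: `create_ibpkey_type_interfaces` and `create_ibendport_type_interfaces` pass a fourth argument, `determine_reserved_capability(shift($*))`, that neither `create_ibpkey_interfaces` nor `create_ibendport_interfaces` reads (both use only `$1` through `$3`), and the helper's name suggests it classifies reserved port numbers rather than pkeys or endports, so this looks like a leftover from the port template it was copied from. The comments above both definitions also state that they wrap `create_port_interfaces`, which is not what they call. Dropping the unused argument so the bodies read `create_ibpkey_interfaces($1,ibpkey_t,type)` and `create_ibendport_interfaces($1,ibendport_t,type)`, and rewording the comments to `# (these wrap create_ibpkey_interfaces to handle types)` and the endport equivalent, would remove the misleading coupling.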
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b3db0139a..dbe009c88 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,8 @@ attribute port_type;
attribute reserved_port_type;
attribute rpc_port_type;
attribute server_packet_type;
+attribute ibpkey_type;
+attribute ibendport_type;
# This is an optimization for { port_type -reserved_port_type }
attribute unreserved_port_type;
@@ -364,3 +366,9 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+
+# Infiniband
+corenet_ib_access_all_pkeys(corenet_unconfined_type)
+corenet_ib_manage_subnet_all_endports(corenet_unconfined_type)
+corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type)
+corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type)
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
index 3f6e16889..380e64f31 100644
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -111,3 +111,29 @@ define(`network_packet',`
type $1_client_packet_t, packet_type, client_packet_type;
type $1_server_packet_t, packet_type, server_packet_type;
')
+
+define(`declare_ibpkeycons',`dnl
+ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl
+')
+
+#
+# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])
+#
+define(`ib_pkey',`
+type $1_ibpkey_t, ibpkey_type;
+ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl
+')
+
+define(`declare_ibendportcons',`dnl
+ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl
+')
+
+#
+# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]])
+#
+define(`ib_endport',`
+type $1_ibendport_t, ibendport_type;
+ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
+')
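Review bot: The usage comment above `ib_pkey` reads `# ib_pkey(nam, subnet_prefix, ...` where `nam` should be `name`, and the `ib_endport` comment omits the comma between `port_num` and `mls_sensitivity` in the repeated group; these comments are the only documentation of the variadic layout that `declare_ibpkeycons` and `declare_ibendportcons` consume four arguments at a time via `shiftn(4,$*)`. Suggest `# ib_pkey(name, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])` and `# ib_endport(name, dev_name, port_num, mls_sensitivity [,dev_name, port_num, mls_sensitivity[,...]])`. `shiftn` is not defined in this hunk, so the recursion depends on a helper defined elsewhere in the support macros.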
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index cecf5d866..d6705437b 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3553,3 +3553,40 @@ interface(`kernel_rw_vm_overcommit_sysctl',`
kernel_search_vm_sysctl($1)
allow $1 sysctl_vm_overcommit_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## Access unlabeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_ib_access_unlabeled_pkeys',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:infiniband_pkey access;
+')
+
+########################################
+## <summary>
+## Manage subnet on unlabeled Infiniband endports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_ib_manage_subnet_unlabeled_endports',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:infiniband_endport manage_subnet;
+')
+
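Review bot: The hunk ends by appending an empty line after the closing `')` of `kernel_ib_manage_subnet_unlabeled_endports`, leaving the file with a trailing blank line that the one-blank-line-between-interfaces spacing used in the rest of the hunk does not call for. Both new interfaces grant permissions on the new `infiniband_*` classes on `unlabeled_t` but carry no `## <infoflow type="both" weight="10"/>` line, while the generated per-type interfaces in corenetwork.if.m4 do; adding it after each `</param>` block keeps the interface documentation uniform. Dropping the final added blank line and adding the infoflow annotation are the only changes suggested.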
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index a2869be75..b9ae4b6a4 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -259,6 +259,11 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
+corenet_ib_access_all_pkeys(kernel_t)
+corenet_ib_access_unlabeled_pkeys(kernel_t)
+corenet_ib_manage_subnet_all_endports(kernel_t)
+corenet_ib_manage_subnet_unlabeled_endports(kernel_t)
+
dev_mounton_sysfs(kernel_t)
dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 06e5087cf..c19212c11 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -13,6 +13,7 @@ userdom_unpriv_user_template(staff)
#
# Local policy
#
+corenet_ib_access_unlabeled_pkeys(staff_t)
optional_policy(`
apache_role(staff_r, staff_t)
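Review bot: `corenet_ib_access_unlabeled_pkeys(staff_t)` is inserted directly under the `# Local policy` header with no blank line before the following `optional_policy(` block, unlike the surrounding layout. More substantively, it unconditionally grants the unprivileged staff role access to every InfiniBand pkey that carries no `ibpkeycon` label, and the sysadm.te hunk does the same for `sysadm_t` together with subnet management on unlabeled endports; if the intent is that users only get fabric access on systems where pkeys are deliberately left unlabeled, consider whether this belongs behind a tunable or in the user templates rather than hard-coded in each role file. A short why-comment such as `# pkeys without an ibpkeycon entry are unlabeled; grant the default access here` would at least record the rationale next to the rule.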
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index baebc901f..aa687f787 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -46,6 +46,9 @@ selinux_read_policy(sysadm_t)
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
+corenet_ib_access_unlabeled_pkeys(sysadm_t)
+corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
+
ifdef(`direct_sysadm_daemon',`
optional_policy(`
init_run_daemon(sysadm_t, sysadm_r)
diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
index 00b94b6ad..90813480d 100644
--- a/support/comment_move_decl.sed
+++ b/support/comment_move_decl.sed
@@ -6,7 +6,7 @@
/optional \{/,/} # end optional/b nextline
/^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/
-/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/
/^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
/^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
/^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/