refpolicy: Infiniband pkeys and endports

Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>

Makefile

@@ -370,7 +370,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke
 	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
 	@echo "#" >> $@
 	$(verbose) cat $@.in >> $@
-	$(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+	$(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \
 		| $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
 		| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
 

Rules.modular

@@ -170,6 +170,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
 	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
 	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
 	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+	$(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
+	$(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
 
 $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
 	$(verbose) $(comment_move_decl) $^ > $@

Rules.monolithic

@@ -150,6 +150,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con
 	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
 	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
 	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+	$(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
+	$(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true
 
 $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
 	$(verbose) $(comment_move_decl) $^ > $@

policy/flask/access_vectors

@@ -927,6 +927,16 @@ inherits database
 	set_value
 }
 
+class infiniband_pkey
+{
+	access
+}
+
+class infiniband_endport
+{
+	manage_subnet
+}
+
 class db_language
 inherits database
 {

policy/flask/security_classes

@@ -139,6 +139,10 @@ class netlink_crypto_socket
 class x_pointer			# userspace
 class x_keyboard		# userspace
 
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
 # More Database stuff
 class db_schema			# userspace
 class db_view			# userspace

policy/modules/kernel/corenetwork.if.in

@@ -3134,3 +3134,121 @@ interface(`corenet_unconfined',`
 
 	typeattribute $1 corenet_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Define type to be an infiniband pkey type
+## </summary>
+## <desc>
+##	<p>
+##	Define type to be an infiniband pkey type
+##	</p>
+##	<p>
+##	This is for supporting third party modules and its
+##	use is not allowed in upstream reference policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used for infiniband pkeys.
+##	</summary>
+## </param>
+#
+interface(`corenet_ib_pkey',`
+	gen_require(`
+		attribute ibpkey_type;
+	')
+
+	typeattribute $1 ibpkey_type;
+')
+
+########################################
+## <summary>
+##	Access unlabeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_ib_access_unlabeled_pkeys',`
+	kernel_ib_access_unlabeled_pkeys($1)
+')
+
+########################################
+## <summary>
+##	Access all labeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_ib_access_all_pkeys',`
+	gen_require(`
+		attribute ibpkey_type;
+	')
+
+	allow $1 ibpkey_type:infiniband_pkey access;
+')
+
+########################################
+## <summary>
+##	Define type to be an infiniband endport
+## </summary>
+## <desc>
+##	<p>
+##	Define type to be an infiniband endport
+##	</p>
+##	<p>
+##	This is for supporting third party modules and its
+##	use is not allowed in upstream reference policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used for infiniband endports.
+##	</summary>
+## </param>
+#
+interface(`corenet_ib_endport',`
+	gen_require(`
+		attribute ibendport_type;
+	')
+
+	typeattribute $1 ibendport_type;
+')
+
+########################################
+## <summary>
+##	Manage subnets on all labeled Infiniband endports
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_ib_manage_subnet_all_endports',`
+	gen_require(`
+		attribute ibendport_type;
+	')
+
+	allow $1 ibendport_type:infiniband_endport manage_subnet;
+')
+
+########################################
+## <summary>
+##	Manage subnet on all unlabeled Infiniband endports
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_ib_manage_subnet_unlabeled_endports',`
+	kernel_ib_manage_subnet_unlabeled_endports($1)
+')

policy/modules/kernel/corenetwork.if.m4

@@ -776,6 +776,48 @@ interface(`corenet_relabelto_$1_packets',`
 ')
 '') dnl end create_port_interfaces
 
+define(`create_ibpkey_interfaces',``
+########################################
+## <summary>
+##	Access the infiniband fabric on the $1 ibpkey.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_ib_access_$1_pkey',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:infiniband_pkey access;
+')
+'') dnl end create_ibpkey_interfaces
+
+define(`create_ibendport_interfaces',``
+########################################
+## <summary>
+##	Manage the subnet on $1 ibendport.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_ib_manage_subnet_$1_endport',`
+	gen_require(`
+		$3 $1_$2;
+	')
+
+	allow dollarsone $1_$2:infiniband_endport manage_subnet;
+')
+'') dnl end create_ibendport_interfaces
+
 #
 # create_netif_*_interfaces(linux_interfacename)
 #
@@ -851,3 +893,25 @@ define(`network_packet',`
 create_packet_interfaces($1_client)
 create_packet_interfaces($1_server)
 ')
+
+# create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity)
+# (these wrap create_port_interfaces to handle attributes and types)
+define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))')
+
+#
+# ib_pkey(name,subnet_prefix pkeynum mls_sensitivity)
+#
+define(`ib_pkey',`
+create_ibpkey_type_interfaces($*)
+')
+
+# create_ibendport_*_interfaces(name, devname, portnum,mls_sensitivity)
+# (these wrap create_port_interfaces to handle attributes and types)
+define(`create_ibendport_type_interfaces',`create_ibendport_interfaces($1,ibendport_t,type,determine_reserved_capability(shift($*)))')
+
+#
+# ib_endport(name,device_name, portnum mls_sensitivity)
+#
+define(`ib_endport',`
+create_ibendport_type_interfaces($*)
+')

policy/modules/kernel/corenetwork.te.in

@@ -16,6 +16,8 @@ attribute port_type;
 attribute reserved_port_type;
 attribute rpc_port_type;
 attribute server_packet_type;
+attribute ibpkey_type;
+attribute ibendport_type;
 # This is an optimization for { port_type -reserved_port_type }
 attribute unreserved_port_type;
 
@@ -358,3 +360,9 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 # Bind to any network address.
 allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
 allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+
+# Infiniband
+corenet_ib_access_all_pkeys(corenet_unconfined_type)
+corenet_ib_manage_subnet_all_endports(corenet_unconfined_type)
+corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type)
+corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type)

policy/modules/kernel/corenetwork.te.m4

@@ -111,3 +111,29 @@ define(`network_packet',`
 type $1_client_packet_t, packet_type, client_packet_type;
 type $1_server_packet_t, packet_type, server_packet_type;
 ')
+
+define(`declare_ibpkeycons',`dnl
+ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl
+')
+
+#
+# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])
+#
+define(`ib_pkey',`
+type $1_ibpkey_t, ibpkey_type;
+ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl
+')
+
+define(`declare_ibendportcons',`dnl
+ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl
+')
+
+#
+# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]])
+#
+define(`ib_endport',`
+type $1_ibendport_t, ibendport_type;
+ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
+')

policy/modules/kernel/kernel.if

@@ -3535,3 +3535,40 @@ interface(`kernel_rw_vm_overcommit_sysctl',`
 	kernel_search_vm_sysctl($1)
 	allow $1 sysctl_vm_overcommit_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Access unlabeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_ib_access_unlabeled_pkeys',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:infiniband_pkey access;
+')
+
+########################################
+## <summary>
+##	Manage subnet on unlabeled Infiniband endports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_ib_manage_subnet_unlabeled_endports',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:infiniband_endport manage_subnet;
+')
+

policy/modules/kernel/kernel.te

@@ -259,6 +259,11 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
 
+corenet_ib_access_all_pkeys(kernel_t)
+corenet_ib_access_unlabeled_pkeys(kernel_t)
+corenet_ib_manage_subnet_all_endports(kernel_t)
+corenet_ib_manage_subnet_unlabeled_endports(kernel_t)
+
 dev_mounton_sysfs(kernel_t)
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)

policy/modules/roles/staff.te

@@ -13,6 +13,7 @@ userdom_unpriv_user_template(staff)
 #
 # Local policy
 #
+corenet_ib_access_unlabeled_pkeys(staff_t)
 
 optional_policy(`
 	apache_role(staff_r, staff_t)

policy/modules/roles/sysadm.te

@@ -46,6 +46,9 @@ selinux_read_policy(sysadm_t)
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
 
+corenet_ib_access_unlabeled_pkeys(sysadm_t)
+corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
+
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
 		init_run_daemon(sysadm_t, sysadm_r)

support/comment_move_decl.sed

@@ -6,7 +6,7 @@
 /optional \{/,/} # end optional/b nextline
 
 /^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/
-/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/