From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 23 May 2017 20:28:24 -0400 Subject: [refpolicy] [PATCH v1 1/1] refpolicy: Infiniband pkeys and endports In-Reply-To: <1495550661-1518-1-git-send-email-danielj@mellanox.com> References: <1495550661-1518-1-git-send-email-danielj@mellanox.com> Message-ID: <45d60463-1c36-38d9-022c-86f0bd3fcb04@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/23/2017 10:44 AM, Dan Jurgens wrote: > From: Daniel Jurgens > > Every Infiniband network will have a default pkey, so that is labeled. > The rest of the pkey configuration is network specific. The policy allows > access to the default and unlabeled pkeys for sysadm and staff users. > kernel_t is allowed access to all pkeys, which it needs to process and > route management datagrams. > > Endports are all unlabeled by default, sysadm users are allowed to > manage the subnet on unlabeled endports. kernel_t is allowed to manage > the subnet on all ibendports, which is required for configuring the HCA. > > This patch requires selinux series: "SELinux user space support for > Infiniband RDMA", due to the new ipkeycon labeling mechanism. 
> > Signed-off-by: Daniel Jurgens > > --- > > v1: > Myself: > - Changed default PKey label from s1 to s0. > > Chris PeBenito: > - Shorted interface names to corenet_ib_* > - Remove direct referenc to to unlabeled_t in corenet interface file, > now it calls new kernel_ib interfaces. > - Change corenet_ib_*all* interfaces allow for the typeattribute only, > and not unlabeled as well. > - Eliminate unneccesary braces on single access vectors. > > --- > Makefile | 4 +- > Rules.modular | 2 + > Rules.monolithic | 2 + > policy/flask/access_vectors | 10 +++ > policy/flask/security_classes | 4 ++ > policy/modules/kernel/corenetwork.if.in | 118 ++++++++++++++++++++++++++++++++ > policy/modules/kernel/corenetwork.if.m4 | 64 +++++++++++++++++ > policy/modules/kernel/corenetwork.te.in | 19 +++++ > policy/modules/kernel/corenetwork.te.m4 | 26 +++++++ > policy/modules/kernel/kernel.if | 37 ++++++++++ > policy/modules/kernel/kernel.te | 7 ++ > policy/modules/roles/staff.te | 4 ++ > policy/modules/roles/sysadm.te | 5 ++ > support/comment_move_decl.sed | 2 +- > 14 files changed, 301 insertions(+), 3 deletions(-) > > diff --git a/Makefile b/Makefile > index d19985eb..1804108e 100644 > --- a/Makefile > +++ b/Makefile > @@ -76,7 +76,7 @@ SED ?= sed > SORT ?= LC_ALL=C sort > UMASK ?= umask > > -CFLAGS += -Wall -Wextra -Werror -O2 > +CFLAGS += -Wno-implicit-fallthrough -Wall -Wextra -Werror -O2 > > # policy source layout > poldir := policy 
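Review bot: The new `-Wno-implicit-fallthrough` on the Makefile's `CFLAGS +=` line is unrelated to the Infiniband labeling this patch is about and is not mentioned in the commit message or the v1 changelog. It disables one diagnostic class under `-Werror` for everything built with these CFLAGS, so it deserves its own commit stating which compiler version and which support tool started failing. If a single source file triggers the warning, a fallthrough annotation at that spot would be narrower than turning the diagnostic off build-wide.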
> @@ -370,7 +370,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke > @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ > @echo "#" >> $@ > $(verbose) cat $@.in >> $@ > - $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \ > + $(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \ > | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \ > | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ > > diff --git a/Rules.modular b/Rules.modular > index 49d3cca9..331a979d 100644 > --- a/Rules.modular > +++ b/Rules.modular > @@ -170,6 +170,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con > $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true > $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true > $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true > + $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true > + $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true > > $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf > $(verbose) $(comment_move_decl) $^ > $@ > diff --git a/Rules.monolithic b/Rules.monolithic > index ce112d78..80e00821 100644 > --- a/Rules.monolithic > +++ b/Rules.monolithic 
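Review bot: The changed `$(GREP)` pattern in the corenetwork.if rule has an alternation-precedence problem: in `^[[:blank:]]*(network_(...)(_controlled)?)|ib_(pkey|endport)\(.*\)` the `^[[:blank:]]*` anchor applies only to the first branch and the `\(.*\)` suffix only to the second, so `network_*` calls now match without requiring parentheses and `ib_pkey(`/`ib_endport(` match anywhere on a line, which would pick up a commented-out `# ib_pkey(...)` line in corenetwork.te.in. Putting both names inside one group restores the original shape: `"^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?|ib_(pkey|endport))\(.*\)"`. The rest of this rule's recipe lies outside the hunk.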
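Review bot: The two added `$(GREP) ^ibpkeycon` / `^ibendportcon` lines in Rules.modular append the Infiniband contexts to all_post.conf after `nodecon`, and the identical hunk in Rules.monolithic does the same. As far as I recall, checkpolicy's policy.conf grammar accepts ibpkeycon/ibendportcon statements between netifcon and nodecon rather than after nodecon, so the assembled policy may fail to parse once it actually contains an `ibpkeycon` line — please verify with a monolithic build that includes the new `ib_pkey(default, ...)` declaration. If the ordering matters, moving the two new lines above the `^nodecon` grep in both files is the fix. The `all_post.conf` recipe starts outside the hunk.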
> @@ -150,6 +150,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con > $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true > $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true > $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true > + $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true > + $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true > > $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf > $(verbose) $(comment_move_decl) $^ > $@ > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors > index 69f69af8..520a3c28 100644 > --- a/policy/flask/access_vectors > +++ b/policy/flask/access_vectors > @@ -926,6 +926,16 @@ inherits database > set_value > } > > +class infiniband_pkey > +{ > + access > +} > + > +class infiniband_endport > +{ > + manage_subnet > +} > + > class db_language > inherits database > { > diff --git a/policy/flask/security_classes b/policy/flask/security_classes > index 18f18fd8..393621bf 100644 > --- a/policy/flask/security_classes > +++ b/policy/flask/security_classes > @@ -139,6 +139,10 @@ class netlink_crypto_socket > class x_pointer # userspace > class x_keyboard # userspace > > +# Infiniband > +class infiniband_pkey > +class infiniband_endport > + > # More Database stuff > class db_schema # userspace > class db_view # userspace > diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in > index 2101ea1b..ff3048de 100644 > --- a/policy/modules/kernel/corenetwork.if.in > +++ b/policy/modules/kernel/corenetwork.if.in > @@ -3134,3 +3134,121 @@ interface(`corenet_unconfined',` > > typeattribute $1 corenet_unconfined_type; > ') > + > +######################################## > +## > +## Define type to be an infiniband pkey type > +## > +## > +##

> +## Define type to be an infiniband pkey type > +##

> +##

> +## This is for supporting third party modules and its > +## use is not allowed in upstream reference policy. > +##

> +##
> +## > +## > +## Type to be used for infiniband pkeys. > +## > +## > +# > +interface(`corenet_ib_pkey',` > + gen_require(` > + attribute ibpkey_type; > + ') > + > + typeattribute $1 ibpkey_type; > +') > + > +######################################## > +## > +## Access unlabeled infiniband pkeys. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_ib_access_unlabeled_pkeys',` > + kernel_ib_access_unlabeled_pkeys($1) > +') > + > +######################################## > +## > +## Access all labeled infiniband pkeys. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_ib_access_all_pkeys',` > + gen_require(` > + attribute ibpkey_type; > + ') > + > + allow $1 ibpkey_type:infiniband_pkey access; > +') > + > +######################################## > +## > +## Define type to be an infiniband endport > +## > +## > +##

> +## Define type to be an infiniband endport > +##

> +##

> +## This is for supporting third party modules and its > +## use is not allowed in upstream reference policy. > +##

> +##
> +## > +## > +## Type to be used for infiniband endports. > +## > +## > +# > +interface(`corenet_ib_endport',` > + gen_require(` > + attribute ibendport_type; > + ') > + > + typeattribute $1 ibendport_type; > +') > + > +######################################## > +## > +## Manage subnets on all labeled Infiniband endports > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_ib_manage_subnet_all_endports',` > + gen_require(` > + attribute ibendport_type; > + ') > + > + allow $1 ibendport_type:infiniband_endport manage_subnet; > +') > + > +######################################## > +## > +## Manage subnet on all unlabeled Infiniband endports > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_ib_manage_subnet_unlabeled_endports',` > + kernel_ib_manage_subnet_unlabeled_endports($1) > +') > diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4 > index 468fb344..fad84ca9 100644 > --- a/policy/modules/kernel/corenetwork.if.m4 > +++ b/policy/modules/kernel/corenetwork.if.m4 
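Review bot: The summaries of the two type-defining interfaces in corenetwork.if.in are worded inconsistently: `corenet_ib_pkey` says `Define type to be an infiniband pkey type` while `corenet_ib_endport` says `Define type to be an infiniband endport`, and neither ends with a period like the neighbouring corenet summaries. Suggest `## Define type to be an infiniband endport type.` and the matching form for the pkey interface. The summaries of `corenet_ib_access_all_pkeys` and `corenet_ib_manage_subnet_all_endports` correctly say "all labeled", which is worth keeping since the changelog states those interfaces deliberately exclude unlabeled_t.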
> @@ -776,6 +776,48 @@ interface(`corenet_relabelto_$1_packets',` > ') > '') dnl end create_port_interfaces > > +define(`create_ibpkey_interfaces',`` > +######################################## > +## > +## Access the infiniband fabric on the $1 ibpkey. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`corenet_ib_access_$1_pkey',` > + gen_require(` > + $3 $1_$2; > + ') > + > + allow dollarsone $1_$2:infiniband_pkey access; > +') > +'') dnl end create_ibpkey_interfaces > + > +define(`create_ibendport_interfaces',`` > +######################################## > +## > +## Manage the subnet on $1 ibendport. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`corenet_ib_manage_subnet_$1_endport',` > + gen_require(` > + $3 $1_$2; > + ') > + > + allow dollarsone $1_$2:infiniband_endport manage_subnet; > +') > +'') dnl end create_ibendport_interfaces > + > # > # create_netif_*_interfaces(linux_interfacename) > # > @@ -851,3 +893,25 @@ define(`network_packet',` > create_packet_interfaces($1_client) > create_packet_interfaces($1_server) > ') > + > +# create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity) > +# (these wrap create_port_interfaces to handle attributes and types) > +define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))') > + > +# > +# ib_pkey(name,subnet_prefix pkeynum mls_sensitivity) > +# > +define(`ib_pkey',` > +create_ibpkey_type_interfaces($*) > +') > + > +# create_ibendport_*_interfaces(name, devname, portnum,mls_sensitivity) > +# (these wrap create_port_interfaces to handle attributes and types) > +define(`create_ibendport_type_interfaces',`create_ibendport_interfaces($1,ibendport_t,type,determine_reserved_capability(shift($*)))') > + > +# > +# ib_endport(name,device_name, portnum mls_sensitivity) > +# > +define(`ib_endport',` > +create_ibendport_type_interfaces($*) > +') 
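Review bot: `create_ibpkey_type_interfaces` and `create_ibendport_type_interfaces` pass `determine_reserved_capability(shift($*))` as a fourth argument that the `create_ibpkey_interfaces` / `create_ibendport_interfaces` templates never use — they reference only `$1`, `$2` and `$3` — and that helper appears to be the port-number check used by the port macros, so feeding it a subnet prefix or device name is meaningless. Drop the argument: `define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type)')` and the same for the endport macro. The comments `(these wrap create_port_interfaces to handle attributes and types)` were copied from the port macros and should name `create_ibpkey_interfaces` / `create_ibendport_interfaces`; the argument comments also mix comma and space separators (`subnet_prefix pkeynum mls_sensitivity`).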
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in > index 1ca96d38..138d147f 100644 > --- a/policy/modules/kernel/corenetwork.te.in > +++ b/policy/modules/kernel/corenetwork.te.in > @@ -16,6 +16,8 @@ attribute port_type; > attribute reserved_port_type; > attribute rpc_port_type; > attribute server_packet_type; > +attribute ibpkey_type; > +attribute ibendport_type; > # This is an optimization for { port_type -reserved_port_type } > attribute unreserved_port_type; > > @@ -346,6 +348,15 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; > > ######################################## > # > +# Infiniband Pkeys > +# > +# > +# unlabeled_t is the default type of infiniband pkeys. > +# > +ib_pkey(default, fe80::,0xFFFF,s0) > + > +######################################## > +# > # Unconfined access to this module > # > > @@ -358,3 +369,11 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; > # Bind to any network address. > allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind; > allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; > + > +# Infiniband > +optional_policy(` > + corenet_ib_access_all_pkeys(corenet_unconfined_type) > + corenet_ib_manage_subnet_all_endports(corenet_unconfined_type) > + corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type) > + corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type) > +') This shouldn't be optional, as this is referencing its own module, so it will always be included. The corenet_ib_* calls below don't need to be optional either as corenet is required for all policies. > diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 > index 3f6e1688..380e64f3 100644 > --- a/policy/modules/kernel/corenetwork.te.m4 > +++ b/policy/modules/kernel/corenetwork.te.m4 
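Review bot: The comment above `ib_pkey(default, fe80::,0xFFFF,s0)` reads `# unlabeled_t is the default type of infiniband pkeys.`, but that line declares `default_ibpkey_t` and labels only pkey 0xFFFF on subnet prefix fe80:: with it; unlabeled_t is what every other pkey falls back to, and nothing in this hunk says so. Suggest `# default_ibpkey_t labels the default pkey (0xFFFF) on the default subnet prefix; all other pkeys are unlabeled_t.` so a reader can tell which objects the `_all_` interfaces cover and which remain unlabeled.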
> @@ -111,3 +111,29 @@ define(`network_packet',` > type $1_client_packet_t, packet_type, client_packet_type; > type $1_server_packet_t, packet_type, server_packet_type; > ') > + > +define(`declare_ibpkeycons',`dnl > +ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4) > +ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl > +') > + > +# > +# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]]) > +# > +define(`ib_pkey',` > +type $1_ibpkey_t, ibpkey_type; > +ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl > +') > + > +define(`declare_ibendportcons',`dnl > +ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4) > +ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl > +') > + > +# > +# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]]) > +# > +define(`ib_endport',` > +type $1_ibendport_t, ibendport_type; > +ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl > +') > diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if > index 8d23e58c..75d7c477 100644 > --- a/policy/modules/kernel/kernel.if > +++ b/policy/modules/kernel/kernel.if 
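Review bot: The usage comments for the new corenetwork.te.m4 macros have typos that will mislead anyone copying the calling convention: `# ib_pkey(nam, subnet_prefix, ...` should read `name`, and `# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]])` is missing the comma between `port_num` and `mls_sensitivity` and has a stray space before the parenthesis. Since both `declare_*cons` helpers recurse with `shiftn(4,$*)` after consuming the type plus three arguments, the arguments after the name must come in triples; a short note such as `# each additional entry is a (subnet_prefix, pkey_num, mls_sensitivity) triple` would make the `ifelse(`$5',...)` guard self-explanatory.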
> @@ -3535,3 +3535,40 @@ interface(`kernel_rw_vm_overcommit_sysctl',` > kernel_search_vm_sysctl($1) > allow $1 sysctl_vm_overcommit_t:file rw_file_perms; > ') > + > +######################################## > +## > +## Access unlabeled infiniband pkeys. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`kernel_ib_access_unlabeled_pkeys',` > + gen_require(` > + type unlabeled_t; > + ') > + > + allow $1 unlabeled_t:infiniband_pkey access; > +') > + > +######################################## > +## > +## Manage subnet on unlabeled Infiniband endports. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`kernel_ib_manage_subnet_unlabeled_endports',` > + gen_require(` > + type unlabeled_t; > + ') > + > + allow $1 unlabeled_t:infiniband_endport manage_subnet; > +') > + > diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te > index 89923242..ee89949a 100644 > --- a/policy/modules/kernel/kernel.te > +++ b/policy/modules/kernel/kernel.te > @@ -449,6 +449,13 @@ optional_policy(` > unconfined_domain_noaudit(kernel_t) > ') > > +optional_policy(` > + corenet_ib_access_all_pkeys(kernel_t) > + corenet_ib_access_unlabeled_pkeys(kernel_t) > + corenet_ib_manage_subnet_all_endports(kernel_t) > + corenet_ib_manage_subnet_unlabeled_endports(kernel_t) > +') > + > ######################################## > # > # Unlabeled process local policy > diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te > index 27c2fffa..8c1ad8b8 100644 > --- a/policy/modules/roles/staff.te > +++ b/policy/modules/roles/staff.te > @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff) > # > > optional_policy(` > + corenet_ib_access_unlabeled_pkeys(staff_t) > +') > + > +optional_policy(` > apache_role(staff_r, staff_t) > ') > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 54df4354..21081094 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te 
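Review bot: The kernel.if hunk adds an empty line after the closing `')` of `kernel_ib_manage_subnet_unlabeled_endports`, leaving a trailing blank line at end of file; drop it. The two new summaries also capitalize the technology differently (`unlabeled infiniband pkeys` vs `unlabeled Infiniband endports`), and the corenet wrappers in this patch use the lowercase form, so `## Manage subnet on unlabeled infiniband endports.` keeps them consistent.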
> @@ -277,6 +277,11 @@ optional_policy(` > ') > > optional_policy(` > + corenet_ib_access_unlabeled_pkeys(sysadm_t) > + corenet_ib_manage_subnet_unlabeled_endports(sysadm_t) > +') > + > +optional_policy(` > couchdb_admin(sysadm_t, sysadm_r) > ') > > diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed > index 00b94b6a..90813480 100644 > --- a/support/comment_move_decl.sed > +++ b/support/comment_move_decl.sed > @@ -6,7 +6,7 @@ > /optional \{/,/} # end optional/b nextline > > /^[[:blank:]]*(attribute(_role)?|type(alias)?) /s/^/# this line was moved by the build process: &/ > -/^[[:blank:]]*(port|node|netif|genfs)con /s/^/# this line was moved by the build process: &/ > +/^[[:blank:]]*(port|node|netif|genfs|ibpkey|ibendport)con /s/^/# this line was moved by the build process: &/ > /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/ > /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/ > /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/ > -- Chris PeBenito