From: "Ravi Kumar Siddojigari" <rsiddoji@codeaurora.org>
To: "'Paul Moore'" <paul@paul-moore.com>
Cc: <selinux@vger.kernel.org>, "'Stephen Smalley'" <sds@tycho.nsa.gov>
Subject: RE: [PATCH] selinux: move ibpkeys code under CONFIG_SECURITY_INFINIBAND.
Date: Thu, 19 Dec 2019 19:48:47 +0530
Message-ID: <000101d5b677$3cbb50d0$b631f270$@codeaurora.org>
In-Reply-To: <CAHC9VhRqsGQfO-7EYctCmcjXbPznh=+xm7OJ_oN1RLGWaywGag@mail.gmail.com>
Updated the patch, moved the header file also under the config key, which was missed out in the earlier patch.
--
From a53941d36621ccb53fba900cb9a762dded41dc96 Mon Sep 17 00:00:00 2001
From: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
Date: Wed, 11 Dec 2019 19:57:24 +0530
Subject: [PATCH] selinux: move ibpkeys code under CONFIG_SECURITY_INFINIBAND.
Move cache based pkey sid retrieval code which was added
with Commit 409dcf31 under CONFIG_SECURITY_INFINIBAND.
As it's going to alloc a new cache which may impact
low ram devices which was enabled by default.
Change-Id: I80a13fb7bce8723c8c880cb77cbaee42db413a7a
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
---
security/selinux/Makefile | 4 +++-
security/selinux/hooks.c | 6 ++++++
security/selinux/include/ibpkey.h | 2 ++
security/selinux/include/objsec.h | 2 ++
4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index c7161f8..bf67fc8 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -6,12 +6,14 @@
obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
- netnode.o netport.o ibpkey.o exports.o \
+ netnode.o netport.o exports.o \
ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o
selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
+selinux-$(CONFIG_SECURITY_INFINIBAND) += ibpkey.o
+
selinux-$(CONFIG_NETLABEL) += netlabel.o
ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
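Review bot: The new selinux-$(CONFIG_SECURITY_INFINIBAND) += ibpkey.o line leaves sel_ib_pkey_sid() without a definition when the option is off, and the only caller this patch guards is the sel_ib_pkey_flush() call in hooks.c. Please confirm that every caller of sel_ib_pkey_sid() is already inside a CONFIG_SECURITY_INFINIBAND block, or provide static inline stubs in ibpkey.h so the build cannot break in the disabled configuration.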
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b1a9ac9..157faaf 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -94,7 +94,11 @@
#include "netif.h"
#include "netnode.h"
#include "netport.h"
+
+#ifdef CONFIG_SECURITY_INFINIBAND
#include "ibpkey.h"
+#endif
+
#include "xfrm.h"
#include "netlabel.h"
#include "audit.h"
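Review bot: The #ifdef CONFIG_SECURITY_INFINIBAND around #include "ibpkey.h" is redundant, because the ibpkey.h hunk in this same patch already wraps the header's declarations in that guard, so including it unconditionally is harmless. Drop the guard and the two added blank lines and leave the include list as it was; the config conditional belongs inside the header, not around the #include.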
@@ -198,7 +202,9 @@ static int selinux_netcache_avc_callback(u32 event)
static int selinux_lsm_notifier_avc_callback(u32 event)
{
if (event == AVC_CALLBACK_RESET) {
+#ifdef CONFIG_SECURITY_INFINIBAND
sel_ib_pkey_flush();
+#endif
call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
}
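Review bot: The #ifdef inside selinux_lsm_notifier_avc_callback() around sel_ib_pkey_flush() puts a config conditional in a function body, which hurts readability and means the call is never compile-checked in the disabled configuration. Keep the call unconditional and let ibpkey.h supply a static inline no-op sel_ib_pkey_flush() when CONFIG_SECURITY_INFINIBAND is not set.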
diff --git a/security/selinux/include/ibpkey.h b/security/selinux/include/ibpkey.h
index b17a19e..c90251b 100644
--- a/security/selinux/include/ibpkey.h
+++ b/security/selinux/include/ibpkey.h
@@ -24,8 +24,10 @@
#ifndef _SELINUX_IB_PKEY_H
#define _SELINUX_IB_PKEY_H
+#ifdef CONFIG_SECURITY_INFINIBAND
void sel_ib_pkey_flush(void);
int sel_ib_pkey_sid(u64 subnet_prefix, u16 pkey, u32 *sid);
#endif
+#endif
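Review bot: The added #ifdef CONFIG_SECURITY_INFINIBAND has no #else branch, so with the option off this header declares nothing and every caller needs its own guard. Add an #else with static inline stubs for both functions, with the sel_ib_pkey_sid() stub setting *sid before returning 0 so callers never read an uninitialised value. Two bare #endif lines now sit back to back, so comment each with what it closes, for example #endif /* CONFIG_SECURITY_INFINIBAND */.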
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 4b0da5f..94e6322 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -149,11 +149,13 @@ struct ib_security_struct {
u32 sid; /* SID of the queue pair or MAD agent */
};
+#ifdef CONFIG_SECURITY_INFINIBAND
struct pkey_security_struct {
u64 subnet_prefix; /* Port subnet prefix */
u16 pkey; /* PKey number */
u32 sid; /* SID of pkey */
};
+#endif
struct bpf_security_struct {
u32 sid; /*SID of bpf obj creater*/
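Review bot: The #ifdef around struct pkey_security_struct saves no memory, since a type definition allocates nothing; the cache allocation the commit message is concerned about is already compiled out by the Makefile change. The neighbouring struct ib_security_struct stays unguarded, and guarding only this one risks a build break wherever the type is named with the option off, so I would drop this hunk.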
--
1.9.1
Br,
-----Original Message-----
From: Paul Moore <paul@paul-moore.com>
Sent: Thursday, December 19, 2019 7:39 AM
To: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
Cc: selinux@vger.kernel.org; Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH] selinux: move ibpkeys code under CONFIG_SECURITY_INFINIBAND.
On Wed, Dec 18, 2019 at 1:01 AM Ravi Kumar Siddojigari <rsiddoji@codeaurora.org> wrote:
> -----Original Message-----
> From: selinux-owner@vger.kernel.org <selinux-owner@vger.kernel.org> On
> Behalf Of Ravi Kumar Siddojigari
> Sent: Tuesday, December 17, 2019 8:42 PM
> To: 'Paul Moore' <paul@paul-moore.com>
> Cc: selinux@vger.kernel.org
> Subject: RE: [PATCH] selinux: move pkey sid cache based retrieval
> under defconfig
>
> Yes Paul, it should be under CONFIG_SECURITY_INFINIBAND, thanks for correcting this.
> Hope we can take it fwd as all the targets with disabled InfiniBand can be gained.
> Please find the updated patch for review.
>
> From 6a8c60eacd0b6e5189722bb1823864b6728c2e34 Mon Sep 17 00:00:00 2001
> From: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
> Date: Wed, 11 Dec 2019 19:57:24 +0530
> Subject: [PATCH] selinux: move ibpkeys code under CONFIG_SECURITY_INFINIBAND.
>
> Move cache based pkey sid retrieval code which was added with Commit 409dcf31 under CONFIG_SECURITY_INFINIBAND.
> As it's going to alloc a new cache which may impact low ram devices which was enabled by default.
>
> Change-Id: I80a13fb7bce8723c8c880cb77cbaee42db413a7a
> Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
> ---
> security/selinux/Makefile | 4 +++-
> security/selinux/hooks.c | 6 ++++++
> security/selinux/include/objsec.h | 2 ++
> 3 files changed, 11 insertions(+), 1 deletion(-)
...
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index
> b1a9ac9..157faaf 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -94,7 +94,11 @@
> #include "netif.h"
> #include "netnode.h"
> #include "netport.h"
> +
> +#ifdef CONFIG_SECURITY_INFINIBAND
> #include "ibpkey.h"
> +#endif
See the comments below ...
> #include "xfrm.h"
> #include "netlabel.h"
> #include "audit.h"
> @@ -198,7 +202,9 @@ static int selinux_netcache_avc_callback(u32 event) static int selinux_lsm_notifier_avc_callback(u32 event) {
> if (event == AVC_CALLBACK_RESET) {
> +#ifdef CONFIG_SECURITY_INFINIBAND
> sel_ib_pkey_flush();
> +#endif
> call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
> }
In cases like the one you see directly above, and in the #include further up, the kernel usually solves this by creating a dummy function in the header file. In this case, ibpkey.h would look something like this:
>>>
/* header comments, blah blah blah */

#ifndef _SELINUX_IB_PKEY_H
#define _SELINUX_IB_PKEY_H

#ifdef CONFIG_SECURITY_INFINIBAND
void sel_ib_pkey_flush(void);
int sel_ib_pkey_sid(u64 subnet_prefix, u16 pkey, u32 *sid);
#else
static inline void sel_ib_pkey_flush(void)
{
	return;
}
static inline int sel_ib_pkey_sid(u64 subnet_prefix, u16 pkey, u32 *sid)
{
	*sid = SECINITSID_UNLABELED;
	return 0;
}
#endif

#endif
>>>
Does that make sense?
--
paul moore
www.paul-moore.com