ibpkey.c 5.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Pkey table
  4. *
  5. * SELinux must keep a mapping of Infinband PKEYs to labels/SIDs. This
  6. * mapping is maintained as part of the normal policy but a fast cache is
  7. * needed to reduce the lookup overhead.
  8. *
  9. * This code is heavily based on the "netif" and "netport" concept originally
  10. * developed by
  11. * James Morris <[email protected]> and
  12. * Paul Moore <[email protected]>
  13. * (see security/selinux/netif.c and security/selinux/netport.c for more
  14. * information)
  15. */
  16. /*
  17. * (c) Mellanox Technologies, 2016
  18. */
  19. #include <linux/types.h>
  20. #include <linux/rcupdate.h>
  21. #include <linux/list.h>
  22. #include <linux/spinlock.h>
  23. #include "ibpkey.h"
  24. #include "objsec.h"
  25. #define SEL_PKEY_HASH_SIZE 256
  26. #define SEL_PKEY_HASH_BKT_LIMIT 16
  27. struct sel_ib_pkey_bkt {
  28. int size;
  29. struct list_head list;
  30. };
  31. struct sel_ib_pkey {
  32. struct pkey_security_struct psec;
  33. struct list_head list;
  34. struct rcu_head rcu;
  35. };
  36. static DEFINE_SPINLOCK(sel_ib_pkey_lock);
  37. static struct sel_ib_pkey_bkt sel_ib_pkey_hash[SEL_PKEY_HASH_SIZE];
  38. /**
  39. * sel_ib_pkey_hashfn - Hashing function for the pkey table
  40. * @pkey: pkey number
  41. *
  42. * Description:
  43. * This is the hashing function for the pkey table, it returns the bucket
  44. * number for the given pkey.
  45. *
  46. */
  47. static unsigned int sel_ib_pkey_hashfn(u16 pkey)
  48. {
  49. return (pkey & (SEL_PKEY_HASH_SIZE - 1));
  50. }
  51. /**
  52. * sel_ib_pkey_find - Search for a pkey record
  53. * @subnet_prefix: subnet_prefix
  54. * @pkey_num: pkey_num
  55. *
  56. * Description:
  57. * Search the pkey table and return the matching record. If an entry
  58. * can not be found in the table return NULL.
  59. *
  60. */
  61. static struct sel_ib_pkey *sel_ib_pkey_find(u64 subnet_prefix, u16 pkey_num)
  62. {
  63. unsigned int idx;
  64. struct sel_ib_pkey *pkey;
  65. idx = sel_ib_pkey_hashfn(pkey_num);
  66. list_for_each_entry_rcu(pkey, &sel_ib_pkey_hash[idx].list, list) {
  67. if (pkey->psec.pkey == pkey_num &&
  68. pkey->psec.subnet_prefix == subnet_prefix)
  69. return pkey;
  70. }
  71. return NULL;
  72. }
  73. /**
  74. * sel_ib_pkey_insert - Insert a new pkey into the table
  75. * @pkey: the new pkey record
  76. *
  77. * Description:
  78. * Add a new pkey record to the hash table.
  79. *
  80. */
  81. static void sel_ib_pkey_insert(struct sel_ib_pkey *pkey)
  82. {
  83. unsigned int idx;
  84. /* we need to impose a limit on the growth of the hash table so check
  85. * this bucket to make sure it is within the specified bounds
  86. */
  87. idx = sel_ib_pkey_hashfn(pkey->psec.pkey);
  88. list_add_rcu(&pkey->list, &sel_ib_pkey_hash[idx].list);
  89. if (sel_ib_pkey_hash[idx].size == SEL_PKEY_HASH_BKT_LIMIT) {
  90. struct sel_ib_pkey *tail;
  91. tail = list_entry(
  92. rcu_dereference_protected(
  93. list_tail_rcu(&sel_ib_pkey_hash[idx].list),
  94. lockdep_is_held(&sel_ib_pkey_lock)),
  95. struct sel_ib_pkey, list);
  96. list_del_rcu(&tail->list);
  97. kfree_rcu(tail, rcu);
  98. } else {
  99. sel_ib_pkey_hash[idx].size++;
  100. }
  101. }
  102. /**
  103. * sel_ib_pkey_sid_slow - Lookup the SID of a pkey using the policy
  104. * @subnet_prefix: subnet prefix
  105. * @pkey_num: pkey number
  106. * @sid: pkey SID
  107. *
  108. * Description:
  109. * This function determines the SID of a pkey by querying the security
  110. * policy. The result is added to the pkey table to speedup future
  111. * queries. Returns zero on success, negative values on failure.
  112. *
  113. */
  114. static int sel_ib_pkey_sid_slow(u64 subnet_prefix, u16 pkey_num, u32 *sid)
  115. {
  116. int ret;
  117. struct sel_ib_pkey *pkey;
  118. struct sel_ib_pkey *new = NULL;
  119. unsigned long flags;
  120. spin_lock_irqsave(&sel_ib_pkey_lock, flags);
  121. pkey = sel_ib_pkey_find(subnet_prefix, pkey_num);
  122. if (pkey) {
  123. *sid = pkey->psec.sid;
  124. spin_unlock_irqrestore(&sel_ib_pkey_lock, flags);
  125. return 0;
  126. }
  127. ret = security_ib_pkey_sid(&selinux_state, subnet_prefix, pkey_num,
  128. sid);
  129. if (ret)
  130. goto out;
  131. /* If this memory allocation fails still return 0. The SID
  132. * is valid, it just won't be added to the cache.
  133. */
  134. new = kzalloc(sizeof(*new), GFP_ATOMIC);
  135. if (!new) {
  136. ret = -ENOMEM;
  137. goto out;
  138. }
  139. new->psec.subnet_prefix = subnet_prefix;
  140. new->psec.pkey = pkey_num;
  141. new->psec.sid = *sid;
  142. sel_ib_pkey_insert(new);
  143. out:
  144. spin_unlock_irqrestore(&sel_ib_pkey_lock, flags);
  145. return ret;
  146. }
  147. /**
  148. * sel_ib_pkey_sid - Lookup the SID of a PKEY
  149. * @subnet_prefix: subnet_prefix
  150. * @pkey_num: pkey number
  151. * @sid: pkey SID
  152. *
  153. * Description:
  154. * This function determines the SID of a PKEY using the fastest method
  155. * possible. First the pkey table is queried, but if an entry can't be found
  156. * then the policy is queried and the result is added to the table to speedup
  157. * future queries. Returns zero on success, negative values on failure.
  158. *
  159. */
  160. int sel_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *sid)
  161. {
  162. struct sel_ib_pkey *pkey;
  163. rcu_read_lock();
  164. pkey = sel_ib_pkey_find(subnet_prefix, pkey_num);
  165. if (pkey) {
  166. *sid = pkey->psec.sid;
  167. rcu_read_unlock();
  168. return 0;
  169. }
  170. rcu_read_unlock();
  171. return sel_ib_pkey_sid_slow(subnet_prefix, pkey_num, sid);
  172. }
  173. /**
  174. * sel_ib_pkey_flush - Flush the entire pkey table
  175. *
  176. * Description:
  177. * Remove all entries from the pkey table
  178. *
  179. */
  180. void sel_ib_pkey_flush(void)
  181. {
  182. unsigned int idx;
  183. struct sel_ib_pkey *pkey, *pkey_tmp;
  184. unsigned long flags;
  185. spin_lock_irqsave(&sel_ib_pkey_lock, flags);
  186. for (idx = 0; idx < SEL_PKEY_HASH_SIZE; idx++) {
  187. list_for_each_entry_safe(pkey, pkey_tmp,
  188. &sel_ib_pkey_hash[idx].list, list) {
  189. list_del_rcu(&pkey->list);
  190. kfree_rcu(pkey, rcu);
  191. }
  192. sel_ib_pkey_hash[idx].size = 0;
  193. }
  194. spin_unlock_irqrestore(&sel_ib_pkey_lock, flags);
  195. }
  196. static __init int sel_ib_pkey_init(void)
  197. {
  198. int iter;
  199. if (!selinux_enabled_boot)
  200. return 0;
  201. for (iter = 0; iter < SEL_PKEY_HASH_SIZE; iter++) {
  202. INIT_LIST_HEAD(&sel_ib_pkey_hash[iter].list);
  203. sel_ib_pkey_hash[iter].size = 0;
  204. }
  205. return 0;
  206. }
  207. subsys_initcall(sel_ib_pkey_init);