security/selinux/ibpkey.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * Pkey table
0004  *
0005  * SELinux must keep a mapping of Infinband PKEYs to labels/SIDs.  This
0006  * mapping is maintained as part of the normal policy but a fast cache is
0007  * needed to reduce the lookup overhead.
0008  *
0009  * This code is heavily based on the "netif" and "netport" concept originally
0010  * developed by
0011  * James Morris <jmorris@redhat.com> and
0012  * Paul Moore <paul@paul-moore.com>
0013  *   (see security/selinux/netif.c and security/selinux/netport.c for more
0014  *   information)
0015  */
0016
0017 /*
0018  * (c) Mellanox Technologies, 2016
0019  */
0020
0021 #include <linux/types.h>
0022 #include <linux/rcupdate.h>
0023 #include <linux/list.h>
0024 #include <linux/spinlock.h>
0025
0026 #include "ibpkey.h"
0027 #include "objsec.h"
0028
0029 #define SEL_PKEY_HASH_SIZE       256
0030 #define SEL_PKEY_HASH_BKT_LIMIT   16
0031
0032 struct sel_ib_pkey_bkt {
0033     int size;
0034     struct list_head list;
0035 };
0036
0037 struct sel_ib_pkey {
0038     struct pkey_security_struct psec;
0039     struct list_head list;
0040     struct rcu_head rcu;
0041 };
0042
0043 static DEFINE_SPINLOCK(sel_ib_pkey_lock);
0044 static struct sel_ib_pkey_bkt sel_ib_pkey_hash[SEL_PKEY_HASH_SIZE];
0045
0046 /**
0047  * sel_ib_pkey_hashfn - Hashing function for the pkey table
0048  * @pkey: pkey number
0049  *
0050  * Description:
0051  * This is the hashing function for the pkey table, it returns the bucket
0052  * number for the given pkey.
0053  *
0054  */
0055 static unsigned int sel_ib_pkey_hashfn(u16 pkey)
0056 {
0057     return (pkey & (SEL_PKEY_HASH_SIZE - 1));
0058 }
0059
0060 /**
0061  * sel_ib_pkey_find - Search for a pkey record
0062  * @subnet_prefix: subnet_prefix
0063  * @pkey_num: pkey_num
0064  *
0065  * Description:
0066  * Search the pkey table and return the matching record.  If an entry
0067  * can not be found in the table return NULL.
0068  *
0069  */
0070 static struct sel_ib_pkey *sel_ib_pkey_find(u64 subnet_prefix, u16 pkey_num)
0071 {
0072     unsigned int idx;
0073     struct sel_ib_pkey *pkey;
0074
0075     idx = sel_ib_pkey_hashfn(pkey_num);
0076     list_for_each_entry_rcu(pkey, &sel_ib_pkey_hash[idx].list, list) {
0077         if (pkey->psec.pkey == pkey_num &&
0078             pkey->psec.subnet_prefix == subnet_prefix)
0079             return pkey;
0080     }
0081
0082     return NULL;
0083 }
0084
0085 /**
0086  * sel_ib_pkey_insert - Insert a new pkey into the table
0087  * @pkey: the new pkey record
0088  *
0089  * Description:
0090  * Add a new pkey record to the hash table.
0091  *
0092  */
0093 static void sel_ib_pkey_insert(struct sel_ib_pkey *pkey)
0094 {
0095     unsigned int idx;
0096
0097     /* we need to impose a limit on the growth of the hash table so check
0098      * this bucket to make sure it is within the specified bounds
0099      */
0100     idx = sel_ib_pkey_hashfn(pkey->psec.pkey);
0101     list_add_rcu(&pkey->list, &sel_ib_pkey_hash[idx].list);
0102     if (sel_ib_pkey_hash[idx].size == SEL_PKEY_HASH_BKT_LIMIT) {
0103         struct sel_ib_pkey *tail;
0104
0105         tail = list_entry(
0106             rcu_dereference_protected(
0107                 list_tail_rcu(&sel_ib_pkey_hash[idx].list),
0108                 lockdep_is_held(&sel_ib_pkey_lock)),
0109             struct sel_ib_pkey, list);
0110         list_del_rcu(&tail->list);
0111         kfree_rcu(tail, rcu);
0112     } else {
0113         sel_ib_pkey_hash[idx].size++;
0114     }
0115 }
0116
0117 /**
0118  * sel_ib_pkey_sid_slow - Lookup the SID of a pkey using the policy
0119  * @subnet_prefix: subnet prefix
0120  * @pkey_num: pkey number
0121  * @sid: pkey SID
0122  *
0123  * Description:
0124  * This function determines the SID of a pkey by querying the security
0125  * policy.  The result is added to the pkey table to speedup future
0126  * queries.  Returns zero on success, negative values on failure.
0127  *
0128  */
0129 static int sel_ib_pkey_sid_slow(u64 subnet_prefix, u16 pkey_num, u32 *sid)
0130 {
0131     int ret;
0132     struct sel_ib_pkey *pkey;
0133     struct sel_ib_pkey *new = NULL;
0134     unsigned long flags;
0135
0136     spin_lock_irqsave(&sel_ib_pkey_lock, flags);
0137     pkey = sel_ib_pkey_find(subnet_prefix, pkey_num);
0138     if (pkey) {
0139         *sid = pkey->psec.sid;
0140         spin_unlock_irqrestore(&sel_ib_pkey_lock, flags);
0141         return 0;
0142     }
0143
0144     ret = security_ib_pkey_sid(&selinux_state, subnet_prefix, pkey_num,
0145                    sid);
0146     if (ret)
0147         goto out;
0148
0149     /* If this memory allocation fails still return 0. The SID
0150      * is valid, it just won't be added to the cache.
0151      */
0152     new = kzalloc(sizeof(*new), GFP_ATOMIC);
0153     if (!new) {
0154         ret = -ENOMEM;
0155         goto out;
0156     }
0157
0158     new->psec.subnet_prefix = subnet_prefix;
0159     new->psec.pkey = pkey_num;
0160     new->psec.sid = *sid;
0161     sel_ib_pkey_insert(new);
0162
0163 out:
0164     spin_unlock_irqrestore(&sel_ib_pkey_lock, flags);
0165     return ret;
0166 }
0167
0168 /**
0169  * sel_ib_pkey_sid - Lookup the SID of a PKEY
0170  * @subnet_prefix: subnet_prefix
0171  * @pkey_num: pkey number
0172  * @sid: pkey SID
0173  *
0174  * Description:
0175  * This function determines the SID of a PKEY using the fastest method
0176  * possible.  First the pkey table is queried, but if an entry can't be found
0177  * then the policy is queried and the result is added to the table to speedup
0178  * future queries.  Returns zero on success, negative values on failure.
0179  *
0180  */
0181 int sel_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *sid)
0182 {
0183     struct sel_ib_pkey *pkey;
0184
0185     rcu_read_lock();
0186     pkey = sel_ib_pkey_find(subnet_prefix, pkey_num);
0187     if (pkey) {
0188         *sid = pkey->psec.sid;
0189         rcu_read_unlock();
0190         return 0;
0191     }
0192     rcu_read_unlock();
0193
0194     return sel_ib_pkey_sid_slow(subnet_prefix, pkey_num, sid);
0195 }
0196
0197 /**
0198  * sel_ib_pkey_flush - Flush the entire pkey table
0199  *
0200  * Description:
0201  * Remove all entries from the pkey table
0202  *
0203  */
0204 void sel_ib_pkey_flush(void)
0205 {
0206     unsigned int idx;
0207     struct sel_ib_pkey *pkey, *pkey_tmp;
0208     unsigned long flags;
0209
0210     spin_lock_irqsave(&sel_ib_pkey_lock, flags);
0211     for (idx = 0; idx < SEL_PKEY_HASH_SIZE; idx++) {
0212         list_for_each_entry_safe(pkey, pkey_tmp,
0213                      &sel_ib_pkey_hash[idx].list, list) {
0214             list_del_rcu(&pkey->list);
0215             kfree_rcu(pkey, rcu);
0216         }
0217         sel_ib_pkey_hash[idx].size = 0;
0218     }
0219     spin_unlock_irqrestore(&sel_ib_pkey_lock, flags);
0220 }
0221
0222 static __init int sel_ib_pkey_init(void)
0223 {
0224     int iter;
0225
0226     if (!selinux_enabled_boot)
0227         return 0;
0228
0229     for (iter = 0; iter < SEL_PKEY_HASH_SIZE; iter++) {
0230         INIT_LIST_HEAD(&sel_ib_pkey_hash[iter].list);
0231         sel_ib_pkey_hash[iter].size = 0;
0232     }
0233
0234     return 0;
0235 }
0236
0237 subsys_initcall(sel_ib_pkey_init);