summaryrefslogtreecommitdiffstats
path: root/include/linux/security.h
diff options
context:
space:
mode:
authorDaniel Jurgens <danielj@mellanox.com>2017-05-19 15:48:54 +0300
committerPaul Moore <paul@paul-moore.com>2017-05-23 12:27:21 -0400
commit47a2b338fe63200d716d2e24131cdb49f17c77da (patch)
tree2214ac893b108716acf44eb4098686fc34e48b03 /include/linux/security.h
parent8f408ab64be6319cb7736cbc6982838dcc362306 (diff)
downloadlinux-stable-47a2b338fe63200d716d2e24131cdb49f17c77da.tar.gz
linux-stable-47a2b338fe63200d716d2e24131cdb49f17c77da.tar.bz2
linux-stable-47a2b338fe63200d716d2e24131cdb49f17c77da.zip
IB/core: Enforce security on management datagrams
Allocate and free a security context when creating and destroying a MAD agent. This context is used for controlling access to PKeys and sending and receiving SMPs. When sending or receiving a MAD check that the agent has permission to access the PKey for the Subnet Prefix of the port. During MAD and snoop agent registration for SMI QPs check that the calling process has permission to access the manage the subnet and register a callback with the LSM to be notified of policy changes. When notificaiton of a policy change occurs recheck permission and set a flag indicating sending and receiving SMPs is allowed. When sending and receiving MADs check that the agent has access to the SMI if it's on an SMI QP. Because security policy can change it's possible permission was allowed when creating the agent, but no longer is. Signed-off-by: Daniel Jurgens <danielj@mellanox.com> Acked-by: Doug Ledford <dledford@redhat.com> [PM: remove the LSM hook init code] Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'include/linux/security.h')
-rw-r--r--include/linux/security.h6
1 files changed, 6 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index f96e333f6042..549cb828a888 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1432,6 +1432,7 @@ static inline int security_tun_dev_open(void *security)
#ifdef CONFIG_SECURITY_INFINIBAND
int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey);
+int security_ib_endport_manage_subnet(void *sec, const char *name, u8 port_num);
int security_ib_alloc_security(void **sec);
void security_ib_free_security(void *sec);
#else /* CONFIG_SECURITY_INFINIBAND */
@@ -1440,6 +1441,11 @@ static inline int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey
return 0;
}
+static inline int security_ib_endport_manage_subnet(void *sec, const char *dev_name, u8 port_num)
+{
+ return 0;
+}
+
static inline int security_ib_alloc_security(void **sec)
{
return 0;