IB/core: Enforce security on management datagrams

#include <linux/cgroup_rdma.h>

#include <rdma/ib_verbs.h>

#include <rdma/ib_mad.h>

#include "mad_priv.h"

struct pkey_index_qp_list {

	struct list_head    pkey_index_list;

				u64              *sn_pfx);

#ifdef CONFIG_SECURITY_INFINIBAND

int ib_security_pkey_access(struct ib_device *dev,

			    u8 port_num,

			    u16 pkey_index,

			    void *sec);

void ib_security_destroy_port_pkey_list(struct ib_device *device);

void ib_security_cache_change(struct ib_device *device,

void ib_destroy_qp_security_end(struct ib_qp_security *sec);

int ib_open_shared_qp_security(struct ib_qp *qp, struct ib_device *dev);

void ib_close_shared_qp_security(struct ib_qp_security *sec);

int ib_mad_agent_security_setup(struct ib_mad_agent *agent,

				enum ib_qp_type qp_type);

void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent);

int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index);

#else

static inline int ib_security_pkey_access(struct ib_device *dev,

					  u8 port_num,

					  u16 pkey_index,

					  void *sec)

{

	return 0;

}

static inline void ib_security_destroy_port_pkey_list(struct ib_device *device)

{

}

static inline void ib_close_shared_qp_security(struct ib_qp_security *sec)

{

}

static inline int ib_mad_agent_security_setup(struct ib_mad_agent *agent,

					      enum ib_qp_type qp_type)

{

	return 0;

}

static inline void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent)

{

}

static inline int ib_mad_enforce_security(struct ib_mad_agent_private *map,

					  u16 pkey_index)

{

	return 0;

}

#endif

#endif /* _CORE_PRIV_H */

#include <linux/dma-mapping.h>

#include <linux/slab.h>

#include <linux/module.h>

#include <linux/security.h>

#include <rdma/ib_cache.h>

#include "mad_priv.h"

#include "core_priv.h"

#include "mad_rmpp.h"

#include "smi.h"

#include "opa_smi.h"

	atomic_set(&mad_agent_priv->refcount, 1);

	init_completion(&mad_agent_priv->comp);

	ret2 = ib_mad_agent_security_setup(&mad_agent_priv->agent, qp_type);

	if (ret2) {

		ret = ERR_PTR(ret2);

		goto error4;

	}

	spin_lock_irqsave(&port_priv->reg_lock, flags);

	mad_agent_priv->agent.hi_tid = ++ib_mad_client_id;

				if (method) {

					if (method_in_use(&method,

							   mad_reg_req))

						goto error4;

						goto error5;

				}

			}

			ret2 = add_nonoui_reg_req(mad_reg_req, mad_agent_priv,

					if (is_vendor_method_in_use(

							vendor_class,

							mad_reg_req))

						goto error4;

						goto error5;

				}

			}

			ret2 = add_oui_reg_req(mad_reg_req, mad_agent_priv);

		}

		if (ret2) {

			ret = ERR_PTR(ret2);

			goto error4;

			goto error5;

		}

	}

	spin_unlock_irqrestore(&port_priv->reg_lock, flags);

	return &mad_agent_priv->agent;

error4:

error5:

	spin_unlock_irqrestore(&port_priv->reg_lock, flags);

	ib_mad_agent_security_cleanup(&mad_agent_priv->agent);

error4:

	kfree(reg_req);

error3:

	kfree(mad_agent_priv);

	struct ib_mad_agent *ret;

	struct ib_mad_snoop_private *mad_snoop_priv;

	int qpn;

	int err;

	/* Validate parameters */

	if ((is_snooping_sends(mad_snoop_flags) && !snoop_handler) ||

	mad_snoop_priv->agent.port_num = port_num;

	mad_snoop_priv->mad_snoop_flags = mad_snoop_flags;

	init_completion(&mad_snoop_priv->comp);

	err = ib_mad_agent_security_setup(&mad_snoop_priv->agent, qp_type);

	if (err) {

		ret = ERR_PTR(err);

		goto error2;

	}

	mad_snoop_priv->snoop_index = register_snoop_agent(

						&port_priv->qp_info[qpn],

						mad_snoop_priv);

	if (mad_snoop_priv->snoop_index < 0) {

		ret = ERR_PTR(mad_snoop_priv->snoop_index);

		goto error2;

		goto error3;

	}

	atomic_set(&mad_snoop_priv->refcount, 1);

	return &mad_snoop_priv->agent;

error3:

	ib_mad_agent_security_cleanup(&mad_snoop_priv->agent);

error2:

	kfree(mad_snoop_priv);

error1:

	deref_mad_agent(mad_agent_priv);

	wait_for_completion(&mad_agent_priv->comp);

	ib_mad_agent_security_cleanup(&mad_agent_priv->agent);

	kfree(mad_agent_priv->reg_req);

	kfree(mad_agent_priv);

}

	deref_snoop_agent(mad_snoop_priv);

	wait_for_completion(&mad_snoop_priv->comp);

	ib_mad_agent_security_cleanup(&mad_snoop_priv->agent);

	kfree(mad_snoop_priv);

}

	/* Walk list of send WRs and post each on send list */

	for (; send_buf; send_buf = next_send_buf) {

		mad_send_wr = container_of(send_buf,

					   struct ib_mad_send_wr_private,

					   send_buf);

		mad_agent_priv = mad_send_wr->mad_agent_priv;

		ret = ib_mad_enforce_security(mad_agent_priv,

					      mad_send_wr->send_wr.pkey_index);

		if (ret)

			goto error;

		if (!send_buf->mad_agent->send_handler ||

		    (send_buf->timeout_ms &&

		     !send_buf->mad_agent->recv_handler)) {

	struct ib_mad_send_wr_private *mad_send_wr;

	struct ib_mad_send_wc mad_send_wc;

	unsigned long flags;

	int ret;

	ret = ib_mad_enforce_security(mad_agent_priv,

				      mad_recv_wc->wc->pkey_index);

	if (ret) {

		ib_free_recv_mad(mad_recv_wc);

		deref_mad_agent(mad_agent_priv);

	}

	INIT_LIST_HEAD(&mad_recv_wc->rmpp_list);

	list_add(&mad_recv_wc->recv_buf.list, &mad_recv_wc->rmpp_list);

						   mad_recv_wc);

		deref_mad_agent(mad_agent_priv);

	}

	return;

}

static enum smi_action handle_ib_smi(const struct ib_mad_port_private *port_priv,

#include <rdma/ib_verbs.h>

#include <rdma/ib_cache.h>

#include "core_priv.h"

#include "mad_priv.h"

static struct pkey_index_qp_list *get_pkey_idx_qp_list(struct ib_port_pkey *pp)

{

}

EXPORT_SYMBOL(ib_security_modify_qp);

int ib_security_pkey_access(struct ib_device *dev,

			    u8 port_num,

			    u16 pkey_index,

			    void *sec)

{

	u64 subnet_prefix;

	u16 pkey;

	int ret;

	ret = ib_get_cached_pkey(dev, port_num, pkey_index, &pkey);

	if (ret)

		return ret;

	ret = ib_get_cached_subnet_prefix(dev, port_num, &subnet_prefix);

	if (ret)

		return ret;

	return security_ib_pkey_access(sec, subnet_prefix, pkey);

}

EXPORT_SYMBOL(ib_security_pkey_access);

static int ib_mad_agent_security_change(struct notifier_block *nb,

					unsigned long event,

					void *data)

{

	struct ib_mad_agent *ag = container_of(nb, struct ib_mad_agent, lsm_nb);

	if (event != LSM_POLICY_CHANGE)

		return NOTIFY_DONE;

	ag->smp_allowed = !security_ib_endport_manage_subnet(ag->security,

							     ag->device->name,

							     ag->port_num);

	return NOTIFY_OK;

}

int ib_mad_agent_security_setup(struct ib_mad_agent *agent,

				enum ib_qp_type qp_type)

{

	int ret;

	ret = security_ib_alloc_security(&agent->security);

	if (ret)

		return ret;

	if (qp_type != IB_QPT_SMI)

		return 0;

	ret = security_ib_endport_manage_subnet(agent->security,

						agent->device->name,

						agent->port_num);

	if (ret)

		return ret;

	agent->lsm_nb.notifier_call = ib_mad_agent_security_change;

	ret = register_lsm_notifier(&agent->lsm_nb);

	if (ret)

		return ret;

	agent->smp_allowed = true;

	agent->lsm_nb_reg = true;

	return 0;

}

void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent)

{

	security_ib_free_security(agent->security);

	if (agent->lsm_nb_reg)

		unregister_lsm_notifier(&agent->lsm_nb);

}

int ib_mad_enforce_security(struct ib_mad_agent_private *map, u16 pkey_index)

{

	int ret;

	if (map->agent.qp->qp_type == IB_QPT_SMI && !map->agent.smp_allowed)

		return -EACCES;

	ret = ib_security_pkey_access(map->agent.device,

				      map->agent.port_num,

				      pkey_index,

				      map->agent.security);

	if (ret)

		return ret;

	return 0;

}

#endif /* CONFIG_SECURITY_INFINIBAND */

 *	@subnet_prefix the subnet prefix of the port being used.

 *	@pkey the pkey to be accessed.

 *	@sec pointer to a security structure.

 * @ib_endport_manage_subnet:

 *	Check permissions to send and receive SMPs on a end port.

 *	@dev_name the IB device name (i.e. mlx4_0).

 *	@port_num the port number.

 *	@sec pointer to a security structure.

 * @ib_alloc_security:

 *	Allocate a security structure for Infiniband objects.

 *	@sec pointer to a security structure pointer.

#ifdef CONFIG_SECURITY_INFINIBAND

	int (*ib_pkey_access)(void *sec, u64 subnet_prefix, u16 pkey);

	int (*ib_endport_manage_subnet)(void *sec, const char *dev_name,

					u8 port_num);

	int (*ib_alloc_security)(void **sec);

	void (*ib_free_security)(void *sec);

#endif	/* CONFIG_SECURITY_INFINIBAND */

#endif	/* CONFIG_SECURITY_NETWORK */

#ifdef CONFIG_SECURITY_INFINIBAND

	struct list_head ib_pkey_access;

	struct list_head ib_endport_manage_subnet;

	struct list_head ib_alloc_security;

	struct list_head ib_free_security;

#endif	/* CONFIG_SECURITY_INFINIBAND */

#ifdef CONFIG_SECURITY_INFINIBAND

int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey);

int security_ib_endport_manage_subnet(void *sec, const char *name, u8 port_num);

int security_ib_alloc_security(void **sec);

void security_ib_free_security(void *sec);

#else	/* CONFIG_SECURITY_INFINIBAND */

	return 0;

}

static inline int security_ib_endport_manage_subnet(void *sec, const char *dev_name, u8 port_num)

{

	return 0;

}

static inline int security_ib_alloc_security(void **sec)

{

	return 0;