• Daniel Jurgens's avatar
    IB/core: Enforce security on management datagrams · 47a2b338
    Daniel Jurgens authored
    Allocate and free a security context when creating and destroying a MAD
    agent.  This context is used for controlling access to PKeys and sending
    and receiving SMPs.
    
    When sending or receiving a MAD check that the agent has permission to
    access the PKey for the Subnet Prefix of the port.
    
    During MAD and snoop agent registration for SMI QPs check that the
    calling process has permission to access the manage the subnet  and
    register a callback with the LSM to be notified of policy changes. When
    notificaiton of a policy change occurs recheck permission and set a flag
    indicating sending and receiving SMPs is allowed.
    
    When sending and receiving MADs check that the agent has access to the
    SMI if it's on an SMI QP.  Because security policy can change it's
    possible permission was allowed when creating the agent, but no longer
    is.
    Signed-off-by: default avatarDaniel Jurgens <danielj@mellanox.com>
    Acked-by: Doug Ledford's avatarDoug Ledford <dledford@redhat.com>
    [PM: remove the LSM hook init code]
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    47a2b338
security.c 42.8 KB