xref: /aosp_15_r20/external/selinux/secilc/docs/cil_infiniband_statements.md (revision 2d543d20722ada2425b5bdab9d0d1d29470e7bba)
Infiniband Statements
=====================

To support access control for InfiniBand (IB) partitions and subnet management, security contexts can be assigned to two kinds of object: partition keys (pkeys), which are 16-bit numbers scoped to an IB subnet, and IB end ports. An overview of the SELinux IB implementation can be found at: [http://marc.info/?l=selinux&m=149519833917911&w=2](http://marc.info/?l=selinux&m=149519833917911&w=2).

ibpkeycon
---------

Label IB partition keys on a subnet. The pkey may be a single key or an inclusive range.

**Statement definition:**

```secil
    (ibpkeycon subnet pkey|(pkey_low pkey_high) context_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ibpkeycon</code></p></td>
<td align="left"><p>The <code>ibpkeycon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>subnet</code></p></td>
<td align="left"><p>The IB subnet, written as an IPv6 address (for example <code>fe80::</code>). Only the upper 64 bits (the IB subnet prefix) identify the subnet; the lower 64 bits of the address are not part of the match.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>pkey | (pkey_low pkey_high)</code></p></td>
<td align="left"><p>A single 16-bit partition key, or an inclusive range <code>(pkey_low pkey_high)</code> with <code>pkey_low</code> no greater than <code>pkey_high</code>. Values may be written in decimal or hex (for example <code>0x10</code>).</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The <code>levelrange</code> MUST be given whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

An anonymous context for the partition key range `0x0` to `0x10` on the subnet `fe80::`:

```secil
    (ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t (low (s3 (cats01 cats02)))))
```

ibendportcon
------------

Label an IB end port, identified by its device name and port number.

**Statement definition:**

```secil
    (ibendportcon device_id port context_id)
```

**Where:**

<table>
<colgroup>
<col width="27%" />
<col width="72%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>ibendportcon</code></p></td>
<td align="left"><p>The <code>ibendportcon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>device_id</code></p></td>
<td align="left"><p>The IB device name as reported by the kernel (for example <code>mlx5_0</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>port</code></p></td>
<td align="left"><p>A single port number on that device. IB ports are numbered from <code>1</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>). The <code>levelrange</code> MUST be given whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Example:**

Port `1` of device `mlx5_0` labelled with the previously declared context `system_u_bin_t_l2h`:

```secil
    (ibendportcon mlx5_0 1 system_u_bin_t_l2h)
```
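The lookup that both `ibpkeycon` and `ibendportcon` feed, as an added example that is not part of the secilc documentation or of the secilc/libsepol code: the script below parses a constructed CIL fragment (the type and context names in it are hypothetical) and models how a compiled policy resolves a (subnet, pkey) pair and a (device, port) pair to a context. It assumes, as secilc does for `portcon`, that `ibpkeycon` entries are ordered by subnet and then narrowest range first, that `ibendportcon` entries are ordered by device then port, and that the kernel takes the first match in that order and otherwise falls back to the unlabeled context; verify that ordering against your secilc version before relying on overlapping ranges.

```python
"""Model the lookup that ibpkeycon / ibendportcon statements feed.

Added example, not code from secilc or libsepol. Rules it reproduces:
  * an IB subnet is the upper 64 bits of the IPv6-formatted address;
  * a pkey is 16-bit, so low <= high <= 0xffff;
  * narrowest pkey range first (assumed, as for portcon), first match wins,
    otherwise the kernel's unlabeled context is used.
"""
import ipaddress
import re
from typing import Optional

# Constructed fragment for this example; types and contexts are hypothetical.
CIL = """
(context ib_mgmt_ctx (system_u object_r ib_mgmt_t ((s0) (s0))))
(ibpkeycon fe80:: (0 0xffff) (system_u object_r ib_default_t ((s0) (s0))))  ; catch-all
(ibpkeycon fe80:: (0 0x10) (system_u system_r kernel_t ((s0) (s0))))
(ibpkeycon fe80:: 0x7fff ib_mgmt_ctx)
(ibendportcon mlx5_0 1 ib_mgmt_ctx)
(ibendportcon mlx5_0 2 (system_u object_r ib_data_t ((s0) (s0))))
"""

UNLABELED = "unlabeled"   # stands in for the kernel's SECINITSID_UNLABELED


def parse_sexpr(text):
    """Minimal s-expression reader: nested lists of string tokens, ';' comments dropped."""
    tokens = re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text))
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]


def subnet_prefix(addr):
    """Upper 64 bits of the IPv6-formatted address: the IB subnet prefix."""
    return int(ipaddress.IPv6Address(addr)) >> 64


class IbPolicy:
    def __init__(self, cil_text):
        self.contexts = {}   # name -> (user role type levelrange) body
        self.pkeys = []      # (subnet_str, prefix, low, high, context_id)
        self.endports = []   # (device, port, context_id)
        for stmt in parse_sexpr(cil_text):
            if stmt[0] == "context":
                self.contexts[stmt[1]] = stmt[2]
            elif stmt[0] == "ibpkeycon":
                self.pkeys.append(self._pkeycon(stmt))
            elif stmt[0] == "ibendportcon":
                _, dev, port, ctx = stmt
                self.endports.append((dev, int(port, 0), ctx))
        # Assumed secilc ordering: within a subnet the narrowest range first, so a
        # specific key beats a catch-all range wherever it appears in the source.
        self.pkeys.sort(key=lambda e: (e[0], e[3] - e[2], e[2]))
        self.endports.sort(key=lambda e: (e[0], e[1]))

    @staticmethod
    def _pkeycon(stmt):
        _, subnet, pkey, ctx = stmt
        if isinstance(pkey, list):              # (pkey_low pkey_high)
            low, high = (int(v, 0) for v in pkey)
        else:                                   # single pkey
            low = high = int(pkey, 0)
        if not 0 <= low <= high <= 0xFFFF:
            raise ValueError(f"invalid pkey range {low:#x}-{high:#x}: pkeys are 16-bit")
        return (subnet, subnet_prefix(subnet), low, high, ctx)

    def context(self, ctx):
        """Render a context_id as user:role:type (levelrange omitted for brevity)."""
        if isinstance(ctx, str):                # named: must have been declared
            if ctx not in self.contexts:
                raise ValueError(f"undeclared context {ctx}")
            ctx = self.contexts[ctx]
        user, role, type_, _levelrange = ctx
        return f"{user}:{role}:{type_}"

    def pkey_label(self, subnet, pkey):
        """Context the kernel would assign to (subnet, pkey); first match wins."""
        prefix = subnet_prefix(subnet)
        for _, p, low, high, ctx in self.pkeys:
            if p == prefix and low <= pkey <= high:
                return self.context(ctx)
        return UNLABELED

    def endport_label(self, device, port):
        for dev, p, ctx in self.endports:
            if dev == device and p == port:
                return self.context(ctx)
        return UNLABELED


def check_fragment(cil_text) -> Optional[str]:
    """None if the fragment loads, otherwise the validation error text."""
    try:
        IbPolicy(cil_text)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    pol = IbPolicy(CIL)
    print(pol.pkey_label("fe80::", 0x5))                        # kernel_t, not the catch-all
    print(pol.pkey_label("fe80::1234:5678:9abc:def0", 0x7fff))  # low 64 bits ignored
    print(pol.pkey_label("fec0::", 0x5), pol.endport_label("mlx5_0", 1))
    print(check_fragment("(ibpkeycon fe80:: 0x10000 ib_mgmt_ctx)"))
```

Two things the script makes visible that the statement tables alone do not: an address such as `fe80::1234:5678:9abc:def0` labels the same subnet as `fe80::`, and a range whose high value exceeds `0xffff`, or whose low value exceeds its high value, is rejected before any lookup happens.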