From: Florian Westphal <fw@strlen.de>
To: Paul Moore <paul@paul-moore.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>,
	Florian Westphal <fw@strlen.de>,
	SElinux list <selinux@vger.kernel.org>,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	Eric Paris <eparis@parisplace.org>,
	Linux kernel mailing list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 selinux] selinux: remove unneeded ipv6 hook wrappers
Date: Mon, 11 Oct 2021 22:06:17 +0200
Message-ID: <20211011200617.GA2942@breakpoint.cc>
In-Reply-To: <CAHC9VhTW9dPDN1F2o7S8cmgU_9yBZCNmzC_-9bKXTTX6zT=Jyg@mail.gmail.com>

Paul Moore <paul@paul-moore.com> wrote:
> On Mon, Oct 11, 2021 at 2:21 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > On Mon, Oct 11, 2021 at 7:10 PM Paul Moore <paul@paul-moore.com> wrote:
> > > On Mon, Oct 11, 2021 at 10:25 AM Florian Westphal <fw@strlen.de> wrote:
> > > > Netfilter places the protocol number the hook function is getting called
> > > > from in state->pf, so we can use that instead of an extra wrapper.
> > > >
> > > > Signed-off-by: Florian Westphal <fw@strlen.de>
> > > > ---
> > > >  v2: add back '#endif /* CONFIG_NETFILTER */' erroneously axed in v1.
> > > >  Applies to 'next' branch of
> > > >  https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/
> > > >
> > > >  security/selinux/hooks.c | 52 ++++++++++------------------------------
> > > >  1 file changed, 12 insertions(+), 40 deletions(-)
> > >
> > > ...
> > >
> > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > > > index e7ebd45ca345..831b857d5dd7 100644
> > > > --- a/security/selinux/hooks.c
> > > > +++ b/security/selinux/hooks.c
> > > > @@ -7470,38 +7442,38 @@ DEFINE_LSM(selinux) = {
> > > >
> > > >  static const struct nf_hook_ops selinux_nf_ops[] = {
> > > >         {
> > > > -               .hook =         selinux_ipv4_postroute,
> > > > +               .hook =         selinux_hook_postroute,
> > > >                 .pf =           NFPROTO_IPV4,
> > > >                 .hooknum =      NF_INET_POST_ROUTING,
> > > >                 .priority =     NF_IP_PRI_SELINUX_LAST,
> > > >         },
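
Review bot: with `.hook = selinux_hook_postroute` the function name no longer says which address family it serves, so it has to take the family from state->pf as the commit message describes. The function body is not part of this hunk, so please confirm it handles every `.pf` value it is registered for in selinux_nf_ops[] and returns a defined verdict for any other value. A short comment above the table stating that these hooks are family-agnostic and key off state->pf would document the dependency for later readers.
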
> > >
> > > Thanks for the patch Florian, although the name "selinux_hook_*" seems
> > > a bit ambiguous to me, after all we have a little more than 200
> > > "hooks" in the SELinux LSM implementation.  Would you be okay with
> > > calling the netfilter hook functions "selinux_nf_*" or something
> > > similar?

Absolutely.

> > > If you don't have time I can do the rename during the merge
> > > assuming we can all agree on a name.

I'll submit a v3.

> > Since selinux_ip_forward() and selinux_ip_postroute() are used only in
> > the hook functions, how about changing their signature and using them
> > as hooks directly? That would solve the naming and also remove a few
> > extra lines of boilerplate.
> 
> No argument against that from me, although you should be able to do
> the same for selinux_ip_output() as well unless I missed a caller.

I'll have a look, thanks for the pointers.

Thread overview: 5+ messages
2021-10-11 14:24 [PATCH v2 selinux] selinux: remove unneeded ipv6 hook wrappers Florian Westphal
2021-10-11 17:09 ` Paul Moore
2021-10-11 18:20   ` Ondrej Mosnacek
2021-10-11 19:41     ` Paul Moore
2021-10-11 20:06       ` Florian Westphal [this message]
