Message ID | 20170421094909.28961-2-fw@strlen.de (mailing list archive) |
---|---|
State | New, archived |
On 4/21/2017 2:49 AM, Florian Westphal wrote: > It will allow us to remove the old netfilter hook api in the near future. > > Signed-off-by: Florian Westphal <fw@strlen.de> I will test out this patch and report back. If all goes well I will include it in the Smack tree for 4.13. > --- > security/smack/smack_netfilter.c | 26 ++++++++++++++++++-------- > 1 file changed, 18 insertions(+), 8 deletions(-) > > diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c > index 205b785fb400..cdeb0f3243dd 100644 > --- a/security/smack/smack_netfilter.c > +++ b/security/smack/smack_netfilter.c > @@ -18,6 +18,7 @@ > #include <linux/netfilter_ipv6.h> > #include <linux/netdevice.h> > #include <net/inet_sock.h> > +#include <net/net_namespace.h> > #include "smack.h" > > #if IS_ENABLED(CONFIG_IPV6) 
> @@ -74,20 +75,29 @@ static struct nf_hook_ops smack_nf_ops[] = { > #endif /* IPV6 */ > }; > > -static int __init smack_nf_ip_init(void) > +static int __net_init smack_nf_register(struct net *net) > +{ > + return nf_register_net_hooks(net, smack_nf_ops, > + ARRAY_SIZE(smack_nf_ops)); > +} > + > +static void __net_exit smack_nf_unregister(struct net *net) > { > - int err; > + nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); > +} > > +static struct pernet_operations smack_net_ops = { > + .init = smack_nf_register, > + .exit = smack_nf_unregister, > +}; > + > +static int __init smack_nf_ip_init(void) > +{ > if (smack_enabled == 0) > return 0; > > printk(KERN_DEBUG "Smack: Registering netfilter hooks\n"); > - > - err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); > - if (err) > - pr_info("Smack: nf_register_hooks: error %d\n", err); > - > - return 0; > + return register_pernet_subsys(&smack_net_ops); > } > > __initcall(smack_nf_ip_init); -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 4/21/2017 2:49 AM, Florian Westphal wrote: > It will allow us to remove the old netfilter hook api in the near future. > > Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Casey Schaufler <casey@schaufler-ca.com> I will take this patch into the Smack tree from 4.13. Thank you. > --- > security/smack/smack_netfilter.c | 26 ++++++++++++++++++-------- > 1 file changed, 18 insertions(+), 8 deletions(-) > > diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c > index 205b785fb400..cdeb0f3243dd 100644 > --- a/security/smack/smack_netfilter.c > +++ b/security/smack/smack_netfilter.c > @@ -18,6 +18,7 @@ > #include <linux/netfilter_ipv6.h> > #include <linux/netdevice.h> > #include <net/inet_sock.h> > +#include <net/net_namespace.h> > #include "smack.h" > > #if IS_ENABLED(CONFIG_IPV6) 
> @@ -74,20 +75,29 @@ static struct nf_hook_ops smack_nf_ops[] = { > #endif /* IPV6 */ > }; > > -static int __init smack_nf_ip_init(void) > +static int __net_init smack_nf_register(struct net *net) > +{ > + return nf_register_net_hooks(net, smack_nf_ops, > + ARRAY_SIZE(smack_nf_ops)); > +} > + > +static void __net_exit smack_nf_unregister(struct net *net) > { > - int err; > + nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); > +} > > +static struct pernet_operations smack_net_ops = { > + .init = smack_nf_register, > + .exit = smack_nf_unregister, > +}; > + > +static int __init smack_nf_ip_init(void) > +{ > if (smack_enabled == 0) > return 0; > > printk(KERN_DEBUG "Smack: Registering netfilter hooks\n"); > - > - err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); > - if (err) > - pr_info("Smack: nf_register_hooks: error %d\n", err); > - > - return 0; > + return register_pernet_subsys(&smack_net_ops); > } > > __initcall(smack_nf_ip_init); -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 4/21/2017 2:49 AM, Florian Westphal wrote: > It will allow us to remove the old netfilter hook api in the near future. > > Signed-off-by: Florian Westphal <fw@strlen.de> I have applied this to git://github.com/cschaufler/smack-next#smack-for-4.13 > --- > security/smack/smack_netfilter.c | 26 ++++++++++++++++++-------- > 1 file changed, 18 insertions(+), 8 deletions(-) > > diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c > index 205b785fb400..cdeb0f3243dd 100644 > --- a/security/smack/smack_netfilter.c > +++ b/security/smack/smack_netfilter.c > @@ -18,6 +18,7 @@ > #include <linux/netfilter_ipv6.h> > #include <linux/netdevice.h> > #include <net/inet_sock.h> > +#include <net/net_namespace.h> > #include "smack.h" > > #if IS_ENABLED(CONFIG_IPV6) > @@ -74,20 +75,29 @@ static struct nf_hook_ops smack_nf_ops[] = { > #endif /* IPV6 */ > }; > > -static int __init smack_nf_ip_init(void) > +static int __net_init smack_nf_register(struct net *net) > +{ > + return nf_register_net_hooks(net, smack_nf_ops, > + ARRAY_SIZE(smack_nf_ops)); > +} > + > +static void __net_exit smack_nf_unregister(struct net *net) > { > - int err; > + nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); > +} > > +static struct pernet_operations smack_net_ops = { > + .init = smack_nf_register, > + .exit = smack_nf_unregister, > +}; > + > +static int __init smack_nf_ip_init(void) > +{ > if (smack_enabled == 0) > return 0; > > printk(KERN_DEBUG "Smack: Registering netfilter hooks\n"); > - > - err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); > - if (err) > - pr_info("Smack: nf_register_hooks: error %d\n", err); > - > - return 0; > + return register_pernet_subsys(&smack_net_ops); > } > > __initcall(smack_nf_ip_init); -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Jun 01, 2017 at 09:44:05AM -0700, Casey Schaufler wrote: > On 4/21/2017 2:49 AM, Florian Westphal wrote: > > It will allow us to remove the old netfilter hook api in the near future. > > > > Signed-off-by: Florian Westphal <fw@strlen.de> > > I have applied this to git://github.com/cschaufler/smack-next#smack-for-4.13 Thanks Casey. We're very much looking forward to getting rid of all these nf_register_hooks() calls all over the tree. This patch helps us going in that direction. -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso <pablo@netfilter.org> wrote: > On Thu, Jun 01, 2017 at 09:44:05AM -0700, Casey Schaufler wrote: > > On 4/21/2017 2:49 AM, Florian Westphal wrote: > > > It will allow us to remove the old netfilter hook api in the near future. > > > > > > Signed-off-by: Florian Westphal <fw@strlen.de> > > > > I have applied this to git://github.com/cschaufler/smack-next#smack-for-4.13 > > Thanks Casey. > > We're very much looking forward to getting rid of all these > nf_register_hooks() calls all over the tree. This patch helps us going > in that direction. selinux is the last user of this api left in the tree. Once Paul applies my patch to convert to pernet_ops we only have to wait until all the changes are in linus tree. Then you only need to merge linus tree into nf.git and then I will submit the removal patch. I think we can get rid of old api in 4.13. -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Fri, Jun 02, 2017 at 10:48:09AM +0200, Florian Westphal wrote: > Pablo Neira Ayuso <pablo@netfilter.org> wrote: > > On Thu, Jun 01, 2017 at 09:44:05AM -0700, Casey Schaufler wrote: > > > On 4/21/2017 2:49 AM, Florian Westphal wrote: > > > > It will allow us to remove the old netfilter hook api in the near future. > > > > > > > > Signed-off-by: Florian Westphal <fw@strlen.de> > > > > > > I have applied this to git://github.com/cschaufler/smack-next#smack-for-4.13 > > > > Thanks Casey. > > > > We're very much looking forward to getting rid of all these > > nf_register_hooks() calls all over the tree. This patch helps us going > > in that direction. > > selinux is the last user of this api left in the tree. > Once Paul applies my patch to convert to pernet_ops we only have to wait until > all the changes are in linus tree. > > Then you only need to merge linus tree into nf.git and then I will > submit the the removal patch. > > I think we can get rid of old api in 4.13. Great news. -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Fri, Jun 2, 2017 at 4:48 AM, Florian Westphal <fw@strlen.de> wrote: > Pablo Neira Ayuso <pablo@netfilter.org> wrote: >> On Thu, Jun 01, 2017 at 09:44:05AM -0700, Casey Schaufler wrote: >> > On 4/21/2017 2:49 AM, Florian Westphal wrote: >> > > It will allow us to remove the old netfilter hook api in the near future. >> > > >> > > Signed-off-by: Florian Westphal <fw@strlen.de> >> > >> > I have applied this to git://github.com/cschaufler/smack-next#smack-for-4.13 >> >> Thanks Casey. >> >> We're very much looking forward to getting rid of all these >> nf_register_hooks() calls all over the tree. This patch helps us going >> in that direction. > > selinux is the last user of this api left in the tree. > Once Paul applies my patch to convert to pernet_ops we only have to wait until > all the changes are in linus tree. Thanks for the reminder, since the SELinux patch didn't go to the SELinux mailing list it got "lost" during the post-merge-window merge. Regardless, it's merged into selinux/next and it should go upstream during the next merge window.
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index 205b785fb400..cdeb0f3243dd 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -18,6 +18,7 @@
 #include <linux/netfilter_ipv6.h>
 #include <linux/netdevice.h>
 #include <net/inet_sock.h>
+#include <net/net_namespace.h>
 #include "smack.h"
 #if IS_ENABLED(CONFIG_IPV6)
@@ -74,20 +75,29 @@ static struct nf_hook_ops smack_nf_ops[] = {
 #endif /* IPV6 */
 };
-static int __init smack_nf_ip_init(void)
+static int __net_init smack_nf_register(struct net *net)
+{
+ return nf_register_net_hooks(net, smack_nf_ops,
+ ARRAY_SIZE(smack_nf_ops));
+}
+
+static void __net_exit smack_nf_unregister(struct net *net)
 {
- int err;
+ nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
+}
+static struct pernet_operations smack_net_ops = {
+ .init = smack_nf_register,
+ .exit = smack_nf_unregister,
+};
+
+static int __init smack_nf_ip_init(void)
+{
 if (smack_enabled == 0)
 return 0;
 printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
-
- err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
- if (err)
- pr_info("Smack: nf_register_hooks: error %d\n", err);
-
- return 0;
+ return register_pernet_subsys(&smack_net_ops);
 }
 __initcall(smack_nf_ip_init);
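Review bot: The failure path of `smack_nf_ip_init` in the second hunk no longer logs anything. The removed code printed `Smack: nf_register_hooks: error %d`, whereas `return register_pernet_subsys(&smack_net_ops);` only hands the code back to the initcall machinery, which as far as I can tell reports it only when `initcall_debug` is set. For an LSM whose netfilter hooks label packets, a registration failure at boot should stay visible in the log. I would keep the propagation but add the message: `int err = register_pernet_subsys(&smack_net_ops);`, `if (err) pr_err("Smack: register_pernet_subsys: error %d\n", err);`, `return err;`. A short comment on `smack_nf_register` saying that a non-zero return makes creation of that network namespace fail (presumably the intended fail-closed behaviour) would also help the next reader.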
It will allow us to remove the old netfilter hook api in the near future. Signed-off-by: Florian Westphal <fw@strlen.de> --- security/smack/smack_netfilter.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-)