[PATCH security-next 0/2]: switch selinux and smack to pernet ops

[PATCH security-next 0/2]: switch selinux and smack to pernet ops

[Florian Westphal]

Back in the day we only had global netfilter hooks.

Nowadays netfilter hooks are per net namespace, but we still provide the old
'nf_register_hook' api, which will place the hooks in all current and future
net namespaces.

smack and selinux are among the last users of the old api, this
switches both over to pernet_ops.

This would also allow to only enable hooks in a netns when
they are needed in that namespace, but this isn't done here.

The old api makes it necessary to keep rather ugly code in
the netfilter core (e.g. iterating net namespaces under rtnl mutex...)
and it has a race w. rmmod. We'd like to remove it.

If you prefer this gets merged via nf-next tree please ack and I'll
resubmit (with acks) to netfilter-devel@ list.

 selinux/hooks.c         |   24 ++++++++++++++++++++----
 smack/smack_netfilter.c |   26 ++++++++++++++++++--------
 2 files changed, 38 insertions(+), 12 deletions(-)

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH security-next 1/2] smack: use pernet operations for hook registration

[Florian Westphal]

It will allow us to remove the old netfilter hook api in the near future.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 security/smack/smack_netfilter.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index 205b785fb400..cdeb0f3243dd 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -18,6 +18,7 @@
 #include <linux/netfilter_ipv6.h>
 #include <linux/netdevice.h>
 #include <net/inet_sock.h>
+#include <net/net_namespace.h>
 #include "smack.h"
 
 #if IS_ENABLED(CONFIG_IPV6)
@@ -74,20 +75,29 @@ static struct nf_hook_ops smack_nf_ops[] = {
 #endif	/* IPV6 */
 };
 
-static int __init smack_nf_ip_init(void)
+static int __net_init smack_nf_register(struct net *net)
+{
+	return nf_register_net_hooks(net, smack_nf_ops,
+				     ARRAY_SIZE(smack_nf_ops));
+}
+
+static void __net_exit smack_nf_unregister(struct net *net)
 {
-	int err;
+	nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
+}
 
+static struct pernet_operations smack_net_ops = {
+	.init = smack_nf_register,
+	.exit = smack_nf_unregister,
+};
+
+static int __init smack_nf_ip_init(void)
+{
 	if (smack_enabled == 0)
 		return 0;
 
 	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
-
-	err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
-	if (err)
-		pr_info("Smack: nf_register_hooks: error %d\n", err);
-
-	return 0;
+	return register_pernet_subsys(&smack_net_ops);
 }
 
 __initcall(smack_nf_ip_init);
-- 
2.10.2

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH security-next 1/2] smack: use pernet operations for hook registration

[Casey Schaufler]

On 4/21/2017 2:49 AM, Florian Westphal wrote:
> It will allow us to remove the old netfilter hook api in the near future.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>

I will test out this patch and report back.
If all goes well I will include it in the Smack
tree for 4.13.

> ---
>  security/smack/smack_netfilter.c | 26 ++++++++++++++++++--------
>  1 file changed, 18 insertions(+), 8 deletions(-)
>
> diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
> index 205b785fb400..cdeb0f3243dd 100644
> --- a/security/smack/smack_netfilter.c
> +++ b/security/smack/smack_netfilter.c
> @@ -18,6 +18,7 @@
>  #include <linux/netfilter_ipv6.h>
>  #include <linux/netdevice.h>
>  #include <net/inet_sock.h>
> +#include <net/net_namespace.h>
>  #include "smack.h"
>  
>  #if IS_ENABLED(CONFIG_IPV6)
> @@ -74,20 +75,29 @@ static struct nf_hook_ops smack_nf_ops[] = {
>  #endif	/* IPV6 */
>  };
>  
> -static int __init smack_nf_ip_init(void)
> +static int __net_init smack_nf_register(struct net *net)
> +{
> +	return nf_register_net_hooks(net, smack_nf_ops,
> +				     ARRAY_SIZE(smack_nf_ops));
> +}
> +
> +static void __net_exit smack_nf_unregister(struct net *net)
>  {
> -	int err;
> +	nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
> +}
>  
> +static struct pernet_operations smack_net_ops = {
> +	.init = smack_nf_register,
> +	.exit = smack_nf_unregister,
> +};
> +
> +static int __init smack_nf_ip_init(void)
> +{
>  	if (smack_enabled == 0)
>  		return 0;
>  
>  	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
> -
> -	err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
> -	if (err)
> -		pr_info("Smack: nf_register_hooks: error %d\n", err);
> -
> -	return 0;
> +	return register_pernet_subsys(&smack_net_ops);
>  }
>  
>  __initcall(smack_nf_ip_init);

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH security-next 1/2] smack: use pernet operations for hook registration

[Casey Schaufler]

On 4/21/2017 2:49 AM, Florian Westphal wrote:
> It will allow us to remove the old netfilter hook api in the near future.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

I will take this patch into the Smack tree from 4.13.

Thank you.

> ---
>  security/smack/smack_netfilter.c | 26 ++++++++++++++++++--------
>  1 file changed, 18 insertions(+), 8 deletions(-)
>
> diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
> index 205b785fb400..cdeb0f3243dd 100644
> --- a/security/smack/smack_netfilter.c
> +++ b/security/smack/smack_netfilter.c
> @@ -18,6 +18,7 @@
>  #include <linux/netfilter_ipv6.h>
>  #include <linux/netdevice.h>
>  #include <net/inet_sock.h>
> +#include <net/net_namespace.h>
>  #include "smack.h"
>  
>  #if IS_ENABLED(CONFIG_IPV6)
> @@ -74,20 +75,29 @@ static struct nf_hook_ops smack_nf_ops[] = {
>  #endif	/* IPV6 */
>  };
>  
> -static int __init smack_nf_ip_init(void)
> +static int __net_init smack_nf_register(struct net *net)
> +{
> +	return nf_register_net_hooks(net, smack_nf_ops,
> +				     ARRAY_SIZE(smack_nf_ops));
> +}
> +
> +static void __net_exit smack_nf_unregister(struct net *net)
>  {
> -	int err;
> +	nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
> +}
>  
> +static struct pernet_operations smack_net_ops = {
> +	.init = smack_nf_register,
> +	.exit = smack_nf_unregister,
> +};
> +
> +static int __init smack_nf_ip_init(void)
> +{
>  	if (smack_enabled == 0)
>  		return 0;
>  
>  	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
> -
> -	err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
> -	if (err)
> -		pr_info("Smack: nf_register_hooks: error %d\n", err);
> -
> -	return 0;
> +	return register_pernet_subsys(&smack_net_ops);
>  }
>  
>  __initcall(smack_nf_ip_init);

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH security-next 1/2] smack: use pernet operations for hook registration

[Casey Schaufler]

On 4/21/2017 2:49 AM, Florian Westphal wrote:
> It will allow us to remove the old netfilter hook api in the near future.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>

I have applied this to git://github.com/cschaufler/smack-next#smack-for-4.13


> ---
>  security/smack/smack_netfilter.c | 26 ++++++++++++++++++--------
>  1 file changed, 18 insertions(+), 8 deletions(-)
>
> diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
> index 205b785fb400..cdeb0f3243dd 100644
> --- a/security/smack/smack_netfilter.c
> +++ b/security/smack/smack_netfilter.c
> @@ -18,6 +18,7 @@
>  #include <linux/netfilter_ipv6.h>
>  #include <linux/netdevice.h>
>  #include <net/inet_sock.h>
> +#include <net/net_namespace.h>
>  #include "smack.h"
>  
>  #if IS_ENABLED(CONFIG_IPV6)
> @@ -74,20 +75,29 @@ static struct nf_hook_ops smack_nf_ops[] = {
>  #endif	/* IPV6 */
>  };
>  
> -static int __init smack_nf_ip_init(void)
> +static int __net_init smack_nf_register(struct net *net)
> +{
> +	return nf_register_net_hooks(net, smack_nf_ops,
> +				     ARRAY_SIZE(smack_nf_ops));
> +}
> +
> +static void __net_exit smack_nf_unregister(struct net *net)
>  {
> -	int err;
> +	nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
> +}
>  
> +static struct pernet_operations smack_net_ops = {
> +	.init = smack_nf_register,
> +	.exit = smack_nf_unregister,
> +};
> +
> +static int __init smack_nf_ip_init(void)
> +{
>  	if (smack_enabled == 0)
>  		return 0;
>  
>  	printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
> -
> -	err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
> -	if (err)
> -		pr_info("Smack: nf_register_hooks: error %d\n", err);
> -
> -	return 0;
> +	return register_pernet_subsys(&smack_net_ops);
>  }
>  
>  __initcall(smack_nf_ip_init);

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH security-next 1/2] smack: use pernet operations for hook registration

[Pablo Neira Ayuso]

On Thu, Jun 01, 2017 at 09:44:05AM -0700, Casey Schaufler wrote:
> On 4/21/2017 2:49 AM, Florian Westphal wrote:
> > It will allow us to remove the old netfilter hook api in the near future.
> >
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> 
> I have applied this to git://github.com/cschaufler/smack-next#smack-for-4.13

Thanks Casey.

We're very much looking forward to getting rid of all these
nf_register_hooks() calls all over the tree. This patch helps us going
in that direction.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH security-next 1/2] smack: use pernet operations for hook registration

[Florian Westphal]

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Thu, Jun 01, 2017 at 09:44:05AM -0700, Casey Schaufler wrote:
> > On 4/21/2017 2:49 AM, Florian Westphal wrote:
> > > It will allow us to remove the old netfilter hook api in the near future.
> > >
> > > Signed-off-by: Florian Westphal <fw@strlen.de>
> > 
> > I have applied this to git://github.com/cschaufler/smack-next#smack-for-4.13
> 
> Thanks Casey.
> 
> We're very much looking forward to getting rid of all these
> nf_register_hooks() calls all over the tree. This patch helps us going
> in that direction.

selinux is the last user of this api left in the tree.
Once Paul applies my patch to convert to pernet_ops we only have to wait until
all the changes are in linus tree.

Then you only need to merge linus tree into nf.git and then I will
submit the the removal patch.

I think we can get rid of old api in 4.13.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH security-next 1/2] smack: use pernet operations for hook registration

[Pablo Neira Ayuso]

On Fri, Jun 02, 2017 at 10:48:09AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Thu, Jun 01, 2017 at 09:44:05AM -0700, Casey Schaufler wrote:
> > > On 4/21/2017 2:49 AM, Florian Westphal wrote:
> > > > It will allow us to remove the old netfilter hook api in the near future.
> > > >
> > > > Signed-off-by: Florian Westphal <fw@strlen.de>
> > > 
> > > I have applied this to git://github.com/cschaufler/smack-next#smack-for-4.13
> > 
> > Thanks Casey.
> > 
> > We're very much looking forward to getting rid of all these
> > nf_register_hooks() calls all over the tree. This patch helps us going
> > in that direction.
> 
> selinux is the last user of this api left in the tree.
> Once Paul applies my patch to convert to pernet_ops we only have to wait until
> all the changes are in linus tree.
> 
> Then you only need to merge linus tree into nf.git and then I will
> submit the the removal patch.
> 
> I think we can get rid of old api in 4.13.

Great news.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH security-next 1/2] smack: use pernet operations for hook registration

[Paul Moore]

On Fri, Jun 2, 2017 at 4:48 AM, Florian Westphal <fw@strlen.de> wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> On Thu, Jun 01, 2017 at 09:44:05AM -0700, Casey Schaufler wrote:
>> > On 4/21/2017 2:49 AM, Florian Westphal wrote:
>> > > It will allow us to remove the old netfilter hook api in the near future.
>> > >
>> > > Signed-off-by: Florian Westphal <fw@strlen.de>
>> >
>> > I have applied this to git://github.com/cschaufler/smack-next#smack-for-4.13
>>
>> Thanks Casey.
>>
>> We're very much looking forward to getting rid of all these
>> nf_register_hooks() calls all over the tree. This patch helps us going
>> in that direction.
>
> selinux is the last user of this api left in the tree.
> Once Paul applies my patch to convert to pernet_ops we only have to wait until
> all the changes are in linus tree.

Thanks for the reminder, since the SELinux patch didn't go to the
SELinux mailing list it got "lost" during the post-merge-window merge.
Regardless, it's merged into selinux/next and it should go upstream
during the next merge window.

-- 
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH security-next 2/2] selinux: use pernet operations for hook registration

[Florian Westphal]

It will allow us to remove the old netfilter hook api in the near future.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 security/selinux/hooks.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e67a526d1f30..3aa4268525e2 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6448,6 +6448,23 @@ static struct nf_hook_ops selinux_nf_ops[] = {
 #endif	/* IPV6 */
 };
 
+static int __net_init selinux_nf_register(struct net *net)
+{
+	return nf_register_net_hooks(net, selinux_nf_ops,
+				     ARRAY_SIZE(selinux_nf_ops));
+}
+
+static void __net_exit selinux_nf_unregister(struct net *net)
+{
+	nf_unregister_net_hooks(net, selinux_nf_ops,
+				ARRAY_SIZE(selinux_nf_ops));
+}
+
+static struct pernet_operations selinux_net_ops = {
+	.init = selinux_nf_register,
+	.exit = selinux_nf_unregister,
+};
+
 static int __init selinux_nf_ip_init(void)
 {
 	int err;
@@ -6457,13 +6474,12 @@ static int __init selinux_nf_ip_init(void)
 
 	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
 
-	err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
+	err = register_pernet_subsys(&selinux_net_ops);
 	if (err)
-		panic("SELinux: nf_register_hooks: error %d\n", err);
+		panic("SELinux: register_pernet_subsys: error %d\n", err);
 
 	return 0;
 }
-
 __initcall(selinux_nf_ip_init);
 
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
@@ -6471,7 +6487,7 @@ static void selinux_nf_ip_exit(void)
 {
 	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
 
-	nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
+	unregister_pernet_subsys(&selinux_net_ops);
 }
 #endif
 
-- 
2.10.2

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH security-next 2/2] selinux: use pernet operations for hook registration

[Paul Moore]

On Fri, Apr 21, 2017 at 5:49 AM, Florian Westphal <fw@strlen.de> wrote:
> It will allow us to remove the old netfilter hook api in the near future.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  security/selinux/hooks.c | 24 ++++++++++++++++++++----
>  1 file changed, 20 insertions(+), 4 deletions(-)

Looks fine to me, I'm going to queue this up for after the v4.12 merge window.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index e67a526d1f30..3aa4268525e2 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6448,6 +6448,23 @@ static struct nf_hook_ops selinux_nf_ops[] = {
>  #endif /* IPV6 */
>  };
>
> +static int __net_init selinux_nf_register(struct net *net)
> +{
> +       return nf_register_net_hooks(net, selinux_nf_ops,
> +                                    ARRAY_SIZE(selinux_nf_ops));
> +}
> +
> +static void __net_exit selinux_nf_unregister(struct net *net)
> +{
> +       nf_unregister_net_hooks(net, selinux_nf_ops,
> +                               ARRAY_SIZE(selinux_nf_ops));
> +}
> +
> +static struct pernet_operations selinux_net_ops = {
> +       .init = selinux_nf_register,
> +       .exit = selinux_nf_unregister,
> +};
> +
>  static int __init selinux_nf_ip_init(void)
>  {
>         int err;
> @@ -6457,13 +6474,12 @@ static int __init selinux_nf_ip_init(void)
>
>         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
>
> -       err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
> +       err = register_pernet_subsys(&selinux_net_ops);
>         if (err)
> -               panic("SELinux: nf_register_hooks: error %d\n", err);
> +               panic("SELinux: register_pernet_subsys: error %d\n", err);
>
>         return 0;
>  }
> -
>  __initcall(selinux_nf_ip_init);
>
>  #ifdef CONFIG_SECURITY_SELINUX_DISABLE
> @@ -6471,7 +6487,7 @@ static void selinux_nf_ip_exit(void)
>  {
>         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
>
> -       nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
> +       unregister_pernet_subsys(&selinux_net_ops);
>  }
>  #endif
>
> --
> 2.10.2
>



-- 
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH security-next 2/2] selinux: use pernet operations for hook registration

[Paul Moore]

On Wed, Apr 26, 2017 at 4:46 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Apr 21, 2017 at 5:49 AM, Florian Westphal <fw@strlen.de> wrote:
>> It will allow us to remove the old netfilter hook api in the near future.
>>
>> Signed-off-by: Florian Westphal <fw@strlen.de>
>> ---
>>  security/selinux/hooks.c | 24 ++++++++++++++++++++----
>>  1 file changed, 20 insertions(+), 4 deletions(-)
>
> Looks fine to me, I'm going to queue this up for after the v4.12 merge window.

... and I just realized that the SELinux list wasn't CC'd on this
patch, fixing that now.

>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index e67a526d1f30..3aa4268525e2 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -6448,6 +6448,23 @@ static struct nf_hook_ops selinux_nf_ops[] = {
>>  #endif /* IPV6 */
>>  };
>>
>> +static int __net_init selinux_nf_register(struct net *net)
>> +{
>> +       return nf_register_net_hooks(net, selinux_nf_ops,
>> +                                    ARRAY_SIZE(selinux_nf_ops));
>> +}
>> +
>> +static void __net_exit selinux_nf_unregister(struct net *net)
>> +{
>> +       nf_unregister_net_hooks(net, selinux_nf_ops,
>> +                               ARRAY_SIZE(selinux_nf_ops));
>> +}
>> +
>> +static struct pernet_operations selinux_net_ops = {
>> +       .init = selinux_nf_register,
>> +       .exit = selinux_nf_unregister,
>> +};
>> +
>>  static int __init selinux_nf_ip_init(void)
>>  {
>>         int err;
>> @@ -6457,13 +6474,12 @@ static int __init selinux_nf_ip_init(void)
>>
>>         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
>>
>> -       err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
>> +       err = register_pernet_subsys(&selinux_net_ops);
>>         if (err)
>> -               panic("SELinux: nf_register_hooks: error %d\n", err);
>> +               panic("SELinux: register_pernet_subsys: error %d\n", err);
>>
>>         return 0;
>>  }
>> -
>>  __initcall(selinux_nf_ip_init);
>>
>>  #ifdef CONFIG_SECURITY_SELINUX_DISABLE
>> @@ -6471,7 +6487,7 @@ static void selinux_nf_ip_exit(void)
>>  {
>>         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
>>
>> -       nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
>> +       unregister_pernet_subsys(&selinux_net_ops);
>>  }
>>  #endif
>>
>> --
>> 2.10.2
>>
>
>
>
> --
> paul moore
> www.paul-moore.com



-- 
paul moore
www.paul-moore.com

[PATCH security-next 2/2] selinux: use pernet operations for hook registration

[Paul Moore]

On Wed, Apr 26, 2017 at 4:46 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Fri, Apr 21, 2017 at 5:49 AM, Florian Westphal <fw@strlen.de> wrote:
>> It will allow us to remove the old netfilter hook api in the near future.
>>
>> Signed-off-by: Florian Westphal <fw@strlen.de>
>> ---
>>  security/selinux/hooks.c | 24 ++++++++++++++++++++----
>>  1 file changed, 20 insertions(+), 4 deletions(-)
>
> Looks fine to me, I'm going to queue this up for after the v4.12 merge window.

... and I just realized that the SELinux list wasn't CC'd on this
patch, fixing that now.

>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index e67a526d1f30..3aa4268525e2 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -6448,6 +6448,23 @@ static struct nf_hook_ops selinux_nf_ops[] = {
>>  #endif /* IPV6 */
>>  };
>>
>> +static int __net_init selinux_nf_register(struct net *net)
>> +{
>> +       return nf_register_net_hooks(net, selinux_nf_ops,
>> +                                    ARRAY_SIZE(selinux_nf_ops));
>> +}
>> +
>> +static void __net_exit selinux_nf_unregister(struct net *net)
>> +{
>> +       nf_unregister_net_hooks(net, selinux_nf_ops,
>> +                               ARRAY_SIZE(selinux_nf_ops));
>> +}
>> +
>> +static struct pernet_operations selinux_net_ops = {
>> +       .init = selinux_nf_register,
>> +       .exit = selinux_nf_unregister,
>> +};
>> +
>>  static int __init selinux_nf_ip_init(void)
>>  {
>>         int err;
>> @@ -6457,13 +6474,12 @@ static int __init selinux_nf_ip_init(void)
>>
>>         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
>>
>> -       err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
>> +       err = register_pernet_subsys(&selinux_net_ops);
>>         if (err)
>> -               panic("SELinux: nf_register_hooks: error %d\n", err);
>> +               panic("SELinux: register_pernet_subsys: error %d\n", err);
>>
>>         return 0;
>>  }
>> -
>>  __initcall(selinux_nf_ip_init);
>>
>>  #ifdef CONFIG_SECURITY_SELINUX_DISABLE
>> @@ -6471,7 +6487,7 @@ static void selinux_nf_ip_exit(void)
>>  {
>>         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
>>
>> -       nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
>> +       unregister_pernet_subsys(&selinux_net_ops);
>>  }
>>  #endif
>>
>> --
>> 2.10.2
>>
>
>
>
> --
> paul moore
> www.paul-moore.com



-- 
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH security-next 2/2] selinux: use pernet operations for hook registration

[Paul Moore]

On Wed, Apr 26, 2017 at 4:47 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Apr 26, 2017 at 4:46 PM, Paul Moore <paul@paul-moore.com> wrote:
>> On Fri, Apr 21, 2017 at 5:49 AM, Florian Westphal <fw@strlen.de> wrote:
>>> It will allow us to remove the old netfilter hook api in the near future.
>>>
>>> Signed-off-by: Florian Westphal <fw@strlen.de>
>>> ---
>>>  security/selinux/hooks.c | 24 ++++++++++++++++++++----
>>>  1 file changed, 20 insertions(+), 4 deletions(-)
>>
>> Looks fine to me, I'm going to queue this up for after the v4.12 merge window.
>
> ... and I just realized that the SELinux list wasn't CC'd on this
> patch, fixing that now.

Merged, thanks.

-- 
paul moore
www.paul-moore.com

[PATCH security-next 2/2] selinux: use pernet operations for hook registration

[Paul Moore]

On Wed, Apr 26, 2017 at 4:47 PM, Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Apr 26, 2017 at 4:46 PM, Paul Moore <paul@paul-moore.com> wrote:
>> On Fri, Apr 21, 2017 at 5:49 AM, Florian Westphal <fw@strlen.de> wrote:
>>> It will allow us to remove the old netfilter hook api in the near future.
>>>
>>> Signed-off-by: Florian Westphal <fw@strlen.de>
>>> ---
>>>  security/selinux/hooks.c | 24 ++++++++++++++++++++----
>>>  1 file changed, 20 insertions(+), 4 deletions(-)
>>
>> Looks fine to me, I'm going to queue this up for after the v4.12 merge window.
>
> ... and I just realized that the SELinux list wasn't CC'd on this
> patch, fixing that now.

Merged, thanks.

-- 
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html