diff options
| author | Eric Paris <eparis@redhat.com> | 2010-10-13 16:25:00 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2010-10-20 19:12:52 -0400 |
| commit | 1ae4de0cdf855305765592647025bde55e85e451 (patch) | |
| tree | b0e4392dea4fe14c562f7e61c2aecdddfdbb0cec /net/ipv4 | |
| parent | 1cc63249adfa957b34ca51effdee90ff8261d63f (diff) | |
secmark: export secctx, drop secmark in procfs
The current secmark code exports a secmark= field which just indicates if
there is special labeling on a packet or not. We drop this field as it
isn't particularly useful and instead export a new field secctx= which is
the actual human readable text label.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | 28 |
1 files changed, 25 insertions, 3 deletions
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c index 244f7cb08d6..37f8adb68c7 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | |||
| @@ -11,6 +11,7 @@ | |||
| 11 | #include <linux/proc_fs.h> | 11 | #include <linux/proc_fs.h> |
| 12 | #include <linux/seq_file.h> | 12 | #include <linux/seq_file.h> |
| 13 | #include <linux/percpu.h> | 13 | #include <linux/percpu.h> |
| 14 | #include <linux/security.h> | ||
| 14 | #include <net/net_namespace.h> | 15 | #include <net/net_namespace.h> |
| 15 | 16 | ||
| 16 | #include <linux/netfilter.h> | 17 | #include <linux/netfilter.h> |
| @@ -87,6 +88,29 @@ static void ct_seq_stop(struct seq_file *s, void *v) | |||
| 87 | rcu_read_unlock(); | 88 | rcu_read_unlock(); |
| 88 | } | 89 | } |
| 89 | 90 | ||
| 91 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | ||
| 92 | static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) | ||
| 93 | { | ||
| 94 | int ret; | ||
| 95 | u32 len; | ||
| 96 | char *secctx; | ||
| 97 | |||
| 98 | ret = security_secid_to_secctx(ct->secmark, &secctx, &len); | ||
| 99 | if (ret) | ||
| 100 | return ret; | ||
| 101 | |||
| 102 | ret = seq_printf(s, "secctx=%s ", secctx); | ||
| 103 | |||
| 104 | security_release_secctx(secctx, len); | ||
| 105 | return ret; | ||
| 106 | } | ||
| 107 | #else | ||
| 108 | static inline int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) | ||
| 109 | { | ||
| 110 | return 0; | ||
| 111 | } | ||
| 112 | #endif | ||
| 113 | |||
| 90 | static int ct_seq_show(struct seq_file *s, void *v) | 114 | static int ct_seq_show(struct seq_file *s, void *v) |
| 91 | { | 115 | { |
| 92 | struct nf_conntrack_tuple_hash *hash = v; | 116 | struct nf_conntrack_tuple_hash *hash = v; |
| @@ -148,10 +172,8 @@ static int ct_seq_show(struct seq_file *s, void *v) | |||
| 148 | goto release; | 172 | goto release; |
| 149 | #endif | 173 | #endif |
| 150 | 174 | ||
| 151 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | 175 | if (ct_show_secctx(s, ct)) |
| 152 | if (seq_printf(s, "secmark=%u ", ct->secmark)) | ||
| 153 | goto release; | 176 | goto release; |
| 154 | #endif | ||
| 155 | 177 | ||
| 156 | if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use))) | 178 | if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use))) |
| 157 | goto release; | 179 | goto release; |