| author | Eric Paris <eparis@redhat.com> | 2010-10-13 16:25:00 -0400 | 
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2010-10-20 19:12:52 -0400 | 
| commit | 1ae4de0cdf855305765592647025bde55e85e451 (patch) | |
| tree | b0e4392dea4fe14c562f7e61c2aecdddfdbb0cec | |
| parent | 1cc63249adfa957b34ca51effdee90ff8261d63f (diff) | |
secmark: export secctx, drop secmark in procfs
The current secmark code exports a secmark= field which just indicates if
there is special labeling on a packet or not.  We drop this field as it
isn't particularly useful and instead export a new field secctx= which is
the actual human readable text label.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: James Morris <jmorris@namei.org>
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | 28 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_standalone.c | 28 | 
2 files changed, 50 insertions, 6 deletions
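--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -11,6 +11,7 @@
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
 #include <linux/percpu.h>
+#include <linux/security.h>
 #include <net/net_namespace.h>
 
 #include <linux/netfilter.h>
@@ -87,6 +88,29 @@ static void ct_seq_stop(struct seq_file *s, void *v)
 	rcu_read_unlock();
 }
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
+{
+	int ret;
+	u32 len;
+	char *secctx;
+
+	ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+	if (ret)
+		return ret;
+
+	ret = seq_printf(s, "secctx=%s ", secctx);
+
+	security_release_secctx(secctx, len);
+	return ret;
+}
+#else
+static inline int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
+{
+	return 0;
+}
+#endif
+
 static int ct_seq_show(struct seq_file *s, void *v)
 {
 	struct nf_conntrack_tuple_hash *hash = v;
@@ -148,10 +172,8 @@ static int ct_seq_show(struct seq_file *s, void *v)
 		goto release;
 #endif
 
-#ifdef CONFIG_NF_CONNTRACK_SECMARK
-	if (seq_printf(s, "secmark=%u ", ct->secmark))
+	if (ct_show_secctx(s, ct))
 		goto release;
-#endif
 
 	if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
 		goto release;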
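Review bot: ct_show_secctx propagates a failure of security_secid_to_secctx() exactly like a seq buffer overflow, so the call site in ct_seq_show takes `goto release` and the remainder of the record, including the `use=%u\n` line that terminates it, is never printed. As far as I recall the default LSM hook returns -EOPNOTSUPP when no module implements secid_to_secctx, so with CONFIG_NF_CONNTRACK_SECMARK enabled on such a system every entry in the procfs listing would be truncated this way. A translation failure should skip the field rather than abort the record: `if (ret)` / `return 0;` in place of `return ret;` after the lookup, leaving only seq_printf's result to be propagated. The identical helper and call site are added in net/netfilter/nf_conntrack_standalone.c and need the same change. ct_seq_show starts and ends outside the hunk, so what the `release` label does with the error is not visible here.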
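--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -15,6 +15,7 @@
 #include <linux/seq_file.h>
 #include <linux/percpu.h>
 #include <linux/netdevice.h>
+#include <linux/security.h>
 #include <net/net_namespace.h>
 #ifdef CONFIG_SYSCTL
 #include <linux/sysctl.h>
@@ -108,6 +109,29 @@ static void ct_seq_stop(struct seq_file *s, void *v)
 	rcu_read_unlock();
 }
 
+#ifdef CONFIG_NF_CONNTRACK_SECMARK
+static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
+{
+	int ret;
+	u32 len;
+	char *secctx;
+
+	ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+	if (ret)
+		return ret;
+
+	ret = seq_printf(s, "secctx=%s ", secctx);
+
+	security_release_secctx(secctx, len);
+	return ret;
+}
+#else
+static inline int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
+{
+	return 0;
+}
+#endif
+
 /* return 0 on success, 1 in case of error */
 static int ct_seq_show(struct seq_file *s, void *v)
 {
@@ -168,10 +192,8 @@ static int ct_seq_show(struct seq_file *s, void *v)
 		goto release;
 #endif
 
-#ifdef CONFIG_NF_CONNTRACK_SECMARK
-	if (seq_printf(s, "secmark=%u ", ct->secmark))
+	if (ct_show_secctx(s, ct))
 		goto release;
-#endif
 
 #ifdef CONFIG_NF_CONNTRACK_ZONES
 	if (seq_printf(s, "zone=%u ", nf_ct_zone(ct)))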
