Skip to content

Commit 4342f70

Browse files
Florian Westphalpcmoore
Florian Westphal
authored and
pcmoore
committed
selinux: remove unneeded ipv6 hook wrappers
Netfilter places the protocol number the hook function is getting called from in state->pf, so we can use that instead of an extra wrapper. While at it, remove one-line wrappers too and make selinux_ip_{out,forward,postroute} useable as hook function. Signed-off-by: Florian Westphal <[email protected]> Message-Id: <[email protected]> Signed-off-by: Paul Moore <[email protected]>
1 parent f5d0e5e commit 4342f70

File tree

1 file changed

+18
-62
lines changed

1 file changed

+18
-62
lines changed

security/selinux/hooks.c

Lines changed: 18 additions & 62 deletions
Original file line numberDiff line numberDiff line change
@@ -5689,10 +5689,11 @@ static int selinux_tun_dev_open(void *security)
56895689

56905690
#ifdef CONFIG_NETFILTER
56915691

5692-
static unsigned int selinux_ip_forward(struct sk_buff *skb,
5693-
const struct net_device *indev,
5694-
u16 family)
5692+
static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb,
5693+
const struct nf_hook_state *state)
56955694
{
5695+
const struct net_device *indev = state->in;
5696+
u16 family = state->pf;
56965697
int err;
56975698
char *addrp;
56985699
u32 peer_sid;
@@ -5747,25 +5748,10 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb,
57475748
return NF_ACCEPT;
57485749
}
57495750

5750-
static unsigned int selinux_ipv4_forward(void *priv,
5751-
struct sk_buff *skb,
5752-
const struct nf_hook_state *state)
5753-
{
5754-
return selinux_ip_forward(skb, state->in, PF_INET);
5755-
}
5756-
5757-
#if IS_ENABLED(CONFIG_IPV6)
5758-
static unsigned int selinux_ipv6_forward(void *priv,
5759-
struct sk_buff *skb,
5760-
const struct nf_hook_state *state)
5761-
{
5762-
return selinux_ip_forward(skb, state->in, PF_INET6);
5763-
}
5764-
#endif /* IPV6 */
5765-
5766-
static unsigned int selinux_ip_output(struct sk_buff *skb,
5767-
u16 family)
5751+
static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb,
5752+
const struct nf_hook_state *state)
57685753
{
5754+
u16 family = state->pf;
57695755
struct sock *sk;
57705756
u32 sid;
57715757

@@ -5805,21 +5791,6 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
58055791
return NF_ACCEPT;
58065792
}
58075793

5808-
static unsigned int selinux_ipv4_output(void *priv,
5809-
struct sk_buff *skb,
5810-
const struct nf_hook_state *state)
5811-
{
5812-
return selinux_ip_output(skb, PF_INET);
5813-
}
5814-
5815-
#if IS_ENABLED(CONFIG_IPV6)
5816-
static unsigned int selinux_ipv6_output(void *priv,
5817-
struct sk_buff *skb,
5818-
const struct nf_hook_state *state)
5819-
{
5820-
return selinux_ip_output(skb, PF_INET6);
5821-
}
5822-
#endif /* IPV6 */
58235794

58245795
static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
58255796
int ifindex,
@@ -5855,10 +5826,12 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
58555826
return NF_ACCEPT;
58565827
}
58575828

5858-
static unsigned int selinux_ip_postroute(struct sk_buff *skb,
5859-
const struct net_device *outdev,
5860-
u16 family)
5829+
static unsigned int selinux_ip_postroute(void *priv,
5830+
struct sk_buff *skb,
5831+
const struct nf_hook_state *state)
58615832
{
5833+
const struct net_device *outdev = state->out;
5834+
u16 family = state->pf;
58625835
u32 secmark_perm;
58635836
u32 peer_sid;
58645837
int ifindex = outdev->ifindex;
@@ -5994,23 +5967,6 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb,
59945967

59955968
return NF_ACCEPT;
59965969
}
5997-
5998-
static unsigned int selinux_ipv4_postroute(void *priv,
5999-
struct sk_buff *skb,
6000-
const struct nf_hook_state *state)
6001-
{
6002-
return selinux_ip_postroute(skb, state->out, PF_INET);
6003-
}
6004-
6005-
#if IS_ENABLED(CONFIG_IPV6)
6006-
static unsigned int selinux_ipv6_postroute(void *priv,
6007-
struct sk_buff *skb,
6008-
const struct nf_hook_state *state)
6009-
{
6010-
return selinux_ip_postroute(skb, state->out, PF_INET6);
6011-
}
6012-
#endif /* IPV6 */
6013-
60145970
#endif /* CONFIG_NETFILTER */
60155971

60165972
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
@@ -7475,38 +7431,38 @@ DEFINE_LSM(selinux) = {
74757431

74767432
static const struct nf_hook_ops selinux_nf_ops[] = {
74777433
{
7478-
.hook = selinux_ipv4_postroute,
7434+
.hook = selinux_ip_postroute,
74797435
.pf = NFPROTO_IPV4,
74807436
.hooknum = NF_INET_POST_ROUTING,
74817437
.priority = NF_IP_PRI_SELINUX_LAST,
74827438
},
74837439
{
7484-
.hook = selinux_ipv4_forward,
7440+
.hook = selinux_ip_forward,
74857441
.pf = NFPROTO_IPV4,
74867442
.hooknum = NF_INET_FORWARD,
74877443
.priority = NF_IP_PRI_SELINUX_FIRST,
74887444
},
74897445
{
7490-
.hook = selinux_ipv4_output,
7446+
.hook = selinux_ip_output,
74917447
.pf = NFPROTO_IPV4,
74927448
.hooknum = NF_INET_LOCAL_OUT,
74937449
.priority = NF_IP_PRI_SELINUX_FIRST,
74947450
},
74957451
#if IS_ENABLED(CONFIG_IPV6)
74967452
{
7497-
.hook = selinux_ipv6_postroute,
7453+
.hook = selinux_ip_postroute,
74987454
.pf = NFPROTO_IPV6,
74997455
.hooknum = NF_INET_POST_ROUTING,
75007456
.priority = NF_IP6_PRI_SELINUX_LAST,
75017457
},
75027458
{
7503-
.hook = selinux_ipv6_forward,
7459+
.hook = selinux_ip_forward,
75047460
.pf = NFPROTO_IPV6,
75057461
.hooknum = NF_INET_FORWARD,
75067462
.priority = NF_IP6_PRI_SELINUX_FIRST,
75077463
},
75087464
{
7509-
.hook = selinux_ipv6_output,
7465+
.hook = selinux_ip_output,
75107466
.pf = NFPROTO_IPV6,
75117467
.hooknum = NF_INET_LOCAL_OUT,
75127468
.priority = NF_IP6_PRI_SELINUX_FIRST,

0 commit comments

Comments
 (0)