| /linux/drivers/net/ethernet/marvell/prestera/ |
| prestera_acl.c | 140 struct prestera_acl_ruleset *ruleset; in prestera_acl_ruleset_create() local 147 ruleset = kzalloc_obj(*ruleset); in prestera_acl_ruleset_create() 148 if (!ruleset) in prestera_acl_ruleset_create() 151 ruleset->acl = acl; in prestera_acl_ruleset_create() 152 ruleset->ingress = block->ingress; in prestera_acl_ruleset_create() 153 ruleset->ht_key.block = block; in prestera_acl_ruleset_create() 154 ruleset->ht_key.chain_index = chain_index; in prestera_acl_ruleset_create() 155 refcount_set(&ruleset->refcount, 1); in prestera_acl_ruleset_create() 157 err = rhashtable_init(&ruleset->rule_ht, &prestera_acl_rule_ht_params); in prestera_acl_ruleset_create() 166 ruleset->pcl_id = PRESTERA_ACL_PCL_ID_MAKE((u8)uid, chain_index); in prestera_acl_ruleset_create() [all …]
|
| prestera_flower.c | 11 struct prestera_acl_ruleset *ruleset; member 19 prestera_acl_ruleset_put(template->ruleset); in prestera_flower_template_free() 39 struct prestera_acl_ruleset *ruleset; in prestera_flower_parse_goto_action() local 48 ruleset = prestera_acl_ruleset_get(block->sw->acl, block, in prestera_flower_parse_goto_action() 50 if (IS_ERR(ruleset)) in prestera_flower_parse_goto_action() 51 return PTR_ERR(ruleset); in prestera_flower_parse_goto_action() 54 rule->re_arg.jump.i.index = prestera_acl_ruleset_index_get(ruleset); in prestera_flower_parse_goto_action() 56 rule->jump_ruleset = ruleset; in prestera_flower_parse_goto_action() 407 struct prestera_acl_ruleset *ruleset; in prestera_flower_prio_get() local 409 ruleset = prestera_acl_ruleset_lookup(block->sw->acl, block, chain_index); in prestera_flower_prio_get() [all …]
|
| prestera_acl.h | 130 struct prestera_acl_ruleset *ruleset; member 156 prestera_acl_rule_create(struct prestera_acl_ruleset *ruleset, 162 prestera_acl_rule_lookup(struct prestera_acl_ruleset *ruleset, 188 int prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset, 190 bool prestera_acl_ruleset_is_offload(struct prestera_acl_ruleset *ruleset); 191 int prestera_acl_ruleset_offload(struct prestera_acl_ruleset *ruleset); 192 void prestera_acl_ruleset_put(struct prestera_acl_ruleset *ruleset); 193 int prestera_acl_ruleset_bind(struct prestera_acl_ruleset *ruleset, 195 int prestera_acl_ruleset_unbind(struct prestera_acl_ruleset *ruleset, 197 u32 prestera_acl_ruleset_index_get(const struct prestera_acl_ruleset *ruleset); [all …]
|
| /linux/drivers/net/ethernet/mellanox/mlxsw/ |
| spectrum_acl.c | 70 struct mlxsw_sp_acl_ruleset *ruleset; member 100 mlxsw_sp_acl_ruleset_is_singular(const struct mlxsw_sp_acl_ruleset *ruleset) in mlxsw_sp_acl_ruleset_is_singular() argument 103 return refcount_read(&ruleset->ref_count) == 2; in mlxsw_sp_acl_ruleset_is_singular() 110 struct mlxsw_sp_acl_ruleset *ruleset = block->ruleset_zero; in mlxsw_sp_acl_ruleset_bind() local 111 const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; in mlxsw_sp_acl_ruleset_bind() 113 return ops->ruleset_bind(mlxsw_sp, ruleset->priv, in mlxsw_sp_acl_ruleset_bind() 121 struct mlxsw_sp_acl_ruleset *ruleset = block->ruleset_zero; in mlxsw_sp_acl_ruleset_unbind() local 122 const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; in mlxsw_sp_acl_ruleset_unbind() 124 ops->ruleset_unbind(mlxsw_sp, ruleset->priv, in mlxsw_sp_acl_ruleset_unbind() 130 struct mlxsw_sp_acl_ruleset *ruleset, in mlxsw_sp_acl_ruleset_block_bind() argument [all …]
|
| spectrum_flower.c | 131 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp_flower_parse_actions() local 134 ruleset = mlxsw_sp_acl_ruleset_lookup(mlxsw_sp, block, in mlxsw_sp_flower_parse_actions() 137 if (IS_ERR(ruleset)) in mlxsw_sp_flower_parse_actions() 138 return PTR_ERR(ruleset); in mlxsw_sp_flower_parse_actions() 140 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); in mlxsw_sp_flower_parse_actions() 745 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp_flower_replace() local 753 ruleset = mlxsw_sp_acl_ruleset_get(mlxsw_sp, block, in mlxsw_sp_flower_replace() 756 if (IS_ERR(ruleset)) in mlxsw_sp_flower_replace() 757 return PTR_ERR(ruleset); in mlxsw_sp_flower_replace() 759 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, f->cookie, NULL, in mlxsw_sp_flower_replace() [all …]
|
| spectrum2_mr_tcam.c | 36 struct mlxsw_sp_acl_ruleset *ruleset) in mlxsw_sp2_mr_tcam_bind_group() argument 41 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); in mlxsw_sp2_mr_tcam_bind_group() 218 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp2_mr_tcam_route_create() local 223 ruleset = mlxsw_sp2_mr_tcam_proto_ruleset(mr_tcam, key->proto); in mlxsw_sp2_mr_tcam_route_create() 224 if (WARN_ON(!ruleset)) in mlxsw_sp2_mr_tcam_route_create() 227 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, in mlxsw_sp2_mr_tcam_route_create() 251 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp2_mr_tcam_route_destroy() local 254 ruleset = mlxsw_sp2_mr_tcam_proto_ruleset(mr_tcam, key->proto); in mlxsw_sp2_mr_tcam_route_destroy() 255 if (WARN_ON(!ruleset)) in mlxsw_sp2_mr_tcam_route_destroy() 258 rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, in mlxsw_sp2_mr_tcam_route_destroy() [all …]
|
| spectrum_acl_tcam.c | 1696 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_add() local 1698 return mlxsw_sp_acl_tcam_vgroup_add(mlxsw_sp, tcam, &ruleset->vgroup, in mlxsw_sp_acl_tcam_flower_ruleset_add() 1709 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_del() local 1711 mlxsw_sp_acl_tcam_vgroup_del(&ruleset->vgroup); in mlxsw_sp_acl_tcam_flower_ruleset_del() 1720 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_bind() local 1722 return mlxsw_sp_acl_tcam_group_bind(mlxsw_sp, &ruleset->vgroup.group, in mlxsw_sp_acl_tcam_flower_ruleset_bind() 1732 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_unbind() local 1734 mlxsw_sp_acl_tcam_group_unbind(mlxsw_sp, &ruleset->vgroup.group, in mlxsw_sp_acl_tcam_flower_ruleset_unbind() 1741 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_group_id() local 1743 return mlxsw_sp_acl_tcam_group_id(&ruleset->vgroup.group); in mlxsw_sp_acl_tcam_flower_ruleset_group_id() [all …]
|
| /linux/security/landlock/ |
| ruleset.h | 41 * union landlock_key - Key of a ruleset's red-black tree 72 * struct landlock_id - Unique rule identifier for a ruleset 91 * @node: Node in the ruleset's red-black tree. 97 * for this ruleset element. The pointer is set once and never 114 * struct landlock_ruleset - Landlock ruleset 122 * landlock_rule nodes with inode object. Once a ruleset is tied to a 131 * landlock_rule nodes with network port. Once a ruleset is tied to a 145 * @work_free: Enables to free a ruleset within a lockless 160 * descriptors referencing this ruleset. 165 * the same object) rules in this ruleset 215 landlock_get_ruleset(struct landlock_ruleset * const ruleset) landlock_get_ruleset() argument 247 landlock_add_fs_access_mask(struct landlock_ruleset * const ruleset,const access_mask_t fs_access_mask,const u16 layer_level) landlock_add_fs_access_mask() argument 259 landlock_add_net_access_mask(struct landlock_ruleset * const ruleset,const access_mask_t net_access_mask,const u16 layer_level) landlock_add_net_access_mask() argument 271 landlock_add_scope_mask(struct landlock_ruleset * const ruleset,const access_mask_t scope_mask,const u16 layer_level) landlock_add_scope_mask() argument 282 landlock_get_fs_access_mask(const struct landlock_ruleset * const ruleset,const u16 layer_level) landlock_get_fs_access_mask() argument 291 landlock_get_net_access_mask(const struct landlock_ruleset * const ruleset,const u16 layer_level) landlock_get_net_access_mask() argument 298 landlock_get_scope_mask(const struct landlock_ruleset * const ruleset,const u16 layer_level) landlock_get_scope_mask() argument [all...] |
| syscalls.c | 37 #include "ruleset.h" 127 struct landlock_ruleset *ruleset = filp->private_data; in fop_ruleset_release() 129 landlock_put_ruleset(ruleset); 149 * A ruleset file descriptor enables to build a ruleset by adding (i.e. 151 * reentrant design is also used in a read way to enforce the ruleset on the 172 * sys_landlock_create_ruleset - Create a new ruleset 175 * the new ruleset. 183 * This system call enables to create a new Landlock ruleset. 188 * Return: The ruleset fil 124 struct landlock_ruleset *ruleset = filp->private_data; fop_ruleset_release() local 200 struct landlock_ruleset *ruleset; SYSCALL_DEFINE3() local 267 struct landlock_ruleset *ruleset; get_ruleset_from_fd() local 314 add_rule_path_beneath(struct landlock_ruleset * const ruleset,const void __user * const rule_attr) add_rule_path_beneath() argument 352 add_rule_net_port(struct landlock_ruleset * ruleset,const void __user * const rule_attr) add_rule_net_port() argument [all...] |
| ruleset.c | 147 static struct rb_root *get_root(struct landlock_ruleset *const ruleset, in get_root() argument 152 return &ruleset->root_inode; in get_root() 156 return &ruleset->root_net_port; in get_root() 178 const struct landlock_ruleset ruleset = { in build_check_ruleset() local 183 BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES); in build_check_ruleset() 184 BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS); in build_check_ruleset() 207 static int insert_rule(struct landlock_ruleset *const ruleset, in insert_rule() argument 218 lockdep_assert_held(&ruleset->lock); in insert_rule() 225 root = get_root(ruleset, id.type); in insert_rule() 279 if (ruleset->num_rules >= LANDLOCK_MAX_NUM_RULES) in insert_rule() [all …]
|
| net.c | 22 int landlock_append_net_rule(struct landlock_ruleset *const ruleset, in landlock_append_net_rule() argument 35 ~landlock_get_net_access_mask(ruleset, 0); in landlock_append_net_rule() 37 mutex_lock(&ruleset->lock); in landlock_append_net_rule() 38 err = landlock_insert_rule(ruleset, id, access_rights); in landlock_append_net_rule() 39 mutex_unlock(&ruleset->lock); in landlock_append_net_rule()
|
| net.h | 18 int landlock_append_net_rule(struct landlock_ruleset *const ruleset, 26 landlock_append_net_rule(struct landlock_ruleset *const ruleset, const u16 port, in landlock_append_net_rule() argument
|
| Makefile | 7 ruleset.o \
|
| fs.h | 20 #include "ruleset.h" 127 int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
|
| fs.c | 52 #include "ruleset.h" 303 * shutdown, or by release_inode() when no more ruleset references the in get_inode_object() 326 int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, in landlock_append_fs_rule() 339 if (WARN_ON_ONCE(ruleset->num_layers != 1)) in landlock_append_fs_rule() 344 ~landlock_get_fs_access_mask(ruleset, 0); in landlock_append_fs_rule() 348 mutex_lock(&ruleset->lock); in landlock_append_fs_rule() 349 err = landlock_insert_rule(ruleset, id, access_rights); in landlock_append_fs_rule() 350 mutex_unlock(&ruleset->lock); in landlock_append_fs_rule() 539 * be inconsistent compared to domain 1's ruleset alone (e.g. it might in test_no_more_access() 540 * be denied to link/rename with domain 1's ruleset, wherea in test_no_more_access() 323 landlock_append_fs_rule(struct landlock_ruleset * const ruleset,const struct path * const path,access_mask_t access_rights) landlock_append_fs_rule() argument [all...] |
| /linux/Documentation/userspace-api/ |
| landlock.rst | 33 perform. A set of rules is aggregated in a ruleset, which can then restrict 50 We first need to define the ruleset that will contain our rules. 52 For this example, the ruleset will contain rules that only allow filesystem 56 The ruleset then needs to handle both these kinds of actions. This is 137 This enables the creation of an inclusive ruleset that will contain our rules. 145 perror("Failed to create a ruleset"); 149 We can now add a new rule to this ruleset thanks to the returned file 150 descriptor referring to this ruleset. The rule will allow reading and 152 would then be denied by the ruleset. To add ``/usr`` to the ruleset, we open 176 perror("Failed to update ruleset"); [all …]
|
| /linux/tools/testing/selftests/net/netfilter/ |
| nft_queue.sh | 257 ip netns exec "$nsrouter" nft list ruleset 323 flush ruleset 368 flush ruleset 394 ip netns exec "$ns1" nft list ruleset 446 flush ruleset 525 flush ruleset 600 flush ruleset 747 flush ruleset 796 flush ruleset 812 ip netns exec "$ns1" nft flush ruleset [all …]
|
| conntrack_vrf.sh | 84 # as decided by the first iteration of the ruleset. 122 ip netns exec "$ns0" nft list ruleset 141 flush ruleset 188 flush ruleset
|
| nft_flowtable.sh | 190 echo "SKIP: Could not load nft ruleset" 210 echo -n "SKIP: Could not load ruleset: " 507 ip netns exec "$nsr1" nft list ruleset 515 ip netns exec "$nsr1" nft list ruleset 551 ip netns exec "$nsr1" nft list ruleset 579 ip netns exec "$nsr1" nft list ruleset 627 ip netns exec "$nsr1" nft list ruleset 635 ip netns exec "$nsr1" nft list ruleset 681 ip netns exec "$nsr1" nft list ruleset 689 ip netns exec "$nsr1" nft list ruleset [all...] |
| br_netfilter.sh | 39 ip netns exec "$ns0" nft list ruleset 56 ip netns exec "$ns0" nft list ruleset 135 echo "SKIP: could not add nftables ruleset"
|
| nft_audit.sh | 82 nft flush ruleset
|
| /linux/include/linux/crush/ |
| mapper.h | 14 extern int crush_find_rule(const struct crush_map *map, int ruleset, int type, int size);
|
| crush.h | 81 __u8 ruleset; member
|
| /linux/security/safesetid/ |
| securityfs.c | 267 … size_t len, loff_t *ppos, struct mutex *policy_update_lock, struct __rcu setid_ruleset* ruleset) in safesetid_file_read() argument 274 pol = rcu_dereference_protected(ruleset, lockdep_is_held(policy_update_lock)); in safesetid_file_read()
|
| /linux/tools/testing/selftests/net/mptcp/ |
| mptcp_connect.sh | 687 flush ruleset 713 ip netns exec "$listener_ns" nft flush ruleset 721 ip netns exec "$listener_ns" nft flush ruleset 737 ip netns exec "$listener_ns" nft flush ruleset
|