Home
last modified time | relevance | path

Searched refs:ruleset (Results 1 – 25 of 37) sorted by relevance

12

/linux/drivers/net/ethernet/marvell/prestera/
H A Dprestera_acl.c140 struct prestera_acl_ruleset *ruleset; in prestera_acl_ruleset_create() local
147 ruleset = kzalloc(sizeof(*ruleset), GFP_KERNEL); in prestera_acl_ruleset_create()
148 if (!ruleset) in prestera_acl_ruleset_create()
151 ruleset->acl = acl; in prestera_acl_ruleset_create()
152 ruleset->ingress = block->ingress; in prestera_acl_ruleset_create()
153 ruleset->ht_key.block = block; in prestera_acl_ruleset_create()
154 ruleset->ht_key.chain_index = chain_index; in prestera_acl_ruleset_create()
155 refcount_set(&ruleset->refcount, 1); in prestera_acl_ruleset_create()
157 err = rhashtable_init(&ruleset->rule_ht, &prestera_acl_rule_ht_params); in prestera_acl_ruleset_create()
166 ruleset->pcl_id = PRESTERA_ACL_PCL_ID_MAKE((u8)uid, chain_index); in prestera_acl_ruleset_create()
[all …]
H A Dprestera_flower.c11 struct prestera_acl_ruleset *ruleset; member
19 prestera_acl_ruleset_put(template->ruleset); in prestera_flower_template_free()
39 struct prestera_acl_ruleset *ruleset; in prestera_flower_parse_goto_action() local
48 ruleset = prestera_acl_ruleset_get(block->sw->acl, block, in prestera_flower_parse_goto_action()
50 if (IS_ERR(ruleset)) in prestera_flower_parse_goto_action()
51 return PTR_ERR(ruleset); in prestera_flower_parse_goto_action()
54 rule->re_arg.jump.i.index = prestera_acl_ruleset_index_get(ruleset); in prestera_flower_parse_goto_action()
56 rule->jump_ruleset = ruleset; in prestera_flower_parse_goto_action()
407 struct prestera_acl_ruleset *ruleset; in prestera_flower_prio_get() local
409 ruleset = prestera_acl_ruleset_lookup(block->sw->acl, block, chain_index); in prestera_flower_prio_get()
[all …]
H A Dprestera_acl.h130 struct prestera_acl_ruleset *ruleset; member
156 prestera_acl_rule_create(struct prestera_acl_ruleset *ruleset,
162 prestera_acl_rule_lookup(struct prestera_acl_ruleset *ruleset,
188 int prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset,
190 bool prestera_acl_ruleset_is_offload(struct prestera_acl_ruleset *ruleset);
191 int prestera_acl_ruleset_offload(struct prestera_acl_ruleset *ruleset);
192 void prestera_acl_ruleset_put(struct prestera_acl_ruleset *ruleset);
193 int prestera_acl_ruleset_bind(struct prestera_acl_ruleset *ruleset,
195 int prestera_acl_ruleset_unbind(struct prestera_acl_ruleset *ruleset,
197 u32 prestera_acl_ruleset_index_get(const struct prestera_acl_ruleset *ruleset);
[all …]
/linux/security/landlock/
H A Dsyscalls.c120 struct landlock_ruleset *ruleset = filp->private_data; in fop_ruleset_release() local
122 landlock_put_ruleset(ruleset); in fop_ruleset_release()
184 struct landlock_ruleset *ruleset; in SYSCALL_DEFINE3() local
223 ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs, in SYSCALL_DEFINE3()
226 if (IS_ERR(ruleset)) in SYSCALL_DEFINE3()
227 return PTR_ERR(ruleset); in SYSCALL_DEFINE3()
231 ruleset, O_RDWR | O_CLOEXEC); in SYSCALL_DEFINE3()
233 landlock_put_ruleset(ruleset); in SYSCALL_DEFINE3()
245 struct landlock_ruleset *ruleset; in get_ruleset_from_fd() local
255 ruleset = fd_file(ruleset_f)->private_data; in get_ruleset_from_fd()
[all …]
H A Druleset.h252 void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
253 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
255 int landlock_insert_rule(struct landlock_ruleset *const ruleset,
261 struct landlock_ruleset *const ruleset);
264 landlock_find_rule(const struct landlock_ruleset *const ruleset,
267 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset) in landlock_get_ruleset() argument
269 if (ruleset) in landlock_get_ruleset()
270 refcount_inc(&ruleset->usage); in landlock_get_ruleset()
329 landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset, in landlock_add_fs_access_mask() argument
337 ruleset->access_masks[layer_level].fs |= fs_mask; in landlock_add_fs_access_mask()
[all …]
H A Druleset.c140 static struct rb_root *get_root(struct landlock_ruleset *const ruleset, in get_root() argument
145 return &ruleset->root_inode; in get_root()
149 return &ruleset->root_net_port; in get_root()
171 const struct landlock_ruleset ruleset = { in build_check_ruleset() local
176 BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES); in build_check_ruleset()
177 BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS); in build_check_ruleset()
198 static int insert_rule(struct landlock_ruleset *const ruleset, in insert_rule() argument
209 lockdep_assert_held(&ruleset->lock); in insert_rule()
216 root = get_root(ruleset, id.type); in insert_rule()
270 if (ruleset->num_rules >= LANDLOCK_MAX_NUM_RULES) in insert_rule()
[all …]
H A Dnet.c20 int landlock_append_net_rule(struct landlock_ruleset *const ruleset, in landlock_append_net_rule() argument
33 ~landlock_get_net_access_mask(ruleset, 0); in landlock_append_net_rule()
35 mutex_lock(&ruleset->lock); in landlock_append_net_rule()
36 err = landlock_insert_rule(ruleset, id, access_rights); in landlock_append_net_rule()
37 mutex_unlock(&ruleset->lock); in landlock_append_net_rule()
H A Dnet.h18 int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
26 landlock_append_net_rule(struct landlock_ruleset *const ruleset, const u16 port, in landlock_append_net_rule() argument
H A DMakefile3 landlock-y := setup.o syscalls.o object.o ruleset.o \
H A Dfs.h98 int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
H A Dfs.c317 int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, in landlock_append_fs_rule() argument
330 if (WARN_ON_ONCE(ruleset->num_layers != 1)) in landlock_append_fs_rule()
335 ~landlock_get_fs_access_mask(ruleset, 0); in landlock_append_fs_rule()
339 mutex_lock(&ruleset->lock); in landlock_append_fs_rule()
340 err = landlock_insert_rule(ruleset, id, access_rights); in landlock_append_fs_rule()
341 mutex_unlock(&ruleset->lock); in landlock_append_fs_rule()
/linux/drivers/net/ethernet/mellanox/mlxsw/
H A Dspectrum_acl.c70 struct mlxsw_sp_acl_ruleset *ruleset; member
100 mlxsw_sp_acl_ruleset_is_singular(const struct mlxsw_sp_acl_ruleset *ruleset) in mlxsw_sp_acl_ruleset_is_singular() argument
103 return refcount_read(&ruleset->ref_count) == 2; in mlxsw_sp_acl_ruleset_is_singular()
110 struct mlxsw_sp_acl_ruleset *ruleset = block->ruleset_zero; in mlxsw_sp_acl_ruleset_bind() local
111 const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; in mlxsw_sp_acl_ruleset_bind()
113 return ops->ruleset_bind(mlxsw_sp, ruleset->priv, in mlxsw_sp_acl_ruleset_bind()
121 struct mlxsw_sp_acl_ruleset *ruleset = block->ruleset_zero; in mlxsw_sp_acl_ruleset_unbind() local
122 const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; in mlxsw_sp_acl_ruleset_unbind()
124 ops->ruleset_unbind(mlxsw_sp, ruleset->priv, in mlxsw_sp_acl_ruleset_unbind()
130 struct mlxsw_sp_acl_ruleset *ruleset, in mlxsw_sp_acl_ruleset_block_bind() argument
[all …]
H A Dspectrum_flower.c131 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp_flower_parse_actions() local
134 ruleset = mlxsw_sp_acl_ruleset_lookup(mlxsw_sp, block, in mlxsw_sp_flower_parse_actions()
137 if (IS_ERR(ruleset)) in mlxsw_sp_flower_parse_actions()
138 return PTR_ERR(ruleset); in mlxsw_sp_flower_parse_actions()
140 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); in mlxsw_sp_flower_parse_actions()
735 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp_flower_replace() local
743 ruleset = mlxsw_sp_acl_ruleset_get(mlxsw_sp, block, in mlxsw_sp_flower_replace()
746 if (IS_ERR(ruleset)) in mlxsw_sp_flower_replace()
747 return PTR_ERR(ruleset); in mlxsw_sp_flower_replace()
749 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, f->cookie, NULL, in mlxsw_sp_flower_replace()
[all …]
H A Dspectrum2_mr_tcam.c36 struct mlxsw_sp_acl_ruleset *ruleset) in mlxsw_sp2_mr_tcam_bind_group() argument
41 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); in mlxsw_sp2_mr_tcam_bind_group()
218 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp2_mr_tcam_route_create() local
223 ruleset = mlxsw_sp2_mr_tcam_proto_ruleset(mr_tcam, key->proto); in mlxsw_sp2_mr_tcam_route_create()
224 if (WARN_ON(!ruleset)) in mlxsw_sp2_mr_tcam_route_create()
227 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, in mlxsw_sp2_mr_tcam_route_create()
251 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp2_mr_tcam_route_destroy() local
254 ruleset = mlxsw_sp2_mr_tcam_proto_ruleset(mr_tcam, key->proto); in mlxsw_sp2_mr_tcam_route_destroy()
255 if (WARN_ON(!ruleset)) in mlxsw_sp2_mr_tcam_route_destroy()
258 rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, in mlxsw_sp2_mr_tcam_route_destroy()
[all …]
H A Dspectrum_acl_tcam.c1695 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_add() local
1697 return mlxsw_sp_acl_tcam_vgroup_add(mlxsw_sp, tcam, &ruleset->vgroup, in mlxsw_sp_acl_tcam_flower_ruleset_add()
1708 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_del() local
1710 mlxsw_sp_acl_tcam_vgroup_del(&ruleset->vgroup); in mlxsw_sp_acl_tcam_flower_ruleset_del()
1719 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_bind() local
1721 return mlxsw_sp_acl_tcam_group_bind(mlxsw_sp, &ruleset->vgroup.group, in mlxsw_sp_acl_tcam_flower_ruleset_bind()
1731 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_unbind() local
1733 mlxsw_sp_acl_tcam_group_unbind(mlxsw_sp, &ruleset->vgroup.group, in mlxsw_sp_acl_tcam_flower_ruleset_unbind()
1740 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_group_id() local
1742 return mlxsw_sp_acl_tcam_group_id(&ruleset->vgroup.group); in mlxsw_sp_acl_tcam_flower_ruleset_group_id()
[all …]
/linux/Documentation/userspace-api/
H A Dlandlock.rst33 perform. A set of rules is aggregated in a ruleset, which can then restrict
50 We first need to define the ruleset that will contain our rules.
52 For this example, the ruleset will contain rules that only allow filesystem
56 The ruleset then needs to handle both these kinds of actions. This is
132 This enables the creation of an inclusive ruleset that will contain our rules.
140 perror("Failed to create a ruleset");
144 We can now add a new rule to this ruleset thanks to the returned file
145 descriptor referring to this ruleset. The rule will only allow reading the
147 denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the
171 perror("Failed to update ruleset");
[all …]
/linux/Documentation/security/
H A Dlandlock.rst42 * Computation related to Landlock operations (e.g. enforcing a ruleset) shall
112 A domain is a read-only ruleset tied to a set of subjects (i.e. tasks'
113 credentials). Each time a ruleset is enforced on a task, the current domain is
114 duplicated and the ruleset is imported as a new layer of rules in the new
119 of a ruleset provided by the task.
124 .. kernel-doc:: security/landlock/ruleset.h
/linux/tools/testing/selftests/net/netfilter/
H A Dnft_queue.sh254 ip netns exec "$nsrouter" nft list ruleset
317 flush ruleset
362 flush ruleset
388 ip netns exec "$ns1" nft list ruleset
423 flush ruleset
500 flush ruleset
569 flush ruleset
585 ip netns exec "$ns1" nft flush ruleset
633 ip netns exec "$ns1" nft flush ruleset
H A Dconntrack_vrf.sh133 ip netns exec "$ns0" nft list ruleset
152 flush ruleset
199 flush ruleset
225 flush ruleset
H A Dnft_fib.sh201 ip netns exec "$ns1" nft flush ruleset
202 ip netns exec "$ns2" nft flush ruleset
203 ip netns exec "$nsrouter" nft flush ruleset
228 ip -net "$nsrouter" nft list ruleset
H A Dnft_flowtable.sh464 ip netns exec "$nsr1" nft list ruleset
499 ip netns exec "$nsr1" nft list ruleset
519 ip netns exec "$nsr1" nft list ruleset
557 ip netns exec "$nsr1" nft list ruleset
581 ip netns exec "$nsr1" nft list ruleset
651 ip netns exec "$nsr1" nft list ruleset 1>&2
H A Dbr_netfilter.sh33 ip netns exec "$ns0" nft list ruleset
50 ip netns exec "$ns0" nft list ruleset
/linux/include/linux/crush/
H A Dmapper.h14 extern int crush_find_rule(const struct crush_map *map, int ruleset, int type, int size);
/linux/security/safesetid/
H A Dsecurityfs.c264 … size_t len, loff_t *ppos, struct mutex *policy_update_lock, struct __rcu setid_ruleset* ruleset) in safesetid_file_read() argument
271 pol = rcu_dereference_protected(ruleset, lockdep_is_held(policy_update_lock)); in safesetid_file_read()
/linux/tools/testing/selftests/net/mptcp/
H A Dmptcp_connect.sh696 flush ruleset
722 ip netns exec "$listener_ns" nft flush ruleset
730 ip netns exec "$listener_ns" nft flush ruleset
746 ip netns exec "$listener_ns" nft flush ruleset

12