/linux/drivers/net/ethernet/marvell/prestera/ |
H A D | prestera_acl.c | 140 struct prestera_acl_ruleset *ruleset; in prestera_acl_ruleset_create() local 147 ruleset = kzalloc(sizeof(*ruleset), GFP_KERNEL); in prestera_acl_ruleset_create() 148 if (!ruleset) in prestera_acl_ruleset_create() 151 ruleset->acl = acl; in prestera_acl_ruleset_create() 152 ruleset->ingress = block->ingress; in prestera_acl_ruleset_create() 153 ruleset->ht_key.block = block; in prestera_acl_ruleset_create() 154 ruleset->ht_key.chain_index = chain_index; in prestera_acl_ruleset_create() 155 refcount_set(&ruleset->refcount, 1); in prestera_acl_ruleset_create() 157 err = rhashtable_init(&ruleset->rule_ht, &prestera_acl_rule_ht_params); in prestera_acl_ruleset_create() 166 ruleset->pcl_id = PRESTERA_ACL_PCL_ID_MAKE((u8)uid, chain_index); in prestera_acl_ruleset_create() [all …]
H A D | prestera_flower.c | 11 struct prestera_acl_ruleset *ruleset; member 19 prestera_acl_ruleset_put(template->ruleset); in prestera_flower_template_free() 39 struct prestera_acl_ruleset *ruleset; in prestera_flower_parse_goto_action() local 48 ruleset = prestera_acl_ruleset_get(block->sw->acl, block, in prestera_flower_parse_goto_action() 50 if (IS_ERR(ruleset)) in prestera_flower_parse_goto_action() 51 return PTR_ERR(ruleset); in prestera_flower_parse_goto_action() 54 rule->re_arg.jump.i.index = prestera_acl_ruleset_index_get(ruleset); in prestera_flower_parse_goto_action() 56 rule->jump_ruleset = ruleset; in prestera_flower_parse_goto_action() 407 struct prestera_acl_ruleset *ruleset; in prestera_flower_prio_get() local 409 ruleset = prestera_acl_ruleset_lookup(block->sw->acl, block, chain_index); in prestera_flower_prio_get() [all …]
H A D | prestera_acl.h | 130 struct prestera_acl_ruleset *ruleset; member 156 prestera_acl_rule_create(struct prestera_acl_ruleset *ruleset, 162 prestera_acl_rule_lookup(struct prestera_acl_ruleset *ruleset, 188 int prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset, 190 bool prestera_acl_ruleset_is_offload(struct prestera_acl_ruleset *ruleset); 191 int prestera_acl_ruleset_offload(struct prestera_acl_ruleset *ruleset); 192 void prestera_acl_ruleset_put(struct prestera_acl_ruleset *ruleset); 193 int prestera_acl_ruleset_bind(struct prestera_acl_ruleset *ruleset, 195 int prestera_acl_ruleset_unbind(struct prestera_acl_ruleset *ruleset, 197 u32 prestera_acl_ruleset_index_get(const struct prestera_acl_ruleset *ruleset); [all …]
/linux/security/landlock/ |
H A D | syscalls.c | 120 struct landlock_ruleset *ruleset = filp->private_data; in fop_ruleset_release() local 122 landlock_put_ruleset(ruleset); in fop_ruleset_release() 184 struct landlock_ruleset *ruleset; in SYSCALL_DEFINE3() local 223 ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs, in SYSCALL_DEFINE3() 226 if (IS_ERR(ruleset)) in SYSCALL_DEFINE3() 227 return PTR_ERR(ruleset); in SYSCALL_DEFINE3() 231 ruleset, O_RDWR | O_CLOEXEC); in SYSCALL_DEFINE3() 233 landlock_put_ruleset(ruleset); in SYSCALL_DEFINE3() 245 struct landlock_ruleset *ruleset; in get_ruleset_from_fd() local 255 ruleset = fd_file(ruleset_f)->private_data; in get_ruleset_from_fd() [all …]
H A D | ruleset.h | 252 void landlock_put_ruleset(struct landlock_ruleset *const ruleset); 253 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset); 255 int landlock_insert_rule(struct landlock_ruleset *const ruleset, 261 struct landlock_ruleset *const ruleset); 264 landlock_find_rule(const struct landlock_ruleset *const ruleset, 267 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset) in landlock_get_ruleset() argument 269 if (ruleset) in landlock_get_ruleset() 270 refcount_inc(&ruleset->usage); in landlock_get_ruleset() 329 landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset, in landlock_add_fs_access_mask() argument 337 ruleset->access_masks[layer_level].fs |= fs_mask; in landlock_add_fs_access_mask() [all …]
H A D | ruleset.c | 140 static struct rb_root *get_root(struct landlock_ruleset *const ruleset, in get_root() argument 145 return &ruleset->root_inode; in get_root() 149 return &ruleset->root_net_port; in get_root() 171 const struct landlock_ruleset ruleset = { in build_check_ruleset() local 176 BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES); in build_check_ruleset() 177 BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS); in build_check_ruleset() 198 static int insert_rule(struct landlock_ruleset *const ruleset, in insert_rule() argument 209 lockdep_assert_held(&ruleset->lock); in insert_rule() 216 root = get_root(ruleset, id.type); in insert_rule() 270 if (ruleset->num_rules >= LANDLOCK_MAX_NUM_RULES) in insert_rule() [all …]
H A D | net.c | 20 int landlock_append_net_rule(struct landlock_ruleset *const ruleset, in landlock_append_net_rule() argument 33 ~landlock_get_net_access_mask(ruleset, 0); in landlock_append_net_rule() 35 mutex_lock(&ruleset->lock); in landlock_append_net_rule() 36 err = landlock_insert_rule(ruleset, id, access_rights); in landlock_append_net_rule() 37 mutex_unlock(&ruleset->lock); in landlock_append_net_rule()
H A D | net.h | 18 int landlock_append_net_rule(struct landlock_ruleset *const ruleset, 26 landlock_append_net_rule(struct landlock_ruleset *const ruleset, const u16 port, in landlock_append_net_rule() argument
H A D | Makefile | 3 landlock-y := setup.o syscalls.o object.o ruleset.o \
H A D | fs.h | 98 int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
H A D | fs.c | 317 int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, in landlock_append_fs_rule() argument 330 if (WARN_ON_ONCE(ruleset->num_layers != 1)) in landlock_append_fs_rule() 335 ~landlock_get_fs_access_mask(ruleset, 0); in landlock_append_fs_rule() 339 mutex_lock(&ruleset->lock); in landlock_append_fs_rule() 340 err = landlock_insert_rule(ruleset, id, access_rights); in landlock_append_fs_rule() 341 mutex_unlock(&ruleset->lock); in landlock_append_fs_rule()
/linux/drivers/net/ethernet/mellanox/mlxsw/ |
H A D | spectrum_acl.c | 70 struct mlxsw_sp_acl_ruleset *ruleset; member 100 mlxsw_sp_acl_ruleset_is_singular(const struct mlxsw_sp_acl_ruleset *ruleset) in mlxsw_sp_acl_ruleset_is_singular() argument 103 return refcount_read(&ruleset->ref_count) == 2; in mlxsw_sp_acl_ruleset_is_singular() 110 struct mlxsw_sp_acl_ruleset *ruleset = block->ruleset_zero; in mlxsw_sp_acl_ruleset_bind() local 111 const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; in mlxsw_sp_acl_ruleset_bind() 113 return ops->ruleset_bind(mlxsw_sp, ruleset->priv, in mlxsw_sp_acl_ruleset_bind() 121 struct mlxsw_sp_acl_ruleset *ruleset = block->ruleset_zero; in mlxsw_sp_acl_ruleset_unbind() local 122 const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; in mlxsw_sp_acl_ruleset_unbind() 124 ops->ruleset_unbind(mlxsw_sp, ruleset->priv, in mlxsw_sp_acl_ruleset_unbind() 130 struct mlxsw_sp_acl_ruleset *ruleset, in mlxsw_sp_acl_ruleset_block_bind() argument [all …]
H A D | spectrum_flower.c | 131 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp_flower_parse_actions() local 134 ruleset = mlxsw_sp_acl_ruleset_lookup(mlxsw_sp, block, in mlxsw_sp_flower_parse_actions() 137 if (IS_ERR(ruleset)) in mlxsw_sp_flower_parse_actions() 138 return PTR_ERR(ruleset); in mlxsw_sp_flower_parse_actions() 140 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); in mlxsw_sp_flower_parse_actions() 735 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp_flower_replace() local 743 ruleset = mlxsw_sp_acl_ruleset_get(mlxsw_sp, block, in mlxsw_sp_flower_replace() 746 if (IS_ERR(ruleset)) in mlxsw_sp_flower_replace() 747 return PTR_ERR(ruleset); in mlxsw_sp_flower_replace() 749 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, f->cookie, NULL, in mlxsw_sp_flower_replace() [all …]
H A D | spectrum2_mr_tcam.c | 36 struct mlxsw_sp_acl_ruleset *ruleset) in mlxsw_sp2_mr_tcam_bind_group() argument 41 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); in mlxsw_sp2_mr_tcam_bind_group() 218 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp2_mr_tcam_route_create() local 223 ruleset = mlxsw_sp2_mr_tcam_proto_ruleset(mr_tcam, key->proto); in mlxsw_sp2_mr_tcam_route_create() 224 if (WARN_ON(!ruleset)) in mlxsw_sp2_mr_tcam_route_create() 227 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, in mlxsw_sp2_mr_tcam_route_create() 251 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp2_mr_tcam_route_destroy() local 254 ruleset = mlxsw_sp2_mr_tcam_proto_ruleset(mr_tcam, key->proto); in mlxsw_sp2_mr_tcam_route_destroy() 255 if (WARN_ON(!ruleset)) in mlxsw_sp2_mr_tcam_route_destroy() 258 rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, in mlxsw_sp2_mr_tcam_route_destroy() [all …]
H A D | spectrum_acl_tcam.c | 1695 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_add() local 1697 return mlxsw_sp_acl_tcam_vgroup_add(mlxsw_sp, tcam, &ruleset->vgroup, in mlxsw_sp_acl_tcam_flower_ruleset_add() 1708 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_del() local 1710 mlxsw_sp_acl_tcam_vgroup_del(&ruleset->vgroup); in mlxsw_sp_acl_tcam_flower_ruleset_del() 1719 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_bind() local 1721 return mlxsw_sp_acl_tcam_group_bind(mlxsw_sp, &ruleset->vgroup.group, in mlxsw_sp_acl_tcam_flower_ruleset_bind() 1731 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_unbind() local 1733 mlxsw_sp_acl_tcam_group_unbind(mlxsw_sp, &ruleset->vgroup.group, in mlxsw_sp_acl_tcam_flower_ruleset_unbind() 1740 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_group_id() local 1742 return mlxsw_sp_acl_tcam_group_id(&ruleset->vgroup.group); in mlxsw_sp_acl_tcam_flower_ruleset_group_id() [all …]
/linux/Documentation/userspace-api/ |
H A D | landlock.rst | 33 perform. A set of rules is aggregated in a ruleset, which can then restrict 50 We first need to define the ruleset that will contain our rules. 52 For this example, the ruleset will contain rules that only allow filesystem 56 The ruleset then needs to handle both these kinds of actions. This is 132 This enables the creation of an inclusive ruleset that will contain our rules. 140 perror("Failed to create a ruleset"); 144 We can now add a new rule to this ruleset thanks to the returned file 145 descriptor referring to this ruleset. The rule will only allow reading the 147 denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the 171 perror("Failed to update ruleset"); [all …]
/linux/Documentation/security/ |
H A D | landlock.rst | 42 * Computation related to Landlock operations (e.g. enforcing a ruleset) shall 112 A domain is a read-only ruleset tied to a set of subjects (i.e. tasks' 113 credentials). Each time a ruleset is enforced on a task, the current domain is 114 duplicated and the ruleset is imported as a new layer of rules in the new 119 of a ruleset provided by the task. 124 .. kernel-doc:: security/landlock/ruleset.h
/linux/tools/testing/selftests/net/netfilter/ |
H A D | nft_queue.sh | 254 ip netns exec "$nsrouter" nft list ruleset 317 flush ruleset 362 flush ruleset 388 ip netns exec "$ns1" nft list ruleset 423 flush ruleset 500 flush ruleset 569 flush ruleset 585 ip netns exec "$ns1" nft flush ruleset 633 ip netns exec "$ns1" nft flush ruleset
H A D | conntrack_vrf.sh | 133 ip netns exec "$ns0" nft list ruleset 152 flush ruleset 199 flush ruleset 225 flush ruleset
H A D | nft_fib.sh | 201 ip netns exec "$ns1" nft flush ruleset 202 ip netns exec "$ns2" nft flush ruleset 203 ip netns exec "$nsrouter" nft flush ruleset 228 ip -net "$nsrouter" nft list ruleset
H A D | nft_flowtable.sh | 464 ip netns exec "$nsr1" nft list ruleset 499 ip netns exec "$nsr1" nft list ruleset 519 ip netns exec "$nsr1" nft list ruleset 557 ip netns exec "$nsr1" nft list ruleset 581 ip netns exec "$nsr1" nft list ruleset 651 ip netns exec "$nsr1" nft list ruleset 1>&2
H A D | br_netfilter.sh | 33 ip netns exec "$ns0" nft list ruleset 50 ip netns exec "$ns0" nft list ruleset
/linux/include/linux/crush/ |
H A D | mapper.h | 14 extern int crush_find_rule(const struct crush_map *map, int ruleset, int type, int size);
/linux/security/safesetid/ |
H A D | securityfs.c | 264 … size_t len, loff_t *ppos, struct mutex *policy_update_lock, struct __rcu setid_ruleset* ruleset) in safesetid_file_read() argument 271 pol = rcu_dereference_protected(ruleset, lockdep_is_held(policy_update_lock)); in safesetid_file_read()
/linux/tools/testing/selftests/net/mptcp/ |
H A D | mptcp_connect.sh | 696 flush ruleset 722 ip netns exec "$listener_ns" nft flush ruleset 730 ip netns exec "$listener_ns" nft flush ruleset 746 ip netns exec "$listener_ns" nft flush ruleset