
Searched refs:ruleset (Results 1 – 25 of 26) sorted by relevance


/Linux-v5.15/security/landlock/
Dsyscalls.c98 struct landlock_ruleset *ruleset = filp->private_data; in fop_ruleset_release() local
100 landlock_put_ruleset(ruleset); in fop_ruleset_release()
161 struct landlock_ruleset *ruleset; in SYSCALL_DEFINE3() local
190 ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs); in SYSCALL_DEFINE3()
191 if (IS_ERR(ruleset)) in SYSCALL_DEFINE3()
192 return PTR_ERR(ruleset); in SYSCALL_DEFINE3()
196 ruleset, O_RDWR | O_CLOEXEC); in SYSCALL_DEFINE3()
198 landlock_put_ruleset(ruleset); in SYSCALL_DEFINE3()
210 struct landlock_ruleset *ruleset; in get_ruleset_from_fd() local
218 ruleset = ERR_PTR(-EBADFD); in get_ruleset_from_fd()
[all …]
Druleset.c115 const struct landlock_ruleset ruleset = { in build_check_ruleset() local
119 typeof(ruleset.fs_access_masks[0]) fs_access_mask = ~0; in build_check_ruleset()
121 BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES); in build_check_ruleset()
122 BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS); in build_check_ruleset()
144 static int insert_rule(struct landlock_ruleset *const ruleset, in insert_rule() argument
154 lockdep_assert_held(&ruleset->lock); in insert_rule()
157 walker_node = &(ruleset->root.rb_node); in insert_rule()
200 rb_replace_node(&this->node, &new_rule->node, &ruleset->root); in insert_rule()
207 if (ruleset->num_rules >= LANDLOCK_MAX_NUM_RULES) in insert_rule()
213 rb_insert_color(&new_rule->node, &ruleset->root); in insert_rule()
[all …]
Druleset.h145 void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
146 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
148 int landlock_insert_rule(struct landlock_ruleset *const ruleset,
153 struct landlock_ruleset *const ruleset);
156 const struct landlock_ruleset *const ruleset,
159 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset) in landlock_get_ruleset() argument
161 if (ruleset) in landlock_get_ruleset()
162 refcount_inc(&ruleset->usage); in landlock_get_ruleset()
Dfs.c152 int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, in landlock_append_fs_rule() argument
162 if (WARN_ON_ONCE(ruleset->num_layers != 1)) in landlock_append_fs_rule()
166 access_rights |= LANDLOCK_MASK_ACCESS_FS & ~ruleset->fs_access_masks[0]; in landlock_append_fs_rule()
170 mutex_lock(&ruleset->lock); in landlock_append_fs_rule()
171 err = landlock_insert_rule(ruleset, object, access_rights); in landlock_append_fs_rule()
172 mutex_unlock(&ruleset->lock); in landlock_append_fs_rule()
DMakefile3 landlock-y := setup.o syscalls.o object.o ruleset.o \
Dfs.h67 int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
/Linux-v5.15/drivers/net/ethernet/mellanox/mlxsw/
Dspectrum_acl.c64 struct mlxsw_sp_acl_ruleset *ruleset; member
94 mlxsw_sp_acl_ruleset_is_singular(const struct mlxsw_sp_acl_ruleset *ruleset) in mlxsw_sp_acl_ruleset_is_singular() argument
97 return ruleset->ref_count == 2; in mlxsw_sp_acl_ruleset_is_singular()
104 struct mlxsw_sp_acl_ruleset *ruleset = block->ruleset_zero; in mlxsw_sp_acl_ruleset_bind() local
105 const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; in mlxsw_sp_acl_ruleset_bind()
107 return ops->ruleset_bind(mlxsw_sp, ruleset->priv, in mlxsw_sp_acl_ruleset_bind()
115 struct mlxsw_sp_acl_ruleset *ruleset = block->ruleset_zero; in mlxsw_sp_acl_ruleset_unbind() local
116 const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; in mlxsw_sp_acl_ruleset_unbind()
118 ops->ruleset_unbind(mlxsw_sp, ruleset->priv, in mlxsw_sp_acl_ruleset_unbind()
124 struct mlxsw_sp_acl_ruleset *ruleset, in mlxsw_sp_acl_ruleset_block_bind() argument
[all …]
Dspectrum_flower.c91 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp_flower_parse_actions() local
94 ruleset = mlxsw_sp_acl_ruleset_lookup(mlxsw_sp, block, in mlxsw_sp_flower_parse_actions()
97 if (IS_ERR(ruleset)) in mlxsw_sp_flower_parse_actions()
98 return PTR_ERR(ruleset); in mlxsw_sp_flower_parse_actions()
100 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); in mlxsw_sp_flower_parse_actions()
588 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp_flower_replace() local
596 ruleset = mlxsw_sp_acl_ruleset_get(mlxsw_sp, block, in mlxsw_sp_flower_replace()
599 if (IS_ERR(ruleset)) in mlxsw_sp_flower_replace()
600 return PTR_ERR(ruleset); in mlxsw_sp_flower_replace()
602 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, f->cookie, NULL, in mlxsw_sp_flower_replace()
[all …]
Dspectrum2_mr_tcam.c36 struct mlxsw_sp_acl_ruleset *ruleset) in mlxsw_sp2_mr_tcam_bind_group() argument
41 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); in mlxsw_sp2_mr_tcam_bind_group()
214 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp2_mr_tcam_route_create() local
219 ruleset = mlxsw_sp2_mr_tcam_proto_ruleset(mr_tcam, key->proto); in mlxsw_sp2_mr_tcam_route_create()
220 if (WARN_ON(!ruleset)) in mlxsw_sp2_mr_tcam_route_create()
223 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, in mlxsw_sp2_mr_tcam_route_create()
247 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp2_mr_tcam_route_destroy() local
250 ruleset = mlxsw_sp2_mr_tcam_proto_ruleset(mr_tcam, key->proto); in mlxsw_sp2_mr_tcam_route_destroy()
251 if (WARN_ON(!ruleset)) in mlxsw_sp2_mr_tcam_route_destroy()
254 rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, in mlxsw_sp2_mr_tcam_route_destroy()
[all …]
Dspectrum_acl_tcam.c1613 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_add() local
1615 return mlxsw_sp_acl_tcam_vgroup_add(mlxsw_sp, tcam, &ruleset->vgroup, in mlxsw_sp_acl_tcam_flower_ruleset_add()
1626 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_del() local
1628 mlxsw_sp_acl_tcam_vgroup_del(&ruleset->vgroup); in mlxsw_sp_acl_tcam_flower_ruleset_del()
1637 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_bind() local
1639 return mlxsw_sp_acl_tcam_group_bind(mlxsw_sp, &ruleset->vgroup.group, in mlxsw_sp_acl_tcam_flower_ruleset_bind()
1649 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_unbind() local
1651 mlxsw_sp_acl_tcam_group_unbind(mlxsw_sp, &ruleset->vgroup.group, in mlxsw_sp_acl_tcam_flower_ruleset_unbind()
1658 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_group_id() local
1660 return mlxsw_sp_acl_tcam_group_id(&ruleset->vgroup.group); in mlxsw_sp_acl_tcam_flower_ruleset_group_id()
[all …]
Dspectrum.h925 struct mlxsw_sp_acl_ruleset *ruleset);
926 u16 mlxsw_sp_acl_ruleset_group_id(struct mlxsw_sp_acl_ruleset *ruleset);
927 void mlxsw_sp_acl_ruleset_prio_get(struct mlxsw_sp_acl_ruleset *ruleset,
996 struct mlxsw_sp_acl_ruleset *ruleset,
1011 struct mlxsw_sp_acl_ruleset *ruleset,
/Linux-v5.15/drivers/net/ethernet/marvell/prestera/
Dprestera_acl.c45 struct prestera_acl_ruleset *ruleset; in prestera_acl_ruleset_create() local
48 ruleset = kzalloc(sizeof(*ruleset), GFP_KERNEL); in prestera_acl_ruleset_create()
49 if (!ruleset) in prestera_acl_ruleset_create()
52 err = rhashtable_init(&ruleset->rule_ht, &prestera_acl_rule_ht_params); in prestera_acl_ruleset_create()
56 err = prestera_hw_acl_ruleset_create(sw, &ruleset->id); in prestera_acl_ruleset_create()
60 ruleset->sw = sw; in prestera_acl_ruleset_create()
62 return ruleset; in prestera_acl_ruleset_create()
65 rhashtable_destroy(&ruleset->rule_ht); in prestera_acl_ruleset_create()
67 kfree(ruleset); in prestera_acl_ruleset_create()
71 static void prestera_acl_ruleset_destroy(struct prestera_acl_ruleset *ruleset) in prestera_acl_ruleset_destroy() argument
[all …]
Dprestera_acl.h46 struct prestera_acl_ruleset *ruleset; member
114 prestera_acl_rule_lookup(struct prestera_acl_ruleset *ruleset,
/Linux-v5.15/Documentation/userspace-api/
Dlandlock.rst26 rights`_. A set of rules is aggregated in a ruleset, which can then restrict
32 We first need to create the ruleset that will contain our rules. For this
33 example, the ruleset will contain rules that only allow read actions, but write
34 actions will be denied. The ruleset then needs to handle both of these kind of
59 perror("Failed to create a ruleset");
63 We can now add a new rule to this ruleset thanks to the returned file
64 descriptor referring to this ruleset. The rule will only allow reading the
66 denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the
90 perror("Failed to update ruleset");
95 We now have a ruleset with one rule allowing read access to ``/usr`` while
[all …]
/Linux-v5.15/Documentation/security/
Dlandlock.rst42 * Computation related to Landlock operations (e.g. enforcing a ruleset) shall
69 A domain is a read-only ruleset tied to a set of subjects (i.e. tasks'
70 credentials). Each time a ruleset is enforced on a task, the current domain is
71 duplicated and the ruleset is imported as a new layer of rules in the new
76 of a ruleset provided by the task.
81 .. kernel-doc:: security/landlock/ruleset.h
/Linux-v5.15/tools/testing/selftests/netfilter/
Dnft_flowtable.sh319 ip netns exec nsr1 nft list ruleset
350 ip netns exec nsr1 nft list ruleset
370 ip netns exec nsr1 nft list ruleset
405 ip netns exec nsr1 nft list ruleset
430 ip netns exec nsr1 nft list ruleset
498 ip netns exec nsr1 nft list ruleset 1>&2
Dnft_zones_many.sh41 flush ruleset
Dnft_queue.sh247 ip netns exec ${nsrouter} nft list ruleset
298 flush ruleset
Dnft_concat_range.sh906 nft flush ruleset >/dev/null 2>&1
1288 nft flush ruleset
1455 nft flush ruleset
/Linux-v5.15/include/linux/crush/
Dmapper.h14 extern int crush_find_rule(const struct crush_map *map, int ruleset, int type, int size);
Dcrush.h81 __u8 ruleset; member
/Linux-v5.15/security/safesetid/
Dsecurityfs.c264 … size_t len, loff_t *ppos, struct mutex *policy_update_lock, struct __rcu setid_ruleset* ruleset) in safesetid_file_read() argument
271 pol = rcu_dereference_protected(ruleset, lockdep_is_held(policy_update_lock)); in safesetid_file_read()
/Linux-v5.15/net/ceph/crush/
Dmapper.c42 int crush_find_rule(const struct crush_map *map, int ruleset, int type, int size) in crush_find_rule() argument
48 map->rules[i]->mask.ruleset == ruleset && in crush_find_rule()
/Linux-v5.15/Documentation/networking/
Dtproxy.rst67 add rules like this to the iptables ruleset above::
Dnf_flowtable.rst17 flowtable through your ruleset. The flowtable infrastructure provides a rule
