From: Paul Moore
Date: Mon, 11 Oct 2021 15:41:01 -0400
Subject: Re: [PATCH v2 selinux] selinux: remove unneeded ipv6 hook wrappers
To: Ondrej Mosnacek
Cc: Florian Westphal, SElinux list, Stephen Smalley, Eric Paris, Linux kernel mailing list
References: <20211011142416.26798-1-fw@strlen.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Oct 11, 2021 at 2:21 PM Ondrej Mosnacek wrote:
>
> On Mon, Oct 11, 2021 at 7:10 PM Paul Moore wrote:
> > On Mon, Oct 11, 2021 at 10:25 AM Florian Westphal wrote:
> > >
> > > Netfilter places the protocol number the hook function is getting called
> > > from in state->pf, so we can use that instead of an extra wrapper.
> > >
> > > Signed-off-by: Florian Westphal
> > > ---
> > > v2: add back '#endif /* CONFIG_NETFILTER */' erronously axed in v1.
> > > Applies to 'next' branch of
> > > https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/
> > >
> > > security/selinux/hooks.c | 52 ++++++++++------------------------------
> > > 1 file changed, 12 insertions(+), 40 deletions(-)
> >
> > ...
> >
> > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > > index e7ebd45ca345..831b857d5dd7 100644
> > > --- a/security/selinux/hooks.c
> > > +++ b/security/selinux/hooks.c
> > > @@ -7470,38 +7442,38 @@ DEFINE_LSM(selinux) = {
> > >
> > > static const struct nf_hook_ops selinux_nf_ops[] = {
> > > {
> > > - .hook = selinux_ipv4_postroute,
> > > + .hook = selinux_hook_postroute,
> > > .pf = NFPROTO_IPV4,
> > > .hooknum = NF_INET_POST_ROUTING,
> > > .priority = NF_IP_PRI_SELINUX_LAST,
> > > },
> >
> > Thanks for the patch Florian, although the name "selinux_hook_*" seems
> > a bit ambiguous to me, after all we have a little more than 200
> > "hooks" in the SELinux LSM implementation. Would you be okay with
> > calling the netfilter hook functions "selinux_nf_*" or something
> > similar? If you don't have time I can do the rename during the merge
> > assuming we can all agree on a name.
>
> Since selinux_ip_forward() and selinux_ip_postroute() are used only in
> the hook functions, how about changing their signature and using them
> as hooks directly? That would solve the naming and also remove a few
> extra lines of boilerplate.

No argument against that from me, although you should be able to do
the same for selinux_ip_output() as well unless I missed a caller.

-- 
paul moore
www.paul-moore.com
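
Review bot: the dependency on state->pf is undocumented at the registration site. In the quoted selinux_nf_ops[] entry, .hook becomes the shared selinux_hook_postroute while .pf = NFPROTO_IPV4 is unchanged, so the address family the handler acts on is no longer fixed by which wrapper was registered; it is read from state->pf at run time, as the commit message says. A short comment above selinux_nf_ops[] or on the shared hook, stating that one handler serves more than one family and selects on state->pf, would make that explicit, and the shared function should treat a state->pf value it does not expect as an explicit case rather than falling through to one family's path. Only this one entry of the 38-line hunk is visible in the quote, so the comment is limited to it.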