hooks.c (c5c34f5793f384ed2895584c6e2350b059c3f161) | hooks.c (4342f70538b929b188c6e370fe24a155e6532eb2) |
---|---|
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> --- 746 unchanged lines hidden (view full) --- 755 756 if (strcmp(sb->s_type->name, "proc") == 0) 757 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 758 759 if (!strcmp(sb->s_type->name, "debugfs") || 760 !strcmp(sb->s_type->name, "tracefs") || 761 !strcmp(sb->s_type->name, "binder") || 762 !strcmp(sb->s_type->name, "bpf") || | 1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * NSA Security-Enhanced Linux (SELinux) security module 4 * 5 * This file contains the SELinux hook function implementations. 6 * 7 * Authors: Stephen Smalley, <sds@tycho.nsa.gov> 8 * Chris Vance, <cvance@nai.com> --- 746 unchanged lines hidden (view full) --- 755 756 if (strcmp(sb->s_type->name, "proc") == 0) 757 sbsec->flags |= SE_SBPROC | SE_SBGENFS; 758 759 if (!strcmp(sb->s_type->name, "debugfs") || 760 !strcmp(sb->s_type->name, "tracefs") || 761 !strcmp(sb->s_type->name, "binder") || 762 !strcmp(sb->s_type->name, "bpf") || |
763 !strcmp(sb->s_type->name, "pstore")) | 763 !strcmp(sb->s_type->name, "pstore") || 764 !strcmp(sb->s_type->name, "securityfs")) |
764 sbsec->flags |= SE_SBGENFS; 765 766 if (!strcmp(sb->s_type->name, "sysfs") || 767 !strcmp(sb->s_type->name, "cgroup") || 768 !strcmp(sb->s_type->name, "cgroup2")) 769 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 770 771 if (!sbsec->behavior) { --- 1380 unchanged lines hidden (view full) --- 2152 2153 return avc_has_perm(&selinux_state, 2154 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2155} 2156 2157static int selinux_ptrace_traceme(struct task_struct *parent) 2158{ 2159 return avc_has_perm(&selinux_state, | 765 sbsec->flags |= SE_SBGENFS; 766 767 if (!strcmp(sb->s_type->name, "sysfs") || 768 !strcmp(sb->s_type->name, "cgroup") || 769 !strcmp(sb->s_type->name, "cgroup2")) 770 sbsec->flags |= SE_SBGENFS | SE_SBGENFS_XATTR; 771 772 if (!sbsec->behavior) { --- 1380 unchanged lines hidden (view full) --- 2153 2154 return avc_has_perm(&selinux_state, 2155 sid, csid, SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2156} 2157 2158static int selinux_ptrace_traceme(struct task_struct *parent) 2159{ 2160 return avc_has_perm(&selinux_state, |
2160 task_sid_obj(parent), task_sid_obj(current), | 2161 task_sid_subj(parent), task_sid_obj(current), |
2161 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2162} 2163 2164static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2165 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2166{ 2167 return avc_has_perm(&selinux_state, 2168 current_sid(), task_sid_obj(target), SECCLASS_PROCESS, --- 3514 unchanged lines hidden (view full) --- 5683 return err; 5684 tunsec->sid = sid; 5685 5686 return 0; 5687} 5688 5689#ifdef CONFIG_NETFILTER 5690 | 2162 SECCLASS_PROCESS, PROCESS__PTRACE, NULL); 2163} 2164 2165static int selinux_capget(struct task_struct *target, kernel_cap_t *effective, 2166 kernel_cap_t *inheritable, kernel_cap_t *permitted) 2167{ 2168 return avc_has_perm(&selinux_state, 2169 current_sid(), task_sid_obj(target), SECCLASS_PROCESS, --- 3514 unchanged lines hidden (view full) --- 5684 return err; 5685 tunsec->sid = sid; 5686 5687 return 0; 5688} 5689 5690#ifdef CONFIG_NETFILTER 5691 |
5691static unsigned int selinux_ip_forward(struct sk_buff *skb, 5692 const struct net_device *indev, 5693 u16 family) | 5692static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5693 const struct nf_hook_state *state) |
5694{ | 5694{ |
5695 const struct net_device *indev = state->in; 5696 u16 family = state->pf; |
|
5695 int err; 5696 char *addrp; 5697 u32 peer_sid; 5698 struct common_audit_data ad; 5699 struct lsm_network_audit net = {0,}; 5700 u8 secmark_active; 5701 u8 netlbl_active; 5702 u8 peerlbl_active; --- 38 unchanged lines hidden (view full) --- 5741 * labeling before IPsec is applied so we can leverage AH 5742 * protection */ 5743 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5744 return NF_DROP; 5745 5746 return NF_ACCEPT; 5747} 5748 | 5697 int err; 5698 char *addrp; 5699 u32 peer_sid; 5700 struct common_audit_data ad; 5701 struct lsm_network_audit net = {0,}; 5702 u8 secmark_active; 5703 u8 netlbl_active; 5704 u8 peerlbl_active; --- 38 unchanged lines hidden (view full) --- 5743 * labeling before IPsec is applied so we can leverage AH 5744 * protection */ 5745 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0) 5746 return NF_DROP; 5747 5748 return NF_ACCEPT; 5749} 5750 |
5749static unsigned int selinux_ipv4_forward(void *priv, 5750 struct sk_buff *skb, 5751 const struct nf_hook_state *state) | 5751static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, 5752 const struct nf_hook_state *state) |
5752{ | 5753{ |
5753 return selinux_ip_forward(skb, state->in, PF_INET); 5754} 5755 5756#if IS_ENABLED(CONFIG_IPV6) 5757static unsigned int selinux_ipv6_forward(void *priv, 5758 struct sk_buff *skb, 5759 const struct nf_hook_state *state) 5760{ 5761 return selinux_ip_forward(skb, state->in, PF_INET6); 5762} 5763#endif /* IPV6 */ 5764 5765static unsigned int selinux_ip_output(struct sk_buff *skb, 5766 u16 family) 5767{ | 5754 u16 family = state->pf; |
5768 struct sock *sk; 5769 u32 sid; 5770 5771 if (!netlbl_enabled()) 5772 return NF_ACCEPT; 5773 5774 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5775 * because we want to make sure we apply the necessary labeling --- 23 unchanged lines hidden (view full) --- 5799 } else 5800 sid = SECINITSID_KERNEL; 5801 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5802 return NF_DROP; 5803 5804 return NF_ACCEPT; 5805} 5806 | 5755 struct sock *sk; 5756 u32 sid; 5757 5758 if (!netlbl_enabled()) 5759 return NF_ACCEPT; 5760 5761 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path 5762 * because we want to make sure we apply the necessary labeling --- 23 unchanged lines hidden (view full) --- 5786 } else 5787 sid = SECINITSID_KERNEL; 5788 if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5789 return NF_DROP; 5790 5791 return NF_ACCEPT; 5792} 5793 |
5807static unsigned int selinux_ipv4_output(void *priv, 5808 struct sk_buff *skb, 5809 const struct nf_hook_state *state) 5810{ 5811 return selinux_ip_output(skb, PF_INET); 5812} | |
5813 | 5794 |
5814#if IS_ENABLED(CONFIG_IPV6) 5815static unsigned int selinux_ipv6_output(void *priv, 5816 struct sk_buff *skb, 5817 const struct nf_hook_state *state) 5818{ 5819 return selinux_ip_output(skb, PF_INET6); 5820} 5821#endif /* IPV6 */ 5822 | |
5823static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5824 int ifindex, 5825 u16 family) 5826{ 5827 struct sock *sk = skb_to_full_sk(skb); 5828 struct sk_security_struct *sksec; 5829 struct common_audit_data ad; 5830 struct lsm_network_audit net = {0,}; --- 18 unchanged lines hidden (view full) --- 5849 return NF_DROP_ERR(-ECONNREFUSED); 5850 5851 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5852 return NF_DROP_ERR(-ECONNREFUSED); 5853 5854 return NF_ACCEPT; 5855} 5856 | 5795static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5796 int ifindex, 5797 u16 family) 5798{ 5799 struct sock *sk = skb_to_full_sk(skb); 5800 struct sk_security_struct *sksec; 5801 struct common_audit_data ad; 5802 struct lsm_network_audit net = {0,}; --- 18 unchanged lines hidden (view full) --- 5821 return NF_DROP_ERR(-ECONNREFUSED); 5822 5823 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto)) 5824 return NF_DROP_ERR(-ECONNREFUSED); 5825 5826 return NF_ACCEPT; 5827} 5828 |
5857static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5858 const struct net_device *outdev, 5859 u16 family) | 5829static unsigned int selinux_ip_postroute(void *priv, 5830 struct sk_buff *skb, 5831 const struct nf_hook_state *state) |
5860{ | 5832{ |
5833 const struct net_device *outdev = state->out; 5834 u16 family = state->pf; |
|
5861 u32 secmark_perm; 5862 u32 peer_sid; 5863 int ifindex = outdev->ifindex; 5864 struct sock *sk; 5865 struct common_audit_data ad; 5866 struct lsm_network_audit net = {0,}; 5867 char *addrp; 5868 u8 secmark_active; --- 119 unchanged lines hidden (view full) --- 5988 if (avc_has_perm(&selinux_state, 5989 peer_sid, node_sid, 5990 SECCLASS_NODE, NODE__SENDTO, &ad)) 5991 return NF_DROP_ERR(-ECONNREFUSED); 5992 } 5993 5994 return NF_ACCEPT; 5995} | 5835 u32 secmark_perm; 5836 u32 peer_sid; 5837 int ifindex = outdev->ifindex; 5838 struct sock *sk; 5839 struct common_audit_data ad; 5840 struct lsm_network_audit net = {0,}; 5841 char *addrp; 5842 u8 secmark_active; --- 119 unchanged lines hidden (view full) --- 5962 if (avc_has_perm(&selinux_state, 5963 peer_sid, node_sid, 5964 SECCLASS_NODE, NODE__SENDTO, &ad)) 5965 return NF_DROP_ERR(-ECONNREFUSED); 5966 } 5967 5968 return NF_ACCEPT; 5969} |
5996 5997static unsigned int selinux_ipv4_postroute(void *priv, 5998 struct sk_buff *skb, 5999 const struct nf_hook_state *state) 6000{ 6001 return selinux_ip_postroute(skb, state->out, PF_INET); 6002} 6003 6004#if IS_ENABLED(CONFIG_IPV6) 6005static unsigned int selinux_ipv6_postroute(void *priv, 6006 struct sk_buff *skb, 6007 const struct nf_hook_state *state) 6008{ 6009 return selinux_ip_postroute(skb, state->out, PF_INET6); 6010} 6011#endif /* IPV6 */ 6012 | |
6013#endif /* CONFIG_NETFILTER */ 6014 6015static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 6016{ 6017 int rc = 0; 6018 unsigned int msg_len; 6019 unsigned int data_len = skb->len; 6020 unsigned char *data = skb->data; --- 196 unchanged lines hidden (view full) --- 6217 6218static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6219 struct task_struct *target, 6220 long type, int mode) 6221{ 6222 struct ipc_security_struct *isec; 6223 struct msg_security_struct *msec; 6224 struct common_audit_data ad; | 5970#endif /* CONFIG_NETFILTER */ 5971 5972static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) 5973{ 5974 int rc = 0; 5975 unsigned int msg_len; 5976 unsigned int data_len = skb->len; 5977 unsigned char *data = skb->data; --- 196 unchanged lines hidden (view full) --- 6174 6175static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, 6176 struct task_struct *target, 6177 long type, int mode) 6178{ 6179 struct ipc_security_struct *isec; 6180 struct msg_security_struct *msec; 6181 struct common_audit_data ad; |
6225 u32 sid = task_sid_obj(target); | 6182 u32 sid = task_sid_subj(target); |
6226 int rc; 6227 6228 isec = selinux_ipc(msq); 6229 msec = selinux_msg_msg(msg); 6230 6231 ad.type = LSM_AUDIT_DATA_IPC; 6232 ad.u.ipc_id = msq->key; 6233 --- 774 unchanged lines hidden (view full) --- 7008{ 7009 struct bpf_security_struct *bpfsec = aux->security; 7010 7011 aux->security = NULL; 7012 kfree(bpfsec); 7013} 7014#endif 7015 | 6183 int rc; 6184 6185 isec = selinux_ipc(msq); 6186 msec = selinux_msg_msg(msg); 6187 6188 ad.type = LSM_AUDIT_DATA_IPC; 6189 ad.u.ipc_id = msq->key; 6190 --- 774 unchanged lines hidden (view full) --- 6965{ 6966 struct bpf_security_struct *bpfsec = aux->security; 6967 6968 aux->security = NULL; 6969 kfree(bpfsec); 6970} 6971#endif 6972 |
7016static int selinux_lockdown(enum lockdown_reason what) 7017{ 7018 struct common_audit_data ad; 7019 u32 sid = current_sid(); 7020 int invalid_reason = (what <= LOCKDOWN_NONE) || 7021 (what == LOCKDOWN_INTEGRITY_MAX) || 7022 (what >= LOCKDOWN_CONFIDENTIALITY_MAX); 7023 7024 if (WARN(invalid_reason, "Invalid lockdown reason")) { 7025 audit_log(audit_context(), 7026 GFP_ATOMIC, AUDIT_SELINUX_ERR, 7027 "lockdown_reason=invalid"); 7028 return -EINVAL; 7029 } 7030 7031 ad.type = LSM_AUDIT_DATA_LOCKDOWN; 7032 ad.u.reason = what; 7033 7034 if (what <= LOCKDOWN_INTEGRITY_MAX) 7035 return avc_has_perm(&selinux_state, 7036 sid, sid, SECCLASS_LOCKDOWN, 7037 LOCKDOWN__INTEGRITY, &ad); 7038 else 7039 return avc_has_perm(&selinux_state, 7040 sid, sid, SECCLASS_LOCKDOWN, 7041 LOCKDOWN__CONFIDENTIALITY, &ad); 7042} 7043 | |
7044struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { 7045 .lbs_cred = sizeof(struct task_security_struct), 7046 .lbs_file = sizeof(struct file_security_struct), 7047 .lbs_inode = sizeof(struct inode_security_struct), 7048 .lbs_ipc = sizeof(struct ipc_security_struct), 7049 .lbs_msg_msg = sizeof(struct msg_security_struct), 7050 .lbs_superblock = sizeof(struct superblock_security_struct), 7051}; --- 54 unchanged lines hidden (view full) --- 7106 struct perf_event_security_struct *perfsec = event->security; 7107 u32 sid = current_sid(); 7108 7109 return avc_has_perm(&selinux_state, sid, perfsec->sid, 7110 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7111} 7112#endif 7113 | 6973struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { 6974 .lbs_cred = sizeof(struct task_security_struct), 6975 .lbs_file = sizeof(struct file_security_struct), 6976 .lbs_inode = sizeof(struct inode_security_struct), 6977 .lbs_ipc = sizeof(struct ipc_security_struct), 6978 .lbs_msg_msg = sizeof(struct msg_security_struct), 6979 .lbs_superblock = sizeof(struct superblock_security_struct), 6980}; --- 54 unchanged lines hidden (view full) --- 7035 struct perf_event_security_struct *perfsec = event->security; 7036 u32 sid = current_sid(); 7037 7038 return avc_has_perm(&selinux_state, sid, perfsec->sid, 7039 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7040} 7041#endif 7042 |
7043#ifdef CONFIG_IO_URING 7044/** 7045 * selinux_uring_override_creds - check the requested cred override 7046 * @new: the target creds 7047 * 7048 * Check to see if the current task is allowed to override it's credentials 7049 * to service an io_uring operation. 7050 */ 7051static int selinux_uring_override_creds(const struct cred *new) 7052{ 7053 return avc_has_perm(&selinux_state, current_sid(), cred_sid(new), 7054 SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL); 7055} 7056 7057/** 7058 * selinux_uring_sqpoll - check if a io_uring polling thread can be created 7059 * 7060 * Check to see if the current task is allowed to create a new io_uring 7061 * kernel polling thread. 7062 */ 7063static int selinux_uring_sqpoll(void) 7064{ 7065 int sid = current_sid(); 7066 7067 return avc_has_perm(&selinux_state, sid, sid, 7068 SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 7069} 7070#endif /* CONFIG_IO_URING */ 7071 |
|
7114/* 7115 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7116 * 1. any hooks that don't belong to (2.) or (3.) below, 7117 * 2. hooks that both access structures allocated by other hooks, and allocate 7118 * structures that can be later accessed by other hooks (mostly "cloning" 7119 * hooks), 7120 * 3. hooks that only allocate structures that can be later accessed by other 7121 * hooks ("allocating" hooks). --- 222 unchanged lines hidden (view full) --- 7344 7345#ifdef CONFIG_PERF_EVENTS 7346 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7347 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free), 7348 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7349 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7350#endif 7351 | 7072/* 7073 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: 7074 * 1. any hooks that don't belong to (2.) or (3.) below, 7075 * 2. hooks that both access structures allocated by other hooks, and allocate 7076 * structures that can be later accessed by other hooks (mostly "cloning" 7077 * hooks), 7078 * 3. hooks that only allocate structures that can be later accessed by other 7079 * hooks ("allocating" hooks). --- 222 unchanged lines hidden (view full) --- 7302 7303#ifdef CONFIG_PERF_EVENTS 7304 LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), 7305 LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free), 7306 LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), 7307 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7308#endif 7309 |
7352 LSM_HOOK_INIT(locked_down, selinux_lockdown), | 7310#ifdef CONFIG_IO_URING 7311 LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7312 LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7313#endif |
7353 7354 /* 7355 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7356 */ 7357 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7358 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7359 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7360 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt), --- 104 unchanged lines hidden (view full) --- 7465 .blobs = &selinux_blob_sizes, 7466 .init = selinux_init, 7467}; 7468 7469#if defined(CONFIG_NETFILTER) 7470 7471static const struct nf_hook_ops selinux_nf_ops[] = { 7472 { | 7314 7315 /* 7316 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE 7317 */ 7318 LSM_HOOK_INIT(fs_context_dup, selinux_fs_context_dup), 7319 LSM_HOOK_INIT(fs_context_parse_param, selinux_fs_context_parse_param), 7320 LSM_HOOK_INIT(sb_eat_lsm_opts, selinux_sb_eat_lsm_opts), 7321 LSM_HOOK_INIT(sb_add_mnt_opt, selinux_add_mnt_opt), --- 104 unchanged lines hidden (view full) --- 7426 .blobs = &selinux_blob_sizes, 7427 .init = selinux_init, 7428}; 7429 7430#if defined(CONFIG_NETFILTER) 7431 7432static const struct nf_hook_ops selinux_nf_ops[] = { 7433 { |
7473 .hook = selinux_ipv4_postroute, | 7434 .hook = selinux_ip_postroute, |
7474 .pf = NFPROTO_IPV4, 7475 .hooknum = NF_INET_POST_ROUTING, 7476 .priority = NF_IP_PRI_SELINUX_LAST, 7477 }, 7478 { | 7435 .pf = NFPROTO_IPV4, 7436 .hooknum = NF_INET_POST_ROUTING, 7437 .priority = NF_IP_PRI_SELINUX_LAST, 7438 }, 7439 { |
7479 .hook = selinux_ipv4_forward, | 7440 .hook = selinux_ip_forward, |
7480 .pf = NFPROTO_IPV4, 7481 .hooknum = NF_INET_FORWARD, 7482 .priority = NF_IP_PRI_SELINUX_FIRST, 7483 }, 7484 { | 7441 .pf = NFPROTO_IPV4, 7442 .hooknum = NF_INET_FORWARD, 7443 .priority = NF_IP_PRI_SELINUX_FIRST, 7444 }, 7445 { |
7485 .hook = selinux_ipv4_output, | 7446 .hook = selinux_ip_output, |
7486 .pf = NFPROTO_IPV4, 7487 .hooknum = NF_INET_LOCAL_OUT, 7488 .priority = NF_IP_PRI_SELINUX_FIRST, 7489 }, 7490#if IS_ENABLED(CONFIG_IPV6) 7491 { | 7447 .pf = NFPROTO_IPV4, 7448 .hooknum = NF_INET_LOCAL_OUT, 7449 .priority = NF_IP_PRI_SELINUX_FIRST, 7450 }, 7451#if IS_ENABLED(CONFIG_IPV6) 7452 { |
7492 .hook = selinux_ipv6_postroute, | 7453 .hook = selinux_ip_postroute, |
7493 .pf = NFPROTO_IPV6, 7494 .hooknum = NF_INET_POST_ROUTING, 7495 .priority = NF_IP6_PRI_SELINUX_LAST, 7496 }, 7497 { | 7454 .pf = NFPROTO_IPV6, 7455 .hooknum = NF_INET_POST_ROUTING, 7456 .priority = NF_IP6_PRI_SELINUX_LAST, 7457 }, 7458 { |
7498 .hook = selinux_ipv6_forward, | 7459 .hook = selinux_ip_forward, |
7499 .pf = NFPROTO_IPV6, 7500 .hooknum = NF_INET_FORWARD, 7501 .priority = NF_IP6_PRI_SELINUX_FIRST, 7502 }, 7503 { | 7460 .pf = NFPROTO_IPV6, 7461 .hooknum = NF_INET_FORWARD, 7462 .priority = NF_IP6_PRI_SELINUX_FIRST, 7463 }, 7464 { |
7504 .hook = selinux_ipv6_output, | 7465 .hook = selinux_ip_output, |
7505 .pf = NFPROTO_IPV6, 7506 .hooknum = NF_INET_LOCAL_OUT, 7507 .priority = NF_IP6_PRI_SELINUX_FIRST, 7508 }, 7509#endif /* IPV6 */ 7510}; 7511 7512static int __net_init selinux_nf_register(struct net *net) --- 85 unchanged lines hidden --- | 7466 .pf = NFPROTO_IPV6, 7467 .hooknum = NF_INET_LOCAL_OUT, 7468 .priority = NF_IP6_PRI_SELINUX_FIRST, 7469 }, 7470#endif /* IPV6 */ 7471}; 7472 7473static int __net_init selinux_nf_register(struct net *net) --- 85 unchanged lines hidden --- |
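Review bot: On the new side, selinux_ptrace_traceme() takes the subject SID from `task_sid_subj(parent)` and selinux_msg_queue_msgrcv() from `task_sid_subj(target)`, and in both hooks that task is not `current`. If task_sid_subj() reads the task's subjective credentials, as its name suggests (the helper is not shown on this page), these hooks read credentials that only the owning task can safely access and that may be temporarily overridden, so the AVC check could be evaluated against the wrong label. Keeping the objective form avoids that: `task_sid_obj(parent), task_sid_obj(current),` and `u32 sid = task_sid_obj(target);`. The body of selinux_msg_queue_msgrcv() continues in lines hidden on this page, so the later use of `sid` there should be confirmed as well.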