/openbmc/linux/drivers/net/ethernet/marvell/prestera/ |
H A D | prestera_acl.c | 140 struct prestera_acl_ruleset *ruleset; in prestera_acl_ruleset_create() local 147 ruleset = kzalloc(sizeof(*ruleset), GFP_KERNEL); in prestera_acl_ruleset_create() 148 if (!ruleset) in prestera_acl_ruleset_create() 151 ruleset->acl = acl; in prestera_acl_ruleset_create() 152 ruleset->ingress = block->ingress; in prestera_acl_ruleset_create() 153 ruleset->ht_key.block = block; in prestera_acl_ruleset_create() 154 ruleset->ht_key.chain_index = chain_index; in prestera_acl_ruleset_create() 155 refcount_set(&ruleset->refcount, 1); in prestera_acl_ruleset_create() 157 err = rhashtable_init(&ruleset->rule_ht, &prestera_acl_rule_ht_params); in prestera_acl_ruleset_create() 166 ruleset->pcl_id = PRESTERA_ACL_PCL_ID_MAKE((u8)uid, chain_index); in prestera_acl_ruleset_create() [all …]
H A D | prestera_flower.c | 11 struct prestera_acl_ruleset *ruleset; member 19 prestera_acl_ruleset_put(template->ruleset); in prestera_flower_template_free() 39 struct prestera_acl_ruleset *ruleset; in prestera_flower_parse_goto_action() local 48 ruleset = prestera_acl_ruleset_get(block->sw->acl, block, in prestera_flower_parse_goto_action() 50 if (IS_ERR(ruleset)) in prestera_flower_parse_goto_action() 51 return PTR_ERR(ruleset); in prestera_flower_parse_goto_action() 54 rule->re_arg.jump.i.index = prestera_acl_ruleset_index_get(ruleset); in prestera_flower_parse_goto_action() 56 rule->jump_ruleset = ruleset; in prestera_flower_parse_goto_action() 403 struct prestera_acl_ruleset *ruleset; in prestera_flower_prio_get() local 405 ruleset = prestera_acl_ruleset_lookup(block->sw->acl, block, chain_index); in prestera_flower_prio_get() [all …]
H A D | prestera_acl.h | 130 struct prestera_acl_ruleset *ruleset; member 156 prestera_acl_rule_create(struct prestera_acl_ruleset *ruleset, 162 prestera_acl_rule_lookup(struct prestera_acl_ruleset *ruleset, 188 int prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset, 190 bool prestera_acl_ruleset_is_offload(struct prestera_acl_ruleset *ruleset); 191 int prestera_acl_ruleset_offload(struct prestera_acl_ruleset *ruleset); 192 void prestera_acl_ruleset_put(struct prestera_acl_ruleset *ruleset); 193 int prestera_acl_ruleset_bind(struct prestera_acl_ruleset *ruleset, 195 int prestera_acl_ruleset_unbind(struct prestera_acl_ruleset *ruleset, 197 u32 prestera_acl_ruleset_index_get(const struct prestera_acl_ruleset *ruleset); [all …]
/openbmc/linux/security/landlock/ |
H A D | syscalls.c | 111 struct landlock_ruleset *ruleset = filp->private_data; in fop_ruleset_release() local 113 landlock_put_ruleset(ruleset); in fop_ruleset_release() 174 struct landlock_ruleset *ruleset; in SYSCALL_DEFINE3() local 204 ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs); in SYSCALL_DEFINE3() 205 if (IS_ERR(ruleset)) in SYSCALL_DEFINE3() 206 return PTR_ERR(ruleset); in SYSCALL_DEFINE3() 210 ruleset, O_RDWR | O_CLOEXEC); in SYSCALL_DEFINE3() 212 landlock_put_ruleset(ruleset); in SYSCALL_DEFINE3() 224 struct landlock_ruleset *ruleset; in get_ruleset_from_fd() local 232 ruleset = ERR_PTR(-EBADFD); in get_ruleset_from_fd() [all …]
H A D | ruleset.c | 116 const struct landlock_ruleset ruleset = { in build_check_ruleset() local 120 typeof(ruleset.fs_access_masks[0]) fs_access_mask = ~0; in build_check_ruleset() 122 BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES); in build_check_ruleset() 123 BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS); in build_check_ruleset() 145 static int insert_rule(struct landlock_ruleset *const ruleset, in insert_rule() argument 155 lockdep_assert_held(&ruleset->lock); in insert_rule() 158 walker_node = &(ruleset->root.rb_node); in insert_rule() 201 rb_replace_node(&this->node, &new_rule->node, &ruleset->root); in insert_rule() 208 if (ruleset->num_rules >= LANDLOCK_MAX_NUM_RULES) in insert_rule() 214 rb_insert_color(&new_rule->node, &ruleset->root); in insert_rule() [all …]
H A D | ruleset.h | 159 void landlock_put_ruleset(struct landlock_ruleset *const ruleset); 160 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset); 162 int landlock_insert_rule(struct landlock_ruleset *const ruleset, 168 struct landlock_ruleset *const ruleset); 171 landlock_find_rule(const struct landlock_ruleset *const ruleset, 174 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset) in landlock_get_ruleset() argument 176 if (ruleset) in landlock_get_ruleset() 177 refcount_inc(&ruleset->usage); in landlock_get_ruleset()
H A D | fs.c | 166 int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, in landlock_append_fs_rule() argument 177 if (WARN_ON_ONCE(ruleset->num_layers != 1)) in landlock_append_fs_rule() 183 ~(ruleset->fs_access_masks[0] | ACCESS_INITIALLY_DENIED); in landlock_append_fs_rule() 187 mutex_lock(&ruleset->lock); in landlock_append_fs_rule() 188 err = landlock_insert_rule(ruleset, object, access_rights); in landlock_append_fs_rule() 189 mutex_unlock(&ruleset->lock); in landlock_append_fs_rule()
H A D | Makefile | 3 landlock-y := setup.o syscalls.o object.o ruleset.o \
H A D | fs.h | 91 int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
/openbmc/openbmc/meta-ampere/meta-common/recipes-extended/rsyslog/rsyslog/ |
H A D | hostconsole.conf | 7 ruleset(name="ConsoleCPURuleset") { 10 ruleset(name="ConsoleATFRuleset") { 13 ruleset(name="ConsoleSECPRO0Ruleset") { 16 ruleset(name="ConsoleSECPRO1Ruleset") { 19 ruleset(name="ConsoleMPRO0Ruleset") { 22 ruleset(name="ConsoleMPRO1Ruleset") { 25 ruleset(name="ConsoleSCP0Ruleset") { 28 ruleset(name="ConsoleSCP1Ruleset") { 38 ruleset="ConsoleCPURuleset") 45 ruleset="ConsoleATFRuleset") [all …]
/openbmc/linux/drivers/net/ethernet/mellanox/mlxsw/ |
H A D | spectrum_acl.c | 70 struct mlxsw_sp_acl_ruleset *ruleset; member 100 mlxsw_sp_acl_ruleset_is_singular(const struct mlxsw_sp_acl_ruleset *ruleset) in mlxsw_sp_acl_ruleset_is_singular() argument 103 return refcount_read(&ruleset->ref_count) == 2; in mlxsw_sp_acl_ruleset_is_singular() 110 struct mlxsw_sp_acl_ruleset *ruleset = block->ruleset_zero; in mlxsw_sp_acl_ruleset_bind() local 111 const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; in mlxsw_sp_acl_ruleset_bind() 113 return ops->ruleset_bind(mlxsw_sp, ruleset->priv, in mlxsw_sp_acl_ruleset_bind() 121 struct mlxsw_sp_acl_ruleset *ruleset = block->ruleset_zero; in mlxsw_sp_acl_ruleset_unbind() local 122 const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; in mlxsw_sp_acl_ruleset_unbind() 124 ops->ruleset_unbind(mlxsw_sp, ruleset->priv, in mlxsw_sp_acl_ruleset_unbind() 130 struct mlxsw_sp_acl_ruleset *ruleset, in mlxsw_sp_acl_ruleset_block_bind() argument [all …]
H A D | spectrum_flower.c | 131 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp_flower_parse_actions() local 134 ruleset = mlxsw_sp_acl_ruleset_lookup(mlxsw_sp, block, in mlxsw_sp_flower_parse_actions() 137 if (IS_ERR(ruleset)) in mlxsw_sp_flower_parse_actions() 138 return PTR_ERR(ruleset); in mlxsw_sp_flower_parse_actions() 140 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); in mlxsw_sp_flower_parse_actions() 731 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp_flower_replace() local 739 ruleset = mlxsw_sp_acl_ruleset_get(mlxsw_sp, block, in mlxsw_sp_flower_replace() 742 if (IS_ERR(ruleset)) in mlxsw_sp_flower_replace() 743 return PTR_ERR(ruleset); in mlxsw_sp_flower_replace() 745 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, f->cookie, NULL, in mlxsw_sp_flower_replace() [all …]
H A D | spectrum2_mr_tcam.c | 36 struct mlxsw_sp_acl_ruleset *ruleset) in mlxsw_sp2_mr_tcam_bind_group() argument 41 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); in mlxsw_sp2_mr_tcam_bind_group() 218 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp2_mr_tcam_route_create() local 223 ruleset = mlxsw_sp2_mr_tcam_proto_ruleset(mr_tcam, key->proto); in mlxsw_sp2_mr_tcam_route_create() 224 if (WARN_ON(!ruleset)) in mlxsw_sp2_mr_tcam_route_create() 227 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, in mlxsw_sp2_mr_tcam_route_create() 251 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp2_mr_tcam_route_destroy() local 254 ruleset = mlxsw_sp2_mr_tcam_proto_ruleset(mr_tcam, key->proto); in mlxsw_sp2_mr_tcam_route_destroy() 255 if (WARN_ON(!ruleset)) in mlxsw_sp2_mr_tcam_route_destroy() 258 rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, in mlxsw_sp2_mr_tcam_route_destroy() [all …]
H A D | spectrum_acl_tcam.c | 1694 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_add() local 1696 return mlxsw_sp_acl_tcam_vgroup_add(mlxsw_sp, tcam, &ruleset->vgroup, in mlxsw_sp_acl_tcam_flower_ruleset_add() 1707 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_del() local 1709 mlxsw_sp_acl_tcam_vgroup_del(&ruleset->vgroup); in mlxsw_sp_acl_tcam_flower_ruleset_del() 1718 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_bind() local 1720 return mlxsw_sp_acl_tcam_group_bind(mlxsw_sp, &ruleset->vgroup.group, in mlxsw_sp_acl_tcam_flower_ruleset_bind() 1730 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_unbind() local 1732 mlxsw_sp_acl_tcam_group_unbind(mlxsw_sp, &ruleset->vgroup.group, in mlxsw_sp_acl_tcam_flower_ruleset_unbind() 1739 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_group_id() local 1741 return mlxsw_sp_acl_tcam_group_id(&ruleset->vgroup.group); in mlxsw_sp_acl_tcam_flower_ruleset_group_id() [all …]
/openbmc/linux/Documentation/userspace-api/ |
H A D | landlock.rst | 33 rights`_. A set of rules is aggregated in a ruleset, which can then restrict 39 We first need to define the ruleset that will contain our rules. For this 40 example, the ruleset will contain rules that only allow read actions, but write 41 actions will be denied. The ruleset then needs to handle both of these kind of 97 This enables to create an inclusive ruleset that will contain our rules. 105 perror("Failed to create a ruleset"); 109 We can now add a new rule to this ruleset thanks to the returned file 110 descriptor referring to this ruleset. The rule will only allow reading the 112 denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the 136 perror("Failed to update ruleset"); [all …]
/openbmc/linux/Documentation/security/ |
H A D | landlock.rst | 42 * Computation related to Landlock operations (e.g. enforcing a ruleset) shall 112 A domain is a read-only ruleset tied to a set of subjects (i.e. tasks' 113 credentials). Each time a ruleset is enforced on a task, the current domain is 114 duplicated and the ruleset is imported as a new layer of rules in the new 119 of a ruleset provided by the task. 124 .. kernel-doc:: security/landlock/ruleset.h
/openbmc/linux/tools/testing/selftests/netfilter/ |
H A D | conntrack_vrf.sh | 143 ip netns exec $ns0 nft list ruleset 162 flush ruleset 211 flush ruleset
H A D | nft_fib.sh | 238 ip netns exec ${ns1} nft flush ruleset 239 ip netns exec ${ns2} nft flush ruleset 240 ip netns exec ${nsrouter} nft flush ruleset 267 ip -net ${nsrouter} nft list ruleset
H A D | nft_flowtable.sh | 488 ip netns exec $nsr1 nft list ruleset 523 ip netns exec $nsr1 nft list ruleset 543 ip netns exec $nsr1 nft list ruleset 576 ip netns exec $nsr1 nft list ruleset 600 ip netns exec $nsr1 nft list ruleset 668 ip netns exec $nsr1 nft list ruleset 1>&2
H A D | nft_queue.sh | 252 ip netns exec ${nsrouter} nft list ruleset 320 flush ruleset 369 flush ruleset 394 ip netns exec ${ns1} nft list ruleset
H A D | nft_audit.sh | 59 nft flush ruleset
/openbmc/openbmc/meta-google/recipes-google/nftables/files/ |
H A D | nftables.service | 9 ExecStop=/usr/sbin/nft flush ruleset
/openbmc/linux/include/linux/crush/ |
H A D | mapper.h | 14 extern int crush_find_rule(const struct crush_map *map, int ruleset, int type, int size);
/openbmc/linux/security/safesetid/ |
H A D | securityfs.c | 267 … size_t len, loff_t *ppos, struct mutex *policy_update_lock, struct __rcu setid_ruleset* ruleset) in safesetid_file_read() argument 274 pol = rcu_dereference_protected(ruleset, lockdep_is_held(policy_update_lock)); in safesetid_file_read()
/openbmc/linux/tools/testing/selftests/net/mptcp/ |
H A D | mptcp_connect.sh | 737 flush ruleset 763 ip netns exec "$listener_ns" nft flush ruleset 771 ip netns exec "$listener_ns" nft flush ruleset 787 ip netns exec "$listener_ns" nft flush ruleset