summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorDavid Ahern <dsahern@gmail.com>2019-05-25 00:43:03 +0300
committerDavid S. Miller <davem@davemloft.net>2019-05-29 07:37:30 +0300
commit65ee00a9409f751188a8cdc0988167858eb4a536 (patch)
tree8adc885214044ce8f710b2e4fa5d19c2b5e08d9a /security
parent602e0f295a91813c9a15938f2a292b9c60a416d9 (diff)
downloadlinux-65ee00a9409f751188a8cdc0988167858eb4a536.tar.xz
net: nexthop uapi
New UAPI for nexthops as standalone objects: - defines netlink ancillary header, struct nhmsg - RTM commands for nexthop objects, RTM_*NEXTHOP, - RTNLGRP for nexthop notifications, RTNLGRP_NEXTHOP, - Attributes for creating nexthops, NHA_* - Attribute for route specs to specify a nexthop by id, RTA_NH_ID. The nexthop attributes and semantics follow the route and RTA ones for device, gateway and lwt encap. Unique to nexthop objects are a blackhole and a group which contains references to other nexthop objects. With the exception of blackhole and group, nexthop objects MUST contain a device. Gateway and encap are optional. Nexthop groups can only reference other pre-existing nexthops by id. If the NHA_ID attribute is present that id is used for the nexthop. If not specified, one is auto assigned. Dump requests can include attributes: - NHA_GROUPS to return only nexthop groups, - NHA_MASTER to limit dumps to nexthops with devices enslaved to the given master (e.g., VRF) - NHA_OIF to limit dumps to nexthops using given device nlmsg_route_perms in selinux code is updated for the new RTM comands. Signed-off-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/nlmsgtab.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 9cec81209617..2c75d823d8e2 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -83,6 +83,9 @@ static const struct nlmsg_perm nlmsg_route_perms[] =
{ RTM_NEWCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
+ { RTM_NEWNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+ { RTM_DELNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+ { RTM_GETNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_READ },
};
static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
@@ -166,7 +169,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
* structures at the top of this file with the new mappings
* before updating the BUILD_BUG_ON() macro!
*/
- BUILD_BUG_ON(RTM_MAX != (RTM_NEWCHAIN + 3));
+ BUILD_BUG_ON(RTM_MAX != (RTM_NEWNEXTHOP + 3));
err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
sizeof(nlmsg_route_perms));
break;