
Searched refs:ruleset (Results 1 – 25 of 31) sorted by relevance


/linux-6.1.9/drivers/net/ethernet/marvell/prestera/
Dprestera_acl.c140 struct prestera_acl_ruleset *ruleset; in prestera_acl_ruleset_create() local
147 ruleset = kzalloc(sizeof(*ruleset), GFP_KERNEL); in prestera_acl_ruleset_create()
148 if (!ruleset) in prestera_acl_ruleset_create()
151 ruleset->acl = acl; in prestera_acl_ruleset_create()
152 ruleset->ingress = block->ingress; in prestera_acl_ruleset_create()
153 ruleset->ht_key.block = block; in prestera_acl_ruleset_create()
154 ruleset->ht_key.chain_index = chain_index; in prestera_acl_ruleset_create()
155 refcount_set(&ruleset->refcount, 1); in prestera_acl_ruleset_create()
157 err = rhashtable_init(&ruleset->rule_ht, &prestera_acl_rule_ht_params); in prestera_acl_ruleset_create()
166 ruleset->pcl_id = PRESTERA_ACL_PCL_ID_MAKE((u8)uid, chain_index); in prestera_acl_ruleset_create()
[all …]
Dprestera_flower.c11 struct prestera_acl_ruleset *ruleset; member
19 prestera_acl_ruleset_put(template->ruleset); in prestera_flower_template_free()
39 struct prestera_acl_ruleset *ruleset; in prestera_flower_parse_goto_action() local
48 ruleset = prestera_acl_ruleset_get(block->sw->acl, block, in prestera_flower_parse_goto_action()
50 if (IS_ERR(ruleset)) in prestera_flower_parse_goto_action()
51 return PTR_ERR(ruleset); in prestera_flower_parse_goto_action()
54 rule->re_arg.jump.i.index = prestera_acl_ruleset_index_get(ruleset); in prestera_flower_parse_goto_action()
56 rule->jump_ruleset = ruleset; in prestera_flower_parse_goto_action()
397 struct prestera_acl_ruleset *ruleset; in prestera_flower_prio_get() local
399 ruleset = prestera_acl_ruleset_lookup(block->sw->acl, block, chain_index); in prestera_flower_prio_get()
[all …]
Dprestera_acl.h130 struct prestera_acl_ruleset *ruleset; member
156 prestera_acl_rule_create(struct prestera_acl_ruleset *ruleset,
162 prestera_acl_rule_lookup(struct prestera_acl_ruleset *ruleset,
188 int prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset,
190 bool prestera_acl_ruleset_is_offload(struct prestera_acl_ruleset *ruleset);
191 int prestera_acl_ruleset_offload(struct prestera_acl_ruleset *ruleset);
192 void prestera_acl_ruleset_put(struct prestera_acl_ruleset *ruleset);
193 int prestera_acl_ruleset_bind(struct prestera_acl_ruleset *ruleset,
195 int prestera_acl_ruleset_unbind(struct prestera_acl_ruleset *ruleset,
197 u32 prestera_acl_ruleset_index_get(const struct prestera_acl_ruleset *ruleset);
[all …]
/linux-6.1.9/security/landlock/
Dsyscalls.c99 struct landlock_ruleset *ruleset = filp->private_data; in fop_ruleset_release() local
101 landlock_put_ruleset(ruleset); in fop_ruleset_release()
162 struct landlock_ruleset *ruleset; in SYSCALL_DEFINE3() local
192 ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs); in SYSCALL_DEFINE3()
193 if (IS_ERR(ruleset)) in SYSCALL_DEFINE3()
194 return PTR_ERR(ruleset); in SYSCALL_DEFINE3()
198 ruleset, O_RDWR | O_CLOEXEC); in SYSCALL_DEFINE3()
200 landlock_put_ruleset(ruleset); in SYSCALL_DEFINE3()
212 struct landlock_ruleset *ruleset; in get_ruleset_from_fd() local
220 ruleset = ERR_PTR(-EBADFD); in get_ruleset_from_fd()
[all …]
Druleset.c116 const struct landlock_ruleset ruleset = { in build_check_ruleset() local
120 typeof(ruleset.fs_access_masks[0]) fs_access_mask = ~0; in build_check_ruleset()
122 BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES); in build_check_ruleset()
123 BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS); in build_check_ruleset()
145 static int insert_rule(struct landlock_ruleset *const ruleset, in insert_rule() argument
155 lockdep_assert_held(&ruleset->lock); in insert_rule()
158 walker_node = &(ruleset->root.rb_node); in insert_rule()
201 rb_replace_node(&this->node, &new_rule->node, &ruleset->root); in insert_rule()
208 if (ruleset->num_rules >= LANDLOCK_MAX_NUM_RULES) in insert_rule()
214 rb_insert_color(&new_rule->node, &ruleset->root); in insert_rule()
[all …]
Druleset.h159 void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
160 void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
162 int landlock_insert_rule(struct landlock_ruleset *const ruleset,
168 struct landlock_ruleset *const ruleset);
171 landlock_find_rule(const struct landlock_ruleset *const ruleset,
174 static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset) in landlock_get_ruleset() argument
176 if (ruleset) in landlock_get_ruleset()
177 refcount_inc(&ruleset->usage); in landlock_get_ruleset()
Dfs.c165 int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, in landlock_append_fs_rule() argument
176 if (WARN_ON_ONCE(ruleset->num_layers != 1)) in landlock_append_fs_rule()
182 ~(ruleset->fs_access_masks[0] | ACCESS_INITIALLY_DENIED); in landlock_append_fs_rule()
186 mutex_lock(&ruleset->lock); in landlock_append_fs_rule()
187 err = landlock_insert_rule(ruleset, object, access_rights); in landlock_append_fs_rule()
188 mutex_unlock(&ruleset->lock); in landlock_append_fs_rule()
DMakefile3 landlock-y := setup.o syscalls.o object.o ruleset.o \
Dfs.h67 int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
/linux-6.1.9/drivers/net/ethernet/mellanox/mlxsw/
Dspectrum_acl.c64 struct mlxsw_sp_acl_ruleset *ruleset; member
94 mlxsw_sp_acl_ruleset_is_singular(const struct mlxsw_sp_acl_ruleset *ruleset) in mlxsw_sp_acl_ruleset_is_singular() argument
97 return ruleset->ref_count == 2; in mlxsw_sp_acl_ruleset_is_singular()
104 struct mlxsw_sp_acl_ruleset *ruleset = block->ruleset_zero; in mlxsw_sp_acl_ruleset_bind() local
105 const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; in mlxsw_sp_acl_ruleset_bind()
107 return ops->ruleset_bind(mlxsw_sp, ruleset->priv, in mlxsw_sp_acl_ruleset_bind()
115 struct mlxsw_sp_acl_ruleset *ruleset = block->ruleset_zero; in mlxsw_sp_acl_ruleset_unbind() local
116 const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; in mlxsw_sp_acl_ruleset_unbind()
118 ops->ruleset_unbind(mlxsw_sp, ruleset->priv, in mlxsw_sp_acl_ruleset_unbind()
124 struct mlxsw_sp_acl_ruleset *ruleset, in mlxsw_sp_acl_ruleset_block_bind() argument
[all …]
Dspectrum_flower.c131 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp_flower_parse_actions() local
134 ruleset = mlxsw_sp_acl_ruleset_lookup(mlxsw_sp, block, in mlxsw_sp_flower_parse_actions()
137 if (IS_ERR(ruleset)) in mlxsw_sp_flower_parse_actions()
138 return PTR_ERR(ruleset); in mlxsw_sp_flower_parse_actions()
140 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); in mlxsw_sp_flower_parse_actions()
634 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp_flower_replace() local
642 ruleset = mlxsw_sp_acl_ruleset_get(mlxsw_sp, block, in mlxsw_sp_flower_replace()
645 if (IS_ERR(ruleset)) in mlxsw_sp_flower_replace()
646 return PTR_ERR(ruleset); in mlxsw_sp_flower_replace()
648 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, f->cookie, NULL, in mlxsw_sp_flower_replace()
[all …]
Dspectrum2_mr_tcam.c36 struct mlxsw_sp_acl_ruleset *ruleset) in mlxsw_sp2_mr_tcam_bind_group() argument
41 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); in mlxsw_sp2_mr_tcam_bind_group()
214 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp2_mr_tcam_route_create() local
219 ruleset = mlxsw_sp2_mr_tcam_proto_ruleset(mr_tcam, key->proto); in mlxsw_sp2_mr_tcam_route_create()
220 if (WARN_ON(!ruleset)) in mlxsw_sp2_mr_tcam_route_create()
223 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, in mlxsw_sp2_mr_tcam_route_create()
247 struct mlxsw_sp_acl_ruleset *ruleset; in mlxsw_sp2_mr_tcam_route_destroy() local
250 ruleset = mlxsw_sp2_mr_tcam_proto_ruleset(mr_tcam, key->proto); in mlxsw_sp2_mr_tcam_route_destroy()
251 if (WARN_ON(!ruleset)) in mlxsw_sp2_mr_tcam_route_destroy()
254 rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, in mlxsw_sp2_mr_tcam_route_destroy()
[all …]
Dspectrum_acl_tcam.c1610 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_add() local
1612 return mlxsw_sp_acl_tcam_vgroup_add(mlxsw_sp, tcam, &ruleset->vgroup, in mlxsw_sp_acl_tcam_flower_ruleset_add()
1623 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_del() local
1625 mlxsw_sp_acl_tcam_vgroup_del(&ruleset->vgroup); in mlxsw_sp_acl_tcam_flower_ruleset_del()
1634 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_bind() local
1636 return mlxsw_sp_acl_tcam_group_bind(mlxsw_sp, &ruleset->vgroup.group, in mlxsw_sp_acl_tcam_flower_ruleset_bind()
1646 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_unbind() local
1648 mlxsw_sp_acl_tcam_group_unbind(mlxsw_sp, &ruleset->vgroup.group, in mlxsw_sp_acl_tcam_flower_ruleset_unbind()
1655 struct mlxsw_sp_acl_tcam_flower_ruleset *ruleset = ruleset_priv; in mlxsw_sp_acl_tcam_flower_ruleset_group_id() local
1657 return mlxsw_sp_acl_tcam_group_id(&ruleset->vgroup.group); in mlxsw_sp_acl_tcam_flower_ruleset_group_id()
[all …]
/linux-6.1.9/Documentation/userspace-api/
Dlandlock.rst33 rights`_. A set of rules is aggregated in a ruleset, which can then restrict
39 We first need to define the ruleset that will contain our rules. For this
40 example, the ruleset will contain rules that only allow read actions, but write
41 actions will be denied. The ruleset then needs to handle both of these kind of
84 This enables to create an inclusive ruleset that will contain our rules.
92 perror("Failed to create a ruleset");
96 We can now add a new rule to this ruleset thanks to the returned file
97 descriptor referring to this ruleset. The rule will only allow reading the
99 denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the
123 perror("Failed to update ruleset");
[all …]
/linux-6.1.9/Documentation/security/
Dlandlock.rst42 * Computation related to Landlock operations (e.g. enforcing a ruleset) shall
84 A domain is a read-only ruleset tied to a set of subjects (i.e. tasks'
85 credentials). Each time a ruleset is enforced on a task, the current domain is
86 duplicated and the ruleset is imported as a new layer of rules in the new
91 of a ruleset provided by the task.
96 .. kernel-doc:: security/landlock/ruleset.h
/linux-6.1.9/tools/testing/selftests/netfilter/
Dconntrack_vrf.sh143 ip netns exec $ns0 nft list ruleset
162 flush ruleset
211 flush ruleset
Dnft_fib.sh238 ip netns exec ${ns1} nft flush ruleset
239 ip netns exec ${ns2} nft flush ruleset
240 ip netns exec ${nsrouter} nft flush ruleset
267 ip -net ${nsrouter} nft list ruleset
Dnft_flowtable.sh360 ip netns exec $nsr1 nft list ruleset
390 ip netns exec $nsr1 nft list ruleset
410 ip netns exec $nsr1 nft list ruleset
443 ip netns exec $nsr1 nft list ruleset
467 ip netns exec $nsr1 nft list ruleset
535 ip netns exec $nsr1 nft list ruleset 1>&2
Dnft_queue.sh252 ip netns exec ${nsrouter} nft list ruleset
320 flush ruleset
369 flush ruleset
394 ip netns exec ${ns1} nft list ruleset
Dnft_zones_many.sh47 flush ruleset
Dnft_synproxy.sh112 ip netns exec $nsr nft list ruleset
/linux-6.1.9/include/linux/crush/
Dmapper.h14 extern int crush_find_rule(const struct crush_map *map, int ruleset, int type, int size);
Dcrush.h81 __u8 ruleset; member
/linux-6.1.9/security/safesetid/
Dsecurityfs.c264 … size_t len, loff_t *ppos, struct mutex *policy_update_lock, struct __rcu setid_ruleset* ruleset) in safesetid_file_read() argument
271 pol = rcu_dereference_protected(ruleset, lockdep_is_held(policy_update_lock)); in safesetid_file_read()
/linux-6.1.9/tools/testing/selftests/net/mptcp/
Dmptcp_connect.sh696 flush ruleset
721 ip netns exec "$listener_ns" nft flush ruleset
728 ip netns exec "$listener_ns" nft flush ruleset
742 ip netns exec "$listener_ns" nft flush ruleset
