These look fine to me. -- Stephen D. Smalley, NAI Labs ssmalleyat_private On Tue, 11 Sep 2001, James Morris wrote: > The patch below adds some documentation for the skb hooks. > > Any suggestions for improvement to this are welcome. > > I'll attempt to push it into bitkeeper later Tues (US time) if there are > no objections. > > - James > -- > James Morris > <jmorrisat_private> >
> --- lsm/include/linux/security.h Tue Sep 11 15:03:22 2001
> +++ lsm-w1/include/linux/security.h Tue Sep 11 16:02:41 2001
> @@ -200,11 +200,63 @@
> int (* unix_may_send) (struct socket *sock, struct socket *other);
> };
>
> +/**
> + * Lifecycle hooks for network buffers.
> + *
> + * These hooks are used to help manage the lifecycle of security blobs for
> + * &sk_buff structures, and are not intended to be used for access decisions.
> + */
> struct skb_security_ops {
> - int (* alloc_security) (struct sk_buff *skb);
> - void (* clone) (struct sk_buff *newskb, const struct sk_buff *oldskb);
> - void (* copy) (struct sk_buff *newskb, const struct sk_buff *oldskb);
> - void (* free_security) (struct sk_buff *skb);
> + /**
> + * alloc_security - new buffer allocation hook
> + * @skb: the buffer being allocated
> + *
> + * called: alloc_skb <net/core/skbuff.c>
> + *
> + * This hook is called by the &sk_buff allocator when a new
> + * buffer is being allocated. An LSM module may allocate and
> + * assign a new security blob for the &sk_buff via this hook.
> + *
> + * Return 0 if successful, or -ENOMEM on out of memory condition.
> + */
> + int (* alloc_security) (struct sk_buff *skb);
> +
> + /**
> + * clone - sk_buff clone hook
> + * @newskb: the newly cloned buffer
> + * @oldskb: the buffer being cloned
> + *
> + * called: skb_clone <net/core/skbuff.c>
> + *
> + * This hook is called when an &sk_buff is being cloned, and may
> + * be used, for example, to increment a reference count on the
> + * associated security blob.
> + */
> + void (* clone) (struct sk_buff *newskb, const struct sk_buff *oldskb);
> +
> + /**
> + * copy - sk_buff copy hook
> + * @newskb: the newly copied buffer
> + * @oldskb: the buffer being copied
> + *
> + * called: copy_skb_header <net/core/skbuff.c>
> + *
> + * This hook is called when an &sk_buff header is being copied,
> + * which occurs during the skb_copy() and pskb_copy() functions in
> + * <net/core/skbuff.c>
> + */
> + void (* copy) (struct sk_buff *newskb, const struct sk_buff *oldskb);
> +
> + /**
> + * free_security - sk_buff destruction hook
> + * @skb: the buffer being destroyed
> + *
> + * called: __kfree_skb <net/core/skbuff.c>
> + *
> + * This hook is called when an &sk_buff is being destroyed, and
> + * should be used to free any associated security blob.
> + */
> + void (* free_security) (struct sk_buff *skb);
> };
>
> struct net_device;
> > > _______________________________________________ > linux-security-module mailing list > linux-security-moduleat_private > http://mail.wirex.com/mailman/listinfo/linux-security-module > _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
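Review bot: The copy hook comment at the top of this hunk, and the clone comment it continues from, never say what the new buffer's security field holds when the hook runs, and that is the fact a module author needs to avoid a double free: if skb_clone and copy_skb_header duplicate the header field that points at the old blob, free_security will later run once per buffer against the same blob unless the hook replaces it or takes a reference. Both hooks return void, so a module that must allocate a fresh blob for @newskb has no way to report failure; that limitation belongs in the comments as well. I would add to the copy block `* On entry the security field of @newskb is whatever the header copy left there (confirm against copy_skb_header); the hook must leave @newskb owning its own blob, or a counted reference, so that free_security on each buffer is safe.` and a matching sentence to the clone block, since its reference-count example only works if the copied pointer is the one being counted. The alloc_security comment could likewise state whether a non-zero return aborts the allocation, which is not visible from this hunk.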