Re: [PATCH] skb hook documentation

From: Stephen Smalley (sdsat_private)
Date: Tue Sep 11 2001 - 10:30:02 PDT


    These look fine to me.
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    
    
    On Tue, 11 Sep 2001, James Morris wrote:
    
    > The patch below adds some documentation for the skb hooks.
    > 
    > Any suggestions for improvement to this are welcome.
    > 
    > I'll attempt to push it into bitkeeper later Tues (US time) if there are
    > no objections.
    > 
    > - James
    > -- 
    > James Morris
    > <jmorrisat_private>
    > 
    > --- lsm/include/linux/security.h	Tue Sep 11 15:03:22 2001
    > +++ lsm-w1/include/linux/security.h	Tue Sep 11 16:02:41 2001
    > @@ -200,11 +200,63 @@
    >  	int (* unix_may_send)		(struct socket *sock, struct socket *other);
    >  };
    > 
    > +/**
    > + * Lifecycle hooks for network buffers.
    > + *
    > + * These hooks are used to help manage the lifecycle of security blobs for
    > + * &sk_buff structures, and are not intended to be used for access decisions.
    > + */
    >  struct skb_security_ops {
    > -	int (* alloc_security)		(struct sk_buff *skb);
    > -	void (* clone)			(struct sk_buff *newskb, const struct sk_buff *oldskb);
    > -	void (* copy)			(struct sk_buff *newskb, const struct sk_buff *oldskb);
    > -	void (* free_security)		(struct sk_buff *skb);
    > +	/**
    > +	 * alloc_security - new buffer allocation hook
    > +	 * @skb: the buffer being allocated
    > +	 *
    > +	 * called: alloc_skb <net/core/skbuff.c>
    > +	 *
    > +	 * This hook is called by the &sk_buff allocator when a new
    > +	 * buffer is being allocated.  An LSM module may allocate and
    > +	 * assign a new security blob for the &sk_buff via this hook.
    > +	 *
    > +	 * Return 0 if successful, or -ENOMEM on out of memory condition.
    > +	 */
    > +	int (* alloc_security) (struct sk_buff *skb);
    > +
    > +	/**
    > +	 * clone - sk_buff clone hook
    > +	 * @newskb: the newly cloned buffer
    > +	 * @oldskb: the buffer being cloned
    > +	 *
    > +	 * called: skb_clone <net/core/skbuff.c>
    > +	 *
    > +	 * This hook is called when an &sk_buff is being cloned, and may
    > +	 * be used, for example, to increment a reference count on the
    > +	 * associated security blob.
    > +	 */
    > +	void (* clone) (struct sk_buff *newskb, const struct sk_buff *oldskb);
    > +
    > +	/**
    > +	 * copy - sk_buff copy hook
    > +	 * @newskb: the newly copied buffer
    > +	 * @oldskb: the buffer being copied
    > +	 *
    > +	 * called: copy_skb_header <net/core/skbuff.c>
    > +	 *
    > +	 * This hook is called when an &sk_buff header is being copied,
    > +	 * which occurs during the skb_copy() and pskb_copy() functions in
    > +	 * <net/core/skbuff.c>
    > +	 */
    > +	void (* copy) (struct sk_buff *newskb, const struct sk_buff *oldskb);
    > +
    > +	/**
    > +	 * free_security - sk_buff destruction hook
    > +	 * @skb: the buffer being destroyed
    > +	 *
    > +	 * called: __kfree_skb <net/core/skbuff.c>
    > +	 *
    > +	 * This hook is called when an &sk_buff is being destroyed, and
    > +	 * should be used to free any associated security blob.
    > +	 */
    > +	void (* free_security) (struct sk_buff *skb);
    >  };
    > 
    >  struct net_device;
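Review bot: The kernel-doc added for `copy` says only when the hook is called, not what a module should do with the security blob, unlike the comments for `clone` and `free_security`. Since `clone` and `copy` are declared `void`, a module cannot report a failed allocation from either, so the comments should say that these hooks must not depend on a step that can fail, for example `* This hook cannot fail; share and reference-count the blob of @oldskb or leave @newskb without one.` The `free_security` comment should add that it must balance whatever `clone` and `copy` did, since a mismatch would presumably leak the blob or free it while another buffer still points at it. The `alloc_security` comment could also state whether a non-zero return aborts the allocation in alloc_skb and in which context the hook may run; neither is visible in this hunk.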
    > 
    > 
    > 
    > 
    
    
    


