[PATCH smack] smack: remove duplicated hook function
Casey Schaufler
casey at schaufler-ca.com
Tue Oct 12 14:38:14 UTC 2021
On 10/11/2021 7:33 AM, Florian Westphal wrote:
> ipv4 and ipv6 hook functions are identical, remove one.
>
> Signed-off-by: Florian Westphal <fw at strlen.de>
Looks fine, with the one change I've noted below. If you're
OK with that change I can take it for smack-next.
> ---
> patch targets next branch of
> git://github.com/cschaufler/smack-next.
>
> security/smack/smack_netfilter.c | 26 +++-----------------------
> 1 file changed, 3 insertions(+), 23 deletions(-)
>
> diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
> index fc7399b45373..a7ef2e2abc8a 100644
> --- a/security/smack/smack_netfilter.c
> +++ b/security/smack/smack_netfilter.c
> @@ -18,27 +18,7 @@
> #include <net/net_namespace.h>
> #include "smack.h"
>
> -#if IS_ENABLED(CONFIG_IPV6)
> -
> -static unsigned int smack_ipv6_output(void *priv,
> - struct sk_buff *skb,
> - const struct nf_hook_state *state)
> -{
> - struct sock *sk = skb_to_full_sk(skb);
> - struct socket_smack *ssp;
> - struct smack_known *skp;
> -
> - if (sk && sk->sk_security) {
> - ssp = sk->sk_security;
> - skp = ssp->smk_out;
> - skb->secmark = skp->smk_secid;
> - }
> -
> - return NF_ACCEPT;
> -}
> -#endif /* IPV6 */
> -
> -static unsigned int smack_ipv4_output(void *priv,
> +static unsigned int smack_hook_output(void *priv,
I would prefer smack_ip_output() to smack_hook_output().
> struct sk_buff *skb,
> const struct nf_hook_state *state)
> {
> @@ -57,14 +37,14 @@ static unsigned int smack_ipv4_output(void *priv,
>
> static const struct nf_hook_ops smack_nf_ops[] = {
> {
> - .hook = smack_ipv4_output,
> + .hook = smack_hook_output,
> .pf = NFPROTO_IPV4,
> .hooknum = NF_INET_LOCAL_OUT,
> .priority = NF_IP_PRI_SELINUX_FIRST,
> },
> #if IS_ENABLED(CONFIG_IPV6)
> {
> - .hook = smack_ipv6_output,
> + .hook = smack_hook_output,
> .pf = NFPROTO_IPV6,
> .hooknum = NF_INET_LOCAL_OUT,
> .priority = NF_IP6_PRI_SELINUX_FIRST,
More information about the Linux-security-module-archive
mailing list