SELinux: Add a network node caching mechanism similar to the sel_netif_*() functions
This patch adds a SELinux IP address/node SID caching mechanism similar to the sel_netif_*() functions. The node SID queries in the SELinux hooks files are also modified to take advantage of this new functionality. In addition, remove the address length information from the sk_buff parsing routines as it is redundant since we already have the address family. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Paul Moore
James Morris
32
security/selinux/include/netnode.h
Normal file
32
security/selinux/include/netnode.h
Normal file
@@ -0,0 +1,32 @@
|
||||
/*
|
||||
* Network node table
|
||||
*
|
||||
* SELinux must keep a mapping of network nodes to labels/SIDs. This
|
||||
* mapping is maintained as part of the normal policy but a fast cache is
|
||||
* needed to reduce the lookup overhead since most of these queries happen on
|
||||
* a per-packet basis.
|
||||
*
|
||||
* Author: Paul Moore <paul.moore@hp.com>
|
||||
*
|
||||
*/
|
||||
|
||||
/*
|
||||
* (c) Copyright Hewlett-Packard Development Company, L.P., 2007
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of version 2 of the GNU General Public License as
|
||||
* published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef _SELINUX_NETNODE_H
|
||||
#define _SELINUX_NETNODE_H
|
||||
|
||||
int sel_netnode_sid(void *addr, u16 family, u32 *sid);
|
||||
|
||||
#endif
|
||||
Reference in New Issue
Block a user