
selinux: register nf hooks with single nf_register_hooks call

Push ipv4 and ipv6 nf hooks into single array and register/unregister
them via single call.

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Paul Moore <pmoore@redhat.com>

authored by

Jiri Pirko and committed by
Paul Moore
25db6bea a7a91a19

+10 -25
+10 -25
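--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6071,7 +6071,7 @@
 
 #if defined(CONFIG_NETFILTER)
 
-static struct nf_hook_ops selinux_ipv4_ops[] = {
+static struct nf_hook_ops selinux_nf_ops[] = {
 {
 .hook = selinux_ipv4_postroute,
 .owner = THIS_MODULE,
@@ -6092,12 +6092,8 @@
 .pf = NFPROTO_IPV4,
 .hooknum = NF_INET_LOCAL_OUT,
 .priority = NF_IP_PRI_SELINUX_FIRST,
-}
-};
-
+},
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-
-static struct nf_hook_ops selinux_ipv6_ops[] = {
 {
 .hook = selinux_ipv6_postroute,
 .owner = THIS_MODULE,
@@ -6107,32 +6111,24 @@
 .pf = NFPROTO_IPV6,
 .hooknum = NF_INET_FORWARD,
 .priority = NF_IP6_PRI_SELINUX_FIRST,
-}
-};
-
+},
 #endif /* IPV6 */
+};
 
 static int __init selinux_nf_ip_init(void)
 {
-int err = 0;
+int err;
 
 if (!selinux_enabled)
-goto out;
+return 0;
 
 printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
 
-err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
+err = nf_register_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
 if (err)
-panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
+panic("SELinux: nf_register_hooks: error %d\n", err);
 
-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
-if (err)
-panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
-#endif /* IPV6 */
-
-out:
-return err;
+return 0;
 }
 
 __initcall(selinux_nf_ip_init);
@@ -6134,10 +6146,7 @@
 {
 printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
 
-nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
-#endif /* IPV6 */
+nf_unregister_hooks(selinux_nf_ops, ARRAY_SIZE(selinux_nf_ops));
 }
 #endif
 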
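Review bot: The merged `panic()` in selinux_nf_ip_init() no longer reports which protocol family failed to register, and nothing near the call records why a registration failure is fatal instead of being returned to the initcall machinery. Judging by their names, the entries in `selinux_nf_ops[]` are the packet hooks for both IPv4 and IPv6, so a comment above the call would help the next reader, for example `/* Fail closed: do not boot with SELinux enabled but its netfilter hooks missing. */`. A short comment on the array should also say that the IPv6 entries exist only under `CONFIG_IPV6`/`CONFIG_IPV6_MODULE`, so `ARRAY_SIZE(selinux_nf_ops)` differs between builds. The unregister function in the last hunk begins outside the visible lines; it calls `nf_unregister_hooks()` unconditionally while init returns early when `!selinux_enabled`, so it presumably runs only after a successful registration, which is worth confirming against its caller.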