author | Casey Schaufler <casey@schaufler-ca.com> | 2014-12-12 17:08:40 -0800 |
---|---|---|
committer | Casey Schaufler <casey@schaufler-ca.com> | 2015-01-20 16:34:25 -0800 |
commit | 69f287ae6fc8357e0bc561353a2d585b89ee8cdc (patch) | |
tree | a717c525b47790cab2d437e0e16e11728394b97c /security/smack/smack.h | |
parent | 5e7270a6dd14fa6e3bb10128f200305b4a75f350 (diff) | |
Smack: secmark support for netfilter
Smack uses CIPSO to label internet packets and thus provide
for access control on delivery of packets. The netfilter facility
was not used to allow for Smack to work properly without netfilter
configuration. Smack does not need netfilter, however there are
cases where it would be handy.
As a side effect, the labeling of local IPv4 packets can be optimized
and the handling of local IPv6 packets is just all out better.
The best part is that the netfilter tools use "contexts" that
are just strings, and they work just as well for Smack as they
do for SELinux.
All of the conditional compilation for IPv6 was implemented
by Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/smack.h')
-rw-r--r-- | security/smack/smack.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index b828a379377c..7629eaeb1fb2 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -248,6 +248,7 @@ struct smack_known *smk_find_entry(const char *); /* * Shared data. */ +extern int smack_enabled; extern int smack_cipso_direct; extern int smack_cipso_mapped; extern struct smack_known *smack_net_ambient; |
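Review bot: the new `extern int smack_enabled;` under "Shared data" is declared with no comment on what it signals or when it is set, and the commit message, which discusses secmark and netfilter, does not mention it either. Because this diff is limited to smack.h, the definition and its writers are not visible here; a one-line comment at the declaration stating the variable's meaning and whether it is written only during initialisation would help readers of the header. If it is a plain on/off flag, `bool` would express that more clearly than `int`, although `int` does match the neighbouring `smack_cipso_direct` and `smack_cipso_mapped` declarations.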