summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSerge Hallyn <serue@us.ibm.com>2007-10-20 00:53:30 +0200
committerAdrian Bunk <bunk@kernel.org>2007-10-20 00:53:30 +0200
commit6da34bae29f51c35b300d89c1bbfe96cdf44d4d5 (patch)
treef89fe161a27bdd010c6016b54e9104730169c85f
parent118e78d1cd7023c3b155f861072ba10df0265fda (diff)
fix up security_socket_getpeersec_* documentation
Update the security_socket_peersec documentation in include/linux/security.h. security_socket_peersec has been split into two functions - _stream and _dgram, with new capabilities. Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: Adrian Bunk <bunk@kernel.org>
-rw-r--r--include/linux/security.h17
1 files changed, 15 insertions, 2 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index ff3f857f6957..ac050830a873 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -832,9 +832,11 @@ struct request_sock;
* incoming sk_buff @skb has been associated with a particular socket, @sk.
* @sk contains the sock (not socket) associated with the incoming sk_buff.
* @skb contains the incoming network data.
- * @socket_getpeersec:
+ * @socket_getpeersec_stream:
* This hook allows the security module to provide peer socket security
- * state to userspace via getsockopt SO_GETPEERSEC.
+ * state for unix or connected tcp sockets to userspace via getsockopt
+ * SO_GETPEERSEC. For tcp sockets this can be meaningful if the
+ * socket is associated with an ipsec SA.
* @sock is the local socket.
* @optval userspace memory where the security state is to be copied.
* @optlen userspace int where the module should copy the actual length
@@ -843,6 +845,17 @@ struct request_sock;
* by the caller.
* Return 0 if all is well, otherwise, typical getsockopt return
* values.
+ * @socket_getpeersec_dgram:
+ * This hook allows the security module to provide peer socket security
+ * state for udp sockets on a per-packet basis to userspace via
+ * getsockopt SO_GETPEERSEC. The application must first have indicated
+ * the IP_PASSSEC option via getsockopt. It can then retrieve the
+ * security state returned by this hook for a packet via the SCM_SECURITY
+ * ancillary message type.
+ * @skb is the skbuff for the packet being queried
+ * @secdata is a pointer to a buffer in which to copy the security data
+ * @seclen is the maximum length for @secdata
+ * Return 0 on success, error on failure.
* @sk_alloc_security:
* Allocate and attach a security structure to the sk->sk_security field,
* which is used to copy security attributes between local stream sockets.