From: Sasha Levin
To: "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
CC: Lorenzo Colitti, Steffen Klassert, Sasha Levin
Subject: [PATCH AUTOSEL for 4.4 091/115] net: xfrm: allow clearing socket xfrm policies.
Date: Sat, 3 Mar 2018 22:31:43 +0000
Message-ID: <20180303223010.27106-91-alexander.levin@microsoft.com>
References: <20180303223010.27106-1-alexander.levin@microsoft.com>
In-Reply-To: <20180303223010.27106-1-alexander.levin@microsoft.com>

From: Lorenzo Colitti

[ Upstream commit be8f8284cd897af2482d4e54fbc2bdfc15557259 ]

Currently it is possible to add or update socket policies, but not clear them. Therefore, once a socket policy has been applied, the socket cannot be used for unencrypted traffic.

This patch allows (privileged) users to clear socket policies by passing in a NULL pointer and zero length argument to the {IP,IPV6}_{IPSEC,XFRM}_POLICY setsockopts. This results in both the incoming and outgoing policies being cleared.

The simple approach taken in this patch cannot clear socket policies in only one direction. If desired this could be added in the future, for example by continuing to pass in a length of zero (which currently is guaranteed to return EMSGSIZE) and making the policy be a pointer to an integer that contains one of the XFRM_POLICY_{IN,OUT} enum values.

An alternative would have been to interpret the length as a signed integer and use XFRM_POLICY_IN (i.e., 0) to clear the input policy and -XFRM_POLICY_OUT (i.e., -1) to clear the output policy.

Tested: https://android-review.googlesource.com/539816
Signed-off-by: Lorenzo Colitti
Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin
--- net/xfrm/xfrm_policy.c | 2 +- net/xfrm/xfrm_state.c | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 4b09a9eaa35f..d95cb69460f0 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1313,7 +1313,7 @@ EXPORT_SYMBOL(xfrm_policy_delete); =20 int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *po= l) { - struct net *net =3D xp_net(pol); + struct net *net =3D sock_net(sk); struct xfrm_policy *old_pol; =20 #ifdef CONFIG_XFRM_SUB_POLICY 
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 9895a8c56d8c..96d664e198bf 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -1845,6 +1845,13 @@ int xfrm_user_policy(struct sock *sk, int optname, u= 8 __user *optval, int optlen struct xfrm_mgr *km; struct xfrm_policy *pol =3D NULL; =20 + if (!optval && !optlen) { + xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL); + xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL); + __sk_dst_reset(sk); + return 0; + } + if (optlen <=3D 0 || optlen > PAGE_SIZE) return -EMSGSIZE; =20 --=20 2.14.1
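
Review bot: in the net/xfrm/xfrm_policy.c hunk, the reason for replacing xp_net(pol) with sock_net(sk) in xfrm_sk_policy_insert() is undocumented: the xfrm_state.c hunk now calls this function with pol == NULL, so the namespace can no longer be taken from the policy. Please say so in the commit message or in a short comment above the assignment (for example "pol may be NULL when clearing the socket policy"), and confirm for the 4.4 tree that the remainder of the function, which lies outside the visible context, never dereferences pol without a NULL check.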
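
Review bot: in the net/xfrm/xfrm_state.c hunk, the new "if (!optval && !optlen)" branch discards the int returned by both xfrm_sk_policy_insert() calls and returns 0 unconditionally, so user space is told the policies were cleared even if either call failed. Suggest collecting the two return values and returning the first non-zero one, or adding a comment stating why a NULL policy cannot fail here. Separately, the commit message limits this to "(privileged) users", but no privilege check appears in the visible lines ahead of the branch; since clearing the policy lets the socket carry unencrypted traffic again, a comment naming where the caller enforces the check would make that dependency explicit.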