From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lorenzo Colitti, Steffen Klassert, Sasha Levin
Subject: [PATCH 4.9 174/241] net: xfrm: allow clearing socket xfrm policies.
Date: Mon, 19 Mar 2018 19:07:19 +0100
Message-Id: <20180319180758.357688090@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180319180751.172155436@linuxfoundation.org>
References: <20180319180751.172155436@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------
From: Lorenzo Colitti

[ Upstream commit be8f8284cd897af2482d4e54fbc2bdfc15557259 ]

Currently it is possible to add or update socket policies, but not clear them. Therefore, once a socket policy has been applied, the socket cannot be used for unencrypted traffic.

This patch allows (privileged) users to clear socket policies by passing in a NULL pointer and zero length argument to the {IP,IPV6}_{IPSEC,XFRM}_POLICY setsockopts. This results in both the incoming and outgoing policies being cleared.

The simple approach taken in this patch cannot clear socket policies in only one direction. If desired this could be added in the future, for example by continuing to pass in a length of zero (which currently is guaranteed to return EMSGSIZE) and making the policy be a pointer to an integer that contains one of the XFRM_POLICY_{IN,OUT} enum values. An alternative would have been to interpret the length as a signed integer and use XFRM_POLICY_IN (i.e., 0) to clear the input policy and -XFRM_POLICY_OUT (i.e., -1) to clear the output policy.

Tested: https://android-review.googlesource.com/539816

Signed-off-by: Lorenzo Colitti
Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 net/xfrm/xfrm_policy.c | 2 +-
 net/xfrm/xfrm_state.c  | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

--- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1346,7 +1346,7 @@ EXPORT_SYMBOL(xfrm_policy_delete); int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol) { - struct net *net = xp_net(pol); + struct net *net = sock_net(sk); struct xfrm_policy *old_pol; #ifdef CONFIG_XFRM_SUB_POLICY --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c
@@ -1883,6 +1883,13 @@ int xfrm_user_policy(struct sock *sk, in struct xfrm_mgr *km; struct xfrm_policy *pol = NULL; + if (!optval && !optlen) { + xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL); + xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL); + __sk_dst_reset(sk); + return 0; + } + if (optlen <= 0 || optlen > PAGE_SIZE) return -EMSGSIZE;
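Review bot: in the xfrm_policy.c hunk, the change from `struct net *net = xp_net(pol);` to `struct net *net = sock_net(sk);` is a correctness requirement rather than a cleanup, because the xfrm_state.c hunk now calls `xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL)` and `xp_net(pol)` would dereference the NULL policy before anything else ran; the commit message does not say this, so a sentence noting that `pol` may now be NULL on entry would help reviewers and backporters. The rest of `xfrm_sk_policy_insert` is outside the hunk, so it is worth confirming there that no other line reads `pol` before the existing NULL handling path.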
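Review bot: the new `if (!optval && !optlen)` block in the xfrm_state.c hunk carries no comment explaining that this specific (NULL, 0) pair is the "clear both directions" request, nor why `__sk_dst_reset(sk)` follows; since the cached dst was built under the policy being removed, a one-line comment such as `/* NULL/0 clears both socket policies; drop the dst cached under the old policy */` would make the convention discoverable to the next reader. Note also that the hunk itself contains no capability check although the commit message speaks of "(privileged) users"; the gate must therefore live in the setsockopt caller outside this hunk, and because clearing a policy downgrades the socket to unencrypted traffic, it is worth verifying that the same check applies to the clear path as to the set path. Placing the block before the `optlen <= 0 || optlen > PAGE_SIZE` guard means only the exact NULL/0 combination takes the new path; a zero length with a non-NULL pointer still returns -EMSGSIZE as before.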
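The commit message above describes the userspace side of this change: a setsockopt with a NULL pointer and zero length clears both socket policies, while an unpatched kernel returns EMSGSIZE for any zero length. The following is an added example (not part of the patch or the kernel tree) that performs that call and classifies the outcome so an application can tell a patched kernel from an old one; it assumes the caller needs CAP_NET_ADMIN (EPERM otherwise) and that a kernel without xfrm reports EOPNOTSUPP, neither of which the patch states.

```c
/* Added example: probe and use the NULL/0 "clear socket policies" form of
 * IP_XFRM_POLICY / IPV6_XFRM_POLICY introduced by this patch. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Option numbers from the Linux UAPI headers, in case libc lacks them. */
#ifndef IP_XFRM_POLICY
#define IP_XFRM_POLICY 17
#endif
#ifndef IPV6_XFRM_POLICY
#define IPV6_XFRM_POLICY 35
#endif

enum clear_result {
    CLEAR_OK,       /* patched kernel: IN and OUT policies cleared */
    CLEAR_TOO_OLD,  /* pre-patch kernel: zero length always gives EMSGSIZE */
    CLEAR_NO_PRIV,  /* assumption: CAP_NET_ADMIN missing -> EPERM */
    CLEAR_NO_XFRM,  /* assumption: no xfrm support / unknown option */
    CLEAR_OTHER
};

/* Pure classifier over setsockopt()'s return value and errno; kept separate
 * from the syscall so it can be checked without privileges. */
enum clear_result classify_clear(int rc, int err)
{
    if (rc == 0)
        return CLEAR_OK;
    switch (err) {
    case EMSGSIZE:    return CLEAR_TOO_OLD;
    case EPERM:       return CLEAR_NO_PRIV;
    case EOPNOTSUPP:
    case ENOPROTOOPT: return CLEAR_NO_XFRM;
    default:          return CLEAR_OTHER;
    }
}

/* Clear both socket policies on fd; family selects the IPv4 or IPv6 option. */
enum clear_result xfrm_clear_socket_policy(int fd, int family)
{
    int level   = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int optname = (family == AF_INET6) ? IPV6_XFRM_POLICY : IP_XFRM_POLICY;
    int rc = setsockopt(fd, level, optname, NULL, 0);
    return classify_clear(rc, rc ? errno : 0);
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    enum clear_result r = xfrm_clear_socket_policy(fd, AF_INET);
    printf("clear result %d (%s)\n", r, r ? strerror(errno) : "ok");
    close(fd);
    return 0;
}
```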