From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lorenzo Colitti, Steffen Klassert, Sasha Levin
Subject: [PATCH 4.4 086/134] net: xfrm: allow clearing socket xfrm policies.
Date: Mon, 19 Mar 2018 19:06:09 +0100
Message-Id: <20180319171901.737465095@linuxfoundation.org>
In-Reply-To: <20180319171849.024066323@linuxfoundation.org>
References: <20180319171849.024066323@linuxfoundation.org>
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Lorenzo Colitti

[ Upstream commit be8f8284cd897af2482d4e54fbc2bdfc15557259 ]

Currently it is possible to add or update socket policies, but not clear them. Therefore, once a socket policy has been applied, the socket cannot be used for unencrypted traffic.

This patch allows (privileged) users to clear socket policies by passing in a NULL pointer and zero length argument to the {IP,IPV6}_{IPSEC,XFRM}_POLICY setsockopts. This results in both the incoming and outgoing policies being cleared.

The simple approach taken in this patch cannot clear socket policies in only one direction. If desired this could be added in the future, for example by continuing to pass in a length of zero (which currently is guaranteed to return EMSGSIZE) and making the policy be a pointer to an integer that contains one of the XFRM_POLICY_{IN,OUT} enum values. An alternative would have been to interpret the length as a signed integer and use XFRM_POLICY_IN (i.e., 0) to clear the input policy and -XFRM_POLICY_OUT (i.e., -1) to clear the output policy.

Tested: https://android-review.googlesource.com/539816

Signed-off-by: Lorenzo Colitti
Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 net/xfrm/xfrm_policy.c | 2 +-
 net/xfrm/xfrm_state.c | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

--- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1313,7 +1313,7 @@ EXPORT_SYMBOL(xfrm_policy_delete); int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol) { - struct net *net = xp_net(pol); + struct net *net = sock_net(sk); struct xfrm_policy *old_pol; #ifdef CONFIG_XFRM_SUB_POLICY --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c
@@ -1845,6 +1845,13 @@ int xfrm_user_policy(struct sock *sk, in struct xfrm_mgr *km; struct xfrm_policy *pol = NULL; + if (!optval && !optlen) { + xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL); + xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL); + __sk_dst_reset(sk); + return 0; + } + if (optlen <= 0 || optlen > PAGE_SIZE) return -EMSGSIZE;
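Review bot: in the xfrm_policy.c hunk, switching `struct net *net = xp_net(pol);` to `sock_net(sk)` is what stops xfrm_sk_policy_insert() dereferencing pol now that the xfrm_state.c hunk calls it with pol == NULL, but the context shown ends at `#ifdef CONFIG_XFRM_SUB_POLICY`, so whatever follows under that ifdef and the handling of `old_pol` need confirming as NULL-safe as well; a short comment above the function stating that a NULL pol clears the policy for `dir` would make the new contract explicit to the next caller rather than leaving it implied by the one call site.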
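Review bot: in the xfrm_state.c hunk the new `if (!optval && !optlen)` early return runs before any privilege check visible in xfrm_user_policy(), while the commit message says only privileged users may clear policies, so the CAP_NET_ADMIN gate must live in the setsockopt callers; a one-line comment saying so would help, because any future path into xfrm_user_policy() that skips those callers inherits an unprivileged clear. Separately, xfrm_sk_policy_insert() returns int (see the xfrm_policy.c hunk) and both return values are discarded here; either propagate them or note why the NULL case cannot fail.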
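As an added example, not part of this patch or of the kernel tree, the following userspace C program exercises the interface the commit message describes: it builds the buffer that the {IP,IPV6}_XFRM_POLICY setsockopt parses (a struct xfrm_userpolicy_info followed directly by its struct xfrm_user_tmpl array, here one mandatory ESP transport-mode template), installs it on a UDP socket, then issues the NULL pointer / zero length setsockopt this patch introduces and maps the result back to the code paths in the hunk above: 0 means the new early return was taken, -EMSGSIZE means the call fell through to the `optlen <= 0` check, i.e. the running kernel predates this commit. The helper names (xfrm_sk_policy_*, xfrm_sk_clear_verdict) are this example's own, and the readings of EPERM (no CAP_NET_ADMIN) and ENOPROTOOPT (no CONFIG_XFRM) are assumptions about the setsockopt callers, which are not part of the patch shown here.

```c
/*
 * Added example, not part of the patch or the kernel tree: probe the
 * {IP,IPV6}_XFRM_POLICY setsockopt from userspace. Helper names are this
 * example's own; the EPERM/ENOPROTOOPT readings are assumptions about the
 * setsockopt callers, which are outside the patch shown on the page.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/xfrm.h>

/* Buffer layout the kernel parses: policy header, then templates directly
 * behind it (nr = (optlen - sizeof(info)) / sizeof(tmpl)). */
struct sk_policy_buf {
	struct xfrm_userpolicy_info info;
	struct xfrm_user_tmpl tmpl[1];
};
_Static_assert(offsetof(struct sk_policy_buf, tmpl) == sizeof(struct xfrm_userpolicy_info),
	       "templates must follow the header with no padding");

enum clear_verdict {
	CLEAR_OK,          /* 0: the new NULL/0 path ran, IN and OUT policies gone */
	CLEAR_OLD_KERNEL,  /* -EMSGSIZE: fell through to the optlen <= 0 check, fix absent */
	CLEAR_NO_PRIV,     /* -EPERM: no CAP_NET_ADMIN (assumed from the callers) */
	CLEAR_NO_XFRM,     /* -ENOPROTOOPT: CONFIG_XFRM not built (assumed) */
	CLEAR_OTHER
};

/* Policy matching all `family` traffic in `dir` that must go through ESP in
 * transport mode (optional = 0). Once installed it refuses plaintext on the
 * socket, which is the state the patch lets a caller undo. Returns optlen. */
size_t xfrm_sk_policy_build(struct sk_policy_buf *b, int family, int dir)
{
	memset(b, 0, sizeof(*b));
	b->info.sel.family = family;         /* zeroed addresses/prefixlen: any host */
	b->info.dir = dir;                   /* XFRM_POLICY_IN or XFRM_POLICY_OUT */
	b->info.action = XFRM_POLICY_ALLOW;  /* allow, but only via the template */
	b->info.share = XFRM_SHARE_ANY;
	b->info.lft.soft_byte_limit = b->info.lft.hard_byte_limit = XFRM_INF;
	b->info.lft.soft_packet_limit = b->info.lft.hard_packet_limit = XFRM_INF;
	b->tmpl[0].id.proto = IPPROTO_ESP;
	b->tmpl[0].family = family;
	b->tmpl[0].mode = XFRM_MODE_TRANSPORT;
	b->tmpl[0].optional = 0;             /* mandatory: no matching SA, no traffic */
	b->tmpl[0].aalgos = b->tmpl[0].ealgos = b->tmpl[0].calgos = ~0U;
	return sizeof(*b);
}

static int policy_sockopt(int family, int *level, int *optname)
{
	switch (family) {
	case AF_INET:  *level = IPPROTO_IP;   *optname = IP_XFRM_POLICY;   return 0;
	case AF_INET6: *level = IPPROTO_IPV6; *optname = IPV6_XFRM_POLICY; return 0;
	default:       return -EAFNOSUPPORT;
	}
}

/* Install a policy. Returns 0 or -errno. */
int xfrm_sk_policy_set(int fd, int family, const struct sk_policy_buf *b, size_t len)
{
	int level, optname, rc = policy_sockopt(family, &level, &optname);

	if (rc)
		return rc;
	return setsockopt(fd, level, optname, b, len) == 0 ? 0 : -errno;
}

/* The form this patch adds: NULL pointer, zero length, both directions cleared. */
int xfrm_sk_policy_clear(int fd, int family)
{
	int level, optname, rc = policy_sockopt(family, &level, &optname);

	if (rc)
		return rc;
	return setsockopt(fd, level, optname, NULL, 0) == 0 ? 0 : -errno;
}

enum clear_verdict xfrm_sk_clear_verdict(int rc)
{
	switch (rc) {
	case 0:            return CLEAR_OK;
	case -EMSGSIZE:    return CLEAR_OLD_KERNEL;
	case -EPERM:       return CLEAR_NO_PRIV;
	case -ENOPROTOOPT: return CLEAR_NO_XFRM;
	default:           return CLEAR_OTHER;
	}
}

int main(void)
{
	struct sk_policy_buf pol;
	size_t len = xfrm_sk_policy_build(&pol, AF_INET, XFRM_POLICY_OUT);
	int fd = socket(AF_INET, SOCK_DGRAM, 0), rc;

	if (fd < 0) {
		perror("socket");
		return 1;
	}
	rc = xfrm_sk_policy_set(fd, AF_INET, &pol, len);
	printf("set OUT policy:  %s\n", rc ? strerror(-rc) : "ok");
	rc = xfrm_sk_policy_clear(fd, AF_INET);
	printf("clear (NULL, 0): %s (verdict %d)\n", rc ? strerror(-rc) : "ok",
	       (int)xfrm_sk_clear_verdict(rc));
	close(fd);
	return 0;
}
```

Run it as root on a kernel with CONFIG_XFRM to see both the install and the clear succeed; on a 4.4 kernel without this patch the clear comes back EMSGSIZE and the socket keeps refusing plaintext. Per-direction clearing and the signed-length variant the commit message discusses are not modelled, since the patch does not implement them.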