* [PATCH 0/4] Make xfrm usable by 32-bit programs
@ 2017-01-21 0:05 Kevin Cernekee
2017-01-21 0:05 ` [PATCH 1/4] xfrm: Constify xfrm_user arguments and xfrm_mgr callback APIs Kevin Cernekee
` (5 more replies)
0 siblings, 6 replies; 10+ messages in thread
From: Kevin Cernekee @ 2017-01-21 0:05 UTC (permalink / raw)
To: steffen.klassert, herbert, davem, paul, sds, eparis
Cc: linux-kernel, netdev, selinux, fw, fan.du, dianders, dtor
Several of the xfrm netlink and setsockopt() interfaces are not usable
from a 32-bit binary running on a 64-bit kernel due to struct padding
differences. This has been the case for many, many years[0]. This
patch series deprecates the broken netlink messages and replaces them
with packed structs that are compatible between 64-bit and 32-bit
programs. It retains support for legacy user programs (i.e. anything
that is currently working today), and allows legacy support to be
compiled out via CONFIG_XFRM_USER_LEGACY if it becomes unnecessary in
the future.
Earlier attempts at fixing the problem had implemented a compat layer.
A compat layer is helpful because it avoids the need to recompile old
user binaries, but there are many challenges involved in implementing
it. I believe a compat layer is of limited value in this instance
because anybody who really needed to solve the problem without
recompiling their binaries has almost certainly found another solution
in the ~7 years since the compat patches were first proposed.
A benefit of this approach is that long-term, the broken netlink messages
will no longer be used. A drawback is that in the short term, user
programs that want to adopt the new message formats will require a
modern kernel. Projects like strongSwan and iproute2 bundle the xfrm.h
header inside their own source trees, so they will need to make a
judgment call on when to remove support for kernels that do not support
the new messages. And programs built against the new kernel headers
will not work on old kernels. (Perhaps this is an argument for naming
the new messages _NEW, rather than renaming the old messages to
_LEGACY.)
The following netlink messages are affected:
XFRM_MSG_NEWSA
XFRM_MSG_UPDSA
XFRM_MSG_DELSA
XFRM_MSG_GETSA
XFRM_MSG_NEWPOLICY
XFRM_MSG_UPDPOLICY
XFRM_MSG_DELPOLICY
XFRM_MSG_GETPOLICY
XFRM_MSG_ALLOCSPI
XFRM_MSG_ACQUIRE
XFRM_MSG_EXPIRE
XFRM_MSG_POLEXPIRE
The following setsockopt() settings are affected:
IP_XFRM_POLICY
IPV6_XFRM_POLICY
The root cause of the problem involves padding and alignment
incompatibilities in the following structs:
xfrm_usersa_info 220 bytes on i386 -> 224 bytes on amd64
xfrm_userpolicy_info 164 -> 168
xfrm_userspi_info 228 -> 232, offset mismatch on min
xfrm_user_acquire 276 -> 280, offset mismatch on aalgos
xfrm_user_expire 224 -> 232, offset mismatch on hard
xfrm_user_polexpire 168 -> 176, offset mismatch on hard
Most xfrm netlink messages consist of an xfrm_* struct followed by
additional attributes (struct nlattr TLV), so even cases where the
struct layout (sans padding) is identical will result in incompatible
messages.
Some possible tweaks to this approach:
a) Name the new messages _NEW instead of renaming the old messages
_LEGACY. This fixes the "new binary on old kernel" problem, but it
means that callers need to change every call site in their programs
to explicitly request the new interface.
b) Tweak xfrm.h so that user programs build against the legacy
interfaces by default, but can alter that behavior using a #define
flag. Maybe in a few years, assume that everyone is running a modern
kernel and make the new interface the default.
[0] https://www.spinics.net/lists/netdev/msg126176.html
Kevin Cernekee (4):
xfrm: Constify xfrm_user arguments and xfrm_mgr callback APIs
xfrm_user: Allow common functions to be called from another file
xfrm_user: Initial commit of xfrm_user_legacy.c
xfrm_user: Add new 32/64-agnostic netlink messages
include/net/xfrm.h | 36 +-
include/uapi/linux/xfrm.h | 152 ++++--
net/key/af_key.c | 34 +-
net/xfrm/Kconfig | 14 +
net/xfrm/Makefile | 8 +-
net/xfrm/xfrm_policy.c | 8 +-
net/xfrm/xfrm_state.c | 2 +-
net/xfrm/xfrm_user.c | 587 +++++++++++++---------
net/xfrm/xfrm_user.h | 165 +++++++
net/xfrm/xfrm_user_legacy.c | 1140 +++++++++++++++++++++++++++++++++++++++++++
security/selinux/nlmsgtab.c | 61 ++-
11 files changed, 1890 insertions(+), 317 deletions(-)
create mode 100644 net/xfrm/xfrm_user.h
create mode 100644 net/xfrm/xfrm_user_legacy.c
--
2.11.0.483.g087da7b7c-goog
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 1/4] xfrm: Constify xfrm_user arguments and xfrm_mgr callback APIs
2017-01-21 0:05 [PATCH 0/4] Make xfrm usable by 32-bit programs Kevin Cernekee
@ 2017-01-21 0:05 ` Kevin Cernekee
2017-01-21 0:05 ` [PATCH 2/4] xfrm_user: Allow common functions to be called from another file Kevin Cernekee
` (4 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: Kevin Cernekee @ 2017-01-21 0:05 UTC (permalink / raw)
To: steffen.klassert, herbert, davem, paul, sds, eparis
Cc: linux-kernel, netdev, selinux, fw, fan.du, dianders, dtor
This provides a better sense of the data flow and inputs/outputs. No
change to code size or functionality.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
---
include/net/xfrm.h | 36 ++++--
net/key/af_key.c | 34 +++--
net/xfrm/xfrm_policy.c | 8 +-
net/xfrm/xfrm_state.c | 2 +-
net/xfrm/xfrm_user.c | 342 +++++++++++++++++++++++++++++--------------------
5 files changed, 253 insertions(+), 169 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 31947b9c21d6..34298d78ba45 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -228,7 +228,7 @@ struct xfrm_state {
void *data;
};
-static inline struct net *xs_net(struct xfrm_state *x)
+static inline struct net *xs_net(const struct xfrm_state *x)
{
return read_pnet(&x->xs_net);
}
@@ -587,12 +587,23 @@ struct xfrm_migrate {
struct xfrm_mgr {
struct list_head list;
char *id;
- int (*notify)(struct xfrm_state *x, const struct km_event *c);
- int (*acquire)(struct xfrm_state *x, struct xfrm_tmpl *, struct xfrm_policy *xp);
- struct xfrm_policy *(*compile_policy)(struct sock *sk, int opt, u8 *data, int len, int *dir);
- int (*new_mapping)(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
- int (*notify_policy)(struct xfrm_policy *x, int dir, const struct km_event *c);
- int (*report)(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr);
+ int (*notify)(const struct xfrm_state *x,
+ const struct km_event *c);
+ int (*acquire)(struct xfrm_state *x,
+ const struct xfrm_tmpl *,
+ const struct xfrm_policy *xp);
+ struct xfrm_policy *(*compile_policy)(struct sock *sk,
+ int opt, u8 *data,
+ int len, int *dir);
+ int (*new_mapping)(struct xfrm_state *x,
+ const xfrm_address_t *ipaddr,
+ __be16 sport);
+ int (*notify_policy)(const struct xfrm_policy *x,
+ int dir,
+ const struct km_event *c);
+ int (*report)(struct net *net, u8 proto,
+ const struct xfrm_selector *sel,
+ const xfrm_address_t *addr);
int (*migrate)(const struct xfrm_selector *sel,
u8 dir, u8 type,
const struct xfrm_migrate *m,
@@ -1432,7 +1443,7 @@ static inline void xfrm_sysctl_fini(struct net *net)
void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
struct xfrm_address_filter *filter);
int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
- int (*func)(struct xfrm_state *, int, void*), void *);
+ int (*func)(const struct xfrm_state *, int, void*), void *);
void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
struct xfrm_state *xfrm_state_alloc(struct net *net);
struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
@@ -1584,13 +1595,13 @@ struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp);
void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
- int (*func)(struct xfrm_policy *, int, int, void*),
+ int (*func)(const struct xfrm_policy *, int, int, void*),
void *);
void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark,
u8 type, int dir,
- struct xfrm_selector *sel,
+ const struct xfrm_selector *sel,
struct xfrm_sec_ctx *ctx, int delete,
int *err);
struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8, int dir,
@@ -1695,7 +1706,7 @@ static inline int xfrm_acquire_is_on(struct net *net)
}
#endif
-static inline int aead_len(struct xfrm_algo_aead *alg)
+static inline int aead_len(const struct xfrm_algo_aead *alg)
{
return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
}
@@ -1710,7 +1721,8 @@ static inline int xfrm_alg_auth_len(const struct xfrm_algo_auth *alg)
return sizeof(*alg) + ((alg->alg_key_len + 7) / 8);
}
-static inline int xfrm_replay_state_esn_len(struct xfrm_replay_state_esn *replay_esn)
+static inline int xfrm_replay_state_esn_len(
+ const struct xfrm_replay_state_esn *replay_esn)
{
return sizeof(*replay_esn) + replay_esn->bmp_len * sizeof(__u32);
}
diff --git a/net/key/af_key.c b/net/key/af_key.c
index c6252ed42c1d..b09a48c4c1fb 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1433,7 +1433,7 @@ static inline int event2keytype(int event)
}
/* ADD/UPD/DEL */
-static int key_notify_sa(struct xfrm_state *x, const struct km_event *c)
+static int key_notify_sa(const struct xfrm_state *x, const struct km_event *c)
{
struct sk_buff *skb;
struct sadb_msg *hdr;
@@ -1744,7 +1744,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m
return 0;
}
-static int dump_sa(struct xfrm_state *x, int count, void *ptr)
+static int dump_sa(const struct xfrm_state *x, int count, void *ptr)
{
struct pfkey_sock *pfk = ptr;
struct sk_buff *out_skb;
@@ -1851,7 +1851,8 @@ static int pfkey_promisc(struct sock *sk, struct sk_buff *skb, const struct sadb
return 0;
}
-static int check_reqid(struct xfrm_policy *xp, int dir, int count, void *ptr)
+static int check_reqid(const struct xfrm_policy *xp, int dir, int count,
+ void *ptr)
{
int i;
u32 reqid = *(u32*)ptr;
@@ -2157,7 +2158,9 @@ static int pfkey_xfrm_policy2msg(struct sk_buff *skb, const struct xfrm_policy *
return 0;
}
-static int key_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c)
+static int key_notify_policy(const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c)
{
struct sk_buff *out_skb;
struct sadb_msg *out_hdr;
@@ -2628,7 +2631,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, const struct sadb_
return err;
}
-static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
+static int dump_sp(const struct xfrm_policy *xp, int dir, int count, void *ptr)
{
struct pfkey_sock *pfk = ptr;
struct sk_buff *out_skb;
@@ -2961,12 +2964,14 @@ static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
}
}
-static int key_notify_policy_expire(struct xfrm_policy *xp, const struct km_event *c)
+static int key_notify_policy_expire(const struct xfrm_policy *xp,
+ const struct km_event *c)
{
return 0;
}
-static int key_notify_sa_expire(struct xfrm_state *x, const struct km_event *c)
+static int key_notify_sa_expire(const struct xfrm_state *x,
+ const struct km_event *c)
{
struct sk_buff *out_skb;
struct sadb_msg *out_hdr;
@@ -2996,7 +3001,8 @@ static int key_notify_sa_expire(struct xfrm_state *x, const struct km_event *c)
return 0;
}
-static int pfkey_send_notify(struct xfrm_state *x, const struct km_event *c)
+static int pfkey_send_notify(const struct xfrm_state *x,
+ const struct km_event *c)
{
struct net *net = x ? xs_net(x) : c->net;
struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
@@ -3023,7 +3029,9 @@ static int pfkey_send_notify(struct xfrm_state *x, const struct km_event *c)
return 0;
}
-static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
+static int pfkey_send_policy_notify(const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c)
{
if (xp && xp->type != XFRM_POLICY_TYPE_MAIN)
return 0;
@@ -3076,7 +3084,9 @@ static bool pfkey_is_alive(const struct km_event *c)
return is_alive;
}
-static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *xp)
+static int pfkey_send_acquire(struct xfrm_state *x,
+ const struct xfrm_tmpl *t,
+ const struct xfrm_policy *xp)
{
struct sk_buff *skb;
struct sadb_msg *hdr;
@@ -3273,7 +3283,9 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
return NULL;
}
-static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
+static int pfkey_send_new_mapping(struct xfrm_state *x,
+ const xfrm_address_t *ipaddr,
+ __be16 sport)
{
struct sk_buff *skb;
struct sadb_msg *hdr;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 177e208e8ff5..dc51dec54043 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -709,7 +709,8 @@ static u32 xfrm_gen_index(struct net *net, int dir, u32 index)
}
}
-static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2)
+static inline int selector_cmp(const struct xfrm_selector *s1,
+ const struct xfrm_selector *s2)
{
u32 *p1 = (u32 *) s1;
u32 *p2 = (u32 *) s2;
@@ -833,7 +834,8 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
EXPORT_SYMBOL(xfrm_policy_insert);
struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u8 type,
- int dir, struct xfrm_selector *sel,
+ int dir,
+ const struct xfrm_selector *sel,
struct xfrm_sec_ctx *ctx, int delete,
int *err)
{
@@ -1016,7 +1018,7 @@ int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
EXPORT_SYMBOL(xfrm_policy_flush);
int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
- int (*func)(struct xfrm_policy *, int, int, void*),
+ int (*func)(const struct xfrm_policy *, int, int, void*),
void *data)
{
struct xfrm_policy *pol;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 64e3c82eedf6..4513a621b0d5 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1642,7 +1642,7 @@ static bool __xfrm_state_filter_match(struct xfrm_state *x,
}
int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
- int (*func)(struct xfrm_state *, int, void*),
+ int (*func)(const struct xfrm_state *, int, void*),
void *data)
{
struct xfrm_state *state;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 9705c279494b..ed389aad4994 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -115,7 +115,7 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs)
return 0;
}
-static inline int verify_replay(struct xfrm_usersa_info *p,
+static inline int verify_replay(const struct xfrm_usersa_info *p,
struct nlattr **attrs)
{
struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
@@ -148,7 +148,7 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
return 0;
}
-static int verify_newsa_info(struct xfrm_usersa_info *p,
+static int verify_newsa_info(const struct xfrm_usersa_info *p,
struct nlattr **attrs)
{
int err;
@@ -264,11 +264,14 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
return err;
}
-static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
- struct xfrm_algo_desc *(*get_byname)(const char *, int),
- struct nlattr *rta)
+static int attach_one_algo(
+ struct xfrm_algo **algpp,
+ u8 *props,
+ struct xfrm_algo_desc *(*get_byname)(const char *, int),
+ const struct nlattr *rta)
{
- struct xfrm_algo *p, *ualg;
+ const struct xfrm_algo *ualg;
+ struct xfrm_algo *p;
struct xfrm_algo_desc *algo;
if (!rta)
@@ -290,9 +293,10 @@ static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
return 0;
}
-static int attach_crypt(struct xfrm_state *x, struct nlattr *rta)
+static int attach_crypt(struct xfrm_state *x, const struct nlattr *rta)
{
- struct xfrm_algo *p, *ualg;
+ const struct xfrm_algo *ualg;
+ struct xfrm_algo *p;
struct xfrm_algo_desc *algo;
if (!rta)
@@ -316,9 +320,9 @@ static int attach_crypt(struct xfrm_state *x, struct nlattr *rta)
}
static int attach_auth(struct xfrm_algo_auth **algpp, u8 *props,
- struct nlattr *rta)
+ const struct nlattr *rta)
{
- struct xfrm_algo *ualg;
+ const struct xfrm_algo *ualg;
struct xfrm_algo_auth *p;
struct xfrm_algo_desc *algo;
@@ -346,9 +350,10 @@ static int attach_auth(struct xfrm_algo_auth **algpp, u8 *props,
}
static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props,
- struct nlattr *rta)
+ const struct nlattr *rta)
{
- struct xfrm_algo_auth *p, *ualg;
+ const struct xfrm_algo_auth *ualg;
+ struct xfrm_algo_auth *p;
struct xfrm_algo_desc *algo;
if (!rta)
@@ -375,9 +380,10 @@ static int attach_auth_trunc(struct xfrm_algo_auth **algpp, u8 *props,
return 0;
}
-static int attach_aead(struct xfrm_state *x, struct nlattr *rta)
+static int attach_aead(struct xfrm_state *x, const struct nlattr *rta)
{
- struct xfrm_algo_aead *p, *ualg;
+ const struct xfrm_algo_aead *ualg;
+ struct xfrm_algo_aead *p;
struct xfrm_algo_desc *algo;
if (!rta)
@@ -400,10 +406,11 @@ static int attach_aead(struct xfrm_state *x, struct nlattr *rta)
return 0;
}
-static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
- struct nlattr *rp)
+static inline int xfrm_replay_verify_len(
+ const struct xfrm_replay_state_esn *replay_esn,
+ const struct nlattr *rp)
{
- struct xfrm_replay_state_esn *up;
+ const struct xfrm_replay_state_esn *up;
int ulen;
if (!replay_esn || !rp)
@@ -418,11 +425,13 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
return 0;
}
-static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,
- struct xfrm_replay_state_esn **preplay_esn,
- struct nlattr *rta)
+static int xfrm_alloc_replay_state_esn(
+ struct xfrm_replay_state_esn **replay_esn,
+ struct xfrm_replay_state_esn **preplay_esn,
+ const struct nlattr *rta)
{
- struct xfrm_replay_state_esn *p, *pp, *up;
+ struct xfrm_replay_state_esn *p, *pp;
+ const struct xfrm_replay_state_esn *up;
int klen, ulen;
if (!rta)
@@ -451,7 +460,7 @@ static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn
return 0;
}
-static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx)
+static inline int xfrm_user_sec_ctx_size(const struct xfrm_sec_ctx *xfrm_ctx)
{
int len = 0;
@@ -462,7 +471,8 @@ static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx)
return len;
}
-static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p)
+static void copy_from_user_state(struct xfrm_state *x,
+ const struct xfrm_usersa_info *p)
{
memcpy(&x->id, &p->id, sizeof(x->id));
memcpy(&x->sel, &p->sel, sizeof(x->sel));
@@ -484,17 +494,19 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
* somehow made shareable and move it to xfrm_state.c - JHS
*
*/
-static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
+static void xfrm_update_ae_params(struct xfrm_state *x,
+ struct nlattr **attrs,
int update_esn)
{
- struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
- struct nlattr *re = update_esn ? attrs[XFRMA_REPLAY_ESN_VAL] : NULL;
- struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
- struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
- struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
+ const struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
+ const struct nlattr *re =
+ update_esn ? attrs[XFRMA_REPLAY_ESN_VAL] : NULL;
+ const struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
+ const struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
+ const struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
if (re) {
- struct xfrm_replay_state_esn *replay_esn;
+ const struct xfrm_replay_state_esn *replay_esn;
replay_esn = nla_data(re);
memcpy(x->replay_esn, replay_esn,
xfrm_replay_state_esn_len(replay_esn));
@@ -503,14 +515,14 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
}
if (rp) {
- struct xfrm_replay_state *replay;
+ const struct xfrm_replay_state *replay;
replay = nla_data(rp);
memcpy(&x->replay, replay, sizeof(*replay));
memcpy(&x->preplay, replay, sizeof(*replay));
}
if (lt) {
- struct xfrm_lifetime_cur *ltime;
+ const struct xfrm_lifetime_cur *ltime;
ltime = nla_data(lt);
x->curlft.bytes = ltime->bytes;
x->curlft.packets = ltime->packets;
@@ -526,7 +538,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
}
static struct xfrm_state *xfrm_state_construct(struct net *net,
- struct xfrm_usersa_info *p,
+ const struct xfrm_usersa_info *p,
struct nlattr **attrs,
int *errp)
{
@@ -613,11 +625,11 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
return NULL;
}
-static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_add_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
- struct xfrm_usersa_info *p = nlmsg_data(nlh);
+ const struct xfrm_usersa_info *p = nlmsg_data(nlh);
struct xfrm_state *x;
int err;
struct km_event c;
@@ -655,7 +667,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
}
static struct xfrm_state *xfrm_user_state_lookup(struct net *net,
- struct xfrm_usersa_id *p,
+ const struct xfrm_usersa_id *p,
struct nlattr **attrs,
int *errp)
{
@@ -688,14 +700,14 @@ static struct xfrm_state *xfrm_user_state_lookup(struct net *net,
return x;
}
-static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_del_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct xfrm_state *x;
int err = -ESRCH;
struct km_event c;
- struct xfrm_usersa_id *p = nlmsg_data(nlh);
+ const struct xfrm_usersa_id *p = nlmsg_data(nlh);
x = xfrm_user_state_lookup(net, p, attrs, &err);
if (x == NULL)
@@ -725,7 +737,8 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
return err;
}
-static void copy_to_user_state(struct xfrm_state *x, struct xfrm_usersa_info *p)
+static void copy_to_user_state(const struct xfrm_state *x,
+ struct xfrm_usersa_info *p)
{
memset(p, 0, sizeof(*p));
memcpy(&p->id, &x->id, sizeof(p->id));
@@ -751,7 +764,7 @@ struct xfrm_dump_info {
u16 nlmsg_flags;
};
-static int copy_sec_ctx(struct xfrm_sec_ctx *s, struct sk_buff *skb)
+static int copy_sec_ctx(const struct xfrm_sec_ctx *s, struct sk_buff *skb)
{
struct xfrm_user_sec_ctx *uctx;
struct nlattr *attr;
@@ -772,7 +785,8 @@ static int copy_sec_ctx(struct xfrm_sec_ctx *s, struct sk_buff *skb)
return 0;
}
-static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb)
+static int copy_to_user_auth(const struct xfrm_algo_auth *auth,
+ struct sk_buff *skb)
{
struct xfrm_algo *algo;
struct nlattr *nla;
@@ -791,7 +805,7 @@ static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb)
}
/* Don't change this without updating xfrm_sa_len! */
-static int copy_to_user_state_extra(struct xfrm_state *x,
+static int copy_to_user_state_extra(const struct xfrm_state *x,
struct xfrm_usersa_info *p,
struct sk_buff *skb)
{
@@ -868,7 +882,7 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
return ret;
}
-static int dump_one_state(struct xfrm_state *x, int count, void *ptr)
+static int dump_one_state(const struct xfrm_state *x, int count, void *ptr)
{
struct xfrm_dump_info *sp = ptr;
struct sk_buff *in_skb = sp->in_skb;
@@ -950,7 +964,8 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
}
static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
- struct xfrm_state *x, u32 seq)
+ const struct xfrm_state *x,
+ u32 seq)
{
struct xfrm_dump_info info;
struct sk_buff *skb;
@@ -1050,7 +1065,7 @@ static int build_spdinfo(struct sk_buff *skb, struct net *net,
return 0;
}
-static int xfrm_set_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh,
+static int xfrm_set_spdinfo(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
@@ -1095,12 +1110,12 @@ static int xfrm_set_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh,
return 0;
}
-static int xfrm_get_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_get_spdinfo(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct sk_buff *r_skb;
- u32 *flags = nlmsg_data(nlh);
+ const u32 *flags = nlmsg_data(nlh);
u32 sportid = NETLINK_CB(skb).portid;
u32 seq = nlh->nlmsg_seq;
@@ -1153,12 +1168,12 @@ static int build_sadinfo(struct sk_buff *skb, struct net *net,
return 0;
}
-static int xfrm_get_sadinfo(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_get_sadinfo(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct sk_buff *r_skb;
- u32 *flags = nlmsg_data(nlh);
+ const u32 *flags = nlmsg_data(nlh);
u32 sportid = NETLINK_CB(skb).portid;
u32 seq = nlh->nlmsg_seq;
@@ -1172,11 +1187,11 @@ static int xfrm_get_sadinfo(struct sk_buff *skb, struct nlmsghdr *nlh,
return nlmsg_unicast(net->xfrm.nlsk, r_skb, sportid);
}
-static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_get_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
- struct xfrm_usersa_id *p = nlmsg_data(nlh);
+ const struct xfrm_usersa_id *p = nlmsg_data(nlh);
struct xfrm_state *x;
struct sk_buff *resp_skb;
int err = -ESRCH;
@@ -1196,14 +1211,14 @@ static int xfrm_get_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
return err;
}
-static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_alloc_userspi(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct xfrm_state *x;
- struct xfrm_userspi_info *p;
+ const struct xfrm_userspi_info *p;
struct sk_buff *resp_skb;
- xfrm_address_t *daddr;
+ const xfrm_address_t *daddr;
int family;
int err;
u32 mark;
@@ -1286,7 +1301,7 @@ static int verify_policy_type(u8 type)
return 0;
}
-static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
+static int verify_newpolicy_info(const struct xfrm_userpolicy_info *p)
{
int ret;
@@ -1346,7 +1361,8 @@ static int copy_from_user_sec_ctx(struct xfrm_policy *pol, struct nlattr **attrs
return security_xfrm_policy_alloc(&pol->security, uctx, GFP_KERNEL);
}
-static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
+static void copy_templates(struct xfrm_policy *xp,
+ const struct xfrm_user_tmpl *ut,
int nr)
{
int i;
@@ -1444,7 +1460,8 @@ static int copy_from_user_policy_type(u8 *tp, struct nlattr **attrs)
return 0;
}
-static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p)
+static void copy_from_user_policy(struct xfrm_policy *xp,
+ const struct xfrm_userpolicy_info *p)
{
xp->priority = p->priority;
xp->index = p->index;
@@ -1456,7 +1473,9 @@ static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy
/* XXX xp->share = p->share; */
}
-static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p, int dir)
+static void copy_to_user_policy(const struct xfrm_policy *xp,
+ struct xfrm_userpolicy_info *p,
+ int dir)
{
memset(p, 0, sizeof(*p));
memcpy(&p->sel, &xp->selector, sizeof(p->sel));
@@ -1471,7 +1490,11 @@ static void copy_to_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_i
p->share = XFRM_SHARE_ANY; /* XXX xp->share */
}
-static struct xfrm_policy *xfrm_policy_construct(struct net *net, struct xfrm_userpolicy_info *p, struct nlattr **attrs, int *errp)
+static struct xfrm_policy *xfrm_policy_construct(
+ struct net *net,
+ const struct xfrm_userpolicy_info *p,
+ struct nlattr **attrs,
+ int *errp)
{
struct xfrm_policy *xp = xfrm_policy_alloc(net, GFP_KERNEL);
int err;
@@ -1502,11 +1525,11 @@ static struct xfrm_policy *xfrm_policy_construct(struct net *net, struct xfrm_us
return NULL;
}
-static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_add_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
- struct xfrm_userpolicy_info *p = nlmsg_data(nlh);
+ const struct xfrm_userpolicy_info *p = nlmsg_data(nlh);
struct xfrm_policy *xp;
struct km_event c;
int err;
@@ -1547,7 +1570,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
return 0;
}
-static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
+static int copy_to_user_tmpl(const struct xfrm_policy *xp, struct sk_buff *skb)
{
struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
int i;
@@ -1557,7 +1580,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
for (i = 0; i < xp->xfrm_nr; i++) {
struct xfrm_user_tmpl *up = &vec[i];
- struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
+ const struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
memset(up, 0, sizeof(*up));
memcpy(&up->id, &kp->id, sizeof(up->id));
@@ -1576,7 +1599,8 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr, vec);
}
-static inline int copy_to_user_state_sec_ctx(struct xfrm_state *x, struct sk_buff *skb)
+static inline int copy_to_user_state_sec_ctx(const struct xfrm_state *x,
+ struct sk_buff *skb)
{
if (x->security) {
return copy_sec_ctx(x->security, skb);
@@ -1584,7 +1608,8 @@ static inline int copy_to_user_state_sec_ctx(struct xfrm_state *x, struct sk_buf
return 0;
}
-static inline int copy_to_user_sec_ctx(struct xfrm_policy *xp, struct sk_buff *skb)
+static inline int copy_to_user_sec_ctx(const struct xfrm_policy *xp,
+ struct sk_buff *skb)
{
if (xp->security)
return copy_sec_ctx(xp->security, skb);
@@ -1616,7 +1641,10 @@ static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
}
#endif
-static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr)
+static int dump_one_policy(const struct xfrm_policy *xp,
+ int dir,
+ int count,
+ void *ptr)
{
struct xfrm_dump_info *sp = ptr;
struct xfrm_userpolicy_info *p;
@@ -1681,8 +1709,9 @@ static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
}
static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
- struct xfrm_policy *xp,
- int dir, u32 seq)
+ const struct xfrm_policy *xp,
+ int dir,
+ u32 seq)
{
struct xfrm_dump_info info;
struct sk_buff *skb;
@@ -1706,12 +1735,12 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
return skb;
}
-static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_get_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct xfrm_policy *xp;
- struct xfrm_userpolicy_id *p;
+ const struct xfrm_userpolicy_id *p;
u8 type = XFRM_POLICY_TYPE_MAIN;
int err;
struct km_event c;
@@ -1785,12 +1814,12 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
return err;
}
-static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_flush_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct km_event c;
- struct xfrm_usersa_flush *p = nlmsg_data(nlh);
+ const struct xfrm_usersa_flush *p = nlmsg_data(nlh);
int err;
err = xfrm_state_flush(net, p->proto, true);
@@ -1809,7 +1838,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
return 0;
}
-static inline size_t xfrm_aevent_msgsize(struct xfrm_state *x)
+static inline size_t xfrm_aevent_msgsize(const struct xfrm_state *x)
{
size_t replay_size = x->replay_esn ?
xfrm_replay_state_esn_len(x->replay_esn) :
@@ -1823,7 +1852,9 @@ static inline size_t xfrm_aevent_msgsize(struct xfrm_state *x)
+ nla_total_size(4); /* XFRM_AE_ETHR */
}
-static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
+static int build_aevent(struct sk_buff *skb,
+ const struct xfrm_state *x,
+ const struct km_event *c)
{
struct xfrm_aevent_id *id;
struct nlmsghdr *nlh;
@@ -1880,8 +1911,8 @@ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct
return err;
}
-static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_get_ae(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct xfrm_state *x;
@@ -1890,8 +1921,8 @@ static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
struct km_event c;
u32 mark;
struct xfrm_mark m;
- struct xfrm_aevent_id *p = nlmsg_data(nlh);
- struct xfrm_usersa_id *id = &p->sa_id;
+ const struct xfrm_aevent_id *p = nlmsg_data(nlh);
+ const struct xfrm_usersa_id *id = &p->sa_id;
mark = xfrm_mark_get(attrs, &m);
@@ -1923,8 +1954,8 @@ static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
return err;
}
-static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_new_ae(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct xfrm_state *x;
@@ -1932,12 +1963,12 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
int err = -EINVAL;
u32 mark = 0;
struct xfrm_mark m;
- struct xfrm_aevent_id *p = nlmsg_data(nlh);
- struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
- struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL];
- struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
- struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
- struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
+ const struct xfrm_aevent_id *p = nlmsg_data(nlh);
+ const struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
+ const struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL];
+ const struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
+ const struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
+ const struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
if (!lt && !rp && !re && !et && !rt)
return err;
@@ -1974,8 +2005,8 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
return err;
}
-static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_flush_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct km_event c;
@@ -2002,13 +2033,13 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
return 0;
}
-static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_add_pol_expire(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct xfrm_policy *xp;
- struct xfrm_user_polexpire *up = nlmsg_data(nlh);
- struct xfrm_userpolicy_info *p = &up->pol;
+ const struct xfrm_user_polexpire *up = nlmsg_data(nlh);
+ const struct xfrm_userpolicy_info *p = &up->pol;
u8 type = XFRM_POLICY_TYPE_MAIN;
int err = -ENOENT;
struct xfrm_mark m;
@@ -2062,14 +2093,14 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
return err;
}
-static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_add_sa_expire(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct xfrm_state *x;
int err;
- struct xfrm_user_expire *ue = nlmsg_data(nlh);
- struct xfrm_usersa_info *p = &ue->state;
+ const struct xfrm_user_expire *ue = nlmsg_data(nlh);
+ const struct xfrm_usersa_info *p = &ue->state;
struct xfrm_mark m;
u32 mark = xfrm_mark_get(attrs, &m);
@@ -2096,8 +2127,8 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
return err;
}
-static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
- struct nlattr **attrs)
+static int xfrm_add_acquire(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct xfrm_policy *xp;
@@ -2106,7 +2137,7 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
struct nlattr *rt = attrs[XFRMA_TMPL];
struct xfrm_mark mark;
- struct xfrm_user_acquire *ua = nlmsg_data(nlh);
+ const struct xfrm_user_acquire *ua = nlmsg_data(nlh);
struct xfrm_state *x = xfrm_state_alloc(net);
int err = -ENOMEM;
@@ -2160,12 +2191,12 @@ static int copy_from_user_migrate(struct xfrm_migrate *ma,
struct xfrm_kmaddress *k,
struct nlattr **attrs, int *num)
{
- struct nlattr *rt = attrs[XFRMA_MIGRATE];
- struct xfrm_user_migrate *um;
+ const struct nlattr *rt = attrs[XFRMA_MIGRATE];
+ const struct xfrm_user_migrate *um;
int i, num_migrate;
if (k != NULL) {
- struct xfrm_user_kmaddress *uk;
+ const struct xfrm_user_kmaddress *uk;
uk = nla_data(attrs[XFRMA_KMADDRESS]);
memcpy(&k->local, &uk->local, sizeof(k->local));
@@ -2198,10 +2229,10 @@ static int copy_from_user_migrate(struct xfrm_migrate *ma,
return 0;
}
-static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
+static int xfrm_do_migrate(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr **attrs)
{
- struct xfrm_userpolicy_id *pi = nlmsg_data(nlh);
+ const struct xfrm_userpolicy_id *pi = nlmsg_data(nlh);
struct xfrm_migrate m[XFRM_MAX_DEPTH];
struct xfrm_kmaddress km, *kmp;
u8 type;
@@ -2230,7 +2261,7 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
return 0;
}
#else
-static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
+static int xfrm_do_migrate(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr **attrs)
{
return -ENOPROTOOPT;
@@ -2238,7 +2269,8 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
#endif
#ifdef CONFIG_XFRM_MIGRATE
-static int copy_to_user_migrate(const struct xfrm_migrate *m, struct sk_buff *skb)
+static int copy_to_user_migrate(const struct xfrm_migrate *m,
+ struct sk_buff *skb)
{
struct xfrm_user_migrate um;
@@ -2256,7 +2288,8 @@ static int copy_to_user_migrate(const struct xfrm_migrate *m, struct sk_buff *sk
return nla_put(skb, XFRMA_MIGRATE, sizeof(um), &um);
}
-static int copy_to_user_kmaddress(const struct xfrm_kmaddress *k, struct sk_buff *skb)
+static int copy_to_user_kmaddress(const struct xfrm_kmaddress *k,
+ struct sk_buff *skb)
{
struct xfrm_user_kmaddress uk;
@@ -2407,7 +2440,9 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {
};
static const struct xfrm_link {
- int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);
+ int (*doit)(struct sk_buff *,
+ const struct nlmsghdr *,
+ struct nlattr **);
int (*dump)(struct sk_buff *, struct netlink_callback *);
int (*done)(struct netlink_callback *);
const struct nla_policy *nla_pol;
@@ -2506,7 +2541,9 @@ static inline size_t xfrm_expire_msgsize(void)
+ nla_total_size(sizeof(struct xfrm_mark));
}
-static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
+static int build_expire(struct sk_buff *skb,
+ const struct xfrm_state *x,
+ const struct km_event *c)
{
struct xfrm_user_expire *ue;
struct nlmsghdr *nlh;
@@ -2528,7 +2565,8 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct
return 0;
}
-static int xfrm_exp_state_notify(struct xfrm_state *x, const struct km_event *c)
+static int xfrm_exp_state_notify(const struct xfrm_state *x,
+ const struct km_event *c)
{
struct net *net = xs_net(x);
struct sk_buff *skb;
@@ -2545,7 +2583,8 @@ static int xfrm_exp_state_notify(struct xfrm_state *x, const struct km_event *c)
return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE);
}
-static int xfrm_aevent_state_notify(struct xfrm_state *x, const struct km_event *c)
+static int xfrm_aevent_state_notify(const struct xfrm_state *x,
+ const struct km_event *c)
{
struct net *net = xs_net(x);
struct sk_buff *skb;
@@ -2586,7 +2625,7 @@ static int xfrm_notify_sa_flush(const struct km_event *c)
return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA);
}
-static inline size_t xfrm_sa_len(struct xfrm_state *x)
+static inline size_t xfrm_sa_len(const struct xfrm_state *x)
{
size_t l = 0;
if (x->aead)
@@ -2622,7 +2661,7 @@ static inline size_t xfrm_sa_len(struct xfrm_state *x)
return l;
}
-static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
+static int xfrm_notify_sa(const struct xfrm_state *x, const struct km_event *c)
{
struct net *net = xs_net(x);
struct xfrm_usersa_info *p;
@@ -2679,7 +2718,8 @@ static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
return err;
}
-static int xfrm_send_state_notify(struct xfrm_state *x, const struct km_event *c)
+static int xfrm_send_state_notify(const struct xfrm_state *x,
+ const struct km_event *c)
{
switch (c->event) {
@@ -2703,8 +2743,8 @@ static int xfrm_send_state_notify(struct xfrm_state *x, const struct km_event *c
}
-static inline size_t xfrm_acquire_msgsize(struct xfrm_state *x,
- struct xfrm_policy *xp)
+static inline size_t xfrm_acquire_msgsize(const struct xfrm_state *x,
+ const struct xfrm_policy *xp)
{
return NLMSG_ALIGN(sizeof(struct xfrm_user_acquire))
+ nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr)
@@ -2713,8 +2753,10 @@ static inline size_t xfrm_acquire_msgsize(struct xfrm_state *x,
+ userpolicy_type_attrsize();
}
-static int build_acquire(struct sk_buff *skb, struct xfrm_state *x,
- struct xfrm_tmpl *xt, struct xfrm_policy *xp)
+static int build_acquire(struct sk_buff *skb,
+ struct xfrm_state *x,
+ const struct xfrm_tmpl *xt,
+ const struct xfrm_policy *xp)
{
__u32 seq = xfrm_get_acqseq();
struct xfrm_user_acquire *ua;
@@ -2751,8 +2793,9 @@ static int build_acquire(struct sk_buff *skb, struct xfrm_state *x,
return 0;
}
-static int xfrm_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *xt,
- struct xfrm_policy *xp)
+static int xfrm_send_acquire(struct xfrm_state *x,
+ const struct xfrm_tmpl *xt,
+ const struct xfrm_policy *xp)
{
struct net *net = xs_net(x);
struct sk_buff *skb;
@@ -2774,7 +2817,8 @@ static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt,
u8 *data, int len, int *dir)
{
struct net *net = sock_net(sk);
- struct xfrm_userpolicy_info *p = (struct xfrm_userpolicy_info *)data;
+ const struct xfrm_userpolicy_info *p =
+ (struct xfrm_userpolicy_info *)data;
struct xfrm_user_tmpl *ut = (struct xfrm_user_tmpl *) (p + 1);
struct xfrm_policy *xp;
int nr;
@@ -2827,7 +2871,7 @@ static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt,
return xp;
}
-static inline size_t xfrm_polexpire_msgsize(struct xfrm_policy *xp)
+static inline size_t xfrm_polexpire_msgsize(const struct xfrm_policy *xp)
{
return NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire))
+ nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr)
@@ -2836,8 +2880,10 @@ static inline size_t xfrm_polexpire_msgsize(struct xfrm_policy *xp)
+ userpolicy_type_attrsize();
}
-static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp,
- int dir, const struct km_event *c)
+static int build_polexpire(struct sk_buff *skb,
+ const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c)
{
struct xfrm_user_polexpire *upe;
int hard = c->data.hard;
@@ -2867,7 +2913,9 @@ static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp,
return 0;
}
-static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
+static int xfrm_exp_policy_notify(const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c)
{
struct net *net = xp_net(xp);
struct sk_buff *skb;
@@ -2882,7 +2930,9 @@ static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, const struct
return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE);
}
-static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c)
+static int xfrm_notify_policy(const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c)
{
int len = nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr);
struct net *net = xp_net(xp);
@@ -2976,7 +3026,9 @@ static int xfrm_notify_policy_flush(const struct km_event *c)
return err;
}
-static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
+static int xfrm_send_policy_notify(const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c)
{
switch (c->event) {
@@ -3003,7 +3055,8 @@ static inline size_t xfrm_report_msgsize(void)
}
static int build_report(struct sk_buff *skb, u8 proto,
- struct xfrm_selector *sel, xfrm_address_t *addr)
+ const struct xfrm_selector *sel,
+ const xfrm_address_t *addr)
{
struct xfrm_user_report *ur;
struct nlmsghdr *nlh;
@@ -3027,8 +3080,10 @@ static int build_report(struct sk_buff *skb, u8 proto,
return 0;
}
-static int xfrm_send_report(struct net *net, u8 proto,
- struct xfrm_selector *sel, xfrm_address_t *addr)
+static int xfrm_send_report(struct net *net,
+ u8 proto,
+ const struct xfrm_selector *sel,
+ const xfrm_address_t *addr)
{
struct sk_buff *skb;
@@ -3047,8 +3102,10 @@ static inline size_t xfrm_mapping_msgsize(void)
return NLMSG_ALIGN(sizeof(struct xfrm_user_mapping));
}
-static int build_mapping(struct sk_buff *skb, struct xfrm_state *x,
- xfrm_address_t *new_saddr, __be16 new_sport)
+static int build_mapping(struct sk_buff *skb,
+ const struct xfrm_state *x,
+ const xfrm_address_t *new_saddr,
+ __be16 new_sport)
{
struct xfrm_user_mapping *um;
struct nlmsghdr *nlh;
@@ -3073,7 +3130,8 @@ static int build_mapping(struct sk_buff *skb, struct xfrm_state *x,
return 0;
}
-static int xfrm_send_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr,
+static int xfrm_send_mapping(struct xfrm_state *x,
+ const xfrm_address_t *ipaddr,
__be16 sport)
{
struct net *net = xs_net(x);
--
2.11.0.483.g087da7b7c-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 2/4] xfrm_user: Allow common functions to be called from another file
2017-01-21 0:05 [PATCH 0/4] Make xfrm usable by 32-bit programs Kevin Cernekee
2017-01-21 0:05 ` [PATCH 1/4] xfrm: Constify xfrm_user arguments and xfrm_mgr callback APIs Kevin Cernekee
@ 2017-01-21 0:05 ` Kevin Cernekee
2017-01-21 0:05 ` [PATCH 3/4] xfrm_user: Initial commit of xfrm_user_legacy.c Kevin Cernekee
` (3 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: Kevin Cernekee @ 2017-01-21 0:05 UTC (permalink / raw)
To: steffen.klassert, herbert, davem, paul, sds, eparis
Cc: linux-kernel, netdev, selinux, fw, fan.du, dianders, dtor
xfrm_user_legacy.c will need to call a few common functions. Make
sure them have an "xfrm_" prefix, and declare them in a new xfrm_user.h
header.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
---
net/xfrm/xfrm_user.c | 147 +++++++++++++++++----------------------------------
net/xfrm/xfrm_user.h | 90 +++++++++++++++++++++++++++++++
2 files changed, 138 insertions(+), 99 deletions(-)
create mode 100644 net/xfrm/xfrm_user.h
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index ed389aad4994..4d733f02c3a1 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -32,6 +32,7 @@
#include <linux/in6.h>
#endif
#include <asm/unaligned.h>
+#include "xfrm_user.h"
static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type)
{
@@ -100,7 +101,7 @@ static void verify_one_addr(struct nlattr **attrs, enum xfrm_attr_type_t type,
*addrp = nla_data(rt);
}
-static inline int verify_sec_ctx_len(struct nlattr **attrs)
+int xfrm_verify_sec_ctx_len(struct nlattr **attrs)
{
struct nlattr *rt = attrs[XFRMA_SEC_CTX];
struct xfrm_user_sec_ctx *uctx;
@@ -148,8 +149,8 @@ static inline int verify_replay(const struct xfrm_usersa_info *p,
return 0;
}
-static int verify_newsa_info(const struct xfrm_usersa_info *p,
- struct nlattr **attrs)
+int xfrm_verify_newsa_info(const struct xfrm_usersa_info *p,
+ struct nlattr **attrs)
{
int err;
@@ -241,7 +242,7 @@ static int verify_newsa_info(const struct xfrm_usersa_info *p,
goto out;
if ((err = verify_one_alg(attrs, XFRMA_ALG_COMP)))
goto out;
- if ((err = verify_sec_ctx_len(attrs)))
+ if ((err = xfrm_verify_sec_ctx_len(attrs)))
goto out;
if ((err = verify_replay(p, attrs)))
goto out;
@@ -460,17 +461,6 @@ static int xfrm_alloc_replay_state_esn(
return 0;
}
-static inline int xfrm_user_sec_ctx_size(const struct xfrm_sec_ctx *xfrm_ctx)
-{
- int len = 0;
-
- if (xfrm_ctx) {
- len += sizeof(struct xfrm_user_sec_ctx);
- len += xfrm_ctx->ctx_len;
- }
- return len;
-}
-
static void copy_from_user_state(struct xfrm_state *x,
const struct xfrm_usersa_info *p)
{
@@ -537,10 +527,10 @@ static void xfrm_update_ae_params(struct xfrm_state *x,
x->replay_maxdiff = nla_get_u32(rt);
}
-static struct xfrm_state *xfrm_state_construct(struct net *net,
- const struct xfrm_usersa_info *p,
- struct nlattr **attrs,
- int *errp)
+struct xfrm_state *xfrm_state_construct(struct net *net,
+ const struct xfrm_usersa_info *p,
+ struct nlattr **attrs,
+ int *errp)
{
struct xfrm_state *x = xfrm_state_alloc(net);
int err = -ENOMEM;
@@ -634,7 +624,7 @@ static int xfrm_add_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
int err;
struct km_event c;
- err = verify_newsa_info(p, attrs);
+ err = xfrm_verify_newsa_info(p, attrs);
if (err)
return err;
@@ -666,10 +656,10 @@ static int xfrm_add_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
return err;
}
-static struct xfrm_state *xfrm_user_state_lookup(struct net *net,
- const struct xfrm_usersa_id *p,
- struct nlattr **attrs,
- int *errp)
+struct xfrm_state *xfrm_user_state_lookup(struct net *net,
+ const struct xfrm_usersa_id *p,
+ struct nlattr **attrs,
+ int *errp)
{
struct xfrm_state *x = NULL;
struct xfrm_mark m;
@@ -757,14 +747,7 @@ static void copy_to_user_state(const struct xfrm_state *x,
p->seq = x->km.seq;
}
-struct xfrm_dump_info {
- struct sk_buff *in_skb;
- struct sk_buff *out_skb;
- u32 nlmsg_seq;
- u16 nlmsg_flags;
-};
-
-static int copy_sec_ctx(const struct xfrm_sec_ctx *s, struct sk_buff *skb)
+int xfrm_copy_sec_ctx(const struct xfrm_sec_ctx *s, struct sk_buff *skb)
{
struct xfrm_user_sec_ctx *uctx;
struct nlattr *attr;
@@ -785,8 +768,8 @@ static int copy_sec_ctx(const struct xfrm_sec_ctx *s, struct sk_buff *skb)
return 0;
}
-static int copy_to_user_auth(const struct xfrm_algo_auth *auth,
- struct sk_buff *skb)
+int xfrm_copy_to_user_auth(const struct xfrm_algo_auth *auth,
+ struct sk_buff *skb)
{
struct xfrm_algo *algo;
struct nlattr *nla;
@@ -837,7 +820,7 @@ static int copy_to_user_state_extra(const struct xfrm_state *x,
goto out;
}
if (x->aalg) {
- ret = copy_to_user_auth(x->aalg, skb);
+ ret = xfrm_copy_to_user_auth(x->aalg, skb);
if (!ret)
ret = nla_put(skb, XFRMA_ALG_AUTH_TRUNC,
xfrm_alg_auth_len(x->aalg), x->aalg);
@@ -877,7 +860,7 @@ static int copy_to_user_state_extra(const struct xfrm_state *x,
if (ret)
goto out;
if (x->security)
- ret = copy_sec_ctx(x->security, skb);
+ ret = xfrm_copy_sec_ctx(x->security, skb);
out:
return ret;
}
@@ -992,8 +975,8 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
/* A wrapper for nlmsg_multicast() checking that nlsk is still available.
* Must be called with RCU read lock.
*/
-static inline int xfrm_nlmsg_multicast(struct net *net, struct sk_buff *skb,
- u32 pid, unsigned int group)
+int xfrm_nlmsg_multicast(struct net *net, struct sk_buff *skb,
+ u32 pid, unsigned int group)
{
struct sock *nlsk = rcu_dereference(net->xfrm.nlsk);
@@ -1270,7 +1253,7 @@ static int xfrm_alloc_userspi(struct sk_buff *skb, const struct nlmsghdr *nlh,
return err;
}
-static int verify_policy_dir(u8 dir)
+int xfrm_verify_policy_dir(u8 dir)
{
switch (dir) {
case XFRM_POLICY_IN:
@@ -1301,7 +1284,7 @@ static int verify_policy_type(u8 type)
return 0;
}
-static int verify_newpolicy_info(const struct xfrm_userpolicy_info *p)
+int xfrm_verify_newpolicy_info(const struct xfrm_userpolicy_info *p)
{
int ret;
@@ -1340,7 +1323,7 @@ static int verify_newpolicy_info(const struct xfrm_userpolicy_info *p)
return -EINVAL;
}
- ret = verify_policy_dir(p->dir);
+ ret = xfrm_verify_policy_dir(p->dir);
if (ret)
return ret;
if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir))
@@ -1440,7 +1423,7 @@ static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs)
return 0;
}
-static int copy_from_user_policy_type(u8 *tp, struct nlattr **attrs)
+int xfrm_copy_from_user_policy_type(u8 *tp, struct nlattr **attrs)
{
struct nlattr *rt = attrs[XFRMA_POLICY_TYPE];
struct xfrm_userpolicy_type *upt;
@@ -1490,11 +1473,10 @@ static void copy_to_user_policy(const struct xfrm_policy *xp,
p->share = XFRM_SHARE_ANY; /* XXX xp->share */
}
-static struct xfrm_policy *xfrm_policy_construct(
- struct net *net,
- const struct xfrm_userpolicy_info *p,
- struct nlattr **attrs,
- int *errp)
+struct xfrm_policy *xfrm_policy_construct(struct net *net,
+ const struct xfrm_userpolicy_info *p,
+ struct nlattr **attrs,
+ int *errp)
{
struct xfrm_policy *xp = xfrm_policy_alloc(net, GFP_KERNEL);
int err;
@@ -1506,7 +1488,7 @@ static struct xfrm_policy *xfrm_policy_construct(
copy_from_user_policy(xp, p);
- err = copy_from_user_policy_type(&xp->type, attrs);
+ err = xfrm_copy_from_user_policy_type(&xp->type, attrs);
if (err)
goto error;
@@ -1535,10 +1517,10 @@ static int xfrm_add_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
int err;
int excl;
- err = verify_newpolicy_info(p);
+ err = xfrm_verify_newpolicy_info(p);
if (err)
return err;
- err = verify_sec_ctx_len(attrs);
+ err = xfrm_verify_sec_ctx_len(attrs);
if (err)
return err;
@@ -1570,7 +1552,7 @@ static int xfrm_add_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
return 0;
}
-static int copy_to_user_tmpl(const struct xfrm_policy *xp, struct sk_buff *skb)
+int xfrm_copy_to_user_tmpl(const struct xfrm_policy *xp, struct sk_buff *skb)
{
struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
int i;
@@ -1599,22 +1581,6 @@ static int copy_to_user_tmpl(const struct xfrm_policy *xp, struct sk_buff *skb)
sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr, vec);
}
-static inline int copy_to_user_state_sec_ctx(const struct xfrm_state *x,
- struct sk_buff *skb)
-{
- if (x->security) {
- return copy_sec_ctx(x->security, skb);
- }
- return 0;
-}
-
-static inline int copy_to_user_sec_ctx(const struct xfrm_policy *xp,
- struct sk_buff *skb)
-{
- if (xp->security)
- return copy_sec_ctx(xp->security, skb);
- return 0;
-}
static inline size_t userpolicy_type_attrsize(void)
{
#ifdef CONFIG_XFRM_SUB_POLICY
@@ -1624,23 +1590,6 @@ static inline size_t userpolicy_type_attrsize(void)
#endif
}
-#ifdef CONFIG_XFRM_SUB_POLICY
-static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
-{
- struct xfrm_userpolicy_type upt = {
- .type = type,
- };
-
- return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
-}
-
-#else
-static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
-{
- return 0;
-}
-#endif
-
static int dump_one_policy(const struct xfrm_policy *xp,
int dir,
int count,
@@ -1660,7 +1609,7 @@ static int dump_one_policy(const struct xfrm_policy *xp,
p = nlmsg_data(nlh);
copy_to_user_policy(xp, p, dir);
- err = copy_to_user_tmpl(xp, skb);
+ err = xfrm_copy_to_user_tmpl(xp, skb);
if (!err)
err = copy_to_user_sec_ctx(xp, skb);
if (!err)
@@ -1751,11 +1700,11 @@ static int xfrm_get_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
p = nlmsg_data(nlh);
delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY;
- err = copy_from_user_policy_type(&type, attrs);
+ err = xfrm_copy_from_user_policy_type(&type, attrs);
if (err)
return err;
- err = verify_policy_dir(p->dir);
+ err = xfrm_verify_policy_dir(p->dir);
if (err)
return err;
@@ -1765,7 +1714,7 @@ static int xfrm_get_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr *rt = attrs[XFRMA_SEC_CTX];
struct xfrm_sec_ctx *ctx;
- err = verify_sec_ctx_len(attrs);
+ err = xfrm_verify_sec_ctx_len(attrs);
if (err)
return err;
@@ -2013,7 +1962,7 @@ static int xfrm_flush_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
u8 type = XFRM_POLICY_TYPE_MAIN;
int err;
- err = copy_from_user_policy_type(&type, attrs);
+ err = xfrm_copy_from_user_policy_type(&type, attrs);
if (err)
return err;
@@ -2045,11 +1994,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct xfrm_mark m;
u32 mark = xfrm_mark_get(attrs, &m);
- err = copy_from_user_policy_type(&type, attrs);
+ err = xfrm_copy_from_user_policy_type(&type, attrs);
if (err)
return err;
- err = verify_policy_dir(p->dir);
+ err = xfrm_verify_policy_dir(p->dir);
if (err)
return err;
@@ -2059,7 +2008,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr *rt = attrs[XFRMA_SEC_CTX];
struct xfrm_sec_ctx *ctx;
- err = verify_sec_ctx_len(attrs);
+ err = xfrm_verify_sec_ctx_len(attrs);
if (err)
return err;
@@ -2146,7 +2095,7 @@ static int xfrm_add_acquire(struct sk_buff *skb, const struct nlmsghdr *nlh,
xfrm_mark_get(attrs, &mark);
- err = verify_newpolicy_info(&ua->policy);
+ err = xfrm_verify_newpolicy_info(&ua->policy);
if (err)
goto free_state;
@@ -2245,7 +2194,7 @@ static int xfrm_do_migrate(struct sk_buff *skb, const struct nlmsghdr *nlh,
kmp = attrs[XFRMA_KMADDRESS] ? &km : NULL;
- err = copy_from_user_policy_type(&type, attrs);
+ err = xfrm_copy_from_user_policy_type(&type, attrs);
if (err)
return err;
@@ -2625,7 +2574,7 @@ static int xfrm_notify_sa_flush(const struct km_event *c)
return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA);
}
-static inline size_t xfrm_sa_len(const struct xfrm_state *x)
+size_t xfrm_sa_len(const struct xfrm_state *x)
{
size_t l = 0;
if (x->aead)
@@ -2777,7 +2726,7 @@ static int build_acquire(struct sk_buff *skb,
ua->calgos = xt->calgos;
ua->seq = x->km.seq = seq;
- err = copy_to_user_tmpl(xp, skb);
+ err = xfrm_copy_to_user_tmpl(xp, skb);
if (!err)
err = copy_to_user_state_sec_ctx(x, skb);
if (!err)
@@ -2846,7 +2795,7 @@ static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt,
*dir = -EINVAL;
if (len < sizeof(*p) ||
- verify_newpolicy_info(p))
+ xfrm_verify_newpolicy_info(p))
return NULL;
nr = ((len - sizeof(*p)) / sizeof(*ut));
@@ -2896,7 +2845,7 @@ static int build_polexpire(struct sk_buff *skb,
upe = nlmsg_data(nlh);
copy_to_user_policy(xp, &upe->pol, dir);
- err = copy_to_user_tmpl(xp, skb);
+ err = xfrm_copy_to_user_tmpl(xp, skb);
if (!err)
err = copy_to_user_sec_ctx(xp, skb);
if (!err)
@@ -2981,7 +2930,7 @@ static int xfrm_notify_policy(const struct xfrm_policy *xp,
}
copy_to_user_policy(xp, p, dir);
- err = copy_to_user_tmpl(xp, skb);
+ err = xfrm_copy_to_user_tmpl(xp, skb);
if (!err)
err = copy_to_user_policy_type(xp->type, skb);
if (!err)
diff --git a/net/xfrm/xfrm_user.h b/net/xfrm/xfrm_user.h
new file mode 100644
index 000000000000..29bab2ebee83
--- /dev/null
+++ b/net/xfrm/xfrm_user.h
@@ -0,0 +1,90 @@
+#ifndef _XFRM_USER_H
+#define _XFRM_USER_H
+
+#include <linux/netlink.h>
+#include <linux/skbuff.h>
+#include <linux/types.h>
+#include <linux/xfrm.h>
+#include <net/net_namespace.h>
+
+struct xfrm_dump_info {
+ struct sk_buff *in_skb;
+ struct sk_buff *out_skb;
+ u32 nlmsg_seq;
+ u16 nlmsg_flags;
+};
+
+/* Common functions */
+
+int xfrm_copy_sec_ctx(const struct xfrm_sec_ctx *s, struct sk_buff *skb);
+int xfrm_copy_to_user_auth(const struct xfrm_algo_auth *auth,
+ struct sk_buff *skb);
+int xfrm_verify_newpolicy_info(const struct xfrm_userpolicy_info *p);
+struct xfrm_policy *xfrm_policy_construct(struct net *net,
+ const struct xfrm_userpolicy_info *p,
+ struct nlattr **attrs,
+ int *errp);
+int xfrm_copy_from_user_policy_type(u8 *tp, struct nlattr **attrs);
+int xfrm_verify_policy_dir(u8 dir);
+int xfrm_verify_sec_ctx_len(struct nlattr **attrs);
+int xfrm_nlmsg_multicast(struct net *net, struct sk_buff *skb,
+ u32 pid, unsigned int group);
+int xfrm_copy_to_user_tmpl(const struct xfrm_policy *xp, struct sk_buff *skb);
+size_t xfrm_sa_len(const struct xfrm_state *x);
+int xfrm_verify_newsa_info(const struct xfrm_usersa_info *p,
+ struct nlattr **attrs);
+struct xfrm_state *xfrm_state_construct(struct net *net,
+ const struct xfrm_usersa_info *p,
+ struct nlattr **attrs,
+ int *errp);
+struct xfrm_state *xfrm_user_state_lookup(struct net *net,
+ const struct xfrm_usersa_id *p,
+ struct nlattr **attrs,
+ int *errp);
+
+#ifdef CONFIG_XFRM_SUB_POLICY
+static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
+{
+ struct xfrm_userpolicy_type upt = {
+ .type = type,
+ };
+
+ return nla_put(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
+}
+
+#else
+static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
+{
+ return 0;
+}
+#endif
+
+static inline int copy_to_user_sec_ctx(const struct xfrm_policy *xp,
+ struct sk_buff *skb)
+{
+ if (xp->security)
+ return xfrm_copy_sec_ctx(xp->security, skb);
+ return 0;
+}
+
+static inline int xfrm_user_sec_ctx_size(const struct xfrm_sec_ctx *xfrm_ctx)
+{
+ int len = 0;
+
+ if (xfrm_ctx) {
+ len += sizeof(struct xfrm_user_sec_ctx);
+ len += xfrm_ctx->ctx_len;
+ }
+ return len;
+}
+
+static inline int copy_to_user_state_sec_ctx(const struct xfrm_state *x,
+ struct sk_buff *skb)
+{
+ if (x->security) {
+ return xfrm_copy_sec_ctx(x->security, skb);
+ }
+ return 0;
+}
+
+#endif /* _XFRM_USER_H */
--
2.11.0.483.g087da7b7c-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 3/4] xfrm_user: Initial commit of xfrm_user_legacy.c
2017-01-21 0:05 [PATCH 0/4] Make xfrm usable by 32-bit programs Kevin Cernekee
2017-01-21 0:05 ` [PATCH 1/4] xfrm: Constify xfrm_user arguments and xfrm_mgr callback APIs Kevin Cernekee
2017-01-21 0:05 ` [PATCH 2/4] xfrm_user: Allow common functions to be called from another file Kevin Cernekee
@ 2017-01-21 0:05 ` Kevin Cernekee
2017-01-21 0:05 ` [PATCH 4/4] xfrm_user: Add new 32/64-agnostic netlink messages Kevin Cernekee
` (2 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: Kevin Cernekee @ 2017-01-21 0:05 UTC (permalink / raw)
To: steffen.klassert, herbert, davem, paul, sds, eparis
Cc: linux-kernel, netdev, selinux, fw, fan.du, dianders, dtor
Several xfrm_* structs are incompatible between 32bit and 64bit builds:
xfrm_usersa_info 220 bytes on i386 -> 224 bytes on amd64
xfrm_userpolicy_info 164 -> 168
xfrm_userspi_info 228 -> 232, offset mismatch on min
xfrm_user_acquire 276 -> 280, offset mismatch on aalgos
xfrm_user_expire 224 -> 232, offset mismatch on hard
xfrm_user_polexpire 168 -> 176, offset mismatch on hard
Fork all of the functions that handle these structs into a new file so
that it is possible to support both legacy + new layouts.
This commit contains an exact copy of the necessary functions from
xfrm_user.c, for ease of reviewing. The next commit will contain all
of the changes needed to make these functions handle legacy messages
correctly.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
---
net/xfrm/Kconfig | 14 +
net/xfrm/Makefile | 8 +-
net/xfrm/xfrm_user_legacy.c | 1091 +++++++++++++++++++++++++++++++++++++++++++
3 files changed, 1112 insertions(+), 1 deletion(-)
create mode 100644 net/xfrm/xfrm_user_legacy.c
diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig
index bda1a13628a8..317dcc411345 100644
--- a/net/xfrm/Kconfig
+++ b/net/xfrm/Kconfig
@@ -20,6 +20,20 @@ config XFRM_USER
If unsure, say Y.
+config XFRM_USER_LEGACY
+ tristate "Legacy transformation user configuration interface"
+ depends on XFRM_USER
+ default y
+ ---help---
+ The original Transformation(XFRM) netlink messages were not
+ compatible between 32-bit programs and 64-bit kernels, so they
+ have been deprecated. Enable this option if you have existing
+ binaries that rely on the old format messages. Disable this
+ option if you know that all users of the interface have been
+ built against recent kernel headers.
+
+ If unsure, say Y.
+
config XFRM_SUB_POLICY
bool "Transformation sub policy support"
depends on XFRM
diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile
index c0e961983f17..6cf6f8da3dc8 100644
--- a/net/xfrm/Makefile
+++ b/net/xfrm/Makefile
@@ -7,5 +7,11 @@ obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \
xfrm_sysctl.o xfrm_replay.o
obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o
obj-$(CONFIG_XFRM_ALGO) += xfrm_algo.o
-obj-$(CONFIG_XFRM_USER) += xfrm_user.o
+
+xfrm-user-objs := xfrm_user.o
+ifneq ($(CONFIG_XFRM_USER_LEGACY),)
+xfrm-user-objs += xfrm_user_legacy.o
+endif
+obj-$(CONFIG_XFRM_USER) += xfrm-user.o
+
obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o
diff --git a/net/xfrm/xfrm_user_legacy.c b/net/xfrm/xfrm_user_legacy.c
new file mode 100644
index 000000000000..058accfefc83
--- /dev/null
+++ b/net/xfrm/xfrm_user_legacy.c
@@ -0,0 +1,1091 @@
+/* xfrm_user.c: User interface to configure xfrm engine.
+ *
+ * Copyright (C) 2002 David S. Miller (davem@redhat.com)
+ *
+ * Changes:
+ * Mitsuru KANDA @USAGI
+ * Kazunori MIYAZAWA @USAGI
+ * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
+ * IPv6 support
+ *
+ */
+
+#include <linux/crypto.h>
+#include <linux/kernel.h>
+#include <linux/types.h>
+#include <linux/slab.h>
+#include <linux/socket.h>
+#include <linux/string.h>
+#include <linux/net.h>
+#include <linux/skbuff.h>
+#include <linux/pfkeyv2.h>
+#include <linux/ipsec.h>
+#include <linux/security.h>
+#include <net/sock.h>
+#include <net/xfrm.h>
+#include <net/netlink.h>
+#include <net/ah.h>
+#include <linux/uaccess.h>
+#include <asm/unaligned.h>
+#include "xfrm_user.h"
+
+static int xfrm_add_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+{
+ struct net *net = sock_net(skb->sk);
+ const struct xfrm_usersa_info *p = nlmsg_data(nlh);
+ struct xfrm_state *x;
+ int err;
+ struct km_event c;
+
+ err = xfrm_verify_newsa_info(p, attrs);
+ if (err)
+ return err;
+
+ x = xfrm_state_construct(net, p, attrs, &err);
+ if (!x)
+ return err;
+
+ xfrm_state_hold(x);
+ if (nlh->nlmsg_type == XFRM_MSG_NEWSA)
+ err = xfrm_state_add(x);
+ else
+ err = xfrm_state_update(x);
+
+ xfrm_audit_state_add(x, err ? 0 : 1, true);
+
+ if (err < 0) {
+ x->km.state = XFRM_STATE_DEAD;
+ __xfrm_state_put(x);
+ goto out;
+ }
+
+ c.seq = nlh->nlmsg_seq;
+ c.portid = nlh->nlmsg_pid;
+ c.event = nlh->nlmsg_type;
+
+ km_state_notify(x, &c);
+out:
+ xfrm_state_put(x);
+ return err;
+}
+
+static int xfrm_del_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+{
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_state *x;
+ int err = -ESRCH;
+ struct km_event c;
+ const struct xfrm_usersa_id *p = nlmsg_data(nlh);
+
+ x = xfrm_user_state_lookup(net, p, attrs, &err);
+ if (x == NULL)
+ return err;
+
+ if ((err = security_xfrm_state_delete(x)) != 0)
+ goto out;
+
+ if (xfrm_state_kern(x)) {
+ err = -EPERM;
+ goto out;
+ }
+
+ err = xfrm_state_delete(x);
+
+ if (err < 0)
+ goto out;
+
+ c.seq = nlh->nlmsg_seq;
+ c.portid = nlh->nlmsg_pid;
+ c.event = nlh->nlmsg_type;
+ km_state_notify(x, &c);
+
+out:
+ xfrm_audit_state_delete(x, err ? 0 : 1, true);
+ xfrm_state_put(x);
+ return err;
+}
+
+static void copy_to_user_state(const struct xfrm_state *x,
+ struct xfrm_usersa_info *p)
+{
+ memset(p, 0, sizeof(*p));
+ memcpy(&p->id, &x->id, sizeof(p->id));
+ memcpy(&p->sel, &x->sel, sizeof(p->sel));
+ memcpy(&p->lft, &x->lft, sizeof(p->lft));
+ memcpy(&p->curlft, &x->curlft, sizeof(p->curlft));
+ put_unaligned(x->stats.replay_window, &p->stats.replay_window);
+ put_unaligned(x->stats.replay, &p->stats.replay);
+ put_unaligned(x->stats.integrity_failed, &p->stats.integrity_failed);
+ memcpy(&p->saddr, &x->props.saddr, sizeof(p->saddr));
+ p->mode = x->props.mode;
+ p->replay_window = x->props.replay_window;
+ p->reqid = x->props.reqid;
+ p->family = x->props.family;
+ p->flags = x->props.flags;
+ p->seq = x->km.seq;
+}
+
+static int copy_to_user_state_extra(const struct xfrm_state *x,
+ struct xfrm_usersa_info *p,
+ struct sk_buff *skb)
+{
+ int ret = 0;
+
+ copy_to_user_state(x, p);
+
+ if (x->props.extra_flags) {
+ ret = nla_put_u32(skb, XFRMA_SA_EXTRA_FLAGS,
+ x->props.extra_flags);
+ if (ret)
+ goto out;
+ }
+
+ if (x->coaddr) {
+ ret = nla_put(skb, XFRMA_COADDR, sizeof(*x->coaddr), x->coaddr);
+ if (ret)
+ goto out;
+ }
+ if (x->lastused) {
+ ret = nla_put_u64_64bit(skb, XFRMA_LASTUSED, x->lastused,
+ XFRMA_PAD);
+ if (ret)
+ goto out;
+ }
+ if (x->aead) {
+ ret = nla_put(skb, XFRMA_ALG_AEAD, aead_len(x->aead), x->aead);
+ if (ret)
+ goto out;
+ }
+ if (x->aalg) {
+ ret = xfrm_copy_to_user_auth(x->aalg, skb);
+ if (!ret)
+ ret = nla_put(skb, XFRMA_ALG_AUTH_TRUNC,
+ xfrm_alg_auth_len(x->aalg), x->aalg);
+ if (ret)
+ goto out;
+ }
+ if (x->ealg) {
+ ret = nla_put(skb, XFRMA_ALG_CRYPT, xfrm_alg_len(x->ealg), x->ealg);
+ if (ret)
+ goto out;
+ }
+ if (x->calg) {
+ ret = nla_put(skb, XFRMA_ALG_COMP, sizeof(*(x->calg)), x->calg);
+ if (ret)
+ goto out;
+ }
+ if (x->encap) {
+ ret = nla_put(skb, XFRMA_ENCAP, sizeof(*x->encap), x->encap);
+ if (ret)
+ goto out;
+ }
+ if (x->tfcpad) {
+ ret = nla_put_u32(skb, XFRMA_TFCPAD, x->tfcpad);
+ if (ret)
+ goto out;
+ }
+ ret = xfrm_mark_put(skb, &x->mark);
+ if (ret)
+ goto out;
+ if (x->replay_esn)
+ ret = nla_put(skb, XFRMA_REPLAY_ESN_VAL,
+ xfrm_replay_state_esn_len(x->replay_esn),
+ x->replay_esn);
+ else
+ ret = nla_put(skb, XFRMA_REPLAY_VAL, sizeof(x->replay),
+ &x->replay);
+ if (ret)
+ goto out;
+ if (x->security)
+ ret = xfrm_copy_sec_ctx(x->security, skb);
+out:
+ return ret;
+}
+
+static int dump_one_state(const struct xfrm_state *x, int count, void *ptr)
+{
+ struct xfrm_dump_info *sp = ptr;
+ struct sk_buff *in_skb = sp->in_skb;
+ struct sk_buff *skb = sp->out_skb;
+ struct xfrm_usersa_info *p;
+ struct nlmsghdr *nlh;
+ int err;
+
+ nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, sp->nlmsg_seq,
+ XFRM_MSG_NEWSA, sizeof(*p), sp->nlmsg_flags);
+ if (nlh == NULL)
+ return -EMSGSIZE;
+
+ p = nlmsg_data(nlh);
+
+ err = copy_to_user_state_extra(x, p, skb);
+ if (err) {
+ nlmsg_cancel(skb, nlh);
+ return err;
+ }
+ nlmsg_end(skb, nlh);
+ return 0;
+}
+
+static int xfrm_dump_sa_done(struct netlink_callback *cb)
+{
+ struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1];
+ struct sock *sk = cb->skb->sk;
+ struct net *net = sock_net(sk);
+
+ if (cb->args[0])
+ xfrm_state_walk_done(walk, net);
+ return 0;
+}
+
+static const struct nla_policy xfrma_policy[XFRMA_MAX+1];
+static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
+{
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1];
+ struct xfrm_dump_info info;
+
+ BUILD_BUG_ON(sizeof(struct xfrm_state_walk) >
+ sizeof(cb->args) - sizeof(cb->args[0]));
+
+ info.in_skb = cb->skb;
+ info.out_skb = skb;
+ info.nlmsg_seq = cb->nlh->nlmsg_seq;
+ info.nlmsg_flags = NLM_F_MULTI;
+
+ if (!cb->args[0]) {
+ struct nlattr *attrs[XFRMA_MAX+1];
+ struct xfrm_address_filter *filter = NULL;
+ u8 proto = 0;
+ int err;
+
+ err = nlmsg_parse(cb->nlh, 0, attrs, XFRMA_MAX,
+ xfrma_policy);
+ if (err < 0)
+ return err;
+
+ if (attrs[XFRMA_ADDRESS_FILTER]) {
+ filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]),
+ sizeof(*filter), GFP_KERNEL);
+ if (filter == NULL)
+ return -ENOMEM;
+ }
+
+ if (attrs[XFRMA_PROTO])
+ proto = nla_get_u8(attrs[XFRMA_PROTO]);
+
+ xfrm_state_walk_init(walk, proto, filter);
+ cb->args[0] = 1;
+ }
+
+ (void) xfrm_state_walk(net, walk, dump_one_state, &info);
+
+ return skb->len;
+}
+
+static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
+ const struct xfrm_state *x,
+ u32 seq)
+{
+ struct xfrm_dump_info info;
+ struct sk_buff *skb;
+ int err;
+
+ skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
+ if (!skb)
+ return ERR_PTR(-ENOMEM);
+
+ info.in_skb = in_skb;
+ info.out_skb = skb;
+ info.nlmsg_seq = seq;
+ info.nlmsg_flags = 0;
+
+ err = dump_one_state(x, 0, &info);
+ if (err) {
+ kfree_skb(skb);
+ return ERR_PTR(err);
+ }
+
+ return skb;
+}
+
+static int xfrm_get_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+{
+ struct net *net = sock_net(skb->sk);
+ const struct xfrm_usersa_id *p = nlmsg_data(nlh);
+ struct xfrm_state *x;
+ struct sk_buff *resp_skb;
+ int err = -ESRCH;
+
+ x = xfrm_user_state_lookup(net, p, attrs, &err);
+ if (x == NULL)
+ goto out_noput;
+
+ resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq);
+ if (IS_ERR(resp_skb)) {
+ err = PTR_ERR(resp_skb);
+ } else {
+ err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).portid);
+ }
+ xfrm_state_put(x);
+out_noput:
+ return err;
+}
+
+static int xfrm_alloc_userspi(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+{
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_state *x;
+ const struct xfrm_userspi_info *p;
+ struct sk_buff *resp_skb;
+ const xfrm_address_t *daddr;
+ int family;
+ int err;
+ u32 mark;
+ struct xfrm_mark m;
+
+ p = nlmsg_data(nlh);
+ err = verify_spi_info(p->info.id.proto, p->min, p->max);
+ if (err)
+ goto out_noput;
+
+ family = p->info.family;
+ daddr = &p->info.id.daddr;
+
+ x = NULL;
+
+ mark = xfrm_mark_get(attrs, &m);
+ if (p->info.seq) {
+ x = xfrm_find_acq_byseq(net, mark, p->info.seq);
+ if (x && !xfrm_addr_equal(&x->id.daddr, daddr, family)) {
+ xfrm_state_put(x);
+ x = NULL;
+ }
+ }
+
+ if (!x)
+ x = xfrm_find_acq(net, &m, p->info.mode, p->info.reqid,
+ p->info.id.proto, daddr,
+ &p->info.saddr, 1,
+ family);
+ err = -ENOENT;
+ if (x == NULL)
+ goto out_noput;
+
+ err = xfrm_alloc_spi(x, p->min, p->max);
+ if (err)
+ goto out;
+
+ resp_skb = xfrm_state_netlink(skb, x, nlh->nlmsg_seq);
+ if (IS_ERR(resp_skb)) {
+ err = PTR_ERR(resp_skb);
+ goto out;
+ }
+
+ err = nlmsg_unicast(net->xfrm.nlsk, resp_skb, NETLINK_CB(skb).portid);
+
+out:
+ xfrm_state_put(x);
+out_noput:
+ return err;
+}
+
+static void copy_to_user_policy(const struct xfrm_policy *xp,
+ struct xfrm_userpolicy_info *p,
+ int dir)
+{
+ memset(p, 0, sizeof(*p));
+ memcpy(&p->sel, &xp->selector, sizeof(p->sel));
+ memcpy(&p->lft, &xp->lft, sizeof(p->lft));
+ memcpy(&p->curlft, &xp->curlft, sizeof(p->curlft));
+ p->priority = xp->priority;
+ p->index = xp->index;
+ p->sel.family = xp->family;
+ p->dir = dir;
+ p->action = xp->action;
+ p->flags = xp->flags;
+ p->share = XFRM_SHARE_ANY; /* XXX xp->share */
+}
+
+static int xfrm_add_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+{
+ struct net *net = sock_net(skb->sk);
+ const struct xfrm_userpolicy_info *p = nlmsg_data(nlh);
+ struct xfrm_policy *xp;
+ struct km_event c;
+ int err;
+ int excl;
+
+ err = xfrm_verify_newpolicy_info(p);
+ if (err)
+ return err;
+ err = xfrm_verify_sec_ctx_len(attrs);
+ if (err)
+ return err;
+
+ xp = xfrm_policy_construct(net, p, attrs, &err);
+ if (!xp)
+ return err;
+
+ /* shouldn't excl be based on nlh flags??
+ * Aha! this is anti-netlink really i.e more pfkey derived
+ * in netlink excl is a flag and you wouldnt need
+ * a type XFRM_MSG_UPDPOLICY - JHS */
+ excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
+ err = xfrm_policy_insert(p->dir, xp, excl);
+ xfrm_audit_policy_add(xp, err ? 0 : 1, true);
+
+ if (err) {
+ security_xfrm_policy_free(xp->security);
+ kfree(xp);
+ return err;
+ }
+
+ c.event = nlh->nlmsg_type;
+ c.seq = nlh->nlmsg_seq;
+ c.portid = nlh->nlmsg_pid;
+ km_policy_notify(xp, p->dir, &c);
+
+ xfrm_pol_put(xp);
+
+ return 0;
+}
+
+static inline size_t userpolicy_type_attrsize(void)
+{
+#ifdef CONFIG_XFRM_SUB_POLICY
+ return nla_total_size(sizeof(struct xfrm_userpolicy_type));
+#else
+ return 0;
+#endif
+}
+
+static int dump_one_policy(const struct xfrm_policy *xp,
+ int dir,
+ int count,
+ void *ptr)
+{
+ struct xfrm_dump_info *sp = ptr;
+ struct xfrm_userpolicy_info *p;
+ struct sk_buff *in_skb = sp->in_skb;
+ struct sk_buff *skb = sp->out_skb;
+ struct nlmsghdr *nlh;
+ int err;
+
+ nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, sp->nlmsg_seq,
+ XFRM_MSG_NEWPOLICY, sizeof(*p), sp->nlmsg_flags);
+ if (nlh == NULL)
+ return -EMSGSIZE;
+
+ p = nlmsg_data(nlh);
+ copy_to_user_policy(xp, p, dir);
+ err = xfrm_copy_to_user_tmpl(xp, skb);
+ if (!err)
+ err = copy_to_user_sec_ctx(xp, skb);
+ if (!err)
+ err = copy_to_user_policy_type(xp->type, skb);
+ if (!err)
+ err = xfrm_mark_put(skb, &xp->mark);
+ if (err) {
+ nlmsg_cancel(skb, nlh);
+ return err;
+ }
+ nlmsg_end(skb, nlh);
+ return 0;
+}
+
+static int xfrm_dump_policy_done(struct netlink_callback *cb)
+{
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+ struct net *net = sock_net(cb->skb->sk);
+
+ xfrm_policy_walk_done(walk, net);
+ return 0;
+}
+
+static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
+{
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+ struct xfrm_dump_info info;
+
+ BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >
+ sizeof(cb->args) - sizeof(cb->args[0]));
+
+ info.in_skb = cb->skb;
+ info.out_skb = skb;
+ info.nlmsg_seq = cb->nlh->nlmsg_seq;
+ info.nlmsg_flags = NLM_F_MULTI;
+
+ if (!cb->args[0]) {
+ cb->args[0] = 1;
+ xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
+ }
+
+ (void) xfrm_policy_walk(net, walk, dump_one_policy, &info);
+
+ return skb->len;
+}
+
+static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
+ const struct xfrm_policy *xp,
+ int dir,
+ u32 seq)
+{
+ struct xfrm_dump_info info;
+ struct sk_buff *skb;
+ int err;
+
+ skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ if (!skb)
+ return ERR_PTR(-ENOMEM);
+
+ info.in_skb = in_skb;
+ info.out_skb = skb;
+ info.nlmsg_seq = seq;
+ info.nlmsg_flags = 0;
+
+ err = dump_one_policy(xp, dir, 0, &info);
+ if (err) {
+ kfree_skb(skb);
+ return ERR_PTR(err);
+ }
+
+ return skb;
+}
+
+static int xfrm_get_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+{
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_policy *xp;
+ const struct xfrm_userpolicy_id *p;
+ u8 type = XFRM_POLICY_TYPE_MAIN;
+ int err;
+ struct km_event c;
+ int delete;
+ struct xfrm_mark m;
+ u32 mark = xfrm_mark_get(attrs, &m);
+
+ p = nlmsg_data(nlh);
+ delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY;
+
+ err = xfrm_copy_from_user_policy_type(&type, attrs);
+ if (err)
+ return err;
+
+ err = xfrm_verify_policy_dir(p->dir);
+ if (err)
+ return err;
+
+ if (p->index)
+ xp = xfrm_policy_byid(net, mark, type, p->dir, p->index, delete, &err);
+ else {
+ struct nlattr *rt = attrs[XFRMA_SEC_CTX];
+ struct xfrm_sec_ctx *ctx;
+
+ err = xfrm_verify_sec_ctx_len(attrs);
+ if (err)
+ return err;
+
+ ctx = NULL;
+ if (rt) {
+ struct xfrm_user_sec_ctx *uctx = nla_data(rt);
+
+ err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL);
+ if (err)
+ return err;
+ }
+ xp = xfrm_policy_bysel_ctx(net, mark, type, p->dir, &p->sel,
+ ctx, delete, &err);
+ security_xfrm_policy_free(ctx);
+ }
+ if (xp == NULL)
+ return -ENOENT;
+
+ if (!delete) {
+ struct sk_buff *resp_skb;
+
+ resp_skb = xfrm_policy_netlink(skb, xp, p->dir, nlh->nlmsg_seq);
+ if (IS_ERR(resp_skb)) {
+ err = PTR_ERR(resp_skb);
+ } else {
+ err = nlmsg_unicast(net->xfrm.nlsk, resp_skb,
+ NETLINK_CB(skb).portid);
+ }
+ } else {
+ xfrm_audit_policy_delete(xp, err ? 0 : 1, true);
+
+ if (err != 0)
+ goto out;
+
+ c.data.byid = p->index;
+ c.event = nlh->nlmsg_type;
+ c.seq = nlh->nlmsg_seq;
+ c.portid = nlh->nlmsg_pid;
+ km_policy_notify(xp, p->dir, &c);
+ }
+
+out:
+ xfrm_pol_put(xp);
+ if (delete && err == 0)
+ xfrm_garbage_collect(net);
+ return err;
+}
+
+static int xfrm_add_pol_expire(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+{
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_policy *xp;
+ const struct xfrm_user_polexpire *up = nlmsg_data(nlh);
+ const struct xfrm_userpolicy_info *p = &up->pol;
+ u8 type = XFRM_POLICY_TYPE_MAIN;
+ int err = -ENOENT;
+ struct xfrm_mark m;
+ u32 mark = xfrm_mark_get(attrs, &m);
+
+ err = xfrm_copy_from_user_policy_type(&type, attrs);
+ if (err)
+ return err;
+
+ err = xfrm_verify_policy_dir(p->dir);
+ if (err)
+ return err;
+
+ if (p->index)
+ xp = xfrm_policy_byid(net, mark, type, p->dir, p->index, 0, &err);
+ else {
+ struct nlattr *rt = attrs[XFRMA_SEC_CTX];
+ struct xfrm_sec_ctx *ctx;
+
+ err = xfrm_verify_sec_ctx_len(attrs);
+ if (err)
+ return err;
+
+ ctx = NULL;
+ if (rt) {
+ struct xfrm_user_sec_ctx *uctx = nla_data(rt);
+
+ err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL);
+ if (err)
+ return err;
+ }
+ xp = xfrm_policy_bysel_ctx(net, mark, type, p->dir,
+ &p->sel, ctx, 0, &err);
+ security_xfrm_policy_free(ctx);
+ }
+ if (xp == NULL)
+ return -ENOENT;
+
+ if (unlikely(xp->walk.dead))
+ goto out;
+
+ err = 0;
+ if (up->hard) {
+ xfrm_policy_delete(xp, p->dir);
+ xfrm_audit_policy_delete(xp, 1, true);
+ }
+ km_policy_expired(xp, p->dir, up->hard, nlh->nlmsg_pid);
+
+out:
+ xfrm_pol_put(xp);
+ return err;
+}
+
+static int xfrm_add_sa_expire(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+{
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_state *x;
+ int err;
+ const struct xfrm_user_expire *ue = nlmsg_data(nlh);
+ const struct xfrm_usersa_info *p = &ue->state;
+ struct xfrm_mark m;
+ u32 mark = xfrm_mark_get(attrs, &m);
+
+ x = xfrm_state_lookup(net, mark, &p->id.daddr, p->id.spi, p->id.proto, p->family);
+
+ err = -ENOENT;
+ if (x == NULL)
+ return err;
+
+ spin_lock_bh(&x->lock);
+ err = -EINVAL;
+ if (x->km.state != XFRM_STATE_VALID)
+ goto out;
+ km_state_expired(x, ue->hard, nlh->nlmsg_pid);
+
+ if (ue->hard) {
+ __xfrm_state_delete(x);
+ xfrm_audit_state_delete(x, 1, true);
+ }
+ err = 0;
+out:
+ spin_unlock_bh(&x->lock);
+ xfrm_state_put(x);
+ return err;
+}
+
+static int xfrm_add_acquire(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+{
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_policy *xp;
+ struct xfrm_user_tmpl *ut;
+ int i;
+ struct nlattr *rt = attrs[XFRMA_TMPL];
+ struct xfrm_mark mark;
+
+ const struct xfrm_user_acquire *ua = nlmsg_data(nlh);
+ struct xfrm_state *x = xfrm_state_alloc(net);
+ int err = -ENOMEM;
+
+ if (!x)
+ goto nomem;
+
+ xfrm_mark_get(attrs, &mark);
+
+ err = xfrm_verify_newpolicy_info(&ua->policy);
+ if (err)
+ goto free_state;
+
+ /* build an XP */
+ xp = xfrm_policy_construct(net, &ua->policy, attrs, &err);
+ if (!xp)
+ goto free_state;
+
+ memcpy(&x->id, &ua->id, sizeof(ua->id));
+ memcpy(&x->props.saddr, &ua->saddr, sizeof(ua->saddr));
+ memcpy(&x->sel, &ua->sel, sizeof(ua->sel));
+ xp->mark.m = x->mark.m = mark.m;
+ xp->mark.v = x->mark.v = mark.v;
+ ut = nla_data(rt);
+ /* extract the templates and for each call km_key */
+ for (i = 0; i < xp->xfrm_nr; i++, ut++) {
+ struct xfrm_tmpl *t = &xp->xfrm_vec[i];
+ memcpy(&x->id, &t->id, sizeof(x->id));
+ x->props.mode = t->mode;
+ x->props.reqid = t->reqid;
+ x->props.family = ut->family;
+ t->aalgos = ua->aalgos;
+ t->ealgos = ua->ealgos;
+ t->calgos = ua->calgos;
+ err = km_query(x, t, xp);
+
+ }
+
+ kfree(x);
+ kfree(xp);
+
+ return 0;
+
+free_state:
+ kfree(x);
+nomem:
+ return err;
+}
+
+static inline size_t xfrm_expire_msgsize(void)
+{
+ return NLMSG_ALIGN(sizeof(struct xfrm_user_expire))
+ + nla_total_size(sizeof(struct xfrm_mark));
+}
+
+static int build_expire(struct sk_buff *skb,
+ const struct xfrm_state *x,
+ const struct km_event *c)
+{
+ struct xfrm_user_expire *ue;
+ struct nlmsghdr *nlh;
+ int err;
+
+ nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_EXPIRE, sizeof(*ue), 0);
+ if (nlh == NULL)
+ return -EMSGSIZE;
+
+ ue = nlmsg_data(nlh);
+ copy_to_user_state(x, &ue->state);
+ ue->hard = (c->data.hard != 0) ? 1 : 0;
+
+ err = xfrm_mark_put(skb, &x->mark);
+ if (err)
+ return err;
+
+ nlmsg_end(skb, nlh);
+ return 0;
+}
+
+static int xfrm_exp_state_notify(const struct xfrm_state *x,
+ const struct km_event *c)
+{
+ struct net *net = xs_net(x);
+ struct sk_buff *skb;
+
+ skb = nlmsg_new(xfrm_expire_msgsize(), GFP_ATOMIC);
+ if (skb == NULL)
+ return -ENOMEM;
+
+ if (build_expire(skb, x, c) < 0) {
+ kfree_skb(skb);
+ return -EMSGSIZE;
+ }
+
+ return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE);
+}
+
+static int xfrm_notify_sa(const struct xfrm_state *x, const struct km_event *c)
+{
+ struct net *net = xs_net(x);
+ struct xfrm_usersa_info *p;
+ struct xfrm_usersa_id *id;
+ struct nlmsghdr *nlh;
+ struct sk_buff *skb;
+ int len = xfrm_sa_len(x);
+ int headlen, err;
+
+ headlen = sizeof(*p);
+ if (c->event == XFRM_MSG_DELSA) {
+ len += nla_total_size(headlen);
+ headlen = sizeof(*id);
+ len += nla_total_size(sizeof(struct xfrm_mark));
+ }
+ len += NLMSG_ALIGN(headlen);
+
+ skb = nlmsg_new(len, GFP_ATOMIC);
+ if (skb == NULL)
+ return -ENOMEM;
+
+ nlh = nlmsg_put(skb, c->portid, c->seq, c->event, headlen, 0);
+ err = -EMSGSIZE;
+ if (nlh == NULL)
+ goto out_free_skb;
+
+ p = nlmsg_data(nlh);
+ if (c->event == XFRM_MSG_DELSA) {
+ struct nlattr *attr;
+
+ id = nlmsg_data(nlh);
+ memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr));
+ id->spi = x->id.spi;
+ id->family = x->props.family;
+ id->proto = x->id.proto;
+
+ attr = nla_reserve(skb, XFRMA_SA, sizeof(*p));
+ err = -EMSGSIZE;
+ if (attr == NULL)
+ goto out_free_skb;
+
+ p = nla_data(attr);
+ }
+ err = copy_to_user_state_extra(x, p, skb);
+ if (err)
+ goto out_free_skb;
+
+ nlmsg_end(skb, nlh);
+
+ return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA);
+
+out_free_skb:
+ kfree_skb(skb);
+ return err;
+}
+
+static inline size_t xfrm_acquire_msgsize(const struct xfrm_state *x,
+ const struct xfrm_policy *xp)
+{
+ return NLMSG_ALIGN(sizeof(struct xfrm_user_acquire))
+ + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr)
+ + nla_total_size(sizeof(struct xfrm_mark))
+ + nla_total_size(xfrm_user_sec_ctx_size(x->security))
+ + userpolicy_type_attrsize();
+}
+
+static int build_acquire(struct sk_buff *skb,
+ struct xfrm_state *x,
+ const struct xfrm_tmpl *xt,
+ const struct xfrm_policy *xp)
+{
+ __u32 seq = xfrm_get_acqseq();
+ struct xfrm_user_acquire *ua;
+ struct nlmsghdr *nlh;
+ int err;
+
+ nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_ACQUIRE, sizeof(*ua), 0);
+ if (nlh == NULL)
+ return -EMSGSIZE;
+
+ ua = nlmsg_data(nlh);
+ memcpy(&ua->id, &x->id, sizeof(ua->id));
+ memcpy(&ua->saddr, &x->props.saddr, sizeof(ua->saddr));
+ memcpy(&ua->sel, &x->sel, sizeof(ua->sel));
+ copy_to_user_policy(xp, &ua->policy, XFRM_POLICY_OUT);
+ ua->aalgos = xt->aalgos;
+ ua->ealgos = xt->ealgos;
+ ua->calgos = xt->calgos;
+ ua->seq = x->km.seq = seq;
+
+ err = xfrm_copy_to_user_tmpl(xp, skb);
+ if (!err)
+ err = copy_to_user_state_sec_ctx(x, skb);
+ if (!err)
+ err = copy_to_user_policy_type(xp->type, skb);
+ if (!err)
+ err = xfrm_mark_put(skb, &xp->mark);
+ if (err) {
+ nlmsg_cancel(skb, nlh);
+ return err;
+ }
+
+ nlmsg_end(skb, nlh);
+ return 0;
+}
+
+static int xfrm_send_acquire(struct xfrm_state *x,
+ const struct xfrm_tmpl *xt,
+ const struct xfrm_policy *xp)
+{
+ struct net *net = xs_net(x);
+ struct sk_buff *skb;
+
+ skb = nlmsg_new(xfrm_acquire_msgsize(x, xp), GFP_ATOMIC);
+ if (skb == NULL)
+ return -ENOMEM;
+
+ if (build_acquire(skb, x, xt, xp) < 0)
+ BUG();
+
+ return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_ACQUIRE);
+}
+
+static inline size_t xfrm_polexpire_msgsize(const struct xfrm_policy *xp)
+{
+ return NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire))
+ + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr)
+ + nla_total_size(xfrm_user_sec_ctx_size(xp->security))
+ + nla_total_size(sizeof(struct xfrm_mark))
+ + userpolicy_type_attrsize();
+}
+
+static int build_polexpire(struct sk_buff *skb,
+ const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c)
+{
+ struct xfrm_user_polexpire *upe;
+ int hard = c->data.hard;
+ struct nlmsghdr *nlh;
+ int err;
+
+ nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_POLEXPIRE, sizeof(*upe), 0);
+ if (nlh == NULL)
+ return -EMSGSIZE;
+
+ upe = nlmsg_data(nlh);
+ copy_to_user_policy(xp, &upe->pol, dir);
+ err = xfrm_copy_to_user_tmpl(xp, skb);
+ if (!err)
+ err = copy_to_user_sec_ctx(xp, skb);
+ if (!err)
+ err = copy_to_user_policy_type(xp->type, skb);
+ if (!err)
+ err = xfrm_mark_put(skb, &xp->mark);
+ if (err) {
+ nlmsg_cancel(skb, nlh);
+ return err;
+ }
+ upe->hard = !!hard;
+
+ nlmsg_end(skb, nlh);
+ return 0;
+}
+
+static int xfrm_exp_policy_notify(const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c)
+{
+ struct net *net = xp_net(xp);
+ struct sk_buff *skb;
+
+ skb = nlmsg_new(xfrm_polexpire_msgsize(xp), GFP_ATOMIC);
+ if (skb == NULL)
+ return -ENOMEM;
+
+ if (build_polexpire(skb, xp, dir, c) < 0)
+ BUG();
+
+ return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE);
+}
+
+static int xfrm_notify_policy(const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c)
+{
+ int len = nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr);
+ struct net *net = xp_net(xp);
+ struct xfrm_userpolicy_info *p;
+ struct xfrm_userpolicy_id *id;
+ struct nlmsghdr *nlh;
+ struct sk_buff *skb;
+ int headlen, err;
+
+ headlen = sizeof(*p);
+ if (c->event == XFRM_MSG_DELPOLICY) {
+ len += nla_total_size(headlen);
+ headlen = sizeof(*id);
+ }
+ len += userpolicy_type_attrsize();
+ len += nla_total_size(sizeof(struct xfrm_mark));
+ len += NLMSG_ALIGN(headlen);
+
+ skb = nlmsg_new(len, GFP_ATOMIC);
+ if (skb == NULL)
+ return -ENOMEM;
+
+ nlh = nlmsg_put(skb, c->portid, c->seq, c->event, headlen, 0);
+ err = -EMSGSIZE;
+ if (nlh == NULL)
+ goto out_free_skb;
+
+ p = nlmsg_data(nlh);
+ if (c->event == XFRM_MSG_DELPOLICY) {
+ struct nlattr *attr;
+
+ id = nlmsg_data(nlh);
+ memset(id, 0, sizeof(*id));
+ id->dir = dir;
+ if (c->data.byid)
+ id->index = xp->index;
+ else
+ memcpy(&id->sel, &xp->selector, sizeof(id->sel));
+
+ attr = nla_reserve(skb, XFRMA_POLICY, sizeof(*p));
+ err = -EMSGSIZE;
+ if (attr == NULL)
+ goto out_free_skb;
+
+ p = nla_data(attr);
+ }
+
+ copy_to_user_policy(xp, p, dir);
+ err = xfrm_copy_to_user_tmpl(xp, skb);
+ if (!err)
+ err = copy_to_user_policy_type(xp->type, skb);
+ if (!err)
+ err = xfrm_mark_put(skb, &xp->mark);
+ if (err)
+ goto out_free_skb;
+
+ nlmsg_end(skb, nlh);
+
+ return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY);
+
+out_free_skb:
+ kfree_skb(skb);
+ return err;
+}
--
2.11.0.483.g087da7b7c-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 4/4] xfrm_user: Add new 32/64-agnostic netlink messages
2017-01-21 0:05 [PATCH 0/4] Make xfrm usable by 32-bit programs Kevin Cernekee
` (2 preceding siblings ...)
2017-01-21 0:05 ` [PATCH 3/4] xfrm_user: Initial commit of xfrm_user_legacy.c Kevin Cernekee
@ 2017-01-21 0:05 ` Kevin Cernekee
2017-01-21 8:21 ` kbuild test robot
2017-01-23 9:35 ` [PATCH 0/4] Make xfrm usable by 32-bit programs Steffen Klassert
2017-01-23 16:45 ` David Laight
5 siblings, 1 reply; 10+ messages in thread
From: Kevin Cernekee @ 2017-01-21 0:05 UTC (permalink / raw)
To: steffen.klassert, herbert, davem, paul, sds, eparis
Cc: linux-kernel, netdev, selinux, fw, fan.du, dianders, dtor
Add several new message types to address longstanding 32-bit/64-bit
compatibility issues. Use xfrm_user_legacy to handle the existing
message types, which will retain the old IDs for compatibility with
existing binaries.
For user->kernel messages, the nlmsg_type will determine whether to use
the old format or the new format (for both requests and replies). For
kernel->user multicasts, both types will be sent.
setsockopt() will deduce the format from the length.
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
---
include/uapi/linux/xfrm.h | 152 ++++++++++++++++++++++++++++++---------
net/xfrm/xfrm_user.c | 136 ++++++++++++++++++++++++++++++++---
net/xfrm/xfrm_user.h | 75 ++++++++++++++++++++
net/xfrm/xfrm_user_legacy.c | 169 ++++++++++++++++++++++++++++----------------
security/selinux/nlmsgtab.c | 61 +++++++++-------
5 files changed, 466 insertions(+), 127 deletions(-)
diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
index 1fc62b239f1b..ae5f97681989 100644
--- a/include/uapi/linux/xfrm.h
+++ b/include/uapi/linux/xfrm.h
@@ -1,6 +1,7 @@
#ifndef _LINUX_XFRM_H
#define _LINUX_XFRM_H
+#include <linux/compiler.h>
#include <linux/in6.h>
#include <linux/types.h>
@@ -157,34 +158,34 @@ enum {
enum {
XFRM_MSG_BASE = 0x10,
- XFRM_MSG_NEWSA = 0x10,
-#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
- XFRM_MSG_DELSA,
-#define XFRM_MSG_DELSA XFRM_MSG_DELSA
- XFRM_MSG_GETSA,
-#define XFRM_MSG_GETSA XFRM_MSG_GETSA
-
- XFRM_MSG_NEWPOLICY,
-#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
- XFRM_MSG_DELPOLICY,
-#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
- XFRM_MSG_GETPOLICY,
-#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY
-
- XFRM_MSG_ALLOCSPI,
-#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
- XFRM_MSG_ACQUIRE,
-#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
- XFRM_MSG_EXPIRE,
-#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE
-
- XFRM_MSG_UPDPOLICY,
-#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
- XFRM_MSG_UPDSA,
-#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
-
- XFRM_MSG_POLEXPIRE,
-#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
+ XFRM_MSG_NEWSA_LEGACY = 0x10,
+#define XFRM_MSG_NEWSA_LEGACY XFRM_MSG_NEWSA_LEGACY
+ XFRM_MSG_DELSA_LEGACY,
+#define XFRM_MSG_DELSA_LEGACY XFRM_MSG_DELSA_LEGACY
+ XFRM_MSG_GETSA_LEGACY,
+#define XFRM_MSG_GETSA_LEGACY XFRM_MSG_GETSA_LEGACY
+
+ XFRM_MSG_NEWPOLICY_LEGACY,
+#define XFRM_MSG_NEWPOLICY_LEGACY XFRM_MSG_NEWPOLICY_LEGACY
+ XFRM_MSG_DELPOLICY_LEGACY,
+#define XFRM_MSG_DELPOLICY_LEGACY XFRM_MSG_DELPOLICY_LEGACY
+ XFRM_MSG_GETPOLICY_LEGACY,
+#define XFRM_MSG_GETPOLICY_LEGACY XFRM_MSG_GETPOLICY_LEGACY
+
+ XFRM_MSG_ALLOCSPI_LEGACY,
+#define XFRM_MSG_ALLOCSPI_LEGACY XFRM_MSG_ALLOCSPI_LEGACY
+ XFRM_MSG_ACQUIRE_LEGACY,
+#define XFRM_MSG_ACQUIRE_LEGACY XFRM_MSG_ACQUIRE_LEGACY
+ XFRM_MSG_EXPIRE_LEGACY,
+#define XFRM_MSG_EXPIRE_LEGACY XFRM_MSG_EXPIRE_LEGACY
+
+ XFRM_MSG_UPDPOLICY_LEGACY,
+#define XFRM_MSG_UPDPOLICY_LEGACY XFRM_MSG_UPDPOLICY_LEGACY
+ XFRM_MSG_UPDSA_LEGACY,
+#define XFRM_MSG_UPDSA_LEGACY XFRM_MSG_UPDSA_LEGACY
+
+ XFRM_MSG_POLEXPIRE_LEGACY,
+#define XFRM_MSG_POLEXPIRE_LEGACY XFRM_MSG_POLEXPIRE_LEGACY
XFRM_MSG_FLUSHSA,
#define XFRM_MSG_FLUSHSA XFRM_MSG_FLUSHSA
@@ -214,6 +215,34 @@ enum {
XFRM_MSG_MAPPING,
#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
+
+ XFRM_MSG_ALLOCSPI,
+#define XFRM_MSG_ALLOCSPI XFRM_MSG_ALLOCSPI
+ XFRM_MSG_ACQUIRE,
+#define XFRM_MSG_ACQUIRE XFRM_MSG_ACQUIRE
+ XFRM_MSG_EXPIRE,
+#define XFRM_MSG_EXPIRE XFRM_MSG_EXPIRE
+ XFRM_MSG_POLEXPIRE,
+#define XFRM_MSG_POLEXPIRE XFRM_MSG_POLEXPIRE
+
+ XFRM_MSG_NEWSA,
+#define XFRM_MSG_NEWSA XFRM_MSG_NEWSA
+ XFRM_MSG_UPDSA,
+#define XFRM_MSG_UPDSA XFRM_MSG_UPDSA
+ XFRM_MSG_DELSA,
+#define XFRM_MSG_DELSA XFRM_MSG_DELSA
+ XFRM_MSG_GETSA,
+#define XFRM_MSG_GETSA XFRM_MSG_GETSA
+
+ XFRM_MSG_NEWPOLICY,
+#define XFRM_MSG_NEWPOLICY XFRM_MSG_NEWPOLICY
+ XFRM_MSG_UPDPOLICY,
+#define XFRM_MSG_UPDPOLICY XFRM_MSG_UPDPOLICY
+ XFRM_MSG_DELPOLICY,
+#define XFRM_MSG_DELPOLICY XFRM_MSG_DELPOLICY
+ XFRM_MSG_GETPOLICY,
+#define XFRM_MSG_GETPOLICY XFRM_MSG_GETPOLICY
+
__XFRM_MSG_MAX
};
#define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
@@ -221,7 +250,7 @@ enum {
#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)
/*
- * Generic LSM security context for comunicating to user space
+ * Generic LSM security context for communicating to user space
* NOTE: Same format as sadb_x_sec_ctx
*/
struct xfrm_user_sec_ctx {
@@ -357,6 +386,22 @@ struct xfrmu_spdhthresh {
__u8 rbits;
};
+/* Legacy structs are incompatible between 32-bit and 64-bit. */
+struct xfrm_usersa_info_legacy {
+ struct xfrm_selector sel;
+ struct xfrm_id id;
+ xfrm_address_t saddr;
+ struct xfrm_lifetime_cfg lft;
+ struct xfrm_lifetime_cur curlft;
+ struct xfrm_stats stats;
+ __u32 seq;
+ __u32 reqid;
+ __u16 family;
+ __u8 mode; /* XFRM_MODE_xxx */
+ __u8 replay_window;
+ __u8 flags;
+};
+
struct xfrm_usersa_info {
struct xfrm_selector sel;
struct xfrm_id id;
@@ -378,7 +423,8 @@ struct xfrm_usersa_info {
#define XFRM_STATE_AF_UNSPEC 32
#define XFRM_STATE_ALIGN4 64
#define XFRM_STATE_ESN 128
-};
+ __u8 reserved[7];
+} __packed;
#define XFRM_SA_XFLAG_DONT_ENCAP_DSCP 1
@@ -396,10 +442,28 @@ struct xfrm_aevent_id {
__u32 reqid;
};
+struct xfrm_userspi_info_legacy {
+ struct xfrm_usersa_info_legacy info;
+ __u32 min;
+ __u32 max;
+};
+
struct xfrm_userspi_info {
struct xfrm_usersa_info info;
__u32 min;
__u32 max;
+} __packed;
+
+struct xfrm_userpolicy_info_legacy {
+ struct xfrm_selector sel;
+ struct xfrm_lifetime_cfg lft;
+ struct xfrm_lifetime_cur curlft;
+ __u32 priority;
+ __u32 index;
+ __u8 dir;
+ __u8 action;
+ __u8 flags;
+ __u8 share;
};
struct xfrm_userpolicy_info {
@@ -417,7 +481,8 @@ struct xfrm_userpolicy_info {
/* Automatically expand selector to include matching ICMP payloads. */
#define XFRM_POLICY_ICMP 2
__u8 share;
-};
+ __u8 reserved[4];
+} __packed;
struct xfrm_userpolicy_id {
struct xfrm_selector sel;
@@ -425,6 +490,17 @@ struct xfrm_userpolicy_id {
__u8 dir;
};
+struct xfrm_user_acquire_legacy {
+ struct xfrm_id id;
+ xfrm_address_t saddr;
+ struct xfrm_selector sel;
+ struct xfrm_userpolicy_info_legacy policy;
+ __u32 aalgos;
+ __u32 ealgos;
+ __u32 calgos;
+ __u32 seq;
+};
+
struct xfrm_user_acquire {
struct xfrm_id id;
xfrm_address_t saddr;
@@ -434,17 +510,29 @@ struct xfrm_user_acquire {
__u32 ealgos;
__u32 calgos;
__u32 seq;
+} __packed;
+
+struct xfrm_user_expire_legacy {
+ struct xfrm_usersa_info_legacy state;
+ __u8 hard;
};
struct xfrm_user_expire {
struct xfrm_usersa_info state;
__u8 hard;
+ __u8 reserved[7];
+} __packed;
+
+struct xfrm_user_polexpire_legacy {
+ struct xfrm_userpolicy_info_legacy pol;
+ __u8 hard;
};
struct xfrm_user_polexpire {
struct xfrm_userpolicy_info pol;
__u8 hard;
-};
+ __u8 reserved[7];
+} __packed;
struct xfrm_usersa_flush {
__u8 proto;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 4d733f02c3a1..5456dde974bc 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2350,6 +2350,32 @@ static const int xfrm_msg_min[XFRM_NR_MSGTYPES] = {
[XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32),
[XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
[XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
+
+ [XFRM_MSG_ALLOCSPI_LEGACY - XFRM_MSG_BASE] =
+ XMSGSIZE(xfrm_userspi_info_legacy),
+ [XFRM_MSG_ACQUIRE_LEGACY - XFRM_MSG_BASE] =
+ XMSGSIZE(xfrm_user_acquire_legacy),
+ [XFRM_MSG_EXPIRE_LEGACY - XFRM_MSG_BASE] =
+ XMSGSIZE(xfrm_user_expire_legacy),
+ [XFRM_MSG_POLEXPIRE_LEGACY - XFRM_MSG_BASE] =
+ XMSGSIZE(xfrm_user_polexpire_legacy),
+
+ [XFRM_MSG_NEWSA_LEGACY - XFRM_MSG_BASE] =
+ XMSGSIZE(xfrm_usersa_info_legacy),
+ [XFRM_MSG_UPDSA_LEGACY - XFRM_MSG_BASE] =
+ XMSGSIZE(xfrm_usersa_info_legacy),
+ [XFRM_MSG_DELSA_LEGACY - XFRM_MSG_BASE] =
+ XMSGSIZE(xfrm_usersa_id),
+ [XFRM_MSG_GETSA_LEGACY - XFRM_MSG_BASE] =
+ XMSGSIZE(xfrm_usersa_id),
+ [XFRM_MSG_NEWPOLICY_LEGACY - XFRM_MSG_BASE] =
+ XMSGSIZE(xfrm_userpolicy_info_legacy),
+ [XFRM_MSG_UPDPOLICY_LEGACY - XFRM_MSG_BASE] =
+ XMSGSIZE(xfrm_userpolicy_info_legacy),
+ [XFRM_MSG_DELPOLICY_LEGACY - XFRM_MSG_BASE] =
+ XMSGSIZE(xfrm_userpolicy_id),
+ [XFRM_MSG_GETPOLICY_LEGACY - XFRM_MSG_BASE] =
+ XMSGSIZE(xfrm_userpolicy_id),
};
#undef XMSGSIZE
@@ -2396,6 +2422,7 @@ static const struct xfrm_link {
int (*done)(struct netlink_callback *);
const struct nla_policy *nla_pol;
int nla_max;
+ bool legacy;
} xfrm_dispatch[XFRM_NR_MSGTYPES] = {
[XFRM_MSG_NEWSA - XFRM_MSG_BASE] = { .doit = xfrm_add_sa },
[XFRM_MSG_DELSA - XFRM_MSG_BASE] = { .doit = xfrm_del_sa },
@@ -2423,6 +2450,62 @@ static const struct xfrm_link {
.nla_pol = xfrma_spd_policy,
.nla_max = XFRMA_SPD_MAX },
[XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_spdinfo },
+
+#ifdef CONFIG_XFRM_USER_LEGACY
+ [XFRM_MSG_ALLOCSPI_LEGACY - XFRM_MSG_BASE] = {
+ .doit = xfrm_alloc_userspi_legacy,
+ .legacy = true,
+ },
+ [XFRM_MSG_ACQUIRE_LEGACY - XFRM_MSG_BASE] = {
+ .doit = xfrm_add_acquire_legacy,
+ .legacy = true,
+ },
+ [XFRM_MSG_EXPIRE_LEGACY - XFRM_MSG_BASE] = {
+ .doit = xfrm_add_sa_expire_legacy,
+ .legacy = true,
+ },
+ [XFRM_MSG_POLEXPIRE_LEGACY - XFRM_MSG_BASE] = {
+ .doit = xfrm_add_pol_expire_legacy,
+ .legacy = true,
+ },
+
+ [XFRM_MSG_NEWSA_LEGACY - XFRM_MSG_BASE] = {
+ .doit = xfrm_add_sa_legacy,
+ .legacy = true,
+ },
+ [XFRM_MSG_UPDSA_LEGACY - XFRM_MSG_BASE] = {
+ .doit = xfrm_add_sa_legacy,
+ .legacy = true,
+ },
+ [XFRM_MSG_DELSA_LEGACY - XFRM_MSG_BASE] = {
+ .doit = xfrm_del_sa_legacy,
+ .legacy = true,
+ },
+ [XFRM_MSG_GETSA_LEGACY - XFRM_MSG_BASE] = {
+ .doit = xfrm_get_sa_legacy,
+ .dump = xfrm_dump_sa_legacy,
+ .done = xfrm_dump_sa_done_legacy,
+ .legacy = true,
+ },
+ [XFRM_MSG_NEWPOLICY_LEGACY - XFRM_MSG_BASE] = {
+ .doit = xfrm_add_policy_legacy,
+ .legacy = true,
+ },
+ [XFRM_MSG_UPDPOLICY_LEGACY - XFRM_MSG_BASE] = {
+ .doit = xfrm_add_policy_legacy,
+ .legacy = true,
+ },
+ [XFRM_MSG_DELPOLICY_LEGACY - XFRM_MSG_BASE] = {
+ .doit = xfrm_get_policy_legacy,
+ .legacy = true,
+ },
+ [XFRM_MSG_GETPOLICY_LEGACY - XFRM_MSG_BASE] = {
+ .doit = xfrm_get_policy_legacy,
+ .dump = xfrm_dump_policy_legacy,
+ .done = xfrm_dump_policy_done_legacy,
+ .legacy = true,
+ },
+#endif /* CONFIG_XFRM_USER_LEGACY */
};
static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
@@ -2432,11 +2515,6 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
const struct xfrm_link *link;
int type, err;
-#ifdef CONFIG_COMPAT
- if (in_compat_syscall())
- return -EOPNOTSUPP;
-#endif
-
type = nlh->nlmsg_type;
if (type > XFRM_MSG_MAX)
return -EINVAL;
@@ -2444,12 +2522,19 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
type -= XFRM_MSG_BASE;
link = &xfrm_dispatch[type];
+#ifdef CONFIG_COMPAT
+ if (link->legacy && in_compat_syscall())
+ return -EOPNOTSUPP;
+#endif
+
/* All operations require privileges, even GET */
if (!netlink_net_capable(skb, CAP_NET_ADMIN))
return -EPERM;
if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||
- type == (XFRM_MSG_GETPOLICY - XFRM_MSG_BASE)) &&
+ type == (XFRM_MSG_GETPOLICY - XFRM_MSG_BASE) ||
+ type == (XFRM_MSG_GETSA_LEGACY - XFRM_MSG_BASE) ||
+ type == (XFRM_MSG_GETPOLICY_LEGACY - XFRM_MSG_BASE)) &&
(nlh->nlmsg_flags & NLM_F_DUMP)) {
if (link->dump == NULL)
return -EINVAL;
@@ -2670,16 +2755,23 @@ static int xfrm_notify_sa(const struct xfrm_state *x, const struct km_event *c)
static int xfrm_send_state_notify(const struct xfrm_state *x,
const struct km_event *c)
{
+ int err;
switch (c->event) {
case XFRM_MSG_EXPIRE:
- return xfrm_exp_state_notify(x, c);
+ err = xfrm_exp_state_notify(x, c);
+ if (err)
+ return err;
+ return xfrm_exp_state_notify_legacy(x, c);
case XFRM_MSG_NEWAE:
return xfrm_aevent_state_notify(x, c);
case XFRM_MSG_DELSA:
case XFRM_MSG_UPDSA:
case XFRM_MSG_NEWSA:
- return xfrm_notify_sa(x, c);
+ err = xfrm_notify_sa(x, c);
+ if (err)
+ return err;
+ return xfrm_notify_sa_legacy(x, c);
case XFRM_MSG_FLUSHSA:
return xfrm_notify_sa_flush(c);
default:
@@ -2748,6 +2840,7 @@ static int xfrm_send_acquire(struct xfrm_state *x,
{
struct net *net = xs_net(x);
struct sk_buff *skb;
+ int err;
skb = nlmsg_new(xfrm_acquire_msgsize(x, xp), GFP_ATOMIC);
if (skb == NULL)
@@ -2756,7 +2849,11 @@ static int xfrm_send_acquire(struct xfrm_state *x,
if (build_acquire(skb, x, xt, xp) < 0)
BUG();
- return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_ACQUIRE);
+ err = xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_ACQUIRE);
+ if (err)
+ return err;
+
+ return xfrm_send_acquire_legacy(x, xt, xp);
}
/* User gives us xfrm_user_policy_info followed by an array of 0
@@ -2799,6 +2896,16 @@ static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt,
return NULL;
nr = ((len - sizeof(*p)) / sizeof(*ut));
+ if (len == (nr + 1) * sizeof(*ut) + sizeof(*p) - sizeof(u32)) {
+ /* The user passed a legacy xfrm_userpolicy_info struct whose
+ * length is padded to 32 bits instead of 64, so the above
+ * division had a remainder. Adjust the start address and
+ * count accordingly.
+ */
+ ut = (void *)data + sizeof(*p) - sizeof(u32);
+ nr++;
+ }
+
if (validate_tmpl(nr, ut, p->sel.family))
return NULL;
@@ -2979,16 +3086,23 @@ static int xfrm_send_policy_notify(const struct xfrm_policy *xp,
int dir,
const struct km_event *c)
{
+ int err;
switch (c->event) {
case XFRM_MSG_NEWPOLICY:
case XFRM_MSG_UPDPOLICY:
case XFRM_MSG_DELPOLICY:
- return xfrm_notify_policy(xp, dir, c);
+ err = xfrm_notify_policy(xp, dir, c);
+ if (err)
+ return err;
+ return xfrm_notify_policy_legacy(xp, dir, c);
case XFRM_MSG_FLUSHPOLICY:
return xfrm_notify_policy_flush(c);
case XFRM_MSG_POLEXPIRE:
- return xfrm_exp_policy_notify(xp, dir, c);
+ err = xfrm_exp_policy_notify(xp, dir, c);
+ if (err)
+ return err;
+ return xfrm_exp_policy_notify_legacy(xp, dir, c);
default:
printk(KERN_NOTICE "xfrm_user: Unknown Policy event %d\n",
c->event);
diff --git a/net/xfrm/xfrm_user.h b/net/xfrm/xfrm_user.h
index 29bab2ebee83..78627d1c1cec 100644
--- a/net/xfrm/xfrm_user.h
+++ b/net/xfrm/xfrm_user.h
@@ -1,6 +1,7 @@
#ifndef _XFRM_USER_H
#define _XFRM_USER_H
+#include <linux/errno.h>
#include <linux/netlink.h>
#include <linux/skbuff.h>
#include <linux/types.h>
@@ -87,4 +88,78 @@ static inline int copy_to_user_state_sec_ctx(const struct xfrm_state *x,
return 0;
}
+/* Legacy functions */
+
+#ifdef CONFIG_XFRM_USER_LEGACY
+int xfrm_alloc_userspi_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs);
+int xfrm_add_pol_expire_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs);
+int xfrm_add_sa_expire_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs);
+int xfrm_add_acquire_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs);
+
+int xfrm_add_sa_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs);
+int xfrm_del_sa_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs);
+int xfrm_dump_sa_done_legacy(struct netlink_callback *cb);
+int xfrm_dump_sa_legacy(struct sk_buff *skb, struct netlink_callback *cb);
+int xfrm_get_sa_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs);
+int xfrm_add_policy_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs);
+int xfrm_dump_policy_done_legacy(struct netlink_callback *cb);
+int xfrm_dump_policy_legacy(struct sk_buff *skb, struct netlink_callback *cb);
+int xfrm_get_policy_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+ struct nlattr **attrs);
+
+int xfrm_exp_state_notify_legacy(const struct xfrm_state *x,
+ const struct km_event *c);
+int xfrm_notify_sa_legacy(const struct xfrm_state *x, const struct km_event *c);
+int xfrm_send_acquire_legacy(struct xfrm_state *x,
+ const struct xfrm_tmpl *xt,
+ const struct xfrm_policy *xp);
+int xfrm_exp_policy_notify_legacy(const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c);
+int xfrm_notify_policy_legacy(const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c);
+#else /* CONFIG_XFRM_USER_LEGACY */
+static inline int xfrm_exp_state_notify_legacy(const struct xfrm_state *x,
+ const struct km_event *c)
+{
+ return 0;
+}
+
+static inline int xfrm_notify_sa_legacy(const struct xfrm_state *x,
+ const struct km_event *c)
+{
+ return 0;
+}
+
+static inline int xfrm_send_acquire_legacy(struct xfrm_state *x,
+ const struct xfrm_tmpl *xt,
+ const struct xfrm_policy *xp)
+{
+ return 0;
+}
+
+static inline int xfrm_exp_policy_notify_legacy(const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c)
+{
+ return 0;
+}
+
+static inline int xfrm_notify_policy_legacy(const struct xfrm_policy *xp,
+ int dir,
+ const struct km_event *c)
+{
+ return 0;
+}
+#endif /* CONFIG_XFRM_USER_LEGACY */
+
#endif /* _XFRM_USER_H */
diff --git a/net/xfrm/xfrm_user_legacy.c b/net/xfrm/xfrm_user_legacy.c
index 058accfefc83..aa48845b47fa 100644
--- a/net/xfrm/xfrm_user_legacy.c
+++ b/net/xfrm/xfrm_user_legacy.c
@@ -29,28 +29,33 @@
#include <asm/unaligned.h>
#include "xfrm_user.h"
-static int xfrm_add_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
+int xfrm_add_sa_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
- const struct xfrm_usersa_info *p = nlmsg_data(nlh);
+ const struct xfrm_usersa_info_legacy *p = nlmsg_data(nlh);
struct xfrm_state *x;
int err;
struct km_event c;
- err = xfrm_verify_newsa_info(p, attrs);
+ /* This cast is safe because the only difference is end padding. */
+ err = xfrm_verify_newsa_info((const struct xfrm_usersa_info *)p, attrs);
if (err)
return err;
- x = xfrm_state_construct(net, p, attrs, &err);
+ x = xfrm_state_construct(net, (const struct xfrm_usersa_info *)p,
+ attrs, &err);
if (!x)
return err;
xfrm_state_hold(x);
- if (nlh->nlmsg_type == XFRM_MSG_NEWSA)
+ if (nlh->nlmsg_type == XFRM_MSG_NEWSA_LEGACY) {
err = xfrm_state_add(x);
- else
+ c.event = XFRM_MSG_NEWSA;
+ } else {
err = xfrm_state_update(x);
+ c.event = XFRM_MSG_UPDSA;
+ }
xfrm_audit_state_add(x, err ? 0 : 1, true);
@@ -62,7 +67,6 @@ static int xfrm_add_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
c.seq = nlh->nlmsg_seq;
c.portid = nlh->nlmsg_pid;
- c.event = nlh->nlmsg_type;
km_state_notify(x, &c);
out:
@@ -70,7 +74,7 @@ static int xfrm_add_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
return err;
}
-static int xfrm_del_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
+int xfrm_del_sa_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
@@ -98,7 +102,7 @@ static int xfrm_del_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
c.seq = nlh->nlmsg_seq;
c.portid = nlh->nlmsg_pid;
- c.event = nlh->nlmsg_type;
+ c.event = XFRM_MSG_DELSA;
km_state_notify(x, &c);
out:
@@ -108,7 +112,7 @@ static int xfrm_del_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
}
static void copy_to_user_state(const struct xfrm_state *x,
- struct xfrm_usersa_info *p)
+ struct xfrm_usersa_info_legacy *p)
{
memset(p, 0, sizeof(*p));
memcpy(&p->id, &x->id, sizeof(p->id));
@@ -128,7 +132,7 @@ static void copy_to_user_state(const struct xfrm_state *x,
}
static int copy_to_user_state_extra(const struct xfrm_state *x,
- struct xfrm_usersa_info *p,
+ struct xfrm_usersa_info_legacy *p,
struct sk_buff *skb)
{
int ret = 0;
@@ -209,12 +213,12 @@ static int dump_one_state(const struct xfrm_state *x, int count, void *ptr)
struct xfrm_dump_info *sp = ptr;
struct sk_buff *in_skb = sp->in_skb;
struct sk_buff *skb = sp->out_skb;
- struct xfrm_usersa_info *p;
+ struct xfrm_usersa_info_legacy *p;
struct nlmsghdr *nlh;
int err;
nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, sp->nlmsg_seq,
- XFRM_MSG_NEWSA, sizeof(*p), sp->nlmsg_flags);
+ XFRM_MSG_NEWSA_LEGACY, sizeof(*p), sp->nlmsg_flags);
if (nlh == NULL)
return -EMSGSIZE;
@@ -229,7 +233,7 @@ static int dump_one_state(const struct xfrm_state *x, int count, void *ptr)
return 0;
}
-static int xfrm_dump_sa_done(struct netlink_callback *cb)
+int xfrm_dump_sa_done_legacy(struct netlink_callback *cb)
{
struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1];
struct sock *sk = cb->skb->sk;
@@ -241,7 +245,7 @@ static int xfrm_dump_sa_done(struct netlink_callback *cb)
}
static const struct nla_policy xfrma_policy[XFRMA_MAX+1];
-static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
+int xfrm_dump_sa_legacy(struct sk_buff *skb, struct netlink_callback *cb)
{
struct net *net = sock_net(skb->sk);
struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1];
@@ -311,7 +315,7 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
return skb;
}
-static int xfrm_get_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
+int xfrm_get_sa_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
@@ -335,12 +339,12 @@ static int xfrm_get_sa(struct sk_buff *skb, const struct nlmsghdr *nlh,
return err;
}
-static int xfrm_alloc_userspi(struct sk_buff *skb, const struct nlmsghdr *nlh,
+int xfrm_alloc_userspi_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct xfrm_state *x;
- const struct xfrm_userspi_info *p;
+ const struct xfrm_userspi_info_legacy *p;
struct sk_buff *resp_skb;
const xfrm_address_t *daddr;
int family;
@@ -395,7 +399,7 @@ static int xfrm_alloc_userspi(struct sk_buff *skb, const struct nlmsghdr *nlh,
}
static void copy_to_user_policy(const struct xfrm_policy *xp,
- struct xfrm_userpolicy_info *p,
+ struct xfrm_userpolicy_info_legacy *p,
int dir)
{
memset(p, 0, sizeof(*p));
@@ -411,24 +415,27 @@ static void copy_to_user_policy(const struct xfrm_policy *xp,
p->share = XFRM_SHARE_ANY; /* XXX xp->share */
}
-static int xfrm_add_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+int xfrm_add_policy_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
- const struct xfrm_userpolicy_info *p = nlmsg_data(nlh);
+ const struct xfrm_userpolicy_info_legacy *p = nlmsg_data(nlh);
struct xfrm_policy *xp;
struct km_event c;
int err;
int excl;
- err = xfrm_verify_newpolicy_info(p);
+ /* This cast is safe because the only difference is end padding. */
+ err = xfrm_verify_newpolicy_info(
+ (const struct xfrm_userpolicy_info *)p);
if (err)
return err;
err = xfrm_verify_sec_ctx_len(attrs);
if (err)
return err;
- xp = xfrm_policy_construct(net, p, attrs, &err);
+ xp = xfrm_policy_construct(net, (const struct xfrm_userpolicy_info *)p,
+ attrs, &err);
if (!xp)
return err;
@@ -436,7 +443,13 @@ static int xfrm_add_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
* Aha! this is anti-netlink really i.e more pfkey derived
* in netlink excl is a flag and you wouldnt need
* a type XFRM_MSG_UPDPOLICY - JHS */
- excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
+ if (nlh->nlmsg_type == XFRM_MSG_NEWPOLICY_LEGACY) {
+ excl = 1;
+ c.event = XFRM_MSG_NEWPOLICY;
+ } else {
+ excl = 0;
+ c.event = XFRM_MSG_UPDPOLICY;
+ }
err = xfrm_policy_insert(p->dir, xp, excl);
xfrm_audit_policy_add(xp, err ? 0 : 1, true);
@@ -446,7 +459,6 @@ static int xfrm_add_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
return err;
}
- c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq;
c.portid = nlh->nlmsg_pid;
km_policy_notify(xp, p->dir, &c);
@@ -471,14 +483,14 @@ static int dump_one_policy(const struct xfrm_policy *xp,
void *ptr)
{
struct xfrm_dump_info *sp = ptr;
- struct xfrm_userpolicy_info *p;
+ struct xfrm_userpolicy_info_legacy *p;
struct sk_buff *in_skb = sp->in_skb;
struct sk_buff *skb = sp->out_skb;
struct nlmsghdr *nlh;
int err;
nlh = nlmsg_put(skb, NETLINK_CB(in_skb).portid, sp->nlmsg_seq,
- XFRM_MSG_NEWPOLICY, sizeof(*p), sp->nlmsg_flags);
+ XFRM_MSG_NEWPOLICY_LEGACY, sizeof(*p), sp->nlmsg_flags);
if (nlh == NULL)
return -EMSGSIZE;
@@ -499,7 +511,7 @@ static int dump_one_policy(const struct xfrm_policy *xp,
return 0;
}
-static int xfrm_dump_policy_done(struct netlink_callback *cb)
+int xfrm_dump_policy_done_legacy(struct netlink_callback *cb)
{
struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
struct net *net = sock_net(cb->skb->sk);
@@ -508,7 +520,7 @@ static int xfrm_dump_policy_done(struct netlink_callback *cb)
return 0;
}
-static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
+int xfrm_dump_policy_legacy(struct sk_buff *skb, struct netlink_callback *cb)
{
struct net *net = sock_net(skb->sk);
struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
@@ -559,7 +571,7 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
return skb;
}
-static int xfrm_get_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
+int xfrm_get_policy_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
@@ -573,7 +585,13 @@ static int xfrm_get_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
u32 mark = xfrm_mark_get(attrs, &m);
p = nlmsg_data(nlh);
- delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY;
+ if (nlh->nlmsg_type == XFRM_MSG_DELPOLICY_LEGACY) {
+ delete = 1;
+ c.event = XFRM_MSG_DELPOLICY;
+ } else {
+ delete = 0;
+ c.event = XFRM_MSG_GETPOLICY;
+ }
err = xfrm_copy_from_user_policy_type(&type, attrs);
if (err)
@@ -625,7 +643,6 @@ static int xfrm_get_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
goto out;
c.data.byid = p->index;
- c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq;
c.portid = nlh->nlmsg_pid;
km_policy_notify(xp, p->dir, &c);
@@ -638,13 +655,13 @@ static int xfrm_get_policy(struct sk_buff *skb, const struct nlmsghdr *nlh,
return err;
}
-static int xfrm_add_pol_expire(struct sk_buff *skb, const struct nlmsghdr *nlh,
+int xfrm_add_pol_expire_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct xfrm_policy *xp;
- const struct xfrm_user_polexpire *up = nlmsg_data(nlh);
- const struct xfrm_userpolicy_info *p = &up->pol;
+ const struct xfrm_user_polexpire_legacy *up = nlmsg_data(nlh);
+ const struct xfrm_userpolicy_info_legacy *p = &up->pol;
u8 type = XFRM_POLICY_TYPE_MAIN;
int err = -ENOENT;
struct xfrm_mark m;
@@ -698,14 +715,14 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, const struct nlmsghdr *nlh,
return err;
}
-static int xfrm_add_sa_expire(struct sk_buff *skb, const struct nlmsghdr *nlh,
+int xfrm_add_sa_expire_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
struct xfrm_state *x;
int err;
- const struct xfrm_user_expire *ue = nlmsg_data(nlh);
- const struct xfrm_usersa_info *p = &ue->state;
+ const struct xfrm_user_expire_legacy *ue = nlmsg_data(nlh);
+ const struct xfrm_usersa_info_legacy *p = &ue->state;
struct xfrm_mark m;
u32 mark = xfrm_mark_get(attrs, &m);
@@ -732,7 +749,7 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, const struct nlmsghdr *nlh,
return err;
}
-static int xfrm_add_acquire(struct sk_buff *skb, const struct nlmsghdr *nlh,
+int xfrm_add_acquire_legacy(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr **attrs)
{
struct net *net = sock_net(skb->sk);
@@ -742,7 +759,7 @@ static int xfrm_add_acquire(struct sk_buff *skb, const struct nlmsghdr *nlh,
struct nlattr *rt = attrs[XFRMA_TMPL];
struct xfrm_mark mark;
- const struct xfrm_user_acquire *ua = nlmsg_data(nlh);
+ const struct xfrm_user_acquire_legacy *ua = nlmsg_data(nlh);
struct xfrm_state *x = xfrm_state_alloc(net);
int err = -ENOMEM;
@@ -751,12 +768,15 @@ static int xfrm_add_acquire(struct sk_buff *skb, const struct nlmsghdr *nlh,
xfrm_mark_get(attrs, &mark);
- err = xfrm_verify_newpolicy_info(&ua->policy);
+ /* This cast is safe because the only difference is end padding. */
+ err = xfrm_verify_newpolicy_info(
+ (const struct xfrm_userpolicy_info *)&ua->policy);
if (err)
goto free_state;
/* build an XP */
- xp = xfrm_policy_construct(net, &ua->policy, attrs, &err);
+ xp = xfrm_policy_construct(net, (const struct xfrm_userpolicy_info *)
+ &ua->policy, attrs, &err);
if (!xp)
goto free_state;
@@ -793,7 +813,7 @@ static int xfrm_add_acquire(struct sk_buff *skb, const struct nlmsghdr *nlh,
static inline size_t xfrm_expire_msgsize(void)
{
- return NLMSG_ALIGN(sizeof(struct xfrm_user_expire))
+ return NLMSG_ALIGN(sizeof(struct xfrm_user_expire_legacy))
+ nla_total_size(sizeof(struct xfrm_mark));
}
@@ -801,11 +821,12 @@ static int build_expire(struct sk_buff *skb,
const struct xfrm_state *x,
const struct km_event *c)
{
- struct xfrm_user_expire *ue;
+ struct xfrm_user_expire_legacy *ue;
struct nlmsghdr *nlh;
int err;
- nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_EXPIRE, sizeof(*ue), 0);
+ nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_EXPIRE_LEGACY,
+ sizeof(*ue), 0);
if (nlh == NULL)
return -EMSGSIZE;
@@ -821,7 +842,7 @@ static int build_expire(struct sk_buff *skb,
return 0;
}
-static int xfrm_exp_state_notify(const struct xfrm_state *x,
+int xfrm_exp_state_notify_legacy(const struct xfrm_state *x,
const struct km_event *c)
{
struct net *net = xs_net(x);
@@ -839,15 +860,16 @@ static int xfrm_exp_state_notify(const struct xfrm_state *x,
return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE);
}
-static int xfrm_notify_sa(const struct xfrm_state *x, const struct km_event *c)
+int xfrm_notify_sa_legacy(const struct xfrm_state *x, const struct km_event *c)
{
struct net *net = xs_net(x);
- struct xfrm_usersa_info *p;
+ struct xfrm_usersa_info_legacy *p;
struct xfrm_usersa_id *id;
struct nlmsghdr *nlh;
struct sk_buff *skb;
int len = xfrm_sa_len(x);
int headlen, err;
+ u32 event = 0;
headlen = sizeof(*p);
if (c->event == XFRM_MSG_DELSA) {
@@ -861,7 +883,19 @@ static int xfrm_notify_sa(const struct xfrm_state *x, const struct km_event *c)
if (skb == NULL)
return -ENOMEM;
- nlh = nlmsg_put(skb, c->portid, c->seq, c->event, headlen, 0);
+ switch (c->event) {
+ case XFRM_MSG_NEWSA:
+ event = XFRM_MSG_NEWSA_LEGACY;
+ break;
+ case XFRM_MSG_UPDSA:
+ event = XFRM_MSG_UPDSA_LEGACY;
+ break;
+ case XFRM_MSG_DELSA:
+ event = XFRM_MSG_DELSA_LEGACY;
+ break;
+ }
+
+ nlh = nlmsg_put(skb, c->portid, c->seq, event, headlen, 0);
err = -EMSGSIZE;
if (nlh == NULL)
goto out_free_skb;
@@ -899,7 +933,7 @@ static int xfrm_notify_sa(const struct xfrm_state *x, const struct km_event *c)
static inline size_t xfrm_acquire_msgsize(const struct xfrm_state *x,
const struct xfrm_policy *xp)
{
- return NLMSG_ALIGN(sizeof(struct xfrm_user_acquire))
+ return NLMSG_ALIGN(sizeof(struct xfrm_user_acquire_legacy))
+ nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr)
+ nla_total_size(sizeof(struct xfrm_mark))
+ nla_total_size(xfrm_user_sec_ctx_size(x->security))
@@ -912,11 +946,11 @@ static int build_acquire(struct sk_buff *skb,
const struct xfrm_policy *xp)
{
__u32 seq = xfrm_get_acqseq();
- struct xfrm_user_acquire *ua;
+ struct xfrm_user_acquire_legacy *ua;
struct nlmsghdr *nlh;
int err;
- nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_ACQUIRE, sizeof(*ua), 0);
+ nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_ACQUIRE_LEGACY, sizeof(*ua), 0);
if (nlh == NULL)
return -EMSGSIZE;
@@ -946,7 +980,7 @@ static int build_acquire(struct sk_buff *skb,
return 0;
}
-static int xfrm_send_acquire(struct xfrm_state *x,
+int xfrm_send_acquire_legacy(struct xfrm_state *x,
const struct xfrm_tmpl *xt,
const struct xfrm_policy *xp)
{
@@ -965,7 +999,7 @@ static int xfrm_send_acquire(struct xfrm_state *x,
static inline size_t xfrm_polexpire_msgsize(const struct xfrm_policy *xp)
{
- return NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire))
+ return NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire_legacy))
+ nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr)
+ nla_total_size(xfrm_user_sec_ctx_size(xp->security))
+ nla_total_size(sizeof(struct xfrm_mark))
@@ -977,12 +1011,13 @@ static int build_polexpire(struct sk_buff *skb,
int dir,
const struct km_event *c)
{
- struct xfrm_user_polexpire *upe;
+ struct xfrm_user_polexpire_legacy *upe;
int hard = c->data.hard;
struct nlmsghdr *nlh;
int err;
- nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_POLEXPIRE, sizeof(*upe), 0);
+ nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_POLEXPIRE_LEGACY,
+ sizeof(*upe), 0);
if (nlh == NULL)
return -EMSGSIZE;
@@ -1005,7 +1040,7 @@ static int build_polexpire(struct sk_buff *skb,
return 0;
}
-static int xfrm_exp_policy_notify(const struct xfrm_policy *xp,
+int xfrm_exp_policy_notify_legacy(const struct xfrm_policy *xp,
int dir,
const struct km_event *c)
{
@@ -1022,19 +1057,21 @@ static int xfrm_exp_policy_notify(const struct xfrm_policy *xp,
return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE);
}
-static int xfrm_notify_policy(const struct xfrm_policy *xp,
+int xfrm_notify_policy_legacy(const struct xfrm_policy *xp,
int dir,
const struct km_event *c)
{
int len = nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr);
struct net *net = xp_net(xp);
- struct xfrm_userpolicy_info *p;
+ struct xfrm_userpolicy_info_legacy *p;
struct xfrm_userpolicy_id *id;
struct nlmsghdr *nlh;
struct sk_buff *skb;
int headlen, err;
+ u32 event = 0;
headlen = sizeof(*p);
+
if (c->event == XFRM_MSG_DELPOLICY) {
len += nla_total_size(headlen);
headlen = sizeof(*id);
@@ -1047,7 +1084,19 @@ static int xfrm_notify_policy(const struct xfrm_policy *xp,
if (skb == NULL)
return -ENOMEM;
- nlh = nlmsg_put(skb, c->portid, c->seq, c->event, headlen, 0);
+ switch (c->event) {
+ case XFRM_MSG_NEWPOLICY:
+ event = XFRM_MSG_NEWPOLICY_LEGACY;
+ break;
+ case XFRM_MSG_UPDPOLICY:
+ event = XFRM_MSG_UPDPOLICY_LEGACY;
+ break;
+ case XFRM_MSG_DELPOLICY:
+ event = XFRM_MSG_DELPOLICY_LEGACY;
+ break;
+ }
+
+ nlh = nlmsg_put(skb, c->portid, c->seq, event, headlen, 0);
err = -EMSGSIZE;
if (nlh == NULL)
goto out_free_skb;
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 2ca9cde939d4..15e8b1381c13 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -90,29 +90,42 @@ static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
static struct nlmsg_perm nlmsg_xfrm_perms[] =
{
- { XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_DELSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_GETSA, NETLINK_XFRM_SOCKET__NLMSG_READ },
- { XFRM_MSG_NEWPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_DELPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_GETPOLICY, NETLINK_XFRM_SOCKET__NLMSG_READ },
- { XFRM_MSG_ALLOCSPI, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_ACQUIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_EXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_UPDPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_UPDSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_POLEXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_FLUSHSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
- { XFRM_MSG_REPORT, NETLINK_XFRM_SOCKET__NLMSG_READ },
- { XFRM_MSG_MIGRATE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
- { XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
- { XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
- { XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
- { XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_NEWSA_LEGACY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_DELSA_LEGACY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_GETSA_LEGACY, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_NEWPOLICY_LEGACY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_DELPOLICY_LEGACY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_GETPOLICY_LEGACY, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_ALLOCSPI_LEGACY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_ACQUIRE_LEGACY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_EXPIRE_LEGACY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_UPDPOLICY_LEGACY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_UPDSA_LEGACY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_POLEXPIRE_LEGACY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_FLUSHSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_REPORT, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_MIGRATE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_ALLOCSPI, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_ACQUIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_EXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_POLEXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_UPDSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_DELSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_GETSA, NETLINK_XFRM_SOCKET__NLMSG_READ },
+ { XFRM_MSG_NEWPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_UPDPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_DELPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
+ { XFRM_MSG_GETPOLICY, NETLINK_XFRM_SOCKET__NLMSG_READ },
};
static struct nlmsg_perm nlmsg_audit_perms[] =
@@ -168,7 +181,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
break;
case SECCLASS_NETLINK_XFRM_SOCKET:
- BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_MAPPING);
+ BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_GETPOLICY);
err = nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms,
sizeof(nlmsg_xfrm_perms));
break;
--
2.11.0.483.g087da7b7c-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 4/4] xfrm_user: Add new 32/64-agnostic netlink messages
2017-01-21 0:05 ` [PATCH 4/4] xfrm_user: Add new 32/64-agnostic netlink messages Kevin Cernekee
@ 2017-01-21 8:21 ` kbuild test robot
0 siblings, 0 replies; 10+ messages in thread
From: kbuild test robot @ 2017-01-21 8:21 UTC (permalink / raw)
To: Kevin Cernekee
Cc: kbuild-all, steffen.klassert, herbert, davem, paul, sds, eparis,
linux-kernel, netdev, selinux, fw, fan.du, dianders, dtor
[-- Attachment #1: Type: text/plain, Size: 9722 bytes --]
Hi Kevin,
[auto build test ERROR on ipsec-next/master]
[also build test ERROR on v4.10-rc4 next-20170120]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Kevin-Cernekee/Make-xfrm-usable-by-32-bit-programs/20170121-150712
base: https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git master
config: ia64-allmodconfig (attached as .config)
compiler: ia64-linux-gcc (GCC) 6.2.0
reproduce:
wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=ia64
All errors (new ones prefixed by >>):
>> net/xfrm/xfrm_user_legacy.c:845:5: error: redefinition of 'xfrm_exp_state_notify_legacy'
int xfrm_exp_state_notify_legacy(const struct xfrm_state *x,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from net/xfrm/xfrm_user_legacy.c:30:0:
net/xfrm/xfrm_user.h:131:19: note: previous definition of 'xfrm_exp_state_notify_legacy' was here
static inline int xfrm_exp_state_notify_legacy(const struct xfrm_state *x,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> net/xfrm/xfrm_user_legacy.c:863:5: error: redefinition of 'xfrm_notify_sa_legacy'
int xfrm_notify_sa_legacy(const struct xfrm_state *x, const struct km_event *c)
^~~~~~~~~~~~~~~~~~~~~
In file included from net/xfrm/xfrm_user_legacy.c:30:0:
net/xfrm/xfrm_user.h:137:19: note: previous definition of 'xfrm_notify_sa_legacy' was here
static inline int xfrm_notify_sa_legacy(const struct xfrm_state *x,
^~~~~~~~~~~~~~~~~~~~~
>> net/xfrm/xfrm_user_legacy.c:983:5: error: redefinition of 'xfrm_send_acquire_legacy'
int xfrm_send_acquire_legacy(struct xfrm_state *x,
^~~~~~~~~~~~~~~~~~~~~~~~
In file included from net/xfrm/xfrm_user_legacy.c:30:0:
net/xfrm/xfrm_user.h:143:19: note: previous definition of 'xfrm_send_acquire_legacy' was here
static inline int xfrm_send_acquire_legacy(struct xfrm_state *x,
^~~~~~~~~~~~~~~~~~~~~~~~
>> net/xfrm/xfrm_user_legacy.c:1043:5: error: redefinition of 'xfrm_exp_policy_notify_legacy'
int xfrm_exp_policy_notify_legacy(const struct xfrm_policy *xp,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from net/xfrm/xfrm_user_legacy.c:30:0:
net/xfrm/xfrm_user.h:150:19: note: previous definition of 'xfrm_exp_policy_notify_legacy' was here
static inline int xfrm_exp_policy_notify_legacy(const struct xfrm_policy *xp,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> net/xfrm/xfrm_user_legacy.c:1060:5: error: redefinition of 'xfrm_notify_policy_legacy'
int xfrm_notify_policy_legacy(const struct xfrm_policy *xp,
^~~~~~~~~~~~~~~~~~~~~~~~~
In file included from net/xfrm/xfrm_user_legacy.c:30:0:
net/xfrm/xfrm_user.h:157:19: note: previous definition of 'xfrm_notify_policy_legacy' was here
static inline int xfrm_notify_policy_legacy(const struct xfrm_policy *xp,
^~~~~~~~~~~~~~~~~~~~~~~~~
vim +/xfrm_exp_state_notify_legacy +845 net/xfrm/xfrm_user_legacy.c
839 return err;
840
841 nlmsg_end(skb, nlh);
842 return 0;
843 }
844
> 845 int xfrm_exp_state_notify_legacy(const struct xfrm_state *x,
846 const struct km_event *c)
847 {
848 struct net *net = xs_net(x);
849 struct sk_buff *skb;
850
851 skb = nlmsg_new(xfrm_expire_msgsize(), GFP_ATOMIC);
852 if (skb == NULL)
853 return -ENOMEM;
854
855 if (build_expire(skb, x, c) < 0) {
856 kfree_skb(skb);
857 return -EMSGSIZE;
858 }
859
860 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_EXPIRE);
861 }
862
> 863 int xfrm_notify_sa_legacy(const struct xfrm_state *x, const struct km_event *c)
864 {
865 struct net *net = xs_net(x);
866 struct xfrm_usersa_info_legacy *p;
867 struct xfrm_usersa_id *id;
868 struct nlmsghdr *nlh;
869 struct sk_buff *skb;
870 int len = xfrm_sa_len(x);
871 int headlen, err;
872 u32 event = 0;
873
874 headlen = sizeof(*p);
875 if (c->event == XFRM_MSG_DELSA) {
876 len += nla_total_size(headlen);
877 headlen = sizeof(*id);
878 len += nla_total_size(sizeof(struct xfrm_mark));
879 }
880 len += NLMSG_ALIGN(headlen);
881
882 skb = nlmsg_new(len, GFP_ATOMIC);
883 if (skb == NULL)
884 return -ENOMEM;
885
886 switch (c->event) {
887 case XFRM_MSG_NEWSA:
888 event = XFRM_MSG_NEWSA_LEGACY;
889 break;
890 case XFRM_MSG_UPDSA:
891 event = XFRM_MSG_UPDSA_LEGACY;
892 break;
893 case XFRM_MSG_DELSA:
894 event = XFRM_MSG_DELSA_LEGACY;
895 break;
896 }
897
898 nlh = nlmsg_put(skb, c->portid, c->seq, event, headlen, 0);
899 err = -EMSGSIZE;
900 if (nlh == NULL)
901 goto out_free_skb;
902
903 p = nlmsg_data(nlh);
904 if (c->event == XFRM_MSG_DELSA) {
905 struct nlattr *attr;
906
907 id = nlmsg_data(nlh);
908 memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr));
909 id->spi = x->id.spi;
910 id->family = x->props.family;
911 id->proto = x->id.proto;
912
913 attr = nla_reserve(skb, XFRMA_SA, sizeof(*p));
914 err = -EMSGSIZE;
915 if (attr == NULL)
916 goto out_free_skb;
917
918 p = nla_data(attr);
919 }
920 err = copy_to_user_state_extra(x, p, skb);
921 if (err)
922 goto out_free_skb;
923
924 nlmsg_end(skb, nlh);
925
926 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_SA);
927
928 out_free_skb:
929 kfree_skb(skb);
930 return err;
931 }
932
933 static inline size_t xfrm_acquire_msgsize(const struct xfrm_state *x,
934 const struct xfrm_policy *xp)
935 {
936 return NLMSG_ALIGN(sizeof(struct xfrm_user_acquire_legacy))
937 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr)
938 + nla_total_size(sizeof(struct xfrm_mark))
939 + nla_total_size(xfrm_user_sec_ctx_size(x->security))
940 + userpolicy_type_attrsize();
941 }
942
943 static int build_acquire(struct sk_buff *skb,
944 struct xfrm_state *x,
945 const struct xfrm_tmpl *xt,
946 const struct xfrm_policy *xp)
947 {
948 __u32 seq = xfrm_get_acqseq();
949 struct xfrm_user_acquire_legacy *ua;
950 struct nlmsghdr *nlh;
951 int err;
952
953 nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_ACQUIRE_LEGACY, sizeof(*ua), 0);
954 if (nlh == NULL)
955 return -EMSGSIZE;
956
957 ua = nlmsg_data(nlh);
958 memcpy(&ua->id, &x->id, sizeof(ua->id));
959 memcpy(&ua->saddr, &x->props.saddr, sizeof(ua->saddr));
960 memcpy(&ua->sel, &x->sel, sizeof(ua->sel));
961 copy_to_user_policy(xp, &ua->policy, XFRM_POLICY_OUT);
962 ua->aalgos = xt->aalgos;
963 ua->ealgos = xt->ealgos;
964 ua->calgos = xt->calgos;
965 ua->seq = x->km.seq = seq;
966
967 err = xfrm_copy_to_user_tmpl(xp, skb);
968 if (!err)
969 err = copy_to_user_state_sec_ctx(x, skb);
970 if (!err)
971 err = copy_to_user_policy_type(xp->type, skb);
972 if (!err)
973 err = xfrm_mark_put(skb, &xp->mark);
974 if (err) {
975 nlmsg_cancel(skb, nlh);
976 return err;
977 }
978
979 nlmsg_end(skb, nlh);
980 return 0;
981 }
982
> 983 int xfrm_send_acquire_legacy(struct xfrm_state *x,
984 const struct xfrm_tmpl *xt,
985 const struct xfrm_policy *xp)
986 {
987 struct net *net = xs_net(x);
988 struct sk_buff *skb;
989
990 skb = nlmsg_new(xfrm_acquire_msgsize(x, xp), GFP_ATOMIC);
991 if (skb == NULL)
992 return -ENOMEM;
993
994 if (build_acquire(skb, x, xt, xp) < 0)
995 BUG();
996
997 return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_ACQUIRE);
998 }
999
1000 static inline size_t xfrm_polexpire_msgsize(const struct xfrm_policy *xp)
1001 {
1002 return NLMSG_ALIGN(sizeof(struct xfrm_user_polexpire_legacy))
1003 + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr)
1004 + nla_total_size(xfrm_user_sec_ctx_size(xp->security))
1005 + nla_total_size(sizeof(struct xfrm_mark))
1006 + userpolicy_type_attrsize();
1007 }
1008
1009 static int build_polexpire(struct sk_buff *skb,
1010 const struct xfrm_policy *xp,
1011 int dir,
1012 const struct km_event *c)
1013 {
1014 struct xfrm_user_polexpire_legacy *upe;
1015 int hard = c->data.hard;
1016 struct nlmsghdr *nlh;
1017 int err;
1018
1019 nlh = nlmsg_put(skb, c->portid, 0, XFRM_MSG_POLEXPIRE_LEGACY,
1020 sizeof(*upe), 0);
1021 if (nlh == NULL)
1022 return -EMSGSIZE;
1023
1024 upe = nlmsg_data(nlh);
1025 copy_to_user_policy(xp, &upe->pol, dir);
1026 err = xfrm_copy_to_user_tmpl(xp, skb);
1027 if (!err)
1028 err = copy_to_user_sec_ctx(xp, skb);
1029 if (!err)
1030 err = copy_to_user_policy_type(xp->type, skb);
1031 if (!err)
1032 err = xfrm_mark_put(skb, &xp->mark);
1033 if (err) {
1034 nlmsg_cancel(skb, nlh);
1035 return err;
1036 }
1037 upe->hard = !!hard;
1038
1039 nlmsg_end(skb, nlh);
1040 return 0;
1041 }
1042
> 1043 int xfrm_exp_policy_notify_legacy(const struct xfrm_policy *xp,
1044 int dir,
1045 const struct km_event *c)
1046 {
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 45848 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 0/4] Make xfrm usable by 32-bit programs
2017-01-21 0:05 [PATCH 0/4] Make xfrm usable by 32-bit programs Kevin Cernekee
` (3 preceding siblings ...)
2017-01-21 0:05 ` [PATCH 4/4] xfrm_user: Add new 32/64-agnostic netlink messages Kevin Cernekee
@ 2017-01-23 9:35 ` Steffen Klassert
2017-01-23 15:47 ` David Miller
2017-01-23 16:45 ` David Laight
5 siblings, 1 reply; 10+ messages in thread
From: Steffen Klassert @ 2017-01-23 9:35 UTC (permalink / raw)
To: Kevin Cernekee
Cc: herbert, davem, paul, sds, eparis, linux-kernel, netdev, selinux,
fw, fan.du, dianders, dtor
On Fri, Jan 20, 2017 at 04:05:03PM -0800, Kevin Cernekee wrote:
> Several of the xfrm netlink and setsockopt() interfaces are not usable
> from a 32-bit binary running on a 64-bit kernel due to struct padding
> differences. This has been the case for many, many years[0]. This
> patch series deprecates the broken netlink messages and replaces them
> with packed structs that are compatible between 64-bit and 32-bit
> programs. It retains support for legacy user programs (i.e. anything
> that is currently working today), and allows legacy support to be
> compiled out via CONFIG_XFRM_USER_LEGACY if it becomes unnecessary in
> the future.
This would mean that we have to maintain two APIs from now on.
This is something I really want to avoid because it is almost
impossible to get rid of the old one.
>
> Earlier attempts at fixing the problem had implemented a compat layer.
> A compat layer is helpful because it avoids the need to recompile old
> user binaries, but there are many challenges involved in implementing
> it. I believe a compat layer is of limited value in this instance
> because anybody who really needed to solve the problem without
> recompiling their binaries has almost certainly found another solution
> in the ~7 years since the compat patches were first proposed.
>
> A benefit of this approach is that long-term, the broken netlink messages
> will no longer be used. A drawback is that in the short term, user
> programs that want to adopt the new message formats will require a
> modern kernel. Projects like strongSwan and iproute2 bundle the xfrm.h
> header inside their own source trees, so they will need to make a
> judgment call on when to remove support for kernels that do not support
> the new messages. And programs built against the new kernel headers
> will not work on old kernels.
So this creates new incompatibilities what is another argument against
this approach. If you really need this, try to implement a full compat
layer. I think this is the only sane solution for this.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 0/4] Make xfrm usable by 32-bit programs
2017-01-23 9:35 ` [PATCH 0/4] Make xfrm usable by 32-bit programs Steffen Klassert
@ 2017-01-23 15:47 ` David Miller
0 siblings, 0 replies; 10+ messages in thread
From: David Miller @ 2017-01-23 15:47 UTC (permalink / raw)
To: steffen.klassert
Cc: cernekee, herbert, paul, sds, eparis, linux-kernel, netdev,
selinux, fw, fan.du, dianders, dtor
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Mon, 23 Jan 2017 10:35:17 +0100
> So this creates new incompatibilities what is another argument against
> this approach. If you really need this, try to implement a full compat
> layer. I think this is the only sane solution for this.
A full compat layer is the only reasonable solution to this problem.
^ permalink raw reply [flat|nested] 10+ messages in thread
* RE: [PATCH 0/4] Make xfrm usable by 32-bit programs
2017-01-21 0:05 [PATCH 0/4] Make xfrm usable by 32-bit programs Kevin Cernekee
` (4 preceding siblings ...)
2017-01-23 9:35 ` [PATCH 0/4] Make xfrm usable by 32-bit programs Steffen Klassert
@ 2017-01-23 16:45 ` David Laight
2017-01-23 16:57 ` David Miller
5 siblings, 1 reply; 10+ messages in thread
From: David Laight @ 2017-01-23 16:45 UTC (permalink / raw)
To: 'Kevin Cernekee',
steffen.klassert, herbert, davem, paul, sds, eparis
Cc: linux-kernel, netdev, selinux, fw, fan.du, dianders, dtor
From: Kevin Cernekee
> Sent: 21 January 2017 00:05
> Several of the xfrm netlink and setsockopt() interfaces are not usable
> from a 32-bit binary running on a 64-bit kernel due to struct padding
> differences. This has been the case for many, many years[0]. This
> patch series deprecates the broken netlink messages and replaces them
> with packed structs that are compatible between 64-bit and 32-bit
> programs.
Do you mean '__packed' or just structures with no holes?
The latter is really the best.
You can add a compile time assert on the structure sizes to ensure
that the user API is never accidentally broken.
I can't imagine any reason to change the 64bit structures except
(maybe) to make any padding explicit.
> It retains support for legacy user programs (i.e. anything
> that is currently working today), and allows legacy support to be
> compiled out via CONFIG_XFRM_USER_LEGACY if it becomes unnecessary in
> the future.
...
Isn't that effectively the same as doing a compat layer?
Otherwise you can't build a 32bit app that will work with an 'old'
32bit kernel and a new 64bit one.
Provided you've got the length of the user's buffer the compat code
ought to be trivial (if tedious).
David
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 0/4] Make xfrm usable by 32-bit programs
2017-01-23 16:45 ` David Laight
@ 2017-01-23 16:57 ` David Miller
0 siblings, 0 replies; 10+ messages in thread
From: David Miller @ 2017-01-23 16:57 UTC (permalink / raw)
To: David.Laight
Cc: cernekee, steffen.klassert, herbert, paul, sds, eparis,
linux-kernel, netdev, selinux, fw, fan.du, dianders, dtor
From: David Laight <David.Laight@ACULAB.COM>
Date: Mon, 23 Jan 2017 16:45:39 +0000
> Provided you've got the length of the user's buffer the compat code
> ought to be trivial (if tedious).
Wireless guys had to deal with a similar problem with nl80211.
You don't know who is going to get the message when you build it,
because you can't possibly know what applications are listening
on the netlink sockets for notifications and even if you did
that set changes dynamically and could be different by the time
the notification is delivered.
The long and short of it is that you must always generate both the
native 64-bit as well as the 32-bit compat version of every message,
then at delivery time you enqueue the appropriate one to each
receiving socket.
This is how nl80211 solved the problem, and it's what XFRM should do
as well.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2017-01-23 16:57 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-01-21 0:05 [PATCH 0/4] Make xfrm usable by 32-bit programs Kevin Cernekee
2017-01-21 0:05 ` [PATCH 1/4] xfrm: Constify xfrm_user arguments and xfrm_mgr callback APIs Kevin Cernekee
2017-01-21 0:05 ` [PATCH 2/4] xfrm_user: Allow common functions to be called from another file Kevin Cernekee
2017-01-21 0:05 ` [PATCH 3/4] xfrm_user: Initial commit of xfrm_user_legacy.c Kevin Cernekee
2017-01-21 0:05 ` [PATCH 4/4] xfrm_user: Add new 32/64-agnostic netlink messages Kevin Cernekee
2017-01-21 8:21 ` kbuild test robot
2017-01-23 9:35 ` [PATCH 0/4] Make xfrm usable by 32-bit programs Steffen Klassert
2017-01-23 15:47 ` David Miller
2017-01-23 16:45 ` David Laight
2017-01-23 16:57 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).