
Commit f7b6983f authored by Masahide NAKAMURA's avatar Masahide NAKAMURA Committed by David S. Miller

[XFRM] POLICY: Support netlink socket interface for sub policy.



Sub policies can be used through the netlink socket.
PF_KEY uses main policies only; supporting sub policies there is a TODO.

Signed-off-by: default avatarMasahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: default avatarYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 41a49cc3
+7 −0
@@ -230,6 +230,12 @@ enum xfrm_ae_ftype_t {
#define XFRM_AE_MAX (__XFRM_AE_MAX - 1)
};

struct xfrm_userpolicy_type {
	__u8		type;
	__u16		reserved1;
	__u8		reserved2;
};

/* Netlink message attributes.  */
enum xfrm_attr_type_t {
	XFRMA_UNSPEC,
@@ -248,6 +254,7 @@ enum xfrm_attr_type_t {
	XFRMA_SRCADDR,		/* xfrm_address_t */
	XFRMA_COADDR,		/* xfrm_address_t */
	XFRMA_LASTUSED,
	XFRMA_POLICY_TYPE,	/* struct xfrm_userpolicy_type */
	__XFRMA_MAX

#define XFRMA_MAX (__XFRMA_MAX - 1)
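Review bot: The new struct xfrm_userpolicy_type in the first hunk orders its members `__u8 type; __u16 reserved1; __u8 reserved2;`, which on ABIs where __u16 is 2-byte aligned leaves implicit padding at offsets 1 and 5 that no named field covers. Because the struct is copied to userspace as a netlink attribute, every sender has to zero the whole object before filling it (the xfrm_user.c hunks do memset it), and a hidden hole is easy to forget in a future writer. Since this is the commit that introduces the UAPI layout, reordering to `__u8 type; __u8 reserved2; __u16 reserved1;` would leave no padding at all; once shipped the layout cannot change. If the reserved fields are meant for later extension, a comment such as `/* reserved fields must be zero */` next to them would also tell userspace what the kernel will eventually expect.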
+1 −0
@@ -203,6 +203,7 @@ struct km_event
		u32 proto;
		u32 byid;
		u32 aevent;
		u32 type;
	} data;

	u32	seq;
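Review bot: The new `u32 type;` member of the km_event data union carries no comment saying which event fills it; its meaning is only visible from the XFRM_MSG_FLUSHPOLICY paths in af_key.c and xfrm_user.c that assign `c.data.type`. Since `data` is a union, reading `type` for any other event aliases proto/byid/aevent, so the constraint belongs at the definition: `u32 type;	/* XFRM_MSG_FLUSHPOLICY: XFRM_POLICY_TYPE_* being flushed */`. The enclosing struct km_event starts and ends outside the hunk.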
+13 −5
@@ -1731,7 +1731,8 @@ static u32 gen_reqid(void)
		++reqid;
		if (reqid == 0)
			reqid = IPSEC_MANUAL_REQID_MAX+1;
		if (xfrm_policy_walk(check_reqid, (void*)&reqid) != -EEXIST)
		if (xfrm_policy_walk(XFRM_POLICY_TYPE_MAIN, check_reqid,
				     (void*)&reqid) != -EEXIST)
			return reqid;
	} while (reqid != start);
	return 0;
@@ -2268,7 +2269,8 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
			return err;
	}

	xp = xfrm_policy_bysel_ctx(pol->sadb_x_policy_dir-1, &sel, tmp.security, 1);
	xp = xfrm_policy_bysel_ctx(XFRM_POLICY_TYPE_MAIN, pol->sadb_x_policy_dir-1,
				   &sel, tmp.security, 1);
	security_xfrm_policy_free(&tmp);
	if (xp == NULL)
		return -ENOENT;
@@ -2330,7 +2332,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
	if (dir >= XFRM_POLICY_MAX)
		return -EINVAL;

	xp = xfrm_policy_byid(dir, pol->sadb_x_policy_id,
	xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir, pol->sadb_x_policy_id,
			      hdr->sadb_msg_type == SADB_X_SPDDELETE2);
	if (xp == NULL)
		return -ENOENT;
@@ -2378,7 +2380,7 @@ static int pfkey_spddump(struct sock *sk, struct sk_buff *skb, struct sadb_msg *
{
	struct pfkey_dump_data data = { .skb = skb, .hdr = hdr, .sk = sk };

	return xfrm_policy_walk(dump_sp, &data);
	return xfrm_policy_walk(XFRM_POLICY_TYPE_MAIN, dump_sp, &data);
}

static int key_notify_policy_flush(struct km_event *c)
@@ -2405,7 +2407,8 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg
{
	struct km_event c;

	xfrm_policy_flush();
	xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN);
	c.data.type = XFRM_POLICY_TYPE_MAIN;
	c.event = XFRM_MSG_FLUSHPOLICY;
	c.pid = hdr->sadb_msg_pid;
	c.seq = hdr->sadb_msg_seq;
@@ -2667,6 +2670,9 @@ static int pfkey_send_notify(struct xfrm_state *x, struct km_event *c)

static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
{
	if (xp && xp->type != XFRM_POLICY_TYPE_MAIN)
		return 0;

	switch (c->event) {
	case XFRM_MSG_POLEXPIRE:
		return key_notify_policy_expire(xp, c);
@@ -2675,6 +2681,8 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, struct km_e
	case XFRM_MSG_UPDPOLICY:
		return key_notify_policy(xp, dir, c);
	case XFRM_MSG_FLUSHPOLICY:
		if (c->data.type != XFRM_POLICY_TYPE_MAIN)
			break;
		return key_notify_policy_flush(c);
	default:
		printk("pfkey: Unknown policy event %d\n", c->event);
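Review bot: In the gen_reqid hunk the uniqueness walk now passes XFRM_POLICY_TYPE_MAIN only, so a reqid already used by a sub policy installed over netlink would still be handed out as free. If reqid values are meant to be unique across both policy types (check_reqid appears to report a clash with -EEXIST regardless of which table the policy lives in), the walk should also cover XFRM_POLICY_TYPE_SUB under CONFIG_XFRM_SUB_POLICY. This is different from the other af_key.c hunks, where limiting PF_KEY to main policies is the intended scope per the commit message, because here the check guards a value shared with netlink users. gen_reqid starts outside the hunk.
```c
		/* … unchanged: reqid increment and wrap-around … */
		if (xfrm_policy_walk(XFRM_POLICY_TYPE_MAIN, check_reqid,
				     (void*)&reqid) != -EEXIST
#ifdef CONFIG_XFRM_SUB_POLICY
		    && xfrm_policy_walk(XFRM_POLICY_TYPE_SUB, check_reqid,
					(void*)&reqid) != -EEXIST
#endif
		    )
			return reqid;
```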
+121 −13
@@ -786,6 +786,22 @@ static int verify_policy_dir(__u8 dir)
	return 0;
}

static int verify_policy_type(__u8 type)
{
	switch (type) {
	case XFRM_POLICY_TYPE_MAIN:
#ifdef CONFIG_XFRM_SUB_POLICY
	case XFRM_POLICY_TYPE_SUB:
#endif
		break;

	default:
		return -EINVAL;
	};

	return 0;
}

static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
{
	switch (p->share) {
@@ -879,6 +895,29 @@ static int copy_from_user_tmpl(struct xfrm_policy *pol, struct rtattr **xfrma)
	return 0;
}

static int copy_from_user_policy_type(u8 *tp, struct rtattr **xfrma)
{
	struct rtattr *rt = xfrma[XFRMA_POLICY_TYPE-1];
	struct xfrm_userpolicy_type *upt;
	__u8 type = XFRM_POLICY_TYPE_MAIN;
	int err;

	if (rt) {
		if (rt->rta_len < sizeof(*upt))
			return -EINVAL;

		upt = RTA_DATA(rt);
		type = upt->type;
	}

	err = verify_policy_type(type);
	if (err)
		return err;

	*tp = type;
	return 0;
}

static void copy_from_user_policy(struct xfrm_policy *xp, struct xfrm_userpolicy_info *p)
{
	xp->priority = p->priority;
@@ -917,16 +956,20 @@ static struct xfrm_policy *xfrm_policy_construct(struct xfrm_userpolicy_info *p,

	copy_from_user_policy(xp, p);

	err = copy_from_user_policy_type(&xp->type, xfrma);
	if (err)
		goto error;

	if (!(err = copy_from_user_tmpl(xp, xfrma)))
		err = copy_from_user_sec_ctx(xp, xfrma);
	if (err)
		goto error;

	if (err) {
	return xp;
 error:
	*errp = err;
	kfree(xp);
		xp = NULL;
	}

	return xp;
	return NULL;
}

static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
@@ -1037,6 +1080,29 @@ static inline int copy_to_user_sec_ctx(struct xfrm_policy *xp, struct sk_buff *s
	return 0;
}

#ifdef CONFIG_XFRM_SUB_POLICY
static int copy_to_user_policy_type(struct xfrm_policy *xp, struct sk_buff *skb)
{
	struct xfrm_userpolicy_type upt;

	memset(&upt, 0, sizeof(upt));
	upt.type = xp->type;

	RTA_PUT(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);

	return 0;

rtattr_failure:
	return -1;
}

#else
static inline int copy_to_user_policy_type(struct xfrm_policy *xp, struct sk_buff *skb)
{
	return 0;
}
#endif

static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr)
{
	struct xfrm_dump_info *sp = ptr;
@@ -1060,6 +1126,8 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr
		goto nlmsg_failure;
	if (copy_to_user_sec_ctx(xp, skb))
		goto nlmsg_failure;
	if (copy_to_user_policy_type(xp, skb) < 0)
		goto nlmsg_failure;

	nlh->nlmsg_len = skb->tail - b;
out:
@@ -1081,7 +1149,10 @@ static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
	info.nlmsg_flags = NLM_F_MULTI;
	info.this_idx = 0;
	info.start_idx = cb->args[0];
	(void) xfrm_policy_walk(dump_one_policy, &info);
	(void) xfrm_policy_walk(XFRM_POLICY_TYPE_MAIN, dump_one_policy, &info);
#ifdef CONFIG_XFRM_SUB_POLICY
	(void) xfrm_policy_walk(XFRM_POLICY_TYPE_SUB, dump_one_policy, &info);
#endif
	cb->args[0] = info.this_idx;

	return skb->len;
@@ -1117,6 +1188,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
{
	struct xfrm_policy *xp;
	struct xfrm_userpolicy_id *p;
	__u8 type = XFRM_POLICY_TYPE_MAIN;
	int err;
	struct km_event c;
	int delete;
@@ -1124,12 +1196,16 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
	p = NLMSG_DATA(nlh);
	delete = nlh->nlmsg_type == XFRM_MSG_DELPOLICY;

	err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);
	if (err)
		return err;

	err = verify_policy_dir(p->dir);
	if (err)
		return err;

	if (p->index)
		xp = xfrm_policy_byid(p->dir, p->index, delete);
		xp = xfrm_policy_byid(type, p->dir, p->index, delete);
	else {
		struct rtattr **rtattrs = (struct rtattr **)xfrma;
		struct rtattr *rt = rtattrs[XFRMA_SEC_CTX-1];
@@ -1146,7 +1222,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
			if ((err = security_xfrm_policy_alloc(&tmp, uctx)))
				return err;
		}
		xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, delete);
		xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
		security_xfrm_policy_free(&tmp);
	}
	if (xp == NULL)
@@ -1330,8 +1406,15 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
{
	struct km_event c;
	__u8 type = XFRM_POLICY_TYPE_MAIN;
	int err;

	xfrm_policy_flush();
	err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);
	if (err)
		return err;

	xfrm_policy_flush(type);
	c.data.type = type;
	c.event = nlh->nlmsg_type;
	c.seq = nlh->nlmsg_seq;
	c.pid = nlh->nlmsg_pid;
@@ -1344,10 +1427,15 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, void *
	struct xfrm_policy *xp;
	struct xfrm_user_polexpire *up = NLMSG_DATA(nlh);
	struct xfrm_userpolicy_info *p = &up->pol;
	__u8 type = XFRM_POLICY_TYPE_MAIN;
	int err = -ENOENT;

	err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);
	if (err)
		return err;

	if (p->index)
		xp = xfrm_policy_byid(p->dir, p->index, 0);
		xp = xfrm_policy_byid(type, p->dir, p->index, 0);
	else {
		struct rtattr **rtattrs = (struct rtattr **)xfrma;
		struct rtattr *rt = rtattrs[XFRMA_SEC_CTX-1];
@@ -1364,7 +1452,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, void *
			if ((err = security_xfrm_policy_alloc(&tmp, uctx)))
				return err;
		}
		xp = xfrm_policy_bysel_ctx(p->dir, &p->sel, tmp.security, 0);
		xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, 0);
		security_xfrm_policy_free(&tmp);
	}

@@ -1818,6 +1906,8 @@ static int build_acquire(struct sk_buff *skb, struct xfrm_state *x,
		goto nlmsg_failure;
	if (copy_to_user_state_sec_ctx(x, skb))
		goto nlmsg_failure;
	if (copy_to_user_policy_type(xp, skb) < 0)
		goto nlmsg_failure;

	nlh->nlmsg_len = skb->tail - b;
	return skb->len;
@@ -1898,6 +1988,7 @@ static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt,
	}

	copy_from_user_policy(xp, p);
	xp->type = XFRM_POLICY_TYPE_MAIN;
	copy_templates(xp, ut, nr);

	if (!xp->security) {
@@ -1931,6 +2022,8 @@ static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp,
		goto nlmsg_failure;
	if (copy_to_user_sec_ctx(xp, skb))
		goto nlmsg_failure;
	if (copy_to_user_policy_type(xp, skb) < 0)
		goto nlmsg_failure;
	upe->hard = !!hard;

	nlh->nlmsg_len = skb->tail - b;
@@ -2002,6 +2095,8 @@ static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, struct km_event *
	copy_to_user_policy(xp, p, dir);
	if (copy_to_user_tmpl(xp, skb) < 0)
		goto nlmsg_failure;
	if (copy_to_user_policy_type(xp, skb) < 0)
		goto nlmsg_failure;

	nlh->nlmsg_len = skb->tail - b;

@@ -2019,6 +2114,9 @@ static int xfrm_notify_policy_flush(struct km_event *c)
	struct nlmsghdr *nlh;
	struct sk_buff *skb;
	unsigned char *b;
#ifdef CONFIG_XFRM_SUB_POLICY
	struct xfrm_userpolicy_type upt;
#endif
	int len = NLMSG_LENGTH(0);

	skb = alloc_skb(len, GFP_ATOMIC);
@@ -2028,6 +2126,13 @@ static int xfrm_notify_policy_flush(struct km_event *c)


	nlh = NLMSG_PUT(skb, c->pid, c->seq, XFRM_MSG_FLUSHPOLICY, 0);
	nlh->nlmsg_flags = 0;

#ifdef CONFIG_XFRM_SUB_POLICY
	memset(&upt, 0, sizeof(upt));
	upt.type = c->data.type;
	RTA_PUT(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
#endif

	nlh->nlmsg_len = skb->tail - b;

@@ -2035,6 +2140,9 @@ static int xfrm_notify_policy_flush(struct km_event *c)
	return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC);

nlmsg_failure:
#ifdef CONFIG_XFRM_SUB_POLICY
rtattr_failure:
#endif
	kfree_skb(skb);
	return -1;
}
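Review bot: In copy_from_user_policy_type, `if (rt->rta_len < sizeof(*upt))` compares the attribute's header-inclusive rta_len with the payload size, so an attribute whose payload is shorter than struct xfrm_userpolicy_type still passes as long as header plus payload reaches sizeof(*upt); the read of `upt->type` at payload offset 0 happens to stay in bounds, but the check does not enforce what it appears to. `if (RTA_PAYLOAD(rt) < sizeof(*upt))` (equivalently `rt->rta_len < RTA_LENGTH(sizeof(*upt))`) is the check that matches the struct being read. If reserved1/reserved2 are meant to be reusable later, rejecting non-zero values here with -EINVAL would keep that option open; the other new untrusted input, the type byte, is already validated by verify_policy_type. The memset before RTA_PUT in copy_to_user_policy_type and xfrm_notify_policy_flush correctly zeroes the struct's padding before it is copied out to userspace.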