2019-05-27 06:55:01 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
* net/key/af_key.c An implementation of PF_KEYv2 sockets.
|
|
|
|
*
|
|
|
|
* Authors: Maxim Giryaev <gem@asplinux.ru>
|
|
|
|
* David S. Miller <davem@redhat.com>
|
|
|
|
* Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
|
|
|
|
* Kunihiro Ishiguro <kunihiro@ipinfusion.com>
|
|
|
|
* Kazunori MIYAZAWA / USAGI Project <miyazawa@linux-ipv6.org>
|
|
|
|
* Derek Atkins <derek@ihtfp.com>
|
|
|
|
*/
|
|
|
|
|
2006-01-11 20:17:47 +00:00
|
|
|
#include <linux/capability.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/socket.h>
|
|
|
|
#include <linux/pfkeyv2.h>
|
|
|
|
#include <linux/ipsec.h>
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <linux/rtnetlink.h>
|
|
|
|
#include <linux/in.h>
|
|
|
|
#include <linux/in6.h>
|
|
|
|
#include <linux/proc_fs.h>
|
|
|
|
#include <linux/init.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 08:04:11 +00:00
|
|
|
#include <linux/slab.h>
|
2007-09-12 10:01:34 +00:00
|
|
|
#include <net/net_namespace.h>
|
2008-11-26 01:58:07 +00:00
|
|
|
#include <net/netns/generic.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <net/xfrm.h>
|
|
|
|
|
|
|
|
#include <net/sock.h>
|
|
|
|
|
|
|
|
#define _X2KEY(x) ((x) == XFRM_INF ? 0 : (x))
|
|
|
|
#define _KEY2X(x) ((x) == 0 ? XFRM_INF : (x))
|
|
|
|
|
netns: make struct pernet_operations::id unsigned int
Make struct pernet_operations::id unsigned.
There are 2 reasons to do so:
1)
This field is really an index into an zero based array and
thus is unsigned entity. Using negative value is out-of-bound
access by definition.
2)
On x86_64 unsigned 32-bit data which are mixed with pointers
via array indexing or offsets added or subtracted to pointers
are preffered to signed 32-bit data.
"int" being used as an array index needs to be sign-extended
to 64-bit before being used.
void f(long *p, int i)
{
g(p[i]);
}
roughly translates to
movsx rsi, esi
mov rdi, [rsi+...]
call g
MOVSX is 3 byte instruction which isn't necessary if the variable is
unsigned because x86_64 is zero extending by default.
Now, there is net_generic() function which, you guessed it right, uses
"int" as an array index:
static inline void *net_generic(const struct net *net, int id)
{
...
ptr = ng->ptr[id - 1];
...
}
And this function is used a lot, so those sign extensions add up.
Patch snipes ~1730 bytes on allyesconfig kernel (without all junk
messing with code generation):
add/remove: 0/0 grow/shrink: 70/598 up/down: 396/-2126 (-1730)
Unfortunately some functions actually grow bigger.
This is a semmingly random artefact of code generation with register
allocator being used differently. gcc decides that some variable
needs to live in new r8+ registers and every access now requires REX
prefix. Or it is shifted into r12, so [r12+0] addressing mode has to be
used which is longer than [r8]
However, overall balance is in negative direction:
add/remove: 0/0 grow/shrink: 70/598 up/down: 396/-2126 (-1730)
function old new delta
nfsd4_lock 3886 3959 +73
tipc_link_build_proto_msg 1096 1140 +44
mac80211_hwsim_new_radio 2776 2808 +32
tipc_mon_rcv 1032 1058 +26
svcauth_gss_legacy_init 1413 1429 +16
tipc_bcbase_select_primary 379 392 +13
nfsd4_exchange_id 1247 1260 +13
nfsd4_setclientid_confirm 782 793 +11
...
put_client_renew_locked 494 480 -14
ip_set_sockfn_get 730 716 -14
geneve_sock_add 829 813 -16
nfsd4_sequence_done 721 703 -18
nlmclnt_lookup_host 708 686 -22
nfsd4_lockt 1085 1063 -22
nfs_get_client 1077 1050 -27
tcf_bpf_init 1106 1076 -30
nfsd4_encode_fattr 5997 5930 -67
Total: Before=154856051, After=154854321, chg -0.00%
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-11-17 01:58:21 +00:00
|
|
|
static unsigned int pfkey_net_id __read_mostly;
|
2008-11-26 01:58:07 +00:00
|
|
|
struct netns_pfkey {
|
|
|
|
/* List of all pfkey sockets. */
|
|
|
|
struct hlist_head table;
|
|
|
|
atomic_t socks_nr;
|
|
|
|
};
|
2010-02-22 07:57:19 +00:00
|
|
|
static DEFINE_MUTEX(pfkey_mutex);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-02-23 00:20:22 +00:00
|
|
|
#define DUMMY_MARK 0
|
2013-06-26 21:56:58 +00:00
|
|
|
static const struct xfrm_mark dummy_mark = {0, 0};
|
2005-04-16 22:20:36 +00:00
|
|
|
struct pfkey_sock {
|
|
|
|
/* struct sock must be the first member of struct pfkey_sock */
|
|
|
|
struct sock sk;
|
|
|
|
int registered;
|
|
|
|
int promisc;
|
2008-03-04 07:40:12 +00:00
|
|
|
|
|
|
|
struct {
|
|
|
|
uint8_t msg_version;
|
2012-09-07 20:12:54 +00:00
|
|
|
uint32_t msg_portid;
|
2008-03-04 07:40:12 +00:00
|
|
|
int (*dump)(struct pfkey_sock *sk);
|
|
|
|
void (*done)(struct pfkey_sock *sk);
|
|
|
|
union {
|
|
|
|
struct xfrm_policy_walk policy;
|
|
|
|
struct xfrm_state_walk state;
|
|
|
|
} u;
|
2008-10-01 14:03:24 +00:00
|
|
|
struct sk_buff *skb;
|
2008-03-04 07:40:12 +00:00
|
|
|
} dump;
|
2017-03-31 07:10:20 +00:00
|
|
|
struct mutex dump_lock;
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
2017-04-13 10:35:59 +00:00
|
|
|
static int parse_sockaddr_pair(struct sockaddr *sa, int ext_len,
|
|
|
|
xfrm_address_t *saddr, xfrm_address_t *daddr,
|
|
|
|
u16 *family);
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static inline struct pfkey_sock *pfkey_sk(struct sock *sk)
|
|
|
|
{
|
|
|
|
return (struct pfkey_sock *)sk;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_can_dump(const struct sock *sk)
|
2008-03-04 07:40:12 +00:00
|
|
|
{
|
|
|
|
if (3 * atomic_read(&sk->sk_rmem_alloc) <= 2 * sk->sk_rcvbuf)
|
|
|
|
return 1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-10-01 12:17:54 +00:00
|
|
|
static void pfkey_terminate_dump(struct pfkey_sock *pfk)
|
2008-03-04 07:40:12 +00:00
|
|
|
{
|
2008-10-01 12:17:54 +00:00
|
|
|
if (pfk->dump.dump) {
|
2008-10-01 14:03:24 +00:00
|
|
|
if (pfk->dump.skb) {
|
|
|
|
kfree_skb(pfk->dump.skb);
|
|
|
|
pfk->dump.skb = NULL;
|
|
|
|
}
|
2008-10-01 12:17:54 +00:00
|
|
|
pfk->dump.done(pfk);
|
|
|
|
pfk->dump.dump = NULL;
|
|
|
|
pfk->dump.done = NULL;
|
|
|
|
}
|
2008-03-04 07:40:12 +00:00
|
|
|
}
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static void pfkey_sock_destruct(struct sock *sk)
|
|
|
|
{
|
2008-11-26 01:58:07 +00:00
|
|
|
struct net *net = sock_net(sk);
|
|
|
|
struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
|
|
|
|
|
2008-10-01 12:17:54 +00:00
|
|
|
pfkey_terminate_dump(pfkey_sk(sk));
|
2005-04-16 22:20:36 +00:00
|
|
|
skb_queue_purge(&sk->sk_receive_queue);
|
|
|
|
|
|
|
|
if (!sock_flag(sk, SOCK_DEAD)) {
|
2010-05-12 06:37:07 +00:00
|
|
|
pr_err("Attempt to release alive pfkey socket: %p\n", sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2008-07-26 04:43:18 +00:00
|
|
|
WARN_ON(atomic_read(&sk->sk_rmem_alloc));
|
2017-06-30 10:08:00 +00:00
|
|
|
WARN_ON(refcount_read(&sk->sk_wmem_alloc));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-11-26 01:58:07 +00:00
|
|
|
atomic_dec(&net_pfkey->socks_nr);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2005-12-22 20:49:22 +00:00
|
|
|
static const struct proto_ops pfkey_ops;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
static void pfkey_insert(struct sock *sk)
|
|
|
|
{
|
2008-11-26 01:58:07 +00:00
|
|
|
struct net *net = sock_net(sk);
|
|
|
|
struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
|
|
|
|
|
2010-02-22 07:57:19 +00:00
|
|
|
mutex_lock(&pfkey_mutex);
|
|
|
|
sk_add_node_rcu(sk, &net_pfkey->table);
|
|
|
|
mutex_unlock(&pfkey_mutex);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void pfkey_remove(struct sock *sk)
|
|
|
|
{
|
2010-02-22 07:57:19 +00:00
|
|
|
mutex_lock(&pfkey_mutex);
|
|
|
|
sk_del_node_init_rcu(sk);
|
|
|
|
mutex_unlock(&pfkey_mutex);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct proto key_proto = {
|
|
|
|
.name = "KEY",
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
.obj_size = sizeof(struct pfkey_sock),
|
|
|
|
};
|
|
|
|
|
2009-11-06 06:18:14 +00:00
|
|
|
static int pfkey_create(struct net *net, struct socket *sock, int protocol,
|
|
|
|
int kern)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:58:07 +00:00
|
|
|
struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct sock *sk;
|
2017-03-31 07:10:20 +00:00
|
|
|
struct pfkey_sock *pfk;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2012-11-16 03:03:07 +00:00
|
|
|
if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EPERM;
|
|
|
|
if (sock->type != SOCK_RAW)
|
|
|
|
return -ESOCKTNOSUPPORT;
|
|
|
|
if (protocol != PF_KEY_V2)
|
|
|
|
return -EPROTONOSUPPORT;
|
|
|
|
|
2015-05-09 02:09:13 +00:00
|
|
|
sk = sk_alloc(net, PF_KEY, GFP_KERNEL, &key_proto, kern);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (sk == NULL)
|
2021-05-14 07:55:13 +00:00
|
|
|
return -ENOMEM;
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2017-03-31 07:10:20 +00:00
|
|
|
pfk = pfkey_sk(sk);
|
|
|
|
mutex_init(&pfk->dump_lock);
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
sock->ops = &pfkey_ops;
|
|
|
|
sock_init_data(sock, sk);
|
|
|
|
|
|
|
|
sk->sk_family = PF_KEY;
|
|
|
|
sk->sk_destruct = pfkey_sock_destruct;
|
|
|
|
|
2008-11-26 01:58:07 +00:00
|
|
|
atomic_inc(&net_pfkey->socks_nr);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
pfkey_insert(sk);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int pfkey_release(struct socket *sock)
|
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
|
|
|
|
if (!sk)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
pfkey_remove(sk);
|
|
|
|
|
|
|
|
sock_orphan(sk);
|
|
|
|
sock->sk = NULL;
|
|
|
|
skb_queue_purge(&sk->sk_write_queue);
|
2010-02-22 07:57:19 +00:00
|
|
|
|
|
|
|
synchronize_rcu();
|
2005-04-16 22:20:36 +00:00
|
|
|
sock_put(sk);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2019-02-07 20:33:21 +00:00
|
|
|
static int pfkey_broadcast_one(struct sk_buff *skb, gfp_t allocation,
|
|
|
|
struct sock *sk)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
int err = -ENOBUFS;
|
|
|
|
|
2019-02-07 20:33:21 +00:00
|
|
|
if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
skb = skb_clone(skb, allocation);
|
|
|
|
|
|
|
|
if (skb) {
|
|
|
|
skb_set_owner_r(skb, sk);
|
|
|
|
skb_queue_tail(&sk->sk_receive_queue, skb);
|
|
|
|
sk->sk_data_ready(sk);
|
|
|
|
err = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Send SKB to all pfkey sockets matching selected criteria. */
|
|
|
|
#define BROADCAST_ALL 0
|
|
|
|
#define BROADCAST_ONE 1
|
|
|
|
#define BROADCAST_REGISTERED 2
|
|
|
|
#define BROADCAST_PROMISC_ONLY 4
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
|
2008-11-26 01:58:31 +00:00
|
|
|
int broadcast_flags, struct sock *one_sk,
|
|
|
|
struct net *net)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:58:07 +00:00
|
|
|
struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct sock *sk;
|
|
|
|
int err = -ESRCH;
|
|
|
|
|
|
|
|
/* XXX Do we need something like netlink_overrun? I think
|
|
|
|
* XXX PF_KEY socket apps will not mind current behavior.
|
|
|
|
*/
|
|
|
|
if (!skb)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2010-02-22 07:57:19 +00:00
|
|
|
rcu_read_lock();
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 01:06:00 +00:00
|
|
|
sk_for_each_rcu(sk, &net_pfkey->table) {
|
2005-04-16 22:20:36 +00:00
|
|
|
struct pfkey_sock *pfk = pfkey_sk(sk);
|
|
|
|
int err2;
|
|
|
|
|
|
|
|
/* Yes, it means that if you are meant to receive this
|
|
|
|
* pfkey message you receive it twice as promiscuous
|
|
|
|
* socket.
|
|
|
|
*/
|
|
|
|
if (pfk->promisc)
|
2019-02-07 20:33:21 +00:00
|
|
|
pfkey_broadcast_one(skb, GFP_ATOMIC, sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
/* the exact target will be processed later */
|
|
|
|
if (sk == one_sk)
|
|
|
|
continue;
|
|
|
|
if (broadcast_flags != BROADCAST_ALL) {
|
|
|
|
if (broadcast_flags & BROADCAST_PROMISC_ONLY)
|
|
|
|
continue;
|
|
|
|
if ((broadcast_flags & BROADCAST_REGISTERED) &&
|
|
|
|
!pfk->registered)
|
|
|
|
continue;
|
|
|
|
if (broadcast_flags & BROADCAST_ONE)
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2019-02-07 20:33:21 +00:00
|
|
|
err2 = pfkey_broadcast_one(skb, GFP_ATOMIC, sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2015-10-22 03:35:05 +00:00
|
|
|
/* Error is cleared after successful sending to at least one
|
2005-04-16 22:20:36 +00:00
|
|
|
* registered KM */
|
|
|
|
if ((broadcast_flags & BROADCAST_REGISTERED) && err)
|
|
|
|
err = err2;
|
|
|
|
}
|
2010-02-22 07:57:19 +00:00
|
|
|
rcu_read_unlock();
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
if (one_sk != NULL)
|
2019-02-07 20:33:21 +00:00
|
|
|
err = pfkey_broadcast_one(skb, allocation, one_sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
kfree_skb(skb);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2008-10-01 12:17:54 +00:00
|
|
|
static int pfkey_do_dump(struct pfkey_sock *pfk)
|
|
|
|
{
|
2008-10-01 14:03:24 +00:00
|
|
|
struct sadb_msg *hdr;
|
2008-10-01 12:17:54 +00:00
|
|
|
int rc;
|
|
|
|
|
2017-03-31 07:10:20 +00:00
|
|
|
mutex_lock(&pfk->dump_lock);
|
|
|
|
if (!pfk->dump.dump) {
|
|
|
|
rc = 0;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2008-10-01 12:17:54 +00:00
|
|
|
rc = pfk->dump.dump(pfk);
|
2017-03-31 07:10:20 +00:00
|
|
|
if (rc == -ENOBUFS) {
|
|
|
|
rc = 0;
|
|
|
|
goto out;
|
|
|
|
}
|
2008-10-01 12:17:54 +00:00
|
|
|
|
2008-10-01 14:03:24 +00:00
|
|
|
if (pfk->dump.skb) {
|
2017-03-31 07:10:20 +00:00
|
|
|
if (!pfkey_can_dump(&pfk->sk)) {
|
|
|
|
rc = 0;
|
|
|
|
goto out;
|
|
|
|
}
|
2008-10-01 14:03:24 +00:00
|
|
|
|
|
|
|
hdr = (struct sadb_msg *) pfk->dump.skb->data;
|
|
|
|
hdr->sadb_msg_seq = 0;
|
|
|
|
hdr->sadb_msg_errno = rc;
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
|
2008-11-26 01:58:31 +00:00
|
|
|
&pfk->sk, sock_net(&pfk->sk));
|
2008-10-01 14:03:24 +00:00
|
|
|
pfk->dump.skb = NULL;
|
|
|
|
}
|
|
|
|
|
2008-10-01 12:17:54 +00:00
|
|
|
pfkey_terminate_dump(pfk);
|
2017-03-31 07:10:20 +00:00
|
|
|
|
|
|
|
out:
|
|
|
|
mutex_unlock(&pfk->dump_lock);
|
2008-10-01 12:17:54 +00:00
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static inline void pfkey_hdr_dup(struct sadb_msg *new,
|
|
|
|
const struct sadb_msg *orig)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
*new = *orig;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_error(const struct sadb_msg *orig, int err, struct sock *sk)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *skb = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_KERNEL);
|
|
|
|
struct sadb_msg *hdr;
|
|
|
|
|
|
|
|
if (!skb)
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
|
|
|
/* Woe be to the platform trying to support PFKEY yet
|
|
|
|
* having normal errnos outside the 1-255 range, inclusive.
|
|
|
|
*/
|
|
|
|
err = -err;
|
|
|
|
if (err == ERESTARTSYS ||
|
|
|
|
err == ERESTARTNOHAND ||
|
|
|
|
err == ERESTARTNOINTR)
|
|
|
|
err = EINTR;
|
|
|
|
if (err >= 512)
|
|
|
|
err = EINVAL;
|
2006-01-09 06:24:28 +00:00
|
|
|
BUG_ON(err <= 0 || err >= 256);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
hdr = skb_put(skb, sizeof(struct sadb_msg));
|
2005-04-16 22:20:36 +00:00
|
|
|
pfkey_hdr_dup(hdr, orig);
|
|
|
|
hdr->sadb_msg_errno = (uint8_t) err;
|
|
|
|
hdr->sadb_msg_len = (sizeof(struct sadb_msg) /
|
|
|
|
sizeof(uint64_t));
|
|
|
|
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ONE, sk, sock_net(sk));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-06-26 21:56:59 +00:00
|
|
|
static const u8 sadb_ext_min_len[] = {
|
2005-04-16 22:20:36 +00:00
|
|
|
[SADB_EXT_RESERVED] = (u8) 0,
|
|
|
|
[SADB_EXT_SA] = (u8) sizeof(struct sadb_sa),
|
|
|
|
[SADB_EXT_LIFETIME_CURRENT] = (u8) sizeof(struct sadb_lifetime),
|
|
|
|
[SADB_EXT_LIFETIME_HARD] = (u8) sizeof(struct sadb_lifetime),
|
|
|
|
[SADB_EXT_LIFETIME_SOFT] = (u8) sizeof(struct sadb_lifetime),
|
|
|
|
[SADB_EXT_ADDRESS_SRC] = (u8) sizeof(struct sadb_address),
|
|
|
|
[SADB_EXT_ADDRESS_DST] = (u8) sizeof(struct sadb_address),
|
|
|
|
[SADB_EXT_ADDRESS_PROXY] = (u8) sizeof(struct sadb_address),
|
|
|
|
[SADB_EXT_KEY_AUTH] = (u8) sizeof(struct sadb_key),
|
|
|
|
[SADB_EXT_KEY_ENCRYPT] = (u8) sizeof(struct sadb_key),
|
|
|
|
[SADB_EXT_IDENTITY_SRC] = (u8) sizeof(struct sadb_ident),
|
|
|
|
[SADB_EXT_IDENTITY_DST] = (u8) sizeof(struct sadb_ident),
|
|
|
|
[SADB_EXT_SENSITIVITY] = (u8) sizeof(struct sadb_sens),
|
|
|
|
[SADB_EXT_PROPOSAL] = (u8) sizeof(struct sadb_prop),
|
|
|
|
[SADB_EXT_SUPPORTED_AUTH] = (u8) sizeof(struct sadb_supported),
|
|
|
|
[SADB_EXT_SUPPORTED_ENCRYPT] = (u8) sizeof(struct sadb_supported),
|
|
|
|
[SADB_EXT_SPIRANGE] = (u8) sizeof(struct sadb_spirange),
|
|
|
|
[SADB_X_EXT_KMPRIVATE] = (u8) sizeof(struct sadb_x_kmprivate),
|
|
|
|
[SADB_X_EXT_POLICY] = (u8) sizeof(struct sadb_x_policy),
|
|
|
|
[SADB_X_EXT_SA2] = (u8) sizeof(struct sadb_x_sa2),
|
|
|
|
[SADB_X_EXT_NAT_T_TYPE] = (u8) sizeof(struct sadb_x_nat_t_type),
|
|
|
|
[SADB_X_EXT_NAT_T_SPORT] = (u8) sizeof(struct sadb_x_nat_t_port),
|
|
|
|
[SADB_X_EXT_NAT_T_DPORT] = (u8) sizeof(struct sadb_x_nat_t_port),
|
|
|
|
[SADB_X_EXT_NAT_T_OA] = (u8) sizeof(struct sadb_address),
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
[SADB_X_EXT_SEC_CTX] = (u8) sizeof(struct sadb_x_sec_ctx),
|
2008-10-05 20:33:42 +00:00
|
|
|
[SADB_X_EXT_KMADDRESS] = (u8) sizeof(struct sadb_x_kmaddress),
|
2014-02-20 13:52:41 +00:00
|
|
|
[SADB_X_EXT_FILTER] = (u8) sizeof(struct sadb_x_filter),
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
/* Verify sadb_address_{len,prefixlen} against sa_family. */
|
2011-02-26 02:07:06 +00:00
|
|
|
static int verify_address_len(const void *p)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_address *sp = p;
|
|
|
|
const struct sockaddr *addr = (const struct sockaddr *)(sp + 1);
|
|
|
|
const struct sockaddr_in *sin;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sockaddr_in6 *sin6;
|
2005-04-16 22:20:36 +00:00
|
|
|
#endif
|
|
|
|
int len;
|
|
|
|
|
2017-12-30 00:13:05 +00:00
|
|
|
if (sp->sadb_address_len <
|
|
|
|
DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family),
|
|
|
|
sizeof(uint64_t)))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
switch (addr->sa_family) {
|
|
|
|
case AF_INET:
|
2007-08-25 06:00:31 +00:00
|
|
|
len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t));
|
2005-04-16 22:20:36 +00:00
|
|
|
if (sp->sadb_address_len != len ||
|
|
|
|
sp->sadb_address_prefixlen > 32)
|
|
|
|
return -EINVAL;
|
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2005-04-16 22:20:36 +00:00
|
|
|
case AF_INET6:
|
2007-08-25 06:00:31 +00:00
|
|
|
len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin6), sizeof(uint64_t));
|
2005-04-16 22:20:36 +00:00
|
|
|
if (sp->sadb_address_len != len ||
|
|
|
|
sp->sadb_address_prefixlen > 128)
|
|
|
|
return -EINVAL;
|
|
|
|
break;
|
|
|
|
#endif
|
|
|
|
default:
|
|
|
|
/* It is user using kernel to keep track of security
|
|
|
|
* associations for another protocol, such as
|
|
|
|
* OSPF/RSVP/RIPV2/MIP. It is user's job to verify
|
|
|
|
* lengths.
|
|
|
|
*
|
|
|
|
* XXX Actually, association/policy database is not yet
|
|
|
|
* XXX able to cope with arbitrary sockaddr families.
|
|
|
|
* XXX When it can, remove this -EINVAL. -DaveM
|
|
|
|
*/
|
|
|
|
return -EINVAL;
|
2007-04-21 00:09:22 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-04-07 15:40:33 +00:00
|
|
|
static inline int sadb_key_len(const struct sadb_key *key)
|
|
|
|
{
|
|
|
|
int key_bytes = DIV_ROUND_UP(key->sadb_key_bits, 8);
|
|
|
|
|
|
|
|
return DIV_ROUND_UP(sizeof(struct sadb_key) + key_bytes,
|
|
|
|
sizeof(uint64_t));
|
|
|
|
}
|
|
|
|
|
|
|
|
static int verify_key_len(const void *p)
|
|
|
|
{
|
|
|
|
const struct sadb_key *key = p;
|
|
|
|
|
|
|
|
if (sadb_key_len(key) > key->sadb_key_len)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static inline int pfkey_sec_ctx_len(const struct sadb_x_sec_ctx *sec_ctx)
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
{
|
2007-08-25 06:00:31 +00:00
|
|
|
return DIV_ROUND_UP(sizeof(struct sadb_x_sec_ctx) +
|
|
|
|
sec_ctx->sadb_x_ctx_len,
|
|
|
|
sizeof(uint64_t));
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static inline int verify_sec_ctx_len(const void *p)
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
{
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_x_sec_ctx *sec_ctx = p;
|
2007-10-31 06:57:05 +00:00
|
|
|
int len = sec_ctx->sadb_x_ctx_len;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
|
2007-10-31 06:57:05 +00:00
|
|
|
if (len > PAGE_SIZE)
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
len = pfkey_sec_ctx_len(sec_ctx);
|
|
|
|
|
|
|
|
if (sec_ctx->sadb_x_sec_len != len)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-03-07 11:44:18 +00:00
|
|
|
static inline struct xfrm_user_sec_ctx *pfkey_sadb2xfrm_user_sec_ctx(const struct sadb_x_sec_ctx *sec_ctx,
|
|
|
|
gfp_t gfp)
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
{
|
|
|
|
struct xfrm_user_sec_ctx *uctx = NULL;
|
|
|
|
int ctx_size = sec_ctx->sadb_x_ctx_len;
|
|
|
|
|
2014-03-07 11:44:18 +00:00
|
|
|
uctx = kmalloc((sizeof(*uctx)+ctx_size), gfp);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
|
|
|
|
if (!uctx)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
uctx->len = pfkey_sec_ctx_len(sec_ctx);
|
|
|
|
uctx->exttype = sec_ctx->sadb_x_sec_exttype;
|
|
|
|
uctx->ctx_doi = sec_ctx->sadb_x_ctx_doi;
|
|
|
|
uctx->ctx_alg = sec_ctx->sadb_x_ctx_alg;
|
|
|
|
uctx->ctx_len = sec_ctx->sadb_x_ctx_len;
|
|
|
|
memcpy(uctx + 1, sec_ctx + 1,
|
|
|
|
uctx->ctx_len);
|
|
|
|
|
|
|
|
return uctx;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int present_and_same_family(const struct sadb_address *src,
|
|
|
|
const struct sadb_address *dst)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sockaddr *s_addr, *d_addr;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
if (!src || !dst)
|
|
|
|
return 0;
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
s_addr = (const struct sockaddr *)(src + 1);
|
|
|
|
d_addr = (const struct sockaddr *)(dst + 1);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (s_addr->sa_family != d_addr->sa_family)
|
|
|
|
return 0;
|
|
|
|
if (s_addr->sa_family != AF_INET
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2005-04-16 22:20:36 +00:00
|
|
|
&& s_addr->sa_family != AF_INET6
|
|
|
|
#endif
|
|
|
|
)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void **ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2011-02-26 02:07:06 +00:00
|
|
|
const char *p = (char *) hdr;
|
2005-04-16 22:20:36 +00:00
|
|
|
int len = skb->len;
|
|
|
|
|
|
|
|
len -= sizeof(*hdr);
|
|
|
|
p += sizeof(*hdr);
|
|
|
|
while (len > 0) {
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_ext *ehdr = (const struct sadb_ext *) p;
|
2005-04-16 22:20:36 +00:00
|
|
|
uint16_t ext_type;
|
|
|
|
int ext_len;
|
|
|
|
|
2017-12-30 00:15:23 +00:00
|
|
|
if (len < sizeof(*ehdr))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
ext_len = ehdr->sadb_ext_len;
|
|
|
|
ext_len *= sizeof(uint64_t);
|
|
|
|
ext_type = ehdr->sadb_ext_type;
|
|
|
|
if (ext_len < sizeof(uint64_t) ||
|
|
|
|
ext_len > len ||
|
|
|
|
ext_type == SADB_EXT_RESERVED)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (ext_type <= SADB_EXT_MAX) {
|
|
|
|
int min = (int) sadb_ext_min_len[ext_type];
|
|
|
|
if (ext_len < min)
|
|
|
|
return -EINVAL;
|
|
|
|
if (ext_hdrs[ext_type-1] != NULL)
|
|
|
|
return -EINVAL;
|
2018-04-07 15:40:33 +00:00
|
|
|
switch (ext_type) {
|
|
|
|
case SADB_EXT_ADDRESS_SRC:
|
|
|
|
case SADB_EXT_ADDRESS_DST:
|
|
|
|
case SADB_EXT_ADDRESS_PROXY:
|
|
|
|
case SADB_X_EXT_NAT_T_OA:
|
2005-04-16 22:20:36 +00:00
|
|
|
if (verify_address_len(p))
|
|
|
|
return -EINVAL;
|
2018-04-07 15:40:33 +00:00
|
|
|
break;
|
|
|
|
case SADB_X_EXT_SEC_CTX:
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
if (verify_sec_ctx_len(p))
|
|
|
|
return -EINVAL;
|
2018-04-07 15:40:33 +00:00
|
|
|
break;
|
|
|
|
case SADB_EXT_KEY_AUTH:
|
|
|
|
case SADB_EXT_KEY_ENCRYPT:
|
|
|
|
if (verify_key_len(p))
|
|
|
|
return -EINVAL;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
}
|
2011-02-26 02:07:06 +00:00
|
|
|
ext_hdrs[ext_type-1] = (void *) p;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
p += ext_len;
|
|
|
|
len -= ext_len;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static uint16_t
|
|
|
|
pfkey_satype2proto(uint8_t satype)
|
|
|
|
{
|
|
|
|
switch (satype) {
|
|
|
|
case SADB_SATYPE_UNSPEC:
|
|
|
|
return IPSEC_PROTO_ANY;
|
|
|
|
case SADB_SATYPE_AH:
|
|
|
|
return IPPROTO_AH;
|
|
|
|
case SADB_SATYPE_ESP:
|
|
|
|
return IPPROTO_ESP;
|
|
|
|
case SADB_X_SATYPE_IPCOMP:
|
|
|
|
return IPPROTO_COMP;
|
|
|
|
default:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
/* NOTREACHED */
|
|
|
|
}
|
|
|
|
|
|
|
|
static uint8_t
|
|
|
|
pfkey_proto2satype(uint16_t proto)
|
|
|
|
{
|
|
|
|
switch (proto) {
|
|
|
|
case IPPROTO_AH:
|
|
|
|
return SADB_SATYPE_AH;
|
|
|
|
case IPPROTO_ESP:
|
|
|
|
return SADB_SATYPE_ESP;
|
|
|
|
case IPPROTO_COMP:
|
|
|
|
return SADB_X_SATYPE_IPCOMP;
|
|
|
|
default:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
/* NOTREACHED */
|
|
|
|
}
|
|
|
|
|
|
|
|
/* BTW, this scheme means that there is no way with PFKEY2 sockets to
|
|
|
|
* say specifically 'just raw sockets' as we encode them as 255.
|
|
|
|
*/
|
|
|
|
|
|
|
|
static uint8_t pfkey_proto_to_xfrm(uint8_t proto)
|
|
|
|
{
|
2010-09-22 20:43:57 +00:00
|
|
|
return proto == IPSEC_PROTO_ANY ? 0 : proto;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static uint8_t pfkey_proto_from_xfrm(uint8_t proto)
|
|
|
|
{
|
2010-09-22 20:43:57 +00:00
|
|
|
return proto ? proto : IPSEC_PROTO_ANY;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2008-04-27 15:50:45 +00:00
|
|
|
static inline int pfkey_sockaddr_len(sa_family_t family)
|
|
|
|
{
|
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
return sizeof(struct sockaddr_in);
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2008-04-27 15:50:45 +00:00
|
|
|
case AF_INET6:
|
|
|
|
return sizeof(struct sockaddr_in6);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-04-27 17:46:24 +00:00
|
|
|
static
|
|
|
|
int pfkey_sockaddr_extract(const struct sockaddr *sa, xfrm_address_t *xaddr)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-04-27 17:46:24 +00:00
|
|
|
switch (sa->sa_family) {
|
2005-04-16 22:20:36 +00:00
|
|
|
case AF_INET:
|
2007-02-09 14:24:58 +00:00
|
|
|
xaddr->a4 =
|
2008-04-27 17:46:24 +00:00
|
|
|
((struct sockaddr_in *)sa)->sin_addr.s_addr;
|
2005-04-16 22:20:36 +00:00
|
|
|
return AF_INET;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2005-04-16 22:20:36 +00:00
|
|
|
case AF_INET6:
|
2007-02-09 14:24:58 +00:00
|
|
|
memcpy(xaddr->a6,
|
2008-04-27 17:46:24 +00:00
|
|
|
&((struct sockaddr_in6 *)sa)->sin6_addr,
|
2005-04-16 22:20:36 +00:00
|
|
|
sizeof(struct in6_addr));
|
|
|
|
return AF_INET6;
|
|
|
|
#endif
|
|
|
|
}
|
2008-04-27 17:46:24 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static
|
2011-02-26 02:07:06 +00:00
|
|
|
int pfkey_sadb_addr2xfrm_addr(const struct sadb_address *addr, xfrm_address_t *xaddr)
|
2008-04-27 17:46:24 +00:00
|
|
|
{
|
|
|
|
return pfkey_sockaddr_extract((struct sockaddr *)(addr + 1),
|
|
|
|
xaddr);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static struct xfrm_state *pfkey_xfrm_state_lookup(struct net *net, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_sa *sa;
|
|
|
|
const struct sadb_address *addr;
|
2005-04-16 22:20:36 +00:00
|
|
|
uint16_t proto;
|
|
|
|
unsigned short family;
|
|
|
|
xfrm_address_t *xaddr;
|
|
|
|
|
2011-06-13 16:21:26 +00:00
|
|
|
sa = ext_hdrs[SADB_EXT_SA - 1];
|
2005-04-16 22:20:36 +00:00
|
|
|
if (sa == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
proto = pfkey_satype2proto(hdr->sadb_msg_satype);
|
|
|
|
if (proto == 0)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
/* sadb_address_len should be checked by caller */
|
2011-06-13 16:21:26 +00:00
|
|
|
addr = ext_hdrs[SADB_EXT_ADDRESS_DST - 1];
|
2005-04-16 22:20:36 +00:00
|
|
|
if (addr == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
family = ((const struct sockaddr *)(addr + 1))->sa_family;
|
2005-04-16 22:20:36 +00:00
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
2011-02-26 02:07:06 +00:00
|
|
|
xaddr = (xfrm_address_t *)&((const struct sockaddr_in *)(addr + 1))->sin_addr;
|
2005-04-16 22:20:36 +00:00
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2005-04-16 22:20:36 +00:00
|
|
|
case AF_INET6:
|
2011-02-26 02:07:06 +00:00
|
|
|
xaddr = (xfrm_address_t *)&((const struct sockaddr_in6 *)(addr + 1))->sin6_addr;
|
2005-04-16 22:20:36 +00:00
|
|
|
break;
|
|
|
|
#endif
|
|
|
|
default:
|
|
|
|
xaddr = NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!xaddr)
|
|
|
|
return NULL;
|
|
|
|
|
2010-02-23 00:20:22 +00:00
|
|
|
return xfrm_state_lookup(net, DUMMY_MARK, xaddr, sa->sadb_sa_spi, proto, family);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#define PFKEY_ALIGN8(a) (1 + (((a) - 1) | (8 - 1)))
|
2008-04-27 15:50:45 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static int
|
|
|
|
pfkey_sockaddr_size(sa_family_t family)
|
|
|
|
{
|
2008-04-27 15:50:45 +00:00
|
|
|
return PFKEY_ALIGN8(pfkey_sockaddr_len(family));
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2007-04-17 19:32:20 +00:00
|
|
|
static inline int pfkey_mode_from_xfrm(int mode)
|
|
|
|
{
|
|
|
|
switch(mode) {
|
|
|
|
case XFRM_MODE_TRANSPORT:
|
|
|
|
return IPSEC_MODE_TRANSPORT;
|
|
|
|
case XFRM_MODE_TUNNEL:
|
|
|
|
return IPSEC_MODE_TUNNEL;
|
|
|
|
case XFRM_MODE_BEET:
|
|
|
|
return IPSEC_MODE_BEET;
|
|
|
|
default:
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int pfkey_mode_to_xfrm(int mode)
|
|
|
|
{
|
|
|
|
switch(mode) {
|
|
|
|
case IPSEC_MODE_ANY: /*XXX*/
|
|
|
|
case IPSEC_MODE_TRANSPORT:
|
|
|
|
return XFRM_MODE_TRANSPORT;
|
|
|
|
case IPSEC_MODE_TUNNEL:
|
|
|
|
return XFRM_MODE_TUNNEL;
|
|
|
|
case IPSEC_MODE_BEET:
|
|
|
|
return XFRM_MODE_BEET;
|
|
|
|
default:
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-02-24 05:28:01 +00:00
|
|
|
static unsigned int pfkey_sockaddr_fill(const xfrm_address_t *xaddr, __be16 port,
|
2011-02-26 02:07:06 +00:00
|
|
|
struct sockaddr *sa,
|
|
|
|
unsigned short family)
|
2008-04-27 16:46:41 +00:00
|
|
|
{
|
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
{
|
|
|
|
struct sockaddr_in *sin = (struct sockaddr_in *)sa;
|
|
|
|
sin->sin_family = AF_INET;
|
|
|
|
sin->sin_port = port;
|
|
|
|
sin->sin_addr.s_addr = xaddr->a4;
|
|
|
|
memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
|
|
|
|
return 32;
|
|
|
|
}
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2008-04-27 16:46:41 +00:00
|
|
|
case AF_INET6:
|
|
|
|
{
|
|
|
|
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sa;
|
|
|
|
sin6->sin6_family = AF_INET6;
|
|
|
|
sin6->sin6_port = port;
|
|
|
|
sin6->sin6_flowinfo = 0;
|
2015-03-29 14:59:24 +00:00
|
|
|
sin6->sin6_addr = xaddr->in6;
|
2008-04-27 16:46:41 +00:00
|
|
|
sin6->sin6_scope_id = 0;
|
|
|
|
return 128;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static struct sk_buff *__pfkey_xfrm_state2msg(const struct xfrm_state *x,
|
2007-10-09 20:31:47 +00:00
|
|
|
int add_keys, int hsc)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
struct sadb_msg *hdr;
|
|
|
|
struct sadb_sa *sa;
|
|
|
|
struct sadb_lifetime *lifetime;
|
|
|
|
struct sadb_address *addr;
|
|
|
|
struct sadb_key *key;
|
|
|
|
struct sadb_x_sa2 *sa2;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
struct sadb_x_sec_ctx *sec_ctx;
|
|
|
|
struct xfrm_sec_ctx *xfrm_ctx;
|
|
|
|
int ctx_size = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
int size;
|
|
|
|
int auth_key_size = 0;
|
|
|
|
int encrypt_key_size = 0;
|
|
|
|
int sockaddr_size;
|
|
|
|
struct xfrm_encap_tmpl *natt = NULL;
|
2007-04-17 19:32:20 +00:00
|
|
|
int mode;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
/* address family check */
|
|
|
|
sockaddr_size = pfkey_sockaddr_size(x->props.family);
|
|
|
|
if (!sockaddr_size)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
/* base, SA, (lifetime (HSC),) address(SD), (address(P),)
|
|
|
|
key(AE), (identity(SD),) (sensitivity)> */
|
2007-02-09 14:24:58 +00:00
|
|
|
size = sizeof(struct sadb_msg) +sizeof(struct sadb_sa) +
|
2005-04-16 22:20:36 +00:00
|
|
|
sizeof(struct sadb_lifetime) +
|
|
|
|
((hsc & 1) ? sizeof(struct sadb_lifetime) : 0) +
|
|
|
|
((hsc & 2) ? sizeof(struct sadb_lifetime) : 0) +
|
2007-02-09 14:24:58 +00:00
|
|
|
sizeof(struct sadb_address)*2 +
|
2005-04-16 22:20:36 +00:00
|
|
|
sockaddr_size*2 +
|
|
|
|
sizeof(struct sadb_x_sa2);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
|
|
|
|
if ((xfrm_ctx = x->security)) {
|
|
|
|
ctx_size = PFKEY_ALIGN8(xfrm_ctx->ctx_len);
|
|
|
|
size += sizeof(struct sadb_x_sec_ctx) + ctx_size;
|
|
|
|
}
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* identity & sensitivity */
|
2013-01-29 12:48:50 +00:00
|
|
|
if (!xfrm_addr_equal(&x->sel.saddr, &x->props.saddr, x->props.family))
|
2005-04-16 22:20:36 +00:00
|
|
|
size += sizeof(struct sadb_address) + sockaddr_size;
|
|
|
|
|
|
|
|
if (add_keys) {
|
|
|
|
if (x->aalg && x->aalg->alg_key_len) {
|
2007-02-09 14:24:58 +00:00
|
|
|
auth_key_size =
|
|
|
|
PFKEY_ALIGN8((x->aalg->alg_key_len + 7) / 8);
|
2005-04-16 22:20:36 +00:00
|
|
|
size += sizeof(struct sadb_key) + auth_key_size;
|
|
|
|
}
|
|
|
|
if (x->ealg && x->ealg->alg_key_len) {
|
2007-02-09 14:24:58 +00:00
|
|
|
encrypt_key_size =
|
|
|
|
PFKEY_ALIGN8((x->ealg->alg_key_len+7) / 8);
|
2005-04-16 22:20:36 +00:00
|
|
|
size += sizeof(struct sadb_key) + encrypt_key_size;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (x->encap)
|
|
|
|
natt = x->encap;
|
|
|
|
|
|
|
|
if (natt && natt->encap_type) {
|
|
|
|
size += sizeof(struct sadb_x_nat_t_type);
|
|
|
|
size += sizeof(struct sadb_x_nat_t_port);
|
|
|
|
size += sizeof(struct sadb_x_nat_t_port);
|
|
|
|
}
|
|
|
|
|
|
|
|
skb = alloc_skb(size + 16, GFP_ATOMIC);
|
|
|
|
if (skb == NULL)
|
|
|
|
return ERR_PTR(-ENOBUFS);
|
|
|
|
|
|
|
|
/* call should fill header later */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
hdr = skb_put(skb, sizeof(struct sadb_msg));
|
2005-04-16 22:20:36 +00:00
|
|
|
memset(hdr, 0, size); /* XXX do we need this ? */
|
|
|
|
hdr->sadb_msg_len = size / sizeof(uint64_t);
|
|
|
|
|
|
|
|
/* sa */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
sa = skb_put(skb, sizeof(struct sadb_sa));
|
2005-04-16 22:20:36 +00:00
|
|
|
sa->sadb_sa_len = sizeof(struct sadb_sa)/sizeof(uint64_t);
|
|
|
|
sa->sadb_sa_exttype = SADB_EXT_SA;
|
|
|
|
sa->sadb_sa_spi = x->id.spi;
|
|
|
|
sa->sadb_sa_replay = x->props.replay_window;
|
2005-06-19 05:43:43 +00:00
|
|
|
switch (x->km.state) {
|
|
|
|
case XFRM_STATE_VALID:
|
|
|
|
sa->sadb_sa_state = x->km.dying ?
|
|
|
|
SADB_SASTATE_DYING : SADB_SASTATE_MATURE;
|
|
|
|
break;
|
|
|
|
case XFRM_STATE_ACQ:
|
2005-04-16 22:20:36 +00:00
|
|
|
sa->sadb_sa_state = SADB_SASTATE_LARVAL;
|
2005-06-19 05:43:43 +00:00
|
|
|
break;
|
|
|
|
default:
|
2005-04-16 22:20:36 +00:00
|
|
|
sa->sadb_sa_state = SADB_SASTATE_DEAD;
|
2005-06-19 05:43:43 +00:00
|
|
|
break;
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
sa->sadb_sa_auth = 0;
|
|
|
|
if (x->aalg) {
|
|
|
|
struct xfrm_algo_desc *a = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
|
2013-01-31 10:40:38 +00:00
|
|
|
sa->sadb_sa_auth = (a && a->pfkey_supported) ?
|
|
|
|
a->desc.sadb_alg_id : 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
sa->sadb_sa_encrypt = 0;
|
|
|
|
BUG_ON(x->ealg && x->calg);
|
|
|
|
if (x->ealg) {
|
|
|
|
struct xfrm_algo_desc *a = xfrm_ealg_get_byname(x->ealg->alg_name, 0);
|
2013-01-31 10:40:38 +00:00
|
|
|
sa->sadb_sa_encrypt = (a && a->pfkey_supported) ?
|
|
|
|
a->desc.sadb_alg_id : 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
/* KAME compatible: sadb_sa_encrypt is overloaded with calg id */
|
|
|
|
if (x->calg) {
|
|
|
|
struct xfrm_algo_desc *a = xfrm_calg_get_byname(x->calg->alg_name, 0);
|
2013-01-31 10:40:38 +00:00
|
|
|
sa->sadb_sa_encrypt = (a && a->pfkey_supported) ?
|
|
|
|
a->desc.sadb_alg_id : 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
sa->sadb_sa_flags = 0;
|
|
|
|
if (x->props.flags & XFRM_STATE_NOECN)
|
|
|
|
sa->sadb_sa_flags |= SADB_SAFLAGS_NOECN;
|
|
|
|
if (x->props.flags & XFRM_STATE_DECAP_DSCP)
|
|
|
|
sa->sadb_sa_flags |= SADB_SAFLAGS_DECAP_DSCP;
|
2005-06-20 20:21:43 +00:00
|
|
|
if (x->props.flags & XFRM_STATE_NOPMTUDISC)
|
|
|
|
sa->sadb_sa_flags |= SADB_SAFLAGS_NOPMTUDISC;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
/* hard time */
|
|
|
|
if (hsc & 2) {
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
lifetime = skb_put(skb, sizeof(struct sadb_lifetime));
|
2005-04-16 22:20:36 +00:00
|
|
|
lifetime->sadb_lifetime_len =
|
|
|
|
sizeof(struct sadb_lifetime)/sizeof(uint64_t);
|
|
|
|
lifetime->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
|
|
|
|
lifetime->sadb_lifetime_allocations = _X2KEY(x->lft.hard_packet_limit);
|
|
|
|
lifetime->sadb_lifetime_bytes = _X2KEY(x->lft.hard_byte_limit);
|
|
|
|
lifetime->sadb_lifetime_addtime = x->lft.hard_add_expires_seconds;
|
|
|
|
lifetime->sadb_lifetime_usetime = x->lft.hard_use_expires_seconds;
|
|
|
|
}
|
|
|
|
/* soft time */
|
|
|
|
if (hsc & 1) {
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
lifetime = skb_put(skb, sizeof(struct sadb_lifetime));
|
2005-04-16 22:20:36 +00:00
|
|
|
lifetime->sadb_lifetime_len =
|
|
|
|
sizeof(struct sadb_lifetime)/sizeof(uint64_t);
|
|
|
|
lifetime->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
|
|
|
|
lifetime->sadb_lifetime_allocations = _X2KEY(x->lft.soft_packet_limit);
|
|
|
|
lifetime->sadb_lifetime_bytes = _X2KEY(x->lft.soft_byte_limit);
|
|
|
|
lifetime->sadb_lifetime_addtime = x->lft.soft_add_expires_seconds;
|
|
|
|
lifetime->sadb_lifetime_usetime = x->lft.soft_use_expires_seconds;
|
|
|
|
}
|
|
|
|
/* current time */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
lifetime = skb_put(skb, sizeof(struct sadb_lifetime));
|
2005-04-16 22:20:36 +00:00
|
|
|
lifetime->sadb_lifetime_len =
|
|
|
|
sizeof(struct sadb_lifetime)/sizeof(uint64_t);
|
|
|
|
lifetime->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
|
|
|
|
lifetime->sadb_lifetime_allocations = x->curlft.packets;
|
|
|
|
lifetime->sadb_lifetime_bytes = x->curlft.bytes;
|
|
|
|
lifetime->sadb_lifetime_addtime = x->curlft.add_time;
|
|
|
|
lifetime->sadb_lifetime_usetime = x->curlft.use_time;
|
|
|
|
/* src address */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
addr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);
|
2007-02-09 14:24:58 +00:00
|
|
|
addr->sadb_address_len =
|
2005-04-16 22:20:36 +00:00
|
|
|
(sizeof(struct sadb_address)+sockaddr_size)/
|
|
|
|
sizeof(uint64_t);
|
|
|
|
addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
|
2007-02-09 14:24:58 +00:00
|
|
|
/* "if the ports are non-zero, then the sadb_address_proto field,
|
|
|
|
normally zero, MUST be filled in with the transport
|
2005-04-16 22:20:36 +00:00
|
|
|
protocol's number." - RFC2367 */
|
2007-02-09 14:24:58 +00:00
|
|
|
addr->sadb_address_proto = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
addr->sadb_address_reserved = 0;
|
|
|
|
|
2008-04-27 16:46:41 +00:00
|
|
|
addr->sadb_address_prefixlen =
|
|
|
|
pfkey_sockaddr_fill(&x->props.saddr, 0,
|
|
|
|
(struct sockaddr *) (addr + 1),
|
|
|
|
x->props.family);
|
2019-06-08 09:00:50 +00:00
|
|
|
BUG_ON(!addr->sadb_address_prefixlen);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
/* dst address */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
addr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);
|
2007-02-09 14:24:58 +00:00
|
|
|
addr->sadb_address_len =
|
2005-04-16 22:20:36 +00:00
|
|
|
(sizeof(struct sadb_address)+sockaddr_size)/
|
|
|
|
sizeof(uint64_t);
|
|
|
|
addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
|
2007-02-09 14:24:58 +00:00
|
|
|
addr->sadb_address_proto = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
addr->sadb_address_reserved = 0;
|
|
|
|
|
2008-04-27 16:46:41 +00:00
|
|
|
addr->sadb_address_prefixlen =
|
|
|
|
pfkey_sockaddr_fill(&x->id.daddr, 0,
|
|
|
|
(struct sockaddr *) (addr + 1),
|
|
|
|
x->props.family);
|
2019-06-08 09:00:50 +00:00
|
|
|
BUG_ON(!addr->sadb_address_prefixlen);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2013-01-29 12:48:50 +00:00
|
|
|
if (!xfrm_addr_equal(&x->sel.saddr, &x->props.saddr,
|
|
|
|
x->props.family)) {
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
addr = skb_put(skb,
|
|
|
|
sizeof(struct sadb_address) + sockaddr_size);
|
2008-04-27 16:46:41 +00:00
|
|
|
addr->sadb_address_len =
|
|
|
|
(sizeof(struct sadb_address)+sockaddr_size)/
|
|
|
|
sizeof(uint64_t);
|
|
|
|
addr->sadb_address_exttype = SADB_EXT_ADDRESS_PROXY;
|
|
|
|
addr->sadb_address_proto =
|
|
|
|
pfkey_proto_from_xfrm(x->sel.proto);
|
|
|
|
addr->sadb_address_prefixlen = x->sel.prefixlen_s;
|
|
|
|
addr->sadb_address_reserved = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-04-27 16:46:41 +00:00
|
|
|
pfkey_sockaddr_fill(&x->sel.saddr, x->sel.sport,
|
|
|
|
(struct sockaddr *) (addr + 1),
|
|
|
|
x->props.family);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* auth key */
|
|
|
|
if (add_keys && auth_key_size) {
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
key = skb_put(skb, sizeof(struct sadb_key) + auth_key_size);
|
2005-04-16 22:20:36 +00:00
|
|
|
key->sadb_key_len = (sizeof(struct sadb_key) + auth_key_size) /
|
|
|
|
sizeof(uint64_t);
|
|
|
|
key->sadb_key_exttype = SADB_EXT_KEY_AUTH;
|
|
|
|
key->sadb_key_bits = x->aalg->alg_key_len;
|
|
|
|
key->sadb_key_reserved = 0;
|
|
|
|
memcpy(key + 1, x->aalg->alg_key, (x->aalg->alg_key_len+7)/8);
|
|
|
|
}
|
|
|
|
/* encrypt key */
|
|
|
|
if (add_keys && encrypt_key_size) {
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
key = skb_put(skb, sizeof(struct sadb_key) + encrypt_key_size);
|
2007-02-09 14:24:58 +00:00
|
|
|
key->sadb_key_len = (sizeof(struct sadb_key) +
|
2005-04-16 22:20:36 +00:00
|
|
|
encrypt_key_size) / sizeof(uint64_t);
|
|
|
|
key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT;
|
|
|
|
key->sadb_key_bits = x->ealg->alg_key_len;
|
|
|
|
key->sadb_key_reserved = 0;
|
2007-02-09 14:24:58 +00:00
|
|
|
memcpy(key + 1, x->ealg->alg_key,
|
2005-04-16 22:20:36 +00:00
|
|
|
(x->ealg->alg_key_len+7)/8);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* sa */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
sa2 = skb_put(skb, sizeof(struct sadb_x_sa2));
|
2005-04-16 22:20:36 +00:00
|
|
|
sa2->sadb_x_sa2_len = sizeof(struct sadb_x_sa2)/sizeof(uint64_t);
|
|
|
|
sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
|
2007-04-17 19:32:20 +00:00
|
|
|
if ((mode = pfkey_mode_from_xfrm(x->props.mode)) < 0) {
|
|
|
|
kfree_skb(skb);
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
}
|
|
|
|
sa2->sadb_x_sa2_mode = mode;
|
2005-04-16 22:20:36 +00:00
|
|
|
sa2->sadb_x_sa2_reserved1 = 0;
|
|
|
|
sa2->sadb_x_sa2_reserved2 = 0;
|
|
|
|
sa2->sadb_x_sa2_sequence = 0;
|
|
|
|
sa2->sadb_x_sa2_reqid = x->props.reqid;
|
|
|
|
|
|
|
|
if (natt && natt->encap_type) {
|
|
|
|
struct sadb_x_nat_t_type *n_type;
|
|
|
|
struct sadb_x_nat_t_port *n_port;
|
|
|
|
|
|
|
|
/* type */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
n_type = skb_put(skb, sizeof(*n_type));
|
2005-04-16 22:20:36 +00:00
|
|
|
n_type->sadb_x_nat_t_type_len = sizeof(*n_type)/sizeof(uint64_t);
|
|
|
|
n_type->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
|
|
|
|
n_type->sadb_x_nat_t_type_type = natt->encap_type;
|
|
|
|
n_type->sadb_x_nat_t_type_reserved[0] = 0;
|
|
|
|
n_type->sadb_x_nat_t_type_reserved[1] = 0;
|
|
|
|
n_type->sadb_x_nat_t_type_reserved[2] = 0;
|
|
|
|
|
|
|
|
/* source port */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
n_port = skb_put(skb, sizeof(*n_port));
|
2005-04-16 22:20:36 +00:00
|
|
|
n_port->sadb_x_nat_t_port_len = sizeof(*n_port)/sizeof(uint64_t);
|
|
|
|
n_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
|
|
|
|
n_port->sadb_x_nat_t_port_port = natt->encap_sport;
|
|
|
|
n_port->sadb_x_nat_t_port_reserved = 0;
|
|
|
|
|
|
|
|
/* dest port */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
n_port = skb_put(skb, sizeof(*n_port));
|
2005-04-16 22:20:36 +00:00
|
|
|
n_port->sadb_x_nat_t_port_len = sizeof(*n_port)/sizeof(uint64_t);
|
|
|
|
n_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
|
|
|
|
n_port->sadb_x_nat_t_port_port = natt->encap_dport;
|
|
|
|
n_port->sadb_x_nat_t_port_reserved = 0;
|
|
|
|
}
|
|
|
|
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
/* security context */
|
|
|
|
if (xfrm_ctx) {
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
sec_ctx = skb_put(skb,
|
|
|
|
sizeof(struct sadb_x_sec_ctx) + ctx_size);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
sec_ctx->sadb_x_sec_len =
|
|
|
|
(sizeof(struct sadb_x_sec_ctx) + ctx_size) / sizeof(uint64_t);
|
|
|
|
sec_ctx->sadb_x_sec_exttype = SADB_X_EXT_SEC_CTX;
|
|
|
|
sec_ctx->sadb_x_ctx_doi = xfrm_ctx->ctx_doi;
|
|
|
|
sec_ctx->sadb_x_ctx_alg = xfrm_ctx->ctx_alg;
|
|
|
|
sec_ctx->sadb_x_ctx_len = xfrm_ctx->ctx_len;
|
|
|
|
memcpy(sec_ctx + 1, xfrm_ctx->ctx_str,
|
|
|
|
xfrm_ctx->ctx_len);
|
|
|
|
}
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
return skb;
|
|
|
|
}
|
|
|
|
|
2007-10-09 20:31:47 +00:00
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static inline struct sk_buff *pfkey_xfrm_state2msg(const struct xfrm_state *x)
|
2007-10-09 20:31:47 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
|
|
|
|
skb = __pfkey_xfrm_state2msg(x, 1, 3);
|
|
|
|
|
|
|
|
return skb;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static inline struct sk_buff *pfkey_xfrm_state2msg_expire(const struct xfrm_state *x,
|
2007-10-09 20:31:47 +00:00
|
|
|
int hsc)
|
|
|
|
{
|
|
|
|
return __pfkey_xfrm_state2msg(x, 0, hsc);
|
|
|
|
}
|
|
|
|
|
2008-11-26 01:58:31 +00:00
|
|
|
static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_msg *hdr,
|
|
|
|
void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2007-02-09 14:24:58 +00:00
|
|
|
struct xfrm_state *x;
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_lifetime *lifetime;
|
|
|
|
const struct sadb_sa *sa;
|
|
|
|
const struct sadb_key *key;
|
|
|
|
const struct sadb_x_sec_ctx *sec_ctx;
|
2005-04-16 22:20:36 +00:00
|
|
|
uint16_t proto;
|
|
|
|
int err;
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2011-06-13 16:21:26 +00:00
|
|
|
sa = ext_hdrs[SADB_EXT_SA - 1];
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!sa ||
|
|
|
|
!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
|
|
|
|
ext_hdrs[SADB_EXT_ADDRESS_DST-1]))
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
if (hdr->sadb_msg_satype == SADB_SATYPE_ESP &&
|
|
|
|
!ext_hdrs[SADB_EXT_KEY_ENCRYPT-1])
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
if (hdr->sadb_msg_satype == SADB_SATYPE_AH &&
|
|
|
|
!ext_hdrs[SADB_EXT_KEY_AUTH-1])
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
if (!!ext_hdrs[SADB_EXT_LIFETIME_HARD-1] !=
|
|
|
|
!!ext_hdrs[SADB_EXT_LIFETIME_SOFT-1])
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
proto = pfkey_satype2proto(hdr->sadb_msg_satype);
|
|
|
|
if (proto == 0)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
|
|
|
/* default error is no buffer space */
|
|
|
|
err = -ENOBUFS;
|
|
|
|
|
|
|
|
/* RFC2367:
|
|
|
|
|
|
|
|
Only SADB_SASTATE_MATURE SAs may be submitted in an SADB_ADD message.
|
|
|
|
SADB_SASTATE_LARVAL SAs are created by SADB_GETSPI and it is not
|
|
|
|
sensible to add a new SA in the DYING or SADB_SASTATE_DEAD state.
|
|
|
|
Therefore, the sadb_sa_state field of all submitted SAs MUST be
|
|
|
|
SADB_SASTATE_MATURE and the kernel MUST return an error if this is
|
|
|
|
not true.
|
|
|
|
|
2007-02-09 14:24:58 +00:00
|
|
|
However, KAME setkey always uses SADB_SASTATE_LARVAL.
|
2005-04-16 22:20:36 +00:00
|
|
|
Hence, we have to _ignore_ sadb_sa_state, which is also reasonable.
|
|
|
|
*/
|
|
|
|
if (sa->sadb_sa_auth > SADB_AALG_MAX ||
|
|
|
|
(hdr->sadb_msg_satype == SADB_X_SATYPE_IPCOMP &&
|
|
|
|
sa->sadb_sa_encrypt > SADB_X_CALG_MAX) ||
|
|
|
|
sa->sadb_sa_encrypt > SADB_EALG_MAX)
|
|
|
|
return ERR_PTR(-EINVAL);
|
2011-06-13 16:21:26 +00:00
|
|
|
key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];
|
2005-04-16 22:20:36 +00:00
|
|
|
if (key != NULL &&
|
|
|
|
sa->sadb_sa_auth != SADB_X_AALG_NULL &&
|
2018-04-07 15:40:33 +00:00
|
|
|
key->sadb_key_bits == 0)
|
2005-04-16 22:20:36 +00:00
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
key = ext_hdrs[SADB_EXT_KEY_ENCRYPT-1];
|
|
|
|
if (key != NULL &&
|
|
|
|
sa->sadb_sa_encrypt != SADB_EALG_NULL &&
|
2018-04-07 15:40:33 +00:00
|
|
|
key->sadb_key_bits == 0)
|
2005-04-16 22:20:36 +00:00
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
2008-11-26 01:58:31 +00:00
|
|
|
x = xfrm_state_alloc(net);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (x == NULL)
|
|
|
|
return ERR_PTR(-ENOBUFS);
|
|
|
|
|
|
|
|
x->id.proto = proto;
|
|
|
|
x->id.spi = sa->sadb_sa_spi;
|
2013-09-17 07:14:13 +00:00
|
|
|
x->props.replay_window = min_t(unsigned int, sa->sadb_sa_replay,
|
|
|
|
(sizeof(x->replay.bitmap) * 8));
|
2005-04-16 22:20:36 +00:00
|
|
|
if (sa->sadb_sa_flags & SADB_SAFLAGS_NOECN)
|
|
|
|
x->props.flags |= XFRM_STATE_NOECN;
|
|
|
|
if (sa->sadb_sa_flags & SADB_SAFLAGS_DECAP_DSCP)
|
|
|
|
x->props.flags |= XFRM_STATE_DECAP_DSCP;
|
2005-06-20 20:21:43 +00:00
|
|
|
if (sa->sadb_sa_flags & SADB_SAFLAGS_NOPMTUDISC)
|
|
|
|
x->props.flags |= XFRM_STATE_NOPMTUDISC;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2011-06-13 16:21:26 +00:00
|
|
|
lifetime = ext_hdrs[SADB_EXT_LIFETIME_HARD - 1];
|
2005-04-16 22:20:36 +00:00
|
|
|
if (lifetime != NULL) {
|
|
|
|
x->lft.hard_packet_limit = _KEY2X(lifetime->sadb_lifetime_allocations);
|
|
|
|
x->lft.hard_byte_limit = _KEY2X(lifetime->sadb_lifetime_bytes);
|
|
|
|
x->lft.hard_add_expires_seconds = lifetime->sadb_lifetime_addtime;
|
|
|
|
x->lft.hard_use_expires_seconds = lifetime->sadb_lifetime_usetime;
|
|
|
|
}
|
2011-06-13 16:21:26 +00:00
|
|
|
lifetime = ext_hdrs[SADB_EXT_LIFETIME_SOFT - 1];
|
2005-04-16 22:20:36 +00:00
|
|
|
if (lifetime != NULL) {
|
|
|
|
x->lft.soft_packet_limit = _KEY2X(lifetime->sadb_lifetime_allocations);
|
|
|
|
x->lft.soft_byte_limit = _KEY2X(lifetime->sadb_lifetime_bytes);
|
|
|
|
x->lft.soft_add_expires_seconds = lifetime->sadb_lifetime_addtime;
|
|
|
|
x->lft.soft_use_expires_seconds = lifetime->sadb_lifetime_usetime;
|
|
|
|
}
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
|
2011-06-13 16:21:26 +00:00
|
|
|
sec_ctx = ext_hdrs[SADB_X_EXT_SEC_CTX - 1];
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
if (sec_ctx != NULL) {
|
2014-03-07 11:44:18 +00:00
|
|
|
struct xfrm_user_sec_ctx *uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx, GFP_KERNEL);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
|
|
|
|
if (!uctx)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
err = security_xfrm_state_alloc(x, uctx);
|
|
|
|
kfree(uctx);
|
|
|
|
|
|
|
|
if (err)
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2017-06-14 10:35:37 +00:00
|
|
|
err = -ENOBUFS;
|
2011-06-13 16:21:26 +00:00
|
|
|
key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];
|
2005-04-16 22:20:36 +00:00
|
|
|
if (sa->sadb_sa_auth) {
|
|
|
|
int keysize = 0;
|
|
|
|
struct xfrm_algo_desc *a = xfrm_aalg_get_byid(sa->sadb_sa_auth);
|
2013-01-31 10:40:38 +00:00
|
|
|
if (!a || !a->pfkey_supported) {
|
2005-04-16 22:20:36 +00:00
|
|
|
err = -ENOSYS;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if (key)
|
|
|
|
keysize = (key->sadb_key_bits + 7) / 8;
|
|
|
|
x->aalg = kmalloc(sizeof(*x->aalg) + keysize, GFP_KERNEL);
|
2017-06-14 10:34:05 +00:00
|
|
|
if (!x->aalg) {
|
|
|
|
err = -ENOMEM;
|
2005-04-16 22:20:36 +00:00
|
|
|
goto out;
|
2017-06-14 10:34:05 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
strcpy(x->aalg->alg_name, a->name);
|
|
|
|
x->aalg->alg_key_len = 0;
|
|
|
|
if (key) {
|
|
|
|
x->aalg->alg_key_len = key->sadb_key_bits;
|
|
|
|
memcpy(x->aalg->alg_key, key+1, keysize);
|
|
|
|
}
|
2009-12-09 06:11:15 +00:00
|
|
|
x->aalg->alg_trunc_len = a->uinfo.auth.icv_truncbits;
|
2005-04-16 22:20:36 +00:00
|
|
|
x->props.aalgo = sa->sadb_sa_auth;
|
|
|
|
/* x->algo.flags = sa->sadb_sa_flags; */
|
|
|
|
}
|
|
|
|
if (sa->sadb_sa_encrypt) {
|
|
|
|
if (hdr->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
|
|
|
|
struct xfrm_algo_desc *a = xfrm_calg_get_byid(sa->sadb_sa_encrypt);
|
2013-01-31 10:40:38 +00:00
|
|
|
if (!a || !a->pfkey_supported) {
|
2005-04-16 22:20:36 +00:00
|
|
|
err = -ENOSYS;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
x->calg = kmalloc(sizeof(*x->calg), GFP_KERNEL);
|
2017-06-14 10:34:05 +00:00
|
|
|
if (!x->calg) {
|
|
|
|
err = -ENOMEM;
|
2005-04-16 22:20:36 +00:00
|
|
|
goto out;
|
2017-06-14 10:34:05 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
strcpy(x->calg->alg_name, a->name);
|
|
|
|
x->props.calgo = sa->sadb_sa_encrypt;
|
|
|
|
} else {
|
|
|
|
int keysize = 0;
|
|
|
|
struct xfrm_algo_desc *a = xfrm_ealg_get_byid(sa->sadb_sa_encrypt);
|
2013-01-31 10:40:38 +00:00
|
|
|
if (!a || !a->pfkey_supported) {
|
2005-04-16 22:20:36 +00:00
|
|
|
err = -ENOSYS;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
key = (struct sadb_key*) ext_hdrs[SADB_EXT_KEY_ENCRYPT-1];
|
|
|
|
if (key)
|
|
|
|
keysize = (key->sadb_key_bits + 7) / 8;
|
|
|
|
x->ealg = kmalloc(sizeof(*x->ealg) + keysize, GFP_KERNEL);
|
2017-06-14 10:34:05 +00:00
|
|
|
if (!x->ealg) {
|
|
|
|
err = -ENOMEM;
|
2005-04-16 22:20:36 +00:00
|
|
|
goto out;
|
2017-06-14 10:34:05 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
strcpy(x->ealg->alg_name, a->name);
|
|
|
|
x->ealg->alg_key_len = 0;
|
|
|
|
if (key) {
|
|
|
|
x->ealg->alg_key_len = key->sadb_key_bits;
|
|
|
|
memcpy(x->ealg->alg_key, key+1, keysize);
|
|
|
|
}
|
|
|
|
x->props.ealgo = sa->sadb_sa_encrypt;
|
2015-05-27 08:03:45 +00:00
|
|
|
x->geniv = a->uinfo.encr.geniv;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
/* x->algo.flags = sa->sadb_sa_flags; */
|
|
|
|
|
2007-02-09 14:24:58 +00:00
|
|
|
x->props.family = pfkey_sadb_addr2xfrm_addr((struct sadb_address *) ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
|
2005-04-16 22:20:36 +00:00
|
|
|
&x->props.saddr);
|
2007-02-09 14:24:58 +00:00
|
|
|
pfkey_sadb_addr2xfrm_addr((struct sadb_address *) ext_hdrs[SADB_EXT_ADDRESS_DST-1],
|
2005-04-16 22:20:36 +00:00
|
|
|
&x->id.daddr);
|
|
|
|
|
|
|
|
if (ext_hdrs[SADB_X_EXT_SA2-1]) {
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_x_sa2 *sa2 = ext_hdrs[SADB_X_EXT_SA2-1];
|
2007-04-17 19:32:20 +00:00
|
|
|
int mode = pfkey_mode_to_xfrm(sa2->sadb_x_sa2_mode);
|
|
|
|
if (mode < 0) {
|
|
|
|
err = -EINVAL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
x->props.mode = mode;
|
2005-04-16 22:20:36 +00:00
|
|
|
x->props.reqid = sa2->sadb_x_sa2_reqid;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ext_hdrs[SADB_EXT_ADDRESS_PROXY-1]) {
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_address *addr = ext_hdrs[SADB_EXT_ADDRESS_PROXY-1];
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
/* Nobody uses this, but we try. */
|
|
|
|
x->sel.family = pfkey_sadb_addr2xfrm_addr(addr, &x->sel.saddr);
|
|
|
|
x->sel.prefixlen_s = addr->sadb_address_prefixlen;
|
|
|
|
}
|
|
|
|
|
2008-05-21 20:26:11 +00:00
|
|
|
if (!x->sel.family)
|
2007-08-03 02:25:43 +00:00
|
|
|
x->sel.family = x->props.family;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_x_nat_t_type* n_type;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct xfrm_encap_tmpl *natt;
|
|
|
|
|
|
|
|
x->encap = kmalloc(sizeof(*x->encap), GFP_KERNEL);
|
2017-06-14 10:34:05 +00:00
|
|
|
if (!x->encap) {
|
|
|
|
err = -ENOMEM;
|
2005-04-16 22:20:36 +00:00
|
|
|
goto out;
|
2017-06-14 10:34:05 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
natt = x->encap;
|
|
|
|
n_type = ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1];
|
|
|
|
natt->encap_type = n_type->sadb_x_nat_t_type_type;
|
|
|
|
|
|
|
|
if (ext_hdrs[SADB_X_EXT_NAT_T_SPORT-1]) {
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_x_nat_t_port *n_port =
|
2005-04-16 22:20:36 +00:00
|
|
|
ext_hdrs[SADB_X_EXT_NAT_T_SPORT-1];
|
|
|
|
natt->encap_sport = n_port->sadb_x_nat_t_port_port;
|
|
|
|
}
|
|
|
|
if (ext_hdrs[SADB_X_EXT_NAT_T_DPORT-1]) {
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_x_nat_t_port *n_port =
|
2005-04-16 22:20:36 +00:00
|
|
|
ext_hdrs[SADB_X_EXT_NAT_T_DPORT-1];
|
|
|
|
natt->encap_dport = n_port->sadb_x_nat_t_port_port;
|
|
|
|
}
|
2009-01-26 04:49:14 +00:00
|
|
|
memset(&natt->encap_oa, 0, sizeof(natt->encap_oa));
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2005-06-20 20:18:08 +00:00
|
|
|
err = xfrm_init_state(x);
|
|
|
|
if (err)
|
2005-04-16 22:20:36 +00:00
|
|
|
goto out;
|
2005-06-20 20:18:08 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
x->km.seq = hdr->sadb_msg_seq;
|
|
|
|
return x;
|
|
|
|
|
|
|
|
out:
|
|
|
|
x->km.state = XFRM_STATE_DEAD;
|
|
|
|
xfrm_state_put(x);
|
|
|
|
return ERR_PTR(err);
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_reserved(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_getspi(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct sk_buff *resp_skb;
|
|
|
|
struct sadb_x_sa2 *sa2;
|
|
|
|
struct sadb_address *saddr, *daddr;
|
|
|
|
struct sadb_msg *out_hdr;
|
2007-10-09 20:29:52 +00:00
|
|
|
struct sadb_spirange *range;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct xfrm_state *x = NULL;
|
2007-04-17 19:32:20 +00:00
|
|
|
int mode;
|
2007-10-09 20:29:52 +00:00
|
|
|
int err;
|
|
|
|
u32 min_spi, max_spi;
|
2005-04-16 22:20:36 +00:00
|
|
|
u32 reqid;
|
|
|
|
u8 proto;
|
|
|
|
unsigned short family;
|
|
|
|
xfrm_address_t *xsaddr = NULL, *xdaddr = NULL;
|
|
|
|
|
|
|
|
if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
|
|
|
|
ext_hdrs[SADB_EXT_ADDRESS_DST-1]))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
proto = pfkey_satype2proto(hdr->sadb_msg_satype);
|
|
|
|
if (proto == 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if ((sa2 = ext_hdrs[SADB_X_EXT_SA2-1]) != NULL) {
|
2007-04-17 19:32:20 +00:00
|
|
|
mode = pfkey_mode_to_xfrm(sa2->sadb_x_sa2_mode);
|
|
|
|
if (mode < 0)
|
|
|
|
return -EINVAL;
|
2005-04-16 22:20:36 +00:00
|
|
|
reqid = sa2->sadb_x_sa2_reqid;
|
|
|
|
} else {
|
|
|
|
mode = 0;
|
|
|
|
reqid = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
saddr = ext_hdrs[SADB_EXT_ADDRESS_SRC-1];
|
|
|
|
daddr = ext_hdrs[SADB_EXT_ADDRESS_DST-1];
|
|
|
|
|
|
|
|
family = ((struct sockaddr *)(saddr + 1))->sa_family;
|
|
|
|
switch (family) {
|
|
|
|
case AF_INET:
|
|
|
|
xdaddr = (xfrm_address_t *)&((struct sockaddr_in *)(daddr + 1))->sin_addr.s_addr;
|
|
|
|
xsaddr = (xfrm_address_t *)&((struct sockaddr_in *)(saddr + 1))->sin_addr.s_addr;
|
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2005-04-16 22:20:36 +00:00
|
|
|
case AF_INET6:
|
|
|
|
xdaddr = (xfrm_address_t *)&((struct sockaddr_in6 *)(daddr + 1))->sin6_addr;
|
|
|
|
xsaddr = (xfrm_address_t *)&((struct sockaddr_in6 *)(saddr + 1))->sin6_addr;
|
|
|
|
break;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
if (hdr->sadb_msg_seq) {
|
2010-02-23 00:20:22 +00:00
|
|
|
x = xfrm_find_acq_byseq(net, DUMMY_MARK, hdr->sadb_msg_seq);
|
2013-01-29 12:48:50 +00:00
|
|
|
if (x && !xfrm_addr_equal(&x->id.daddr, xdaddr, family)) {
|
2005-04-16 22:20:36 +00:00
|
|
|
xfrm_state_put(x);
|
|
|
|
x = NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!x)
|
2018-06-12 12:07:07 +00:00
|
|
|
x = xfrm_find_acq(net, &dummy_mark, mode, reqid, 0, proto, xdaddr, xsaddr, 1, family);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
if (x == NULL)
|
|
|
|
return -ENOENT;
|
|
|
|
|
2007-10-09 20:29:52 +00:00
|
|
|
min_spi = 0x100;
|
|
|
|
max_spi = 0x0fffffff;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-10-09 20:29:52 +00:00
|
|
|
range = ext_hdrs[SADB_EXT_SPIRANGE-1];
|
|
|
|
if (range) {
|
|
|
|
min_spi = range->sadb_spirange_min;
|
|
|
|
max_spi = range->sadb_spirange_max;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2007-10-09 20:29:52 +00:00
|
|
|
|
2013-12-16 10:47:49 +00:00
|
|
|
err = verify_spi_info(x->id.proto, min_spi, max_spi);
|
|
|
|
if (err) {
|
|
|
|
xfrm_state_put(x);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2007-10-09 20:29:52 +00:00
|
|
|
err = xfrm_alloc_spi(x, min_spi, max_spi);
|
2007-10-09 20:31:47 +00:00
|
|
|
resp_skb = err ? ERR_PTR(err) : pfkey_xfrm_state2msg(x);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
if (IS_ERR(resp_skb)) {
|
|
|
|
xfrm_state_put(x);
|
|
|
|
return PTR_ERR(resp_skb);
|
|
|
|
}
|
|
|
|
|
|
|
|
out_hdr = (struct sadb_msg *) resp_skb->data;
|
|
|
|
out_hdr->sadb_msg_version = hdr->sadb_msg_version;
|
|
|
|
out_hdr->sadb_msg_type = SADB_GETSPI;
|
|
|
|
out_hdr->sadb_msg_satype = pfkey_proto2satype(proto);
|
|
|
|
out_hdr->sadb_msg_errno = 0;
|
|
|
|
out_hdr->sadb_msg_reserved = 0;
|
|
|
|
out_hdr->sadb_msg_seq = hdr->sadb_msg_seq;
|
|
|
|
out_hdr->sadb_msg_pid = hdr->sadb_msg_pid;
|
|
|
|
|
|
|
|
xfrm_state_put(x);
|
|
|
|
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(resp_skb, GFP_KERNEL, BROADCAST_ONE, sk, net);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_acquire(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct xfrm_state *x;
|
|
|
|
|
|
|
|
if (hdr->sadb_msg_len != sizeof(struct sadb_msg)/8)
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
|
|
|
if (hdr->sadb_msg_seq == 0 || hdr->sadb_msg_errno == 0)
|
|
|
|
return 0;
|
|
|
|
|
2010-02-23 00:20:22 +00:00
|
|
|
x = xfrm_find_acq_byseq(net, DUMMY_MARK, hdr->sadb_msg_seq);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (x == NULL)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
spin_lock_bh(&x->lock);
|
2013-08-27 11:43:30 +00:00
|
|
|
if (x->km.state == XFRM_STATE_ACQ)
|
2005-04-16 22:20:36 +00:00
|
|
|
x->km.state = XFRM_STATE_ERROR;
|
2013-08-27 11:43:30 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
spin_unlock_bh(&x->lock);
|
|
|
|
xfrm_state_put(x);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
static inline int event2poltype(int event)
|
|
|
|
{
|
|
|
|
switch (event) {
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_DELPOLICY:
|
2005-06-19 05:42:13 +00:00
|
|
|
return SADB_X_SPDDELETE;
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_NEWPOLICY:
|
2005-06-19 05:42:13 +00:00
|
|
|
return SADB_X_SPDADD;
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_UPDPOLICY:
|
2005-06-19 05:42:13 +00:00
|
|
|
return SADB_X_SPDUPDATE;
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_POLEXPIRE:
|
2005-06-19 05:42:13 +00:00
|
|
|
// return SADB_X_SPDEXPIRE;
|
|
|
|
default:
|
2010-05-12 06:37:07 +00:00
|
|
|
pr_err("pfkey: Unknown policy event %d\n", event);
|
2005-06-19 05:42:13 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int event2keytype(int event)
|
|
|
|
{
|
|
|
|
switch (event) {
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_DELSA:
|
2005-06-19 05:42:13 +00:00
|
|
|
return SADB_DELETE;
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_NEWSA:
|
2005-06-19 05:42:13 +00:00
|
|
|
return SADB_ADD;
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_UPDSA:
|
2005-06-19 05:42:13 +00:00
|
|
|
return SADB_UPDATE;
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_EXPIRE:
|
2005-06-19 05:42:13 +00:00
|
|
|
return SADB_EXPIRE;
|
|
|
|
default:
|
2010-05-12 06:37:07 +00:00
|
|
|
pr_err("pfkey: Unknown SA event %d\n", event);
|
2005-06-19 05:42:13 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* ADD/UPD/DEL */
|
2011-02-24 05:02:38 +00:00
|
|
|
static int key_notify_sa(struct xfrm_state *x, const struct km_event *c)
|
2005-06-19 05:42:13 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
struct sadb_msg *hdr;
|
|
|
|
|
2007-10-09 20:31:47 +00:00
|
|
|
skb = pfkey_xfrm_state2msg(x);
|
2005-06-19 05:42:13 +00:00
|
|
|
|
|
|
|
if (IS_ERR(skb))
|
|
|
|
return PTR_ERR(skb);
|
|
|
|
|
|
|
|
hdr = (struct sadb_msg *) skb->data;
|
|
|
|
hdr->sadb_msg_version = PF_KEY_V2;
|
|
|
|
hdr->sadb_msg_type = event2keytype(c->event);
|
|
|
|
hdr->sadb_msg_satype = pfkey_proto2satype(x->id.proto);
|
|
|
|
hdr->sadb_msg_errno = 0;
|
|
|
|
hdr->sadb_msg_reserved = 0;
|
|
|
|
hdr->sadb_msg_seq = c->seq;
|
2012-09-07 20:12:54 +00:00
|
|
|
hdr->sadb_msg_pid = c->portid;
|
2005-06-19 05:42:13 +00:00
|
|
|
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, xs_net(x));
|
2005-06-19 05:42:13 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_add(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct xfrm_state *x;
|
|
|
|
int err;
|
2005-06-19 05:42:13 +00:00
|
|
|
struct km_event c;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-11-26 01:58:31 +00:00
|
|
|
x = pfkey_msg2xfrm_state(net, hdr, ext_hdrs);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (IS_ERR(x))
|
|
|
|
return PTR_ERR(x);
|
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
xfrm_state_hold(x);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (hdr->sadb_msg_type == SADB_ADD)
|
|
|
|
err = xfrm_state_add(x);
|
|
|
|
else
|
|
|
|
err = xfrm_state_update(x);
|
|
|
|
|
2014-04-22 12:48:30 +00:00
|
|
|
xfrm_audit_state_add(x, err ? 0 : 1, true);
|
2006-11-27 19:11:54 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (err < 0) {
|
|
|
|
x->km.state = XFRM_STATE_DEAD;
|
2006-02-22 22:47:13 +00:00
|
|
|
__xfrm_state_put(x);
|
2005-06-19 05:45:31 +00:00
|
|
|
goto out;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
if (hdr->sadb_msg_type == SADB_ADD)
|
2005-06-19 05:44:37 +00:00
|
|
|
c.event = XFRM_MSG_NEWSA;
|
2005-06-19 05:42:13 +00:00
|
|
|
else
|
2005-06-19 05:44:37 +00:00
|
|
|
c.event = XFRM_MSG_UPDSA;
|
2005-06-19 05:42:13 +00:00
|
|
|
c.seq = hdr->sadb_msg_seq;
|
2012-09-07 20:12:54 +00:00
|
|
|
c.portid = hdr->sadb_msg_pid;
|
2005-06-19 05:42:13 +00:00
|
|
|
km_state_notify(x, &c);
|
2005-06-19 05:45:31 +00:00
|
|
|
out:
|
2005-06-19 05:42:13 +00:00
|
|
|
xfrm_state_put(x);
|
|
|
|
return err;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_delete(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct xfrm_state *x;
|
2005-06-19 05:42:13 +00:00
|
|
|
struct km_event c;
|
|
|
|
int err;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
if (!ext_hdrs[SADB_EXT_SA-1] ||
|
|
|
|
!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
|
|
|
|
ext_hdrs[SADB_EXT_ADDRESS_DST-1]))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2008-11-26 01:58:31 +00:00
|
|
|
x = pfkey_xfrm_state_lookup(net, hdr, ext_hdrs);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (x == NULL)
|
|
|
|
return -ESRCH;
|
|
|
|
|
2006-06-09 06:39:49 +00:00
|
|
|
if ((err = security_xfrm_state_delete(x)))
|
|
|
|
goto out;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (xfrm_state_kern(x)) {
|
2006-06-09 06:39:49 +00:00
|
|
|
err = -EPERM;
|
|
|
|
goto out;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2006-11-27 19:11:54 +00:00
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
err = xfrm_state_delete(x);
|
2006-11-27 19:11:54 +00:00
|
|
|
|
2006-06-09 06:39:49 +00:00
|
|
|
if (err < 0)
|
|
|
|
goto out;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
c.seq = hdr->sadb_msg_seq;
|
2012-09-07 20:12:54 +00:00
|
|
|
c.portid = hdr->sadb_msg_pid;
|
2005-06-19 05:44:37 +00:00
|
|
|
c.event = XFRM_MSG_DELSA;
|
2005-06-19 05:42:13 +00:00
|
|
|
km_state_notify(x, &c);
|
2006-06-09 06:39:49 +00:00
|
|
|
out:
|
2014-04-22 12:48:30 +00:00
|
|
|
xfrm_audit_state_delete(x, err ? 0 : 1, true);
|
2005-06-19 05:42:13 +00:00
|
|
|
xfrm_state_put(x);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
return err;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_get(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
__u8 proto;
|
|
|
|
struct sk_buff *out_skb;
|
|
|
|
struct sadb_msg *out_hdr;
|
|
|
|
struct xfrm_state *x;
|
|
|
|
|
|
|
|
if (!ext_hdrs[SADB_EXT_SA-1] ||
|
|
|
|
!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
|
|
|
|
ext_hdrs[SADB_EXT_ADDRESS_DST-1]))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2008-11-26 01:58:31 +00:00
|
|
|
x = pfkey_xfrm_state_lookup(net, hdr, ext_hdrs);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (x == NULL)
|
|
|
|
return -ESRCH;
|
|
|
|
|
2007-10-09 20:31:47 +00:00
|
|
|
out_skb = pfkey_xfrm_state2msg(x);
|
2005-04-16 22:20:36 +00:00
|
|
|
proto = x->id.proto;
|
|
|
|
xfrm_state_put(x);
|
|
|
|
if (IS_ERR(out_skb))
|
|
|
|
return PTR_ERR(out_skb);
|
|
|
|
|
|
|
|
out_hdr = (struct sadb_msg *) out_skb->data;
|
|
|
|
out_hdr->sadb_msg_version = hdr->sadb_msg_version;
|
2007-11-22 11:35:15 +00:00
|
|
|
out_hdr->sadb_msg_type = SADB_GET;
|
2005-04-16 22:20:36 +00:00
|
|
|
out_hdr->sadb_msg_satype = pfkey_proto2satype(proto);
|
|
|
|
out_hdr->sadb_msg_errno = 0;
|
|
|
|
out_hdr->sadb_msg_reserved = 0;
|
|
|
|
out_hdr->sadb_msg_seq = hdr->sadb_msg_seq;
|
|
|
|
out_hdr->sadb_msg_pid = hdr->sadb_msg_pid;
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, sk, sock_net(sk));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static struct sk_buff *compose_sadb_supported(const struct sadb_msg *orig,
|
2005-10-07 06:46:04 +00:00
|
|
|
gfp_t allocation)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
struct sadb_msg *hdr;
|
|
|
|
int len, auth_len, enc_len, i;
|
|
|
|
|
2013-01-31 10:40:38 +00:00
|
|
|
auth_len = xfrm_count_pfkey_auth_supported();
|
2005-04-16 22:20:36 +00:00
|
|
|
if (auth_len) {
|
|
|
|
auth_len *= sizeof(struct sadb_alg);
|
|
|
|
auth_len += sizeof(struct sadb_supported);
|
|
|
|
}
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2013-01-31 10:40:38 +00:00
|
|
|
enc_len = xfrm_count_pfkey_enc_supported();
|
2005-04-16 22:20:36 +00:00
|
|
|
if (enc_len) {
|
|
|
|
enc_len *= sizeof(struct sadb_alg);
|
|
|
|
enc_len += sizeof(struct sadb_supported);
|
|
|
|
}
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
len = enc_len + auth_len + sizeof(struct sadb_msg);
|
|
|
|
|
|
|
|
skb = alloc_skb(len + 16, allocation);
|
|
|
|
if (!skb)
|
|
|
|
goto out_put_algs;
|
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
hdr = skb_put(skb, sizeof(*hdr));
|
2005-04-16 22:20:36 +00:00
|
|
|
pfkey_hdr_dup(hdr, orig);
|
|
|
|
hdr->sadb_msg_errno = 0;
|
|
|
|
hdr->sadb_msg_len = len / sizeof(uint64_t);
|
|
|
|
|
|
|
|
if (auth_len) {
|
|
|
|
struct sadb_supported *sp;
|
|
|
|
struct sadb_alg *ap;
|
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
sp = skb_put(skb, auth_len);
|
2005-04-16 22:20:36 +00:00
|
|
|
ap = (struct sadb_alg *) (sp + 1);
|
|
|
|
|
|
|
|
sp->sadb_supported_len = auth_len / sizeof(uint64_t);
|
|
|
|
sp->sadb_supported_exttype = SADB_EXT_SUPPORTED_AUTH;
|
|
|
|
|
|
|
|
for (i = 0; ; i++) {
|
|
|
|
struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(i);
|
|
|
|
if (!aalg)
|
|
|
|
break;
|
2013-01-31 10:40:38 +00:00
|
|
|
if (!aalg->pfkey_supported)
|
|
|
|
continue;
|
2005-04-16 22:20:36 +00:00
|
|
|
if (aalg->available)
|
|
|
|
*ap++ = aalg->desc;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (enc_len) {
|
|
|
|
struct sadb_supported *sp;
|
|
|
|
struct sadb_alg *ap;
|
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
sp = skb_put(skb, enc_len);
|
2005-04-16 22:20:36 +00:00
|
|
|
ap = (struct sadb_alg *) (sp + 1);
|
|
|
|
|
|
|
|
sp->sadb_supported_len = enc_len / sizeof(uint64_t);
|
|
|
|
sp->sadb_supported_exttype = SADB_EXT_SUPPORTED_ENCRYPT;
|
|
|
|
|
|
|
|
for (i = 0; ; i++) {
|
|
|
|
struct xfrm_algo_desc *ealg = xfrm_ealg_get_byidx(i);
|
|
|
|
if (!ealg)
|
|
|
|
break;
|
2013-01-31 10:40:38 +00:00
|
|
|
if (!ealg->pfkey_supported)
|
|
|
|
continue;
|
2005-04-16 22:20:36 +00:00
|
|
|
if (ealg->available)
|
|
|
|
*ap++ = ealg->desc;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
out_put_algs:
|
|
|
|
return skb;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct pfkey_sock *pfk = pfkey_sk(sk);
|
|
|
|
struct sk_buff *supp_skb;
|
|
|
|
|
|
|
|
if (hdr->sadb_msg_satype > SADB_SATYPE_MAX)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC) {
|
|
|
|
if (pfk->registered&(1<<hdr->sadb_msg_satype))
|
|
|
|
return -EEXIST;
|
|
|
|
pfk->registered |= (1<<hdr->sadb_msg_satype);
|
|
|
|
}
|
|
|
|
|
2022-08-04 10:03:46 +00:00
|
|
|
mutex_lock(&pfkey_mutex);
|
2005-04-16 22:20:36 +00:00
|
|
|
xfrm_probe_algs();
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2022-03-08 03:20:28 +00:00
|
|
|
supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO);
|
2022-08-04 10:03:46 +00:00
|
|
|
mutex_unlock(&pfkey_mutex);
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!supp_skb) {
|
|
|
|
if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC)
|
|
|
|
pfk->registered &= ~(1<<hdr->sadb_msg_satype);
|
|
|
|
|
|
|
|
return -ENOBUFS;
|
|
|
|
}
|
|
|
|
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(supp_skb, GFP_KERNEL, BROADCAST_REGISTERED, sk,
|
|
|
|
sock_net(sk));
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int unicast_flush_resp(struct sock *sk, const struct sadb_msg *ihdr)
|
2010-02-19 02:00:40 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
struct sadb_msg *hdr;
|
|
|
|
|
|
|
|
skb = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_ATOMIC);
|
|
|
|
if (!skb)
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
networking: introduce and use skb_put_data()
A common pattern with skb_put() is to just want to memcpy()
some data into the new space, introduce skb_put_data() for
this.
An spatch similar to the one for skb_put_zero() converts many
of the places using it:
@@
identifier p, p2;
expression len, skb, data;
type t, t2;
@@
(
-p = skb_put(skb, len);
+p = skb_put_data(skb, data, len);
|
-p = (t)skb_put(skb, len);
+p = skb_put_data(skb, data, len);
)
(
p2 = (t2)p;
-memcpy(p2, data, len);
|
-memcpy(p, data, len);
)
@@
type t, t2;
identifier p, p2;
expression skb, data;
@@
t *p;
...
(
-p = skb_put(skb, sizeof(t));
+p = skb_put_data(skb, data, sizeof(t));
|
-p = (t *)skb_put(skb, sizeof(t));
+p = skb_put_data(skb, data, sizeof(t));
)
(
p2 = (t2)p;
-memcpy(p2, data, sizeof(*p));
|
-memcpy(p, data, sizeof(*p));
)
@@
expression skb, len, data;
@@
-memcpy(skb_put(skb, len), data, len);
+skb_put_data(skb, data, len);
(again, manually post-processed to retain some comments)
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:20 +00:00
|
|
|
hdr = skb_put_data(skb, ihdr, sizeof(struct sadb_msg));
|
2010-02-19 02:00:40 +00:00
|
|
|
hdr->sadb_msg_errno = (uint8_t) 0;
|
|
|
|
hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
|
|
|
|
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ONE, sk,
|
|
|
|
sock_net(sk));
|
2010-02-19 02:00:40 +00:00
|
|
|
}
|
|
|
|
|
2011-02-24 05:02:38 +00:00
|
|
|
static int key_notify_sa_flush(const struct km_event *c)
|
2005-06-19 05:42:13 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
struct sadb_msg *hdr;
|
|
|
|
|
|
|
|
skb = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_ATOMIC);
|
|
|
|
if (!skb)
|
|
|
|
return -ENOBUFS;
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
hdr = skb_put(skb, sizeof(struct sadb_msg));
|
2005-06-19 05:44:00 +00:00
|
|
|
hdr->sadb_msg_satype = pfkey_proto2satype(c->data.proto);
|
2006-01-24 20:57:19 +00:00
|
|
|
hdr->sadb_msg_type = SADB_FLUSH;
|
2005-06-19 05:42:13 +00:00
|
|
|
hdr->sadb_msg_seq = c->seq;
|
2012-09-07 20:12:54 +00:00
|
|
|
hdr->sadb_msg_pid = c->portid;
|
2005-06-19 05:42:13 +00:00
|
|
|
hdr->sadb_msg_version = PF_KEY_V2;
|
|
|
|
hdr->sadb_msg_errno = (uint8_t) 0;
|
|
|
|
hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
|
2013-06-26 21:52:30 +00:00
|
|
|
hdr->sadb_msg_reserved = 0;
|
2005-06-19 05:42:13 +00:00
|
|
|
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
|
2005-06-19 05:42:13 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2012-04-15 05:58:06 +00:00
|
|
|
unsigned int proto;
|
2005-06-19 05:42:13 +00:00
|
|
|
struct km_event c;
|
2010-02-19 02:00:40 +00:00
|
|
|
int err, err2;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
proto = pfkey_satype2proto(hdr->sadb_msg_satype);
|
|
|
|
if (proto == 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
xfrm: destroy xfrm_state synchronously on net exit path
xfrm_state_put() moves struct xfrm_state to the GC list
and schedules the GC work to clean it up. On net exit call
path, xfrm_state_flush() is called to clean up and
xfrm_flush_gc() is called to wait for the GC work to complete
before exit.
However, this doesn't work because one of the ->destructor(),
ipcomp_destroy(), schedules the same GC work again inside
the GC work. It is hard to wait for such a nested async
callback. This is also why syzbot still reports the following
warning:
WARNING: CPU: 1 PID: 33 at net/ipv6/xfrm6_tunnel.c:351 xfrm6_tunnel_net_exit+0x2cb/0x500 net/ipv6/xfrm6_tunnel.c:351
...
ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
cleanup_net+0x51d/0xb10 net/core/net_namespace.c:551
process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
kthread+0x357/0x430 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
In fact, it is perfectly fine to bypass GC and destroy xfrm_state
synchronously on net exit call path, because it is in process context
and doesn't need a work struct to do any blocking work.
This patch introduces xfrm_state_put_sync() which simply bypasses
GC, and lets its callers to decide whether to use this synchronous
version. On net exit path, xfrm_state_fini() and
xfrm6_tunnel_net_exit() use it. And, as ipcomp_destroy() itself is
blocking, it can use xfrm_state_put_sync() directly too.
Also rename xfrm_state_gc_destroy() to ___xfrm_state_destroy() to
reflect this change.
Fixes: b48c05ab5d32 ("xfrm: Fix warning in xfrm6_tunnel_net_exit.")
Reported-and-tested-by: syzbot+e9aebef558e3ed673934@syzkaller.appspotmail.com
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2019-01-31 21:05:49 +00:00
|
|
|
err = xfrm_state_flush(net, proto, true, false);
|
2010-02-19 02:00:40 +00:00
|
|
|
err2 = unicast_flush_resp(sk, hdr);
|
2010-02-19 02:00:41 +00:00
|
|
|
if (err || err2) {
|
|
|
|
if (err == -ESRCH) /* empty table - go quietly */
|
|
|
|
err = 0;
|
2010-02-19 02:00:40 +00:00
|
|
|
return err ? err : err2;
|
2010-02-19 02:00:41 +00:00
|
|
|
}
|
2010-02-19 02:00:40 +00:00
|
|
|
|
2005-06-19 05:44:00 +00:00
|
|
|
c.data.proto = proto;
|
2005-06-19 05:42:13 +00:00
|
|
|
c.seq = hdr->sadb_msg_seq;
|
2012-09-07 20:12:54 +00:00
|
|
|
c.portid = hdr->sadb_msg_pid;
|
2005-06-19 05:44:37 +00:00
|
|
|
c.event = XFRM_MSG_FLUSHSA;
|
2008-11-26 01:58:31 +00:00
|
|
|
c.net = net;
|
2005-06-19 05:42:13 +00:00
|
|
|
km_state_notify(NULL, &c);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int dump_sa(struct xfrm_state *x, int count, void *ptr)
|
|
|
|
{
|
2008-03-04 07:40:12 +00:00
|
|
|
struct pfkey_sock *pfk = ptr;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct sk_buff *out_skb;
|
|
|
|
struct sadb_msg *out_hdr;
|
|
|
|
|
2008-03-04 07:40:12 +00:00
|
|
|
if (!pfkey_can_dump(&pfk->sk))
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
2007-10-09 20:31:47 +00:00
|
|
|
out_skb = pfkey_xfrm_state2msg(x);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (IS_ERR(out_skb))
|
|
|
|
return PTR_ERR(out_skb);
|
|
|
|
|
|
|
|
out_hdr = (struct sadb_msg *) out_skb->data;
|
2008-03-04 07:40:12 +00:00
|
|
|
out_hdr->sadb_msg_version = pfk->dump.msg_version;
|
2005-04-16 22:20:36 +00:00
|
|
|
out_hdr->sadb_msg_type = SADB_DUMP;
|
|
|
|
out_hdr->sadb_msg_satype = pfkey_proto2satype(x->id.proto);
|
|
|
|
out_hdr->sadb_msg_errno = 0;
|
|
|
|
out_hdr->sadb_msg_reserved = 0;
|
2008-10-01 14:03:24 +00:00
|
|
|
out_hdr->sadb_msg_seq = count + 1;
|
2012-09-07 20:12:54 +00:00
|
|
|
out_hdr->sadb_msg_pid = pfk->dump.msg_portid;
|
2008-10-01 14:03:24 +00:00
|
|
|
|
|
|
|
if (pfk->dump.skb)
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
|
2008-11-26 01:58:31 +00:00
|
|
|
&pfk->sk, sock_net(&pfk->sk));
|
2008-10-01 14:03:24 +00:00
|
|
|
pfk->dump.skb = out_skb;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-03-04 07:40:12 +00:00
|
|
|
static int pfkey_dump_sa(struct pfkey_sock *pfk)
|
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(&pfk->sk);
|
|
|
|
return xfrm_state_walk(net, &pfk->dump.u.state, dump_sa, (void *) pfk);
|
2008-03-04 07:40:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void pfkey_dump_sa_done(struct pfkey_sock *pfk)
|
|
|
|
{
|
2013-11-07 09:47:50 +00:00
|
|
|
struct net *net = sock_net(&pfk->sk);
|
|
|
|
|
|
|
|
xfrm_state_walk_done(&pfk->dump.u.state, net);
|
2008-03-04 07:40:12 +00:00
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
u8 proto;
|
2014-03-06 17:24:29 +00:00
|
|
|
struct xfrm_address_filter *filter = NULL;
|
2008-03-04 07:40:12 +00:00
|
|
|
struct pfkey_sock *pfk = pfkey_sk(sk);
|
|
|
|
|
2017-03-31 07:10:20 +00:00
|
|
|
mutex_lock(&pfk->dump_lock);
|
|
|
|
if (pfk->dump.dump != NULL) {
|
|
|
|
mutex_unlock(&pfk->dump_lock);
|
2008-03-04 07:40:12 +00:00
|
|
|
return -EBUSY;
|
2017-03-31 07:10:20 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
proto = pfkey_satype2proto(hdr->sadb_msg_satype);
|
2017-03-31 07:10:20 +00:00
|
|
|
if (proto == 0) {
|
|
|
|
mutex_unlock(&pfk->dump_lock);
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EINVAL;
|
2017-03-31 07:10:20 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2014-02-14 14:30:36 +00:00
|
|
|
if (ext_hdrs[SADB_X_EXT_FILTER - 1]) {
|
|
|
|
struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1];
|
|
|
|
|
2020-07-22 11:00:53 +00:00
|
|
|
if ((xfilter->sadb_x_filter_splen >=
|
|
|
|
(sizeof(xfrm_address_t) << 3)) ||
|
|
|
|
(xfilter->sadb_x_filter_dplen >=
|
|
|
|
(sizeof(xfrm_address_t) << 3))) {
|
|
|
|
mutex_unlock(&pfk->dump_lock);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
2014-02-14 14:30:36 +00:00
|
|
|
filter = kmalloc(sizeof(*filter), GFP_KERNEL);
|
2017-03-31 07:10:20 +00:00
|
|
|
if (filter == NULL) {
|
|
|
|
mutex_unlock(&pfk->dump_lock);
|
2014-02-14 14:30:36 +00:00
|
|
|
return -ENOMEM;
|
2017-03-31 07:10:20 +00:00
|
|
|
}
|
2014-02-14 14:30:36 +00:00
|
|
|
|
|
|
|
memcpy(&filter->saddr, &xfilter->sadb_x_filter_saddr,
|
|
|
|
sizeof(xfrm_address_t));
|
|
|
|
memcpy(&filter->daddr, &xfilter->sadb_x_filter_daddr,
|
|
|
|
sizeof(xfrm_address_t));
|
|
|
|
filter->family = xfilter->sadb_x_filter_family;
|
|
|
|
filter->splen = xfilter->sadb_x_filter_splen;
|
|
|
|
filter->dplen = xfilter->sadb_x_filter_dplen;
|
|
|
|
}
|
|
|
|
|
2008-03-04 07:40:12 +00:00
|
|
|
pfk->dump.msg_version = hdr->sadb_msg_version;
|
2012-09-07 20:12:54 +00:00
|
|
|
pfk->dump.msg_portid = hdr->sadb_msg_pid;
|
2008-03-04 07:40:12 +00:00
|
|
|
pfk->dump.dump = pfkey_dump_sa;
|
|
|
|
pfk->dump.done = pfkey_dump_sa_done;
|
2014-02-14 14:30:36 +00:00
|
|
|
xfrm_state_walk_init(&pfk->dump.u.state, proto, filter);
|
2017-03-31 07:10:20 +00:00
|
|
|
mutex_unlock(&pfk->dump_lock);
|
2008-02-29 05:31:08 +00:00
|
|
|
|
2008-03-04 07:40:12 +00:00
|
|
|
return pfkey_do_dump(pfk);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_promisc(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct pfkey_sock *pfk = pfkey_sk(sk);
|
|
|
|
int satype = hdr->sadb_msg_satype;
|
2011-02-26 02:07:06 +00:00
|
|
|
bool reset_errno = false;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
if (hdr->sadb_msg_len == (sizeof(*hdr) / sizeof(uint64_t))) {
|
2011-02-26 02:07:06 +00:00
|
|
|
reset_errno = true;
|
2005-04-16 22:20:36 +00:00
|
|
|
if (satype != 0 && satype != 1)
|
|
|
|
return -EINVAL;
|
|
|
|
pfk->promisc = satype;
|
|
|
|
}
|
2011-02-26 02:07:06 +00:00
|
|
|
if (reset_errno && skb_cloned(skb))
|
|
|
|
skb = skb_copy(skb, GFP_KERNEL);
|
|
|
|
else
|
|
|
|
skb = skb_clone(skb, GFP_KERNEL);
|
|
|
|
|
|
|
|
if (reset_errno && skb) {
|
|
|
|
struct sadb_msg *new_hdr = (struct sadb_msg *) skb->data;
|
|
|
|
new_hdr->sadb_msg_errno = 0;
|
|
|
|
}
|
|
|
|
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ALL, NULL, sock_net(sk));
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int check_reqid(struct xfrm_policy *xp, int dir, int count, void *ptr)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
u32 reqid = *(u32*)ptr;
|
|
|
|
|
|
|
|
for (i=0; i<xp->xfrm_nr; i++) {
|
|
|
|
if (xp->xfrm_vec[i].reqid == reqid)
|
|
|
|
return -EEXIST;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-11-26 01:58:31 +00:00
|
|
|
static u32 gen_reqid(struct net *net)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-02-29 05:31:08 +00:00
|
|
|
struct xfrm_policy_walk walk;
|
2005-04-16 22:20:36 +00:00
|
|
|
u32 start;
|
2008-02-29 05:31:08 +00:00
|
|
|
int rc;
|
2005-04-16 22:20:36 +00:00
|
|
|
static u32 reqid = IPSEC_MANUAL_REQID_MAX;
|
|
|
|
|
|
|
|
start = reqid;
|
|
|
|
do {
|
|
|
|
++reqid;
|
|
|
|
if (reqid == 0)
|
|
|
|
reqid = IPSEC_MANUAL_REQID_MAX+1;
|
2008-02-29 05:31:08 +00:00
|
|
|
xfrm_policy_walk_init(&walk, XFRM_POLICY_TYPE_MAIN);
|
2008-11-26 01:58:31 +00:00
|
|
|
rc = xfrm_policy_walk(net, &walk, check_reqid, (void*)&reqid);
|
2013-11-07 09:47:50 +00:00
|
|
|
xfrm_policy_walk_done(&walk, net);
|
2008-02-29 05:31:08 +00:00
|
|
|
if (rc != -EEXIST)
|
2005-04-16 22:20:36 +00:00
|
|
|
return reqid;
|
|
|
|
} while (reqid != start);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
|
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = xp_net(xp);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct xfrm_tmpl *t = xp->xfrm_vec + xp->xfrm_nr;
|
2007-04-17 19:32:20 +00:00
|
|
|
int mode;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
if (xp->xfrm_nr >= XFRM_MAX_DEPTH)
|
|
|
|
return -ELOOP;
|
|
|
|
|
|
|
|
if (rq->sadb_x_ipsecrequest_mode == 0)
|
|
|
|
return -EINVAL;
|
2019-03-22 23:26:19 +00:00
|
|
|
if (!xfrm_id_proto_valid(rq->sadb_x_ipsecrequest_proto))
|
|
|
|
return -EINVAL;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2019-03-22 23:26:19 +00:00
|
|
|
t->id.proto = rq->sadb_x_ipsecrequest_proto;
|
2007-04-17 19:32:20 +00:00
|
|
|
if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0)
|
|
|
|
return -EINVAL;
|
|
|
|
t->mode = mode;
|
2005-04-16 22:20:36 +00:00
|
|
|
if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE)
|
|
|
|
t->optional = 1;
|
|
|
|
else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) {
|
|
|
|
t->reqid = rq->sadb_x_ipsecrequest_reqid;
|
|
|
|
if (t->reqid > IPSEC_MANUAL_REQID_MAX)
|
|
|
|
t->reqid = 0;
|
2008-11-26 01:58:31 +00:00
|
|
|
if (!t->reqid && !(t->reqid = gen_reqid(net)))
|
2005-04-16 22:20:36 +00:00
|
|
|
return -ENOBUFS;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* addresses present only in tunnel mode */
|
2006-09-22 22:05:15 +00:00
|
|
|
if (t->mode == XFRM_MODE_TUNNEL) {
|
2017-04-13 10:35:59 +00:00
|
|
|
int err;
|
2008-04-27 17:46:24 +00:00
|
|
|
|
2017-04-13 10:35:59 +00:00
|
|
|
err = parse_sockaddr_pair(
|
|
|
|
(struct sockaddr *)(rq + 1),
|
|
|
|
rq->sadb_x_ipsecrequest_len - sizeof(*rq),
|
|
|
|
&t->saddr, &t->id.daddr, &t->encap_family);
|
|
|
|
if (err)
|
|
|
|
return err;
|
2006-12-01 00:41:50 +00:00
|
|
|
} else
|
|
|
|
t->encap_family = xp->family;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* No way to set this via kame pfkey */
|
2008-04-22 07:46:42 +00:00
|
|
|
t->allalgs = 1;
|
2005-04-16 22:20:36 +00:00
|
|
|
xp->xfrm_nr++;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
int len = pol->sadb_x_policy_len*8 - sizeof(struct sadb_x_policy);
|
|
|
|
struct sadb_x_ipsecrequest *rq = (void*)(pol+1);
|
|
|
|
|
2012-09-27 22:21:19 +00:00
|
|
|
if (pol->sadb_x_policy_len * 8 < sizeof(struct sadb_x_policy))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2017-04-13 10:35:59 +00:00
|
|
|
while (len >= sizeof(*rq)) {
|
|
|
|
if (len < rq->sadb_x_ipsecrequest_len ||
|
|
|
|
rq->sadb_x_ipsecrequest_len < sizeof(*rq))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if ((err = parse_ipsecrequest(xp, rq)) < 0)
|
|
|
|
return err;
|
|
|
|
len -= rq->sadb_x_ipsecrequest_len;
|
|
|
|
rq = (void*)((u8*)rq + rq->sadb_x_ipsecrequest_len);
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static inline int pfkey_xfrm_policy2sec_ctx_size(const struct xfrm_policy *xp)
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
{
|
2018-11-13 14:23:28 +00:00
|
|
|
struct xfrm_sec_ctx *xfrm_ctx = xp->security;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
|
|
|
|
if (xfrm_ctx) {
|
|
|
|
int len = sizeof(struct sadb_x_sec_ctx);
|
|
|
|
len += xfrm_ctx->ctx_len;
|
|
|
|
return PFKEY_ALIGN8(len);
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_xfrm_policy2msg_size(const struct xfrm_policy *xp)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct xfrm_tmpl *t;
|
2005-04-16 22:20:36 +00:00
|
|
|
int sockaddr_size = pfkey_sockaddr_size(xp->family);
|
2006-12-01 00:41:50 +00:00
|
|
|
int socklen = 0;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i=0; i<xp->xfrm_nr; i++) {
|
|
|
|
t = xp->xfrm_vec + i;
|
2008-04-27 15:50:45 +00:00
|
|
|
socklen += pfkey_sockaddr_len(t->encap_family);
|
2006-12-01 00:41:50 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
return sizeof(struct sadb_msg) +
|
|
|
|
(sizeof(struct sadb_lifetime) * 3) +
|
2007-02-09 14:24:58 +00:00
|
|
|
(sizeof(struct sadb_address) * 2) +
|
2005-04-16 22:20:36 +00:00
|
|
|
(sockaddr_size * 2) +
|
|
|
|
sizeof(struct sadb_x_policy) +
|
2006-12-01 00:41:50 +00:00
|
|
|
(xp->xfrm_nr * sizeof(struct sadb_x_ipsecrequest)) +
|
|
|
|
(socklen * 2) +
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
pfkey_xfrm_policy2sec_ctx_size(xp);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static struct sk_buff * pfkey_xfrm_policy2msg_prep(const struct xfrm_policy *xp)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
int size;
|
|
|
|
|
|
|
|
size = pfkey_xfrm_policy2msg_size(xp);
|
|
|
|
|
|
|
|
skb = alloc_skb(size + 16, GFP_ATOMIC);
|
|
|
|
if (skb == NULL)
|
|
|
|
return ERR_PTR(-ENOBUFS);
|
|
|
|
|
|
|
|
return skb;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_xfrm_policy2msg(struct sk_buff *skb, const struct xfrm_policy *xp, int dir)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct sadb_msg *hdr;
|
|
|
|
struct sadb_address *addr;
|
|
|
|
struct sadb_lifetime *lifetime;
|
|
|
|
struct sadb_x_policy *pol;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
struct sadb_x_sec_ctx *sec_ctx;
|
|
|
|
struct xfrm_sec_ctx *xfrm_ctx;
|
2005-04-16 22:20:36 +00:00
|
|
|
int i;
|
|
|
|
int size;
|
|
|
|
int sockaddr_size = pfkey_sockaddr_size(xp->family);
|
2008-04-27 15:50:45 +00:00
|
|
|
int socklen = pfkey_sockaddr_len(xp->family);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
size = pfkey_xfrm_policy2msg_size(xp);
|
|
|
|
|
|
|
|
/* call should fill header later */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
hdr = skb_put(skb, sizeof(struct sadb_msg));
|
2005-04-16 22:20:36 +00:00
|
|
|
memset(hdr, 0, size); /* XXX do we need this ? */
|
|
|
|
|
|
|
|
/* src address */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
addr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);
|
2007-02-09 14:24:58 +00:00
|
|
|
addr->sadb_address_len =
|
2005-04-16 22:20:36 +00:00
|
|
|
(sizeof(struct sadb_address)+sockaddr_size)/
|
|
|
|
sizeof(uint64_t);
|
|
|
|
addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
|
|
|
|
addr->sadb_address_proto = pfkey_proto_from_xfrm(xp->selector.proto);
|
|
|
|
addr->sadb_address_prefixlen = xp->selector.prefixlen_s;
|
|
|
|
addr->sadb_address_reserved = 0;
|
2008-04-27 16:46:41 +00:00
|
|
|
if (!pfkey_sockaddr_fill(&xp->selector.saddr,
|
|
|
|
xp->selector.sport,
|
|
|
|
(struct sockaddr *) (addr + 1),
|
|
|
|
xp->family))
|
2005-04-16 22:20:36 +00:00
|
|
|
BUG();
|
|
|
|
|
|
|
|
/* dst address */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
addr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);
|
2005-04-16 22:20:36 +00:00
|
|
|
addr->sadb_address_len =
|
|
|
|
(sizeof(struct sadb_address)+sockaddr_size)/
|
|
|
|
sizeof(uint64_t);
|
|
|
|
addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
|
|
|
|
addr->sadb_address_proto = pfkey_proto_from_xfrm(xp->selector.proto);
|
2007-02-09 14:24:58 +00:00
|
|
|
addr->sadb_address_prefixlen = xp->selector.prefixlen_d;
|
2005-04-16 22:20:36 +00:00
|
|
|
addr->sadb_address_reserved = 0;
|
2008-04-27 16:46:41 +00:00
|
|
|
|
|
|
|
pfkey_sockaddr_fill(&xp->selector.daddr, xp->selector.dport,
|
|
|
|
(struct sockaddr *) (addr + 1),
|
|
|
|
xp->family);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
/* hard time */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
lifetime = skb_put(skb, sizeof(struct sadb_lifetime));
|
2005-04-16 22:20:36 +00:00
|
|
|
lifetime->sadb_lifetime_len =
|
|
|
|
sizeof(struct sadb_lifetime)/sizeof(uint64_t);
|
|
|
|
lifetime->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
|
|
|
|
lifetime->sadb_lifetime_allocations = _X2KEY(xp->lft.hard_packet_limit);
|
|
|
|
lifetime->sadb_lifetime_bytes = _X2KEY(xp->lft.hard_byte_limit);
|
|
|
|
lifetime->sadb_lifetime_addtime = xp->lft.hard_add_expires_seconds;
|
|
|
|
lifetime->sadb_lifetime_usetime = xp->lft.hard_use_expires_seconds;
|
|
|
|
/* soft time */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
lifetime = skb_put(skb, sizeof(struct sadb_lifetime));
|
2005-04-16 22:20:36 +00:00
|
|
|
lifetime->sadb_lifetime_len =
|
|
|
|
sizeof(struct sadb_lifetime)/sizeof(uint64_t);
|
|
|
|
lifetime->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT;
|
|
|
|
lifetime->sadb_lifetime_allocations = _X2KEY(xp->lft.soft_packet_limit);
|
|
|
|
lifetime->sadb_lifetime_bytes = _X2KEY(xp->lft.soft_byte_limit);
|
|
|
|
lifetime->sadb_lifetime_addtime = xp->lft.soft_add_expires_seconds;
|
|
|
|
lifetime->sadb_lifetime_usetime = xp->lft.soft_use_expires_seconds;
|
|
|
|
/* current time */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
lifetime = skb_put(skb, sizeof(struct sadb_lifetime));
|
2005-04-16 22:20:36 +00:00
|
|
|
lifetime->sadb_lifetime_len =
|
|
|
|
sizeof(struct sadb_lifetime)/sizeof(uint64_t);
|
|
|
|
lifetime->sadb_lifetime_exttype = SADB_EXT_LIFETIME_CURRENT;
|
|
|
|
lifetime->sadb_lifetime_allocations = xp->curlft.packets;
|
|
|
|
lifetime->sadb_lifetime_bytes = xp->curlft.bytes;
|
|
|
|
lifetime->sadb_lifetime_addtime = xp->curlft.add_time;
|
|
|
|
lifetime->sadb_lifetime_usetime = xp->curlft.use_time;
|
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
pol = skb_put(skb, sizeof(struct sadb_x_policy));
|
2005-04-16 22:20:36 +00:00
|
|
|
pol->sadb_x_policy_len = sizeof(struct sadb_x_policy)/sizeof(uint64_t);
|
|
|
|
pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
|
|
|
|
pol->sadb_x_policy_type = IPSEC_POLICY_DISCARD;
|
|
|
|
if (xp->action == XFRM_POLICY_ALLOW) {
|
|
|
|
if (xp->xfrm_nr)
|
|
|
|
pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
|
|
|
|
else
|
|
|
|
pol->sadb_x_policy_type = IPSEC_POLICY_NONE;
|
|
|
|
}
|
|
|
|
pol->sadb_x_policy_dir = dir+1;
|
2013-07-28 20:04:45 +00:00
|
|
|
pol->sadb_x_policy_reserved = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
pol->sadb_x_policy_id = xp->index;
|
|
|
|
pol->sadb_x_policy_priority = xp->priority;
|
|
|
|
|
|
|
|
for (i=0; i<xp->xfrm_nr; i++) {
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct xfrm_tmpl *t = xp->xfrm_vec + i;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct sadb_x_ipsecrequest *rq;
|
|
|
|
int req_size;
|
2007-04-17 19:32:20 +00:00
|
|
|
int mode;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
req_size = sizeof(struct sadb_x_ipsecrequest);
|
2008-04-27 16:46:41 +00:00
|
|
|
if (t->mode == XFRM_MODE_TUNNEL) {
|
|
|
|
socklen = pfkey_sockaddr_len(t->encap_family);
|
|
|
|
req_size += socklen * 2;
|
|
|
|
} else {
|
2005-04-16 22:20:36 +00:00
|
|
|
size -= 2*socklen;
|
2008-04-27 16:46:41 +00:00
|
|
|
}
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
rq = skb_put(skb, req_size);
|
2005-04-16 22:20:36 +00:00
|
|
|
pol->sadb_x_policy_len += req_size/8;
|
|
|
|
memset(rq, 0, sizeof(*rq));
|
|
|
|
rq->sadb_x_ipsecrequest_len = req_size;
|
|
|
|
rq->sadb_x_ipsecrequest_proto = t->id.proto;
|
2007-04-17 19:32:20 +00:00
|
|
|
if ((mode = pfkey_mode_from_xfrm(t->mode)) < 0)
|
|
|
|
return -EINVAL;
|
2007-04-18 04:48:10 +00:00
|
|
|
rq->sadb_x_ipsecrequest_mode = mode;
|
2005-04-16 22:20:36 +00:00
|
|
|
rq->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
|
|
|
|
if (t->reqid)
|
|
|
|
rq->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
|
|
|
|
if (t->optional)
|
|
|
|
rq->sadb_x_ipsecrequest_level = IPSEC_LEVEL_USE;
|
|
|
|
rq->sadb_x_ipsecrequest_reqid = t->reqid;
|
2008-04-27 16:46:41 +00:00
|
|
|
|
2006-09-22 22:05:15 +00:00
|
|
|
if (t->mode == XFRM_MODE_TUNNEL) {
|
2008-04-27 16:46:41 +00:00
|
|
|
u8 *sa = (void *)(rq + 1);
|
|
|
|
pfkey_sockaddr_fill(&t->saddr, 0,
|
|
|
|
(struct sockaddr *)sa,
|
|
|
|
t->encap_family);
|
|
|
|
pfkey_sockaddr_fill(&t->id.daddr, 0,
|
|
|
|
(struct sockaddr *) (sa + socklen),
|
|
|
|
t->encap_family);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
}
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
|
|
|
|
/* security context */
|
|
|
|
if ((xfrm_ctx = xp->security)) {
|
|
|
|
int ctx_size = pfkey_xfrm_policy2sec_ctx_size(xp);
|
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
sec_ctx = skb_put(skb, ctx_size);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
sec_ctx->sadb_x_sec_len = ctx_size / sizeof(uint64_t);
|
|
|
|
sec_ctx->sadb_x_sec_exttype = SADB_X_EXT_SEC_CTX;
|
|
|
|
sec_ctx->sadb_x_ctx_doi = xfrm_ctx->ctx_doi;
|
|
|
|
sec_ctx->sadb_x_ctx_alg = xfrm_ctx->ctx_alg;
|
|
|
|
sec_ctx->sadb_x_ctx_len = xfrm_ctx->ctx_len;
|
|
|
|
memcpy(sec_ctx + 1, xfrm_ctx->ctx_str,
|
|
|
|
xfrm_ctx->ctx_len);
|
|
|
|
}
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
hdr->sadb_msg_len = size / sizeof(uint64_t);
|
2017-07-04 12:53:22 +00:00
|
|
|
hdr->sadb_msg_reserved = refcount_read(&xp->refcnt);
|
2007-04-17 19:32:20 +00:00
|
|
|
|
|
|
|
return 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-24 05:02:38 +00:00
|
|
|
static int key_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c)
|
2005-06-19 05:42:13 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *out_skb;
|
|
|
|
struct sadb_msg *out_hdr;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
out_skb = pfkey_xfrm_policy2msg_prep(xp);
|
2010-03-24 01:47:00 +00:00
|
|
|
if (IS_ERR(out_skb))
|
|
|
|
return PTR_ERR(out_skb);
|
|
|
|
|
2007-04-17 19:32:20 +00:00
|
|
|
err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
|
2018-01-10 08:33:26 +00:00
|
|
|
if (err < 0) {
|
|
|
|
kfree_skb(out_skb);
|
2007-04-17 19:32:20 +00:00
|
|
|
return err;
|
2018-01-10 08:33:26 +00:00
|
|
|
}
|
2005-06-19 05:42:13 +00:00
|
|
|
|
|
|
|
out_hdr = (struct sadb_msg *) out_skb->data;
|
|
|
|
out_hdr->sadb_msg_version = PF_KEY_V2;
|
|
|
|
|
2005-06-19 05:44:37 +00:00
|
|
|
if (c->data.byid && c->event == XFRM_MSG_DELPOLICY)
|
2005-06-19 05:42:13 +00:00
|
|
|
out_hdr->sadb_msg_type = SADB_X_SPDDELETE2;
|
|
|
|
else
|
|
|
|
out_hdr->sadb_msg_type = event2poltype(c->event);
|
|
|
|
out_hdr->sadb_msg_errno = 0;
|
|
|
|
out_hdr->sadb_msg_seq = c->seq;
|
2012-09-07 20:12:54 +00:00
|
|
|
out_hdr->sadb_msg_pid = c->portid;
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ALL, NULL, xp_net(xp));
|
2005-06-19 05:42:13 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(sk);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
int err = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct sadb_lifetime *lifetime;
|
|
|
|
struct sadb_address *sa;
|
|
|
|
struct sadb_x_policy *pol;
|
|
|
|
struct xfrm_policy *xp;
|
2005-06-19 05:42:13 +00:00
|
|
|
struct km_event c;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
struct sadb_x_sec_ctx *sec_ctx;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
|
|
|
|
ext_hdrs[SADB_EXT_ADDRESS_DST-1]) ||
|
|
|
|
!ext_hdrs[SADB_X_EXT_POLICY-1])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
pol = ext_hdrs[SADB_X_EXT_POLICY-1];
|
|
|
|
if (pol->sadb_x_policy_type > IPSEC_POLICY_IPSEC)
|
|
|
|
return -EINVAL;
|
|
|
|
if (!pol->sadb_x_policy_dir || pol->sadb_x_policy_dir >= IPSEC_DIR_MAX)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2008-11-26 01:58:31 +00:00
|
|
|
xp = xfrm_policy_alloc(net, GFP_KERNEL);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (xp == NULL)
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
|
|
|
xp->action = (pol->sadb_x_policy_type == IPSEC_POLICY_DISCARD ?
|
|
|
|
XFRM_POLICY_BLOCK : XFRM_POLICY_ALLOW);
|
|
|
|
xp->priority = pol->sadb_x_policy_priority;
|
|
|
|
|
2013-03-06 20:48:47 +00:00
|
|
|
sa = ext_hdrs[SADB_EXT_ADDRESS_SRC-1];
|
2005-04-16 22:20:36 +00:00
|
|
|
xp->family = pfkey_sadb_addr2xfrm_addr(sa, &xp->selector.saddr);
|
|
|
|
xp->selector.family = xp->family;
|
|
|
|
xp->selector.prefixlen_s = sa->sadb_address_prefixlen;
|
|
|
|
xp->selector.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
|
|
|
|
xp->selector.sport = ((struct sockaddr_in *)(sa+1))->sin_port;
|
|
|
|
if (xp->selector.sport)
|
2006-09-28 01:46:11 +00:00
|
|
|
xp->selector.sport_mask = htons(0xffff);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2013-03-06 20:48:47 +00:00
|
|
|
sa = ext_hdrs[SADB_EXT_ADDRESS_DST-1];
|
2005-04-16 22:20:36 +00:00
|
|
|
pfkey_sadb_addr2xfrm_addr(sa, &xp->selector.daddr);
|
|
|
|
xp->selector.prefixlen_d = sa->sadb_address_prefixlen;
|
|
|
|
|
|
|
|
/* Amusing, we set this twice. KAME apps appear to set same value
|
|
|
|
* in both addresses.
|
|
|
|
*/
|
|
|
|
xp->selector.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
|
|
|
|
|
|
|
|
xp->selector.dport = ((struct sockaddr_in *)(sa+1))->sin_port;
|
|
|
|
if (xp->selector.dport)
|
2006-09-28 01:46:11 +00:00
|
|
|
xp->selector.dport_mask = htons(0xffff);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2011-06-13 16:21:26 +00:00
|
|
|
sec_ctx = ext_hdrs[SADB_X_EXT_SEC_CTX - 1];
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
if (sec_ctx != NULL) {
|
2014-03-07 11:44:18 +00:00
|
|
|
struct xfrm_user_sec_ctx *uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx, GFP_KERNEL);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
|
|
|
|
if (!uctx) {
|
|
|
|
err = -ENOBUFS;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2014-03-07 11:44:19 +00:00
|
|
|
err = security_xfrm_policy_alloc(&xp->security, uctx, GFP_KERNEL);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
kfree(uctx);
|
|
|
|
|
|
|
|
if (err)
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
xp->lft.soft_byte_limit = XFRM_INF;
|
|
|
|
xp->lft.hard_byte_limit = XFRM_INF;
|
|
|
|
xp->lft.soft_packet_limit = XFRM_INF;
|
|
|
|
xp->lft.hard_packet_limit = XFRM_INF;
|
|
|
|
if ((lifetime = ext_hdrs[SADB_EXT_LIFETIME_HARD-1]) != NULL) {
|
|
|
|
xp->lft.hard_packet_limit = _KEY2X(lifetime->sadb_lifetime_allocations);
|
|
|
|
xp->lft.hard_byte_limit = _KEY2X(lifetime->sadb_lifetime_bytes);
|
|
|
|
xp->lft.hard_add_expires_seconds = lifetime->sadb_lifetime_addtime;
|
|
|
|
xp->lft.hard_use_expires_seconds = lifetime->sadb_lifetime_usetime;
|
|
|
|
}
|
|
|
|
if ((lifetime = ext_hdrs[SADB_EXT_LIFETIME_SOFT-1]) != NULL) {
|
|
|
|
xp->lft.soft_packet_limit = _KEY2X(lifetime->sadb_lifetime_allocations);
|
|
|
|
xp->lft.soft_byte_limit = _KEY2X(lifetime->sadb_lifetime_bytes);
|
|
|
|
xp->lft.soft_add_expires_seconds = lifetime->sadb_lifetime_addtime;
|
|
|
|
xp->lft.soft_use_expires_seconds = lifetime->sadb_lifetime_usetime;
|
|
|
|
}
|
|
|
|
xp->xfrm_nr = 0;
|
|
|
|
if (pol->sadb_x_policy_type == IPSEC_POLICY_IPSEC &&
|
|
|
|
(err = parse_ipsecrequests(xp, pol)) < 0)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp,
|
|
|
|
hdr->sadb_msg_type != SADB_X_SPDUPDATE);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
|
2014-04-22 12:48:30 +00:00
|
|
|
xfrm_audit_policy_add(xp, err ? 0 : 1, true);
|
2006-11-27 19:11:54 +00:00
|
|
|
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
if (err)
|
|
|
|
goto out;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
if (hdr->sadb_msg_type == SADB_X_SPDUPDATE)
|
2005-06-19 05:44:37 +00:00
|
|
|
c.event = XFRM_MSG_UPDPOLICY;
|
2007-02-09 14:24:58 +00:00
|
|
|
else
|
2005-06-19 05:44:37 +00:00
|
|
|
c.event = XFRM_MSG_NEWPOLICY;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
c.seq = hdr->sadb_msg_seq;
|
2012-09-07 20:12:54 +00:00
|
|
|
c.portid = hdr->sadb_msg_pid;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
km_policy_notify(xp, pol->sadb_x_policy_dir-1, &c);
|
|
|
|
xfrm_pol_put(xp);
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
out:
|
2008-10-01 14:03:24 +00:00
|
|
|
xp->walk.dead = 1;
|
2008-01-08 06:34:29 +00:00
|
|
|
xfrm_policy_destroy(xp);
|
2005-04-16 22:20:36 +00:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
int err;
|
|
|
|
struct sadb_address *sa;
|
|
|
|
struct sadb_x_policy *pol;
|
2008-04-13 02:07:52 +00:00
|
|
|
struct xfrm_policy *xp;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct xfrm_selector sel;
|
2005-06-19 05:42:13 +00:00
|
|
|
struct km_event c;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
struct sadb_x_sec_ctx *sec_ctx;
|
2008-04-25 03:38:31 +00:00
|
|
|
struct xfrm_sec_ctx *pol_ctx = NULL;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
|
|
|
|
ext_hdrs[SADB_EXT_ADDRESS_DST-1]) ||
|
|
|
|
!ext_hdrs[SADB_X_EXT_POLICY-1])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
pol = ext_hdrs[SADB_X_EXT_POLICY-1];
|
|
|
|
if (!pol->sadb_x_policy_dir || pol->sadb_x_policy_dir >= IPSEC_DIR_MAX)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
memset(&sel, 0, sizeof(sel));
|
|
|
|
|
2013-03-06 20:48:47 +00:00
|
|
|
sa = ext_hdrs[SADB_EXT_ADDRESS_SRC-1];
|
2005-04-16 22:20:36 +00:00
|
|
|
sel.family = pfkey_sadb_addr2xfrm_addr(sa, &sel.saddr);
|
|
|
|
sel.prefixlen_s = sa->sadb_address_prefixlen;
|
|
|
|
sel.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
|
|
|
|
sel.sport = ((struct sockaddr_in *)(sa+1))->sin_port;
|
|
|
|
if (sel.sport)
|
2006-09-28 01:46:11 +00:00
|
|
|
sel.sport_mask = htons(0xffff);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2013-03-06 20:48:47 +00:00
|
|
|
sa = ext_hdrs[SADB_EXT_ADDRESS_DST-1];
|
2005-04-16 22:20:36 +00:00
|
|
|
pfkey_sadb_addr2xfrm_addr(sa, &sel.daddr);
|
|
|
|
sel.prefixlen_d = sa->sadb_address_prefixlen;
|
|
|
|
sel.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
|
|
|
|
sel.dport = ((struct sockaddr_in *)(sa+1))->sin_port;
|
|
|
|
if (sel.dport)
|
2006-09-28 01:46:11 +00:00
|
|
|
sel.dport_mask = htons(0xffff);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2011-06-13 16:21:26 +00:00
|
|
|
sec_ctx = ext_hdrs[SADB_X_EXT_SEC_CTX - 1];
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
if (sec_ctx != NULL) {
|
2014-03-07 11:44:18 +00:00
|
|
|
struct xfrm_user_sec_ctx *uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx, GFP_KERNEL);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
|
|
|
|
if (!uctx)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2014-03-07 11:44:19 +00:00
|
|
|
err = security_xfrm_policy_alloc(&pol_ctx, uctx, GFP_KERNEL);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
kfree(uctx);
|
|
|
|
if (err)
|
|
|
|
return err;
|
2008-04-25 03:38:31 +00:00
|
|
|
}
|
2006-11-27 19:11:54 +00:00
|
|
|
|
2020-06-22 08:40:29 +00:00
|
|
|
xp = xfrm_policy_bysel_ctx(net, &dummy_mark, 0, XFRM_POLICY_TYPE_MAIN,
|
2008-04-13 02:07:52 +00:00
|
|
|
pol->sadb_x_policy_dir - 1, &sel, pol_ctx,
|
|
|
|
1, &err);
|
|
|
|
security_xfrm_policy_free(pol_ctx);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (xp == NULL)
|
|
|
|
return -ENOENT;
|
|
|
|
|
2014-04-22 12:48:30 +00:00
|
|
|
xfrm_audit_policy_delete(xp, err ? 0 : 1, true);
|
2007-02-12 21:53:54 +00:00
|
|
|
|
|
|
|
if (err)
|
2006-06-09 06:39:49 +00:00
|
|
|
goto out;
|
2007-02-12 21:53:54 +00:00
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
c.seq = hdr->sadb_msg_seq;
|
2012-09-07 20:12:54 +00:00
|
|
|
c.portid = hdr->sadb_msg_pid;
|
2008-10-10 21:07:03 +00:00
|
|
|
c.data.byid = 0;
|
2005-06-19 05:44:37 +00:00
|
|
|
c.event = XFRM_MSG_DELPOLICY;
|
2005-06-19 05:42:13 +00:00
|
|
|
km_policy_notify(xp, pol->sadb_x_policy_dir-1, &c);
|
|
|
|
|
2006-06-09 06:39:49 +00:00
|
|
|
out:
|
2005-06-19 05:42:13 +00:00
|
|
|
xfrm_pol_put(xp);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struct sadb_msg *hdr, int dir)
|
2005-06-19 05:42:13 +00:00
|
|
|
{
|
|
|
|
int err;
|
|
|
|
struct sk_buff *out_skb;
|
|
|
|
struct sadb_msg *out_hdr;
|
|
|
|
err = 0;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
out_skb = pfkey_xfrm_policy2msg_prep(xp);
|
|
|
|
if (IS_ERR(out_skb)) {
|
|
|
|
err = PTR_ERR(out_skb);
|
|
|
|
goto out;
|
|
|
|
}
|
2007-04-17 19:32:20 +00:00
|
|
|
err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
|
2019-05-25 18:09:35 +00:00
|
|
|
if (err < 0) {
|
|
|
|
kfree_skb(out_skb);
|
2007-04-17 19:32:20 +00:00
|
|
|
goto out;
|
2019-05-25 18:09:35 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
out_hdr = (struct sadb_msg *) out_skb->data;
|
|
|
|
out_hdr->sadb_msg_version = hdr->sadb_msg_version;
|
2005-06-19 05:42:13 +00:00
|
|
|
out_hdr->sadb_msg_type = hdr->sadb_msg_type;
|
2005-04-16 22:20:36 +00:00
|
|
|
out_hdr->sadb_msg_satype = 0;
|
|
|
|
out_hdr->sadb_msg_errno = 0;
|
|
|
|
out_hdr->sadb_msg_seq = hdr->sadb_msg_seq;
|
|
|
|
out_hdr->sadb_msg_pid = hdr->sadb_msg_pid;
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_ONE, sk, xp_net(xp));
|
2005-04-16 22:20:36 +00:00
|
|
|
err = 0;
|
|
|
|
|
|
|
|
out:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2007-02-08 21:14:33 +00:00
|
|
|
static int pfkey_sockaddr_pair_size(sa_family_t family)
|
|
|
|
{
|
2008-04-27 15:50:45 +00:00
|
|
|
return PFKEY_ALIGN8(pfkey_sockaddr_len(family) * 2);
|
2007-02-08 21:14:33 +00:00
|
|
|
}
|
|
|
|
|
2008-10-05 20:33:42 +00:00
|
|
|
static int parse_sockaddr_pair(struct sockaddr *sa, int ext_len,
|
2007-02-08 21:14:33 +00:00
|
|
|
xfrm_address_t *saddr, xfrm_address_t *daddr,
|
|
|
|
u16 *family)
|
|
|
|
{
|
2008-04-27 17:46:24 +00:00
|
|
|
int af, socklen;
|
|
|
|
|
2017-04-13 10:35:59 +00:00
|
|
|
if (ext_len < 2 || ext_len < pfkey_sockaddr_pair_size(sa->sa_family))
|
2007-02-08 21:14:33 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
2008-10-05 20:33:42 +00:00
|
|
|
af = pfkey_sockaddr_extract(sa, saddr);
|
2008-04-27 17:46:24 +00:00
|
|
|
if (!af)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
socklen = pfkey_sockaddr_len(af);
|
2008-10-05 20:33:42 +00:00
|
|
|
if (pfkey_sockaddr_extract((struct sockaddr *) (((u8 *)sa) + socklen),
|
2008-04-27 17:46:24 +00:00
|
|
|
daddr) != af)
|
2007-02-08 21:14:33 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
2008-04-27 17:46:24 +00:00
|
|
|
*family = af;
|
2007-02-08 21:14:33 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-04-13 10:35:59 +00:00
|
|
|
#ifdef CONFIG_NET_KEY_MIGRATE
|
2007-02-08 21:14:33 +00:00
|
|
|
static int ipsecrequests_to_migrate(struct sadb_x_ipsecrequest *rq1, int len,
|
|
|
|
struct xfrm_migrate *m)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
struct sadb_x_ipsecrequest *rq2;
|
2007-04-17 19:32:20 +00:00
|
|
|
int mode;
|
2007-02-08 21:14:33 +00:00
|
|
|
|
2017-04-13 10:35:59 +00:00
|
|
|
if (len < sizeof(*rq1) ||
|
|
|
|
len < rq1->sadb_x_ipsecrequest_len ||
|
|
|
|
rq1->sadb_x_ipsecrequest_len < sizeof(*rq1))
|
2007-02-08 21:14:33 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
/* old endoints */
|
2008-10-05 20:33:42 +00:00
|
|
|
err = parse_sockaddr_pair((struct sockaddr *)(rq1 + 1),
|
2017-04-13 10:35:59 +00:00
|
|
|
rq1->sadb_x_ipsecrequest_len - sizeof(*rq1),
|
2008-10-05 20:33:42 +00:00
|
|
|
&m->old_saddr, &m->old_daddr,
|
2007-02-08 21:14:33 +00:00
|
|
|
&m->old_family);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
rq2 = (struct sadb_x_ipsecrequest *)((u8 *)rq1 + rq1->sadb_x_ipsecrequest_len);
|
|
|
|
len -= rq1->sadb_x_ipsecrequest_len;
|
|
|
|
|
2017-04-13 10:35:59 +00:00
|
|
|
if (len <= sizeof(*rq2) ||
|
|
|
|
len < rq2->sadb_x_ipsecrequest_len ||
|
|
|
|
rq2->sadb_x_ipsecrequest_len < sizeof(*rq2))
|
2007-02-08 21:14:33 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
/* new endpoints */
|
2008-10-05 20:33:42 +00:00
|
|
|
err = parse_sockaddr_pair((struct sockaddr *)(rq2 + 1),
|
2017-04-13 10:35:59 +00:00
|
|
|
rq2->sadb_x_ipsecrequest_len - sizeof(*rq2),
|
2008-10-05 20:33:42 +00:00
|
|
|
&m->new_saddr, &m->new_daddr,
|
2007-02-08 21:14:33 +00:00
|
|
|
&m->new_family);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
if (rq1->sadb_x_ipsecrequest_proto != rq2->sadb_x_ipsecrequest_proto ||
|
|
|
|
rq1->sadb_x_ipsecrequest_mode != rq2->sadb_x_ipsecrequest_mode ||
|
|
|
|
rq1->sadb_x_ipsecrequest_reqid != rq2->sadb_x_ipsecrequest_reqid)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
m->proto = rq1->sadb_x_ipsecrequest_proto;
|
2007-04-17 19:32:20 +00:00
|
|
|
if ((mode = pfkey_mode_to_xfrm(rq1->sadb_x_ipsecrequest_mode)) < 0)
|
|
|
|
return -EINVAL;
|
|
|
|
m->mode = mode;
|
2007-02-08 21:14:33 +00:00
|
|
|
m->reqid = rq1->sadb_x_ipsecrequest_reqid;
|
|
|
|
|
|
|
|
return ((int)(rq1->sadb_x_ipsecrequest_len +
|
|
|
|
rq2->sadb_x_ipsecrequest_len));
|
|
|
|
}
|
|
|
|
|
|
|
|
static int pfkey_migrate(struct sock *sk, struct sk_buff *skb,
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2007-02-08 21:14:33 +00:00
|
|
|
{
|
|
|
|
int i, len, ret, err = -EINVAL;
|
|
|
|
u8 dir;
|
|
|
|
struct sadb_address *sa;
|
2008-10-05 20:33:42 +00:00
|
|
|
struct sadb_x_kmaddress *kma;
|
2007-02-08 21:14:33 +00:00
|
|
|
struct sadb_x_policy *pol;
|
|
|
|
struct sadb_x_ipsecrequest *rq;
|
|
|
|
struct xfrm_selector sel;
|
|
|
|
struct xfrm_migrate m[XFRM_MAX_DEPTH];
|
2008-10-05 20:33:42 +00:00
|
|
|
struct xfrm_kmaddress k;
|
2013-11-07 09:47:49 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2007-02-08 21:14:33 +00:00
|
|
|
|
|
|
|
if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
|
2008-10-05 20:33:42 +00:00
|
|
|
ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
|
2007-02-08 21:14:33 +00:00
|
|
|
!ext_hdrs[SADB_X_EXT_POLICY - 1]) {
|
|
|
|
err = -EINVAL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2008-10-05 20:33:42 +00:00
|
|
|
kma = ext_hdrs[SADB_X_EXT_KMADDRESS - 1];
|
2007-02-08 21:14:33 +00:00
|
|
|
pol = ext_hdrs[SADB_X_EXT_POLICY - 1];
|
|
|
|
|
|
|
|
if (pol->sadb_x_policy_dir >= IPSEC_DIR_MAX) {
|
|
|
|
err = -EINVAL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2008-10-05 20:33:42 +00:00
|
|
|
if (kma) {
|
|
|
|
/* convert sadb_x_kmaddress to xfrm_kmaddress */
|
|
|
|
k.reserved = kma->sadb_x_kmaddress_reserved;
|
|
|
|
ret = parse_sockaddr_pair((struct sockaddr *)(kma + 1),
|
|
|
|
8*(kma->sadb_x_kmaddress_len) - sizeof(*kma),
|
|
|
|
&k.local, &k.remote, &k.family);
|
|
|
|
if (ret < 0) {
|
|
|
|
err = ret;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-02-08 21:14:33 +00:00
|
|
|
dir = pol->sadb_x_policy_dir - 1;
|
|
|
|
memset(&sel, 0, sizeof(sel));
|
|
|
|
|
|
|
|
/* set source address info of selector */
|
|
|
|
sa = ext_hdrs[SADB_EXT_ADDRESS_SRC - 1];
|
|
|
|
sel.family = pfkey_sadb_addr2xfrm_addr(sa, &sel.saddr);
|
|
|
|
sel.prefixlen_s = sa->sadb_address_prefixlen;
|
|
|
|
sel.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
|
|
|
|
sel.sport = ((struct sockaddr_in *)(sa + 1))->sin_port;
|
|
|
|
if (sel.sport)
|
2007-07-26 16:33:39 +00:00
|
|
|
sel.sport_mask = htons(0xffff);
|
2007-02-08 21:14:33 +00:00
|
|
|
|
|
|
|
/* set destination address info of selector */
|
2014-05-30 15:48:12 +00:00
|
|
|
sa = ext_hdrs[SADB_EXT_ADDRESS_DST - 1];
|
2007-02-08 21:14:33 +00:00
|
|
|
pfkey_sadb_addr2xfrm_addr(sa, &sel.daddr);
|
|
|
|
sel.prefixlen_d = sa->sadb_address_prefixlen;
|
|
|
|
sel.proto = pfkey_proto_to_xfrm(sa->sadb_address_proto);
|
|
|
|
sel.dport = ((struct sockaddr_in *)(sa + 1))->sin_port;
|
|
|
|
if (sel.dport)
|
2007-07-26 16:33:39 +00:00
|
|
|
sel.dport_mask = htons(0xffff);
|
2007-02-08 21:14:33 +00:00
|
|
|
|
|
|
|
rq = (struct sadb_x_ipsecrequest *)(pol + 1);
|
|
|
|
|
|
|
|
/* extract ipsecrequests */
|
|
|
|
i = 0;
|
|
|
|
len = pol->sadb_x_policy_len * 8 - sizeof(struct sadb_x_policy);
|
|
|
|
|
|
|
|
while (len > 0 && i < XFRM_MAX_DEPTH) {
|
|
|
|
ret = ipsecrequests_to_migrate(rq, len, &m[i]);
|
|
|
|
if (ret < 0) {
|
|
|
|
err = ret;
|
|
|
|
goto out;
|
|
|
|
} else {
|
|
|
|
rq = (struct sadb_x_ipsecrequest *)((u8 *)rq + ret);
|
|
|
|
len -= ret;
|
|
|
|
i++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!i || len > 0) {
|
|
|
|
err = -EINVAL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2008-10-05 20:33:42 +00:00
|
|
|
return xfrm_migrate(&sel, dir, XFRM_POLICY_TYPE_MAIN, m, i,
|
xfrm: Check if_id in xfrm_migrate
This patch enables distinguishing SAs and SPs based on if_id during
the xfrm_migrate flow. This ensures support for xfrm interfaces
throughout the SA/SP lifecycle.
When there are multiple existing SPs with the same direction,
the same xfrm_selector and different endpoint addresses,
xfrm_migrate might fail with ENODATA.
Specifically, the code path for performing xfrm_migrate is:
Stage 1: find policy to migrate with
xfrm_migrate_policy_find(sel, dir, type, net)
Stage 2: find and update state(s) with
xfrm_migrate_state_find(mp, net)
Stage 3: update endpoint address(es) of template(s) with
xfrm_policy_migrate(pol, m, num_migrate)
Currently "Stage 1" always returns the first xfrm_policy that
matches, and "Stage 3" looks for the xfrm_tmpl that matches the
old endpoint address. Thus if there are multiple xfrm_policy
with same selector, direction, type and net, "Stage 1" might
rertun a wrong xfrm_policy and "Stage 3" will fail with ENODATA
because it cannot find a xfrm_tmpl with the matching endpoint
address.
The fix is to allow userspace to pass an if_id and add if_id
to the matching rule in Stage 1 and Stage 2 since if_id is a
unique ID for xfrm_policy and xfrm_state. For compatibility,
if_id will only be checked if the attribute is set.
Tested with additions to Android's kernel unit test suite:
https://android-review.googlesource.com/c/kernel/tests/+/1668886
Signed-off-by: Yan Yan <evitayan@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2022-01-19 00:00:13 +00:00
|
|
|
kma ? &k : NULL, net, NULL, 0);
|
2007-02-08 21:14:33 +00:00
|
|
|
|
|
|
|
out:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
static int pfkey_migrate(struct sock *sk, struct sk_buff *skb,
|
2011-03-02 06:51:52 +00:00
|
|
|
const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2007-02-08 21:14:33 +00:00
|
|
|
{
|
|
|
|
return -ENOPROTOOPT;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2005-10-05 19:15:12 +00:00
|
|
|
unsigned int dir;
|
2007-03-08 00:01:45 +00:00
|
|
|
int err = 0, delete;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct sadb_x_policy *pol;
|
|
|
|
struct xfrm_policy *xp;
|
2005-06-19 05:42:13 +00:00
|
|
|
struct km_event c;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
if ((pol = ext_hdrs[SADB_X_EXT_POLICY-1]) == NULL)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2005-10-05 19:15:12 +00:00
|
|
|
dir = xfrm_policy_id2dir(pol->sadb_x_policy_id);
|
|
|
|
if (dir >= XFRM_POLICY_MAX)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2007-03-08 00:01:45 +00:00
|
|
|
delete = (hdr->sadb_msg_type == SADB_X_SPDDELETE2);
|
2020-06-22 08:40:29 +00:00
|
|
|
xp = xfrm_policy_byid(net, &dummy_mark, 0, XFRM_POLICY_TYPE_MAIN,
|
2010-02-23 00:20:22 +00:00
|
|
|
dir, pol->sadb_x_policy_id, delete, &err);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (xp == NULL)
|
|
|
|
return -ENOENT;
|
|
|
|
|
2007-03-08 00:01:45 +00:00
|
|
|
if (delete) {
|
2014-04-22 12:48:30 +00:00
|
|
|
xfrm_audit_policy_delete(xp, err ? 0 : 1, true);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-03-08 00:01:45 +00:00
|
|
|
if (err)
|
|
|
|
goto out;
|
|
|
|
c.seq = hdr->sadb_msg_seq;
|
2012-09-07 20:12:54 +00:00
|
|
|
c.portid = hdr->sadb_msg_pid;
|
2005-06-19 05:44:00 +00:00
|
|
|
c.data.byid = 1;
|
2005-06-19 05:44:37 +00:00
|
|
|
c.event = XFRM_MSG_DELPOLICY;
|
2005-10-05 19:15:12 +00:00
|
|
|
km_policy_notify(xp, dir, &c);
|
2005-06-19 05:42:13 +00:00
|
|
|
} else {
|
2005-10-05 19:15:12 +00:00
|
|
|
err = key_pol_get_resp(sk, xp, hdr, dir);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2007-03-08 00:01:45 +00:00
|
|
|
out:
|
2005-04-16 22:20:36 +00:00
|
|
|
xfrm_pol_put(xp);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int dump_sp(struct xfrm_policy *xp, int dir, int count, void *ptr)
|
|
|
|
{
|
2008-03-04 07:40:12 +00:00
|
|
|
struct pfkey_sock *pfk = ptr;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct sk_buff *out_skb;
|
|
|
|
struct sadb_msg *out_hdr;
|
2007-04-17 19:32:20 +00:00
|
|
|
int err;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-03-04 07:40:12 +00:00
|
|
|
if (!pfkey_can_dump(&pfk->sk))
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
out_skb = pfkey_xfrm_policy2msg_prep(xp);
|
|
|
|
if (IS_ERR(out_skb))
|
|
|
|
return PTR_ERR(out_skb);
|
|
|
|
|
2007-04-17 19:32:20 +00:00
|
|
|
err = pfkey_xfrm_policy2msg(out_skb, xp, dir);
|
2019-05-25 18:09:35 +00:00
|
|
|
if (err < 0) {
|
|
|
|
kfree_skb(out_skb);
|
2007-04-17 19:32:20 +00:00
|
|
|
return err;
|
2019-05-25 18:09:35 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
out_hdr = (struct sadb_msg *) out_skb->data;
|
2008-03-04 07:40:12 +00:00
|
|
|
out_hdr->sadb_msg_version = pfk->dump.msg_version;
|
2005-04-16 22:20:36 +00:00
|
|
|
out_hdr->sadb_msg_type = SADB_X_SPDDUMP;
|
|
|
|
out_hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
|
|
|
|
out_hdr->sadb_msg_errno = 0;
|
2008-10-01 14:03:24 +00:00
|
|
|
out_hdr->sadb_msg_seq = count + 1;
|
2012-09-07 20:12:54 +00:00
|
|
|
out_hdr->sadb_msg_pid = pfk->dump.msg_portid;
|
2008-10-01 14:03:24 +00:00
|
|
|
|
|
|
|
if (pfk->dump.skb)
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(pfk->dump.skb, GFP_ATOMIC, BROADCAST_ONE,
|
2008-11-26 01:58:31 +00:00
|
|
|
&pfk->sk, sock_net(&pfk->sk));
|
2008-10-01 14:03:24 +00:00
|
|
|
pfk->dump.skb = out_skb;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-03-04 07:40:12 +00:00
|
|
|
static int pfkey_dump_sp(struct pfkey_sock *pfk)
|
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(&pfk->sk);
|
|
|
|
return xfrm_policy_walk(net, &pfk->dump.u.policy, dump_sp, (void *) pfk);
|
2008-03-04 07:40:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void pfkey_dump_sp_done(struct pfkey_sock *pfk)
|
|
|
|
{
|
2013-11-07 09:47:50 +00:00
|
|
|
struct net *net = sock_net((struct sock *)pfk);
|
|
|
|
|
|
|
|
xfrm_policy_walk_done(&pfk->dump.u.policy, net);
|
2008-03-04 07:40:12 +00:00
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_spddump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-03-04 07:40:12 +00:00
|
|
|
struct pfkey_sock *pfk = pfkey_sk(sk);
|
2008-02-29 05:31:08 +00:00
|
|
|
|
2017-03-31 07:10:20 +00:00
|
|
|
mutex_lock(&pfk->dump_lock);
|
|
|
|
if (pfk->dump.dump != NULL) {
|
|
|
|
mutex_unlock(&pfk->dump_lock);
|
2008-03-04 07:40:12 +00:00
|
|
|
return -EBUSY;
|
2017-03-31 07:10:20 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-03-04 07:40:12 +00:00
|
|
|
pfk->dump.msg_version = hdr->sadb_msg_version;
|
2012-09-07 20:12:54 +00:00
|
|
|
pfk->dump.msg_portid = hdr->sadb_msg_pid;
|
2008-03-04 07:40:12 +00:00
|
|
|
pfk->dump.dump = pfkey_dump_sp;
|
|
|
|
pfk->dump.done = pfkey_dump_sp_done;
|
|
|
|
xfrm_policy_walk_init(&pfk->dump.u.policy, XFRM_POLICY_TYPE_MAIN);
|
2017-03-31 07:10:20 +00:00
|
|
|
mutex_unlock(&pfk->dump_lock);
|
2008-03-04 07:40:12 +00:00
|
|
|
|
|
|
|
return pfkey_do_dump(pfk);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-24 05:02:38 +00:00
|
|
|
static int key_notify_policy_flush(const struct km_event *c)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *skb_out;
|
2005-06-19 05:42:13 +00:00
|
|
|
struct sadb_msg *hdr;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
skb_out = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_ATOMIC);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!skb_out)
|
|
|
|
return -ENOBUFS;
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
hdr = skb_put(skb_out, sizeof(struct sadb_msg));
|
2006-01-24 20:57:19 +00:00
|
|
|
hdr->sadb_msg_type = SADB_X_SPDFLUSH;
|
2005-06-19 05:42:13 +00:00
|
|
|
hdr->sadb_msg_seq = c->seq;
|
2012-09-07 20:12:54 +00:00
|
|
|
hdr->sadb_msg_pid = c->portid;
|
2005-06-19 05:42:13 +00:00
|
|
|
hdr->sadb_msg_version = PF_KEY_V2;
|
|
|
|
hdr->sadb_msg_errno = (uint8_t) 0;
|
2013-02-18 15:24:20 +00:00
|
|
|
hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC;
|
2005-06-19 05:42:13 +00:00
|
|
|
hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
|
2013-06-26 21:52:30 +00:00
|
|
|
hdr->sadb_msg_reserved = 0;
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net);
|
2005-06-19 05:42:13 +00:00
|
|
|
return 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
|
2005-06-19 05:42:13 +00:00
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2005-06-19 05:42:13 +00:00
|
|
|
struct km_event c;
|
2010-02-19 02:00:40 +00:00
|
|
|
int err, err2;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2014-04-22 12:48:30 +00:00
|
|
|
err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, true);
|
2010-02-19 02:00:40 +00:00
|
|
|
err2 = unicast_flush_resp(sk, hdr);
|
2010-02-19 02:00:42 +00:00
|
|
|
if (err || err2) {
|
|
|
|
if (err == -ESRCH) /* empty table - old silent behavior */
|
|
|
|
return 0;
|
|
|
|
return err;
|
|
|
|
}
|
2010-02-19 02:00:40 +00:00
|
|
|
|
2006-08-24 05:49:28 +00:00
|
|
|
c.data.type = XFRM_POLICY_TYPE_MAIN;
|
2005-06-19 05:44:37 +00:00
|
|
|
c.event = XFRM_MSG_FLUSHPOLICY;
|
2012-09-07 20:12:54 +00:00
|
|
|
c.portid = hdr->sadb_msg_pid;
|
2005-06-19 05:42:13 +00:00
|
|
|
c.seq = hdr->sadb_msg_seq;
|
2008-11-26 01:58:31 +00:00
|
|
|
c.net = net;
|
2005-06-19 05:42:13 +00:00
|
|
|
km_policy_notify(NULL, 0, &c);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
typedef int (*pfkey_handler)(struct sock *sk, struct sk_buff *skb,
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct sadb_msg *hdr, void * const *ext_hdrs);
|
2013-06-26 21:56:59 +00:00
|
|
|
static const pfkey_handler pfkey_funcs[SADB_MAX + 1] = {
|
2005-04-16 22:20:36 +00:00
|
|
|
[SADB_RESERVED] = pfkey_reserved,
|
|
|
|
[SADB_GETSPI] = pfkey_getspi,
|
|
|
|
[SADB_UPDATE] = pfkey_add,
|
|
|
|
[SADB_ADD] = pfkey_add,
|
|
|
|
[SADB_DELETE] = pfkey_delete,
|
|
|
|
[SADB_GET] = pfkey_get,
|
|
|
|
[SADB_ACQUIRE] = pfkey_acquire,
|
|
|
|
[SADB_REGISTER] = pfkey_register,
|
|
|
|
[SADB_EXPIRE] = NULL,
|
|
|
|
[SADB_FLUSH] = pfkey_flush,
|
|
|
|
[SADB_DUMP] = pfkey_dump,
|
|
|
|
[SADB_X_PROMISC] = pfkey_promisc,
|
|
|
|
[SADB_X_PCHANGE] = NULL,
|
|
|
|
[SADB_X_SPDUPDATE] = pfkey_spdadd,
|
|
|
|
[SADB_X_SPDADD] = pfkey_spdadd,
|
|
|
|
[SADB_X_SPDDELETE] = pfkey_spddelete,
|
|
|
|
[SADB_X_SPDGET] = pfkey_spdget,
|
|
|
|
[SADB_X_SPDACQUIRE] = NULL,
|
|
|
|
[SADB_X_SPDDUMP] = pfkey_spddump,
|
|
|
|
[SADB_X_SPDFLUSH] = pfkey_spdflush,
|
|
|
|
[SADB_X_SPDSETIDX] = pfkey_spdadd,
|
|
|
|
[SADB_X_SPDDELETE2] = pfkey_spdget,
|
2007-02-08 21:14:33 +00:00
|
|
|
[SADB_X_MIGRATE] = pfkey_migrate,
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
void *ext_hdrs[SADB_EXT_MAX];
|
|
|
|
int err;
|
|
|
|
|
2022-05-23 20:05:24 +00:00
|
|
|
/* Non-zero return value of pfkey_broadcast() does not always signal
|
|
|
|
* an error and even on an actual error we may still want to process
|
|
|
|
* the message so rather ignore the return value.
|
|
|
|
*/
|
|
|
|
pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
|
|
|
|
BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
memset(ext_hdrs, 0, sizeof(ext_hdrs));
|
|
|
|
err = parse_exthdrs(skb, hdr, ext_hdrs);
|
|
|
|
if (!err) {
|
|
|
|
err = -EOPNOTSUPP;
|
|
|
|
if (pfkey_funcs[hdr->sadb_msg_type])
|
|
|
|
err = pfkey_funcs[hdr->sadb_msg_type](sk, skb, hdr, ext_hdrs);
|
|
|
|
}
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct sadb_msg *pfkey_get_base_msg(struct sk_buff *skb, int *errp)
|
|
|
|
{
|
|
|
|
struct sadb_msg *hdr = NULL;
|
|
|
|
|
|
|
|
if (skb->len < sizeof(*hdr)) {
|
|
|
|
*errp = -EMSGSIZE;
|
|
|
|
} else {
|
|
|
|
hdr = (struct sadb_msg *) skb->data;
|
|
|
|
if (hdr->sadb_msg_version != PF_KEY_V2 ||
|
|
|
|
hdr->sadb_msg_reserved != 0 ||
|
|
|
|
(hdr->sadb_msg_type <= SADB_RESERVED ||
|
|
|
|
hdr->sadb_msg_type > SADB_MAX)) {
|
|
|
|
hdr = NULL;
|
|
|
|
*errp = -EINVAL;
|
|
|
|
} else if (hdr->sadb_msg_len != (skb->len /
|
|
|
|
sizeof(uint64_t)) ||
|
|
|
|
hdr->sadb_msg_len < (sizeof(struct sadb_msg) /
|
|
|
|
sizeof(uint64_t))) {
|
|
|
|
hdr = NULL;
|
|
|
|
*errp = -EMSGSIZE;
|
|
|
|
} else {
|
|
|
|
*errp = 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return hdr;
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static inline int aalg_tmpl_set(const struct xfrm_tmpl *t,
|
|
|
|
const struct xfrm_algo_desc *d)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2007-12-20 07:44:29 +00:00
|
|
|
unsigned int id = d->desc.sadb_alg_id;
|
|
|
|
|
|
|
|
if (id >= sizeof(t->aalgos) * 8)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
return (t->aalgos >> id) & 1;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static inline int ealg_tmpl_set(const struct xfrm_tmpl *t,
|
|
|
|
const struct xfrm_algo_desc *d)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2007-12-20 07:44:29 +00:00
|
|
|
unsigned int id = d->desc.sadb_alg_id;
|
|
|
|
|
|
|
|
if (id >= sizeof(t->ealgos) * 8)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
return (t->ealgos >> id) & 1;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int count_ah_combs(const struct xfrm_tmpl *t)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
int i, sz = 0;
|
|
|
|
|
|
|
|
for (i = 0; ; i++) {
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(i);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!aalg)
|
|
|
|
break;
|
2013-01-31 10:40:38 +00:00
|
|
|
if (!aalg->pfkey_supported)
|
|
|
|
continue;
|
2022-05-18 06:32:18 +00:00
|
|
|
if (aalg_tmpl_set(t, aalg) && aalg->available)
|
2005-04-16 22:20:36 +00:00
|
|
|
sz += sizeof(struct sadb_comb);
|
|
|
|
}
|
|
|
|
return sz + sizeof(struct sadb_prop);
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static int count_esp_combs(const struct xfrm_tmpl *t)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
int i, k, sz = 0;
|
|
|
|
|
|
|
|
for (i = 0; ; i++) {
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct xfrm_algo_desc *ealg = xfrm_ealg_get_byidx(i);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!ealg)
|
|
|
|
break;
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2013-01-31 10:40:38 +00:00
|
|
|
if (!ealg->pfkey_supported)
|
|
|
|
continue;
|
|
|
|
|
2022-05-18 06:32:18 +00:00
|
|
|
if (!(ealg_tmpl_set(t, ealg) && ealg->available))
|
2005-04-16 22:20:36 +00:00
|
|
|
continue;
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
for (k = 1; ; k++) {
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(k);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!aalg)
|
|
|
|
break;
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2013-01-31 10:40:38 +00:00
|
|
|
if (!aalg->pfkey_supported)
|
|
|
|
continue;
|
|
|
|
|
2022-05-18 06:32:18 +00:00
|
|
|
if (aalg_tmpl_set(t, aalg) && aalg->available)
|
2005-04-16 22:20:36 +00:00
|
|
|
sz += sizeof(struct sadb_comb);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return sz + sizeof(struct sadb_prop);
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct sadb_prop *p;
|
|
|
|
int i;
|
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
p = skb_put(skb, sizeof(struct sadb_prop));
|
2005-04-16 22:20:36 +00:00
|
|
|
p->sadb_prop_len = sizeof(struct sadb_prop)/8;
|
|
|
|
p->sadb_prop_exttype = SADB_EXT_PROPOSAL;
|
|
|
|
p->sadb_prop_replay = 32;
|
|
|
|
memset(p->sadb_prop_reserved, 0, sizeof(p->sadb_prop_reserved));
|
|
|
|
|
|
|
|
for (i = 0; ; i++) {
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(i);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!aalg)
|
|
|
|
break;
|
|
|
|
|
2013-01-31 10:40:38 +00:00
|
|
|
if (!aalg->pfkey_supported)
|
|
|
|
continue;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (aalg_tmpl_set(t, aalg) && aalg->available) {
|
|
|
|
struct sadb_comb *c;
|
networking: convert many more places to skb_put_zero()
There were many places that my previous spatch didn't find,
as pointed out by yuan linyu in various patches.
The following spatch found many more and also removes the
now unnecessary casts:
@@
identifier p, p2;
expression len;
expression skb;
type t, t2;
@@
(
-p = skb_put(skb, len);
+p = skb_put_zero(skb, len);
|
-p = (t)skb_put(skb, len);
+p = skb_put_zero(skb, len);
)
... when != p
(
p2 = (t2)p;
-memset(p2, 0, len);
|
-memset(p, 0, len);
)
@@
type t, t2;
identifier p, p2;
expression skb;
@@
t *p;
...
(
-p = skb_put(skb, sizeof(t));
+p = skb_put_zero(skb, sizeof(t));
|
-p = (t *)skb_put(skb, sizeof(t));
+p = skb_put_zero(skb, sizeof(t));
)
... when != p
(
p2 = (t2)p;
-memset(p2, 0, sizeof(*p));
|
-memset(p, 0, sizeof(*p));
)
@@
expression skb, len;
@@
-memset(skb_put(skb, len), 0, len);
+skb_put_zero(skb, len);
Apply it to the tree (with one manual fixup to keep the
comment in vxlan.c, which spatch removed.)
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:19 +00:00
|
|
|
c = skb_put_zero(skb, sizeof(struct sadb_comb));
|
2005-04-16 22:20:36 +00:00
|
|
|
p->sadb_prop_len += sizeof(struct sadb_comb)/8;
|
|
|
|
c->sadb_comb_auth = aalg->desc.sadb_alg_id;
|
|
|
|
c->sadb_comb_auth_minbits = aalg->desc.sadb_alg_minbits;
|
|
|
|
c->sadb_comb_auth_maxbits = aalg->desc.sadb_alg_maxbits;
|
|
|
|
c->sadb_comb_hard_addtime = 24*60*60;
|
|
|
|
c->sadb_comb_soft_addtime = 20*60*60;
|
|
|
|
c->sadb_comb_hard_usetime = 8*60*60;
|
|
|
|
c->sadb_comb_soft_usetime = 7*60*60;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-02-26 02:07:06 +00:00
|
|
|
static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct sadb_prop *p;
|
|
|
|
int i, k;
|
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
p = skb_put(skb, sizeof(struct sadb_prop));
|
2005-04-16 22:20:36 +00:00
|
|
|
p->sadb_prop_len = sizeof(struct sadb_prop)/8;
|
|
|
|
p->sadb_prop_exttype = SADB_EXT_PROPOSAL;
|
|
|
|
p->sadb_prop_replay = 32;
|
|
|
|
memset(p->sadb_prop_reserved, 0, sizeof(p->sadb_prop_reserved));
|
|
|
|
|
|
|
|
for (i=0; ; i++) {
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct xfrm_algo_desc *ealg = xfrm_ealg_get_byidx(i);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!ealg)
|
|
|
|
break;
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2013-01-31 10:40:38 +00:00
|
|
|
if (!ealg->pfkey_supported)
|
|
|
|
continue;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!(ealg_tmpl_set(t, ealg) && ealg->available))
|
|
|
|
continue;
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
for (k = 1; ; k++) {
|
|
|
|
struct sadb_comb *c;
|
2011-02-26 02:07:06 +00:00
|
|
|
const struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(k);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!aalg)
|
|
|
|
break;
|
2013-01-31 10:40:38 +00:00
|
|
|
if (!aalg->pfkey_supported)
|
|
|
|
continue;
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!(aalg_tmpl_set(t, aalg) && aalg->available))
|
|
|
|
continue;
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
c = skb_put(skb, sizeof(struct sadb_comb));
|
2005-04-16 22:20:36 +00:00
|
|
|
memset(c, 0, sizeof(*c));
|
|
|
|
p->sadb_prop_len += sizeof(struct sadb_comb)/8;
|
|
|
|
c->sadb_comb_auth = aalg->desc.sadb_alg_id;
|
|
|
|
c->sadb_comb_auth_minbits = aalg->desc.sadb_alg_minbits;
|
|
|
|
c->sadb_comb_auth_maxbits = aalg->desc.sadb_alg_maxbits;
|
|
|
|
c->sadb_comb_encrypt = ealg->desc.sadb_alg_id;
|
|
|
|
c->sadb_comb_encrypt_minbits = ealg->desc.sadb_alg_minbits;
|
|
|
|
c->sadb_comb_encrypt_maxbits = ealg->desc.sadb_alg_maxbits;
|
|
|
|
c->sadb_comb_hard_addtime = 24*60*60;
|
|
|
|
c->sadb_comb_soft_addtime = 20*60*60;
|
|
|
|
c->sadb_comb_hard_usetime = 8*60*60;
|
|
|
|
c->sadb_comb_soft_usetime = 7*60*60;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-02-24 05:02:38 +00:00
|
|
|
static int key_notify_policy_expire(struct xfrm_policy *xp, const struct km_event *c)
|
2005-06-19 05:42:13 +00:00
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-24 05:02:38 +00:00
|
|
|
static int key_notify_sa_expire(struct xfrm_state *x, const struct km_event *c)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *out_skb;
|
|
|
|
struct sadb_msg *out_hdr;
|
2005-06-19 05:42:13 +00:00
|
|
|
int hard;
|
|
|
|
int hsc;
|
|
|
|
|
2005-06-19 05:44:00 +00:00
|
|
|
hard = c->data.hard;
|
2005-06-19 05:42:13 +00:00
|
|
|
if (hard)
|
|
|
|
hsc = 2;
|
|
|
|
else
|
|
|
|
hsc = 1;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-10-09 20:31:47 +00:00
|
|
|
out_skb = pfkey_xfrm_state2msg_expire(x, hsc);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (IS_ERR(out_skb))
|
|
|
|
return PTR_ERR(out_skb);
|
|
|
|
|
|
|
|
out_hdr = (struct sadb_msg *) out_skb->data;
|
|
|
|
out_hdr->sadb_msg_version = PF_KEY_V2;
|
|
|
|
out_hdr->sadb_msg_type = SADB_EXPIRE;
|
|
|
|
out_hdr->sadb_msg_satype = pfkey_proto2satype(x->id.proto);
|
|
|
|
out_hdr->sadb_msg_errno = 0;
|
|
|
|
out_hdr->sadb_msg_reserved = 0;
|
|
|
|
out_hdr->sadb_msg_seq = 0;
|
|
|
|
out_hdr->sadb_msg_pid = 0;
|
|
|
|
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(out_skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,
|
|
|
|
xs_net(x));
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-24 05:02:38 +00:00
|
|
|
static int pfkey_send_notify(struct xfrm_state *x, const struct km_event *c)
|
2005-06-19 05:42:13 +00:00
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = x ? xs_net(x) : c->net;
|
2008-11-26 01:58:07 +00:00
|
|
|
struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
|
|
|
|
|
|
|
|
if (atomic_read(&net_pfkey->socks_nr) == 0)
|
2008-06-10 21:25:34 +00:00
|
|
|
return 0;
|
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
switch (c->event) {
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_EXPIRE:
|
2005-06-19 05:42:13 +00:00
|
|
|
return key_notify_sa_expire(x, c);
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_DELSA:
|
|
|
|
case XFRM_MSG_NEWSA:
|
|
|
|
case XFRM_MSG_UPDSA:
|
2005-06-19 05:42:13 +00:00
|
|
|
return key_notify_sa(x, c);
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_FLUSHSA:
|
2005-06-19 05:42:13 +00:00
|
|
|
return key_notify_sa_flush(c);
|
2006-03-21 03:16:12 +00:00
|
|
|
case XFRM_MSG_NEWAE: /* not yet supported */
|
|
|
|
break;
|
2005-06-19 05:42:13 +00:00
|
|
|
default:
|
2010-05-12 06:37:07 +00:00
|
|
|
pr_err("pfkey: Unknown SA event %d\n", c->event);
|
2005-06-19 05:42:13 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-02-24 05:02:38 +00:00
|
|
|
static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
|
2005-06-19 05:42:13 +00:00
|
|
|
{
|
2006-08-24 05:49:28 +00:00
|
|
|
if (xp && xp->type != XFRM_POLICY_TYPE_MAIN)
|
|
|
|
return 0;
|
|
|
|
|
2005-06-19 05:42:13 +00:00
|
|
|
switch (c->event) {
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_POLEXPIRE:
|
2005-06-19 05:42:13 +00:00
|
|
|
return key_notify_policy_expire(xp, c);
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_DELPOLICY:
|
|
|
|
case XFRM_MSG_NEWPOLICY:
|
|
|
|
case XFRM_MSG_UPDPOLICY:
|
2005-06-19 05:42:13 +00:00
|
|
|
return key_notify_policy(xp, dir, c);
|
2005-06-19 05:44:37 +00:00
|
|
|
case XFRM_MSG_FLUSHPOLICY:
|
2006-08-24 05:49:28 +00:00
|
|
|
if (c->data.type != XFRM_POLICY_TYPE_MAIN)
|
|
|
|
break;
|
2005-06-19 05:42:13 +00:00
|
|
|
return key_notify_policy_flush(c);
|
|
|
|
default:
|
2010-05-12 06:37:07 +00:00
|
|
|
pr_err("pfkey: Unknown policy event %d\n", c->event);
|
2005-06-19 05:42:13 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static u32 get_acqseq(void)
|
|
|
|
{
|
|
|
|
u32 res;
|
2010-01-29 04:05:52 +00:00
|
|
|
static atomic_t acqseq;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-01-29 04:05:52 +00:00
|
|
|
do {
|
|
|
|
res = atomic_inc_return(&acqseq);
|
|
|
|
} while (!res);
|
2005-04-16 22:20:36 +00:00
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
2014-02-12 14:20:06 +00:00
|
|
|
static bool pfkey_is_alive(const struct km_event *c)
|
|
|
|
{
|
|
|
|
struct netns_pfkey *net_pfkey = net_generic(c->net, pfkey_net_id);
|
|
|
|
struct sock *sk;
|
|
|
|
bool is_alive = false;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
sk_for_each_rcu(sk, &net_pfkey->table) {
|
|
|
|
if (pfkey_sk(sk)->registered) {
|
|
|
|
is_alive = true;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
|
|
return is_alive;
|
|
|
|
}
|
|
|
|
|
2012-08-15 02:13:47 +00:00
|
|
|
static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *xp)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
struct sadb_msg *hdr;
|
|
|
|
struct sadb_address *addr;
|
|
|
|
struct sadb_x_policy *pol;
|
|
|
|
int sockaddr_size;
|
|
|
|
int size;
|
2006-07-25 06:31:14 +00:00
|
|
|
struct sadb_x_sec_ctx *sec_ctx;
|
|
|
|
struct xfrm_sec_ctx *xfrm_ctx;
|
|
|
|
int ctx_size = 0;
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
sockaddr_size = pfkey_sockaddr_size(x->props.family);
|
|
|
|
if (!sockaddr_size)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
size = sizeof(struct sadb_msg) +
|
|
|
|
(sizeof(struct sadb_address) * 2) +
|
|
|
|
(sockaddr_size * 2) +
|
|
|
|
sizeof(struct sadb_x_policy);
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (x->id.proto == IPPROTO_AH)
|
|
|
|
size += count_ah_combs(t);
|
|
|
|
else if (x->id.proto == IPPROTO_ESP)
|
|
|
|
size += count_esp_combs(t);
|
|
|
|
|
2006-07-25 06:31:14 +00:00
|
|
|
if ((xfrm_ctx = x->security)) {
|
|
|
|
ctx_size = PFKEY_ALIGN8(xfrm_ctx->ctx_len);
|
|
|
|
size += sizeof(struct sadb_x_sec_ctx) + ctx_size;
|
|
|
|
}
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
skb = alloc_skb(size + 16, GFP_ATOMIC);
|
|
|
|
if (skb == NULL)
|
|
|
|
return -ENOMEM;
|
2007-02-09 14:24:58 +00:00
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
hdr = skb_put(skb, sizeof(struct sadb_msg));
|
2005-04-16 22:20:36 +00:00
|
|
|
hdr->sadb_msg_version = PF_KEY_V2;
|
|
|
|
hdr->sadb_msg_type = SADB_ACQUIRE;
|
|
|
|
hdr->sadb_msg_satype = pfkey_proto2satype(x->id.proto);
|
|
|
|
hdr->sadb_msg_len = size / sizeof(uint64_t);
|
|
|
|
hdr->sadb_msg_errno = 0;
|
|
|
|
hdr->sadb_msg_reserved = 0;
|
|
|
|
hdr->sadb_msg_seq = x->km.seq = get_acqseq();
|
|
|
|
hdr->sadb_msg_pid = 0;
|
|
|
|
|
|
|
|
/* src address */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
addr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);
|
2007-02-09 14:24:58 +00:00
|
|
|
addr->sadb_address_len =
|
2005-04-16 22:20:36 +00:00
|
|
|
(sizeof(struct sadb_address)+sockaddr_size)/
|
|
|
|
sizeof(uint64_t);
|
|
|
|
addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
|
|
|
|
addr->sadb_address_proto = 0;
|
|
|
|
addr->sadb_address_reserved = 0;
|
2008-04-27 16:46:41 +00:00
|
|
|
addr->sadb_address_prefixlen =
|
|
|
|
pfkey_sockaddr_fill(&x->props.saddr, 0,
|
|
|
|
(struct sockaddr *) (addr + 1),
|
|
|
|
x->props.family);
|
|
|
|
if (!addr->sadb_address_prefixlen)
|
2005-04-16 22:20:36 +00:00
|
|
|
BUG();
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/* dst address */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
addr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);
|
2005-04-16 22:20:36 +00:00
|
|
|
addr->sadb_address_len =
|
|
|
|
(sizeof(struct sadb_address)+sockaddr_size)/
|
|
|
|
sizeof(uint64_t);
|
|
|
|
addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
|
|
|
|
addr->sadb_address_proto = 0;
|
|
|
|
addr->sadb_address_reserved = 0;
|
2008-04-27 16:46:41 +00:00
|
|
|
addr->sadb_address_prefixlen =
|
|
|
|
pfkey_sockaddr_fill(&x->id.daddr, 0,
|
|
|
|
(struct sockaddr *) (addr + 1),
|
|
|
|
x->props.family);
|
|
|
|
if (!addr->sadb_address_prefixlen)
|
2005-04-16 22:20:36 +00:00
|
|
|
BUG();
|
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
pol = skb_put(skb, sizeof(struct sadb_x_policy));
|
2005-04-16 22:20:36 +00:00
|
|
|
pol->sadb_x_policy_len = sizeof(struct sadb_x_policy)/sizeof(uint64_t);
|
|
|
|
pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
|
|
|
|
pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
|
2012-08-15 02:13:47 +00:00
|
|
|
pol->sadb_x_policy_dir = XFRM_POLICY_OUT + 1;
|
2013-07-28 20:04:45 +00:00
|
|
|
pol->sadb_x_policy_reserved = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
pol->sadb_x_policy_id = xp->index;
|
2013-07-28 20:04:45 +00:00
|
|
|
pol->sadb_x_policy_priority = xp->priority;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
/* Set sadb_comb's. */
|
|
|
|
if (x->id.proto == IPPROTO_AH)
|
|
|
|
dump_ah_combs(skb, t);
|
|
|
|
else if (x->id.proto == IPPROTO_ESP)
|
|
|
|
dump_esp_combs(skb, t);
|
|
|
|
|
2006-07-25 06:31:14 +00:00
|
|
|
/* security context */
|
|
|
|
if (xfrm_ctx) {
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
sec_ctx = skb_put(skb,
|
|
|
|
sizeof(struct sadb_x_sec_ctx) + ctx_size);
|
2006-07-25 06:31:14 +00:00
|
|
|
sec_ctx->sadb_x_sec_len =
|
|
|
|
(sizeof(struct sadb_x_sec_ctx) + ctx_size) / sizeof(uint64_t);
|
|
|
|
sec_ctx->sadb_x_sec_exttype = SADB_X_EXT_SEC_CTX;
|
|
|
|
sec_ctx->sadb_x_ctx_doi = xfrm_ctx->ctx_doi;
|
|
|
|
sec_ctx->sadb_x_ctx_alg = xfrm_ctx->ctx_alg;
|
|
|
|
sec_ctx->sadb_x_ctx_len = xfrm_ctx->ctx_len;
|
|
|
|
memcpy(sec_ctx + 1, xfrm_ctx->ctx_str,
|
|
|
|
xfrm_ctx->ctx_len);
|
|
|
|
}
|
|
|
|
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,
|
|
|
|
xs_net(x));
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2006-07-25 06:32:20 +00:00
|
|
|
static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
|
2007-02-09 14:24:58 +00:00
|
|
|
u8 *data, int len, int *dir)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-11-26 01:58:31 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct xfrm_policy *xp;
|
|
|
|
struct sadb_x_policy *pol = (struct sadb_x_policy*)data;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
struct sadb_x_sec_ctx *sec_ctx;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-07-25 06:32:20 +00:00
|
|
|
switch (sk->sk_family) {
|
2005-04-16 22:20:36 +00:00
|
|
|
case AF_INET:
|
|
|
|
if (opt != IP_IPSEC_POLICY) {
|
|
|
|
*dir = -EOPNOTSUPP;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
break;
|
2011-12-10 09:48:31 +00:00
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
2005-04-16 22:20:36 +00:00
|
|
|
case AF_INET6:
|
|
|
|
if (opt != IPV6_IPSEC_POLICY) {
|
|
|
|
*dir = -EOPNOTSUPP;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
#endif
|
|
|
|
default:
|
|
|
|
*dir = -EINVAL;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
*dir = -EINVAL;
|
|
|
|
|
|
|
|
if (len < sizeof(struct sadb_x_policy) ||
|
|
|
|
pol->sadb_x_policy_len*8 > len ||
|
|
|
|
pol->sadb_x_policy_type > IPSEC_POLICY_BYPASS ||
|
|
|
|
(!pol->sadb_x_policy_dir || pol->sadb_x_policy_dir > IPSEC_DIR_OUTBOUND))
|
|
|
|
return NULL;
|
|
|
|
|
2008-11-26 01:58:31 +00:00
|
|
|
xp = xfrm_policy_alloc(net, GFP_ATOMIC);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (xp == NULL) {
|
|
|
|
*dir = -ENOBUFS;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
xp->action = (pol->sadb_x_policy_type == IPSEC_POLICY_DISCARD ?
|
|
|
|
XFRM_POLICY_BLOCK : XFRM_POLICY_ALLOW);
|
|
|
|
|
|
|
|
xp->lft.soft_byte_limit = XFRM_INF;
|
|
|
|
xp->lft.hard_byte_limit = XFRM_INF;
|
|
|
|
xp->lft.soft_packet_limit = XFRM_INF;
|
|
|
|
xp->lft.hard_packet_limit = XFRM_INF;
|
2006-07-25 06:32:20 +00:00
|
|
|
xp->family = sk->sk_family;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
xp->xfrm_nr = 0;
|
|
|
|
if (pol->sadb_x_policy_type == IPSEC_POLICY_IPSEC &&
|
|
|
|
(*dir = parse_ipsecrequests(xp, pol)) < 0)
|
|
|
|
goto out;
|
|
|
|
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
/* security context too */
|
|
|
|
if (len >= (pol->sadb_x_policy_len*8 +
|
|
|
|
sizeof(struct sadb_x_sec_ctx))) {
|
|
|
|
char *p = (char *)pol;
|
|
|
|
struct xfrm_user_sec_ctx *uctx;
|
|
|
|
|
|
|
|
p += pol->sadb_x_policy_len*8;
|
|
|
|
sec_ctx = (struct sadb_x_sec_ctx *)p;
|
|
|
|
if (len < pol->sadb_x_policy_len*8 +
|
2017-05-05 05:40:42 +00:00
|
|
|
sec_ctx->sadb_x_sec_len*8) {
|
2006-07-25 06:32:20 +00:00
|
|
|
*dir = -EINVAL;
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
goto out;
|
2006-07-25 06:32:20 +00:00
|
|
|
}
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
if ((*dir = verify_sec_ctx_len(p)))
|
|
|
|
goto out;
|
2014-03-07 11:44:18 +00:00
|
|
|
uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx, GFP_ATOMIC);
|
2014-03-07 11:44:19 +00:00
|
|
|
*dir = security_xfrm_policy_alloc(&xp->security, uctx, GFP_ATOMIC);
|
[LSM-IPSec]: Security association restriction.
This patch series implements per packet access control via the
extension of the Linux Security Modules (LSM) interface by hooks in
the XFRM and pfkey subsystems that leverage IPSec security
associations to label packets. Extensions to the SELinux LSM are
included that leverage the patch for this purpose.
This patch implements the changes necessary to the XFRM subsystem,
pfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a
socket to use only authorized security associations (or no security
association) to send/receive network packets.
Patch purpose:
The patch is designed to enable access control per packets based on
the strongly authenticated IPSec security association. Such access
controls augment the existing ones based on network interface and IP
address. The former are very coarse-grained, and the latter can be
spoofed. By using IPSec, the system can control access to remote
hosts based on cryptographic keys generated using the IPSec mechanism.
This enables access control on a per-machine basis or per-application
if the remote machine is running the same mechanism and trusted to
enforce the access control policy.
Patch design approach:
The overall approach is that policy (xfrm_policy) entries set by
user-level programs (e.g., setkey for ipsec-tools) are extended with a
security context that is used at policy selection time in the XFRM
subsystem to restrict the sockets that can send/receive packets via
security associations (xfrm_states) that are built from those
policies.
A presentation available at
www.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf
from the SELinux symposium describes the overall approach.
Patch implementation details:
On output, the policy retrieved (via xfrm_policy_lookup or
xfrm_sk_policy_lookup) must be authorized for the security context of
the socket and the same security context is required for resultant
security association (retrieved or negotiated via racoon in
ipsec-tools). This is enforced in xfrm_state_find.
On input, the policy retrieved must also be authorized for the socket
(at __xfrm_policy_check), and the security context of the policy must
also match the security association being used.
The patch has virtually no impact on packets that do not use IPSec.
The existing Netfilter (outgoing) and LSM rcv_skb hooks are used as
before.
Also, if IPSec is used without security contexts, the impact is
minimal. The LSM must allow such policies to be selected for the
combination of socket and remote machine, but subsequent IPSec
processing proceeds as in the original case.
Testing:
The pfkey interface is tested using the ipsec-tools. ipsec-tools have
been modified (a separate ipsec-tools patch is available for version
0.5) that supports assignment of xfrm_policy entries and security
associations with security contexts via setkey and the negotiation
using the security contexts via racoon.
The xfrm_user interface is tested via ad hoc programs that set
security contexts. These programs are also available from me, and
contain programs for setting, getting, and deleting policy for testing
this interface. Testing of sa functions was done by tracing kernel
behavior.
Signed-off-by: Trent Jaeger <tjaeger@cse.psu.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2005-12-14 07:12:27 +00:00
|
|
|
kfree(uctx);
|
|
|
|
|
|
|
|
if (*dir)
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
*dir = pol->sadb_x_policy_dir-1;
|
|
|
|
return xp;
|
|
|
|
|
|
|
|
out:
|
2008-11-07 07:08:37 +00:00
|
|
|
xp->walk.dead = 1;
|
2008-01-08 06:34:29 +00:00
|
|
|
xfrm_policy_destroy(xp);
|
2005-04-16 22:20:36 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2006-11-08 08:24:06 +00:00
|
|
|
static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct sk_buff *skb;
|
|
|
|
struct sadb_msg *hdr;
|
|
|
|
struct sadb_sa *sa;
|
|
|
|
struct sadb_address *addr;
|
|
|
|
struct sadb_x_nat_t_port *n_port;
|
|
|
|
int sockaddr_size;
|
|
|
|
int size;
|
|
|
|
__u8 satype = (x->id.proto == IPPROTO_ESP ? SADB_SATYPE_ESP : 0);
|
|
|
|
struct xfrm_encap_tmpl *natt = NULL;
|
|
|
|
|
|
|
|
sockaddr_size = pfkey_sockaddr_size(x->props.family);
|
|
|
|
if (!sockaddr_size)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!satype)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!x->encap)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
natt = x->encap;
|
|
|
|
|
|
|
|
/* Build an SADB_X_NAT_T_NEW_MAPPING message:
|
|
|
|
*
|
|
|
|
* HDR | SA | ADDRESS_SRC (old addr) | NAT_T_SPORT (old port) |
|
|
|
|
* ADDRESS_DST (new addr) | NAT_T_DPORT (new port)
|
|
|
|
*/
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
size = sizeof(struct sadb_msg) +
|
|
|
|
sizeof(struct sadb_sa) +
|
|
|
|
(sizeof(struct sadb_address) * 2) +
|
|
|
|
(sockaddr_size * 2) +
|
|
|
|
(sizeof(struct sadb_x_nat_t_port) * 2);
|
2007-02-09 14:24:58 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
skb = alloc_skb(size + 16, GFP_ATOMIC);
|
|
|
|
if (skb == NULL)
|
|
|
|
return -ENOMEM;
|
2007-02-09 14:24:58 +00:00
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
hdr = skb_put(skb, sizeof(struct sadb_msg));
|
2005-04-16 22:20:36 +00:00
|
|
|
hdr->sadb_msg_version = PF_KEY_V2;
|
|
|
|
hdr->sadb_msg_type = SADB_X_NAT_T_NEW_MAPPING;
|
|
|
|
hdr->sadb_msg_satype = satype;
|
|
|
|
hdr->sadb_msg_len = size / sizeof(uint64_t);
|
|
|
|
hdr->sadb_msg_errno = 0;
|
|
|
|
hdr->sadb_msg_reserved = 0;
|
|
|
|
hdr->sadb_msg_seq = x->km.seq = get_acqseq();
|
|
|
|
hdr->sadb_msg_pid = 0;
|
|
|
|
|
|
|
|
/* SA */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
sa = skb_put(skb, sizeof(struct sadb_sa));
|
2005-04-16 22:20:36 +00:00
|
|
|
sa->sadb_sa_len = sizeof(struct sadb_sa)/sizeof(uint64_t);
|
|
|
|
sa->sadb_sa_exttype = SADB_EXT_SA;
|
|
|
|
sa->sadb_sa_spi = x->id.spi;
|
|
|
|
sa->sadb_sa_replay = 0;
|
|
|
|
sa->sadb_sa_state = 0;
|
|
|
|
sa->sadb_sa_auth = 0;
|
|
|
|
sa->sadb_sa_encrypt = 0;
|
|
|
|
sa->sadb_sa_flags = 0;
|
|
|
|
|
|
|
|
/* ADDRESS_SRC (old addr) */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
addr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);
|
2007-02-09 14:24:58 +00:00
|
|
|
addr->sadb_address_len =
|
2005-04-16 22:20:36 +00:00
|
|
|
(sizeof(struct sadb_address)+sockaddr_size)/
|
|
|
|
sizeof(uint64_t);
|
|
|
|
addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
|
|
|
|
addr->sadb_address_proto = 0;
|
|
|
|
addr->sadb_address_reserved = 0;
|
2008-04-27 16:46:41 +00:00
|
|
|
addr->sadb_address_prefixlen =
|
|
|
|
pfkey_sockaddr_fill(&x->props.saddr, 0,
|
|
|
|
(struct sockaddr *) (addr + 1),
|
|
|
|
x->props.family);
|
|
|
|
if (!addr->sadb_address_prefixlen)
|
2005-04-16 22:20:36 +00:00
|
|
|
BUG();
|
|
|
|
|
|
|
|
/* NAT_T_SPORT (old port) */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
n_port = skb_put(skb, sizeof(*n_port));
|
2005-04-16 22:20:36 +00:00
|
|
|
n_port->sadb_x_nat_t_port_len = sizeof(*n_port)/sizeof(uint64_t);
|
|
|
|
n_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
|
|
|
|
n_port->sadb_x_nat_t_port_port = natt->encap_sport;
|
|
|
|
n_port->sadb_x_nat_t_port_reserved = 0;
|
|
|
|
|
|
|
|
/* ADDRESS_DST (new addr) */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
addr = skb_put(skb, sizeof(struct sadb_address) + sockaddr_size);
|
2007-02-09 14:24:58 +00:00
|
|
|
addr->sadb_address_len =
|
2005-04-16 22:20:36 +00:00
|
|
|
(sizeof(struct sadb_address)+sockaddr_size)/
|
|
|
|
sizeof(uint64_t);
|
|
|
|
addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST;
|
|
|
|
addr->sadb_address_proto = 0;
|
|
|
|
addr->sadb_address_reserved = 0;
|
2008-04-27 16:46:41 +00:00
|
|
|
addr->sadb_address_prefixlen =
|
|
|
|
pfkey_sockaddr_fill(ipaddr, 0,
|
|
|
|
(struct sockaddr *) (addr + 1),
|
|
|
|
x->props.family);
|
|
|
|
if (!addr->sadb_address_prefixlen)
|
2005-04-16 22:20:36 +00:00
|
|
|
BUG();
|
|
|
|
|
|
|
|
/* NAT_T_DPORT (new port) */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
n_port = skb_put(skb, sizeof(*n_port));
|
2005-04-16 22:20:36 +00:00
|
|
|
n_port->sadb_x_nat_t_port_len = sizeof(*n_port)/sizeof(uint64_t);
|
|
|
|
n_port->sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
|
|
|
|
n_port->sadb_x_nat_t_port_port = sport;
|
|
|
|
n_port->sadb_x_nat_t_port_reserved = 0;
|
|
|
|
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_REGISTERED, NULL,
|
|
|
|
xs_net(x));
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2007-02-08 21:14:33 +00:00
|
|
|
#ifdef CONFIG_NET_KEY_MIGRATE
|
|
|
|
static int set_sadb_address(struct sk_buff *skb, int sasize, int type,
|
2011-02-24 05:28:01 +00:00
|
|
|
const struct xfrm_selector *sel)
|
2007-02-08 21:14:33 +00:00
|
|
|
{
|
|
|
|
struct sadb_address *addr;
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
addr = skb_put(skb, sizeof(struct sadb_address) + sasize);
|
2007-02-08 21:14:33 +00:00
|
|
|
addr->sadb_address_len = (sizeof(struct sadb_address) + sasize)/8;
|
|
|
|
addr->sadb_address_exttype = type;
|
|
|
|
addr->sadb_address_proto = sel->proto;
|
|
|
|
addr->sadb_address_reserved = 0;
|
|
|
|
|
|
|
|
switch (type) {
|
|
|
|
case SADB_EXT_ADDRESS_SRC:
|
2008-04-27 16:46:41 +00:00
|
|
|
addr->sadb_address_prefixlen = sel->prefixlen_s;
|
|
|
|
pfkey_sockaddr_fill(&sel->saddr, 0,
|
|
|
|
(struct sockaddr *)(addr + 1),
|
|
|
|
sel->family);
|
2007-02-08 21:14:33 +00:00
|
|
|
break;
|
|
|
|
case SADB_EXT_ADDRESS_DST:
|
2008-04-27 16:46:41 +00:00
|
|
|
addr->sadb_address_prefixlen = sel->prefixlen_d;
|
|
|
|
pfkey_sockaddr_fill(&sel->daddr, 0,
|
|
|
|
(struct sockaddr *)(addr + 1),
|
|
|
|
sel->family);
|
2007-02-08 21:14:33 +00:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-10-05 20:33:42 +00:00
|
|
|
|
2011-02-24 05:28:01 +00:00
|
|
|
static int set_sadb_kmaddress(struct sk_buff *skb, const struct xfrm_kmaddress *k)
|
2008-10-05 20:33:42 +00:00
|
|
|
{
|
|
|
|
struct sadb_x_kmaddress *kma;
|
|
|
|
u8 *sa;
|
|
|
|
int family = k->family;
|
|
|
|
int socklen = pfkey_sockaddr_len(family);
|
|
|
|
int size_req;
|
|
|
|
|
|
|
|
size_req = (sizeof(struct sadb_x_kmaddress) +
|
|
|
|
pfkey_sockaddr_pair_size(family));
|
|
|
|
|
networking: convert many more places to skb_put_zero()
There were many places that my previous spatch didn't find,
as pointed out by yuan linyu in various patches.
The following spatch found many more and also removes the
now unnecessary casts:
@@
identifier p, p2;
expression len;
expression skb;
type t, t2;
@@
(
-p = skb_put(skb, len);
+p = skb_put_zero(skb, len);
|
-p = (t)skb_put(skb, len);
+p = skb_put_zero(skb, len);
)
... when != p
(
p2 = (t2)p;
-memset(p2, 0, len);
|
-memset(p, 0, len);
)
@@
type t, t2;
identifier p, p2;
expression skb;
@@
t *p;
...
(
-p = skb_put(skb, sizeof(t));
+p = skb_put_zero(skb, sizeof(t));
|
-p = (t *)skb_put(skb, sizeof(t));
+p = skb_put_zero(skb, sizeof(t));
)
... when != p
(
p2 = (t2)p;
-memset(p2, 0, sizeof(*p));
|
-memset(p, 0, sizeof(*p));
)
@@
expression skb, len;
@@
-memset(skb_put(skb, len), 0, len);
+skb_put_zero(skb, len);
Apply it to the tree (with one manual fixup to keep the
comment in vxlan.c, which spatch removed.)
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:19 +00:00
|
|
|
kma = skb_put_zero(skb, size_req);
|
2008-10-05 20:33:42 +00:00
|
|
|
kma->sadb_x_kmaddress_len = size_req / 8;
|
|
|
|
kma->sadb_x_kmaddress_exttype = SADB_X_EXT_KMADDRESS;
|
|
|
|
kma->sadb_x_kmaddress_reserved = k->reserved;
|
|
|
|
|
|
|
|
sa = (u8 *)(kma + 1);
|
|
|
|
if (!pfkey_sockaddr_fill(&k->local, 0, (struct sockaddr *)sa, family) ||
|
|
|
|
!pfkey_sockaddr_fill(&k->remote, 0, (struct sockaddr *)(sa+socklen), family))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-02-08 21:14:33 +00:00
|
|
|
static int set_ipsecrequest(struct sk_buff *skb,
|
|
|
|
uint8_t proto, uint8_t mode, int level,
|
|
|
|
uint32_t reqid, uint8_t family,
|
2011-02-24 05:28:01 +00:00
|
|
|
const xfrm_address_t *src, const xfrm_address_t *dst)
|
2007-02-08 21:14:33 +00:00
|
|
|
{
|
|
|
|
struct sadb_x_ipsecrequest *rq;
|
2008-04-27 16:46:41 +00:00
|
|
|
u8 *sa;
|
|
|
|
int socklen = pfkey_sockaddr_len(family);
|
2007-02-08 21:14:33 +00:00
|
|
|
int size_req;
|
|
|
|
|
|
|
|
size_req = sizeof(struct sadb_x_ipsecrequest) +
|
|
|
|
pfkey_sockaddr_pair_size(family);
|
|
|
|
|
networking: convert many more places to skb_put_zero()
There were many places that my previous spatch didn't find,
as pointed out by yuan linyu in various patches.
The following spatch found many more and also removes the
now unnecessary casts:
@@
identifier p, p2;
expression len;
expression skb;
type t, t2;
@@
(
-p = skb_put(skb, len);
+p = skb_put_zero(skb, len);
|
-p = (t)skb_put(skb, len);
+p = skb_put_zero(skb, len);
)
... when != p
(
p2 = (t2)p;
-memset(p2, 0, len);
|
-memset(p, 0, len);
)
@@
type t, t2;
identifier p, p2;
expression skb;
@@
t *p;
...
(
-p = skb_put(skb, sizeof(t));
+p = skb_put_zero(skb, sizeof(t));
|
-p = (t *)skb_put(skb, sizeof(t));
+p = skb_put_zero(skb, sizeof(t));
)
... when != p
(
p2 = (t2)p;
-memset(p2, 0, sizeof(*p));
|
-memset(p, 0, sizeof(*p));
)
@@
expression skb, len;
@@
-memset(skb_put(skb, len), 0, len);
+skb_put_zero(skb, len);
Apply it to the tree (with one manual fixup to keep the
comment in vxlan.c, which spatch removed.)
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:19 +00:00
|
|
|
rq = skb_put_zero(skb, size_req);
|
2007-02-08 21:14:33 +00:00
|
|
|
rq->sadb_x_ipsecrequest_len = size_req;
|
|
|
|
rq->sadb_x_ipsecrequest_proto = proto;
|
|
|
|
rq->sadb_x_ipsecrequest_mode = mode;
|
|
|
|
rq->sadb_x_ipsecrequest_level = level;
|
|
|
|
rq->sadb_x_ipsecrequest_reqid = reqid;
|
|
|
|
|
2008-04-27 16:46:41 +00:00
|
|
|
sa = (u8 *) (rq + 1);
|
|
|
|
if (!pfkey_sockaddr_fill(src, 0, (struct sockaddr *)sa, family) ||
|
|
|
|
!pfkey_sockaddr_fill(dst, 0, (struct sockaddr *)(sa + socklen), family))
|
2007-02-08 21:14:33 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef CONFIG_NET_KEY_MIGRATE
|
2011-02-24 05:28:01 +00:00
|
|
|
static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
|
|
|
|
const struct xfrm_migrate *m, int num_bundles,
|
2017-06-06 10:12:14 +00:00
|
|
|
const struct xfrm_kmaddress *k,
|
|
|
|
const struct xfrm_encap_tmpl *encap)
|
2007-02-08 21:14:33 +00:00
|
|
|
{
|
|
|
|
int i;
|
|
|
|
int sasize_sel;
|
|
|
|
int size = 0;
|
|
|
|
int size_pol = 0;
|
|
|
|
struct sk_buff *skb;
|
|
|
|
struct sadb_msg *hdr;
|
|
|
|
struct sadb_x_policy *pol;
|
2011-02-24 05:28:01 +00:00
|
|
|
const struct xfrm_migrate *mp;
|
2007-02-08 21:14:33 +00:00
|
|
|
|
|
|
|
if (type != XFRM_POLICY_TYPE_MAIN)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (num_bundles <= 0 || num_bundles > XFRM_MAX_DEPTH)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2008-10-05 20:33:42 +00:00
|
|
|
if (k != NULL) {
|
|
|
|
/* addresses for KM */
|
|
|
|
size += PFKEY_ALIGN8(sizeof(struct sadb_x_kmaddress) +
|
|
|
|
pfkey_sockaddr_pair_size(k->family));
|
|
|
|
}
|
|
|
|
|
2007-02-08 21:14:33 +00:00
|
|
|
/* selector */
|
|
|
|
sasize_sel = pfkey_sockaddr_size(sel->family);
|
|
|
|
if (!sasize_sel)
|
|
|
|
return -EINVAL;
|
|
|
|
size += (sizeof(struct sadb_address) + sasize_sel) * 2;
|
|
|
|
|
|
|
|
/* policy info */
|
|
|
|
size_pol += sizeof(struct sadb_x_policy);
|
|
|
|
|
|
|
|
/* ipsecrequests */
|
|
|
|
for (i = 0, mp = m; i < num_bundles; i++, mp++) {
|
|
|
|
/* old locator pair */
|
|
|
|
size_pol += sizeof(struct sadb_x_ipsecrequest) +
|
|
|
|
pfkey_sockaddr_pair_size(mp->old_family);
|
|
|
|
/* new locator pair */
|
|
|
|
size_pol += sizeof(struct sadb_x_ipsecrequest) +
|
|
|
|
pfkey_sockaddr_pair_size(mp->new_family);
|
|
|
|
}
|
|
|
|
|
|
|
|
size += sizeof(struct sadb_msg) + size_pol;
|
|
|
|
|
|
|
|
/* alloc buffer */
|
|
|
|
skb = alloc_skb(size, GFP_ATOMIC);
|
|
|
|
if (skb == NULL)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
hdr = skb_put(skb, sizeof(struct sadb_msg));
|
2007-02-08 21:14:33 +00:00
|
|
|
hdr->sadb_msg_version = PF_KEY_V2;
|
|
|
|
hdr->sadb_msg_type = SADB_X_MIGRATE;
|
|
|
|
hdr->sadb_msg_satype = pfkey_proto2satype(m->proto);
|
|
|
|
hdr->sadb_msg_len = size / 8;
|
|
|
|
hdr->sadb_msg_errno = 0;
|
|
|
|
hdr->sadb_msg_reserved = 0;
|
|
|
|
hdr->sadb_msg_seq = 0;
|
|
|
|
hdr->sadb_msg_pid = 0;
|
|
|
|
|
2008-10-05 20:33:42 +00:00
|
|
|
/* Addresses to be used by KM for negotiation, if ext is available */
|
|
|
|
if (k != NULL && (set_sadb_kmaddress(skb, k) < 0))
|
2012-04-08 22:41:10 +00:00
|
|
|
goto err;
|
2008-10-05 20:33:42 +00:00
|
|
|
|
2007-02-08 21:14:33 +00:00
|
|
|
/* selector src */
|
|
|
|
set_sadb_address(skb, sasize_sel, SADB_EXT_ADDRESS_SRC, sel);
|
|
|
|
|
|
|
|
/* selector dst */
|
|
|
|
set_sadb_address(skb, sasize_sel, SADB_EXT_ADDRESS_DST, sel);
|
|
|
|
|
|
|
|
/* policy information */
|
networking: make skb_put & friends return void pointers
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.
Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:
@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)
@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)
which actually doesn't cover pskb_put since there are only three
users overall.
A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-16 12:29:21 +00:00
|
|
|
pol = skb_put(skb, sizeof(struct sadb_x_policy));
|
2007-02-08 21:14:33 +00:00
|
|
|
pol->sadb_x_policy_len = size_pol / 8;
|
|
|
|
pol->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
|
|
|
|
pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
|
|
|
|
pol->sadb_x_policy_dir = dir + 1;
|
2013-07-28 20:04:45 +00:00
|
|
|
pol->sadb_x_policy_reserved = 0;
|
2007-02-08 21:14:33 +00:00
|
|
|
pol->sadb_x_policy_id = 0;
|
|
|
|
pol->sadb_x_policy_priority = 0;
|
|
|
|
|
|
|
|
for (i = 0, mp = m; i < num_bundles; i++, mp++) {
|
|
|
|
/* old ipsecrequest */
|
2007-04-17 19:32:20 +00:00
|
|
|
int mode = pfkey_mode_from_xfrm(mp->mode);
|
|
|
|
if (mode < 0)
|
2008-01-21 01:24:29 +00:00
|
|
|
goto err;
|
2007-04-17 19:32:20 +00:00
|
|
|
if (set_ipsecrequest(skb, mp->proto, mode,
|
2007-02-08 21:14:33 +00:00
|
|
|
(mp->reqid ? IPSEC_LEVEL_UNIQUE : IPSEC_LEVEL_REQUIRE),
|
|
|
|
mp->reqid, mp->old_family,
|
2008-01-21 01:24:29 +00:00
|
|
|
&mp->old_saddr, &mp->old_daddr) < 0)
|
|
|
|
goto err;
|
2007-02-08 21:14:33 +00:00
|
|
|
|
|
|
|
/* new ipsecrequest */
|
2007-04-17 19:32:20 +00:00
|
|
|
if (set_ipsecrequest(skb, mp->proto, mode,
|
2007-02-08 21:14:33 +00:00
|
|
|
(mp->reqid ? IPSEC_LEVEL_UNIQUE : IPSEC_LEVEL_REQUIRE),
|
|
|
|
mp->reqid, mp->new_family,
|
2008-01-21 01:24:29 +00:00
|
|
|
&mp->new_saddr, &mp->new_daddr) < 0)
|
|
|
|
goto err;
|
2007-02-08 21:14:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* broadcast migrate message to sockets */
|
af_key: do not use GFP_KERNEL in atomic contexts
pfkey_broadcast() might be called from non process contexts,
we can not use GFP_KERNEL in these cases [1].
This patch partially reverts commit ba51b6be38c1 ("net: Fix RCU splat in
af_key"), only keeping the GFP_ATOMIC forcing under rcu_read_lock()
section.
[1] : syzkaller reported :
in_atomic(): 1, irqs_disabled(): 0, pid: 2932, name: syzkaller183439
3 locks held by syzkaller183439/2932:
#0: (&net->xfrm.xfrm_cfg_mutex){+.+.+.}, at: [<ffffffff83b43888>] pfkey_sendmsg+0x4c8/0x9f0 net/key/af_key.c:3649
#1: (&pfk->dump_lock){+.+.+.}, at: [<ffffffff83b467f6>] pfkey_do_dump+0x76/0x3f0 net/key/af_key.c:293
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] spin_lock_bh include/linux/spinlock.h:304 [inline]
#2: (&(&net->xfrm.xfrm_policy_lock)->rlock){+...+.}, at: [<ffffffff83957632>] xfrm_policy_walk+0x192/0xa30 net/xfrm/xfrm_policy.c:1028
CPU: 0 PID: 2932 Comm: syzkaller183439 Not tainted 4.13.0-rc4+ #24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:52
___might_sleep+0x2b2/0x470 kernel/sched/core.c:5994
__might_sleep+0x95/0x190 kernel/sched/core.c:5947
slab_pre_alloc_hook mm/slab.h:416 [inline]
slab_alloc mm/slab.c:3383 [inline]
kmem_cache_alloc+0x24b/0x6e0 mm/slab.c:3559
skb_clone+0x1a0/0x400 net/core/skbuff.c:1037
pfkey_broadcast_one+0x4b2/0x6f0 net/key/af_key.c:207
pfkey_broadcast+0x4ba/0x770 net/key/af_key.c:281
dump_sp+0x3d6/0x500 net/key/af_key.c:2685
xfrm_policy_walk+0x2f1/0xa30 net/xfrm/xfrm_policy.c:1042
pfkey_dump_sp+0x42/0x50 net/key/af_key.c:2695
pfkey_do_dump+0xaa/0x3f0 net/key/af_key.c:299
pfkey_spddump+0x1a0/0x210 net/key/af_key.c:2722
pfkey_process+0x606/0x710 net/key/af_key.c:2814
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3650
sock_sendmsg_nosec net/socket.c:633 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:643
___sys_sendmsg+0x755/0x890 net/socket.c:2035
__sys_sendmsg+0xe5/0x210 net/socket.c:2069
SYSC_sendmsg net/socket.c:2080 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2076
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x445d79
RSP: 002b:00007f32447c1dc8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445d79
RDX: 0000000000000000 RSI: 000000002023dfc8 RDI: 0000000000000008
RBP: 0000000000000086 R08: 00007f32447c2700 R09: 00007f32447c2700
R10: 00007f32447c2700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffe33edec4f R14: 00007f32447c29c0 R15: 0000000000000000
Fixes: ba51b6be38c1 ("net: Fix RCU splat in af_key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: David Ahern <dsa@cumulusnetworks.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-14 17:16:45 +00:00
|
|
|
pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, &init_net);
|
2007-02-08 21:14:33 +00:00
|
|
|
|
|
|
|
return 0;
|
2008-01-21 01:24:29 +00:00
|
|
|
|
|
|
|
err:
|
|
|
|
kfree_skb(skb);
|
|
|
|
return -EINVAL;
|
2007-02-08 21:14:33 +00:00
|
|
|
}
|
|
|
|
#else
|
2011-02-24 05:28:01 +00:00
|
|
|
static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
|
|
|
|
const struct xfrm_migrate *m, int num_bundles,
|
2017-06-06 10:12:14 +00:00
|
|
|
const struct xfrm_kmaddress *k,
|
|
|
|
const struct xfrm_encap_tmpl *encap)
|
2007-02-08 21:14:33 +00:00
|
|
|
{
|
|
|
|
return -ENOPROTOOPT;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2015-03-02 07:37:48 +00:00
|
|
|
static int pfkey_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
|
|
|
struct sk_buff *skb = NULL;
|
|
|
|
struct sadb_msg *hdr = NULL;
|
|
|
|
int err;
|
2013-11-07 09:47:50 +00:00
|
|
|
struct net *net = sock_net(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
err = -EOPNOTSUPP;
|
|
|
|
if (msg->msg_flags & MSG_OOB)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
err = -EMSGSIZE;
|
2012-04-15 05:58:06 +00:00
|
|
|
if ((unsigned int)len > sk->sk_sndbuf - 32)
|
2005-04-16 22:20:36 +00:00
|
|
|
goto out;
|
|
|
|
|
|
|
|
err = -ENOBUFS;
|
|
|
|
skb = alloc_skb(len, GFP_KERNEL);
|
|
|
|
if (skb == NULL)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
err = -EFAULT;
|
2014-04-07 01:25:44 +00:00
|
|
|
if (memcpy_from_msg(skb_put(skb,len), msg, len))
|
2005-04-16 22:20:36 +00:00
|
|
|
goto out;
|
|
|
|
|
|
|
|
hdr = pfkey_get_base_msg(skb, &err);
|
|
|
|
if (!hdr)
|
|
|
|
goto out;
|
|
|
|
|
2013-11-07 09:47:50 +00:00
|
|
|
mutex_lock(&net->xfrm.xfrm_cfg_mutex);
|
2005-04-16 22:20:36 +00:00
|
|
|
err = pfkey_process(sk, skb, hdr);
|
2013-11-07 09:47:50 +00:00
|
|
|
mutex_unlock(&net->xfrm.xfrm_cfg_mutex);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
out:
|
|
|
|
if (err && hdr && pfkey_error(hdr, err, sk) == 0)
|
|
|
|
err = 0;
|
2009-02-25 00:31:04 +00:00
|
|
|
kfree_skb(skb);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
return err ? : len;
|
|
|
|
}
|
|
|
|
|
2015-03-02 07:37:48 +00:00
|
|
|
static int pfkey_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
|
2005-04-16 22:20:36 +00:00
|
|
|
int flags)
|
|
|
|
{
|
|
|
|
struct sock *sk = sock->sk;
|
2008-03-04 07:40:12 +00:00
|
|
|
struct pfkey_sock *pfk = pfkey_sk(sk);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct sk_buff *skb;
|
|
|
|
int copied, err;
|
|
|
|
|
|
|
|
err = -EINVAL;
|
|
|
|
if (flags & ~(MSG_PEEK|MSG_DONTWAIT|MSG_TRUNC|MSG_CMSG_COMPAT))
|
|
|
|
goto out;
|
|
|
|
|
2022-04-04 16:30:22 +00:00
|
|
|
skb = skb_recv_datagram(sk, flags, &err);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (skb == NULL)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
copied = skb->len;
|
|
|
|
if (copied > len) {
|
|
|
|
msg->msg_flags |= MSG_TRUNC;
|
|
|
|
copied = len;
|
|
|
|
}
|
|
|
|
|
2007-03-13 16:06:52 +00:00
|
|
|
skb_reset_transport_header(skb);
|
2014-11-05 21:46:40 +00:00
|
|
|
err = skb_copy_datagram_msg(skb, 0, msg, copied);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (err)
|
|
|
|
goto out_free;
|
|
|
|
|
2022-04-27 20:02:37 +00:00
|
|
|
sock_recv_cmsgs(msg, sk, skb);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
err = (flags & MSG_TRUNC) ? skb->len : copied;
|
|
|
|
|
2008-03-04 07:40:12 +00:00
|
|
|
if (pfk->dump.dump != NULL &&
|
|
|
|
3 * atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf)
|
|
|
|
pfkey_do_dump(pfk);
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
out_free:
|
|
|
|
skb_free_datagram(sk, skb);
|
|
|
|
out:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2005-12-22 20:49:22 +00:00
|
|
|
static const struct proto_ops pfkey_ops = {
|
2005-04-16 22:20:36 +00:00
|
|
|
.family = PF_KEY,
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
/* Operations that make no sense on pfkey sockets. */
|
|
|
|
.bind = sock_no_bind,
|
|
|
|
.connect = sock_no_connect,
|
|
|
|
.socketpair = sock_no_socketpair,
|
|
|
|
.accept = sock_no_accept,
|
|
|
|
.getname = sock_no_getname,
|
|
|
|
.ioctl = sock_no_ioctl,
|
|
|
|
.listen = sock_no_listen,
|
|
|
|
.shutdown = sock_no_shutdown,
|
|
|
|
.mmap = sock_no_mmap,
|
|
|
|
.sendpage = sock_no_sendpage,
|
|
|
|
|
|
|
|
/* Now the operations that really occur. */
|
|
|
|
.release = pfkey_release,
|
2018-06-28 16:43:44 +00:00
|
|
|
.poll = datagram_poll,
|
2005-04-16 22:20:36 +00:00
|
|
|
.sendmsg = pfkey_sendmsg,
|
|
|
|
.recvmsg = pfkey_recvmsg,
|
|
|
|
};
|
|
|
|
|
2009-10-05 05:58:39 +00:00
|
|
|
static const struct net_proto_family pfkey_family_ops = {
|
2005-04-16 22:20:36 +00:00
|
|
|
.family = PF_KEY,
|
|
|
|
.create = pfkey_create,
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
};
|
|
|
|
|
|
|
|
#ifdef CONFIG_PROC_FS
|
2008-02-10 07:20:06 +00:00
|
|
|
static int pfkey_seq_show(struct seq_file *f, void *v)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2010-02-08 23:20:29 +00:00
|
|
|
struct sock *s = sk_entry(v);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-02-10 07:20:06 +00:00
|
|
|
if (v == SEQ_START_TOKEN)
|
|
|
|
seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
|
|
|
|
else
|
net: convert %p usage to %pK
The %pK format specifier is designed to hide exposed kernel pointers,
specifically via /proc interfaces. Exposing these pointers provides an
easy target for kernel write vulnerabilities, since they reveal the
locations of writable structures containing easily triggerable function
pointers. The behavior of %pK depends on the kptr_restrict sysctl.
If kptr_restrict is set to 0, no deviation from the standard %p behavior
occurs. If kptr_restrict is set to 1, the default, if the current user
(intended to be a reader via seq_printf(), etc.) does not have CAP_SYSLOG
(currently in the LSM tree), kernel pointers using %pK are printed as 0's.
If kptr_restrict is set to 2, kernel pointers using %pK are printed as
0's regardless of privileges. Replacing with 0's was chosen over the
default "(null)", which cannot be parsed by userland %p, which expects
"(nil)".
The supporting code for kptr_restrict and %pK are currently in the -mm
tree. This patch converts users of %p in net/ to %pK. Cases of printing
pointers to the syslog are not covered, since this would eliminate useful
information for postmortem debugging and the reading of the syslog is
already optionally protected by the dmesg_restrict sysctl.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: James Morris <jmorris@namei.org>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Thomas Graf <tgraf@infradead.org>
Cc: Eugene Teo <eugeneteo@kernel.org>
Cc: Kees Cook <kees.cook@canonical.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: David S. Miller <davem@davemloft.net>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Eric Paris <eparis@parisplace.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-05-23 12:17:35 +00:00
|
|
|
seq_printf(f, "%pK %-6d %-6u %-6u %-6u %-6lu\n",
|
2005-04-16 22:20:36 +00:00
|
|
|
s,
|
2017-06-30 10:08:01 +00:00
|
|
|
refcount_read(&s->sk_refcnt),
|
2009-06-18 02:05:41 +00:00
|
|
|
sk_rmem_alloc_get(s),
|
|
|
|
sk_wmem_alloc_get(s),
|
2012-05-24 07:10:10 +00:00
|
|
|
from_kuid_munged(seq_user_ns(f), sock_i_uid(s)),
|
2005-04-16 22:20:36 +00:00
|
|
|
sock_i_ino(s)
|
|
|
|
);
|
2008-02-10 07:20:06 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void *pfkey_seq_start(struct seq_file *f, loff_t *ppos)
|
2011-02-23 09:06:50 +00:00
|
|
|
__acquires(rcu)
|
2008-02-10 07:20:06 +00:00
|
|
|
{
|
2008-11-26 01:59:00 +00:00
|
|
|
struct net *net = seq_file_net(f);
|
2008-11-26 01:58:07 +00:00
|
|
|
struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-02-22 07:57:19 +00:00
|
|
|
rcu_read_lock();
|
|
|
|
return seq_hlist_start_head_rcu(&net_pfkey->table, *ppos);
|
2008-02-10 07:20:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void *pfkey_seq_next(struct seq_file *f, void *v, loff_t *ppos)
|
|
|
|
{
|
2008-11-26 01:59:00 +00:00
|
|
|
struct net *net = seq_file_net(f);
|
2008-11-26 01:58:07 +00:00
|
|
|
struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
|
|
|
|
|
2010-02-22 07:57:19 +00:00
|
|
|
return seq_hlist_next_rcu(v, &net_pfkey->table, ppos);
|
2008-02-10 07:20:06 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-02-10 07:20:06 +00:00
|
|
|
static void pfkey_seq_stop(struct seq_file *f, void *v)
|
2011-02-23 09:06:50 +00:00
|
|
|
__releases(rcu)
|
2008-02-10 07:20:06 +00:00
|
|
|
{
|
2010-02-22 07:57:19 +00:00
|
|
|
rcu_read_unlock();
|
2008-02-10 07:20:06 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2009-09-01 19:25:02 +00:00
|
|
|
static const struct seq_operations pfkey_seq_ops = {
|
2008-02-10 07:20:06 +00:00
|
|
|
.start = pfkey_seq_start,
|
|
|
|
.next = pfkey_seq_next,
|
|
|
|
.stop = pfkey_seq_stop,
|
|
|
|
.show = pfkey_seq_show,
|
|
|
|
};
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-11-26 01:59:00 +00:00
|
|
|
static int __net_init pfkey_init_proc(struct net *net)
|
2008-02-10 07:19:14 +00:00
|
|
|
{
|
2008-02-10 07:20:06 +00:00
|
|
|
struct proc_dir_entry *e;
|
|
|
|
|
2018-04-10 17:42:55 +00:00
|
|
|
e = proc_create_net("pfkey", 0, net->proc_net, &pfkey_seq_ops,
|
|
|
|
sizeof(struct seq_net_private));
|
2008-02-10 07:20:06 +00:00
|
|
|
if (e == NULL)
|
2008-02-10 07:19:14 +00:00
|
|
|
return -ENOMEM;
|
2008-02-10 07:20:06 +00:00
|
|
|
|
|
|
|
return 0;
|
2008-02-10 07:19:14 +00:00
|
|
|
}
|
|
|
|
|
2010-01-17 03:35:32 +00:00
|
|
|
static void __net_exit pfkey_exit_proc(struct net *net)
|
2008-02-10 07:19:14 +00:00
|
|
|
{
|
2013-02-18 01:34:56 +00:00
|
|
|
remove_proc_entry("pfkey", net->proc_net);
|
2008-02-10 07:19:14 +00:00
|
|
|
}
|
|
|
|
#else
|
2010-01-17 03:35:32 +00:00
|
|
|
static inline int pfkey_init_proc(struct net *net)
|
2008-02-10 07:19:14 +00:00
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-01-17 03:35:32 +00:00
|
|
|
static inline void pfkey_exit_proc(struct net *net)
|
2008-02-10 07:19:14 +00:00
|
|
|
{
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
#endif
|
|
|
|
|
|
|
|
static struct xfrm_mgr pfkeyv2_mgr =
|
|
|
|
{
|
|
|
|
.notify = pfkey_send_notify,
|
|
|
|
.acquire = pfkey_send_acquire,
|
|
|
|
.compile_policy = pfkey_compile_policy,
|
|
|
|
.new_mapping = pfkey_send_new_mapping,
|
2005-06-19 05:42:13 +00:00
|
|
|
.notify_policy = pfkey_send_policy_notify,
|
2007-02-08 21:14:33 +00:00
|
|
|
.migrate = pfkey_send_migrate,
|
2014-02-12 14:20:06 +00:00
|
|
|
.is_alive = pfkey_is_alive,
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
2008-11-26 01:58:07 +00:00
|
|
|
static int __net_init pfkey_net_init(struct net *net)
|
|
|
|
{
|
2009-11-29 15:46:06 +00:00
|
|
|
struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
|
2008-11-26 01:58:07 +00:00
|
|
|
int rv;
|
|
|
|
|
|
|
|
INIT_HLIST_HEAD(&net_pfkey->table);
|
|
|
|
atomic_set(&net_pfkey->socks_nr, 0);
|
2009-11-29 15:46:06 +00:00
|
|
|
|
2008-11-26 01:59:00 +00:00
|
|
|
rv = pfkey_init_proc(net);
|
2008-11-26 01:58:07 +00:00
|
|
|
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __net_exit pfkey_net_exit(struct net *net)
|
|
|
|
{
|
|
|
|
struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
|
|
|
|
|
2008-11-26 01:59:00 +00:00
|
|
|
pfkey_exit_proc(net);
|
2017-11-12 19:26:53 +00:00
|
|
|
WARN_ON(!hlist_empty(&net_pfkey->table));
|
2008-11-26 01:58:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static struct pernet_operations pfkey_net_ops = {
|
|
|
|
.init = pfkey_net_init,
|
|
|
|
.exit = pfkey_net_exit,
|
2009-11-29 15:46:06 +00:00
|
|
|
.id = &pfkey_net_id,
|
|
|
|
.size = sizeof(struct netns_pfkey),
|
2008-11-26 01:58:07 +00:00
|
|
|
};
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static void __exit ipsec_pfkey_exit(void)
|
|
|
|
{
|
|
|
|
xfrm_unregister_km(&pfkeyv2_mgr);
|
|
|
|
sock_unregister(PF_KEY);
|
2010-01-30 02:53:27 +00:00
|
|
|
unregister_pernet_subsys(&pfkey_net_ops);
|
2005-04-16 22:20:36 +00:00
|
|
|
proto_unregister(&key_proto);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int __init ipsec_pfkey_init(void)
|
|
|
|
{
|
|
|
|
int err = proto_register(&key_proto, 0);
|
|
|
|
|
|
|
|
if (err != 0)
|
|
|
|
goto out;
|
|
|
|
|
2010-01-30 02:53:27 +00:00
|
|
|
err = register_pernet_subsys(&pfkey_net_ops);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (err != 0)
|
|
|
|
goto out_unregister_key_proto;
|
2010-01-30 02:53:27 +00:00
|
|
|
err = sock_register(&pfkey_family_ops);
|
|
|
|
if (err != 0)
|
|
|
|
goto out_unregister_pernet;
|
2022-06-15 01:55:19 +00:00
|
|
|
xfrm_register_km(&pfkeyv2_mgr);
|
2005-04-16 22:20:36 +00:00
|
|
|
out:
|
|
|
|
return err;
|
2010-01-30 02:53:27 +00:00
|
|
|
|
|
|
|
out_unregister_pernet:
|
|
|
|
unregister_pernet_subsys(&pfkey_net_ops);
|
2005-04-16 22:20:36 +00:00
|
|
|
out_unregister_key_proto:
|
|
|
|
proto_unregister(&key_proto);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
module_init(ipsec_pfkey_init);
|
|
|
|
module_exit(ipsec_pfkey_exit);
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
MODULE_ALIAS_NETPROTO(PF_KEY);
|