summaryrefslogtreecommitdiff
path: root/net/key
diff options
context:
space:
mode:
authorJamal Hadi Salim <hadi@cyberus.ca>2010-02-19 02:00:40 +0000
committerDavid S. Miller <davem@davemloft.net>2010-02-19 13:11:49 -0800
commit8be987d73481831265d7e8c648bec838271bfd9b (patch)
treed06242ca463d87e3840090959c695d9c1a151799 /net/key
parent927606a17e802fcf0c9ee82a74bc444b84726e67 (diff)
downloadlinux-3.10-8be987d73481831265d7e8c648bec838271bfd9b.tar.gz
linux-3.10-8be987d73481831265d7e8c648bec838271bfd9b.tar.bz2
linux-3.10-8be987d73481831265d7e8c648bec838271bfd9b.zip
pfkey: fix SA and SP flush sequence
RFC 2367 says flushing behavior should be: 1) user space -> kernel: flush 2) kernel: flush 3) kernel -> user space: flush event to ALL listeners This is not realistic today in the presence of selinux policies which may reject the flush etc. So we make the sequence become: 1) user space -> kernel: flush 2) kernel: flush 3) kernel -> user space: flush response to originater from #1 4) if there were no errors then: kernel -> user space: flush event to ALL listeners Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/key')
-rw-r--r--net/key/af_key.c33
1 files changed, 27 insertions, 6 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 79d2c0f3c33..b3faede9a4f 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1712,6 +1712,23 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, struct sadb_msg
return 0;
}
+static int unicast_flush_resp(struct sock *sk, struct sadb_msg *ihdr)
+{
+ struct sk_buff *skb;
+ struct sadb_msg *hdr;
+
+ skb = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_ATOMIC);
+ if (!skb)
+ return -ENOBUFS;
+
+ hdr = (struct sadb_msg *) skb_put(skb, sizeof(struct sadb_msg));
+ memcpy(hdr, ihdr, sizeof(struct sadb_msg));
+ hdr->sadb_msg_errno = (uint8_t) 0;
+ hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+
+ return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ONE, sk, sock_net(sk));
+}
+
static int key_notify_sa_flush(struct km_event *c)
{
struct sk_buff *skb;
@@ -1740,7 +1757,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd
unsigned proto;
struct km_event c;
struct xfrm_audit audit_info;
- int err;
+ int err, err2;
proto = pfkey_satype2proto(hdr->sadb_msg_satype);
if (proto == 0)
@@ -1750,8 +1767,10 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd
audit_info.sessionid = audit_get_sessionid(current);
audit_info.secid = 0;
err = xfrm_state_flush(net, proto, &audit_info);
- if (err)
- return err;
+ err2 = unicast_flush_resp(sk, hdr);
+ if (err || err2)
+ return err ? err : err2;
+
c.data.proto = proto;
c.seq = hdr->sadb_msg_seq;
c.pid = hdr->sadb_msg_pid;
@@ -2706,14 +2725,16 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg
struct net *net = sock_net(sk);
struct km_event c;
struct xfrm_audit audit_info;
- int err;
+ int err, err2;
audit_info.loginuid = audit_get_loginuid(current);
audit_info.sessionid = audit_get_sessionid(current);
audit_info.secid = 0;
err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
- if (err)
- return err;
+ err2 = unicast_flush_resp(sk, hdr);
+ if (err || err2)
+ return err ? err : err2;
+
c.data.type = XFRM_POLICY_TYPE_MAIN;
c.event = XFRM_MSG_FLUSHPOLICY;
c.pid = hdr->sadb_msg_pid;