• Lorenzo Colitti's avatar
    net: xfrm: allow clearing socket xfrm policies. · c9e82cb3
    Lorenzo Colitti authored
    
    [ Upstream commit be8f8284 ]
    
    Currently it is possible to add or update socket policies, but
    not clear them. Therefore, once a socket policy has been applied,
    the socket cannot be used for unencrypted traffic.
    
    This patch allows (privileged) users to clear socket policies by
    passing in a NULL pointer and zero length argument to the
    {IP,IPV6}_{IPSEC,XFRM}_POLICY setsockopts. This results in both
    the incoming and outgoing policies being cleared.
    
    The simple approach taken in this patch cannot clear socket
    policies in only one direction. If desired this could be added
    in the future, for example by continuing to pass in a length of
    zero (which currently is guaranteed to return EMSGSIZE) and
    making the policy be a pointer to an integer that contains one
    of the XFRM_POLICY_{IN,OUT} enum values.
    
    An alternative would have been to interpret the length as a
    signed integer and use XFRM_POLICY_IN (i.e., 0) to clear the
    input policy and -XFRM_POLICY_OUT (i.e., -1) to clear the output
    policy.
    
    Tested: https://android-review.googlesource.com/539816Signed-off-by: default avatarLorenzo Colitti <lorenzo@google.com>
    Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    c9e82cb3
xfrm_policy.c 78.9 KB