netns xfrm: policy flushing in netns
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
parent
1121994c80
commit
33ffbbd52c
@ -1444,7 +1444,7 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
|
|||||||
struct xfrm_sec_ctx *ctx, int delete,
|
struct xfrm_sec_ctx *ctx, int delete,
|
||||||
int *err);
|
int *err);
|
||||||
struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err);
|
struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err);
|
||||||
int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info);
|
int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info);
|
||||||
u32 xfrm_get_acqseq(void);
|
u32 xfrm_get_acqseq(void);
|
||||||
extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
|
extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
|
||||||
struct xfrm_state * xfrm_find_acq(struct net *net, u8 mode, u32 reqid, u8 proto,
|
struct xfrm_state * xfrm_find_acq(struct net *net, u8 mode, u32 reqid, u8 proto,
|
||||||
|
@ -2686,7 +2686,7 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg
|
|||||||
audit_info.loginuid = audit_get_loginuid(current);
|
audit_info.loginuid = audit_get_loginuid(current);
|
||||||
audit_info.sessionid = audit_get_sessionid(current);
|
audit_info.sessionid = audit_get_sessionid(current);
|
||||||
audit_info.secid = 0;
|
audit_info.secid = 0;
|
||||||
err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info);
|
err = xfrm_policy_flush(&init_net, XFRM_POLICY_TYPE_MAIN, &audit_info);
|
||||||
if (err)
|
if (err)
|
||||||
return err;
|
return err;
|
||||||
c.data.type = XFRM_POLICY_TYPE_MAIN;
|
c.data.type = XFRM_POLICY_TYPE_MAIN;
|
||||||
|
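Review bot: Both pfkey_spdflush in this hunk and xfrm_flush_policy in the last hunk of the page now pass `&init_net` explicitly, so a flush request arriving on any socket always removes init_net's policies, whatever namespace the requesting socket belongs to. If this is a deliberate intermediate step before the PF_KEY and xfrm netlink sockets become per-namespace, a comment at each call site, e.g. `/* TODO(netns): take the namespace from the socket once these sockets are per-netns */`, would keep the hard-coded namespace from being mistaken for the final state; otherwise the call should derive it from the socket, `err = xfrm_policy_flush(sock_net(sk), XFRM_POLICY_TYPE_MAIN, &audit_info);`. The enclosing functions start and end outside both hunks.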
@ -732,7 +732,7 @@ EXPORT_SYMBOL(xfrm_policy_byid);
|
|||||||
|
|
||||||
#ifdef CONFIG_SECURITY_NETWORK_XFRM
|
#ifdef CONFIG_SECURITY_NETWORK_XFRM
|
||||||
static inline int
|
static inline int
|
||||||
xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
|
xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info)
|
||||||
{
|
{
|
||||||
int dir, err = 0;
|
int dir, err = 0;
|
||||||
|
|
||||||
@ -742,7 +742,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
|
|||||||
int i;
|
int i;
|
||||||
|
|
||||||
hlist_for_each_entry(pol, entry,
|
hlist_for_each_entry(pol, entry,
|
||||||
&init_net.xfrm.policy_inexact[dir], bydst) {
|
&net->xfrm.policy_inexact[dir], bydst) {
|
||||||
if (pol->type != type)
|
if (pol->type != type)
|
||||||
continue;
|
continue;
|
||||||
err = security_xfrm_policy_delete(pol->security);
|
err = security_xfrm_policy_delete(pol->security);
|
||||||
@ -754,9 +754,9 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
|
|||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for (i = init_net.xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
|
for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
|
||||||
hlist_for_each_entry(pol, entry,
|
hlist_for_each_entry(pol, entry,
|
||||||
init_net.xfrm.policy_bydst[dir].table + i,
|
net->xfrm.policy_bydst[dir].table + i,
|
||||||
bydst) {
|
bydst) {
|
||||||
if (pol->type != type)
|
if (pol->type != type)
|
||||||
continue;
|
continue;
|
||||||
@ -776,19 +776,19 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
|
|||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
static inline int
|
static inline int
|
||||||
xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
|
xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info)
|
||||||
{
|
{
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
|
int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
|
||||||
{
|
{
|
||||||
int dir, err = 0;
|
int dir, err = 0;
|
||||||
|
|
||||||
write_lock_bh(&xfrm_policy_lock);
|
write_lock_bh(&xfrm_policy_lock);
|
||||||
|
|
||||||
err = xfrm_policy_flush_secctx_check(type, audit_info);
|
err = xfrm_policy_flush_secctx_check(net, type, audit_info);
|
||||||
if (err)
|
if (err)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@ -800,7 +800,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
|
|||||||
killed = 0;
|
killed = 0;
|
||||||
again1:
|
again1:
|
||||||
hlist_for_each_entry(pol, entry,
|
hlist_for_each_entry(pol, entry,
|
||||||
&init_net.xfrm.policy_inexact[dir], bydst) {
|
&net->xfrm.policy_inexact[dir], bydst) {
|
||||||
if (pol->type != type)
|
if (pol->type != type)
|
||||||
continue;
|
continue;
|
||||||
hlist_del(&pol->bydst);
|
hlist_del(&pol->bydst);
|
||||||
@ -818,10 +818,10 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
|
|||||||
goto again1;
|
goto again1;
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = init_net.xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
|
for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
|
||||||
again2:
|
again2:
|
||||||
hlist_for_each_entry(pol, entry,
|
hlist_for_each_entry(pol, entry,
|
||||||
init_net.xfrm.policy_bydst[dir].table + i,
|
net->xfrm.policy_bydst[dir].table + i,
|
||||||
bydst) {
|
bydst) {
|
||||||
if (pol->type != type)
|
if (pol->type != type)
|
||||||
continue;
|
continue;
|
||||||
@ -842,7 +842,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
init_net.xfrm.policy_count[dir] -= killed;
|
net->xfrm.policy_count[dir] -= killed;
|
||||||
}
|
}
|
||||||
atomic_inc(&flow_cache_genid);
|
atomic_inc(&flow_cache_genid);
|
||||||
out:
|
out:
|
||||||
|
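Review bot: xfrm_policy_flush now walks only `net->xfrm.policy_inexact`, `policy_bydst` and `policy_count`, but the lock it takes (`write_lock_bh(&xfrm_policy_lock)`) and the invalidation it issues (`atomic_inc(&flow_cache_genid)`) are still the global, non-namespaced objects, and nothing near the definition says whether that is intended. A kernel-doc comment above `int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)` should state the contract: the caller names the namespace whose policies of the given type are deleted, all namespaces serialise on the single global policy lock, the flow cache is invalidated for every namespace, and audit_info identifies the requesting subject for the audit record. The same applies to xfrm_policy_flush_secctx_check, whose security_xfrm_policy_delete pre-check is now per-namespace while its CONFIG_SECURITY_NETWORK_XFRM-disabled stub ignores net entirely. Both function bodies extend past the hunk boundaries.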
@ -1546,7 +1546,7 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
|
|||||||
audit_info.loginuid = NETLINK_CB(skb).loginuid;
|
audit_info.loginuid = NETLINK_CB(skb).loginuid;
|
||||||
audit_info.sessionid = NETLINK_CB(skb).sessionid;
|
audit_info.sessionid = NETLINK_CB(skb).sessionid;
|
||||||
audit_info.secid = NETLINK_CB(skb).sid;
|
audit_info.secid = NETLINK_CB(skb).sid;
|
||||||
err = xfrm_policy_flush(type, &audit_info);
|
err = xfrm_policy_flush(&init_net, type, &audit_info);
|
||||||
if (err)
|
if (err)
|
||||||
return err;
|
return err;
|
||||||
c.data.type = type;
|
c.data.type = type;
|
||||||
|