pfkey: fix SA and SP flush sequence

RFC 2367 says flushing behavior should be: 1) user space -> kernel: flush 2) kernel: flush 3) kernel -> user space: flush event to ALL listeners This is not realistic today in the presence of selinux policies which may reject the flush etc. So we make the sequence become: 1) user space -> kernel: flush 2) kernel: flush 3) kernel -> user space: flush response to originater from #1 4) if there were no errors then: kernel -> user space: flush event to ALL listeners Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Jamal Hadi Salim <hadi@cyberus.ca> 2010-02-18 21:00:40 -0500
committer: David S. Miller <davem@davemloft.net> 2010-02-19 16:11:49 -0500
commit: 8be987d73481831265d7e8c648bec838271bfd9b (patch)
tree: d06242ca463d87e3840090959c695d9c1a151799 /net/key
parent: 927606a17e802fcf0c9ee82a74bc444b84726e67 (diff)
1 files changed, 27 insertions, 6 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 79d2c0f3c334..b3faede9a4f6 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1712,6 +1712,23 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, struct sadb_msg
        return 0;
 }
+static int unicast_flush_resp(struct sock *sk, struct sadb_msg *ihdr)
+{
+        struct sk_buff *skb;
+        struct sadb_msg *hdr;
+        skb = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_ATOMIC);
+        if (!skb)
+                return -ENOBUFS;
+        hdr = (struct sadb_msg *) skb_put(skb, sizeof(struct sadb_msg));
+        memcpy(hdr, ihdr, sizeof(struct sadb_msg));
+        hdr->sadb_msg_errno = (uint8_t) 0;
+        hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t));
+        return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ONE, sk, sock_net(sk));
+}
 static int key_notify_sa_flush(struct km_event *c)
 {
        struct sk_buff *skb;
@@ -1740,7 +1757,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd
        unsigned proto;
        struct km_event c;
        struct xfrm_audit audit_info;
-        int err;
+        int err, err2;
        proto = pfkey_satype2proto(hdr->sadb_msg_satype);
        if (proto == 0)
@@ -1750,8 +1767,10 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd
        audit_info.sessionid = audit_get_sessionid(current);
        audit_info.secid = 0;
        err = xfrm_state_flush(net, proto, &audit_info);
-        if (err)
+        err2 = unicast_flush_resp(sk, hdr);
-                return err;
+        if (err || err2)
+                return err ? err : err2;
        c.data.proto = proto;
        c.seq = hdr->sadb_msg_seq;
        c.pid = hdr->sadb_msg_pid;
@@ -2706,14 +2725,16 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg
        struct net *net = sock_net(sk);
        struct km_event c;
        struct xfrm_audit audit_info;
-        int err;
+        int err, err2;
        audit_info.loginuid = audit_get_loginuid(current);
        audit_info.sessionid = audit_get_sessionid(current);
        audit_info.secid = 0;
        err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
-        if (err)
+        err2 = unicast_flush_resp(sk, hdr);
-                return err;
+        if (err || err2)
+                return err ? err : err2;
        c.data.type = XFRM_POLICY_TYPE_MAIN;
        c.event = XFRM_MSG_FLUSHPOLICY;
        c.pid = hdr->sadb_msg_pid;
author	Jamal Hadi Salim <hadi@cyberus.ca>	2010-02-18 21:00:40 -0500
committer	David S. Miller <davem@davemloft.net>	2010-02-19 16:11:49 -0500
commit	8be987d73481831265d7e8c648bec838271bfd9b (patch)
tree	d06242ca463d87e3840090959c695d9c1a151799 /net/key
parent	927606a17e802fcf0c9ee82a74bc444b84726e67 (diff)