| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20171201054513.qhvhrejnflj27wpt@gauss3.secunet.de>
Date: Fri, 1 Dec 2017 06:45:13 +0100
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Lorenzo Colitti <lorenzo@...gle.com>
CC: <netdev@...r.kernel.org>, <zenczykowski@...il.com>,
<nharold@...gle.com>
Subject: Re: [PATCH ipsec-next] net: xfrm: allow clearing socket xfrm
policies.
On Mon, Nov 20, 2017 at 07:26:02PM +0900, Lorenzo Colitti wrote:
> Currently it is possible to add or update socket policies, but
> not clear them. Therefore, once a socket policy has been applied,
> the socket cannot be used for unencrypted traffic.
>
> This patch allows (privileged) users to clear socket policies by
> passing in a NULL pointer and zero length argument to the
> {IP,IPV6}_{IPSEC,XFRM}_POLICY setsockopts. This results in both
> the incoming and outgoing policies being cleared.
>
> The simple approach taken in this patch cannot clear socket
> policies in only one direction. If desired this could be added
> in the future, for example by continuing to pass in a length of
> zero (which currently is guaranteed to return EMSGSIZE) and
> making the policy be a pointer to an integer that contains one
> of the XFRM_POLICY_{IN,OUT} enum values.
>
> An alternative would have been to interpret the length as a
> signed integer and use XFRM_POLICY_IN (i.e., 0) to clear the
> input policy and -XFRM_POLICY_OUT (i.e., -1) to clear the output
> policy.
>
> Tested: https://android-review.googlesource.com/539816
> Signed-off-by: Lorenzo Colitti <lorenzo@...gle.com>
Applied to ipsec-next, thanks Lorenzo!
Powered by blists - more mailing lists