Commit 33ffbbd5 authored by Alexey Dobriyan, committed by David S. Miller

netns xfrm: policy flushing in netns

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 1121994c
...@@ -1444,7 +1444,7 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir, ...@@ -1444,7 +1444,7 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(u8 type, int dir,
struct xfrm_sec_ctx *ctx, int delete, struct xfrm_sec_ctx *ctx, int delete,
int *err); int *err);
struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err); struct xfrm_policy *xfrm_policy_byid(u8, int dir, u32 id, int delete, int *err);
int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info); int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info);
u32 xfrm_get_acqseq(void); u32 xfrm_get_acqseq(void);
extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi); extern int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
struct xfrm_state * xfrm_find_acq(struct net *net, u8 mode, u32 reqid, u8 proto, struct xfrm_state * xfrm_find_acq(struct net *net, u8 mode, u32 reqid, u8 proto,
......
...@@ -2686,7 +2686,7 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg ...@@ -2686,7 +2686,7 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg
audit_info.loginuid = audit_get_loginuid(current); audit_info.loginuid = audit_get_loginuid(current);
audit_info.sessionid = audit_get_sessionid(current); audit_info.sessionid = audit_get_sessionid(current);
audit_info.secid = 0; audit_info.secid = 0;
err = xfrm_policy_flush(XFRM_POLICY_TYPE_MAIN, &audit_info); err = xfrm_policy_flush(&init_net, XFRM_POLICY_TYPE_MAIN, &audit_info);
if (err) if (err)
return err; return err;
c.data.type = XFRM_POLICY_TYPE_MAIN; c.data.type = XFRM_POLICY_TYPE_MAIN;
......
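Review bot: The new `xfrm_policy_flush(&init_net, ...)` call in pfkey_spdflush hardcodes the initial namespace instead of deriving it from the requesting socket, so once PF_KEY sockets can be created in a non-init network namespace, an SADB_X_SPDFLUSH from such a socket would wipe the init namespace's SPD rather than its own. The caller already has `sk`, so the namespace-correct form is `err = xfrm_policy_flush(sock_net(sk), XFRM_POLICY_TYPE_MAIN, &audit_info);`, presumably the intended end state of this series. If the remaining callers are deliberately left on `&init_net` until the socket side is converted, that should be marked, e.g. `/* TODO(netns): use sock_net(sk) once af_key is per-namespace */`, so the temporary cross-namespace reach is not forgotten. The body of pfkey_spdflush starts before this hunk, so I cannot tell whether `sk` is dereferenced elsewhere in it.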
...@@ -732,7 +732,7 @@ EXPORT_SYMBOL(xfrm_policy_byid); ...@@ -732,7 +732,7 @@ EXPORT_SYMBOL(xfrm_policy_byid);
#ifdef CONFIG_SECURITY_NETWORK_XFRM #ifdef CONFIG_SECURITY_NETWORK_XFRM
static inline int static inline int
xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info)
{ {
int dir, err = 0; int dir, err = 0;
...@@ -742,7 +742,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) ...@@ -742,7 +742,7 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
int i; int i;
hlist_for_each_entry(pol, entry, hlist_for_each_entry(pol, entry,
&init_net.xfrm.policy_inexact[dir], bydst) { &net->xfrm.policy_inexact[dir], bydst) {
if (pol->type != type) if (pol->type != type)
continue; continue;
err = security_xfrm_policy_delete(pol->security); err = security_xfrm_policy_delete(pol->security);
...@@ -754,9 +754,9 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) ...@@ -754,9 +754,9 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
return err; return err;
} }
} }
for (i = init_net.xfrm.policy_bydst[dir].hmask; i >= 0; i--) { for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
hlist_for_each_entry(pol, entry, hlist_for_each_entry(pol, entry,
init_net.xfrm.policy_bydst[dir].table + i, net->xfrm.policy_bydst[dir].table + i,
bydst) { bydst) {
if (pol->type != type) if (pol->type != type)
continue; continue;
...@@ -776,19 +776,19 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) ...@@ -776,19 +776,19 @@ xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info)
} }
#else #else
static inline int static inline int
xfrm_policy_flush_secctx_check(u8 type, struct xfrm_audit *audit_info) xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audit_info)
{ {
return 0; return 0;
} }
#endif #endif
int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
{ {
int dir, err = 0; int dir, err = 0;
write_lock_bh(&xfrm_policy_lock); write_lock_bh(&xfrm_policy_lock);
err = xfrm_policy_flush_secctx_check(type, audit_info); err = xfrm_policy_flush_secctx_check(net, type, audit_info);
if (err) if (err)
goto out; goto out;
...@@ -800,7 +800,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) ...@@ -800,7 +800,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
killed = 0; killed = 0;
again1: again1:
hlist_for_each_entry(pol, entry, hlist_for_each_entry(pol, entry,
&init_net.xfrm.policy_inexact[dir], bydst) { &net->xfrm.policy_inexact[dir], bydst) {
if (pol->type != type) if (pol->type != type)
continue; continue;
hlist_del(&pol->bydst); hlist_del(&pol->bydst);
...@@ -818,10 +818,10 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) ...@@ -818,10 +818,10 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
goto again1; goto again1;
} }
for (i = init_net.xfrm.policy_bydst[dir].hmask; i >= 0; i--) { for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) {
again2: again2:
hlist_for_each_entry(pol, entry, hlist_for_each_entry(pol, entry,
init_net.xfrm.policy_bydst[dir].table + i, net->xfrm.policy_bydst[dir].table + i,
bydst) { bydst) {
if (pol->type != type) if (pol->type != type)
continue; continue;
...@@ -842,7 +842,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info) ...@@ -842,7 +842,7 @@ int xfrm_policy_flush(u8 type, struct xfrm_audit *audit_info)
} }
} }
init_net.xfrm.policy_count[dir] -= killed; net->xfrm.policy_count[dir] -= killed;
} }
atomic_inc(&flow_cache_genid); atomic_inc(&flow_cache_genid);
out: out:
......
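Review bot: xfrm_policy_flush now takes a `net` but has no comment stating its contract, which matters because the function is security-sensitive: under `xfrm_policy_lock` it first runs `security_xfrm_policy_delete()` over every policy of the requested type in that namespace (xfrm_policy_flush_secctx_check) and only then unlinks anything, so a single LSM refusal aborts the whole flush with nothing removed. I would add a kernel-doc block above the definition saying that it flushes only the policies of `net` with the given `type`, that the LSM check is all-or-nothing, that it must not be called with a NULL `net`, and that `audit_info` is forwarded to the per-policy audit records. Note also that `flow_cache_genid` (incremented after the loops) and `xfrm_policy_lock` are still global here, so flushing one namespace's SPD appears to invalidate cached flow lookups for every namespace; if that is intentional during the transition, a one-line comment at the `atomic_inc()` would save the next reader from assuming it is a leak of state across namespaces. The `#else` stub of xfrm_policy_flush_secctx_check ignores `net`, which is fine, but the parameter name could be kept consistent with the real version as it already is.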
...@@ -1546,7 +1546,7 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, ...@@ -1546,7 +1546,7 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
audit_info.loginuid = NETLINK_CB(skb).loginuid; audit_info.loginuid = NETLINK_CB(skb).loginuid;
audit_info.sessionid = NETLINK_CB(skb).sessionid; audit_info.sessionid = NETLINK_CB(skb).sessionid;
audit_info.secid = NETLINK_CB(skb).sid; audit_info.secid = NETLINK_CB(skb).sid;
err = xfrm_policy_flush(type, &audit_info); err = xfrm_policy_flush(&init_net, type, &audit_info);
if (err) if (err)
return err; return err;
c.data.type = type; c.data.type = type;
......
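Review bot: As in the PF_KEY path, `xfrm_policy_flush(&init_net, type, &audit_info)` in xfrm_flush_policy pins the flush to the initial namespace even though the audit fields on the lines above are already taken from the requesting socket's `NETLINK_CB(skb)`; if NETLINK_XFRM sockets become per-namespace, a XFRM_MSG_FLUSHPOLICY from a container would flush the host's SPD and be audited as the container user. The namespace-correct call is `err = xfrm_policy_flush(sock_net(skb->sk), type, &audit_info);`. If this is intentionally deferred to a later patch, a `/* TODO(netns): sock_net(skb->sk) */` marker here would document that. The enclosing function starts before this hunk, so any existing local `net` variable is not visible from here.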