| author | Nathan Harold <nharold@google.com> | 2018-03-16 20:13:03 -0700 |
|---|---|---|
| committer | Nathan Harold <nharold@google.com> | 2018-04-26 16:12:19 -0700 |
| commit | 21299f760a5d9e3ef88b68503b82ba9107b1de31 (patch) | |
| tree | ad241c5c5b18eaf7486a42e2361621a2483d2648 /server/XfrmController.cpp | |
| parent | 172f8e4b7aef86b4727f6c8336b7c9ecdf981da2 (diff) | |
| download | platform_system_netd-21299f760a5d9e3ef88b68503b82ba9107b1de31.tar.gz platform_system_netd-21299f760a5d9e3ef88b68503b82ba9107b1de31.tar.bz2 platform_system_netd-21299f760a5d9e3ef88b68503b82ba9107b1de31.zip | |
Add Functions to flush SADB, Policy DB, and Ifaces
-Add ipSecFlushState() which flushes the kernel's
SA DB and Policy DB.
-Add ipSecFlushInterfaces() which seeks and removes
any interfaces that have the prefix 'ipsec'
-Automatically call these functions when netd restarts
-Make XfrmController's methods static
-Add integration tests to verify flushing of policy
states, and interfaces
-Convert XfrmController functions to static for easier
test-ability
Bug: 74560705
Test: runtest ...netd_integration_test.cpp
Merged-In: Id60e7c29ff9aeee7f5ccd505b86c94cce858745f
Change-Id: Id60e7c29ff9aeee7f5ccd505b86c94cce858745f
(cherry picked from commit f5646cde551de44ba10b61c2d5cecb414847d454)
Diffstat (limited to 'server/XfrmController.cpp')
| -rw-r--r-- | server/XfrmController.cpp | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/server/XfrmController.cpp b/server/XfrmController.cpp
index 16af043ae..031777912 100644
--- a/server/XfrmController.cpp
+++ b/server/XfrmController.cpp
@@ -39,6 +39,7 @@
 #include <sys/wait.h>
 #include <linux/in.h>
+#include <linux/ipsec.h>
 #include <linux/netlink.h>
 #include <linux/xfrm.h>
@@ -47,6 +48,7 @@
 #include "android-base/unique_fd.h"
 #include <log/log_properties.h>
 #define LOG_TAG "XfrmController"
+#include "InterfaceController.h"
 #include "NetdConstants.h"
 #include "NetlinkCommands.h"
 #include "ResponseCode.h"
@@ -83,6 +85,9 @@
 constexpr uint32_t RAND_SPI_MAX = 0xFFFFFFFE;
 constexpr uint32_t INVALID_SPI = 0;
+// Must match TUNNEL_INTERFACE_PREFIX in IpSecService.java
+constexpr char const* TUNNEL_INTERFACE_PREFIX = "ipsec";
+
 #define XFRM_MSG_TRANS(x) \
     case x: \
         return #x;
@@ -370,6 +375,45 @@ private:
 //
 XfrmController::XfrmController(void) {}
+netdutils::Status XfrmController::Init() {
+    RETURN_IF_NOT_OK(flushInterfaces());
+    XfrmSocketImpl sock;
+    RETURN_IF_NOT_OK(sock.open());
+    RETURN_IF_NOT_OK(flushSaDb(sock));
+    return flushPolicyDb(sock);
+}
+
+netdutils::Status XfrmController::flushInterfaces() {
+    const auto& ifaces = InterfaceController::getIfaceNames();
+    RETURN_IF_NOT_OK(ifaces);
+
+    for (const std::string& iface : ifaces.value()) {
+        int status = 0;
+        // Look for the reserved interface prefix, which must be in the name at position 0
+        if (iface.find(TUNNEL_INTERFACE_PREFIX) == 0 &&
+            (status = removeVirtualTunnelInterface(iface)) < 0) {
+            ALOGE("Failed to delete ipsec tunnel %s.", iface.c_str());
+            return netdutils::statusFromErrno(status, "Failed to remove ipsec tunnel.");
+        }
+    }
+    return netdutils::status::ok;
+}
+
+netdutils::Status XfrmController::flushSaDb(const XfrmSocket& s) {
+    struct xfrm_usersa_flush flushUserSa = {.proto = IPSEC_PROTO_ANY};
+
+    std::vector<iovec> iov = {{NULL, 0}, // reserved for the eventual addition of a NLMSG_HDR
+                              {&flushUserSa, sizeof(flushUserSa)}, // xfrm_usersa_flush structure
+                              {kPadBytes, NLMSG_ALIGN(sizeof(flushUserSa)) - sizeof(flushUserSa)}};
+
+    return s.sendMessage(XFRM_MSG_FLUSHSA, NETLINK_REQUEST_FLAGS, 0, &iov);
+}
+
+netdutils::Status XfrmController::flushPolicyDb(const XfrmSocket& s) {
+    std::vector<iovec> iov = {{NULL, 0}}; // reserved for the eventual addition of a NLMSG_HDR
+    return s.sendMessage(XFRM_MSG_FLUSHPOLICY, NETLINK_REQUEST_FLAGS, 0, &iov);
+}
+
 netdutils::Status XfrmController::ipSecSetEncapSocketOwner(const android::base::unique_fd& socket,
                                                            int newUid, uid_t callerUid) {
     ALOGD("XfrmController:%s, line=%d", __FUNCTION__, __LINE__);
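Review bot: A single interface that cannot be removed makes Init() return at `RETURN_IF_NOT_OK(flushInterfaces());` before the SA and policy databases are touched, so one stale `ipsec*` interface leaves every stale SA and policy from the previous netd instance in the kernel, which is the state this commit sets out to clear. Unless the interface flush must precede the database flushes for a reason not visible here, Init() should still attempt flushSaDb()/flushPolicyDb() and report the interface failure afterwards. Separately, flushInterfaces() tests `removeVirtualTunnelInterface(iface) < 0` and then passes that negative value to `netdutils::statusFromErrno(status, ...)`; if removeVirtualTunnelInterface (defined outside the hunk) returns a negated errno, the Status code should be `-status` so it carries a positive errno like the rest of netdutils.
```cpp
netdutils::Status XfrmController::Init() {
    // Attempt all three flushes; an interface that cannot be removed must not
    // leave stale SAs and policies from the previous netd instance in place.
    const netdutils::Status ifaceStatus = flushInterfaces();
    XfrmSocketImpl sock;
    RETURN_IF_NOT_OK(sock.open());
    RETURN_IF_NOT_OK(flushSaDb(sock));
    RETURN_IF_NOT_OK(flushPolicyDb(sock));
    return ifaceStatus;
}
// … unchanged: flushInterfaces, flushSaDb, flushPolicyDb …
```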
