[PATCH 00/18] xfrm: Add compat layer
Andy Lutomirski
luto at amacapital.net
Fri Jul 27 17:09:50 UTC 2018
> On Jul 27, 2018, at 9:48 AM, Nathan Harold <nharold at google.com> wrote:
>
> We (Android) are very interested in removing the restriction for 32-bit userspace processes accessing xfrm netlink on 64-bit kernels. IPsec support is required to pass Android conformance tests, and any manufacturer wishing to ship 32-bit userspace with a recent kernel needs out-of-tree changes (removing the compat_task check) to do so.
>
> That said, it’s not difficult to work around alignment issues directly in userspace, so maybe we could just remove the check and make this the caller's responsibility? Here’s an example of the workaround currently in the Android tree:
> https://android.googlesource.com/platform/system/netd/+/refs/heads/master/server/XfrmController.h#257
>
> We could also employ a (relatively simple) solution such as the one above in the uapi XFRM header itself, though it would require a caller to declare the target kernel ABI at compile time. Maybe that’s not unthinkable for an uncommon case?
>
Could there just be an XFRM2 that is entirely identical to XFRM for 64-bit userspace but makes the 32-bit structures match? If there are a grand total of two or so userspace implementations, that should cover most use cases. L
> -Nathan
>
>
>> On Fri, Jul 27, 2018 at 7:51 AM, Dmitry Safonov <dima at arista.com> wrote:
>> On Fri, 2018-07-27 at 16:19 +0200, Florian Westphal wrote:
>> > Dmitry Safonov <dima at arista.com> wrote:
>> > > 1. It will double copy netlink messages, making it O(n) instead of
>> > > O(1), where n - is number of bind()s.. Probably we don't care much.
>> >
>> > About those bind() patches, I don't understand why they are needed.
>> >
>> > Why can't you just add the compat skb to the native skb when doing
>> > the multicast call?
>> >
>> > skb_shinfo(skb)->frag_list = compat_skb;
>> > xfrm_nlmsg_multicast(net, skb, 0, ...
>>
>> Oh yeah, sorry, I think I misread the patch - will try to add compat
>> skb in the multicast call.
>>
>> --
>> Thanks,
>> Dmitry
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20180727/62f1409d/attachment.htm>
More information about the Linux-audit
mailing list