Re: [PATCH] Crypto_user: Make crypto user API available for all net ns

2017-07-13 Thread Steffen Klassert 
On Thu, Jul 13, 2017 at 04:51:10PM +0200, Stephan Müller wrote:
> Am Donnerstag, 13. Juli 2017, 16:22:32 CEST schrieb Christian Langrock:
> 
> Hi Christian,
> 
> > With this patch it's possible to use crypto user API form all
> > network namespaces, not only form the initial net ns.
> 
> Is this wise?
> 
> The crypto_user interface allows root users to change settings in the kernel 
> with a global scope. For example, you can deregister ciphers, change the prio 
> of ciphers and so on. All of that is visible on a global scale and thus 
> should 
> not be possible from namespaces, IMHO.

It is possible to use crypto from all namespaces, so would be nice if
it would be possible to choose which algorithm to use. The problem is that
you can change the global crypto configuration from within a namespace
with this. Maybe crypto_alg_list etc. should be namespace aware first,
then each namespace can have its own configuration.

Re: [PATCH] Crypto_user: Make crypto user API available for all net ns

2017-07-13 Thread Stephan Müller 
Am Donnerstag, 13. Juli 2017, 16:22:32 CEST schrieb Christian Langrock:

Hi Christian,

> With this patch it's possible to use crypto user API form all
> network namespaces, not only form the initial net ns.

Is this wise?

The crypto_user interface allows root users to change settings in the kernel 
with a global scope. For example, you can deregister ciphers, change the prio 
of ciphers and so on. All of that is visible on a global scale and thus should 
not be possible from namespaces, IMHO.

Ciao
Stephan

[PATCH] Crypto_user: Make crypto user API available for all net ns

2017-07-13 Thread Christian Langrock 
With this patch it's possible to use crypto user API form all
network namespaces, not only form the initial net ns.

Signed-off-by: Christian Langrock 
---
 crypto/crypto_user.c| 39 ++-
 include/net/net_namespace.h |  1 +
 2 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
index 0dbe2be7..359ec2f 100644
--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -23,7 +23,7 @@
 #include 
 #include 
 #include 
-#include 
+#include 
 #include 
 #include 
 #include 
@@ -36,9 +36,6 @@
 
 static DEFINE_MUTEX(crypto_cfg_mutex);
 
-/* The crypto netlink socket */
-static struct sock *crypto_nlsk;
-
 struct crypto_dump_info {
 struct sk_buff *in_skb;
 struct sk_buff *out_skb;
@@ -257,6 +254,7 @@ static int crypto_report_alg(struct crypto_alg *alg,
 static int crypto_report(struct sk_buff *in_skb, struct nlmsghdr *in_nlh,
  struct nlattr **attrs)
 {
+struct net *net = sock_net(in_skb->sk);
 struct crypto_user_alg *p = nlmsg_data(in_nlh);
 struct crypto_alg *alg;
 struct sk_buff *skb;
@@ -288,7 +286,7 @@ static int crypto_report(struct sk_buff *in_skb,
struct nlmsghdr *in_nlh,
 if (err)
 return err;
 
-return nlmsg_unicast(crypto_nlsk, skb, NETLINK_CB(in_skb).portid);
+return nlmsg_unicast(net->crypto_nlsk, skb, NETLINK_CB(in_skb).portid);
 }
 
 static int crypto_dump_report(struct sk_buff *skb, struct
netlink_callback *cb)
@@ -486,6 +484,7 @@ static const struct crypto_link {
 static int crypto_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
struct netlink_ext_ack *extack)
 {
+struct net *net = sock_net(skb->sk);
 struct nlattr *attrs[CRYPTOCFGA_MAX+1];
 const struct crypto_link *link;
 int type, err;
@@ -515,7 +514,7 @@ static int crypto_user_rcv_msg(struct sk_buff *skb,
struct nlmsghdr *nlh,
 .done = link->done,
 .min_dump_alloc = dump_alloc,
 };
-err = netlink_dump_start(crypto_nlsk, skb, nlh, );
+err = netlink_dump_start(net->crypto_nlsk, skb, nlh, );
 }
 up_read(_alg_sem);
 
@@ -540,22 +539,44 @@ static void crypto_netlink_rcv(struct sk_buff *skb)
 mutex_unlock(_cfg_mutex);
 }
 
-static int __init crypto_user_init(void)
+static int __net_init crypto_user_net_init(struct net *net)
 {
+struct sock *crypto_nlsk;
 struct netlink_kernel_cfg cfg = {
 .input= crypto_netlink_rcv,
 };
 
-crypto_nlsk = netlink_kernel_create(_net, NETLINK_CRYPTO, );
+crypto_nlsk = netlink_kernel_create(net, NETLINK_CRYPTO, );
 if (!crypto_nlsk)
 return -ENOMEM;
 
+net->crypto_nlsk = crypto_nlsk;
+
+return 0;
+}
+
+static void __net_exit crypto_user_net_exit(struct net *net)
+{
+netlink_kernel_release(net->crypto_nlsk);
+net->crypto_nlsk = NULL;
+}
+
+static struct pernet_operations crypto_user_net_ops = {
+.init = crypto_user_net_init,
+.exit = crypto_user_net_exit,
+};
+
+
+static int __init crypto_user_init(void)
+{
+if (register_pernet_subsys(_user_net_ops))
+panic("crypto_user_init: cannot initialize crypto_user\n");
 return 0;
 }
 
 static void __exit crypto_user_exit(void)
 {
-netlink_kernel_release(crypto_nlsk);
+unregister_pernet_subsys(_user_net_ops);
 }
 
 module_init(crypto_user_init);
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 31a2b51..d5d831d 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -148,6 +148,7 @@ struct net {
 #endif
 struct sock*diag_nlsk;
 atomic_tfnhe_genid;
+struct sock*crypto_nlsk;
 };
 
 #include 
-- 
2.7.4




0x82EB6B5E.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature