Check xfrm state to delete embryonic SA

3 VtsKernelNetTest test cases fail on a platform where an IPsec key manager
is running. They are testSocketPolicyIPv4, testSocketPolicyIPv6 and
testSocketPolicyMapped. These 3 cases fail because CreateNewSa returns
EEXIST when test cases call CreateNewSa() to send netlink message of adding
xfrm state info to kernel.

Take testSocketPolicyIPv4 as an example, normal flow is as below.
udp send dns query -> apply socket policy ->
assertRaisesErrno(EAGAIN, s.sendto, ...) -> CreateNewSa() ->
Send encrypted dns query

When it calls sendto after applying socket policy, kernel will call
xfrm_state_find() to check if policy and state match. If there is an
xfrm netlink message listener, kernel will allocate xfrm state.
Therefore, when CreateNewSa() tries to create a new xfrm state, kernel
returns EEXIST. On a platform where an IPsec key manager is running,
there is a daemon which listens to xfrm policy message. We suggest that we
can delete embryonic SA before creating a new SA when there is an existing
user space key manager. Without existing user space key manager, test case
still creates a new SA. In both conditions, EAGAIN will be returned after
calling sendto().

Bug: 112518266
Test: VtsKernelNetTest can pass
Change-Id: Id461b6c06884ff3e3464cd80dcf091f7da28f418
1 file changed
tree: b9a48d92dd426f2d3a1ca536b592236981d8f48b