Add support for removing IPsec Transforms from Sockets
This patch adds support for removing per-socket IPsec security policies.
This change relies on new Linux kernel support for clearing socket
policies via the IP_XFRM_POLICY sockopt.
Bug: 65688605
Test: runtest -x server/netd_unit_test.cpp
Change-Id: I7ce8ae6c6475a2e030966376fc3184efb76f2465
diff --git a/server/XfrmController.cpp b/server/XfrmController.cpp
index 24ccee4..b222325 100644
--- a/server/XfrmController.cpp
+++ b/server/XfrmController.cpp
@@ -653,8 +653,37 @@
netdutils::Status
XfrmController::ipSecRemoveTransportModeTransform(const android::base::unique_fd& socket) {
- (void)socket;
- return netdutils::status::ok;
+ ALOGD("XfrmController::%s, line=%d", __FUNCTION__, __LINE__);
+
+ StatusOr<sockaddr_storage> ret = getSyscallInstance().getsockname<sockaddr_storage>(Fd(socket));
+ if (!isOk(ret)) {
+ ALOGE("Failed to get socket info in %s! (%s)", __FUNCTION__, toString(ret).c_str());
+ return ret;
+ }
+
+ int sockOpt, sockLayer;
+ switch (ret.value().ss_family) {
+ case AF_INET:
+ sockOpt = IP_XFRM_POLICY;
+ sockLayer = SOL_IP;
+ break;
+ case AF_INET6:
+ sockOpt = IPV6_XFRM_POLICY;
+ sockLayer = SOL_IPV6;
+ break;
+ default:
+ return netdutils::statusFromErrno(EAFNOSUPPORT, "Invalid address family");
+ }
+
+ // Kernel will delete the security policy on this socket for both direction
+ // if optval is set to NULL and optlen is set to 0.
+ netdutils::Status status =
+ getSyscallInstance().setsockopt(Fd(socket), sockLayer, sockOpt, NULL, 0);
+ if (!isOk(status)) {
+ ALOGE("Error removing socket option for XFRM! (%s)", toString(status).c_str());
+ }
+
+ return status;
}
void XfrmController::fillTransportModeSelector(const XfrmSaInfo& record, xfrm_selector* selector) {
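Review bot: The setsockopt call at the end of the new body depends on kernel support for clearing the policy with a NULL optval and zero optlen, which the commit message itself describes as new; on a kernel without it the call presumably fails (older xfrm_user_policy rejects a zero optlen), and because the replaced stub returned ok unconditionally, callers now get a hard failure where they previously saw success. The comment above the call should record that dependency and the fail-closed consequence so nobody treats a returned error as "policy already gone", e.g. `// Requires kernel support for clearing via optval=NULL/optlen=0; on older kernels the call fails and the policy stays attached to the socket.` Minor style: prefer `nullptr` over `NULL` in the setsockopt argument list. The enclosing function is fully contained in this hunk.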