Re: [PATCH 00/18] xfrm: Add compat layer

[Andy Lutomirski]

On Jul 27, 2018, at 9:48 AM, Nathan Harold <nharold@xxxxxxxxxx> wrote:

We (Android) are very interested in removing the restriction for 32-bit userspace processes accessing xfrm netlink on 64-bit kernels. IPsec support is required to pass Android conformance tests, and any manufacturer wishing to ship 32-bit userspace with a recent kernel needs out-of-tree changes (removing the compat_task check) to do so.

That said, itâs not difficult to work around alignment issues directly in userspace, so maybe we could just remove the check and make this the caller's responsibility? Hereâs an example of the workaround currently in the Android tree:

https://android.googlesource.com/platform/system/netd/+/refs/heads/master/server/XfrmController.h#257

We could also employ a (relatively simple) solution such as the one above in the uapi XFRM header itself, though it would require a caller to declare the target kernel ABI at compile time. Maybe thatâs not unthinkable for an uncommon case?

Could there just be an XFRM2 that is entirely identical to XFRM for 64-bit userspace but makes the 32-bit structures match?  If there are a grand total of two or so userspace implementations, that should cover most use cases. L

-Nathan

On Fri, Jul 27, 2018 at 7:51 AM, Dmitry Safonov <dima@xxxxxxxxxx> wrote:

On Fri, 2018-07-27 at 16:19 +0200, Florian Westphal wrote:
> Dmitry Safonov <dima@xxxxxxxxxx> wrote:
> > 1. It will double copy netlink messages, making it O(n) instead of
> > O(1), where n - is number of bind()s.. Probably we don't care much.
>
> About those bind() patches, I don't understand why they are needed.
>
> Why can't you just add the compat skb to the native skb when doing
> the multicast call?
>
> skb_shinfo(skb)->frag_list = compat_skb;
> xfrm_nlmsg_multicast(net, skb, 0, ...

Oh yeah, sorry, I think I misread the patch - will try to add compat
skb in the multicast call.

--
Thanks,
             Dmitry