1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
|
# Copyright 2017 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
# AF_NETLINK/NETLINK_XFRM support.
include <linux/net.h>
include <uapi/linux/netlink.h>
include <uapi/linux/in.h>
include <uapi/linux/xfrm.h>
include <uapi/linux/ipsec.h>
resource sock_nl_xfrm[sock_netlink]
type xfrm_req_id int32[13567:13575, opt]
type xfrm_policy_index int32[7236528:7236544, opt]
type xfrm_spi int32be[1234:1238]
# Note: executor sets up xfrm0 device with XFRM_IF_ID=1.
type xfrm_if_id int32[1:4]
socket$nl_xfrm(domain const[AF_NETLINK], type const[SOCK_RAW], proto const[NETLINK_XFRM]) sock_nl_xfrm
sendmsg$nl_xfrm(fd sock_nl_xfrm, msg ptr[in, msghdr_nl_xfrm], f flags[send_flags])
type msghdr_nl_xfrm msghdr_netlink[netlink_msg_xfrm]
netlink_msg_xfrm [
newsa netlink_msg[XFRM_MSG_NEWSA, xfrm_usersa_info, xfrma_policy]
updsa netlink_msg[XFRM_MSG_UPDSA, xfrm_usersa_info, xfrma_policy]
delsa netlink_msg[XFRM_MSG_DELSA, xfrm_usersa_id, xfrma_policy]
getsa netlink_msg[XFRM_MSG_GETSA, xfrm_usersa_id, xfrma_policy]
newpolicy netlink_msg[XFRM_MSG_NEWPOLICY, xfrm_userpolicy_info, xfrma_policy]
updpolicy netlink_msg[XFRM_MSG_UPDPOLICY, xfrm_userpolicy_info, xfrma_policy]
delpolicy netlink_msg[XFRM_MSG_DELPOLICY, xfrm_userpolicy_id, xfrma_policy]
getpolicy netlink_msg[XFRM_MSG_GETPOLICY, xfrm_userpolicy_id, xfrma_policy]
migrate netlink_msg[XFRM_MSG_MIGRATE, xfrm_userpolicy_id, xfrma_policy]
allocspi netlink_msg[XFRM_MSG_ALLOCSPI, xfrm_userspi_info, xfrma_policy]
acquire netlink_msg[XFRM_MSG_ACQUIRE, xfrm_user_acquire, xfrma_policy]
expire netlink_msg[XFRM_MSG_EXPIRE, xfrm_user_expire, xfrma_policy]
polexpire netlink_msg[XFRM_MSG_POLEXPIRE, xfrm_user_polexpire, xfrma_policy]
flushsa netlink_msg[XFRM_MSG_FLUSHSA, xfrm_usersa_flush, xfrma_policy]
report netlink_msg[XFRM_MSG_REPORT, xfrm_user_report, xfrma_policy]
flushpolicy netlink_msg[XFRM_MSG_FLUSHPOLICY, void, xfrma_policy]
newae netlink_msg[XFRM_MSG_NEWAE, xfrm_aevent_id, xfrma_policy]
getae netlink_msg[XFRM_MSG_GETAE, xfrm_aevent_id, xfrma_policy]
getsadinfo netlink_msg[XFRM_MSG_GETSADINFO, const[0, int32], xfrma_policy]
newspdinfo netlink_msg[XFRM_MSG_NEWSPDINFO, int32, xfrma_spd_policy]
getspdinfo netlink_msg[XFRM_MSG_GETSPDINFO, int32, void]
] [varlen]
xfrm_usersa_info {
sel xfrm_selector
id xfrm_id
saddr xfrm_address_t
lft xfrm_lifetime_cfg
curlft xfrm_lifetime_cur
stats xfrm_stats
seq netlink_seq
reqid xfrm_req_id
family flags[xfrm_family, int16]
mode flags[xfrm_mode, int8]
replay_window int8
flags flags[xfrm_state, int8]
}
xfrm_usersa_id {
daddr xfrm_address_t
spi xfrm_spi
family flags[xfrm_family, int16]
proto flags[xfrm_proto, int8]
}
xfrm_userpolicy_id {
sel xfrm_selector
index xfrm_policy_index
dir flags[xfrm_policy_dir, int8]
}
xfrm_userspi_info {
info xfrm_usersa_info
min int32
max int32
}
xfrm_user_acquire {
id xfrm_id
saddr xfrm_address_t
sel xfrm_selector
policy xfrm_userpolicy_info
aalgos int32
ealgos int32
calgo int32
seq netlink_seq
}
xfrm_user_expire {
state xfrm_usersa_info
hard int8
}
xfrm_user_polexpire {
pol xfrm_userpolicy_info
hard int8
}
xfrm_usersa_flush {
proto flags[xfrm_proto, int8]
}
xfrm_user_report {
proto flags[xfrm_proto, int8]
sel xfrm_selector
}
xfrm_aevent_id {
sa_id xfrm_usersa_id
saddr xfrm_address_t
flags int32
reqid xfrm_req_id
}
xfrma_policy [
sa nlattr[XFRMA_SA, xfrm_usersa_info]
policy nlattr[XFRMA_POLICY, xfrm_userpolicy_info]
lastused nlattr[XFRMA_LASTUSED, int64]
algo_auth_trunc nlattr[XFRMA_ALG_AUTH_TRUNC, xfrm_algo_auth]
algo_aead nlattr[XFRMA_ALG_AEAD, xfrm_algo_aead]
algo_auth nlattr[XFRMA_ALG_AUTH, xfrm_algo_hash]
algo_crypt nlattr[XFRMA_ALG_CRYPT, xfrm_algo_skcipher]
algo_comp nlattr[XFRMA_ALG_COMP, xfrm_algo_compress]
srcaddr nlattr[XFRMA_SRCADDR, xfrm_address_t]
coaddr nlattr[XFRMA_COADDR, xfrm_address_t]
extra_flags nlattr[XFRMA_SA_EXTRA_FLAGS, int32]
tfcpad nlattr[XFRMA_TFCPAD, int32]
replay_thresh nlattr[XFRMA_REPLAY_THRESH, int32]
etimer_thresh nlattr[XFRMA_ETIMER_THRESH, int32]
encap nlattr[XFRMA_ENCAP, xfrm_encap_tmpl]
offload nlattr[XFRMA_OFFLOAD_DEV, xfrm_user_offload]
sec_ctx nlattr[XFRMA_SEC_CTX, xfrm_user_sec_ctx]
lifetime_val nlattr[XFRMA_LTIME_VAL, xfrm_lifetime_cur]
tmpl nlattr[XFRMA_TMPL, array[xfrm_user_tmpl, 1:XFRM_MAX_DEPTH]]
replay_val nlattr[XFRMA_REPLAY_VAL, xfrm_replay_state]
replay_esn_val nlattr[XFRMA_REPLAY_ESN_VAL, xfrm_replay_state_esn]
policy_type nlattr[XFRMA_POLICY_TYPE, xfrm_userpolicy_type]
migrate nlattr[XFRMA_MIGRATE, array[xfrm_user_migrate, 1:XFRM_MAX_DEPTH]]
user_kmaddress nlattr[XFRMA_KMADDRESS, xfrm_user_kmaddress]
mark nlattr[XFRMA_MARK, xfrm_mark]
proto nlattr[XFRMA_PROTO, flags[xfrm_proto, int8]]
address_filter nlattr[XFRMA_ADDRESS_FILTER, xfrm_address_filter]
XFRMA_SET_MARK nlattr[XFRMA_SET_MARK, int32]
XFRMA_SET_MARK_MASK nlattr[XFRMA_SET_MARK_MASK, int32]
XFRMA_IF_ID nlattr[XFRMA_IF_ID, xfrm_if_id]
] [varlen]
define XFRM_MAX_DEPTH 6
xfrma_spd_policy [
XFRMA_SPD_IPV4_HTHRESH nlattr[XFRMA_SPD_IPV4_HTHRESH, xfrmu_spdhthresh[32]]
XFRMA_SPD_IPV6_HTHRESH nlattr[XFRMA_SPD_IPV6_HTHRESH, xfrmu_spdhthresh[128]]
] [varlen]
xfrm_encap_tmpl {
encap_type flags[xfrm_encap_type, int16]
encap_sport sock_port
encap_dport sock_port
encap_oa xfrm_address_t
}
xfrm_user_offload {
ifindex ifindex[opt]
flags flags[xfrm_offload_flags, int8]
}
xfrm_offload_flags = XFRM_OFFLOAD_IPV6, XFRM_OFFLOAD_INBOUND
xfrm_user_sec_ctx {
len len[parent, int16]
exttype const[XFRMA_SEC_CTX, int16]
ctx_alg flags[xfrm_sec_ctx_alg, int8]
ctx_doi int8
ctx_len len[payload, int16]
# TODO: what's this? looks intersting.
payload array[int8]
}
xfrm_sec_ctx_alg = XFRM_SC_ALG_SELINUX
xfrm_replay_state {
oseq netlink_seq
seq netlink_seq
bitmap int32
}
xfrm_replay_state_esn {
bmp_len len[bmp, int32]
oseq netlink_seq
seq netlink_seq
oseq_hi netlink_seq
seq_hi netlink_seq
replay_window int32
bmp array[int32]
}
xfrm_userpolicy_type {
type flags[xfrm_policy_types, int8]
reserved1 const[0, int16]
reserved2 const[0, int8]
}
xfrm_user_migrate {
old_daddr xfrm_address_t
old_saddr xfrm_address_t
new_daddr xfrm_address_t
new_saddr xfrm_address_t
proto flags[xfrm_proto, int8]
mode flags[xfrm_mode, int8]
reserved const[0, int16]
reqid xfrm_req_id
old_family flags[xfrm_family, int16]
new_family flags[xfrm_family, int16]
}
xfrm_user_kmaddress {
local xfrm_address_t
remote xfrm_address_t
reserved const[0, int32]
family flags[xfrm_family, int16]
}
xfrm_mark {
v int32[3475289:3475293]
m int32
}
xfrm_address_filter {
saddr xfrm_address_t
daddr xfrm_address_t
family flags[xfrm_family, int16]
splen int8
dplen int8
}
type xfrmu_spdhthresh[BOUND] {
lbits int8[0:BOUND]
rbits int8[0:BOUND]
}
xfrm_selector {
daddr xfrm_address_t
saddr xfrm_address_t
dport sock_port
dport_mask int16be[opt]
sport sock_port
sport_mask int16be[opt]
family flags[xfrm_family, int16]
prefixlen_d flags[xfrm_prefixlens, int8]
prefixlen_s flags[xfrm_prefixlens, int8]
proto flags[ipv6_types, int8]
ifindex ifindex[opt]
user uid
}
xfrm_lifetime_cfg {
soft_byte_limit int64
hard_byte_limit int64
soft_packet_limit int64
hard_packet_limit int64
soft_add_expires_seconds int64
hard_add_expires_seconds int64
soft_use_expires_seconds int64
hard_use_expires_seconds int64
}
xfrm_lifetime_cur {
bytes int64
packets int64
add_time int64
use_time int64
}
xfrm_stats {
replay_window int32
replay int32
integrity_failed int32
}
xfrm_algo_hash {
alg_name alg_hash_name
alg_key_len bitsize[alg_key, int32]
alg_key array[int8]
}
xfrm_algo_skcipher {
alg_name alg_skcipher_name
alg_key_len bitsize[alg_key, int32]
alg_key array[int8]
}
xfrm_algo_compress {
alg_name alg_compress_name
alg_key_len bitsize[alg_key, int32]
alg_key array[int8]
}
xfrm_algo_auth {
alg_name alg_hash_name
alg_key_len bitsize[alg_key, int32]
alg_icv_len flags[xfrm_algo_truncbits, int32]
alg_key array[int8]
}
xfrm_algo_aead {
alg_name alg_aead_name
alg_key_len bitsize[alg_key, int32]
alg_icv_len flags[xfrm_algo_truncbits, int32]
alg_key array[int8]
}
xfrm_algo_truncbits = 0, 64, 96, 128, 160, 192, 256, 384, 512
xfrm_id {
daddr xfrm_address_t
spi xfrm_spi
proto flags[xfrm_proto, int8]
}
xfrm_address_t [
in ipv4_addr
in6 ipv6_addr
]
xfrm_filter {
info xfrm_userpolicy_info
tmpl xfrm_user_tmpl
}
xfrm_userpolicy_info {
sel xfrm_selector
lft xfrm_lifetime_cfg
curlft xfrm_lifetime_cur
priority int32
index xfrm_policy_index
dir flags[xfrm_policy_dir, int8]
action flags[xfrm_policy_actions, int8]
flags flags[xfrm_policy_flags, int8]
share flags[xfrm_policy_shares, int8]
}
xfrm_user_tmpl {
id xfrm_id
family flags[xfrm_family, int16]
saddr xfrm_address_t
reqid xfrm_req_id
mode flags[xfrm_mode, int8]
share flags[xfrm_policy_shares, int8]
optional int8
aalgos int32
ealgos int32
calgos int32
}
xfrm_mode = XFRM_MODE_TRANSPORT, XFRM_MODE_TUNNEL, XFRM_MODE_ROUTEOPTIMIZATION, XFRM_MODE_IN_TRIGGER, XFRM_MODE_BEET
xfrm_state = XFRM_STATE_NOECN, XFRM_STATE_DECAP_DSCP, XFRM_STATE_NOPMTUDISC, XFRM_STATE_WILDRECV, XFRM_STATE_ICMP, XFRM_STATE_AF_UNSPEC, XFRM_STATE_ALIGN4, XFRM_STATE_ESN
xfrm_family = AF_INET, AF_INET6
xfrm_proto = IPPROTO_AH, IPPROTO_ESP, IPPROTO_COMP, IPPROTO_DSTOPTS, IPPROTO_ROUTING, IPSEC_PROTO_ANY
xfrm_policy_types = XFRM_POLICY_TYPE_MAIN, XFRM_POLICY_TYPE_SUB
xfrm_policy_actions = XFRM_POLICY_ALLOW, XFRM_POLICY_BLOCK
xfrm_policy_flags = XFRM_POLICY_LOCALOK, XFRM_POLICY_ICMP
xfrm_policy_shares = XFRM_SHARE_ANY, XFRM_SHARE_SESSION, XFRM_SHARE_USER, XFRM_SHARE_UNIQUE
xfrm_policy_dir = XFRM_POLICY_IN, XFRM_POLICY_OUT, XFRM_POLICY_FWD
xfrm_prefixlens = 32, 128
xfrm_encap_type = -3, -2, -1, 0, 1, 2, 3
|
