keys: Namespace keyring names
Keyring names are held in a single global list that any process can pick
from by means of keyctl_join_session_keyring (provided the keyring grants
Search permission). This isn't very container friendly, however.
Make the following changes:
(1) Make default session, process and thread keyring names begin with a
'.' instead of '_'.
(2) Keyrings whose names begin with a '.' aren't added to the list. Such
keyrings are system specials.
(3) Replace the global list with per-user_namespace lists. A keyring adds
its name to the list for the user_namespace that it is currently in.
(4) When a user_namespace is deleted, it just removes itself from the
keyring name list.
The global keyring_name_lock is retained for accessing the name lists.
This allows (4) to work.
This can be tested by:
# keyctl newring foo @s
995906392
# unshare -U
$ keyctl show
...
995906392 --alswrv 65534 65534 \_ keyring: foo
...
$ keyctl session foo
Joined session keyring: 935622349
As can be seen, a new session keyring was created.
The capability bit KEYCTL_CAPS1_NS_KEYRING_NAME is set if the kernel is
employing this feature.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Eric W. Biederman <ebiederm@xmission.com>
This commit is contained in:
David Howells
parent
dcf49dbc80
commit
b206f281d0
|
|
@ -361,6 +361,7 @@ extern void key_set_timeout(struct key *, unsigned);
|
|||
|
||||
extern key_ref_t lookup_user_key(key_serial_t id, unsigned long flags,
|
||||
key_perm_t perm);
|
||||
extern void key_free_user_ns(struct user_namespace *);
|
||||
|
||||
/*
|
||||
* The permissions required on a key that we're looking up.
|
||||
|
|
@ -434,6 +435,7 @@ extern void key_init(void);
|
|||
#define key_fsuid_changed(c) do { } while(0)
|
||||
#define key_fsgid_changed(c) do { } while(0)
|
||||
#define key_init() do { } while(0)
|
||||
#define key_free_user_ns(ns) do { } while(0)
|
||||
|
||||
#endif /* CONFIG_KEYS */
|
||||
#endif /* __KERNEL__ */
|
||||
|
|
|
|||
|
|
@ -64,6 +64,11 @@ struct user_namespace {
|
|||
struct ns_common ns;
|
||||
unsigned long flags;
|
||||
|
||||
#ifdef CONFIG_KEYS
|
||||
/* List of joinable keyrings in this namespace */
|
||||
struct list_head keyring_name_list;
|
||||
#endif
|
||||
|
||||
/* Register of per-UID persistent keyrings for this namespace */
|
||||
#ifdef CONFIG_PERSISTENT_KEYRINGS
|
||||
struct key *persistent_keyring_register;
|
||||
|
|
|
|||
|
|
@ -128,5 +128,6 @@ struct keyctl_pkey_params {
|
|||
#define KEYCTL_CAPS0_INVALIDATE 0x20 /* KEYCTL_INVALIDATE supported */
|
||||
#define KEYCTL_CAPS0_RESTRICT_KEYRING 0x40 /* KEYCTL_RESTRICT_KEYRING supported */
|
||||
#define KEYCTL_CAPS0_MOVE 0x80 /* KEYCTL_MOVE supported */
|
||||
#define KEYCTL_CAPS1_NS_KEYRING_NAME 0x01 /* Keyring names are per-user_namespace */
|
||||
|
||||
#endif /* _LINUX_KEYCTL_H */
|
||||
|
|
|
|||
|
|
@ -62,6 +62,9 @@ struct user_namespace init_user_ns = {
|
|||
.ns.ops = &userns_operations,
|
||||
#endif
|
||||
.flags = USERNS_INIT_FLAGS,
|
||||
#ifdef CONFIG_KEYS
|
||||
.keyring_name_list = LIST_HEAD_INIT(init_user_ns.keyring_name_list),
|
||||
#endif
|
||||
#ifdef CONFIG_PERSISTENT_KEYRINGS
|
||||
.persistent_keyring_register_sem =
|
||||
__RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem),
|
||||
|
|
|
|||
|
|
@ -133,6 +133,9 @@ int create_user_ns(struct cred *new)
|
|||
ns->flags = parent_ns->flags;
|
||||
mutex_unlock(&userns_state_mutex);
|
||||
|
||||
#ifdef CONFIG_KEYS
|
||||
INIT_LIST_HEAD(&ns->keyring_name_list);
|
||||
#endif
|
||||
#ifdef CONFIG_PERSISTENT_KEYRINGS
|
||||
init_rwsem(&ns->persistent_keyring_register_sem);
|
||||
#endif
|
||||
|
|
@ -196,9 +199,7 @@ static void free_user_ns(struct work_struct *work)
|
|||
kfree(ns->projid_map.reverse);
|
||||
}
|
||||
retire_userns_sysctls(ns);
|
||||
#ifdef CONFIG_PERSISTENT_KEYRINGS
|
||||
key_put(ns->persistent_keyring_register);
|
||||
#endif
|
||||
key_free_user_ns(ns);
|
||||
ns_free_inum(&ns->ns);
|
||||
kmem_cache_free(user_ns_cachep, ns);
|
||||
dec_user_namespaces(ucounts);
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@
|
|||
|
||||
#define KEY_MAX_DESC_SIZE 4096
|
||||
|
||||
static const unsigned char keyrings_capabilities[1] = {
|
||||
static const unsigned char keyrings_capabilities[2] = {
|
||||
[0] = (KEYCTL_CAPS0_CAPABILITIES |
|
||||
(IS_ENABLED(CONFIG_PERSISTENT_KEYRINGS) ? KEYCTL_CAPS0_PERSISTENT_KEYRINGS : 0) |
|
||||
(IS_ENABLED(CONFIG_KEY_DH_OPERATIONS) ? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) |
|
||||
|
|
@ -40,6 +40,7 @@ static const unsigned char keyrings_capabilities[1] = {
|
|||
KEYCTL_CAPS0_RESTRICT_KEYRING |
|
||||
KEYCTL_CAPS0_MOVE
|
||||
),
|
||||
[1] = (KEYCTL_CAPS1_NS_KEYRING_NAME),
|
||||
};
|
||||
|
||||
static int key_get_type_from_user(char *type,
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@
|
|||
#include <linux/security.h>
|
||||
#include <linux/seq_file.h>
|
||||
#include <linux/err.h>
|
||||
#include <linux/user_namespace.h>
|
||||
#include <keys/keyring-type.h>
|
||||
#include <keys/user-type.h>
|
||||
#include <linux/assoc_array_priv.h>
|
||||
|
|
@ -28,11 +29,6 @@
|
|||
*/
|
||||
#define KEYRING_SEARCH_MAX_DEPTH 6
|
||||
|
||||
/*
|
||||
* We keep all named keyrings in a hash to speed looking them up.
|
||||
*/
|
||||
#define KEYRING_NAME_HASH_SIZE (1 << 5)
|
||||
|
||||
/*
|
||||
* We mark pointers we pass to the associative array with bit 1 set if
|
||||
* they're keyrings and clear otherwise.
|
||||
|
|
@ -55,17 +51,20 @@ static inline void *keyring_key_to_ptr(struct key *key)
|
|||
return key;
|
||||
}
|
||||
|
||||
static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE];
|
||||
static DEFINE_RWLOCK(keyring_name_lock);
|
||||
|
||||
static inline unsigned keyring_hash(const char *desc)
|
||||
/*
|
||||
* Clean up the bits of user_namespace that belong to us.
|
||||
*/
|
||||
void key_free_user_ns(struct user_namespace *ns)
|
||||
{
|
||||
unsigned bucket = 0;
|
||||
write_lock(&keyring_name_lock);
|
||||
list_del_init(&ns->keyring_name_list);
|
||||
write_unlock(&keyring_name_lock);
|
||||
|
||||
for (; *desc; desc++)
|
||||
bucket += (unsigned char)*desc;
|
||||
|
||||
return bucket & (KEYRING_NAME_HASH_SIZE - 1);
|
||||
#ifdef CONFIG_PERSISTENT_KEYRINGS
|
||||
key_put(ns->persistent_keyring_register);
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
@ -104,23 +103,17 @@ static DEFINE_MUTEX(keyring_serialise_link_lock);
|
|||
|
||||
/*
|
||||
* Publish the name of a keyring so that it can be found by name (if it has
|
||||
* one).
|
||||
* one and it doesn't begin with a dot).
|
||||
*/
|
||||
static void keyring_publish_name(struct key *keyring)
|
||||
{
|
||||
int bucket;
|
||||
|
||||
if (keyring->description) {
|
||||
bucket = keyring_hash(keyring->description);
|
||||
struct user_namespace *ns = current_user_ns();
|
||||
|
||||
if (keyring->description &&
|
||||
keyring->description[0] &&
|
||||
keyring->description[0] != '.') {
|
||||
write_lock(&keyring_name_lock);
|
||||
|
||||
if (!keyring_name_hash[bucket].next)
|
||||
INIT_LIST_HEAD(&keyring_name_hash[bucket]);
|
||||
|
||||
list_add_tail(&keyring->name_link,
|
||||
&keyring_name_hash[bucket]);
|
||||
|
||||
list_add_tail(&keyring->name_link, &ns->keyring_name_list);
|
||||
write_unlock(&keyring_name_lock);
|
||||
}
|
||||
}
|
||||
|
|
@ -1097,50 +1090,44 @@ found:
|
|||
*/
|
||||
struct key *find_keyring_by_name(const char *name, bool uid_keyring)
|
||||
{
|
||||
struct user_namespace *ns = current_user_ns();
|
||||
struct key *keyring;
|
||||
int bucket;
|
||||
|
||||
if (!name)
|
||||
return ERR_PTR(-EINVAL);
|
||||
|
||||
bucket = keyring_hash(name);
|
||||
|
||||
read_lock(&keyring_name_lock);
|
||||
|
||||
if (keyring_name_hash[bucket].next) {
|
||||
/* search this hash bucket for a keyring with a matching name
|
||||
* that's readable and that hasn't been revoked */
|
||||
list_for_each_entry(keyring,
|
||||
&keyring_name_hash[bucket],
|
||||
name_link
|
||||
) {
|
||||
if (!kuid_has_mapping(current_user_ns(), keyring->user->uid))
|
||||
continue;
|
||||
/* Search this hash bucket for a keyring with a matching name that
|
||||
* grants Search permission and that hasn't been revoked
|
||||
*/
|
||||
list_for_each_entry(keyring, &ns->keyring_name_list, name_link) {
|
||||
if (!kuid_has_mapping(ns, keyring->user->uid))
|
||||
continue;
|
||||
|
||||
if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
|
||||
continue;
|
||||
if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
|
||||
continue;
|
||||
|
||||
if (strcmp(keyring->description, name) != 0)
|
||||
continue;
|
||||
if (strcmp(keyring->description, name) != 0)
|
||||
continue;
|
||||
|
||||
if (uid_keyring) {
|
||||
if (!test_bit(KEY_FLAG_UID_KEYRING,
|
||||
&keyring->flags))
|
||||
continue;
|
||||
} else {
|
||||
if (key_permission(make_key_ref(keyring, 0),
|
||||
KEY_NEED_SEARCH) < 0)
|
||||
continue;
|
||||
}
|
||||
|
||||
/* we've got a match but we might end up racing with
|
||||
* key_cleanup() if the keyring is currently 'dead'
|
||||
* (ie. it has a zero usage count) */
|
||||
if (!refcount_inc_not_zero(&keyring->usage))
|
||||
if (uid_keyring) {
|
||||
if (!test_bit(KEY_FLAG_UID_KEYRING,
|
||||
&keyring->flags))
|
||||
continue;
|
||||
} else {
|
||||
if (key_permission(make_key_ref(keyring, 0),
|
||||
KEY_NEED_SEARCH) < 0)
|
||||
continue;
|
||||
keyring->last_used_at = ktime_get_real_seconds();
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* we've got a match but we might end up racing with
|
||||
* key_cleanup() if the keyring is currently 'dead'
|
||||
* (ie. it has a zero usage count) */
|
||||
if (!refcount_inc_not_zero(&keyring->usage))
|
||||
continue;
|
||||
keyring->last_used_at = ktime_get_real_seconds();
|
||||
goto out;
|
||||
}
|
||||
|
||||
keyring = ERR_PTR(-ENOKEY);
|
||||
|
|
|
|||
Loading…
Reference in New Issue