Linux-NFS Archive on lore.kernel.org
* [GIT PULL] keys: Namespacing
@ 2019-04-30 22:39 David Howells
  2019-05-01 17:07 ` James Morris
  2019-05-01 17:18 ` David Howells
  0 siblings, 2 replies; 3+ messages in thread
From: David Howells @ 2019-04-30 22:39 UTC (permalink / raw)
  To: jmorris
  Cc: dhowells, dwalsh, vgoyal, keyrings, linux-security-module,
	linux-nfs, linux-fsdevel, linux-kernel, netdev

Hi James,

Can you pull this set of patches into the security tree and pass them along
to Linus in the next merge window?  The primary thrust is to add
namespacing to keyrings.

One miscellaneous and four prerequisite patches start:

 (1) Use invalidation to kill off request_key authentication tokens more
     quickly than revoking them.

 (2) Remove request_key_async{,_with_auxdata} - I would need to add extra
     arguments, but they're not currently used.

 (3), (4) Simplify the key description management and cache the hash value
     to avoid the need for constant recalculation during a search.  This
     makes it easier to add namespace info to a key's index key.

 (5) Make it possible for keyring_search() to do searches that don't
     recurse down into and search keyrings linked to from the starting
     keyring.

Then the rest are about namespacing:

 (6) Replace the global list of keyring names with per-user_namespace lists
     and exclude certain internal keyrings from being added to the lists.

 (7) Move the user and user-session keyrings from the user_struct, and
     store them instead in a "user keyring register" in the user_namespace.
     This prevents KEY_SPEC_* specifiers from picking keyrings from the
     wrong namespace.  Note that it also means that uids that share a
     user_struct will not see the same user keyrings inside and outside a
     user_namespace.

     This has been tested by Dan Walsh in a Fedora environment, though the
     patch was modified from the one here.

 (8) Provide the ability to add a domain tag to a key's index key, so that
     a keyring can hold keys of the same type and description, but
     different target namespace/domain.

 (9) Make the garbage collector remove keys for which the target domain tag
     has been removed.

(10) Provide a domain tag for each network namespace.

(11) Tag DNS resolver keys and rxrpc/afs keys so that keys for different
     domains can coexist in the same keyrings.

In the future, hopefully, it will be possible to use the domain tags in
ACLs to grant permissions to namespaces for containerisation.

David
---
The following changes since commit 6beff00b79ca0b5caf0ce6fb8e11f57311bd95f8:

  seccomp: fix up grammar in comment (2019-04-23 16:21:12 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-namespace-20190430

for you to fetch changes up to ccedc142360bd68fdaf444671d67d42fa306398b:

  keys: Pass the network namespace into request_key mechanism (2019-04-25 13:10:25 +0100)

----------------------------------------------------------------
Keyrings namespacing

----------------------------------------------------------------
David Howells (11):
      keys: Invalidate used request_key authentication keys
      keys: Kill off request_key_async{,_with_auxdata}
      keys: Simplify key description management
      keys: Cache the hash value to avoid lots of recalculation
      keys: Add a 'recurse' flag for keyring searches
      keys: Namespace keyring names
      keys: Move the user and user-session keyrings to the user_namespace
      keys: Include target namespace in match criteria
      keys: Garbage collect keys for which the domain has been removed
      keys: Network namespace domain tag
      keys: Pass the network namespace into request_key mechanism

 Documentation/security/keys/core.rst     |  10 +-
 certs/blacklist.c                        |   2 +-
 crypto/asymmetric_keys/asymmetric_type.c |   2 +-
 fs/afs/addr_list.c                       |   4 +-
 fs/afs/dynroot.c                         |   7 +-
 fs/cifs/dns_resolve.c                    |   3 +-
 fs/nfs/dns_resolve.c                     |   2 +-
 include/linux/dns_resolver.h             |   3 +-
 include/linux/key-type.h                 |   3 +
 include/linux/key.h                      |  50 ++++--
 include/linux/sched/user.h               |  14 --
 include/linux/user_namespace.h           |  12 +-
 include/net/net_namespace.h              |   4 +
 kernel/user.c                            |  10 +-
 kernel/user_namespace.c                  |   9 +-
 lib/digsig.c                             |   2 +-
 net/ceph/messenger.c                     |   3 +-
 net/core/net_namespace.c                 |  19 +++
 net/dns_resolver/dns_key.c               |   1 +
 net/dns_resolver/dns_query.c             |   6 +-
 net/rxrpc/key.c                          |   6 +-
 net/rxrpc/security.c                     |   2 +-
 security/integrity/digsig_asymmetric.c   |   4 +-
 security/keys/gc.c                       |   2 +-
 security/keys/internal.h                 |  10 +-
 security/keys/key.c                      |   9 +-
 security/keys/keyctl.c                   |   4 +-
 security/keys/keyring.c                  | 263 +++++++++++++++++--------------
 security/keys/persistent.c               |  10 +-
 security/keys/proc.c                     |   3 +-
 security/keys/process_keys.c             | 252 ++++++++++++++++++-----------
 security/keys/request_key.c              | 113 ++++++-------
 security/keys/request_key_auth.c         |   3 +-
 33 files changed, 508 insertions(+), 339 deletions(-)
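The following is an added userspace model of what patches (8) and (9) describe, not code from the series or from the kernel: a key's index key carries a domain tag, so type plus description is only unique per tag, and a garbage-collector pass reaps keys whose tag has been removed. The structure and function names are my own, chosen to echo the kernel's, and the domain tag is modelled as a plain struct standing in for a network namespace.

```c
#include <string.h>

/* Userspace model (not kernel code) of patches 8 and 9: a key's index key
 * carries a domain tag, so (type, description) is only unique per tag, and
 * the garbage collector reaps keys whose tag has been removed. */
struct key_tag { const char *name; int removed; };  /* e.g. one per net ns */
struct index_key {
	const char *type, *description;
	const struct key_tag *domain_tag;               /* NULL: untagged */
};
#define MAX_KEYS 16
struct keyring { struct index_key keys[MAX_KEYS]; int nr; };

int keyring_add(struct keyring *r, const char *type, const char *desc,
		const struct key_tag *tag)
{
	if (r->nr >= MAX_KEYS)
		return -1;
	r->keys[r->nr] = (struct index_key){ type, desc, tag };
	return r->nr++;
}

/* The tag is compared by identity as part of the match: the same
 * type+description under another tag is a different key, so keys for
 * different namespaces coexist in one keyring without clashing. */
int keyring_search(const struct keyring *r, const char *type,
		   const char *desc, const struct key_tag *tag)
{
	for (int i = 0; i < r->nr; i++)
		if (r->keys[i].domain_tag == tag &&
		    !strcmp(r->keys[i].type, type) &&
		    !strcmp(r->keys[i].description, desc))
			return i;
	return -1;
}

/* Garbage collector pass: a key whose domain tag has been removed (its
 * namespace went away) is reaped; returns the number of keys reaped. */
int keyring_gc(struct keyring *r)
{
	int kept = 0, reaped = 0;
	for (int i = 0; i < r->nr; i++)
		if (r->keys[i].domain_tag && r->keys[i].domain_tag->removed)
			reaped++;
		else
			r->keys[kept++] = r->keys[i];
	r->nr = kept;
	return reaped;
}
```

Two dns_resolver keys with the same description but different tags can be added and found independently, and marking one tag removed makes the next gc pass drop only that tag's keys.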


* Re: [GIT PULL] keys: Namespacing
  2019-04-30 22:39 [GIT PULL] keys: Namespacing David Howells
@ 2019-05-01 17:07 ` James Morris
  2019-05-01 17:18 ` David Howells
  1 sibling, 0 replies; 3+ messages in thread
From: James Morris @ 2019-05-01 17:07 UTC (permalink / raw)
  To: David Howells
  Cc: dwalsh, vgoyal, keyrings, linux-security-module, linux-nfs,
	linux-fsdevel, linux-kernel, netdev

On Tue, 30 Apr 2019, David Howells wrote:

> Hi James,
> 
> Can you pull this set of patches into the security tree and pass them along
> to Linus in the next merge window?  The primary thrust is to add
> namespacing to keyrings.

Not for this merge window; it's too close. Something like this would need
to be in -rc2 or so.


-- 
James Morris
<jmorris@namei.org>



* Re: [GIT PULL] keys: Namespacing
  2019-04-30 22:39 [GIT PULL] keys: Namespacing David Howells
  2019-05-01 17:07 ` James Morris
@ 2019-05-01 17:18 ` David Howells
  1 sibling, 0 replies; 3+ messages in thread
From: David Howells @ 2019-05-01 17:18 UTC (permalink / raw)
  To: James Morris
  Cc: dhowells, dwalsh, vgoyal, keyrings, linux-security-module,
	linux-nfs, linux-fsdevel, linux-kernel, netdev

James Morris <jmorris@namei.org> wrote:

> > Can you pull this set of patches into the security tree and pass them along
> > to Linus in the next merge window?  The primary thrust is to add
> > namespacing to keyrings.
> 
> Not for this merge window; it's too close. Something like this would need
> to be in -rc2 or so.

Okay.

David

