From: David Howells <dhowells@redhat.com>
To: sprabhu@redhat.com
Cc: dhowells@redhat.com, Jarkko Sakkinen <jarkko@kernel.org>,
christian@brauner.io, selinux@vger.kernel.org,
keyrings@vger.kernel.org, linux-api@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org,
containers@lists.linux-foundation.org
Subject: [RFC][PATCH 0/2] keys: request_key() interception in containers
Date: Thu, 04 Feb 2021 17:47:31 +0000 [thread overview]
Message-ID: <161246085160.1990927.13137391845549674518.stgit@warthog.procyon.org.uk> (raw)
Here's a rough draft of a facility by which keys can be intercepted.
There are two patches:
(1) Add tags to namespaces that can be used to find out, when we're
looking for an intercept, if a namespace that an intercept is
filtering on is the same as the namespace of the caller of request_key(),
without the need for the intercept record to pin the namespaces that
it's using as filters (which would also cause a dependency cycle).
Tags contain only a refcount and are compared by address.
(2) Add a new keyctl:
keyctl(KEYCTL_SERVICE_INTERCEPT,
int queue_keyring, int userns_fd,
const char *type_name, unsigned int ns_mask);
that allows a request_key() intercept to be added to the specified
user namespace. The authorisation key for an intercepted request is
placed in the queue_keyring, which can be watched to gain a
notification of this happening. The watcher can then examine the auth
key to determine what key is to be instantiated.
A simple sample is provided that can be used to try this.
Some things that need to be worked out:
(*) Intercepts are linked to the lifetime of the user_namespace on which
they're placed, but not the daemon or the queue keyring. Probably
they should be removed when the queue keyring is removed, but they
currently pin it.
(*) Setting userns_fd to other than -1 is not yet supported (-1 indicates
the current user namespace).
(*) Multiple threads can monitor a queue keyring, but they will all get
woken. They can use keyctl_move() to decide who gets to process it.
The patches can be found on the following branch:
https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-intercept
David
---
David Howells (2):
Add namespace tags that can be used for matching without pinning a ns
keys: Allow request_key upcalls from a container to be intercepted
include/linux/key-type.h | 4 +-
include/linux/user_namespace.h | 2 +
include/uapi/linux/keyctl.h | 13 +
kernel/user.c | 3 +
kernel/user_namespace.c | 2 +
samples/watch_queue/Makefile | 2 +
samples/watch_queue/key_req_intercept.c | 271 +++++++++++++++++++
security/keys/Makefile | 2 +
security/keys/compat.c | 3 +
security/keys/internal.h | 5 +
security/keys/keyctl.c | 6 +
security/keys/keyring.c | 1 +
security/keys/process_keys.c | 2 +-
security/keys/request_key.c | 16 +-
security/keys/request_key_auth.c | 3 +
security/keys/service.c | 337 ++++++++++++++++++++++++
16 files changed, 663 insertions(+), 9 deletions(-)
create mode 100644 samples/watch_queue/key_req_intercept.c
create mode 100644 security/keys/service.c