linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Re: [PATCH] keyrings: Allow searching the user session keyring
       [not found] <1457648428-34445-1-git-send-email-gwendal@chromium.org>
@ 2016-03-17 17:04 ` Gwendal Grignou
  2016-05-03 18:34   ` Gwendal Grignou
  2016-06-14  9:46 ` David Howells
  1 sibling, 1 reply; 5+ messages in thread
From: Gwendal Grignou @ 2016-03-17 17:04 UTC (permalink / raw)
  To: Gwendal Grignou, dhowells, james.l.morris, serge
  Cc: keyrings, Linux Kernel, linux-security-module, Theodore Ts'o

Resent to a larger audience.

On Thu, Mar 10, 2016 at 2:20 PM, Gwendal Grignou <gwendal@chromium.org> wrote:
> Currently, if a session keyring exists, we are not searching in the
> user session or user keyrings.
>
> This is a problem when a session keyring exists and we want to use
> ecryptfs, who adds the needed key only in the user keyring.
>
> TEST=Without this change, mounting an ecryptfs "partition" fails when a
> session keyring exists:
> ...
> [ 2686.047522] Could not find key with description: [dd6f92bd8660b36c]
> ...
> Although the key exits:
> keyctl show @us
> Keyring
>  549666721 --alswrv      0 65534  keyring: _uid_ses.0
>  346719914 --alswrv      0 65534   \_ keyring: _uid.0
>  235623693 --alswrv      0     0       \_ user: dd6f92bd8660b36c
>  747773852 --alswrv      0     0       \_ user: 7025717e50fd74a2
> With this change, ecryptfs can see the keys it needs.
>
> Note that 'keyctl show' still only shows the session keyring by default.
> We need to specify 'keyctl show @us' to see the user session keyring
> when the session keyring exits.
>
> Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
> ---
>  security/keys/process_keys.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
> index e6d50172..a77d66e 100644
> --- a/security/keys/process_keys.c
> +++ b/security/keys/process_keys.c
> @@ -395,8 +395,8 @@ key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx)
>                         break;
>                 }
>         }
> -       /* or search the user-session keyring */
> -       else if (ctx->cred->user->session_keyring) {
> +       /* finally search the user-session keyring */
> +       if (ctx->cred->user->session_keyring) {
>                 key_ref = keyring_search_aux(
>                         make_key_ref(ctx->cred->user->session_keyring, 1),
>                         ctx);
> --
> 2.7.0.rc3.207.g0ac5344
>

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] keyrings: Allow searching the user session keyring
  2016-03-17 17:04 ` [PATCH] keyrings: Allow searching the user session keyring Gwendal Grignou
@ 2016-05-03 18:34   ` Gwendal Grignou
  2016-05-20 19:27     ` Serge E. Hallyn
  0 siblings, 1 reply; 5+ messages in thread
From: Gwendal Grignou @ 2016-05-03 18:34 UTC (permalink / raw)
  To: Gwendal Grignou
  Cc: dhowells, james.l.morris, serge, keyrings, Linux Kernel,
	linux-security-module, Theodore Ts'o

Any feedback on this? It is mandatory if we want to mount a ecryptfs
directory while the session keyring is used.

Thanks,
Gwendal.

On Thu, Mar 17, 2016 at 10:04 AM, Gwendal Grignou <gwendal@chromium.org> wrote:
> Resent to a larger audience.
>
> On Thu, Mar 10, 2016 at 2:20 PM, Gwendal Grignou <gwendal@chromium.org> wrote:
>> Currently, if a session keyring exists, we are not searching in the
>> user session or user keyrings.
>>
>> This is a problem when a session keyring exists and we want to use
>> ecryptfs, who adds the needed key only in the user keyring.
>>
>> TEST=Without this change, mounting an ecryptfs "partition" fails when a
>> session keyring exists:
>> ...
>> [ 2686.047522] Could not find key with description: [dd6f92bd8660b36c]
>> ...
>> Although the key exits:
>> keyctl show @us
>> Keyring
>>  549666721 --alswrv      0 65534  keyring: _uid_ses.0
>>  346719914 --alswrv      0 65534   \_ keyring: _uid.0
>>  235623693 --alswrv      0     0       \_ user: dd6f92bd8660b36c
>>  747773852 --alswrv      0     0       \_ user: 7025717e50fd74a2
>> With this change, ecryptfs can see the keys it needs.
>>
>> Note that 'keyctl show' still only shows the session keyring by default.
>> We need to specify 'keyctl show @us' to see the user session keyring
>> when the session keyring exits.
>>
>> Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
>> ---
>>  security/keys/process_keys.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
>> index e6d50172..a77d66e 100644
>> --- a/security/keys/process_keys.c
>> +++ b/security/keys/process_keys.c
>> @@ -395,8 +395,8 @@ key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx)
>>                         break;
>>                 }
>>         }
>> -       /* or search the user-session keyring */
>> -       else if (ctx->cred->user->session_keyring) {
>> +       /* finally search the user-session keyring */
>> +       if (ctx->cred->user->session_keyring) {
>>                 key_ref = keyring_search_aux(
>>                         make_key_ref(ctx->cred->user->session_keyring, 1),
>>                         ctx);
>> --
>> 2.7.0.rc3.207.g0ac5344
>>

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] keyrings: Allow searching the user session keyring
  2016-05-03 18:34   ` Gwendal Grignou
@ 2016-05-20 19:27     ` Serge E. Hallyn
  0 siblings, 0 replies; 5+ messages in thread
From: Serge E. Hallyn @ 2016-05-20 19:27 UTC (permalink / raw)
  To: Gwendal Grignou
  Cc: Gwendal Grignou, dhowells, james.l.morris, serge, keyrings,
	Linux Kernel, linux-security-module, Theodore Ts'o

Sorry, I just don't know al lthe subtleties there, I think we just need
David's ack/nack here.

Quoting Gwendal Grignou (gwendal@google.com):
> Any feedback on this? It is mandatory if we want to mount a ecryptfs
> directory while the session keyring is used.
> 
> Thanks,
> Gwendal.
> 
> On Thu, Mar 17, 2016 at 10:04 AM, Gwendal Grignou <gwendal@chromium.org> wrote:
> > Resent to a larger audience.
> >
> > On Thu, Mar 10, 2016 at 2:20 PM, Gwendal Grignou <gwendal@chromium.org> wrote:
> >> Currently, if a session keyring exists, we are not searching in the
> >> user session or user keyrings.
> >>
> >> This is a problem when a session keyring exists and we want to use
> >> ecryptfs, who adds the needed key only in the user keyring.
> >>
> >> TEST=Without this change, mounting an ecryptfs "partition" fails when a
> >> session keyring exists:
> >> ...
> >> [ 2686.047522] Could not find key with description: [dd6f92bd8660b36c]
> >> ...
> >> Although the key exits:
> >> keyctl show @us
> >> Keyring
> >>  549666721 --alswrv      0 65534  keyring: _uid_ses.0
> >>  346719914 --alswrv      0 65534   \_ keyring: _uid.0
> >>  235623693 --alswrv      0     0       \_ user: dd6f92bd8660b36c
> >>  747773852 --alswrv      0     0       \_ user: 7025717e50fd74a2
> >> With this change, ecryptfs can see the keys it needs.
> >>
> >> Note that 'keyctl show' still only shows the session keyring by default.
> >> We need to specify 'keyctl show @us' to see the user session keyring
> >> when the session keyring exits.
> >>
> >> Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
> >> ---
> >>  security/keys/process_keys.c | 4 ++--
> >>  1 file changed, 2 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
> >> index e6d50172..a77d66e 100644
> >> --- a/security/keys/process_keys.c
> >> +++ b/security/keys/process_keys.c
> >> @@ -395,8 +395,8 @@ key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx)
> >>                         break;
> >>                 }
> >>         }
> >> -       /* or search the user-session keyring */
> >> -       else if (ctx->cred->user->session_keyring) {
> >> +       /* finally search the user-session keyring */
> >> +       if (ctx->cred->user->session_keyring) {
> >>                 key_ref = keyring_search_aux(
> >>                         make_key_ref(ctx->cred->user->session_keyring, 1),
> >>                         ctx);
> >> --
> >> 2.7.0.rc3.207.g0ac5344
> >>

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] keyrings: Allow searching the user session keyring
       [not found] <1457648428-34445-1-git-send-email-gwendal@chromium.org>
  2016-03-17 17:04 ` [PATCH] keyrings: Allow searching the user session keyring Gwendal Grignou
@ 2016-06-14  9:46 ` David Howells
  2016-08-08 21:43   ` Gwendal Grignou
  1 sibling, 1 reply; 5+ messages in thread
From: David Howells @ 2016-06-14  9:46 UTC (permalink / raw)
  To: Gwendal Grignou
  Cc: dhowells, james.l.morris, serge, keyrings, Linux Kernel,
	linux-security-module, Theodore Ts'o

Gwendal Grignou <gwendal@chromium.org> wrote:

> Currently, if a session keyring exists, we are not searching in the
> user session or user keyrings.

That is correct.  New session keyrings are given a link to the user session if
created by pam_keyinit.  If you don't want to search the user keyring, you can
just unlink it from your session keyring.

The user-session keyring is a fallback keyring in case there's no session
keyring.  It seemed to make things easier at the time, but it shouldn't really
exist and I would deprecate it and remove it if I could - especially now that
persistent keyrings exist.  The uid 0 user-session keyring is a potential
security hole because it allows implicit sharing of authentication data
between daemon processes.

David

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH] keyrings: Allow searching the user session keyring
  2016-06-14  9:46 ` David Howells
@ 2016-08-08 21:43   ` Gwendal Grignou
  0 siblings, 0 replies; 5+ messages in thread
From: Gwendal Grignou @ 2016-08-08 21:43 UTC (permalink / raw)
  To: David Howells
  Cc: Gwendal Grignou, james.l.morris, serge, keyrings, Linux Kernel,
	linux-security-module, Theodore Ts'o

On Tue, Jun 14, 2016 at 2:46 AM, David Howells <dhowells@redhat.com> wrote:
> Gwendal Grignou <gwendal@chromium.org> wrote:
>
>> Currently, if a session keyring exists, we are not searching in the
>> user session or user keyrings.
>
> That is correct.  New session keyrings are given a link to the user session if
> created by pam_keyinit.  If you don't want to search the user keyring, you can
> just unlink it from your session keyring.
The problem I am facing is that ecrytpfs library (see
https://github.com/dustinkirkland/ecryptfs-utils/blob/master/src/libecryptfs/key_management.c,
function ecryptfs_add_auth_tok_to_keyring) specifically adds the
needed keys to user keyring.
Without the patch above, this code stops working when a session
keyring exists, because the kernel will not search within the user
keyring.
>
> The uid 0 user-session keyring is a potential
> security hole because it allows implicit sharing of authentication data
> between daemon processes.
For ecryptfs, multiple root processes needs to access the key. For
mitigating security risk, we run root daemons that don't need the key
in thin container (called minijail).
>
> David

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-08-08 21:43 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <1457648428-34445-1-git-send-email-gwendal@chromium.org>
2016-03-17 17:04 ` [PATCH] keyrings: Allow searching the user session keyring Gwendal Grignou
2016-05-03 18:34   ` Gwendal Grignou
2016-05-20 19:27     ` Serge E. Hallyn
2016-06-14  9:46 ` David Howells
2016-08-08 21:43   ` Gwendal Grignou

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).