linux-kernel.vger.kernel.org archive mirror
* [GIT PULL] Expand keyring capacity and provide support for libkrb5
@ 2013-08-29  0:20 David Howells
  2013-08-29  1:44 ` James Morris
  2013-08-29 18:06 ` David Howells
  0 siblings, 2 replies; 7+ messages in thread
From: David Howells @ 2013-08-29  0:20 UTC
  To: jmorris; +Cc: dhowells, simo, keyrings, linux-security-module, linux-kernel


Hi James,

Could you pull these patches into the security tree?

The patches can be viewed as three sets:

 (1) KEYS: Skip key state checks when checking for possession

     This is a fix for determining the possessed status of keys that have been
     invalidated or revoked or that have expired.  If nothing else, can you
     please pick this and pass it upstream.

 (2) KEYS: Expand the capacity of a keyring
     Add a generic associative array implementation
     KEYS: Drop the permissions argument from __keyring_search_one()
     KEYS: Define a __key_get() wrapper to use rather than atomic_inc()
     KEYS: Search for auth-key by name rather than target key ID
     KEYS: Introduce a search context structure
     KEYS: Consolidate the concept of an 'index key' for key access
     KEYS: key_is_dead() should take a const key pointer argument
     KEYS: Use bool in make_key_ref() and is_key_possessed()

     Patches to expand the capacity of a keyring by using an associative
     array rather than a flat list and patches to do some preparatory cleanups
     for those.

 (3) KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
     KEYS: Implement a big key type that can save to tmpfs

     Patches to add better support for libkrb5 to save its tokens in a kernel
     keyring rather than in files.  It already has this ability to some
     extent, but that has two problems: your tokens get deleted when you log
     out (so your cron jobs can't use them) and the capacity of a user type
     key is not sufficient for some of the huge Kerberos tickets one can get.
     These patches address that.

If you need the patches basing on your tree instead, that can be done.

David
---
The following changes since commit f1d6e17f540af37bb1891480143669ba7636c4cf:

  Merge branch 'akpm' (patches from Andrew Morton) (2013-08-14 10:04:43 -0700)

are available in the git repository at:


  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-krb-support

for you to fetch changes up to 0f8d966ebc86d7ab9fb7fd074ae589c2d81de08f:

  KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches (2013-08-28 18:56:14 +0100)

----------------------------------------------------------------
(from the branch description for keys-devel local branch)

clone of "master"
Kerberos ticket persistence support

----------------------------------------------------------------
David Howells (12):
      KEYS: Skip key state checks when checking for possession
      KEYS: Use bool in make_key_ref() and is_key_possessed()
      KEYS: key_is_dead() should take a const key pointer argument
      KEYS: Consolidate the concept of an 'index key' for key access
      KEYS: Introduce a search context structure
      KEYS: Search for auth-key by name rather than target key ID
      KEYS: Define a __key_get() wrapper to use rather than atomic_inc()
      KEYS: Drop the permissions argument from __keyring_search_one()
      Add a generic associative array implementation.
      KEYS: Expand the capacity of a keyring
      KEYS: Implement a big key type that can save to tmpfs
      KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches

 Documentation/assoc_array.txt    |  574 +++++++++++++
 Documentation/security/keys.txt  |   20 +-
 include/keys/big_key-type.h      |   25 +
 include/keys/keyring-type.h      |   17 +-
 include/linux/assoc_array.h      |   92 ++
 include/linux/assoc_array_priv.h |  182 ++++
 include/linux/key-type.h         |    5 +
 include/linux/key.h              |   49 +-
 include/linux/user_namespace.h   |    6 +
 include/uapi/linux/keyctl.h      |    1 +
 kernel/user.c                    |    4 +
 kernel/user_namespace.c          |    4 +
 lib/Kconfig                      |   14 +
 lib/Makefile                     |    1 +
 lib/assoc_array.c                | 1745 ++++++++++++++++++++++++++++++++++++++
 security/keys/Kconfig            |   29 +
 security/keys/Makefile           |    2 +
 security/keys/big_key.c          |  204 +++++
 security/keys/compat.c           |    3 +
 security/keys/gc.c               |   33 +-
 security/keys/internal.h         |   74 +-
 security/keys/key.c              |   91 +-
 security/keys/keyctl.c           |    3 +
 security/keys/keyring.c          | 1481 ++++++++++++++++----------------
 security/keys/persistent.c       |  169 ++++
 security/keys/proc.c             |   17 +-
 security/keys/process_keys.c     |  131 +--
 security/keys/request_key.c      |   56 +-
 security/keys/request_key_auth.c |   31 +-
 security/keys/sysctl.c           |   11 +
 security/keys/user_defined.c     |   18 +-
 31 files changed, 4124 insertions(+), 968 deletions(-)
 create mode 100644 Documentation/assoc_array.txt
 create mode 100644 include/keys/big_key-type.h
 create mode 100644 include/linux/assoc_array.h
 create mode 100644 include/linux/assoc_array_priv.h
 create mode 100644 lib/assoc_array.c
 create mode 100644 security/keys/big_key.c
 create mode 100644 security/keys/persistent.c



* Re: [GIT PULL] Expand keyring capacity and provide support for libkrb5
  2013-08-29  0:20 [GIT PULL] Expand keyring capacity and provide support for libkrb5 David Howells
@ 2013-08-29  1:44 ` James Morris
  2013-08-29 18:06 ` David Howells
  1 sibling, 0 replies; 7+ messages in thread
From: James Morris @ 2013-08-29  1:44 UTC
  To: David Howells; +Cc: simo, keyrings, linux-security-module, linux-kernel

On Thu, 29 Aug 2013, David Howells wrote:

> 
> Hi James,
> 
> Could you pull these patches into the security tree?

944 files changed, 17114 insertions(+), 9157 deletions(-)


How about no?  :)



> 
> The patches can be viewed as three sets:
> 
>  (1) KEYS: Skip key state checks when checking for possession
> 
>      This is a fix for determining the possessed status of keys that have been
>      invalidated or revoked or that have expired.  If nothing else, can you
>      please pick this and pass it upstream.
> 
>  (2) KEYS: Expand the capacity of a keyring
>      Add a generic associative array implementation
>      KEYS: Drop the permissions argument from __keyring_search_one()
>      KEYS: Define a __key_get() wrapper to use rather than atomic_inc()
>      KEYS: Search for auth-key by name rather than target key ID
>      KEYS: Introduce a search context structure
>      KEYS: Consolidate the concept of an 'index key' for key access
>      KEYS: key_is_dead() should take a const key pointer argument
>      KEYS: Use bool in make_key_ref() and is_key_possessed()
> 
>      Patches to expand the capacity of a keyring by using an associative
>      array rather than a flat list and patches to do some preparatory cleanups
>      for those.
> 
>  (3) KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
>      KEYS: Implement a big key type that can save to tmpfs
> 
>      Patches to add better support for libkrb5 to save its tokens in a kernel
>      keyring rather than in files.  It already has this ability to some
>      extent, but that has two problems: your tokens get deleted when you log
>      out (so your cron jobs can't use them) and the capacity of a user type
>      key is not sufficient for some of the huge Kerberos tickets one can get.
>      These patches address that.
> 
> If you need the patches basing on your tree instead, that can be done.
> 
> David
> ---
> The following changes since commit f1d6e17f540af37bb1891480143669ba7636c4cf:
> 
>   Merge branch 'akpm' (patches from Andrew Morton) (2013-08-14 10:04:43 -0700)
> 
> are available in the git repository at:
> 
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-krb-support
> 
> for you to fetch changes up to 0f8d966ebc86d7ab9fb7fd074ae589c2d81de08f:
> 
>   KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches (2013-08-28 18:56:14 +0100)
> 
> ----------------------------------------------------------------
> (from the branch description for keys-devel local branch)
> 
> clone of "master"
> Kerberos ticket persistence support
> 
> ----------------------------------------------------------------
> David Howells (12):
>       KEYS: Skip key state checks when checking for possession
>       KEYS: Use bool in make_key_ref() and is_key_possessed()
>       KEYS: key_is_dead() should take a const key pointer argument
>       KEYS: Consolidate the concept of an 'index key' for key access
>       KEYS: Introduce a search context structure
>       KEYS: Search for auth-key by name rather than target key ID
>       KEYS: Define a __key_get() wrapper to use rather than atomic_inc()
>       KEYS: Drop the permissions argument from __keyring_search_one()
>       Add a generic associative array implementation.
>       KEYS: Expand the capacity of a keyring
>       KEYS: Implement a big key type that can save to tmpfs
>       KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
> 
>  Documentation/assoc_array.txt    |  574 +++++++++++++
>  Documentation/security/keys.txt  |   20 +-
>  include/keys/big_key-type.h      |   25 +
>  include/keys/keyring-type.h      |   17 +-
>  include/linux/assoc_array.h      |   92 ++
>  include/linux/assoc_array_priv.h |  182 ++++
>  include/linux/key-type.h         |    5 +
>  include/linux/key.h              |   49 +-
>  include/linux/user_namespace.h   |    6 +
>  include/uapi/linux/keyctl.h      |    1 +
>  kernel/user.c                    |    4 +
>  kernel/user_namespace.c          |    4 +
>  lib/Kconfig                      |   14 +
>  lib/Makefile                     |    1 +
>  lib/assoc_array.c                | 1745 ++++++++++++++++++++++++++++++++++++++
>  security/keys/Kconfig            |   29 +
>  security/keys/Makefile           |    2 +
>  security/keys/big_key.c          |  204 +++++
>  security/keys/compat.c           |    3 +
>  security/keys/gc.c               |   33 +-
>  security/keys/internal.h         |   74 +-
>  security/keys/key.c              |   91 +-
>  security/keys/keyctl.c           |    3 +
>  security/keys/keyring.c          | 1481 ++++++++++++++++----------------
>  security/keys/persistent.c       |  169 ++++
>  security/keys/proc.c             |   17 +-
>  security/keys/process_keys.c     |  131 +--
>  security/keys/request_key.c      |   56 +-
>  security/keys/request_key_auth.c |   31 +-
>  security/keys/sysctl.c           |   11 +
>  security/keys/user_defined.c     |   18 +-
>  31 files changed, 4124 insertions(+), 968 deletions(-)
>  create mode 100644 Documentation/assoc_array.txt
>  create mode 100644 include/keys/big_key-type.h
>  create mode 100644 include/linux/assoc_array.h
>  create mode 100644 include/linux/assoc_array_priv.h
>  create mode 100644 lib/assoc_array.c
>  create mode 100644 security/keys/big_key.c
>  create mode 100644 security/keys/persistent.c
> 

-- 
James Morris
<jmorris@namei.org>


* Re: [GIT PULL] Expand keyring capacity and provide support for libkrb5
  2013-08-29  0:20 [GIT PULL] Expand keyring capacity and provide support for libkrb5 David Howells
  2013-08-29  1:44 ` James Morris
@ 2013-08-29 18:06 ` David Howells
  2013-08-30  1:20   ` James Morris
                     ` (2 more replies)
  1 sibling, 3 replies; 7+ messages in thread
From: David Howells @ 2013-08-29 18:06 UTC
  To: James Morris
  Cc: dhowells, simo, keyrings, linux-security-module, linux-kernel

James Morris <jmorris@namei.org> wrote:

> > Could you pull these patches into the security tree?
> 
> 944 files changed, 17114 insertions(+), 9157 deletions(-)

Ummm...  Where did that come from?  That doesn't look like what's in my
tree...

David


* Re: [GIT PULL] Expand keyring capacity and provide support for libkrb5
  2013-08-29 18:06 ` David Howells
@ 2013-08-30  1:20   ` James Morris
  2013-08-30  9:58   ` David Howells
  2013-09-03 19:08   ` David Howells
  2 siblings, 0 replies; 7+ messages in thread
From: James Morris @ 2013-08-30  1:20 UTC
  To: David Howells; +Cc: simo, keyrings, linux-security-module, linux-kernel

On Thu, 29 Aug 2013, David Howells wrote:

> James Morris <jmorris@namei.org> wrote:
> 
> > > Could you pull these patches into the security tree?
> > 
> > 944 files changed, 17114 insertions(+), 9157 deletions(-)
> 
> Ummm...  Where did that come from?  That doesn't look like what's in my
> tree...

Is your tree based on mine?


-- 
James Morris
<jmorris@namei.org>


* Re: [GIT PULL] Expand keyring capacity and provide support for libkrb5
  2013-08-29 18:06 ` David Howells
  2013-08-30  1:20   ` James Morris
@ 2013-08-30  9:58   ` David Howells
  2013-09-03 19:08   ` David Howells
  2 siblings, 0 replies; 7+ messages in thread
From: David Howells @ 2013-08-30  9:58 UTC
  To: James Morris
  Cc: dhowells, simo, keyrings, linux-security-module, linux-kernel

James Morris <jmorris@namei.org> wrote:

> Is your tree based on mine?

No.  As I said in my original email:

	If you need the patches basing on your tree instead, that can be done.

;-)

David


* Re: [GIT PULL] Expand keyring capacity and provide support for libkrb5
  2013-08-29 18:06 ` David Howells
  2013-08-30  1:20   ` James Morris
  2013-08-30  9:58   ` David Howells
@ 2013-09-03 19:08   ` David Howells
  2013-09-04  0:42     ` James Morris
  2 siblings, 1 reply; 7+ messages in thread
From: David Howells @ 2013-09-03 19:08 UTC
  To: James Morris
  Cc: dhowells, simo, keyrings, linux-security-module, linux-kernel

James Morris <jmorris@namei.org> wrote:

> > Ummm...  Where did that come from?  That doesn't look like what's in my
> > tree...
> 
> Is your tree based on mine?

It is now.  See:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-devel

based on your "next" branch.  If you can take up to the keys-krb-support tag
for now?

David


* Re: [GIT PULL] Expand keyring capacity and provide support for libkrb5
  2013-09-03 19:08   ` David Howells
@ 2013-09-04  0:42     ` James Morris
  0 siblings, 0 replies; 7+ messages in thread
From: James Morris @ 2013-09-04  0:42 UTC
  To: David Howells; +Cc: simo, keyrings, linux-security-module, linux-kernel

On Tue, 3 Sep 2013, David Howells wrote:

> James Morris <jmorris@namei.org> wrote:
> 
> > > Ummm...  Where did that come from?  That doesn't look like what's in my
> > > tree...
> > 
> > Is your tree based on mine?
> 
> It is now.  See:
> 
> 	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-devel
> 
> based on your "next" branch.  If you can take up to the keys-krb-support tag
> for now?

What's the pull syntax for that?


-- 
James Morris
<jmorris@namei.org>
