From: David Howells <dhowells@redhat.com>
To: keyrings@vger.kernel.org, trond.myklebust@hammerspace.com,
sfrench@samba.org
Cc: linux-security-module@vger.kernel.org, linux-nfs@vger.kernel.org,
linux-cifs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
rgb@redhat.com, dhowells@redhat.com,
linux-kernel@vger.kernel.org
Subject: [RFC PATCH 13/27] keys: Provide a keyctl to query a request_key authentication key
Date: Fri, 15 Feb 2019 16:09:24 +0000 [thread overview]
Message-ID: <155024696409.21651.3488621563034826227.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <155024683432.21651.14153938339749694146.stgit@warthog.procyon.org.uk>
Provide a keyctl to query a request_key authentication key for situations
where this information isn't passed on the command line (such as where the
authentication key is placed in a queue instead of /sbin/request-key being
invoked):
struct keyctl_query_request_key_auth {
char operation[32];
uid_t fsuid;
gid_t fsgid;
key_serial_t target_key;
key_serial_t thread_keyring;
key_serial_t process_keyring;
key_serial_t session_keyring;
__u64 spare[1];
};
keyctl(KEYCTL_QUERY_REQUEST_KEY_AUTH,
key_serial_t key,
struct keyctl_query_request_key_auth *data);
Signed-off-by: David Howells <dhowells@redhat.com>
---
include/uapi/linux/keyctl.h | 12 ++++++++++++
security/keys/compat.c | 2 ++
security/keys/container.c | 42 ++++++++++++++++++++++++++++++++++++++++++
security/keys/internal.h | 2 ++
security/keys/keyctl.c | 4 ++++
5 files changed, 62 insertions(+)
diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h
index 85e8fef89bba..bb075ad1827d 100644
--- a/include/uapi/linux/keyctl.h
+++ b/include/uapi/linux/keyctl.h
@@ -69,6 +69,7 @@
#define KEYCTL_RESTRICT_KEYRING 29 /* Restrict keys allowed to link to a keyring */
#define KEYCTL_WATCH_KEY 30 /* Watch a key or ring of keys for changes */
#define KEYCTL_CONTAINER_INTERCEPT 31 /* Intercept upcalls inside a container */
+#define KEYCTL_QUERY_REQUEST_KEY_AUTH 32 /* Query a request_key_auth key */
/* keyctl structures */
struct keyctl_dh_params {
@@ -114,4 +115,15 @@ struct keyctl_pkey_params {
__u32 __spare[7];
};
+struct keyctl_query_request_key_auth {
+ char operation[32]; /* Operation name, typically "create" */
+ uid_t fsuid; /* UID of requester */
+ gid_t fsgid; /* GID of requester */
+ __u32 target_key; /* The key being instantiated */
+ __u32 thread_keyring; /* The requester's thread keyring */
+ __u32 process_keyring; /* The requester's process keyring */
+ __u32 session_keyring; /* The requester's session keyring */
+ __u64 spare[1];
+};
+
#endif /* _LINUX_KEYCTL_H */
diff --git a/security/keys/compat.c b/security/keys/compat.c
index 6420881e5ce7..30055fc2b629 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -164,6 +164,8 @@ COMPAT_SYSCALL_DEFINE5(keyctl, u32, option,
#ifdef CONFIG_CONTAINERS
case KEYCTL_CONTAINER_INTERCEPT:
return keyctl_container_intercept(arg2, compat_ptr(arg3), arg4, arg5);
+ case KEYCTL_QUERY_REQUEST_KEY_AUTH:
+ return keyctl_query_request_key_auth(arg2, compat_ptr(arg3));
#endif
default:
diff --git a/security/keys/container.c b/security/keys/container.c
index c61c43658f3b..115998e867cd 100644
--- a/security/keys/container.c
+++ b/security/keys/container.c
@@ -225,3 +225,45 @@ int queue_request_key(struct key *authkey)
kleave(" = %d", ret);
return ret;
}
+
+/*
+ * Query information about a request_key_auth key.
+ */
+long keyctl_query_request_key_auth(key_serial_t auth_id,
+ struct keyctl_query_request_key_auth __user *_data)
+{
+ struct keyctl_query_request_key_auth data;
+ struct request_key_auth *rka;
+ struct key *session;
+ key_ref_t authkey_ref;
+
+ if (auth_id <= 0 || !_data)
+ return -EINVAL;
+
+ authkey_ref = lookup_user_key(auth_id, 0, KEY_NEED_SEARCH);
+ if (IS_ERR(authkey_ref))
+ return PTR_ERR(authkey_ref);
+ rka = get_request_key_auth(key_ref_to_ptr(authkey_ref));
+
+ memset(&data, 0, sizeof(data));
+ strlcpy(data.operation, rka->op, sizeof(data.operation));
+ data.fsuid = from_kuid(current_user_ns(), rka->cred->fsuid);
+ data.fsgid = from_kgid(current_user_ns(), rka->cred->fsgid);
+ data.target_key = rka->target_key->serial;
+ data.thread_keyring = key_serial(rka->cred->thread_keyring);
+ data.process_keyring = key_serial(rka->cred->thread_keyring);
+
+ rcu_read_lock();
+ session = rcu_dereference(rka->cred->session_keyring);
+ if (!session)
+ session = rka->cred->user->session_keyring;
+ data.session_keyring = key_serial(session);
+ rcu_read_unlock();
+
+ key_ref_put(authkey_ref);
+
+ if (copy_to_user(_data, &data, sizeof(data)))
+ return -EFAULT;
+
+ return 0;
+}
diff --git a/security/keys/internal.h b/security/keys/internal.h
index e98fca465146..9f2a6ce67d15 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -362,6 +362,8 @@ static inline long keyctl_watch_key(key_serial_t key_id, int watch_fd, int watch
#ifdef CONFIG_CONTAINERS
extern long keyctl_container_intercept(int, const char __user *, unsigned int, key_serial_t);
+extern long keyctl_query_request_key_auth(key_serial_t,
+ struct keyctl_query_request_key_auth __user *);
#endif
/*
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 38ff33431f33..a19efc60944d 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1863,6 +1863,10 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
(const char __user *)arg3,
(unsigned int)arg4,
(key_serial_t)arg5);
+ case KEYCTL_QUERY_REQUEST_KEY_AUTH:
+ return keyctl_query_request_key_auth(
+ (key_serial_t)arg2,
+ (struct keyctl_query_request_key_auth __user *)arg3);
#endif
default:
next prev parent reply other threads:[~2019-02-15 16:09 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-15 16:07 [RFC PATCH 00/27] Containers and using authenticated filesystems David Howells
2019-02-15 16:07 ` [RFC PATCH 01/27] containers: Rename linux/container.h to linux/container_dev.h David Howells
2019-02-15 16:07 ` [RFC PATCH 02/27] containers: Implement containers as kernel objects David Howells
2019-02-17 18:57 ` Trond Myklebust
2019-02-17 19:39 ` James Bottomley
2019-02-19 16:56 ` Eric W. Biederman
2019-02-19 23:03 ` David Howells
2019-02-20 14:23 ` Trond Myklebust
2019-02-19 23:06 ` David Howells
2019-02-20 2:20 ` James Bottomley
2019-02-20 3:04 ` Ian Kent
2019-02-20 3:46 ` James Bottomley
2019-02-20 4:42 ` Ian Kent
2019-02-20 6:57 ` Paul Moore
2019-02-19 23:13 ` David Howells
2019-02-19 23:55 ` Tycho Andersen
2019-02-20 2:46 ` Ian Kent
2019-02-20 13:26 ` Christian Brauner
2019-02-21 10:39 ` Ian Kent
2019-02-15 16:07 ` [RFC PATCH 03/27] containers: Provide /proc/containers David Howells
2019-02-15 16:07 ` [RFC PATCH 04/27] containers: Allow a process to be forked into a container David Howells
2019-02-15 17:39 ` Stephen Smalley
2019-02-19 16:39 ` Eric W. Biederman
2019-02-19 23:16 ` David Howells
2019-02-15 16:07 ` [RFC PATCH 05/27] containers: Open a socket inside " David Howells
2019-02-19 16:41 ` Eric W. Biederman
2019-02-15 16:08 ` [RFC PATCH 06/27] containers, vfs: Allow syscall dirfd arguments to take a container fd David Howells
2019-02-19 16:45 ` Eric W. Biederman
2019-02-19 23:24 ` David Howells
2019-02-15 16:08 ` [RFC PATCH 07/27] containers: Make fsopen() able to create a superblock in a container David Howells
2019-02-15 16:08 ` [RFC PATCH 08/27] containers, vfs: Honour CONTAINER_NEW_EMPTY_FS_NS David Howells
2019-02-17 0:11 ` Al Viro
2019-02-15 16:08 ` [RFC PATCH 09/27] vfs: Allow mounting to other namespaces David Howells
2019-02-17 0:14 ` Al Viro
2019-02-15 16:08 ` [RFC PATCH 10/27] containers: Provide fs_context op for container setting David Howells
2019-02-15 16:09 ` [RFC PATCH 11/27] containers: Sample program for driving container objects David Howells
2019-02-15 16:09 ` [RFC PATCH 12/27] containers: Allow a daemon to intercept request_key upcalls in a container David Howells
2019-02-15 16:09 ` David Howells [this message]
2019-02-15 16:09 ` [RFC PATCH 14/27] keys: Break bits out of key_unlink() David Howells
2019-02-15 16:09 ` [RFC PATCH 15/27] keys: Make __key_link_begin() handle lockdep nesting David Howells
2019-02-15 16:09 ` [RFC PATCH 16/27] keys: Grant Link permission to possessers of request_key auth keys David Howells
2019-02-15 16:10 ` [RFC PATCH 17/27] keys: Add a keyctl to move a key between keyrings David Howells
2019-02-15 16:10 ` [RFC PATCH 18/27] keys: Find the least-recently used unseen key in a keyring David Howells
2019-02-15 16:10 ` [RFC PATCH 19/27] containers: Sample: request_key upcall handling David Howells
2019-02-15 16:10 ` [RFC PATCH 20/27] container, keys: Add a container keyring David Howells
2019-02-15 21:46 ` Eric Biggers
2019-02-15 16:11 ` [RFC PATCH 21/27] keys: Fix request_key() lack of Link perm check on found key David Howells
2019-02-15 16:11 ` [RFC PATCH 22/27] KEYS: Replace uid/gid/perm permissions checking with an ACL David Howells
2019-02-15 17:32 ` Stephen Smalley
2019-02-15 17:39 ` David Howells
2019-02-15 16:11 ` [RFC PATCH 23/27] KEYS: Provide KEYCTL_GRANT_PERMISSION David Howells
2019-02-15 16:11 ` [RFC PATCH 24/27] keys: Allow a container to be specified as a subject in a key's ACL David Howells
2019-02-15 16:11 ` [RFC PATCH 25/27] keys: Provide a way to ask for the container keyring David Howells
2019-02-15 16:12 ` [RFC PATCH 26/27] keys: Allow containers to be included in key ACLs by name David Howells
2019-02-15 16:12 ` [RFC PATCH 27/27] containers: Sample to grant access to a key in a container David Howells
2019-02-15 22:36 ` [RFC PATCH 00/27] Containers and using authenticated filesystems James Morris
2019-02-19 16:35 ` Eric W. Biederman
2019-02-20 14:18 ` Christian Brauner
2019-02-19 23:42 ` David Howells
2019-02-20 7:00 ` Paul Moore
2019-02-20 18:54 ` Steve French
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=155024696409.21651.3488621563034826227.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rgb@redhat.com \
--cc=sfrench@samba.org \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).