From: David Howells <dhowells@redhat.com>
To: keyrings@vger.kernel.org, trond.myklebust@hammerspace.com,
sfrench@samba.org
Cc: linux-security-module@vger.kernel.org, linux-nfs@vger.kernel.org,
linux-cifs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
rgb@redhat.com, dhowells@redhat.com,
linux-kernel@vger.kernel.org
Subject: [RFC PATCH 26/27] keys: Allow containers to be included in key ACLs by name
Date: Fri, 15 Feb 2019 16:12:09 +0000 [thread overview]
Message-ID: <155024712939.21651.14094051420890992278.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <155024683432.21651.14153938339749694146.stgit@warthog.procyon.org.uk>
Allow a container to be specified to KEYCTL_GRANT_PERMISSION by name. This
allows processes that don't have access to the container fd to grant
permission on a key to a container. This is restricted to the containers
that are children of the current container.
This can be effected with something like:
keyctl(KEYCTL_GRANT_PERMISSION, key,
KEY_ACE_SUBJ_CONTAINER_NAME, "foo-test",
KEY_ACE_SEARCH);
Signed-off-by: David Howells <dhowells@redhat.com>
---
include/linux/container.h | 1 +
include/uapi/linux/keyctl.h | 1 +
kernel/container.c | 24 ++++++++++++++++++++++++
security/keys/compat.c | 4 ++++
security/keys/internal.h | 2 +-
security/keys/keyctl.c | 2 +-
security/keys/permission.c | 19 ++++++++++++++++++-
7 files changed, 50 insertions(+), 3 deletions(-)
diff --git a/include/linux/container.h b/include/linux/container.h
index cd82074c26a3..fd49ce23467d 100644
--- a/include/linux/container.h
+++ b/include/linux/container.h
@@ -61,6 +61,7 @@ extern struct container init_container;
#ifdef CONFIG_CONTAINERS
extern const struct file_operations container_fops;
+extern struct container *find_container(const char *name);
extern int copy_container(unsigned long flags, struct task_struct *tsk,
struct container *container);
extern void exit_container(struct task_struct *tsk);
diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h
index 89ab609f774c..31520da17f37 100644
--- a/include/uapi/linux/keyctl.h
+++ b/include/uapi/linux/keyctl.h
@@ -21,6 +21,7 @@
enum key_ace_subject_type {
KEY_ACE_SUBJ_STANDARD = 0, /* subject is one of key_ace_standard_subject */
KEY_ACE_SUBJ_CONTAINER = 1, /* subject is a container fd */
+ KEY_ACE_SUBJ_CONTAINER_NAME = 2, /* subject is a container name pointer */
nr__key_ace_subject_type
};
diff --git a/kernel/container.c b/kernel/container.c
index 81be4ed915c2..c164c16328d6 100644
--- a/kernel/container.c
+++ b/kernel/container.c
@@ -235,6 +235,30 @@ struct container *fd_to_container(int fd)
return c;
}
+/**
+ * find_container - Find a child container by name.
+ * @name: The name of the container to find.
+ *
+ * Find a child of the current container by name.
+ */
+struct container *find_container(const char *name)
+{
+ struct container *c = current->container, *p;
+
+ spin_lock(&c->lock);
+ list_for_each_entry(p, &c->children, child_link) {
+ if (strcmp(p->name, name) == 0) {
+ get_container(p);
+ goto found;
+ }
+ }
+
+ p = NULL;
+found:
+ spin_unlock(&c->lock);
+ return p;
+}
+
/*
* Handle fork/clone.
*
diff --git a/security/keys/compat.c b/security/keys/compat.c
index 953156f94320..78c6c0e0eb59 100644
--- a/security/keys/compat.c
+++ b/security/keys/compat.c
@@ -175,6 +175,10 @@ COMPAT_SYSCALL_DEFINE5(keyctl, u32, option,
case KEYCTL_MOVE:
return keyctl_keyring_move(arg2, arg3, arg4, arg5);
case KEYCTL_GRANT_PERMISSION:
+ if (arg3 == KEY_ACE_SUBJ_CONTAINER_NAME)
+ return keyctl_grant_permission(arg2, arg3,
+ (unsigned long)compat_ptr(arg4),
+ arg5);
return keyctl_grant_permission(arg2, arg3, arg4, arg5);
default:
diff --git a/security/keys/internal.h b/security/keys/internal.h
index 6cd7b5c17298..aa4ad9c8002e 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -379,7 +379,7 @@ extern long keyctl_set_container_keyring(int, key_serial_t);
extern long keyctl_grant_permission(key_serial_t keyid,
enum key_ace_subject_type type,
- unsigned int subject,
+ unsigned long subject,
unsigned int perm);
/*
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 02bd73d5a05a..978c9008c3b2 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1964,7 +1964,7 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
case KEYCTL_GRANT_PERMISSION:
return keyctl_grant_permission((key_serial_t)arg2,
(enum key_ace_subject_type)arg3,
- (unsigned int)arg4,
+ (unsigned long)arg4,
(unsigned int)arg5);
default:
diff --git a/security/keys/permission.c b/security/keys/permission.c
index f16d1665885f..b0e94ccc4635 100644
--- a/security/keys/permission.c
+++ b/security/keys/permission.c
@@ -407,7 +407,7 @@ static long key_change_acl(struct key *key, struct key_ace *new_ace)
*/
long keyctl_grant_permission(key_serial_t keyid,
enum key_ace_subject_type type,
- unsigned int subject,
+ unsigned long subject,
unsigned int perm)
{
struct key_ace new_ace;
@@ -436,6 +436,23 @@ long keyctl_grant_permission(key_serial_t keyid,
put_container(c);
break;
}
+ case KEY_ACE_SUBJ_CONTAINER_NAME: {
+ struct container *c;
+ char *name;
+
+ name = strndup_user((const char __user *)subject, 23);
+ if (IS_ERR(name))
+ return PTR_ERR(name);
+ c = find_container(name);
+ kfree(name);
+ if (!c)
+ return -EINVAL;
+ new_ace.type = KEY_ACE_SUBJ_CONTAINER;
+ refcount_inc(&c->tag->usage);
+ new_ace.container_tag = c->tag;
+ put_container(c);
+ break;
+ }
#endif
default:
next prev parent reply other threads:[~2019-02-15 16:12 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-15 16:07 [RFC PATCH 00/27] Containers and using authenticated filesystems David Howells
2019-02-15 16:07 ` [RFC PATCH 01/27] containers: Rename linux/container.h to linux/container_dev.h David Howells
2019-02-15 16:07 ` [RFC PATCH 02/27] containers: Implement containers as kernel objects David Howells
2019-02-17 18:57 ` Trond Myklebust
2019-02-17 19:39 ` James Bottomley
2019-02-19 16:56 ` Eric W. Biederman
2019-02-19 23:03 ` David Howells
2019-02-20 14:23 ` Trond Myklebust
2019-02-19 23:06 ` David Howells
2019-02-20 2:20 ` James Bottomley
2019-02-20 3:04 ` Ian Kent
2019-02-20 3:46 ` James Bottomley
2019-02-20 4:42 ` Ian Kent
2019-02-20 6:57 ` Paul Moore
2019-02-19 23:13 ` David Howells
2019-02-19 23:55 ` Tycho Andersen
2019-02-20 2:46 ` Ian Kent
2019-02-20 13:26 ` Christian Brauner
2019-02-21 10:39 ` Ian Kent
2019-02-15 16:07 ` [RFC PATCH 03/27] containers: Provide /proc/containers David Howells
2019-02-15 16:07 ` [RFC PATCH 04/27] containers: Allow a process to be forked into a container David Howells
2019-02-15 17:39 ` Stephen Smalley
2019-02-19 16:39 ` Eric W. Biederman
2019-02-19 23:16 ` David Howells
2019-02-15 16:07 ` [RFC PATCH 05/27] containers: Open a socket inside " David Howells
2019-02-19 16:41 ` Eric W. Biederman
2019-02-15 16:08 ` [RFC PATCH 06/27] containers, vfs: Allow syscall dirfd arguments to take a container fd David Howells
2019-02-19 16:45 ` Eric W. Biederman
2019-02-19 23:24 ` David Howells
2019-02-15 16:08 ` [RFC PATCH 07/27] containers: Make fsopen() able to create a superblock in a container David Howells
2019-02-15 16:08 ` [RFC PATCH 08/27] containers, vfs: Honour CONTAINER_NEW_EMPTY_FS_NS David Howells
2019-02-17 0:11 ` Al Viro
2019-02-15 16:08 ` [RFC PATCH 09/27] vfs: Allow mounting to other namespaces David Howells
2019-02-17 0:14 ` Al Viro
2019-02-15 16:08 ` [RFC PATCH 10/27] containers: Provide fs_context op for container setting David Howells
2019-02-15 16:09 ` [RFC PATCH 11/27] containers: Sample program for driving container objects David Howells
2019-02-15 16:09 ` [RFC PATCH 12/27] containers: Allow a daemon to intercept request_key upcalls in a container David Howells
2019-02-15 16:09 ` [RFC PATCH 13/27] keys: Provide a keyctl to query a request_key authentication key David Howells
2019-02-15 16:09 ` [RFC PATCH 14/27] keys: Break bits out of key_unlink() David Howells
2019-02-15 16:09 ` [RFC PATCH 15/27] keys: Make __key_link_begin() handle lockdep nesting David Howells
2019-02-15 16:09 ` [RFC PATCH 16/27] keys: Grant Link permission to possessers of request_key auth keys David Howells
2019-02-15 16:10 ` [RFC PATCH 17/27] keys: Add a keyctl to move a key between keyrings David Howells
2019-02-15 16:10 ` [RFC PATCH 18/27] keys: Find the least-recently used unseen key in a keyring David Howells
2019-02-15 16:10 ` [RFC PATCH 19/27] containers: Sample: request_key upcall handling David Howells
2019-02-15 16:10 ` [RFC PATCH 20/27] container, keys: Add a container keyring David Howells
2019-02-15 21:46 ` Eric Biggers
2019-02-15 16:11 ` [RFC PATCH 21/27] keys: Fix request_key() lack of Link perm check on found key David Howells
2019-02-15 16:11 ` [RFC PATCH 22/27] KEYS: Replace uid/gid/perm permissions checking with an ACL David Howells
2019-02-15 17:32 ` Stephen Smalley
2019-02-15 17:39 ` David Howells
2019-02-15 16:11 ` [RFC PATCH 23/27] KEYS: Provide KEYCTL_GRANT_PERMISSION David Howells
2019-02-15 16:11 ` [RFC PATCH 24/27] keys: Allow a container to be specified as a subject in a key's ACL David Howells
2019-02-15 16:11 ` [RFC PATCH 25/27] keys: Provide a way to ask for the container keyring David Howells
2019-02-15 16:12 ` David Howells [this message]
2019-02-15 16:12 ` [RFC PATCH 27/27] containers: Sample to grant access to a key in a container David Howells
2019-02-15 22:36 ` [RFC PATCH 00/27] Containers and using authenticated filesystems James Morris
2019-02-19 16:35 ` Eric W. Biederman
2019-02-20 14:18 ` Christian Brauner
2019-02-19 23:42 ` David Howells
2019-02-20 7:00 ` Paul Moore
2019-02-20 18:54 ` Steve French
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=155024712939.21651.14094051420890992278.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rgb@redhat.com \
--cc=sfrench@samba.org \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).