From: David Howells <dhowells@redhat.com> To: ebiederm@xmission.com, keyrings@vger.kernel.org Cc: linux-cifs@vger.kernel.org, linux-nfs@vger.kernel.org, netdev@vger.kernel.org, linux-afs@lists.infradead.org, dhowells@redhat.com, dwalsh@redhat.com, vgoyal@redhat.com, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 8/9] keys: Network namespace domain tag [ver #4] Date: Wed, 19 Jun 2019 16:47:51 +0000 [thread overview] Message-ID: <156096287188.28733.15342608110117616221.stgit@warthog.procyon.org.uk> (raw) In-Reply-To: <156096279115.28733.8761881995303698232.stgit@warthog.procyon.org.uk> Create key domain tags for network namespaces and make it possible to automatically tag keys that are used by networked services (e.g. AF_RXRPC, AFS, DNS) with the default network namespace if not set by the caller. This allows keys with the same description but in different namespaces to coexist within a keyring. Signed-off-by: David Howells <dhowells@redhat.com> cc: netdev@vger.kernel.org cc: linux-nfs@vger.kernel.org cc: linux-cifs@vger.kernel.org cc: linux-afs@lists.infradead.org --- include/linux/key-type.h | 3 +++ include/net/net_namespace.h | 3 +++ net/core/net_namespace.c | 19 +++++++++++++++++++ net/dns_resolver/dns_key.c | 1 + net/rxrpc/key.c | 2 ++ security/keys/keyring.c | 7 ++++++- 6 files changed, 34 insertions(+), 1 deletion(-) diff --git a/include/linux/key-type.h b/include/linux/key-type.h index e49d1de0614e..2148a6bf58f1 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -74,6 +74,9 @@ struct key_type { */ size_t def_datalen; + unsigned int flags; +#define KEY_TYPE_NET_DOMAIN 0x00000001 /* Keys of this type have a net namespace domain */ + /* vet a description */ int (*vet_description)(const char *description); diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h index 12689ddfc24c..a56bf7fc7c2b 100644 --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h @@ -71,6 +71,9 @@ struct net { */ struct llist_node cleanup_list; /* namespaces on death row */ +#ifdef CONFIG_KEYS + struct key_tag *key_domain; /* Key domain of operation tag */ +#endif struct user_namespace *user_ns; /* Owning user namespace */ struct ucounts *ucounts; spinlock_t nsid_lock; diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c index 711b161505ac..076a75c73c9e 100644 --- a/net/core/net_namespace.c +++ b/net/core/net_namespace.c @@ -38,9 +38,16 @@ EXPORT_SYMBOL_GPL(net_namespace_list); DECLARE_RWSEM(net_rwsem); EXPORT_SYMBOL_GPL(net_rwsem); +#ifdef CONFIG_KEYS +static struct key_tag init_net_key_domain = { .usage = REFCOUNT_INIT(1) }; +#endif + struct net init_net = { .count = REFCOUNT_INIT(1), .dev_base_head = LIST_HEAD_INIT(init_net.dev_base_head), +#ifdef CONFIG_KEYS + .key_domain = &init_net_key_domain, +#endif }; EXPORT_SYMBOL(init_net); @@ -386,10 +393,21 @@ static struct net *net_alloc(void) if (!net) goto out_free; +#ifdef CONFIG_KEYS + net->key_domain = kzalloc(sizeof(struct key_tag), GFP_KERNEL); + if (!net->key_domain) + goto out_free_2; + refcount_set(&net->key_domain->usage, 1); +#endif + rcu_assign_pointer(net->gen, ng); out: return net; +#ifdef CONFIG_KEYS +out_free_2: + kmem_cache_free(net_cachep, net); +#endif out_free: kfree(ng); goto out; @@ -566,6 +584,7 @@ static void cleanup_net(struct work_struct *work) list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) { list_del_init(&net->exit_list); dec_net_namespaces(net->ucounts); + key_remove_domain(net->key_domain); put_user_ns(net->user_ns); net_drop_ns(net); } diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c index a65d553e730d..3e1a90669006 100644 --- a/net/dns_resolver/dns_key.c +++ b/net/dns_resolver/dns_key.c @@ -314,6 +314,7 @@ static long dns_resolver_read(const struct key *key, struct key_type key_type_dns_resolver = { .name = "dns_resolver", + .flags = KEY_TYPE_NET_DOMAIN, .preparse = dns_resolver_preparse, .free_preparse = dns_resolver_free_preparse, .instantiate = generic_key_instantiate, diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index e7f6b8823eb6..2722189ec273 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -43,6 +43,7 @@ static long rxrpc_read(const struct key *, char __user *, size_t); */ struct key_type key_type_rxrpc = { .name = "rxrpc", + .flags = KEY_TYPE_NET_DOMAIN, .preparse = rxrpc_preparse, .free_preparse = rxrpc_free_preparse, .instantiate = generic_key_instantiate, @@ -58,6 +59,7 @@ EXPORT_SYMBOL(key_type_rxrpc); */ struct key_type key_type_rxrpc_s = { .name = "rxrpc_s", + .flags = KEY_TYPE_NET_DOMAIN, .vet_description = rxrpc_vet_description_s, .preparse = rxrpc_preparse_s, .free_preparse = rxrpc_free_preparse_s, diff --git a/security/keys/keyring.c b/security/keys/keyring.c index d3c86fda1510..bca070f6ab46 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -17,10 +17,12 @@ #include <linux/seq_file.h> #include <linux/err.h> #include <linux/user_namespace.h> +#include <linux/nsproxy.h> #include <keys/keyring-type.h> #include <keys/user-type.h> #include <linux/assoc_array_priv.h> #include <linux/uaccess.h> +#include <net/net_namespace.h> #include "internal.h" /* @@ -220,7 +222,10 @@ void key_set_index_key(struct keyring_index_key *index_key) memcpy(index_key->desc, index_key->description, n); - index_key->domain_tag = &default_domain_tag; + if (index_key->type->flags & KEY_TYPE_NET_DOMAIN) + index_key->domain_tag = current->nsproxy->net_ns->key_domain; + else + index_key->domain_tag = &default_domain_tag; hash_key_type_and_desc(index_key); }
WARNING: multiple messages have this Message-ID (diff)
From: David Howells <dhowells@redhat.com> To: ebiederm@xmission.com, keyrings@vger.kernel.org Cc: linux-cifs@vger.kernel.org, linux-nfs@vger.kernel.org, netdev@vger.kernel.org, linux-afs@lists.infradead.org, dhowells@redhat.com, dwalsh@redhat.com, vgoyal@redhat.com, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 8/9] keys: Network namespace domain tag [ver #4] Date: Wed, 19 Jun 2019 17:47:51 +0100 [thread overview] Message-ID: <156096287188.28733.15342608110117616221.stgit@warthog.procyon.org.uk> (raw) In-Reply-To: <156096279115.28733.8761881995303698232.stgit@warthog.procyon.org.uk> Create key domain tags for network namespaces and make it possible to automatically tag keys that are used by networked services (e.g. AF_RXRPC, AFS, DNS) with the default network namespace if not set by the caller. This allows keys with the same description but in different namespaces to coexist within a keyring. Signed-off-by: David Howells <dhowells@redhat.com> cc: netdev@vger.kernel.org cc: linux-nfs@vger.kernel.org cc: linux-cifs@vger.kernel.org cc: linux-afs@lists.infradead.org --- include/linux/key-type.h | 3 +++ include/net/net_namespace.h | 3 +++ net/core/net_namespace.c | 19 +++++++++++++++++++ net/dns_resolver/dns_key.c | 1 + net/rxrpc/key.c | 2 ++ security/keys/keyring.c | 7 ++++++- 6 files changed, 34 insertions(+), 1 deletion(-) diff --git a/include/linux/key-type.h b/include/linux/key-type.h index e49d1de0614e..2148a6bf58f1 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -74,6 +74,9 @@ struct key_type { */ size_t def_datalen; + unsigned int flags; +#define KEY_TYPE_NET_DOMAIN 0x00000001 /* Keys of this type have a net namespace domain */ + /* vet a description */ int (*vet_description)(const char *description); diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h index 12689ddfc24c..a56bf7fc7c2b 100644 --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h @@ -71,6 +71,9 @@ struct net { */ struct llist_node cleanup_list; /* namespaces on death row */ +#ifdef CONFIG_KEYS + struct key_tag *key_domain; /* Key domain of operation tag */ +#endif struct user_namespace *user_ns; /* Owning user namespace */ struct ucounts *ucounts; spinlock_t nsid_lock; diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c index 711b161505ac..076a75c73c9e 100644 --- a/net/core/net_namespace.c +++ b/net/core/net_namespace.c @@ -38,9 +38,16 @@ EXPORT_SYMBOL_GPL(net_namespace_list); DECLARE_RWSEM(net_rwsem); EXPORT_SYMBOL_GPL(net_rwsem); +#ifdef CONFIG_KEYS +static struct key_tag init_net_key_domain = { .usage = REFCOUNT_INIT(1) }; +#endif + struct net init_net = { .count = REFCOUNT_INIT(1), .dev_base_head = LIST_HEAD_INIT(init_net.dev_base_head), +#ifdef CONFIG_KEYS + .key_domain = &init_net_key_domain, +#endif }; EXPORT_SYMBOL(init_net); @@ -386,10 +393,21 @@ static struct net *net_alloc(void) if (!net) goto out_free; +#ifdef CONFIG_KEYS + net->key_domain = kzalloc(sizeof(struct key_tag), GFP_KERNEL); + if (!net->key_domain) + goto out_free_2; + refcount_set(&net->key_domain->usage, 1); +#endif + rcu_assign_pointer(net->gen, ng); out: return net; +#ifdef CONFIG_KEYS +out_free_2: + kmem_cache_free(net_cachep, net); +#endif out_free: kfree(ng); goto out; @@ -566,6 +584,7 @@ static void cleanup_net(struct work_struct *work) list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) { list_del_init(&net->exit_list); dec_net_namespaces(net->ucounts); + key_remove_domain(net->key_domain); put_user_ns(net->user_ns); net_drop_ns(net); } diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c index a65d553e730d..3e1a90669006 100644 --- a/net/dns_resolver/dns_key.c +++ b/net/dns_resolver/dns_key.c @@ -314,6 +314,7 @@ static long dns_resolver_read(const struct key *key, struct key_type key_type_dns_resolver = { .name = "dns_resolver", + .flags = KEY_TYPE_NET_DOMAIN, .preparse = dns_resolver_preparse, .free_preparse = dns_resolver_free_preparse, .instantiate = generic_key_instantiate, diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index e7f6b8823eb6..2722189ec273 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -43,6 +43,7 @@ static long rxrpc_read(const struct key *, char __user *, size_t); */ struct key_type key_type_rxrpc = { .name = "rxrpc", + .flags = KEY_TYPE_NET_DOMAIN, .preparse = rxrpc_preparse, .free_preparse = rxrpc_free_preparse, .instantiate = generic_key_instantiate, @@ -58,6 +59,7 @@ EXPORT_SYMBOL(key_type_rxrpc); */ struct key_type key_type_rxrpc_s = { .name = "rxrpc_s", + .flags = KEY_TYPE_NET_DOMAIN, .vet_description = rxrpc_vet_description_s, .preparse = rxrpc_preparse_s, .free_preparse = rxrpc_free_preparse_s, diff --git a/security/keys/keyring.c b/security/keys/keyring.c index d3c86fda1510..bca070f6ab46 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -17,10 +17,12 @@ #include <linux/seq_file.h> #include <linux/err.h> #include <linux/user_namespace.h> +#include <linux/nsproxy.h> #include <keys/keyring-type.h> #include <keys/user-type.h> #include <linux/assoc_array_priv.h> #include <linux/uaccess.h> +#include <net/net_namespace.h> #include "internal.h" /* @@ -220,7 +222,10 @@ void key_set_index_key(struct keyring_index_key *index_key) memcpy(index_key->desc, index_key->description, n); - index_key->domain_tag = &default_domain_tag; + if (index_key->type->flags & KEY_TYPE_NET_DOMAIN) + index_key->domain_tag = current->nsproxy->net_ns->key_domain; + else + index_key->domain_tag = &default_domain_tag; hash_key_type_and_desc(index_key); }
next prev parent reply other threads:[~2019-06-19 16:47 UTC|newest] Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-06-19 16:06 [PATCH 0/9] keys: Namespacing [ver #4] David Howells 2019-06-19 16:06 ` David Howells 2019-06-19 16:06 ` [PATCH 1/9] keys: Simplify key description management " David Howells 2019-06-19 16:06 ` David Howells 2019-06-19 16:06 ` [PATCH 2/9] keys: Cache the hash value to avoid lots of recalculation " David Howells 2019-06-19 16:06 ` David Howells 2019-06-19 16:06 ` [PATCH 3/9] keys: Add a 'recurse' flag for keyring searches " David Howells 2019-06-19 16:06 ` David Howells 2019-06-19 16:06 ` [PATCH 4/9] keys: Namespace keyring names " David Howells 2019-06-19 16:06 ` David Howells 2019-06-19 16:06 ` [PATCH 5/9] keys: Move the user and user-session keyrings to the user_namespace " David Howells 2019-06-19 16:06 ` David Howells 2019-06-19 16:09 ` [PATCH 0/9] keys: Namespacing " David Howells 2019-06-19 16:09 ` David Howells 2019-06-19 16:46 ` David Howells 2019-06-19 16:46 ` David Howells 2019-06-19 16:46 ` [PATCH 1/9] keys: Simplify key description management " David Howells 2019-06-19 16:46 ` David Howells 2019-06-19 16:46 ` [PATCH 2/9] keys: Cache the hash value to avoid lots of recalculation " David Howells 2019-06-19 16:46 ` David Howells 2019-06-19 16:47 ` [PATCH 3/9] keys: Add a 'recurse' flag for keyring searches " David Howells 2019-06-19 16:47 ` David Howells 2019-06-19 16:47 ` [PATCH 4/9] keys: Namespace keyring names " David Howells 2019-06-19 16:47 ` David Howells 2019-06-19 16:47 ` [PATCH 5/9] keys: Move the user and user-session keyrings to the user_namespace " David Howells 2019-06-19 16:47 ` David Howells 2019-06-19 16:47 ` [PATCH 6/9] keys: Include target namespace in match criteria " David Howells 2019-06-19 16:47 ` David Howells 2019-06-19 16:47 ` [PATCH 7/9] keys: Garbage collect keys for which the domain has been removed " David Howells 2019-06-19 16:47 ` David Howells 2019-06-19 16:47 ` David Howells [this message] 2019-06-19 16:47 ` [PATCH 8/9] keys: Network namespace domain tag " David Howells 2019-06-27 20:55 ` Willem de Bruijn 2019-06-27 20:55 ` Willem de Bruijn 2019-06-27 22:07 ` David Howells 2019-06-27 22:07 ` David Howells 2019-06-19 16:48 ` [PATCH 9/9] keys: Pass the network namespace into request_key mechanism " David Howells 2019-06-19 16:48 ` David Howells
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=156096287188.28733.15342608110117616221.stgit@warthog.procyon.org.uk \ --to=dhowells@redhat.com \ --cc=dwalsh@redhat.com \ --cc=ebiederm@xmission.com \ --cc=keyrings@vger.kernel.org \ --cc=linux-afs@lists.infradead.org \ --cc=linux-cifs@vger.kernel.org \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-nfs@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=netdev@vger.kernel.org \ --cc=vgoyal@redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.