lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LRH.2.02.1308291144090.431@tundra.namei.org>
Date:	Thu, 29 Aug 2013 11:44:32 +1000 (EST)
From:	James Morris <jmorris@...ei.org>
To:	David Howells <dhowells@...hat.com>
cc:	simo@...hat.com, keyrings@...ux-nfs.org,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [GIT PULL] Expand keyring capacity and provide support for
 libkrb5

On Thu, 29 Aug 2013, David Howells wrote:

> 
> Hi James,
> 
> Could you pull these patches into the security tree?

944 files changed, 17114 insertions(+), 9157 deletions(-)


How about no?  :)



> 
> The patches can be viewed as three sets:
> 
>  (1) KEYS: Skip key state checks when checking for possession
> 
>      This is a fix for determining the possessed status of keys that have been
>      invalidated or revoked or that have expired.  If nothing else, can you
>      please pick this and pass it upstream.
> 
>  (2) KEYS: Expand the capacity of a keyring
>      Add a generic associative array implementation
>      KEYS: Drop the permissions argument from __keyring_search_one()
>      KEYS: Define a __key_get() wrapper to use rather than atomic_inc()
>      KEYS: Search for auth-key by name rather than target key ID
>      KEYS: Introduce a search context structure
>      KEYS: Consolidate the concept of an 'index key' for key access
>      KEYS: key_is_dead() should take a const key pointer argument
>      KEYS: Use bool in make_key_ref() and is_key_possessed()
> 
>      Patches to to expand the capacity of a keyring by using an associative
>      array rather than a flat list and patches to do some preparatory cleanups
>      for those.
> 
>  (3) KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
>      KEYS: Implement a big key type that can save to tmpfs
> 
>      Patches to add better support for libkrb5 to save its tokens in a kernel
>      keyring rather than in files.  It already has this ability to some
>      extent, but that has two problems: your tokens get deleted when you log
>      out (so your cron jobs can't use them) and the capacity of a user type
>      key is not sufficient for some of the huge Kerberos tickets one can get.
>      These patches address that.
> 
> If you need the patches basing on your tree instead, that can be done.
> 
> David
> ---
> The following changes since commit f1d6e17f540af37bb1891480143669ba7636c4cf:
> 
>   Merge branch 'akpm' (patches from Andrew Morton) (2013-08-14 10:04:43 -0700)
> 
> are available in the git repository at:
> 
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-krb-support
> 
> for you to fetch changes up to 0f8d966ebc86d7ab9fb7fd074ae589c2d81de08f:
> 
>   KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches (2013-08-28 18:56:14 +0100)
> 
> ----------------------------------------------------------------
> (from the branch description for keys-devel local branch)
> 
> clone of "master"
> Kerberos ticket persistence support
> 
> ----------------------------------------------------------------
> David Howells (12):
>       KEYS: Skip key state checks when checking for possession
>       KEYS: Use bool in make_key_ref() and is_key_possessed()
>       KEYS: key_is_dead() should take a const key pointer argument
>       KEYS: Consolidate the concept of an 'index key' for key access
>       KEYS: Introduce a search context structure
>       KEYS: Search for auth-key by name rather than target key ID
>       KEYS: Define a __key_get() wrapper to use rather than atomic_inc()
>       KEYS: Drop the permissions argument from __keyring_search_one()
>       Add a generic associative array implementation.
>       KEYS: Expand the capacity of a keyring
>       KEYS: Implement a big key type that can save to tmpfs
>       KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
> 
>  Documentation/assoc_array.txt    |  574 +++++++++++++
>  Documentation/security/keys.txt  |   20 +-
>  include/keys/big_key-type.h      |   25 +
>  include/keys/keyring-type.h      |   17 +-
>  include/linux/assoc_array.h      |   92 ++
>  include/linux/assoc_array_priv.h |  182 ++++
>  include/linux/key-type.h         |    5 +
>  include/linux/key.h              |   49 +-
>  include/linux/user_namespace.h   |    6 +
>  include/uapi/linux/keyctl.h      |    1 +
>  kernel/user.c                    |    4 +
>  kernel/user_namespace.c          |    4 +
>  lib/Kconfig                      |   14 +
>  lib/Makefile                     |    1 +
>  lib/assoc_array.c                | 1745 ++++++++++++++++++++++++++++++++++++++
>  security/keys/Kconfig            |   29 +
>  security/keys/Makefile           |    2 +
>  security/keys/big_key.c          |  204 +++++
>  security/keys/compat.c           |    3 +
>  security/keys/gc.c               |   33 +-
>  security/keys/internal.h         |   74 +-
>  security/keys/key.c              |   91 +-
>  security/keys/keyctl.c           |    3 +
>  security/keys/keyring.c          | 1481 ++++++++++++++++----------------
>  security/keys/persistent.c       |  169 ++++
>  security/keys/proc.c             |   17 +-
>  security/keys/process_keys.c     |  131 +--
>  security/keys/request_key.c      |   56 +-
>  security/keys/request_key_auth.c |   31 +-
>  security/keys/sysctl.c           |   11 +
>  security/keys/user_defined.c     |   18 +-
>  31 files changed, 4124 insertions(+), 968 deletions(-)
>  create mode 100644 Documentation/assoc_array.txt
>  create mode 100644 include/keys/big_key-type.h
>  create mode 100644 include/linux/assoc_array.h
>  create mode 100644 include/linux/assoc_array_priv.h
>  create mode 100644 lib/assoc_array.c
>  create mode 100644 security/keys/big_key.c
>  create mode 100644 security/keys/persistent.c
> 

-- 
James Morris
<jmorris@...ei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ