[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <161246085160.1990927.13137391845549674518.stgit@warthog.procyon.org.uk>
Date: Thu, 04 Feb 2021 17:47:31 +0000
From: David Howells <dhowells@...hat.com>
To: sprabhu@...hat.com
Cc: dhowells@...hat.com, Jarkko Sakkinen <jarkko@...nel.org>,
christian@...uner.io, selinux@...r.kernel.org,
keyrings@...r.kernel.org, linux-api@...r.kernel.org,
linux-fsdevel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, containers@...ts.linux-foundation.org
Subject: [RFC][PATCH 0/2] keys: request_key() interception in containers
Here's a rough draft of a facility by which keys can be intercepted.
There are two patches:
(1) Add tags to namespaces that can be used to find out, when we're
looking for an intercept, if a namespace that an intercept is
filtering on is the same as namespace of the caller of request_key()
without the need for the intercept record to pin the namespaces that
it's using as filters (which would also cause a dependency cycle).
Tags contain only a refcount and are compared by address.
(2) Add a new keyctl:
keyctl(KEYCTL_SERVICE_INTERCEPT,
int queue_keyring, int userns_fd,
const char *type_name, unsigned int ns_mask);
that allows a request_key() intercept to be added to the specified
user namespace. The authorisation key for an intercepted request is
placed in the queue_keyring, which can be watched to gain a
notification of this happening. The watcher can then examine the auth
key to determine what key is to be instantiated.
A simple sample is provided that can be used to try this.
Some things that need to be worked out:
(*) Intercepts are linked to the lifetime of the user_namespace on which
they're placed, but not the daemon or the queue keyring. Probably
they should be removed when the queue keyring is removed, but they
currently pin it.
(*) Setting userns_fd to other than -1 is not yet supported (-1 indicates
the current user namespace).
(*) Multiple threads can monitor a queue keyring, but they will all get
woken. They can use keyctl_move() to decide who gets to process it.
The patches can be found on the following branch:
https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-intercept
David
---
David Howells (2):
Add namespace tags that can be used for matching without pinning a ns
keys: Allow request_key upcalls from a container to be intercepted
include/linux/key-type.h | 4 +-
include/linux/user_namespace.h | 2 +
include/uapi/linux/keyctl.h | 13 +
kernel/user.c | 3 +
kernel/user_namespace.c | 2 +
samples/watch_queue/Makefile | 2 +
samples/watch_queue/key_req_intercept.c | 271 +++++++++++++++++++
security/keys/Makefile | 2 +
security/keys/compat.c | 3 +
security/keys/internal.h | 5 +
security/keys/keyctl.c | 6 +
security/keys/keyring.c | 1 +
security/keys/process_keys.c | 2 +-
security/keys/request_key.c | 16 +-
security/keys/request_key_auth.c | 3 +
security/keys/service.c | 337 ++++++++++++++++++++++++
16 files changed, 663 insertions(+), 9 deletions(-)
create mode 100644 samples/watch_queue/key_req_intercept.c
create mode 100644 security/keys/service.c
Powered by blists - more mailing lists