keys: Namespace keyring names

Keyring names are held in a single global list that any process can pick from by means of keyctl_join_session_keyring (provided the keyring grants Search permission). This isn't very container friendly, however. Make the following changes: (1) Make default session, process and thread keyring names begin with a '.' instead of '_'. (2) Keyrings whose names begin with a '.' aren't added to the list. Such keyrings are system specials. (3) Replace the global list with per-user_namespace lists. A keyring adds its name to the list for the user_namespace that it is currently in. (4) When a user_namespace is deleted, it just removes itself from the keyring name list. The global keyring_name_lock is retained for accessing the name lists. This allows (4) to work. This can be tested by: # keyctl newring foo @s 995906392 # unshare -U $ keyctl show ... 995906392 --alswrv 65534 65534 \_ keyring: foo ... $ keyctl session foo Joined session keyring: 935622349 As can be seen, a new session keyring was created. The capability bit KEYCTL_CAPS1_NS_KEYRING_NAME is set if the kernel is employing this feature. Signed-off-by: David Howells <dhowells@redhat.com> cc: Eric W. Biederman <ebiederm@xmission.com>
2019-06-26 21:02:32 +01:00 · 2019-06-26 21:02:32 +01:00 · b206f281d0
parent dcf49dbc80
commit b206f281d0
7 changed files with 60 additions and 60 deletions
--- a/include/linux/key.h
+++ b/include/linux/key.h
@ -361,6 +361,7 @@ extern void key_set_timeout(struct key *, unsigned);
 extern key_ref_t lookup_user_key(key_serial_t id, unsigned long flags,
 				 key_perm_t perm);
 extern void key_free_user_ns(struct user_namespace *);
 /*
 * The permissions required on a key that we're looking up.
@ -434,6 +435,7 @@ extern void key_init(void);
 #define key_fsuid_changed(c)		do { } while(0)
 #define key_fsgid_changed(c)		do { } while(0)
 #define key_init()			do { } while(0)
 #define key_free_user_ns(ns)		do { } while(0)
 #endif /* CONFIG_KEYS */
 #endif /* __KERNEL__ */
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@ -64,6 +64,11 @@ struct user_namespace {
 	struct ns_common	ns;
 	unsigned long		flags;
 #ifdef CONFIG_KEYS
 	/* List of joinable keyrings in this namespace */
 	struct list_head	keyring_name_list;
 #endif
 	/* Register of per-UID persistent keyrings for this namespace */
 #ifdef CONFIG_PERSISTENT_KEYRINGS
 	struct key		*persistent_keyring_register;
--- a/include/uapi/linux/keyctl.h
+++ b/include/uapi/linux/keyctl.h
@ -128,5 +128,6 @@ struct keyctl_pkey_params {
 #define KEYCTL_CAPS0_INVALIDATE		0x20 /* KEYCTL_INVALIDATE supported */
 #define KEYCTL_CAPS0_RESTRICT_KEYRING	0x40 /* KEYCTL_RESTRICT_KEYRING supported */
 #define KEYCTL_CAPS0_MOVE		0x80 /* KEYCTL_MOVE supported */
 #define KEYCTL_CAPS1_NS_KEYRING_NAME	0x01 /* Keyring names are per-user_namespace */
 #endif /*  _LINUX_KEYCTL_H */
--- a/kernel/user.c
+++ b/kernel/user.c
@ -62,6 +62,9 @@ struct user_namespace init_user_ns = {
 	.ns.ops = &userns_operations,
 #endif
 	.flags = USERNS_INIT_FLAGS,
 #ifdef CONFIG_KEYS
 	.keyring_name_list = LIST_HEAD_INIT(init_user_ns.keyring_name_list),
 #endif
 #ifdef CONFIG_PERSISTENT_KEYRINGS
 	.persistent_keyring_register_sem =
 	__RWSEM_INITIALIZER(init_user_ns.persistent_keyring_register_sem),
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@ -133,6 +133,9 @@ int create_user_ns(struct cred *new)
 	ns->flags = parent_ns->flags;
 	mutex_unlock(&userns_state_mutex);
 #ifdef CONFIG_KEYS
 	INIT_LIST_HEAD(&ns->keyring_name_list);
 #endif
 #ifdef CONFIG_PERSISTENT_KEYRINGS
 	init_rwsem(&ns->persistent_keyring_register_sem);
 #endif
@ -196,9 +199,7 @@ static void free_user_ns(struct work_struct *work)
 			kfree(ns->projid_map.reverse);
 		}
 		retire_userns_sysctls(ns);
-#ifdef CONFIG_PERSISTENT_KEYRINGS
+		key_free_user_ns(ns);
 		key_put(ns->persistent_keyring_register);
 #endif
 		ns_free_inum(&ns->ns);
 		kmem_cache_free(user_ns_cachep, ns);
 		dec_user_namespaces(ucounts);
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@ -30,7 +30,7 @@
 #define KEY_MAX_DESC_SIZE 4096
-static const unsigned char keyrings_capabilities[1] = {
+static const unsigned char keyrings_capabilities[2] = {
 	[0] = (KEYCTL_CAPS0_CAPABILITIES |
 	       (IS_ENABLED(CONFIG_PERSISTENT_KEYRINGS)	? KEYCTL_CAPS0_PERSISTENT_KEYRINGS : 0) |
 	       (IS_ENABLED(CONFIG_KEY_DH_OPERATIONS)	? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) |
@ -40,6 +40,7 @@ static const unsigned char keyrings_capabilities[1] = {
 	       KEYCTL_CAPS0_RESTRICT_KEYRING |
 	       KEYCTL_CAPS0_MOVE
 	       ),
 	[1] = (KEYCTL_CAPS1_NS_KEYRING_NAME),
 };
 static int key_get_type_from_user(char *type,
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@ -16,6 +16,7 @@
 #include <linux/security.h>
 #include <linux/seq_file.h>
 #include <linux/err.h>
 #include <linux/user_namespace.h>
 #include <keys/keyring-type.h>
 #include <keys/user-type.h>
 #include <linux/assoc_array_priv.h>
@ -28,11 +29,6 @@
 */
 #define KEYRING_SEARCH_MAX_DEPTH 6
 /*
 * We keep all named keyrings in a hash to speed looking them up.
 */
 #define KEYRING_NAME_HASH_SIZE	(1 << 5)
 /*
 * We mark pointers we pass to the associative array with bit 1 set if
 * they're keyrings and clear otherwise.
@ -55,17 +51,20 @@ static inline void *keyring_key_to_ptr(struct key *key)
 	return key;
 }
 static struct list_head	keyring_name_hash[KEYRING_NAME_HASH_SIZE];
 static DEFINE_RWLOCK(keyring_name_lock);
-static inline unsigned keyring_hash(const char *desc)
+/*
 * Clean up the bits of user_namespace that belong to us.
 */
 void key_free_user_ns(struct user_namespace *ns)
 {
-	unsigned bucket = 0;
+	write_lock(&keyring_name_lock);
 	list_del_init(&ns->keyring_name_list);
 	write_unlock(&keyring_name_lock);
-	for (; *desc; desc++)
+#ifdef CONFIG_PERSISTENT_KEYRINGS
-		bucket += (unsigned char)*desc;
+	key_put(ns->persistent_keyring_register);
-
+#endif
 	return bucket & (KEYRING_NAME_HASH_SIZE - 1);
 }
 /*
@ -104,23 +103,17 @@ static DEFINE_MUTEX(keyring_serialise_link_lock);
 /*
 * Publish the name of a keyring so that it can be found by name (if it has
- * one).
+ * one and it doesn't begin with a dot).
 */
 static void keyring_publish_name(struct key *keyring)
 {
-	int bucket;
+	struct user_namespace *ns = current_user_ns();
 	if (keyring->description) {
 		bucket = keyring_hash(keyring->description);
 	if (keyring->description &&
 	    keyring->description[0] &&
 	    keyring->description[0] != '.') {
 		write_lock(&keyring_name_lock);
-
+		list_add_tail(&keyring->name_link, &ns->keyring_name_list);
 		if (!keyring_name_hash[bucket].next)
 			INIT_LIST_HEAD(&keyring_name_hash[bucket]);
 		list_add_tail(&keyring->name_link,
 			      &keyring_name_hash[bucket]);
 		write_unlock(&keyring_name_lock);
 	}
 }
@ -1097,50 +1090,44 @@ found:
 */
 struct key *find_keyring_by_name(const char *name, bool uid_keyring)
 {
 	struct user_namespace *ns = current_user_ns();
 	struct key *keyring;
 	int bucket;
 	if (!name)
 		return ERR_PTR(-EINVAL);
 	bucket = keyring_hash(name);
 	read_lock(&keyring_name_lock);
-	if (keyring_name_hash[bucket].next) {
+	/* Search this hash bucket for a keyring with a matching name that
-		/* search this hash bucket for a keyring with a matching name
+	 * grants Search permission and that hasn't been revoked
-		 * that's readable and that hasn't been revoked */
+	 */
-		list_for_each_entry(keyring,
+	list_for_each_entry(keyring, &ns->keyring_name_list, name_link) {
-				    &keyring_name_hash[bucket],
+		if (!kuid_has_mapping(ns, keyring->user->uid))
-				    name_link
+			continue;
 				    ) {
 			if (!kuid_has_mapping(current_user_ns(), keyring->user->uid))
 				continue;
-			if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
+		if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
-				continue;
+			continue;
-			if (strcmp(keyring->description, name) != 0)
+		if (strcmp(keyring->description, name) != 0)
-				continue;
+			continue;
-			if (uid_keyring) {
+		if (uid_keyring) {
-				if (!test_bit(KEY_FLAG_UID_KEYRING,
+			if (!test_bit(KEY_FLAG_UID_KEYRING,
-					      &keyring->flags))
+				      &keyring->flags))
-					continue;
+				continue;
-			} else {
+		} else {
-				if (key_permission(make_key_ref(keyring, 0),
+			if (key_permission(make_key_ref(keyring, 0),
-						   KEY_NEED_SEARCH) < 0)
+					   KEY_NEED_SEARCH) < 0)
 					continue;
 			}
 			/* we've got a match but we might end up racing with
 			 * key_cleanup() if the keyring is currently 'dead'
 			 * (ie. it has a zero usage count) */
 			if (!refcount_inc_not_zero(&keyring->usage))
 				continue;
 			keyring->last_used_at = ktime_get_real_seconds();
 			goto out;
 		}
 		/* we've got a match but we might end up racing with
 		 * key_cleanup() if the keyring is currently 'dead'
 		 * (ie. it has a zero usage count) */
 		if (!refcount_inc_not_zero(&keyring->usage))
 			continue;
 		keyring->last_used_at = ktime_get_real_seconds();
 		goto out;
 	}
 	keyring = ERR_PTR(-ENOKEY);