diff options
author | David Howells <dhowells@redhat.com> | 2019-06-26 23:02:32 +0300 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2019-06-26 23:02:32 +0300 |
commit | b206f281d0ee14969878469816a69db22d5838e8 (patch) | |
tree | 56828bdaec25c05d6b4126196276bf969d056929 /include/linux/user_namespace.h | |
parent | dcf49dbc8077e278ddd1bc7298abc781496e8a08 (diff) | |
download | linux-b206f281d0ee14969878469816a69db22d5838e8.tar.xz |
keys: Namespace keyring names
Keyring names are held in a single global list that any process can pick
from by means of keyctl_join_session_keyring (provided the keyring grants
Search permission). This isn't very container friendly, however.
Make the following changes:
(1) Make default session, process and thread keyring names begin with a
'.' instead of '_'.
(2) Keyrings whose names begin with a '.' aren't added to the list. Such
keyrings are system specials.
(3) Replace the global list with per-user_namespace lists. A keyring adds
its name to the list for the user_namespace that it is currently in.
(4) When a user_namespace is deleted, it just removes itself from the
keyring name list.
The global keyring_name_lock is retained for accessing the name lists.
This allows (4) to work.
This can be tested by:
# keyctl newring foo @s
995906392
# unshare -U
$ keyctl show
...
995906392 --alswrv 65534 65534 \_ keyring: foo
...
$ keyctl session foo
Joined session keyring: 935622349
As can be seen, a new session keyring was created.
The capability bit KEYCTL_CAPS1_NS_KEYRING_NAME is set if the kernel is
employing this feature.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'include/linux/user_namespace.h')
-rw-r--r-- | include/linux/user_namespace.h | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h index d6b74b91096b..90457015fa3f 100644 --- a/include/linux/user_namespace.h +++ b/include/linux/user_namespace.h @@ -64,6 +64,11 @@ struct user_namespace { struct ns_common ns; unsigned long flags; +#ifdef CONFIG_KEYS + /* List of joinable keyrings in this namespace */ + struct list_head keyring_name_list; +#endif + /* Register of per-UID persistent keyrings for this namespace */ #ifdef CONFIG_PERSISTENT_KEYRINGS struct key *persistent_keyring_register; |