path: root/security/keys/internal.h
author: David Howells <dhowells@redhat.com> 2019-06-26 23:02:32 +0300
committer: David Howells <dhowells@redhat.com> 2019-06-26 23:02:32 +0300
commit: 0f44e4d976f96c6439da0d6717238efa4b91196e (patch)
tree: 3cec4bc4ef3faa4e61058e3aff066a7bec1c9d37 /security/keys/internal.h
parent: b206f281d0ee14969878469816a69db22d5838e8 (diff)
download: linux-0f44e4d976f96c6439da0d6717238efa4b91196e.tar.xz
keys: Move the user and user-session keyrings to the user_namespace
Move the user and user-session keyrings to the user_namespace struct rather than pinning them from the user_struct struct. This prevents these keyrings from propagating across user-namespace boundaries with regard to the KEY_SPEC_* flags, thereby making them more useful in a containerised environment. The issue is that a single user_struct may represent UIDs in several different namespaces.

The way the patch does this is by attaching a 'register keyring' in each user_namespace and then sticking the user and user-session keyrings into that. It can then be searched to retrieve them.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: Jann Horn <jannh@google.com>
Diffstat (limited to 'security/keys/internal.h')
-rw-r--r--  security/keys/internal.h  3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/keys/internal.h b/security/keys/internal.h
index aa361299a3ec..d3a9439e2386 100644
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -148,7 +148,8 @@ extern key_ref_t search_process_keyrings_rcu(struct keyring_search_context *ctx)
extern struct key *find_keyring_by_name(const char *name, bool uid_keyring);
-extern int install_user_keyrings(void);
+extern int look_up_user_keyrings(struct key **, struct key **);
+extern struct key *get_user_session_keyring_rcu(const struct cred *);
extern int install_thread_keyring_to_cred(struct cred *);
extern int install_process_keyring_to_cred(struct cred *);
extern int install_session_keyring_to_cred(struct cred *, struct key *);
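Review bot: the two `struct key **` out-parameters of look_up_user_keyrings() are the same type and carry no names, so nothing in this header tells a caller which slot receives the user keyring and which receives the user-session keyring; consider naming them in the prototype, e.g. `extern int look_up_user_keyrings(struct key **_user_keyring, struct key **_user_session_keyring);`. Likewise get_user_session_keyring_rcu() should state, in a comment above the declaration, whether the caller must hold rcu_read_lock() and whether the returned key carries a reference the caller must drop (the _rcu suffix suggests a borrowed pointer valid only under the read lock, but the header does not say). Finally, since install_user_keyrings() is removed outright rather than kept as a wrapper, confirm that no callers outside this file remain; the diffstat shown here is limited to internal.h, so such callers are not visible in this patch.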