keys: Move the user and user-session keyrings to the user_namespace

Move the user and user-session keyrings to the user_namespace struct rather than pinning them from the user_struct struct. This prevents these keyrings from propagating across user-namespaces boundaries with regard to the KEY_SPEC_* flags, thereby making them more useful in a containerised environment. The issue is that a single user_struct may be represent UIDs in several different namespaces. The way the patch does this is by attaching a 'register keyring' in each user_namespace and then sticking the user and user-session keyrings into that. It can then be searched to retrieve them. Signed-off-by: David Howells <dhowells@redhat.com> cc: Jann Horn <jannh@google.com>
author: David Howells <dhowells@redhat.com> 2019-06-26 23:02:32 +0300
committer: David Howells <dhowells@redhat.com> 2019-06-26 23:02:32 +0300
commit: 0f44e4d976f96c6439da0d6717238efa4b91196e (patch)
tree: 3cec4bc4ef3faa4e61058e3aff066a7bec1c9d37 /security/keys/keyring.c
parent: b206f281d0ee14969878469816a69db22d5838e8 (diff)
download: linux-0f44e4d976f96c6439da0d6717238efa4b91196e.tar.xz
1 files changed, 1 insertions, 0 deletions
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index fe851292509e..3663e5168583 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -62,6 +62,7 @@ void key_free_user_ns(struct user_namespace *ns)
 	list_del_init(&ns->keyring_name_list);
 	write_unlock(&keyring_name_lock);
 
+	key_put(ns->user_keyring_register);
 #ifdef CONFIG_PERSISTENT_KEYRINGS
 	key_put(ns->persistent_keyring_register);
 #endif
author	David Howells <dhowells@redhat.com>	2019-06-26 23:02:32 +0300
committer	David Howells <dhowells@redhat.com>	2019-06-26 23:02:32 +0300
commit	0f44e4d976f96c6439da0d6717238efa4b91196e (patch)
tree	3cec4bc4ef3faa4e61058e3aff066a7bec1c9d37 /security/keys/keyring.c
parent	b206f281d0ee14969878469816a69db22d5838e8 (diff)
download	linux-0f44e4d976f96c6439da0d6717238efa4b91196e.tar.xz