diff options
| author | David Howells <dhowells@redhat.com> | 2013-09-24 05:35:19 -0400 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2013-09-24 05:35:19 -0400 |
| commit | f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e (patch) | |
| tree | 09d5dd4ffe2e8cc499f97b0fc3895b7e3f35ccbf | |
| parent | ab3c3587f8cda9083209a61dbe3a4407d3cada10 (diff) | |
KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
Add support for per-user_namespace registers of persistent per-UID kerberos
caches held within the kernel.
This allows the kerberos cache to be retained beyond the life of all a user's
processes so that the user's cron jobs can work.
The kerberos cache is envisioned as a keyring/key tree looking something like:
struct user_namespace
\___ .krb_cache keyring - The register
\___ _krb.0 keyring - Root's Kerberos cache
\___ _krb.5000 keyring - User 5000's Kerberos cache
\___ _krb.5001 keyring - User 5001's Kerberos cache
\___ tkt785 big_key - A ccache blob
\___ tkt12345 big_key - Another ccache blob
Or possibly:
struct user_namespace
\___ .krb_cache keyring - The register
\___ _krb.0 keyring - Root's Kerberos cache
\___ _krb.5000 keyring - User 5000's Kerberos cache
\___ _krb.5001 keyring - User 5001's Kerberos cache
\___ tkt785 keyring - A ccache
\___ krbtgt/REDHAT.COM@REDHAT.COM big_key
\___ http/REDHAT.COM@REDHAT.COM user
\___ afs/REDHAT.COM@REDHAT.COM user
\___ nfs/REDHAT.COM@REDHAT.COM user
\___ krbtgt/KERNEL.ORG@KERNEL.ORG big_key
\___ http/KERNEL.ORG@KERNEL.ORG big_key
What goes into a particular Kerberos cache is entirely up to userspace. Kernel
support is limited to giving you the Kerberos cache keyring that you want.
The user asks for their Kerberos cache by:
krb_cache = keyctl_get_krbcache(uid, dest_keyring);
The uid is -1 or the user's own UID for the user's own cache or the uid of some
other user's cache (requires CAP_SETUID). This permits rpc.gssd or whatever to
mess with the cache.
The cache returned is a keyring named "_krb.<uid>" that the possessor can read,
search, clear, invalidate, unlink from and add links to. Active LSMs get a
chance to rule on whether the caller is permitted to make a link.
Each uid's cache keyring is created when it first accessed and is given a
timeout that is extended each time this function is called so that the keyring
goes away after a while. The timeout is configurable by sysctl but defaults to
three days.
Each user_namespace struct gets a lazily-created keyring that serves as the
register. The cache keyrings are added to it. This means that standard key
search and garbage collection facilities are available.
The user_namespace struct's register goes away when it does and anything left
in it is then automatically gc'd.
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Simo Sorce <simo@redhat.com>
cc: Serge E. Hallyn <serge.hallyn@ubuntu.com>
cc: Eric W. Biederman <ebiederm@xmission.com>
| -rw-r--r-- | include/linux/user_namespace.h | 6 | ||||
| -rw-r--r-- | include/uapi/linux/keyctl.h | 1 | ||||
| -rw-r--r-- | kernel/user.c | 4 | ||||
| -rw-r--r-- | kernel/user_namespace.c | 6 | ||||
| -rw-r--r-- | security/keys/Kconfig | 17 | ||||
| -rw-r--r-- | security/keys/Makefile | 1 | ||||
| -rw-r--r-- | security/keys/compat.c | 3 | ||||
| -rw-r--r-- | security/keys/internal.h | 9 | ||||
| -rw-r--r-- | security/keys/keyctl.c | 3 | ||||
| -rw-r--r-- | security/keys/persistent.c | 169 | ||||
| -rw-r--r-- | security/keys/sysctl.c | 11 |
11 files changed, 230 insertions, 0 deletions
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h index 4db29859464f..4836ba3c1cd8 100644 --- a/include/linux/user_namespace.h +++ b/include/linux/user_namespace.h | |||
| @@ -27,6 +27,12 @@ struct user_namespace { | |||
| 27 | kuid_t owner; | 27 | kuid_t owner; |
| 28 | kgid_t group; | 28 | kgid_t group; |
| 29 | unsigned int proc_inum; | 29 | unsigned int proc_inum; |
| 30 | |||
| 31 | /* Register of per-UID persistent keyrings for this namespace */ | ||
| 32 | #ifdef CONFIG_PERSISTENT_KEYRINGS | ||
| 33 | struct key *persistent_keyring_register; | ||
| 34 | struct rw_semaphore persistent_keyring_register_sem; | ||
| 35 | #endif | ||
| 30 | }; | 36 | }; |
| 31 | 37 | ||
| 32 | extern struct user_namespace init_user_ns; | 38 | extern struct user_namespace init_user_ns; |
diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h index c9b7f4faf97a..840cb990abe2 100644 --- a/include/uapi/linux/keyctl.h +++ b/include/uapi/linux/keyctl.h | |||
| @@ -56,5 +56,6 @@ | |||
| 56 | #define KEYCTL_REJECT 19 /* reject a partially constructed key */ | 56 | #define KEYCTL_REJECT 19 /* reject a partially constructed key */ |
| 57 | #define KEYCTL_INSTANTIATE_IOV 20 /* instantiate a partially constructed key */ | 57 | #define KEYCTL_INSTANTIATE_IOV 20 /* instantiate a partially constructed key */ |
| 58 | #define KEYCTL_INVALIDATE 21 /* invalidate a key */ | 58 | #define KEYCTL_INVALIDATE 21 /* invalidate a key */ |
| 59 | #define KEYCTL_GET_PERSISTENT 22 /* get a user's persistent keyring */ | ||
| 59 | 60 | ||
| 60 | #endif /* _LINUX_KEYCTL_H */ | 61 | #endif /* _LINUX_KEYCTL_H */ |
diff --git a/kernel/user.c b/kernel/user.c index 5bbb91988e69..a3a0dbfda329 100644 --- a/kernel/user.c +++ b/kernel/user.c | |||
| @@ -51,6 +51,10 @@ struct user_namespace init_user_ns = { | |||
| 51 | .owner = GLOBAL_ROOT_UID, | 51 | .owner = GLOBAL_ROOT_UID, |
| 52 | .group = GLOBAL_ROOT_GID, | 52 | .group = GLOBAL_ROOT_GID, |
| 53 | .proc_inum = PROC_USER_INIT_INO, | 53 | .proc_inum = PROC_USER_INIT_INO, |
| 54 | #ifdef CONFIG_KEYS_KERBEROS_CACHE | ||
| 55 | .krb_cache_register_sem = | ||
| 56 | __RWSEM_INITIALIZER(init_user_ns.krb_cache_register_sem), | ||
| 57 | #endif | ||
| 54 | }; | 58 | }; |
| 55 | EXPORT_SYMBOL_GPL(init_user_ns); | 59 | EXPORT_SYMBOL_GPL(init_user_ns); |
| 56 | 60 | ||
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index 13fb1134ba58..240fb62cf394 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c | |||
| @@ -101,6 +101,9 @@ int create_user_ns(struct cred *new) | |||
| 101 | 101 | ||
| 102 | set_cred_user_ns(new, ns); | 102 | set_cred_user_ns(new, ns); |
| 103 | 103 | ||
| 104 | #ifdef CONFIG_PERSISTENT_KEYRINGS | ||
| 105 | init_rwsem(&ns->persistent_keyring_register_sem); | ||
| 106 | #endif | ||
| 104 | return 0; | 107 | return 0; |
| 105 | } | 108 | } |
| 106 | 109 | ||
| @@ -130,6 +133,9 @@ void free_user_ns(struct user_namespace *ns) | |||
| 130 | 133 | ||
| 131 | do { | 134 | do { |
| 132 | parent = ns->parent; | 135 | parent = ns->parent; |
| 136 | #ifdef CONFIG_PERSISTENT_KEYRINGS | ||
| 137 | key_put(ns->persistent_keyring_register); | ||
| 138 | #endif | ||
| 133 | proc_free_inum(ns->proc_inum); | 139 | proc_free_inum(ns->proc_inum); |
| 134 | kmem_cache_free(user_ns_cachep, ns); | 140 | kmem_cache_free(user_ns_cachep, ns); |
| 135 | ns = parent; | 141 | ns = parent; |
diff --git a/security/keys/Kconfig b/security/keys/Kconfig index b56362275ec8..53d8748c9564 100644 --- a/security/keys/Kconfig +++ b/security/keys/Kconfig | |||
| @@ -20,6 +20,23 @@ config KEYS | |||
| 20 | 20 | ||
| 21 | If you are unsure as to whether this is required, answer N. | 21 | If you are unsure as to whether this is required, answer N. |
| 22 | 22 | ||
| 23 | config PERSISTENT_KEYRINGS | ||
| 24 | bool "Enable register of persistent per-UID keyrings" | ||
| 25 | depends on KEYS | ||
| 26 | help | ||
| 27 | This option provides a register of persistent per-UID keyrings, | ||
| 28 | primarily aimed at Kerberos key storage. The keyrings are persistent | ||
| 29 | in the sense that they stay around after all processes of that UID | ||
| 30 | have exited, not that they survive the machine being rebooted. | ||
| 31 | |||
| 32 | A particular keyring may be accessed by either the user whose keyring | ||
| 33 | it is or by a process with administrative privileges. The active | ||
| 34 | LSMs gets to rule on which admin-level processes get to access the | ||
| 35 | cache. | ||
| 36 | |||
| 37 | Keyrings are created and added into the register upon demand and get | ||
| 38 | removed if they expire (a default timeout is set upon creation). | ||
| 39 | |||
| 23 | config BIG_KEYS | 40 | config BIG_KEYS |
| 24 | tristate "Large payload keys" | 41 | tristate "Large payload keys" |
| 25 | depends on KEYS | 42 | depends on KEYS |
diff --git a/security/keys/Makefile b/security/keys/Makefile index c487c77a00be..dfb3a7bededf 100644 --- a/security/keys/Makefile +++ b/security/keys/Makefile | |||
| @@ -18,6 +18,7 @@ obj-y := \ | |||
| 18 | obj-$(CONFIG_KEYS_COMPAT) += compat.o | 18 | obj-$(CONFIG_KEYS_COMPAT) += compat.o |
| 19 | obj-$(CONFIG_PROC_FS) += proc.o | 19 | obj-$(CONFIG_PROC_FS) += proc.o |
| 20 | obj-$(CONFIG_SYSCTL) += sysctl.o | 20 | obj-$(CONFIG_SYSCTL) += sysctl.o |
| 21 | obj-$(CONFIG_PERSISTENT_KEYRINGS) += persistent.o | ||
| 21 | 22 | ||
| 22 | # | 23 | # |
| 23 | # Key types | 24 | # Key types |
diff --git a/security/keys/compat.c b/security/keys/compat.c index d65fa7fa29ba..bbd32c729dbb 100644 --- a/security/keys/compat.c +++ b/security/keys/compat.c | |||
| @@ -138,6 +138,9 @@ asmlinkage long compat_sys_keyctl(u32 option, | |||
| 138 | case KEYCTL_INVALIDATE: | 138 | case KEYCTL_INVALIDATE: |
| 139 | return keyctl_invalidate_key(arg2); | 139 | return keyctl_invalidate_key(arg2); |
| 140 | 140 | ||
| 141 | case KEYCTL_GET_PERSISTENT: | ||
| 142 | return keyctl_get_persistent(arg2, arg3); | ||
| 143 | |||
| 141 | default: | 144 | default: |
| 142 | return -EOPNOTSUPP; | 145 | return -EOPNOTSUPP; |
| 143 | } | 146 | } |
diff --git a/security/keys/internal.h b/security/keys/internal.h index 581c6f688352..80b2aac4f50c 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h | |||
| @@ -255,6 +255,15 @@ extern long keyctl_invalidate_key(key_serial_t); | |||
| 255 | extern long keyctl_instantiate_key_common(key_serial_t, | 255 | extern long keyctl_instantiate_key_common(key_serial_t, |
| 256 | const struct iovec *, | 256 | const struct iovec *, |
| 257 | unsigned, size_t, key_serial_t); | 257 | unsigned, size_t, key_serial_t); |
| 258 | #ifdef CONFIG_PERSISTENT_KEYRINGS | ||
| 259 | extern long keyctl_get_persistent(uid_t, key_serial_t); | ||
| 260 | extern unsigned persistent_keyring_expiry; | ||
| 261 | #else | ||
| 262 | static inline long keyctl_get_persistent(uid_t uid, key_serial_t destring) | ||
| 263 | { | ||
| 264 | return -EOPNOTSUPP; | ||
| 265 | } | ||
| 266 | #endif | ||
| 258 | 267 | ||
| 259 | /* | 268 | /* |
| 260 | * Debugging key validation | 269 | * Debugging key validation |
diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 33cfd27b4de2..cee72ce64222 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c | |||
| @@ -1667,6 +1667,9 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3, | |||
| 1667 | case KEYCTL_INVALIDATE: | 1667 | case KEYCTL_INVALIDATE: |
| 1668 | return keyctl_invalidate_key((key_serial_t) arg2); | 1668 | return keyctl_invalidate_key((key_serial_t) arg2); |
| 1669 | 1669 | ||
| 1670 | case KEYCTL_GET_PERSISTENT: | ||
| 1671 | return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); | ||
| 1672 | |||
| 1670 | default: | 1673 | default: |
| 1671 | return -EOPNOTSUPP; | 1674 | return -EOPNOTSUPP; |
| 1672 | } | 1675 | } |
diff --git a/security/keys/persistent.c b/security/keys/persistent.c new file mode 100644 index 000000000000..82f4957a7acf --- /dev/null +++ b/security/keys/persistent.c | |||
| @@ -0,0 +1,169 @@ | |||
| 1 | /* General persistent per-UID keyrings register | ||
| 2 | * | ||
| 3 | * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved. | ||
| 4 | * Written by David Howells (dhowells@redhat.com) | ||
| 5 | * | ||
| 6 | * This program is free software; you can redistribute it and/or | ||
| 7 | * modify it under the terms of the GNU General Public Licence | ||
| 8 | * as published by the Free Software Foundation; either version | ||
| 9 | * 2 of the Licence, or (at your option) any later version. | ||
| 10 | */ | ||
