diff options
| author | David Howells <dhowells@redhat.com> | 2013-09-24 05:35:19 -0400 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2013-09-24 05:35:19 -0400 |
| commit | f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e (patch) | |
| tree | 09d5dd4ffe2e8cc499f97b0fc3895b7e3f35ccbf /security/keys/internal.h | |
| parent | ab3c3587f8cda9083209a61dbe3a4407d3cada10 (diff) | |
KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
Add support for per-user_namespace registers of persistent per-UID kerberos
caches held within the kernel.
This allows the kerberos cache to be retained beyond the life of all a user's
processes so that the user's cron jobs can work.
The kerberos cache is envisioned as a keyring/key tree looking something like:
struct user_namespace
\___ .krb_cache keyring - The register
\___ _krb.0 keyring - Root's Kerberos cache
\___ _krb.5000 keyring - User 5000's Kerberos cache
\___ _krb.5001 keyring - User 5001's Kerberos cache
\___ tkt785 big_key - A ccache blob
\___ tkt12345 big_key - Another ccache blob
Or possibly:
struct user_namespace
\___ .krb_cache keyring - The register
\___ _krb.0 keyring - Root's Kerberos cache
\___ _krb.5000 keyring - User 5000's Kerberos cache
\___ _krb.5001 keyring - User 5001's Kerberos cache
\___ tkt785 keyring - A ccache
\___ krbtgt/REDHAT.COM@REDHAT.COM big_key
\___ http/REDHAT.COM@REDHAT.COM user
\___ afs/REDHAT.COM@REDHAT.COM user
\___ nfs/REDHAT.COM@REDHAT.COM user
\___ krbtgt/KERNEL.ORG@KERNEL.ORG big_key
\___ http/KERNEL.ORG@KERNEL.ORG big_key
What goes into a particular Kerberos cache is entirely up to userspace. Kernel
support is limited to giving you the Kerberos cache keyring that you want.
The user asks for their Kerberos cache by:
krb_cache = keyctl_get_krbcache(uid, dest_keyring);
The uid is -1 or the user's own UID for the user's own cache or the uid of some
other user's cache (requires CAP_SETUID). This permits rpc.gssd or whatever to
mess with the cache.
The cache returned is a keyring named "_krb.<uid>" that the possessor can read,
search, clear, invalidate, unlink from and add links to. Active LSMs get a
chance to rule on whether the caller is permitted to make a link.
Each uid's cache keyring is created when it first accessed and is given a
timeout that is extended each time this function is called so that the keyring
goes away after a while. The timeout is configurable by sysctl but defaults to
three days.
Each user_namespace struct gets a lazily-created keyring that serves as the
register. The cache keyrings are added to it. This means that standard key
search and garbage collection facilities are available.
The user_namespace struct's register goes away when it does and anything left
in it is then automatically gc'd.
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Simo Sorce <simo@redhat.com>
cc: Serge E. Hallyn <serge.hallyn@ubuntu.com>
cc: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'security/keys/internal.h')
| -rw-r--r-- | security/keys/internal.h | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/security/keys/internal.h b/security/keys/internal.h index 581c6f688352..80b2aac4f50c 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h | |||
| @@ -255,6 +255,15 @@ extern long keyctl_invalidate_key(key_serial_t); | |||
| 255 | extern long keyctl_instantiate_key_common(key_serial_t, | 255 | extern long keyctl_instantiate_key_common(key_serial_t, |
| 256 | const struct iovec *, | 256 | const struct iovec *, |
| 257 | unsigned, size_t, key_serial_t); | 257 | unsigned, size_t, key_serial_t); |
| 258 | #ifdef CONFIG_PERSISTENT_KEYRINGS | ||
| 259 | extern long keyctl_get_persistent(uid_t, key_serial_t); | ||
| 260 | extern unsigned persistent_keyring_expiry; | ||
| 261 | #else | ||
| 262 | static inline long keyctl_get_persistent(uid_t uid, key_serial_t destring) | ||
| 263 | { | ||
| 264 | return -EOPNOTSUPP; | ||
| 265 | } | ||
| 266 | #endif | ||
| 258 | 267 | ||
| 259 | /* | 268 | /* |
| 260 | * Debugging key validation | 269 | * Debugging key validation |