diff options
Diffstat (limited to 'Documentation/keys-request-key.txt')
-rw-r--r-- | Documentation/keys-request-key.txt | 54 |
1 files changed, 36 insertions, 18 deletions
diff --git a/Documentation/keys-request-key.txt b/Documentation/keys-request-key.txt index 22488d791168..c1f64fdf84cb 100644 --- a/Documentation/keys-request-key.txt +++ b/Documentation/keys-request-key.txt | |||
@@ -3,16 +3,23 @@ | |||
3 | =================== | 3 | =================== |
4 | 4 | ||
5 | The key request service is part of the key retention service (refer to | 5 | The key request service is part of the key retention service (refer to |
6 | Documentation/keys.txt). This document explains more fully how that the | 6 | Documentation/keys.txt). This document explains more fully how the requesting |
7 | requesting algorithm works. | 7 | algorithm works. |
8 | 8 | ||
9 | The process starts by either the kernel requesting a service by calling | 9 | The process starts by either the kernel requesting a service by calling |
10 | request_key(): | 10 | request_key*(): |
11 | 11 | ||
12 | struct key *request_key(const struct key_type *type, | 12 | struct key *request_key(const struct key_type *type, |
13 | const char *description, | 13 | const char *description, |
14 | const char *callout_string); | 14 | const char *callout_string); |
15 | 15 | ||
16 | or: | ||
17 | |||
18 | struct key *request_key_with_auxdata(const struct key_type *type, | ||
19 | const char *description, | ||
20 | const char *callout_string, | ||
21 | void *aux); | ||
22 | |||
16 | Or by userspace invoking the request_key system call: | 23 | Or by userspace invoking the request_key system call: |
17 | 24 | ||
18 | key_serial_t request_key(const char *type, | 25 | key_serial_t request_key(const char *type, |
@@ -20,16 +27,26 @@ Or by userspace invoking the request_key system call: | |||
20 | const char *callout_info, | 27 | const char *callout_info, |
21 | key_serial_t dest_keyring); | 28 | key_serial_t dest_keyring); |
22 | 29 | ||
23 | The main difference between the two access points is that the in-kernel | 30 | The main difference between the access points is that the in-kernel interface |
24 | interface does not need to link the key to a keyring to prevent it from being | 31 | does not need to link the key to a keyring to prevent it from being immediately |
25 | immediately destroyed. The kernel interface returns a pointer directly to the | 32 | destroyed. The kernel interface returns a pointer directly to the key, and |
26 | key, and it's up to the caller to destroy the key. | 33 | it's up to the caller to destroy the key. |
34 | |||
35 | The request_key_with_auxdata() call is like the in-kernel request_key() call, | ||
36 | except that it permits auxiliary data to be passed to the upcaller (the default | ||
37 | is NULL). This is only useful for those key types that define their own upcall | ||
38 | mechanism rather than using /sbin/request-key. | ||
27 | 39 | ||
28 | The userspace interface links the key to a keyring associated with the process | 40 | The userspace interface links the key to a keyring associated with the process |
29 | to prevent the key from going away, and returns the serial number of the key to | 41 | to prevent the key from going away, and returns the serial number of the key to |
30 | the caller. | 42 | the caller. |
31 | 43 | ||
32 | 44 | ||
45 | The following example assumes that the key types involved don't define their | ||
46 | own upcall mechanisms. If they do, then those should be substituted for the | ||
47 | forking and execution of /sbin/request-key. | ||
48 | |||
49 | |||
33 | =========== | 50 | =========== |
34 | THE PROCESS | 51 | THE PROCESS |
35 | =========== | 52 | =========== |
@@ -40,8 +57,8 @@ A request proceeds in the following manner: | |||
40 | interface]. | 57 | interface]. |
41 | 58 | ||
42 | (2) request_key() searches the process's subscribed keyrings to see if there's | 59 | (2) request_key() searches the process's subscribed keyrings to see if there's |
43 | a suitable key there. If there is, it returns the key. If there isn't, and | 60 | a suitable key there. If there is, it returns the key. If there isn't, |
44 | callout_info is not set, an error is returned. Otherwise the process | 61 | and callout_info is not set, an error is returned. Otherwise the process |
45 | proceeds to the next step. | 62 | proceeds to the next step. |
46 | 63 | ||
47 | (3) request_key() sees that A doesn't have the desired key yet, so it creates | 64 | (3) request_key() sees that A doesn't have the desired key yet, so it creates |
@@ -62,7 +79,7 @@ A request proceeds in the following manner: | |||
62 | instantiation. | 79 | instantiation. |
63 | 80 | ||
64 | (7) The program may want to access another key from A's context (say a | 81 | (7) The program may want to access another key from A's context (say a |
65 | Kerberos TGT key). It just requests the appropriate key, and the keyring | 82 | Kerberos TGT key). It just requests the appropriate key, and the keyring |
66 | search notes that the session keyring has auth key V in its bottom level. | 83 | search notes that the session keyring has auth key V in its bottom level. |
67 | 84 | ||
68 | This will permit it to then search the keyrings of process A with the | 85 | This will permit it to then search the keyrings of process A with the |
@@ -79,10 +96,11 @@ A request proceeds in the following manner: | |||
79 | (10) The program then exits 0 and request_key() deletes key V and returns key | 96 | (10) The program then exits 0 and request_key() deletes key V and returns key |
80 | U to the caller. | 97 | U to the caller. |
81 | 98 | ||
82 | This also extends further. If key W (step 7 above) didn't exist, key W would be | 99 | This also extends further. If key W (step 7 above) didn't exist, key W would |
83 | created uninstantiated, another auth key (X) would be created (as per step 3) | 100 | be created uninstantiated, another auth key (X) would be created (as per step |
84 | and another copy of /sbin/request-key spawned (as per step 4); but the context | 101 | 3) and another copy of /sbin/request-key spawned (as per step 4); but the |
85 | specified by auth key X will still be process A, as it was in auth key V. | 102 | context specified by auth key X will still be process A, as it was in auth key |
103 | V. | ||
86 | 104 | ||
87 | This is because process A's keyrings can't simply be attached to | 105 | This is because process A's keyrings can't simply be attached to |
88 | /sbin/request-key at the appropriate places because (a) execve will discard two | 106 | /sbin/request-key at the appropriate places because (a) execve will discard two |
@@ -118,17 +136,17 @@ A search of any particular keyring proceeds in the following fashion: | |||
118 | 136 | ||
119 | (2) It considers all the non-keyring keys within that keyring and, if any key | 137 | (2) It considers all the non-keyring keys within that keyring and, if any key |
120 | matches the criteria specified, calls key_permission(SEARCH) on it to see | 138 | matches the criteria specified, calls key_permission(SEARCH) on it to see |
121 | if the key is allowed to be found. If it is, that key is returned; if | 139 | if the key is allowed to be found. If it is, that key is returned; if |
122 | not, the search continues, and the error code is retained if of higher | 140 | not, the search continues, and the error code is retained if of higher |
123 | priority than the one currently set. | 141 | priority than the one currently set. |
124 | 142 | ||
125 | (3) It then considers all the keyring-type keys in the keyring it's currently | 143 | (3) It then considers all the keyring-type keys in the keyring it's currently |
126 | searching. It calls key_permission(SEARCH) on each keyring, and if this | 144 | searching. It calls key_permission(SEARCH) on each keyring, and if this |
127 | grants permission, it recurses, executing steps (2) and (3) on that | 145 | grants permission, it recurses, executing steps (2) and (3) on that |
128 | keyring. | 146 | keyring. |
129 | 147 | ||
130 | The process stops immediately a valid key is found with permission granted to | 148 | The process stops immediately a valid key is found with permission granted to |
131 | use it. Any error from a previous match attempt is discarded and the key is | 149 | use it. Any error from a previous match attempt is discarded and the key is |
132 | returned. | 150 | returned. |
133 | 151 | ||
134 | When search_process_keyrings() is invoked, it performs the following searches | 152 | When search_process_keyrings() is invoked, it performs the following searches |
@@ -153,7 +171,7 @@ The moment one succeeds, all pending errors are discarded and the found key is | |||
153 | returned. | 171 | returned. |
154 | 172 | ||
155 | Only if all these fail does the whole thing fail with the highest priority | 173 | Only if all these fail does the whole thing fail with the highest priority |
156 | error. Note that several errors may have come from LSM. | 174 | error. Note that several errors may have come from LSM. |
157 | 175 | ||
158 | The error priority is: | 176 | The error priority is: |
159 | 177 | ||