aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/keys-request-key.txt
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/keys-request-key.txt')
-rw-r--r--Documentation/keys-request-key.txt54
1 files changed, 36 insertions, 18 deletions
diff --git a/Documentation/keys-request-key.txt b/Documentation/keys-request-key.txt
index 22488d791168..c1f64fdf84cb 100644
--- a/Documentation/keys-request-key.txt
+++ b/Documentation/keys-request-key.txt
@@ -3,16 +3,23 @@
3 =================== 3 ===================
4 4
5The key request service is part of the key retention service (refer to 5The key request service is part of the key retention service (refer to
6Documentation/keys.txt). This document explains more fully how that the 6Documentation/keys.txt). This document explains more fully how the requesting
7requesting algorithm works. 7algorithm works.
8 8
9The process starts by either the kernel requesting a service by calling 9The process starts by either the kernel requesting a service by calling
10request_key(): 10request_key*():
11 11
12 struct key *request_key(const struct key_type *type, 12 struct key *request_key(const struct key_type *type,
13 const char *description, 13 const char *description,
14 const char *callout_string); 14 const char *callout_string);
15 15
16or:
17
18 struct key *request_key_with_auxdata(const struct key_type *type,
19 const char *description,
20 const char *callout_string,
21 void *aux);
22
16Or by userspace invoking the request_key system call: 23Or by userspace invoking the request_key system call:
17 24
18 key_serial_t request_key(const char *type, 25 key_serial_t request_key(const char *type,
@@ -20,16 +27,26 @@ Or by userspace invoking the request_key system call:
20 const char *callout_info, 27 const char *callout_info,
21 key_serial_t dest_keyring); 28 key_serial_t dest_keyring);
22 29
23The main difference between the two access points is that the in-kernel 30The main difference between the access points is that the in-kernel interface
24interface does not need to link the key to a keyring to prevent it from being 31does not need to link the key to a keyring to prevent it from being immediately
25immediately destroyed. The kernel interface returns a pointer directly to the 32destroyed. The kernel interface returns a pointer directly to the key, and
26key, and it's up to the caller to destroy the key. 33it's up to the caller to destroy the key.
34
35The request_key_with_auxdata() call is like the in-kernel request_key() call,
36except that it permits auxiliary data to be passed to the upcaller (the default
37is NULL). This is only useful for those key types that define their own upcall
38mechanism rather than using /sbin/request-key.
27 39
28The userspace interface links the key to a keyring associated with the process 40The userspace interface links the key to a keyring associated with the process
29to prevent the key from going away, and returns the serial number of the key to 41to prevent the key from going away, and returns the serial number of the key to
30the caller. 42the caller.
31 43
32 44
45The following example assumes that the key types involved don't define their
46own upcall mechanisms. If they do, then those should be substituted for the
47forking and execution of /sbin/request-key.
48
49
33=========== 50===========
34THE PROCESS 51THE PROCESS
35=========== 52===========
@@ -40,8 +57,8 @@ A request proceeds in the following manner:
40 interface]. 57 interface].
41 58
42 (2) request_key() searches the process's subscribed keyrings to see if there's 59 (2) request_key() searches the process's subscribed keyrings to see if there's
43 a suitable key there. If there is, it returns the key. If there isn't, and 60 a suitable key there. If there is, it returns the key. If there isn't,
44 callout_info is not set, an error is returned. Otherwise the process 61 and callout_info is not set, an error is returned. Otherwise the process
45 proceeds to the next step. 62 proceeds to the next step.
46 63
47 (3) request_key() sees that A doesn't have the desired key yet, so it creates 64 (3) request_key() sees that A doesn't have the desired key yet, so it creates
@@ -62,7 +79,7 @@ A request proceeds in the following manner:
62 instantiation. 79 instantiation.
63 80
64 (7) The program may want to access another key from A's context (say a 81 (7) The program may want to access another key from A's context (say a
65 Kerberos TGT key). It just requests the appropriate key, and the keyring 82 Kerberos TGT key). It just requests the appropriate key, and the keyring
66 search notes that the session keyring has auth key V in its bottom level. 83 search notes that the session keyring has auth key V in its bottom level.
67 84
68 This will permit it to then search the keyrings of process A with the 85 This will permit it to then search the keyrings of process A with the
@@ -79,10 +96,11 @@ A request proceeds in the following manner:
79(10) The program then exits 0 and request_key() deletes key V and returns key 96(10) The program then exits 0 and request_key() deletes key V and returns key
80 U to the caller. 97 U to the caller.
81 98
82This also extends further. If key W (step 7 above) didn't exist, key W would be 99This also extends further. If key W (step 7 above) didn't exist, key W would
83created uninstantiated, another auth key (X) would be created (as per step 3) 100be created uninstantiated, another auth key (X) would be created (as per step
84and another copy of /sbin/request-key spawned (as per step 4); but the context 1013) and another copy of /sbin/request-key spawned (as per step 4); but the
85specified by auth key X will still be process A, as it was in auth key V. 102context specified by auth key X will still be process A, as it was in auth key
103V.
86 104
87This is because process A's keyrings can't simply be attached to 105This is because process A's keyrings can't simply be attached to
88/sbin/request-key at the appropriate places because (a) execve will discard two 106/sbin/request-key at the appropriate places because (a) execve will discard two
@@ -118,17 +136,17 @@ A search of any particular keyring proceeds in the following fashion:
118 136
119 (2) It considers all the non-keyring keys within that keyring and, if any key 137 (2) It considers all the non-keyring keys within that keyring and, if any key
120 matches the criteria specified, calls key_permission(SEARCH) on it to see 138 matches the criteria specified, calls key_permission(SEARCH) on it to see
121 if the key is allowed to be found. If it is, that key is returned; if 139 if the key is allowed to be found. If it is, that key is returned; if
122 not, the search continues, and the error code is retained if of higher 140 not, the search continues, and the error code is retained if of higher
123 priority than the one currently set. 141 priority than the one currently set.
124 142
125 (3) It then considers all the keyring-type keys in the keyring it's currently 143 (3) It then considers all the keyring-type keys in the keyring it's currently
126 searching. It calls key_permission(SEARCH) on each keyring, and if this 144 searching. It calls key_permission(SEARCH) on each keyring, and if this
127 grants permission, it recurses, executing steps (2) and (3) on that 145 grants permission, it recurses, executing steps (2) and (3) on that
128 keyring. 146 keyring.
129 147
130The process stops immediately a valid key is found with permission granted to 148The process stops immediately a valid key is found with permission granted to
131use it. Any error from a previous match attempt is discarded and the key is 149use it. Any error from a previous match attempt is discarded and the key is
132returned. 150returned.
133 151
134When search_process_keyrings() is invoked, it performs the following searches 152When search_process_keyrings() is invoked, it performs the following searches
@@ -153,7 +171,7 @@ The moment one succeeds, all pending errors are discarded and the found key is
153returned. 171returned.
154 172
155Only if all these fail does the whole thing fail with the highest priority 173Only if all these fail does the whole thing fail with the highest priority
156error. Note that several errors may have come from LSM. 174error. Note that several errors may have come from LSM.
157 175
158The error priority is: 176The error priority is:
159 177