Commit 454804ab0302b354e35d992d08e53fe03313baaf

Authored by Serge E. Hallyn
Committed by James Morris
1 parent 2ea190d0a0

keys: make procfiles per-user-namespace

Restrict the /proc/keys and /proc/key-users output to keys
belonging to the same user namespace as the reading task.

We may want to make this more complicated - so that any
keys in a user namespace which belongs to the reading
task are also shown.  But let's see if anyone wants that
first.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

Showing 1 changed file with 49 additions and 6 deletions

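--- a/security/keys/proc.c
+++ b/security/keys/proc.c
@@ -91,6 +91,28 @@
 */
 #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
 
+static struct rb_node *__key_serial_next(struct rb_node *n)
+{
+ while (n) {
+ struct key *key = rb_entry(n, struct key, serial_node);
+ if (key->user->user_ns == current_user_ns())
+ break;
+ n = rb_next(n);
+ }
+ return n;
+}
+
+static struct rb_node *key_serial_next(struct rb_node *n)
+{
+ return __key_serial_next(rb_next(n));
+}
+
+static struct rb_node *key_serial_first(struct rb_root *r)
+{
+ struct rb_node *n = rb_first(r);
+ return __key_serial_next(n);
+}
+
 static int proc_keys_open(struct inode *inode, struct file *file)
 {
 return seq_open(file, &proc_keys_ops);
 
@@ -104,10 +126,10 @@
 
 spin_lock(&key_serial_lock);
 
- _p = rb_first(&key_serial_tree);
+ _p = key_serial_first(&key_serial_tree);
 while (pos > 0 && _p) {
 pos--;
- _p = rb_next(_p);
+ _p = key_serial_next(_p);
 }
 
 return _p;
@@ -117,7 +139,7 @@
 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos)
 {
 (*_pos)++;
- return rb_next((struct rb_node *) v);
+ return key_serial_next((struct rb_node *) v);
 
 }
 
@@ -203,6 +225,27 @@
 
 #endif /* CONFIG_KEYS_DEBUG_PROC_KEYS */
 
+static struct rb_node *__key_user_next(struct rb_node *n)
+{
+ while (n) {
+ struct key_user *user = rb_entry(n, struct key_user, node);
+ if (user->user_ns == current_user_ns())
+ break;
+ n = rb_next(n);
+ }
+ return n;
+}
+
+static struct rb_node *key_user_next(struct rb_node *n)
+{
+ return __key_user_next(rb_next(n));
+}
+
+static struct rb_node *key_user_first(struct rb_root *r)
+{
+ struct rb_node *n = rb_first(r);
+ return __key_user_next(n);
+}
 /*****************************************************************************/
 /*
 * implement "/proc/key-users" to provides a list of the key users
 
@@ -220,10 +263,10 @@
 
 spin_lock(&key_user_lock);
 
- _p = rb_first(&key_user_tree);
+ _p = key_user_first(&key_user_tree);
 while (pos > 0 && _p) {
 pos--;
- _p = rb_next(_p);
+ _p = key_user_next(_p);
 }
 
 return _p;
@@ -233,7 +276,7 @@
 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos)
 {
 (*_pos)++;
- return rb_next((struct rb_node *) v);
+ return key_user_next((struct rb_node *) v);
 
 }
 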
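Review bot: The namespace filter in `__key_serial_next` (and `__key_user_next`) calls `current_user_ns()` on every iteration of every read, so the view is bound to whoever calls read() rather than to the task that opened the file; `proc_keys_open` still calls plain `seq_open` with no private state, and `proc_keys_start` re-skips `pos` entries from `key_serial_first` under whatever namespace the current reader happens to have. If a descriptor is read from a different user namespace than it was opened in (an inherited fd after unshare, or one passed over a socket), the skip count then refers to a differently filtered sequence and entries can be dropped or repeated across read() calls — an inconsistency rather than a leak, since each reader only ever sees keys from its own namespace. At minimum the contract should be stated above both helper pairs, e.g. `/* Skip nodes owned by a user namespace other than the caller's; the namespace is the reader's at read() time, and the tree lock must be held. */`; if output stable across namespace changes matters, the alternative is to capture `current_user_ns()` at open() (holding a reference) in `seq->private` and compare against that instead. Separately, the two helper triples are duplicates apart from the struct type and could share one implementation, and a task in the initial user namespace now loses sight of keys created in child namespaces, which the description already flags as an open question.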