Commit f36f8c75ae2e7d4da34f4c908cebdb4aa42c977e
1 parent
ab3c3587f8
Exists in
master
and in
16 other branches
KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
Add support for per-user_namespace registers of persistent per-UID kerberos caches held within the kernel. This allows the kerberos cache to be retained beyond the life of all a user's processes so that the user's cron jobs can work. The kerberos cache is envisioned as a keyring/key tree looking something like: struct user_namespace \___ .krb_cache keyring - The register \___ _krb.0 keyring - Root's Kerberos cache \___ _krb.5000 keyring - User 5000's Kerberos cache \___ _krb.5001 keyring - User 5001's Kerberos cache \___ tkt785 big_key - A ccache blob \___ tkt12345 big_key - Another ccache blob Or possibly: struct user_namespace \___ .krb_cache keyring - The register \___ _krb.0 keyring - Root's Kerberos cache \___ _krb.5000 keyring - User 5000's Kerberos cache \___ _krb.5001 keyring - User 5001's Kerberos cache \___ tkt785 keyring - A ccache \___ krbtgt/REDHAT.COM@REDHAT.COM big_key \___ http/REDHAT.COM@REDHAT.COM user \___ afs/REDHAT.COM@REDHAT.COM user \___ nfs/REDHAT.COM@REDHAT.COM user \___ krbtgt/KERNEL.ORG@KERNEL.ORG big_key \___ http/KERNEL.ORG@KERNEL.ORG big_key What goes into a particular Kerberos cache is entirely up to userspace. Kernel support is limited to giving you the Kerberos cache keyring that you want. The user asks for their Kerberos cache by: krb_cache = keyctl_get_krbcache(uid, dest_keyring); The uid is -1 or the user's own UID for the user's own cache or the uid of some other user's cache (requires CAP_SETUID). This permits rpc.gssd or whatever to mess with the cache. The cache returned is a keyring named "_krb.<uid>" that the possessor can read, search, clear, invalidate, unlink from and add links to. Active LSMs get a chance to rule on whether the caller is permitted to make a link. Each uid's cache keyring is created when it first accessed and is given a timeout that is extended each time this function is called so that the keyring goes away after a while. The timeout is configurable by sysctl but defaults to three days. Each user_namespace struct gets a lazily-created keyring that serves as the register. The cache keyrings are added to it. This means that standard key search and garbage collection facilities are available. The user_namespace struct's register goes away when it does and anything left in it is then automatically gc'd. Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Simo Sorce <simo@redhat.com> cc: Serge E. Hallyn <serge.hallyn@ubuntu.com> cc: Eric W. Biederman <ebiederm@xmission.com>
Showing 11 changed files with 230 additions and 0 deletions Side-by-side Diff
include/linux/user_namespace.h
... | ... | @@ -27,6 +27,12 @@ |
27 | 27 | kuid_t owner; |
28 | 28 | kgid_t group; |
29 | 29 | unsigned int proc_inum; |
30 | + | |
31 | + /* Register of per-UID persistent keyrings for this namespace */ | |
32 | +#ifdef CONFIG_PERSISTENT_KEYRINGS | |
33 | + struct key *persistent_keyring_register; | |
34 | + struct rw_semaphore persistent_keyring_register_sem; | |
35 | +#endif | |
30 | 36 | }; |
31 | 37 | |
32 | 38 | extern struct user_namespace init_user_ns; |
include/uapi/linux/keyctl.h
... | ... | @@ -56,6 +56,7 @@ |
56 | 56 | #define KEYCTL_REJECT 19 /* reject a partially constructed key */ |
57 | 57 | #define KEYCTL_INSTANTIATE_IOV 20 /* instantiate a partially constructed key */ |
58 | 58 | #define KEYCTL_INVALIDATE 21 /* invalidate a key */ |
59 | +#define KEYCTL_GET_PERSISTENT 22 /* get a user's persistent keyring */ | |
59 | 60 | |
60 | 61 | #endif /* _LINUX_KEYCTL_H */ |
kernel/user.c
... | ... | @@ -51,6 +51,10 @@ |
51 | 51 | .owner = GLOBAL_ROOT_UID, |
52 | 52 | .group = GLOBAL_ROOT_GID, |
53 | 53 | .proc_inum = PROC_USER_INIT_INO, |
54 | +#ifdef CONFIG_KEYS_KERBEROS_CACHE | |
55 | + .krb_cache_register_sem = | |
56 | + __RWSEM_INITIALIZER(init_user_ns.krb_cache_register_sem), | |
57 | +#endif | |
54 | 58 | }; |
55 | 59 | EXPORT_SYMBOL_GPL(init_user_ns); |
56 | 60 |
kernel/user_namespace.c
... | ... | @@ -101,6 +101,9 @@ |
101 | 101 | |
102 | 102 | set_cred_user_ns(new, ns); |
103 | 103 | |
104 | +#ifdef CONFIG_PERSISTENT_KEYRINGS | |
105 | + init_rwsem(&ns->persistent_keyring_register_sem); | |
106 | +#endif | |
104 | 107 | return 0; |
105 | 108 | } |
106 | 109 | |
... | ... | @@ -130,6 +133,9 @@ |
130 | 133 | |
131 | 134 | do { |
132 | 135 | parent = ns->parent; |
136 | +#ifdef CONFIG_PERSISTENT_KEYRINGS | |
137 | + key_put(ns->persistent_keyring_register); | |
138 | +#endif | |
133 | 139 | proc_free_inum(ns->proc_inum); |
134 | 140 | kmem_cache_free(user_ns_cachep, ns); |
135 | 141 | ns = parent; |
security/keys/Kconfig
... | ... | @@ -20,6 +20,23 @@ |
20 | 20 | |
21 | 21 | If you are unsure as to whether this is required, answer N. |
22 | 22 | |
23 | +config PERSISTENT_KEYRINGS | |
24 | + bool "Enable register of persistent per-UID keyrings" | |
25 | + depends on KEYS | |
26 | + help | |
27 | + This option provides a register of persistent per-UID keyrings, | |
28 | + primarily aimed at Kerberos key storage. The keyrings are persistent | |
29 | + in the sense that they stay around after all processes of that UID | |
30 | + have exited, not that they survive the machine being rebooted. | |
31 | + | |
32 | + A particular keyring may be accessed by either the user whose keyring | |
33 | + it is or by a process with administrative privileges. The active | |
34 | + LSMs gets to rule on which admin-level processes get to access the | |
35 | + cache. | |
36 | + | |
37 | + Keyrings are created and added into the register upon demand and get | |
38 | + removed if they expire (a default timeout is set upon creation). | |
39 | + | |
23 | 40 | config BIG_KEYS |
24 | 41 | tristate "Large payload keys" |
25 | 42 | depends on KEYS |
security/keys/Makefile
security/keys/compat.c
security/keys/internal.h
... | ... | @@ -255,6 +255,15 @@ |
255 | 255 | extern long keyctl_instantiate_key_common(key_serial_t, |
256 | 256 | const struct iovec *, |
257 | 257 | unsigned, size_t, key_serial_t); |
258 | +#ifdef CONFIG_PERSISTENT_KEYRINGS | |
259 | +extern long keyctl_get_persistent(uid_t, key_serial_t); | |
260 | +extern unsigned persistent_keyring_expiry; | |
261 | +#else | |
262 | +static inline long keyctl_get_persistent(uid_t uid, key_serial_t destring) | |
263 | +{ | |
264 | + return -EOPNOTSUPP; | |
265 | +} | |
266 | +#endif | |
258 | 267 | |
259 | 268 | /* |
260 | 269 | * Debugging key validation |
security/keys/keyctl.c
... | ... | @@ -1667,6 +1667,9 @@ |
1667 | 1667 | case KEYCTL_INVALIDATE: |
1668 | 1668 | return keyctl_invalidate_key((key_serial_t) arg2); |
1669 | 1669 | |
1670 | + case KEYCTL_GET_PERSISTENT: | |
1671 | + return keyctl_get_persistent((uid_t)arg2, (key_serial_t)arg3); | |
1672 | + | |
1670 | 1673 | default: |
1671 | 1674 | return -EOPNOTSUPP; |
1672 | 1675 | } |
security/keys/persistent.c
1 | +/* General persistent per-UID keyrings register | |
2 | + * | |
3 | + * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved. | |
4 | + * Written by David Howells (dhowells@redhat.com) | |
5 | + * | |
6 | + * This program is free software; you can redistribute it and/or | |
7 | + * modify it under the terms of the GNU General Public Licence | |
8 | + * as published by the Free Software Foundation; either version | |
9 | + * 2 of the Licence, or (at your option) any later version. | |
10 | + */ | |
11 | + | |
12 | +#include <linux/user_namespace.h> | |
13 | +#include "internal.h" | |
14 | + | |
15 | +unsigned persistent_keyring_expiry = 3 * 24 * 3600; /* Expire after 3 days of non-use */ | |
16 | + | |
17 | +/* | |
18 | + * Create the persistent keyring register for the current user namespace. | |
19 | + * | |
20 | + * Called with the namespace's sem locked for writing. | |
21 | + */ | |
22 | +static int key_create_persistent_register(struct user_namespace *ns) | |
23 | +{ | |
24 | + struct key *reg = keyring_alloc(".persistent_register", | |
25 | + KUIDT_INIT(0), KGIDT_INIT(0), | |
26 | + current_cred(), | |
27 | + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | | |
28 | + KEY_USR_VIEW | KEY_USR_READ), | |
29 | + KEY_ALLOC_NOT_IN_QUOTA, NULL); | |
30 | + if (IS_ERR(reg)) | |
31 | + return PTR_ERR(reg); | |
32 | + | |
33 | + ns->persistent_keyring_register = reg; | |
34 | + return 0; | |
35 | +} | |
36 | + | |
37 | +/* | |
38 | + * Create the persistent keyring for the specified user. | |
39 | + * | |
40 | + * Called with the namespace's sem locked for writing. | |
41 | + */ | |
42 | +static key_ref_t key_create_persistent(struct user_namespace *ns, kuid_t uid, | |
43 | + struct keyring_index_key *index_key) | |
44 | +{ | |
45 | + struct key *persistent; | |
46 | + key_ref_t reg_ref, persistent_ref; | |
47 | + | |
48 | + if (!ns->persistent_keyring_register) { | |
49 | + long err = key_create_persistent_register(ns); | |
50 | + if (err < 0) | |
51 | + return ERR_PTR(err); | |
52 | + } else { | |
53 | + reg_ref = make_key_ref(ns->persistent_keyring_register, true); | |
54 | + persistent_ref = find_key_to_update(reg_ref, index_key); | |
55 | + if (persistent_ref) | |
56 | + return persistent_ref; | |
57 | + } | |
58 | + | |
59 | + persistent = keyring_alloc(index_key->description, | |
60 | + uid, INVALID_GID, current_cred(), | |
61 | + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | | |
62 | + KEY_USR_VIEW | KEY_USR_READ), | |
63 | + KEY_ALLOC_NOT_IN_QUOTA, | |
64 | + ns->persistent_keyring_register); | |
65 | + if (IS_ERR(persistent)) | |
66 | + return ERR_CAST(persistent); | |
67 | + | |
68 | + return make_key_ref(persistent, true); | |
69 | +} | |
70 | + | |
71 | +/* | |
72 | + * Get the persistent keyring for a specific UID and link it to the nominated | |
73 | + * keyring. | |
74 | + */ | |
75 | +static long key_get_persistent(struct user_namespace *ns, kuid_t uid, | |
76 | + key_ref_t dest_ref) | |
77 | +{ | |
78 | + struct keyring_index_key index_key; | |
79 | + struct key *persistent; | |
80 | + key_ref_t reg_ref, persistent_ref; | |
81 | + char buf[32]; | |
82 | + long ret; | |
83 | + | |
84 | + /* Look in the register if it exists */ | |
85 | + index_key.type = &key_type_keyring; | |
86 | + index_key.description = buf; | |
87 | + index_key.desc_len = sprintf(buf, "_persistent.%u", from_kuid(ns, uid)); | |
88 | + | |
89 | + if (ns->persistent_keyring_register) { | |
90 | + reg_ref = make_key_ref(ns->persistent_keyring_register, true); | |
91 | + down_read(&ns->persistent_keyring_register_sem); | |
92 | + persistent_ref = find_key_to_update(reg_ref, &index_key); | |
93 | + up_read(&ns->persistent_keyring_register_sem); | |
94 | + | |
95 | + if (persistent_ref) | |
96 | + goto found; | |
97 | + } | |
98 | + | |
99 | + /* It wasn't in the register, so we'll need to create it. We might | |
100 | + * also need to create the register. | |
101 | + */ | |
102 | + down_write(&ns->persistent_keyring_register_sem); | |
103 | + persistent_ref = key_create_persistent(ns, uid, &index_key); | |
104 | + up_write(&ns->persistent_keyring_register_sem); | |
105 | + if (!IS_ERR(persistent_ref)) | |
106 | + goto found; | |
107 | + | |
108 | + return PTR_ERR(persistent_ref); | |
109 | + | |
110 | +found: | |
111 | + ret = key_task_permission(persistent_ref, current_cred(), KEY_LINK); | |
112 | + if (ret == 0) { | |
113 | + persistent = key_ref_to_ptr(persistent_ref); | |
114 | + ret = key_link(key_ref_to_ptr(dest_ref), persistent); | |
115 | + if (ret == 0) { | |
116 | + key_set_timeout(persistent, persistent_keyring_expiry); | |
117 | + ret = persistent->serial; | |
118 | + } | |
119 | + } | |
120 | + | |
121 | + key_ref_put(persistent_ref); | |
122 | + return ret; | |
123 | +} | |
124 | + | |
125 | +/* | |
126 | + * Get the persistent keyring for a specific UID and link it to the nominated | |
127 | + * keyring. | |
128 | + */ | |
129 | +long keyctl_get_persistent(uid_t _uid, key_serial_t destid) | |
130 | +{ | |
131 | + struct user_namespace *ns = current_user_ns(); | |
132 | + key_ref_t dest_ref; | |
133 | + kuid_t uid; | |
134 | + long ret; | |
135 | + | |
136 | + /* -1 indicates the current user */ | |
137 | + if (_uid == (uid_t)-1) { | |
138 | + uid = current_uid(); | |
139 | + } else { | |
140 | + uid = make_kuid(ns, _uid); | |
141 | + if (!uid_valid(uid)) | |
142 | + return -EINVAL; | |
143 | + | |
144 | + /* You can only see your own persistent cache if you're not | |
145 | + * sufficiently privileged. | |
146 | + */ | |
147 | + if (uid_eq(uid, current_uid()) && | |
148 | + uid_eq(uid, current_suid()) && | |
149 | + uid_eq(uid, current_euid()) && | |
150 | + uid_eq(uid, current_fsuid()) && | |
151 | + !ns_capable(ns, CAP_SETUID)) | |
152 | + return -EPERM; | |
153 | + } | |
154 | + | |
155 | + /* There must be a destination keyring */ | |
156 | + dest_ref = lookup_user_key(destid, KEY_LOOKUP_CREATE, KEY_WRITE); | |
157 | + if (IS_ERR(dest_ref)) | |
158 | + return PTR_ERR(dest_ref); | |
159 | + if (key_ref_to_ptr(dest_ref)->type != &key_type_keyring) { | |
160 | + ret = -ENOTDIR; | |
161 | + goto out_put_dest; | |
162 | + } | |
163 | + | |
164 | + ret = key_get_persistent(ns, uid, dest_ref); | |
165 | + | |
166 | +out_put_dest: | |
167 | + key_ref_put(dest_ref); | |
168 | + return ret; | |
169 | +} |
security/keys/sysctl.c
... | ... | @@ -61,6 +61,17 @@ |
61 | 61 | .extra1 = (void *) &zero, |
62 | 62 | .extra2 = (void *) &max, |
63 | 63 | }, |
64 | +#ifdef CONFIG_PERSISTENT_KEYRINGS | |
65 | + { | |
66 | + .procname = "persistent_keyring_expiry", | |
67 | + .data = &persistent_keyring_expiry, | |
68 | + .maxlen = sizeof(unsigned), | |
69 | + .mode = 0644, | |
70 | + .proc_handler = proc_dointvec_minmax, | |
71 | + .extra1 = (void *) &zero, | |
72 | + .extra2 = (void *) &max, | |
73 | + }, | |
74 | +#endif | |
64 | 75 | { } |
65 | 76 | }; |