keys: Include target namespace in match criteria
Currently a key has a standard matching criteria of { type, description }
and this is used to only allow keys with unique criteria in a keyring.
This means, however, that you cannot have keys with the same type and
description but a different target namespace in the same keyring.
This is a potential problem for a containerised environment where, say, a
container is made up of some parts of its mount space involving netfs
superblocks from two different network namespaces.
This is also a problem for shared system management keyrings such as the
DNS records keyring or the NFS idmapper keyring that might contain keys
from different network namespaces.
Fix this by including a namespace component in a key's matching criteria.
Keyring types are marked to indicate which, if any, namespace is relevant
to keys of that type, and that namespace is set when the key is created
from the current task's namespace set.
The capability bit KEYCTL_CAPS1_NS_KEY_TAG is set if the kernel is
employing this feature.
Signed-off-by: David Howells <dhowells@redhat.com>
This commit is contained in:
David Howells
@@ -154,7 +154,7 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
|
||||
atomic_dec(&key->user->nikeys);
|
||||
|
||||
key_user_put(key->user);
|
||||
|
||||
key_put_tag(key->domain_tag);
|
||||
kfree(key->description);
|
||||
|
||||
memzero_explicit(key, sizeof(*key));
|
||||
|
||||
@@ -317,6 +317,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
|
||||
goto security_error;
|
||||
|
||||
/* publish the key by giving it a serial number */
|
||||
refcount_inc(&key->domain_tag->usage);
|
||||
atomic_inc(&user->nkeys);
|
||||
key_alloc_serial(key);
|
||||
|
||||
|
||||
@@ -40,7 +40,8 @@ static const unsigned char keyrings_capabilities[2] = {
|
||||
KEYCTL_CAPS0_RESTRICT_KEYRING |
|
||||
KEYCTL_CAPS0_MOVE
|
||||
),
|
||||
[1] = (KEYCTL_CAPS1_NS_KEYRING_NAME),
|
||||
[1] = (KEYCTL_CAPS1_NS_KEYRING_NAME |
|
||||
KEYCTL_CAPS1_NS_KEY_TAG),
|
||||
};
|
||||
|
||||
static int key_get_type_from_user(char *type,
|
||||
|
||||
@@ -175,6 +175,9 @@ static void hash_key_type_and_desc(struct keyring_index_key *index_key)
|
||||
type = (unsigned long)index_key->type;
|
||||
acc = mult_64x32_and_fold(type, desc_len + 13);
|
||||
acc = mult_64x32_and_fold(acc, 9207);
|
||||
piece = (unsigned long)index_key->domain_tag;
|
||||
acc = mult_64x32_and_fold(acc, piece);
|
||||
acc = mult_64x32_and_fold(acc, 9207);
|
||||
|
||||
for (;;) {
|
||||
n = desc_len;
|
||||
@@ -208,16 +211,36 @@ static void hash_key_type_and_desc(struct keyring_index_key *index_key)
|
||||
|
||||
/*
|
||||
* Finalise an index key to include a part of the description actually in the
|
||||
* index key and to add in the hash too.
|
||||
* index key, to set the domain tag and to calculate the hash.
|
||||
*/
|
||||
void key_set_index_key(struct keyring_index_key *index_key)
|
||||
{
|
||||
static struct key_tag default_domain_tag = { .usage = REFCOUNT_INIT(1), };
|
||||
size_t n = min_t(size_t, index_key->desc_len, sizeof(index_key->desc));
|
||||
|
||||
memcpy(index_key->desc, index_key->description, n);
|
||||
|
||||
index_key->domain_tag = &default_domain_tag;
|
||||
hash_key_type_and_desc(index_key);
|
||||
}
|
||||
|
||||
/**
|
||||
* key_put_tag - Release a ref on a tag.
|
||||
* @tag: The tag to release.
|
||||
*
|
||||
* This releases a reference the given tag and returns true if that ref was the
|
||||
* last one.
|
||||
*/
|
||||
bool key_put_tag(struct key_tag *tag)
|
||||
{
|
||||
if (refcount_dec_and_test(&tag->usage)) {
|
||||
kfree_rcu(tag, rcu);
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/*
|
||||
* Build the next index key chunk.
|
||||
*
|
||||
@@ -238,8 +261,10 @@ static unsigned long keyring_get_key_chunk(const void *data, int level)
|
||||
return index_key->x;
|
||||
case 2:
|
||||
return (unsigned long)index_key->type;
|
||||
case 3:
|
||||
return (unsigned long)index_key->domain_tag;
|
||||
default:
|
||||
level -= 3;
|
||||
level -= 4;
|
||||
if (desc_len <= sizeof(index_key->desc))
|
||||
return 0;
|
||||
|
||||
@@ -268,6 +293,7 @@ static bool keyring_compare_object(const void *object, const void *data)
|
||||
const struct key *key = keyring_ptr_to_key(object);
|
||||
|
||||
return key->index_key.type == index_key->type &&
|
||||
key->index_key.domain_tag == index_key->domain_tag &&
|
||||
key->index_key.desc_len == index_key->desc_len &&
|
||||
memcmp(key->index_key.description, index_key->description,
|
||||
index_key->desc_len) == 0;
|
||||
@@ -309,6 +335,12 @@ static int keyring_diff_objects(const void *object, const void *data)
|
||||
goto differ;
|
||||
level += sizeof(unsigned long);
|
||||
|
||||
seg_a = (unsigned long)a->domain_tag;
|
||||
seg_b = (unsigned long)b->domain_tag;
|
||||
if ((seg_a ^ seg_b) != 0)
|
||||
goto differ;
|
||||
level += sizeof(unsigned long);
|
||||
|
||||
i = sizeof(a->desc);
|
||||
if (a->desc_len <= i)
|
||||
goto same;
|
||||
|
||||
@@ -84,6 +84,7 @@ static long key_get_persistent(struct user_namespace *ns, kuid_t uid,
|
||||
long ret;
|
||||
|
||||
/* Look in the register if it exists */
|
||||
memset(&index_key, 0, sizeof(index_key));
|
||||
index_key.type = &key_type_keyring;
|
||||
index_key.description = buf;
|
||||
index_key.desc_len = sprintf(buf, "_persistent.%u", from_kuid(ns, uid));
|
||||
|
||||
Reference in New Issue
Block a user