From: David Howells <dhowells@redhat.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: dhowells@redhat.com, d.kasatkin@samsung.com,
Mimi Zohar <zohar@us.ibm.com>,
keyrings@linux-nfs.org, linux-security-module@vger.kernel.org,
linux-kernel <linux-kernel@vger.kernel.org>,
David Safford <safford@linux.vnet.ibm.com>
Subject: Re: [RFC][PATCH 0/9] encrypted keys & key control op
Date: Tue, 12 Nov 2013 16:19:42 +0000 [thread overview]
Message-ID: <1567.1384273182@warthog.procyon.org.uk> (raw)
In-Reply-To: <1384215971.18684.172.camel@dhcp-9-2-203-236.watson.ibm.com>
Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > > I'm sure there is/was a good reason for add_key() to do both.
> >
> > Yes. No race.
> >
> > > > But you can't pre-search for the existence of a key and mould the
> > > > payload accordingly because that means you can race against both
> > > > add_key() and keyctl_unlink().
> > >
> > > Would this still be the case, if you differentiated between
> > > instantiating and updating a key?
> >
> > Yes. Imagine, you try to add a key and it gets rejected because the key
> > already exists. You then try to update the existing key, but that gets
> > rejected because someone unlinked the key in the meantime. So you try and
> > add it again, but this now fails because someone added a new key. Repeat.
>
> A counter example would be two processes, having nothing to do with each
> other, attempt to a create a key with the same name. Instead of each
> process getting its own key, they land up sharing the same key.
> Not only are they sharing the same key, but neither process knows that
> there is another process using the same key. I would think this is a
> bigger problem.
>
> Failing to create/update a key, at least to me, seems safer than having
> two apps trying to create a key with same name, but instead land up
> using the same key.
Yes. Two keys of the same type with the same description should be able to
substitute for one another and should be able to fulfil the same roll. Safety
should not be an issue.
> > Or add_key() could immediately displace a key someone else just added,
> > leaving them with a key ID that disappeared as soon as it was returned due
> > to an add/add race.
>
> This is a separate issue. If a key/keyring exists, a new key/keyring,
> with the same name, should not be created replacing the existing
> key/keyring. It should simply fail. (Removing a key/keyring first,
> before creating a key/keyring of the same name, is different.)
If you have a key type that's not "updateable" then you'd have to unlink it
before trying to add a new one. This would give you a gap in time where the
key does not exist.
So, no, creating a new key with the same name *should* atomically displace an
old one if it exists - if it doesn't update it instead. Note that keys have an
"under construction" concept so that the core can create a partially formed key
and then instantiate it at its leisure whilst using it to block those that
would like to use it.
David
next prev parent reply other threads:[~2013-11-12 16:21 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-04 16:22 [RFC][PATCH 0/9] encrypted keys & key control op David Howells
2013-11-04 16:22 ` [PATCH 1/9] KEYS: The RSA public key algorithm needs to select MPILIB David Howells
2013-11-04 16:22 ` [PATCH 2/9] KEYS: Provide a generic instantiation function David Howells
2013-11-04 16:22 ` [PATCH 3/9] KEYS: struct key_preparsed_payload should have two payload pointers David Howells
2013-11-04 16:22 ` [PATCH 4/9] KEYS: Allow expiry time to be set when preparsing a key David Howells
2013-11-04 16:22 ` [PATCH 5/9] KEYS: Call ->free_preparse() even after ->preparse() returns an error David Howells
2013-11-04 16:23 ` [PATCH 6/9] KEYS: Trusted: Use key preparsing David Howells
2013-11-13 16:49 ` Mimi Zohar
2013-11-14 15:50 ` David Howells
2013-11-04 16:23 ` [PATCH 7/9] KEYS: Add a keyctl function to alter/control a key in type-dependent way David Howells
2013-11-04 16:23 ` [PATCH 8/9] KEYS: Implement keyctl control for encrypted keys David Howells
2013-11-04 16:23 ` [PATCH 9/9] KEYS: Fix encrypted key type update method David Howells
2013-11-13 18:45 ` Mimi Zohar
2013-11-14 17:59 ` David Howells
2013-11-17 3:51 ` Mimi Zohar
2013-11-17 9:17 ` David Howells
2013-11-17 13:43 ` Mimi Zohar
2013-11-06 17:20 ` [RFC][PATCH 0/9] encrypted keys & key control op Dmitry Kasatkin
2013-11-06 17:42 ` David Howells
2013-11-11 12:14 ` Mimi Zohar
2013-11-11 22:34 ` David Howells
2013-11-12 0:26 ` Mimi Zohar
2013-11-12 16:19 ` David Howells [this message]
2013-11-11 16:32 ` Mimi Zohar
2013-11-11 22:35 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1567.1384273182@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=d.kasatkin@samsung.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=safford@linux.vnet.ibm.com \
--cc=zohar@linux.vnet.ibm.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.