From: Ian Kent <raven@themaw.net>
To: Kernel Mailing List <linux-kernel@vger.kernel.org>
Cc: David Howells <dhowells@redhat.com>,
	Oleg Nesterov <onestero@redhat.com>,
	Trond Myklebust <trond.myklebust@primarydata.com>,
	"J. Bruce Fields" <bfields@fieldses.org>,
	Benjamin Coddington <bcodding@redhat.com>,
	Al Viro <viro@ZenIV.linux.org.uk>,
	Jeff Layton <jeff.layton@primarydata.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>
Subject: [RFC PATCH v4 12/12] KEYS: exec request-key within the requesting task's init namespace
Date: Tue, 17 Mar 2015 10:46:08 +0800
Message-ID: <20150317024607.24592.67322.stgit@pluto.fritz.box>
In-Reply-To: <20150317022308.24592.35785.stgit@pluto.fritz.box>

From: Ian Kent <ikent@redhat.com>

Containerized request key helper callbacks need the ability to execute
a binary in a container's context. To do this, calling an in-kernel
equivalent of setns(2) should be sufficient since the user mode helper
execution kernel thread ultimately calls do_execve().

Signed-off-by: Ian Kent <ikent@redhat.com>
Cc: Benjamin Coddington <bcodding@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: J. Bruce Fields <bfields@fieldses.org>
Cc: David Howells <dhowells@redhat.com>
Cc: Trond Myklebust <trond.myklebust@primarydata.com>
Cc: Oleg Nesterov <onestero@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Jeff Layton <jeff.layton@primarydata.com>
---
 include/linux/key.h         |    3 +++
 security/keys/gc.c          |    2 ++
 security/keys/key.c         |    4 ++++
 security/keys/request_key.c |   35 +++++++++++++++++++++++++++++++++--
 4 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/include/linux/key.h b/include/linux/key.h
index e1d4715..89dc2d7 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -209,6 +209,9 @@ struct key {
 		} payload;
 		struct assoc_array keys;
 	};
+
+	/* Namespace token */
+	long umh_token;
 };
 
 extern struct key *key_alloc(struct key_type *type,
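Review bot: the new `umh_token` field carries only the comment `/* Namespace token */`, yet the rest of this patch depends on its value (key.c sets it only when the task is outside the init net namespace, request_key.c dispatches on `if (key->umh_token)` and rejects `token <= 0`); the comment should state that 0 means "no token, run the helper in the init namespace", that the field is taken with `umh_ns_get_token()` and released with `umh_ns_put_token()` in gc.c, and that it is never expected to hold a negative value.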
diff --git a/security/keys/gc.c b/security/keys/gc.c
index c795237..57a0730 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -156,6 +156,8 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
 
 		kfree(key->description);
 
+		umh_ns_put_token(key->umh_token);
+
 #ifdef KEY_DEBUGGING
 		key->magic = KEY_DEBUG_MAGIC_X;
 #endif
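Review bot: `umh_ns_put_token(key->umh_token)` runs for every key being freed, including the common case where `umh_token` is still 0 because key_alloc() never took a token. Unless the token API is documented to treat 0 as a no-op, guard the call with `if (key->umh_token)` so a key that never held a reference cannot drop one.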
diff --git a/security/keys/key.c b/security/keys/key.c
index aee2ec5..e7ab89d 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -18,6 +18,7 @@
 #include <linux/workqueue.h>
 #include <linux/random.h>
 #include <linux/err.h>
+#include <net/net_namespace.h>
 #include "internal.h"
 
 struct kmem_cache *key_jar;
@@ -309,6 +310,9 @@ struct key *key_alloc(struct key_type *type, const char *desc,
 	/* publish the key by giving it a serial number */
 	atomic_inc(&user->nkeys);
 	key_alloc_serial(key);
+	/* If running within a container use the container namespace */
+	if (current->nsproxy->net_ns != &init_net)
+		key->umh_token = umh_ns_get_token(0);
 
 error:
 	return key;
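Review bot: the return value of `umh_ns_get_token(0)` is stored unchecked, so if it reports failure as a negative value that value lands in `key->umh_token`; the `if (key->umh_token)` test in request_key.c then treats it as a real token and call_usermodehelper_keys_ns() fails with -EINVAL instead of falling back to the init-namespace path. Either check for an error here and leave the field 0, or document that the function can only return 0 or a positive token. Separately, `current->nsproxy->net_ns != &init_net` uses the network namespace as the sole indicator of "running within a container", while the helper will execute in whatever namespaces the token captures; a comment explaining why net_ns is the chosen proxy, and what happens for a task with its own mount or pid namespace but the host net namespace, would help reviewers.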
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index e865f9f..16ac3b0 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -90,6 +90,31 @@ static int call_usermodehelper_keys(char *path, char **argv, char **envp,
 }
 
 /*
+ * Call a usermode helper with a specific session keyring and execute
+ * within a namespace.
+ */
+static int call_usermodehelper_keys_ns(char *path, char **argv, char **envp,
+					struct key *session_keyring,
+					unsigned int wait, long token)
+{
+	struct subprocess_info *info;
+	unsigned int gfp_mask = (wait & UMH_NO_WAIT) ?
+					GFP_ATOMIC : GFP_KERNEL;
+
+	if (token <= 0)
+		return -EINVAL;
+
+	info = call_usermodehelper_setup_ns(path, argv, envp, gfp_mask,
+					    umh_keys_init, umh_keys_cleanup,
+					    session_keyring, token);
+	if (!info)
+		return -ENOMEM;
+
+	key_get(session_keyring);
+	return call_usermodehelper_exec(info, wait|UMH_USE_NS);
+}
+
+/*
  * Request userspace finish the construction of a key
  * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
  */
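Review bot: `gfp_mask` should be declared `gfp_t` rather than `unsigned int`; gfp flags are a sparse-annotated type and the mismatch will warn. Also, call_usermodehelper_keys_ns() repeats call_usermodehelper_keys() except for the `call_usermodehelper_setup_ns()` call and the `UMH_USE_NS` flag, so the two copies will drift apart; consider a single function taking the token, with token 0 selecting the existing non-namespace path, which would also remove the if/else added to call_sbin_request_key() in the last hunk.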
@@ -104,6 +129,7 @@ static int call_sbin_request_key(struct key_construction *cons,
 	char *argv[9], *envp[3], uid_str[12], gid_str[12];
 	char key_str[12], keyring_str[3][12];
 	char desc[20];
+	unsigned int wait = UMH_WAIT_PROC;
 	int ret, i;
 
 	kenter("{%d},{%d},%s", key->serial, authkey->serial, op);
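Review bot: `wait` is initialised to UMH_WAIT_PROC and never reassigned, so the new local only shortens the two call sites in the last hunk; either make it `const unsigned int` or keep passing UMH_WAIT_PROC directly, so a reader is not left looking for the assignment that would make the helper asynchronous.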
@@ -174,8 +200,13 @@ static int call_sbin_request_key(struct key_construction *cons,
 	argv[i] = NULL;
 
 	/* do it */
-	ret = call_usermodehelper_keys(argv[0], argv, envp, keyring,
-				       UMH_WAIT_PROC);
+	/* If running within a container use the container namespace */
+	if (key->umh_token)
+		ret = call_usermodehelper_keys_ns(argv[0], argv, envp,
+					       keyring, wait, key->umh_token);
+	else
+		ret = call_usermodehelper_keys(argv[0],
+					       argv, envp, keyring, wait);
 	kdebug("usermode -> 0x%x", ret);
 	if (ret >= 0) {
 		/* ret is the exit/wait code */
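Review bot: `if (key->umh_token)` is also true for a negative value, while call_usermodehelper_keys_ns() rejects `token <= 0` with -EINVAL, so a key whose token acquisition failed in key_alloc() would never fall back to call_usermodehelper_keys(); test `key->umh_token > 0` here, or guarantee in key_alloc() that the field is never negative. The comment `/* If running within a container use the container namespace */` also reads as if the check were against the current task, whereas the decision is made from the token stored on the key at allocation time; saying so makes the control flow clearer.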

