Re: [RFC PATCH 5/5] SUNRPC: store GSS creds in keyrings

[Ben Boeckel <me@benboeckel.net>]

On Thu, Apr 20, 2023 at 16:20:04 -0400, Scott Mayhew wrote:
> This patch adds the option to store GSS credentials in keyrings as an
> alternative to the RPC credential cache, to give users the ability to
> destroy their GSS credentials on demand via 'keyctl unlink'.

Can documentation please be added to `Documentation/security/keys` about
this key type?

> Summary of the changes:
> 
> - Added key_type key_type_gss_cred and associated functions.  The
>   request_key function makes use of the existing upcall mechanism to
>   gssd.
> 
> - Added a keyring to the gss_auth struct to allow all of the assocated
>   GSS credentials to be destroyed on RPC client shutdown (when the
>   filesystem is unmounted).
> 
> - The key description contains the RPC client id, the user id, and the
>   principal (for machine creds).

What is the format of this within the bytes?

> - The key payload contains the address of the gss_cred.

What is the format of this within the bytes?

> - The key is linked to the user's user keyring (KEY_SPEC_USER_KEYRING)
>   as well as to the keyring on the gss_auth struct.

Where is this documented? Can the key be moved later?

> - gss_cred_init() now takes an optional pointer to an authkey, which is
>   passed down to gss_create_upcall() and gss_setup_upcall(), where it is
>   added to the gss_msg.  This is used for complete_request_key() after
>   the upcall is done.
> 
> - put_rpccred() now returns a bool to indicate whether it called
>   crdestroy(), and is used by gss_key_revoke() and gss_key_destroy() to
>   determine whether to clear the key payload.
> 
> - gss_fill_context() now returns the GSS context's timeout via the tout
>   parameter, which is used to set the timeout of the key.
> 
> - Added the module parameter 'use_keyring'.  When set to true, the GSS
>   credentials are stored in the keyrings.  When false, the GSS
>   credentials are stored in the RPC credential caches.
> 
> - Added a tracepoint to log the result of the key request, which prints
>   either the key serial or an error return value.
> 
> Signed-off-by: Scott Mayhew <smayhew@redhat.com>
> ---
>  include/linux/sunrpc/auth.h    |   4 +-
>  include/trace/events/rpcgss.h  |  46 ++++-
>  net/sunrpc/auth.c              |   9 +-
>  net/sunrpc/auth_gss/auth_gss.c | 338 +++++++++++++++++++++++++++++++--
>  4 files changed, 376 insertions(+), 21 deletions(-)

Thanks,

--Ben