Date: Fri, 20 May 2016 14:27:47 -0500
From: "Serge E. Hallyn"
To: Gwendal Grignou
Cc: Gwendal Grignou, dhowells@redhat.com, james.l.morris@oracle.com, serge@hallyn.com, keyrings@vger.kernel.org, Linux Kernel, linux-security-module@vger.kernel.org, "Theodore Ts'o"
Subject: Re: [PATCH] keyrings: Allow searching the user session keyring
Message-ID: <20160520192747.GA11802@mail.hallyn.com>
References: <1457648428-34445-1-git-send-email-gwendal@chromium.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Sorry, I just don't know all the subtleties there, I think we just need
David's ack/nack here.

Quoting Gwendal Grignou (gwendal@google.com):
> Any feedback on this? It is mandatory if we want to mount an ecryptfs
> directory while the session keyring is used.
>
> Thanks,
> Gwendal.
>
> On Thu, Mar 17, 2016 at 10:04 AM, Gwendal Grignou wrote:
> > Resent to a larger audience.
> >
> > On Thu, Mar 10, 2016 at 2:20 PM, Gwendal Grignou wrote:
> >> Currently, if a session keyring exists, we are not searching in the
> >> user session or user keyrings.
> >>
> >> This is a problem when a session keyring exists and we want to use
> >> ecryptfs, which adds the needed key only in the user keyring.
> >>
> >> TEST=Without this change, mounting an ecryptfs "partition" fails when a
> >> session keyring exists:
> >> ...
> >> [ 2686.047522] Could not find key with description: [dd6f92bd8660b36c]
> >> ...
> >> Although the key exists:
> >> keyctl show @us
> >> Keyring
> >> 549666721 --alswrv 0 65534 keyring: _uid_ses.0
> >> 346719914 --alswrv 0 65534 \_ keyring: _uid.0
> >> 235623693 --alswrv 0 0 \_ user: dd6f92bd8660b36c
> >> 747773852 --alswrv 0 0 \_ user: 7025717e50fd74a2
> >> With this change, ecryptfs can see the keys it needs.
> >>
> >> Note that 'keyctl show' still only shows the session keyring by default.
> >> We need to specify 'keyctl show @us' to see the user session keyring
> >> when the session keyring exists.
> >>
> >> Signed-off-by: Gwendal Grignou
> >> ---
> >> security/keys/process_keys.c | 4 ++--
> >> 1 file changed, 2 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
> >> index e6d50172..a77d66e 100644
> >> --- a/security/keys/process_keys.c
> >> +++ b/security/keys/process_keys.c
> >> @@ -395,8 +395,8 @@ key_ref_t search_my_process_keyrings(struct keyring_search_context *ctx)
> >> break;
> >> }
> >> }
> >> - /* or search the user-session keyring */
> >> - else if (ctx->cred->user->session_keyring) {
> >> + /* finally search the user-session keyring */
> >> + if (ctx->cred->user->session_keyring) {
> >> key_ref = keyring_search_aux(
> >> make_key_ref(ctx->cred->user->session_keyring, 1),
> >> ctx);
> >> --
> >> 2.7.0.rc3.207.g0ac5344
> >>
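Review bot: turning `else if` into `if` on the user-session block changes what the old `/* or search the user-session keyring */` comment describes as a fallback into an unconditional second lookup, so a process that was deliberately given its own session keyring (one way to keep it from resolving keys held in its UID's user keyring) will now also find keys through `ctx->cred->user->session_keyring`; the commit message and the new comment should say that this widening of the search scope is intended and why it is acceptable, not only that ecryptfs needs it, and any documentation of the keyring search order should be updated in the same patch. The hunk also does not show how the session-keyring branch above ends, so confirm that it leaves the function when it finds a key; otherwise the unconditional `key_ref = keyring_search_aux(...)` in the new block overwrites a hit from the session keyring with whatever the user-session search returns.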