@@ -42,6 +42,7 @@ struct container {
struct list_head members; /* Member processes, guarded with ->lock */
struct list_head child_link; /* Link in parent->children */
struct list_head children; /* Child containers */
+ struct list_head req_key_traps; /* Traps for request-key upcalls */
wait_queue_head_t waitq; /* Someone waiting for init to exit waits here */
unsigned long flags;
#define CONTAINER_FLAG_INIT_STARTED 0 /* Init is started - certain ops now prohibited */
@@ -60,6 +61,7 @@ extern int copy_container(unsigned long flags, struct task_struct *tsk,
struct container *container);
extern void exit_container(struct task_struct *tsk);
extern void put_container(struct container *c);
+extern long key_del_intercept(struct container *c, const char *type);
static inline struct container *get_container(struct container *c)
{
@@ -66,7 +66,7 @@ struct key_match_data {
*/
struct key_type {
/* name of the type */
- const char *name;
+ const char name[24];
/* default payload length for quota precalculation (optional)
* - this can be used instead of calling key_payload_reserve(), that
@@ -68,6 +68,7 @@
#define KEYCTL_PKEY_VERIFY 28 /* Verify a public key signature */
#define KEYCTL_RESTRICT_KEYRING 29 /* Restrict keys allowed to link to a keyring */
#define KEYCTL_WATCH_KEY 30 /* Watch a key or ring of keys for changes */
+#define KEYCTL_CONTAINER_INTERCEPT 31 /* Intercept upcalls inside a container */
/* keyctl structures */
struct keyctl_dh_params {
@@ -35,6 +35,7 @@ struct container init_container = {
.members.next = &init_task.container_link,
.members.prev = &init_task.container_link,
.children = LIST_HEAD_INIT(init_container.children),
+ .req_key_traps = LIST_HEAD_INIT(init_container.req_key_traps),
.flags = (1 << CONTAINER_FLAG_INIT_STARTED),
.lock = __SPIN_LOCK_UNLOCKED(init_container.lock),
.seq = SEQCNT_ZERO(init_fs.seq),
@@ -53,6 +54,8 @@ void put_container(struct container *c)
while (c && refcount_dec_and_test(&c->usage)) {
BUG_ON(!list_empty(&c->members));
+ if (!list_empty(&c->req_key_traps))
+ key_del_intercept(c, NULL);
if (c->pid_ns)
put_pid_ns(c->pid_ns);
if (c->ns)
@@ -286,6 +289,7 @@ static struct container *alloc_container(const char __user *name)
INIT_LIST_HEAD(&c->members);
INIT_LIST_HEAD(&c->children);
+ INIT_LIST_HEAD(&c->req_key_traps);
init_waitqueue_head(&c->waitq);
spin_lock_init(&c->lock);
refcount_set(&c->usage, 1);
@@ -16,6 +16,7 @@ obj-y := \
request_key.o \
request_key_auth.o \
user_defined.o
+
compat-obj-$(CONFIG_KEY_DH_OPERATIONS) += compat_dh.o
obj-$(CONFIG_KEYS_COMPAT) += compat.o $(compat-obj-y)
obj-$(CONFIG_PROC_FS) += proc.o
@@ -23,6 +24,7 @@ obj-$(CONFIG_SYSCTL) += sysctl.o
obj-$(CONFIG_PERSISTENT_KEYRINGS) += persistent.o
obj-$(CONFIG_KEY_DH_OPERATIONS) += dh.o
obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += keyctl_pkey.o
+obj-$(CONFIG_CONTAINERS) += container.o
#
# Key types
@@ -161,6 +161,11 @@ COMPAT_SYSCALL_DEFINE5(keyctl, u32, option,
case KEYCTL_WATCH_KEY:
return keyctl_watch_key(arg2, arg3, arg4);
+#ifdef CONFIG_CONTAINERS
+ case KEYCTL_CONTAINER_INTERCEPT:
+ return keyctl_container_intercept(arg2, compat_ptr(arg3), arg4, arg5);
+#endif
+
default:
return -EOPNOTSUPP;
}
new file mode 100644
@@ -0,0 +1,227 @@
+/* Container intercept interface
+ *
+ * Copyright (C) 2019 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#include <linux/module.h>
+#include <linux/fs.h>
+#include <linux/file.h>
+#include <linux/key.h>
+#include <linux/key-type.h>
+#include <linux/container.h>
+#include <keys/request_key_auth-type.h>
+#include "internal.h"
+
+struct request_key_intercept {
+ char type[32]; /* The type of key to be trapped */
+ struct list_head link; /* Link in containers->req_key_traps */
+ struct key *dest_keyring; /* Where to place the trapped auth keys */
+ struct ns_common *ns; /* Namespace the key must match */
+};
+
+/*
+ * Add an intercept filter to a container.
+ */
+static long key_add_intercept(struct container *c, struct request_key_intercept *rki)
+{
+ struct request_key_intercept *p;
+
+ kenter("%p,{%s,%d}", c, rki->type, key_serial(rki->dest_keyring));
+
+ spin_lock(&c->lock);
+ list_for_each_entry(p, &c->req_key_traps, link) {
+ if (strcmp(rki->type, p->type) == 0) {
+ spin_unlock(&c->lock);
+ return -EEXIST;
+ }
+ }
+
+ /* We put all-matching rules at the back so they're checked after the
+ * more specific rules.
+ */
+ if (rki->type[0] == '*' && !rki->type[1])
+ list_add_tail(&rki->link, &c->req_key_traps);
+ else
+ list_add(&rki->link, &c->req_key_traps);
+
+ spin_unlock(&c->lock);
+ kleave(" = 0");
+ return 0;
+}
+
+/*
+ * Remove one or more intercept filters from a container. Returns the number
+ * of entries removed.
+ */
+long key_del_intercept(struct container *c, const char *type)
+{
+ struct request_key_intercept *p, *q;
+ long count;
+ LIST_HEAD(graveyard);
+
+ kenter("%p,%s", c, type);
+
+ spin_lock(&c->lock);
+ list_for_each_entry_safe(p, q, &c->req_key_traps, link) {
+ if (!type || strcmp(p->type, type) == 0) {
+ kdebug("- match %d", key_serial(p->dest_keyring));
+ list_move(&p->link, &graveyard);
+ }
+ }
+ spin_unlock(&c->lock);
+
+ count = 0;
+ while (!list_empty(&graveyard)) {
+ p = list_entry(graveyard.next, struct request_key_intercept, link);
+ list_del(&p->link);
+ count++;
+
+ key_put(p->dest_keyring);
+ kfree(p);
+ }
+
+ kleave(" = %ld", count);
+ return count;
+}
+
+/*
+ * Create an intercept filter and add it to a container.
+ */
+static long key_create_intercept(struct container *c, const char *type,
+ key_serial_t dest_ring_id)
+{
+ struct request_key_intercept *rki;
+ key_ref_t dest_ref;
+ long ret = -ENOMEM;
+
+ dest_ref = lookup_user_key(dest_ring_id, KEY_LOOKUP_CREATE,
+ KEY_NEED_WRITE);
+ if (IS_ERR(dest_ref))
+ return PTR_ERR(dest_ref);
+
+ rki = kzalloc(sizeof(*rki), GFP_KERNEL);
+ if (!rki)
+ goto out_dest;
+
+ memcpy(rki->type, type, sizeof(rki->type));
+ rki->dest_keyring = key_ref_to_ptr(dest_ref);
+ /* TODO: set rki->ns */
+
+ ret = key_add_intercept(c, rki);
+ if (ret < 0)
+ goto out_rki;
+ return ret;
+
+out_rki:
+ kfree(rki);
+out_dest:
+ key_ref_put(dest_ref);
+ return ret;
+}
+
+/*
+ * Add or remove (if dest_keyring==0) a request_key upcall intercept trap upon
+ * a container. If _type points to a string of "*" that matches all types.
+ */
+long keyctl_container_intercept(int containerfd,
+ const char *_type,
+ unsigned int ns_id,
+ key_serial_t dest_ring_id)
+{
+ struct container *c;
+ struct fd f;
+ char type[32] = "";
+ long ret;
+
+ if (containerfd < 0 || ns_id < 0)
+ return -EINVAL;
+ if (dest_ring_id && !_type)
+ return -EINVAL;
+
+ f = fdget(containerfd);
+ if (!f.file)
+ return -EBADF;
+ ret = -EINVAL;
+ if (!is_container_file(f.file))
+ goto out_fd;
+
+ c = f.file->private_data;
+
+ /* Find out what type we're dealing with (can be NULL to make removal
+ * remove everything).
+ */
+ if (_type) {
+ ret = key_get_type_from_user(type, _type, sizeof(type));
+ if (ret < 0)
+ goto out_fd;
+ }
+
+ /* TODO: Get the namespace to filter on */
+
+ /* We add a filter if a destination keyring has been specified. */
+ if (dest_ring_id) {
+ ret = key_create_intercept(c, type, dest_ring_id);
+ } else {
+ ret = key_del_intercept(c, _type ? type : NULL);
+ }
+
+out_fd:
+ fdput(f);
+ return ret;
+}
+
+/*
+ * Queue a construction record if we can find a handler.
+ *
+ * Returns true if we found a handler - in which case ownership of the
+ * construction record has been passed on to the service queue and the caller
+ * can no longer touch it.
+ */
+int queue_request_key(struct key *authkey)
+{
+ struct container *c = current->container;
+ struct request_key_intercept *rki;
+ struct request_key_auth *rka = get_request_key_auth(authkey);
+ struct key *service_keyring;
+ struct key *key = rka->target_key;
+ int ret;
+
+ kenter("%p,%d,%d", c, key_serial(authkey), key_serial(key));
+
+ if (list_empty(&c->req_key_traps)) {
+ kleave(" = -EAGAIN [e]");
+ return -EAGAIN;
+ }
+
+ spin_lock(&c->lock);
+
+ list_for_each_entry(rki, &c->req_key_traps, link) {
+ if (strcmp(rki->type, "*") == 0 ||
+ strcmp(rki->type, key->type->name) == 0)
+ goto found_match;
+ }
+
+ spin_unlock(&c->lock);
+ kleave(" = -EAGAIN [n]");
+ return -EAGAIN;
+
+found_match:
+ service_keyring = key_get(rki->dest_keyring);
+ kdebug("- match %d", key_serial(service_keyring));
+ spin_unlock(&c->lock);
+
+ /* We add the authentication key to the keyring for the service daemon
+ * to collect. This can be detected by means of a watch on the service
+ * keyring.
+ */
+ ret = key_link(service_keyring, authkey);
+ key_put(service_keyring);
+ kleave(" = %d", ret);
+ return ret;
+}
@@ -93,6 +93,7 @@ extern wait_queue_head_t request_key_conswq;
extern void key_set_index_key(struct keyring_index_key *index_key);
extern struct key_type *key_type_lookup(const char *type);
extern void key_type_put(struct key_type *ktype);
+extern int key_get_type_from_user(char *, const char __user *, unsigned);
extern int __key_link_begin(struct key *keyring,
const struct keyring_index_key *index_key,
@@ -180,6 +181,11 @@ extern void key_gc_keytype(struct key_type *ktype);
extern int key_task_permission(const key_ref_t key_ref,
const struct cred *cred,
key_perm_t perm);
+#ifdef CONFIG_CONTAINERS
+extern int queue_request_key(struct key *);
+#else
+static inline int queue_request_key(struct key *authkey) { return -EAGAIN; }
+#endif
static inline void notify_key(struct key *key,
enum key_notification_subtype subtype, u32 aux)
@@ -354,6 +360,10 @@ static inline long keyctl_watch_key(key_serial_t key_id, int watch_fd, int watch
}
#endif
+#ifdef CONFIG_CONTAINERS
+extern long keyctl_container_intercept(int, const char __user *, unsigned int, key_serial_t);
+#endif
+
/*
* Debugging key validation
*/
@@ -30,9 +30,9 @@
#define KEY_MAX_DESC_SIZE 4096
-static int key_get_type_from_user(char *type,
- const char __user *_type,
- unsigned len)
+int key_get_type_from_user(char *type,
+ const char __user *_type,
+ unsigned len)
{
int ret;
@@ -1857,6 +1857,14 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
case KEYCTL_WATCH_KEY:
return keyctl_watch_key((key_serial_t)arg2, (int)arg3, (int)arg4);
+#ifdef CONFIG_CONTAINERS
+ case KEYCTL_CONTAINER_INTERCEPT:
+ return keyctl_container_intercept((int)arg2,
+ (const char __user *)arg3,
+ (unsigned int)arg4,
+ (key_serial_t)arg5);
+#endif
+
default:
return -EOPNOTSUPP;
}
@@ -17,6 +17,7 @@
#include <linux/err.h>
#include <linux/keyctl.h>
#include <linux/slab.h>
+#include <linux/init_task.h>
#include <net/net_namespace.h>
#include "internal.h"
#include <keys/request_key_auth-type.h>
@@ -91,11 +92,11 @@ static int call_usermodehelper_keys(const char *path, char **argv, char **envp,
* Request userspace finish the construction of a key
* - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
*/
-static int call_sbin_request_key(struct key *authkey, void *aux)
+static int call_sbin_request_key(struct key *authkey)
{
static char const request_key[] = "/sbin/request-key";
struct request_key_auth *rka = get_request_key_auth(authkey);
- const struct cred *cred = current_cred();
+ const struct cred *cred = rka->cred;
key_serial_t prkey, sskey;
struct key *key = rka->target_key, *keyring, *session;
char *argv[9], *envp[3], uid_str[12], gid_str[12];
@@ -203,7 +204,6 @@ static int construct_key(struct key *key, const void *callout_info,
size_t callout_len, void *aux,
struct key *dest_keyring)
{
- request_key_actor_t actor;
struct key *authkey;
int ret;
@@ -216,11 +216,13 @@ static int construct_key(struct key *key, const void *callout_info,
return PTR_ERR(authkey);
/* Make the call */
- actor = call_sbin_request_key;
- if (key->type->request_key)
- actor = key->type->request_key;
-
- ret = actor(authkey, aux);
+ if (key->type->request_key) {
+ ret = key->type->request_key(authkey, aux);
+ } else {
+ ret = queue_request_key(authkey);
+ if (ret == -EAGAIN)
+ ret = call_sbin_request_key(authkey);
+ }
/* check that the actor called complete_request_key() prior to
* returning an error */
@@ -123,6 +123,10 @@ static void free_request_key_auth(struct request_key_auth *rka)
{
if (!rka)
return;
+
+ if (rka->target_key->state == KEY_IS_UNINSTANTIATED)
+ key_reject_and_link(rka->target_key, 0, -ENOKEY, NULL, NULL);
+
key_put(rka->target_key);
key_put(rka->dest_keyring);
if (rka->cred)
@@ -184,7 +188,7 @@ struct key *request_key_auth_new(struct key *target, const char *op,
goto error_free_rka;
}
- irka = cred->request_key_auth->payload.data[0];
+ irka = get_request_key_auth(cred->request_key_auth);
rka->cred = get_cred(irka->cred);
rka->pid = irka->pid;
Provide a mechanism by which a running daemon can intercept request_key upcalls, filtered by namespace and key type, and service them. The list of active services is per-container. Intercepts for a specific {key_type, namespace} can be installed on a container with: keyctl(KEYCTL_ADD_UPCALL_INTERCEPT, int containerfd, const char *type_name, unsigned int ns_id, key_serial_t dest_keyring); The authentication token keys for intercepted keys are linked into the destination keyring. Signed-off-by: David Howells <dhowells@redhat.com> --- include/linux/container.h | 2 include/linux/key-type.h | 2 include/uapi/linux/keyctl.h | 1 kernel/container.c | 4 + security/keys/Makefile | 2 security/keys/compat.c | 5 + security/keys/container.c | 227 ++++++++++++++++++++++++++++++++++++++ security/keys/internal.h | 10 ++ security/keys/keyctl.c | 14 ++ security/keys/request_key.c | 18 ++- security/keys/request_key_auth.c | 6 + 11 files changed, 278 insertions(+), 13 deletions(-) create mode 100644 security/keys/container.c