
[0/3] afs: Fix dynamic root interaction with failing DNS lookups

Message ID 20231211163412.2766147-1-dhowells@redhat.com (mailing list archive)

Message

David Howells Dec. 11, 2023, 4:34 p.m. UTC
Hi Markus, Marc,

Here's a set of fixes to improve the interaction of arbitrary lookups in
the AFS dynamic root that hit DNS lookup failures:

 (1) Always delete unused (particularly negative) dentries as soon as
     possible so that they don't prevent future lookups from retrying.

 (2) Fix the handling of new-style negative DNS lookups in ->lookup() to
     make them return ENOENT so that userspace doesn't get confused when
     stat succeeds but the following open on the looked up file then fails.

 (3) Fix key handling so that DNS lookup results are reclaimed as soon as
     they expire rather than sitting round either forever or for an
     additional 5 mins beyond a set expiry time returning EKEYEXPIRED.

The patches can be found here:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=afs-fixes

Thanks,
David

David Howells (3):
  afs: Fix the dynamic root's d_delete to always delete unused dentries
  afs: Fix dynamic root lookup DNS check
  keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on
    expiry

 fs/afs/dynroot.c           | 31 +++++++++++++++++--------------
 include/linux/key-type.h   |  1 +
 net/dns_resolver/dns_key.c | 10 +++++++++-
 security/keys/gc.c         | 31 +++++++++++++++++++++----------
 security/keys/internal.h   |  8 +++++++-
 security/keys/key.c        | 15 +++++----------
 security/keys/proc.c       |  2 +-
 7 files changed, 61 insertions(+), 37 deletions(-)

Comments

David Howells Dec. 11, 2023, 4:40 p.m. UTC | #1
This is the related bug: https://bugzilla.kernel.org/show_bug.cgi?id=216637
markus.suvanto@gmail.com Dec. 11, 2023, 9:33 p.m. UTC | #2
Mon, 2023-12-11 at 16:34 +0000, David Howells wrote:
> Hi Markus, Marc,
> 
> Here's a set of fixes to improve the interaction of arbitrary lookups in
> the AFS dynamic root that hit DNS lookup failures:
> 
>  (1) Always delete unused (particularly negative) dentries as soon as
>      possible so that they don't prevent future lookups from retrying.
> 
>  (2) Fix the handling of new-style negative DNS lookups in ->lookup() to
>      make them return ENOENT so that userspace doesn't get confused when
>      stat succeeds but the following open on the looked up file then fails.
> 
>  (3) Fix key handling so that DNS lookup results are reclaimed as soon as
>      they expire rather than sitting round either forever or for an
>      additional 5 mins beyond a set expiry time returning EKEYEXPIRED.
> 
> The patches can be found here:
> 
> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=afs-fixes
> 
I tested these patches on 6.7.0-rc4-gdfbc00cb940b.
It seems that a non-existent directory will remove my valid rxrpc key.

Reproduce:
1) kinit ....
2) aklog....
3) keyctl show 
Session Keyring
 347100937 --alswrv   1001 65534  keyring: _uid_ses.1001
1062692655 --alswrv   1001 65534   \_ keyring: _uid.1001
 698363997 --als-rv   1001   100   \_ rxrpc: afs@station.com

klist 
Ticket cache: KEYRING:persistent:1001:1001
Default principal: .....
...

4) ls /afs/notfound
5) keyctl show   
Session Keyring
 709308533 --alswrv   1001 65534  keyring: _uid_ses.1001
 385820479 --alswrv   1001 65534   \_ keyring: _uid.1001

klist
klist: Credentials cache keyring 'persistent:1001:1001' not found

-Markus
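The five-step reproduction above can be turned into a before/after comparison of the session keyring, so that a run on a patched kernel gives a yes/no answer instead of a visual diff of two `keyctl show` listings. The script below is an added example, not part of the patch series or of Markus's mail; the function names, the use of `mktemp -d`, and the two sample snapshots (constructed from the `keyctl show` output quoted in this thread) are assumptions of the example. It compares keys by "type: description" rather than by serial number, because a keyring that is torn down and recreated comes back with a new serial, which is precisely the kind of churn the listings above show.

```shell
#!/bin/sh
# Added example, not part of the patch series or of Markus's mail: snapshot
# `keyctl show` before and after a lookup in the AFS dynamic root and report
# which keys vanished. Keys are compared by "type: description", not by
# serial, because a recreated keyring gets a fresh serial and would otherwise
# show up as spurious churn.

# vanished_keys BEFORE AFTER
# Print, one per line, the "type: description" of every key listed in the
# BEFORE snapshot that is missing from the AFTER snapshot. Lines with fewer
# than five fields (the "Session Keyring" header, blank lines) are skipped,
# and the "\_" tree connector that keyctl draws is dropped.
vanished_keys() {
  awk 'NF >= 5 {
         s = ""
         for (i = 5; i <= NF; i++)
           if ($i != "\\_") s = s (s == "" ? "" : " ") $i
         if (FILENAME == ARGV[1] && FNR == NR) before[s] = 1; else after[s] = 1
       }
       END { for (k in before) if (!(k in after)) print k }' "$1" "$2" | sort
}

# write_samples
# Create a temporary directory holding two constructed snapshots (copied from
# the keyctl output quoted in this thread) and print its path.
write_samples() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/before" <<'EOF'
Session Keyring
 347100937 --alswrv   1001 65534  keyring: _uid_ses.1001
1062692655 --alswrv   1001 65534   \_ keyring: _uid.1001
 698363997 --als-rv   1001   100   \_ rxrpc: afs@station.com
EOF
  cat > "$dir/after" <<'EOF'
Session Keyring
 709308533 --alswrv   1001 65534  keyring: _uid_ses.1001
 385820479 --alswrv   1001 65534   \_ keyring: _uid.1001
EOF
  printf '%s\n' "$dir"
}

# live_check DIR PATH
# The real procedure from the thread: assumes kinit and aklog have already
# been run, /afs is mounted and keyctl is in PATH, so it is only defined
# here, not run. PATH is the name to look up, e.g. /afs/notfound.
live_check() {
  keyctl show > "$1/live_before"
  ls "$2" > /dev/null 2>&1 || true      # the lookup is expected to fail
  keyctl show > "$1/live_after"
  vanished_keys "$1/live_before" "$1/live_after"
}

# Offline demonstration on the constructed snapshots: prints
# "rxrpc: afs@station.com", the key that disappeared in the report above.
samples=$(write_samples)
vanished_keys "$samples/before" "$samples/after"
rm -rf "$samples"
```

On a live system, run `live_check "$(mktemp -d)" /afs/notfound` after `kinit` and `aklog`; empty output means every key present before the failed lookup is still there afterwards, and any `rxrpc:` line in the output is the symptom Markus reports.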
David Howells Dec. 12, 2023, 9:03 a.m. UTC | #3
markus.suvanto@gmail.com wrote:

> Reproduce:
> 1) kinit ....
> 2) aklog....
> 3) keyctl show 
> Session Keyring
>  347100937 --alswrv   1001 65534  keyring: _uid_ses.1001
> 1062692655 --alswrv   1001 65534   \_ keyring: _uid.1001
>  698363997 --als-rv   1001   100   \_ rxrpc: afs@station.com
> 
> klist 
> Ticket cache: KEYRING:persistent:1001:1001
> Default principal: .....

Can you "grep rxrpc /proc/keys" at this point?

> 4) ls /afs/notfound
> 5) keyctl show   
> Session Keyring
>  709308533 --alswrv   1001 65534  keyring: _uid_ses.1001
>  385820479 --alswrv   1001 65534   \_ keyring: _uid.1001
> 
> klist
> klist: Credentials cache keyring 'persistent:1001:1001' not found

David
markus.suvanto@gmail.com Dec. 12, 2023, 9:41 a.m. UTC | #4
Tue, 2023-12-12 at 09:03 +0000, David Howells wrote:
> markus.suvanto@gmail.com wrote:
> 
> > Reproduce:
> > 1) kinit ....
> > 2) aklog....
> > 3) keyctl show 
> > Session Keyring
> >  347100937 --alswrv   1001 65534  keyring: _uid_ses.1001
> > 1062692655 --alswrv   1001 65534   \_ keyring: _uid.1001
> >  698363997 --als-rv   1001   100   \_ rxrpc: afs@station.com
> > 
> > klist 
> > Ticket cache: KEYRING:persistent:1001:1001
> > Default principal: .....
> 
> Can you "grep rxrpc /proc/keys" at this point?
> 
different cell though...

masu@t470 ~ % grep rxrpc /proc/keys
23e16cda I--Q---     1   3d 3b010000  1001   100 rxrpc     afs@movesole.com: ka
David Howells Dec. 12, 2023, 9:49 a.m. UTC | #5
markus.suvanto@gmail.com wrote:

> > Can you "grep rxrpc /proc/keys" at this point?
> > 
> different cell though...
> 
> masu@t470 ~ % grep rxrpc /proc/keys
> 23e16cda I--Q---     1   3d 3b010000  1001   100 rxrpc     afs@movesole.com: ka

Okay, I see the persistent keyring disappear, but I don't see a key linked
into my session keyring vanish.

David
markus.suvanto@gmail.com Dec. 12, 2023, 9:57 a.m. UTC | #6
> > masu@t470 ~ % grep rxrpc /proc/keys
> > 23e16cda I--Q---     1   3d 3b010000  1001   100 rxrpc     afs@movesole.com: ka
> 
> Okay, I see the persistent keyring disappear, but I don't see a key linked
> into my session keyring vanish.

Full log of my commands...

masu@t470 ~ % klist 
klist: Credentials cache keyring 'persistent:1001:1001' not found
masu@t470 ~ % keyctl show   
Session Keyring
 388545754 --alswrv   1001 65534  keyring: _uid_ses.1001
 946177719 --alswrv   1001 65534   \_ keyring: _uid.1001
masu@t470 ~ % grep rxrpc /proc/keys
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % kinit masu@MOVESOLE.COM
Password for masu@MOVESOLE.COM: 
masu@t470 ~ % aklog-kafs-kdf movesole.com MOVESOLE.COM
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % grep rxrpc /proc/keys

2600d2d5 I--Q---     1   3d 3b010000  1001   100 rxrpc     afs@movesole.com: ka
masu@t470 ~ % klist 
Ticket cache: KEYRING:persistent:1001:1001
Default principal: masu@MOVESOLE.COM

Valid starting       Expires              Service principal
12.12.2023 11.52.47  16.12.2023 11.52.40  afs/movesole.com@MOVESOLE.COM
	renew until 26.12.2023 11.52.40
12.12.2023 11.52.43  16.12.2023 11.52.40  krbtgt/MOVESOLE.COM@MOVESOLE.COM
	renew until 26.12.2023 11.52.40
masu@t470 ~ % keyctl show            
Session Keyring
 388545754 --alswrv   1001 65534  keyring: _uid_ses.1001
 946177719 --alswrv   1001 65534   \_ keyring: _uid.1001
 637588181 --als-rv   1001   100   \_ rxrpc: afs@movesole.com
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % ls /afs/notfound
ls: cannot access '/afs/notfound': No such file or directory
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % 
masu@t470 ~ % klist
klist: Credentials cache keyring 'persistent:1001:1001' not found
masu@t470 ~ % grep rxrpc /proc/keys

masu@t470 ~ % keyctl show   
Session Keyring
1025218481 --alswrv   1001 65534  keyring: _uid_ses.1001
 322736164 --alswrv   1001 65534   \_ keyring: _uid.1001