| Message ID | x49a64iq492.fsf@segfault.boston.devel.redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 5668264e89b2ec2e40806763855890e65a3d3de1 |
| Series | [ndctl] security.sh: ensure a user keyring is linked into the session keyring |
On 11/22/2022 10:38 AM, Jeff Moyer wrote:
> The restraint test harness is started via a systemd unit file. In this
> environment, there is no user keyring linked into the session keyring:
>
> # keyctl show
> Session Keyring
>  406647380 --alswrv 0 0 keyring: _ses
>  148623625 ----s-rv 0 0 \_ user: invocation_id
>
> As a result, the security.sh test fails. The logs show:
>
> ++ keyctl show
> ++ grep -Eo '_uid.[0-9]+'
> ++ head -1
> ++ cut -d. -f2-
> + uid=
> + '[' '' -ne 0 ']'
> /root/rpmbuild/BUILD/ndctl-71.1/test/security.sh: line 245: [: : integer expression expected
>
> and:
>
> + keyctl search @u encrypted nvdimm:cdab-0a-07e0-feffffff
> keyctl_search: Required key not available
> + keyctl search @u user nvdimm-master
> keyctl_search: Required key not available
> ++ hostname
> + '[' -f /etc/ndctl/keys/nvdimm_cdab-0a-07e0-feffffff_storageqe-40.sqe.lab.eng.bos.redhat.com.blob ']'
> + setup_keys
> + '[' '!' -d /etc/ndctl/keys ']'
> + '[' -f /etc/ndctl/keys/nvdimm-master.blob ']'
> + '[' -f /etc/ndctl/keys/tpm.handle ']'
> + dd if=/dev/urandom bs=1 count=32
> + keyctl padd user nvdimm-master @u
> ++ keyctl search @u user nvdimm-master
> + keyctl pipe 416513477
> keyctl_read_alloc: Permission denied
> ++ err 47
> +++ basename /root/rpmbuild/BUILD/ndctl-71.1/test/security.sh
> ++ echo test/security.sh: failed at line 47
> ++ '[' -n '' ']'
> ++ exit 1
>
> To fix this, create a new session keyring and link in the user keyring
> from within the script.
>
> Signed-off-by: Jeff Moyer <jmoyer@redhat.com>

Reviewed-by: Dave Jiang <dave.jiang@intel.com>

Thanks Jeff!

>
> diff --git a/test/security.sh b/test/security.sh
> index 34c4977..1aa8488 100755
> --- a/test/security.sh
> +++ b/test/security.sh
> @@ -43,6 +43,9 @@ setup_keys() > backup_handle=1 > fi > > + # Make sure there is a session and a user keyring linked into it > + keyctl new_session > + keyctl link @u @s > dd if=/dev/urandom bs=1 count=32 2>/dev/null | keyctl padd user "$masterkey" @u > keyctl pipe "$(keyctl search @u user $masterkey)" > "$masterpath" > } > >
diff --git a/test/security.sh b/test/security.sh index 34c4977..1aa8488 100755 --- a/test/security.sh +++ b/test/security.sh @@ -43,6 +43,9 @@ setup_keys() backup_handle=1 fi + # Make sure there is a session and a user keyring linked into it + keyctl new_session + keyctl link @u @s dd if=/dev/urandom bs=1 count=32 2>/dev/null | keyctl padd user "$masterkey" @u keyctl pipe "$(keyctl search @u user $masterkey)" > "$masterpath" }
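Review bot: the `keyctl show | grep -Eo '_uid.[0-9]+'` check that fails at line 245 in the quoted log lives outside `setup_keys()`, so the new `keyctl new_session` / `keyctl link @u @s` lines only repair it if that check runs after `setup_keys()` has been called; the trace also shows `setup_keys` being entered right after the `-f .../nvdimm_cdab-...blob` test, which suggests it is skipped when that blob already exists, in which case the keyring would never be linked on a second run. Moving the two `keyctl` lines to the top of the script (before any `keyctl show` parsing) would cover both paths. Two smaller points on the same hunk: `keyctl new_session` replaces the caller's session keyring, so anything previously reachable only via @s (the `invocation_id` key in the quoted `keyctl show`) is no longer visible to the test and its children, which the comment should say; and the master key `padd`ed into @u outlives the test in root's user keyring, so a teardown that unlinks it would avoid leaving key material behind after the run.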
The restraint test harness is started via a systemd unit file. In this
environment, there is no user keyring linked into the session keyring:

# keyctl show
Session Keyring
 406647380 --alswrv 0 0 keyring: _ses
 148623625 ----s-rv 0 0 \_ user: invocation_id

As a result, the security.sh test fails. The logs show:

++ keyctl show
++ grep -Eo '_uid.[0-9]+'
++ head -1
++ cut -d. -f2-
+ uid=
+ '[' '' -ne 0 ']'
/root/rpmbuild/BUILD/ndctl-71.1/test/security.sh: line 245: [: : integer expression expected

and:

+ keyctl search @u encrypted nvdimm:cdab-0a-07e0-feffffff
keyctl_search: Required key not available
+ keyctl search @u user nvdimm-master
keyctl_search: Required key not available
++ hostname
+ '[' -f /etc/ndctl/keys/nvdimm_cdab-0a-07e0-feffffff_storageqe-40.sqe.lab.eng.bos.redhat.com.blob ']'
+ setup_keys
+ '[' '!' -d /etc/ndctl/keys ']'
+ '[' -f /etc/ndctl/keys/nvdimm-master.blob ']'
+ '[' -f /etc/ndctl/keys/tpm.handle ']'
+ dd if=/dev/urandom bs=1 count=32
+ keyctl padd user nvdimm-master @u
++ keyctl search @u user nvdimm-master
+ keyctl pipe 416513477
keyctl_read_alloc: Permission denied
++ err 47
+++ basename /root/rpmbuild/BUILD/ndctl-71.1/test/security.sh
++ echo test/security.sh: failed at line 47
++ '[' -n '' ']'
++ exit 1

To fix this, create a new session keyring and link in the user keyring
from within the script.

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
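As an added example (not part of Jeff Moyer's patch or of ndctl's test/security.sh), here is a POSIX sh helper that performs the `keyctl show | grep _uid` check from the failing log in a way that reports a missing user keyring instead of tripping `[: : integer expression expected`, and that repairs the layout the way the patch does (new session keyring, then link @u into it). The function names are hypothetical; the two `keyctl show` samples are constructed from the output quoted in the commit message, so the parsing part runs offline without keyctl.

```shell
#!/bin/sh
# Added example, not ndctl code. Function names are hypothetical.

# Print the uid of the first user keyring (_uid.N) reachable from the session
# keyring, given the text of `keyctl show`; print nothing if none is linked.
# Taking the text as an argument lets the logic be exercised without keyctl.
session_user_keyring_uid() {
    printf '%s\n' "$1" | grep -Eo '_uid\.[0-9]+' | head -n 1 | cut -d. -f2-
}

# Return 0 when a user keyring for uid $2 (default 0, root) is linked into the
# session keyring described by $1; return 2 with a diagnostic when no user
# keyring is linked at all (the systemd-unit case from the commit message);
# return 1 when some other uid's keyring is linked. Unlike `[ "$uid" -ne 0 ]`,
# an empty uid never reaches the integer comparison.
check_user_keyring() {
    show="$1"
    want="${2:-0}"
    uid=$(session_user_keyring_uid "$show")
    if [ -z "$uid" ]; then
        echo "no user keyring linked into the session keyring" >&2
        return 2
    fi
    [ "$uid" -eq "$want" ]
}

# Repair the layout as the patch does, but only when the check fails, so the
# caller's existing session keyring is kept when it already has @u linked.
# Re-checks afterwards so a failed keyctl call is reported, not ignored.
ensure_user_keyring_linked() {
    if ! check_user_keyring "$(keyctl show)" "$(id -u)" 2>/dev/null; then
        keyctl new_session >/dev/null && keyctl link @u @s
    fi
    check_user_keyring "$(keyctl show)" "$(id -u)"
}

# Constructed samples mirroring the commit message's `keyctl show` output:
# the broken layout (only the invocation_id key) and the same session after
# `keyctl link @u @s` has linked root's user keyring (_uid.0) into it.
SAMPLE_UNLINKED='Session Keyring
 406647380 --alswrv 0 0 keyring: _ses
 148623625 ----s-rv 0 0 \_ user: invocation_id'
SAMPLE_LINKED="$SAMPLE_UNLINKED
 305419896 --alswrv 0 0 \_ keyring: _uid.0"
```

Calling `ensure_user_keyring_linked || exit 1` once at the top of a test script, before any `keyctl show` parsing or `setup_keys`-style key creation, covers both failure modes seen in the log: the empty-uid comparison and the `keyctl pipe` permission error, which goes away once the key added to @u is possessed through the session keyring.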