@@ -61,6 +61,7 @@ extern struct container init_container;
#ifdef CONFIG_CONTAINERS
extern const struct file_operations container_fops;
+extern struct container *find_container(const char *name);
extern int copy_container(unsigned long flags, struct task_struct *tsk,
struct container *container);
extern void exit_container(struct task_struct *tsk);
@@ -21,6 +21,7 @@
enum key_ace_subject_type {
KEY_ACE_SUBJ_STANDARD = 0, /* subject is one of key_ace_standard_subject */
KEY_ACE_SUBJ_CONTAINER = 1, /* subject is a container fd */
+ KEY_ACE_SUBJ_CONTAINER_NAME = 2, /* subject is a container name pointer */
nr__key_ace_subject_type
};
@@ -235,6 +235,30 @@ struct container *fd_to_container(int fd)
return c;
}
+/**
+ * find_container - Find a child container by name.
+ * @name: The name of the container to find.
+ *
+ * Find a child of the current container by name.
+ */
+struct container *find_container(const char *name)
+{
+ struct container *c = current->container, *p;
+
+ spin_lock(&c->lock);
+ list_for_each_entry(p, &c->children, child_link) {
+ if (strcmp(p->name, name) == 0) {
+ get_container(p);
+ goto found;
+ }
+ }
+
+ p = NULL;
+found:
+ spin_unlock(&c->lock);
+ return p;
+}
+
/*
* Handle fork/clone.
*
@@ -175,6 +175,10 @@ COMPAT_SYSCALL_DEFINE5(keyctl, u32, option,
case KEYCTL_MOVE:
return keyctl_keyring_move(arg2, arg3, arg4, arg5);
case KEYCTL_GRANT_PERMISSION:
+ if (arg3 == KEY_ACE_SUBJ_CONTAINER_NAME)
+ return keyctl_grant_permission(arg2, arg3,
+ (unsigned long)compat_ptr(arg4),
+ arg5);
return keyctl_grant_permission(arg2, arg3, arg4, arg5);
default:
@@ -379,7 +379,7 @@ extern long keyctl_set_container_keyring(int, key_serial_t);
extern long keyctl_grant_permission(key_serial_t keyid,
enum key_ace_subject_type type,
- unsigned int subject,
+ unsigned long subject,
unsigned int perm);
/*
@@ -1964,7 +1964,7 @@ SYSCALL_DEFINE5(keyctl, int, option, unsigned long, arg2, unsigned long, arg3,
case KEYCTL_GRANT_PERMISSION:
return keyctl_grant_permission((key_serial_t)arg2,
(enum key_ace_subject_type)arg3,
- (unsigned int)arg4,
+ (unsigned long)arg4,
(unsigned int)arg5);
default:
@@ -407,7 +407,7 @@ static long key_change_acl(struct key *key, struct key_ace *new_ace)
*/
long keyctl_grant_permission(key_serial_t keyid,
enum key_ace_subject_type type,
- unsigned int subject,
+ unsigned long subject,
unsigned int perm)
{
struct key_ace new_ace;
@@ -436,6 +436,23 @@ long keyctl_grant_permission(key_serial_t keyid,
put_container(c);
break;
}
+ case KEY_ACE_SUBJ_CONTAINER_NAME: {
+ struct container *c;
+ char *name;
+
+ name = strndup_user((const char __user *)subject, 23);
+ if (IS_ERR(name))
+ return PTR_ERR(name);
+ c = find_container(name);
+ kfree(name);
+ if (!c)
+ return -EINVAL;
+ new_ace.type = KEY_ACE_SUBJ_CONTAINER;
+ refcount_inc(&c->tag->usage);
+ new_ace.container_tag = c->tag;
+ put_container(c);
+ break;
+ }
#endif
default:
Allow a container to be specified to KEYCTL_GRANT_PERMISSION by name. This allows processes that don't have access to the container fd to grant permission on a key to a container. This is restricted to the containers that are children of the current container. This can be effected with something like: keyctl(KEYCTL_GRANT_PERMISSION, key, KEY_ACE_SUBJ_CONTAINER_NAME, "foo-test", KEY_ACE_SEARCH); Signed-off-by: David Howells <dhowells@redhat.com> --- include/linux/container.h | 1 + include/uapi/linux/keyctl.h | 1 + kernel/container.c | 24 ++++++++++++++++++++++++ security/keys/compat.c | 4 ++++ security/keys/internal.h | 2 +- security/keys/keyctl.c | 2 +- security/keys/permission.c | 19 ++++++++++++++++++- 7 files changed, 50 insertions(+), 3 deletions(-)