keys: Move the user and user-session keyrings to the user_namespace
Move the user and user-session keyrings to the user_namespace struct rather than pinning them from the user_struct struct. This prevents these keyrings from propagating across user-namespaces boundaries with regard to the KEY_SPEC_* flags, thereby making them more useful in a containerised environment. The issue is that a single user_struct may represent UIDs in several different namespaces. The way the patch does this is by attaching a 'register keyring' in each user_namespace and then sticking the user and user-session keyrings into that. It can then be searched to retrieve them. Signed-off-by: David Howells <dhowells@redhat.com> cc: Jann Horn <jannh@google.com>
@@ -65,14 +65,19 @@ struct user_namespace {
|
||||
unsigned long flags;
|
||||
|
||||
#ifdef CONFIG_KEYS
|
||||
/* List of joinable keyrings in this namespace */
|
||||
/* List of joinable keyrings in this namespace. Modification access of
|
||||
* these pointers is controlled by keyring_sem. Once
|
||||
* user_keyring_register is set, it won't be changed, so it can be
|
||||
* accessed directly with READ_ONCE().
|
||||
*/
|
||||
struct list_head keyring_name_list;
|
||||
struct key *user_keyring_register;
|
||||
struct rw_semaphore keyring_sem;
|
||||
#endif
|
||||
|
||||
/* Register of per-UID persistent keyrings for this namespace */
|
||||
#ifdef CONFIG_PERSISTENT_KEYRINGS
|
||||
struct key *persistent_keyring_register;
|
||||
struct rw_semaphore persistent_keyring_register_sem;
|
||||
#endif
|
||||
struct work_struct work;
|
||||
#ifdef CONFIG_SYSCTL
|
||||
|
||||
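Review bot: The new comment above keyring_name_list documents only the reader half of the lockless contract for user_keyring_register: READ_ONCE() on the reader is sufficient only if the writer publishes a fully initialised keyring with a matching store (WRITE_ONCE()/smp_store_release()) while holding keyring_sem, and the header does not say so. If the field is read without the semaphore from other files, as the comment implies, a one-liner such as `* user_keyring_register is set once, under keyring_sem, with a release store; readers use READ_ONCE().` would pin the pairing for future maintainers. It would also help to state who owns the reference held in user_keyring_register (presumably dropped when the namespace is torn down — worth confirming), since persistent_keyring_register below has the same shape and no lifetime rule is documented for either. The struct user_namespace definition begins before this hunk and continues past it.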