• David Howells's avatar
    KEYS: Add a keyctl to install a process's session keyring on its parent [try #6] · ee18d64c
    David Howells authored
    Add a keyctl to install a process's session keyring onto its parent.  This
    replaces the parent's session keyring.  Because the COW credential code does
    not permit one process to change another process's credentials directly, the
    change is deferred until userspace next starts executing again.  Normally this
    will be after a wait*() syscall.
    
    To support this, three new security hooks have been provided:
    cred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in
    the blank security creds and key_session_to_parent() - which asks the LSM if
    the process may replace its parent's session keyring.
    
    The replacement may only happen if the process has the same ownership details
    as its parent, and the process has LINK permission on the session keyring, and
    the session keyring is owned by the process, and the LSM permits it.
    
    Note that this requires alteration to each architecture's notify_resume path.
    This has been done for all arches barring blackfin, m68k* and xtensa, all of
    which need assembly alteration to support TIF_NOTIFY_RESUME.  This allows the
    replacement to be performed at the point the parent process resumes userspace
    execution.
    
    This allows the userspace AFS pioctl emulation to fully emulate newpag() and
    the VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to
    alter the parent process's PAG membership.  However, since kAFS doesn't use
    PAGs per se, but rather dumps the keys into the session keyring, the session
    keyring of the parent must be replaced if, for example, VIOCSETTOK is passed
    the newpag flag.
    
    This can be tested with the following program:
    
    	#include <stdio.h>
    	#include <stdlib.h>
    	#include <keyutils.h>
    
    	#define KEYCTL_SESSION_TO_PARENT	18
    
    	#define OSERROR(X, S) do { if ((long)(X) == -1) { perror(S); exit(1); } } while(0)
    
    	int main(int argc, char **argv)
    	{
    		key_serial_t keyring, key;
    		long ret;
    
    		keyring = keyctl_join_session_keyring(argv[1]);
    		OSERROR(keyring, "keyctl_join_session_keyring");
    
    		key = add_key("user", "a", "b", 1, keyring);
    		OSERROR(key, "add_key");
    
    		ret = keyctl(KEYCTL_SESSION_TO_PARENT);
    		OSERROR(ret, "KEYCTL_SESSION_TO_PARENT");
    
    		return 0;
    	}
    
    Compiled and linked with -lkeyutils, you should see something like:
    
    	[dhowells@andromeda ~]$ keyctl show
    	Session Keyring
    	       -3 --alswrv   4043  4043  keyring: _ses
    	355907932 --alswrv   4043    -1   \_ keyring: _uid.4043
    	[dhowells@andromeda ~]$ /tmp/newpag
    	[dhowells@andromeda ~]$ keyctl show
    	Session Keyring
    	       -3 --alswrv   4043  4043  keyring: _ses
    	1055658746 --alswrv   4043  4043   \_ user: a
    	[dhowells@andromeda ~]$ /tmp/newpag hello
    	[dhowells@andromeda ~]$ keyctl show
    	Session Keyring
    	       -3 --alswrv   4043  4043  keyring: hello
    	340417692 --alswrv   4043  4043   \_ user: a
    
    Where the test program creates a new session keyring, sticks a user key named
    'a' into it and then installs it on its parent.
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Signed-off-by: default avatarJames Morris <jmorris@namei.org>
    ee18d64c
tomoyo.c 7.71 KB