[RFC PATCH 25/27] keys: Provide a way to ask for the container keyring

David Howells dhowells at redhat.com
Fri Feb 15 16:11:58 UTC 2019


Provide a constant that can be used in place of a key ID to indicate the
keyring belonging to the current process's container.  Used as:

	key_serial_t container_keyring =
		keyctl_get_key_ID(KEY_SPEC_CONTAINER_KEYRING, 0);

Note that this is merely a 'macro' for the ID of the keyring.  To be able
to actually do anything with it requires the keyring to grant appropriate
permissions to the denizens of the container.

Signed-off-by: David Howells <dhowells at redhat.com>
---

 include/uapi/linux/keyctl.h  |    1 +
 samples/vfs/test-container.c |   15 +++++++++++++++
 security/keys/process_keys.c |    7 +++++++
 3 files changed, 23 insertions(+)

diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h
index 7136d14dd4d7..89ab609f774c 100644
--- a/include/uapi/linux/keyctl.h
+++ b/include/uapi/linux/keyctl.h
@@ -88,6 +88,7 @@ enum key_ace_standard_subject {
 #define KEY_SPEC_GROUP_KEYRING		-6	/* - key ID for GID-specific keyring */
 #define KEY_SPEC_REQKEY_AUTH_KEY	-7	/* - key ID for assumed request_key auth key */
 #define KEY_SPEC_REQUESTOR_KEYRING	-8	/* - key ID for request_key() dest keyring */
+#define KEY_SPEC_CONTAINER_KEYRING	-9	/* - key ID for current->container's keyring */
 
 /* request-key default keyrings */
 #define KEY_REQKEY_DEFL_NO_CHANGE		-1
diff --git a/samples/vfs/test-container.c b/samples/vfs/test-container.c
index 7b2081693fce..4716dd50b696 100644
--- a/samples/vfs/test-container.c
+++ b/samples/vfs/test-container.c
@@ -20,6 +20,7 @@
 #include <sys/stat.h>
 #include <keyutils.h>
 
+#define KEY_SPEC_CONTAINER_KEYRING	-9	/* - key ID for current->container's keyring */
 #define KEYCTL_CONTAINER_INTERCEPT	31	/* Intercept upcalls inside a container */
 #define KEYCTL_SET_CONTAINER_KEYRING	35	/* Attach a keyring to a container */
 #define KEYCTL_GRANT_PERMISSION		36	/* Grant a permit to a key */
@@ -160,6 +161,8 @@ static inline int fork_into_container(int containerfd)
 static __attribute__((noreturn))
 void container_init(void)
 {
+	key_serial_t ckey;
+
 	if (0) {
 		/* Do a bit of debugging on the container. */
 		struct dirent **dlist;
@@ -203,6 +206,12 @@ void container_init(void)
 		exit(1);
 	}
 
+	ckey = keyctl_get_keyring_ID(KEY_SPEC_CONTAINER_KEYRING, 0);
+	if (ckey == -1)
+		perror("keyctl_get_keyring_ID");
+	else
+		printf("Container keyring %d\n", ckey);
+	
 	setenv("PS1", "container>", 1);
 	execl("/bin/bash", "bash", NULL);
 	perror("execl");
@@ -310,6 +319,12 @@ int main(int argc, char *argv[])
 		exit(1);
 	}
 
+	if (keyctl(KEYCTL_GRANT_PERMISSION, keyring,
+		   KEY_ACE_SUBJ_STANDARD, KEY_ACE_OWNER, 0) < 0) {
+		perror("keyctl_grant/s");
+		exit(1);
+	}
+
 	if (keyctl(KEYCTL_SET_CONTAINER_KEYRING, cfd, keyring) < 0) {
 		perror("keyctl_set_container_keyring");
 		exit(1);
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index f296a1cc979a..f8f580a760c9 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -725,6 +725,13 @@ key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
 		key_ref = make_key_ref(key, 1);
 		break;
 
+	case KEY_SPEC_CONTAINER_KEYRING:
+		key = current->container->keyring;
+		if (!key)
+			goto error;
+		key_ref = make_key_ref(key, 0);
+		goto error;
+
 	default:
 		key_ref = ERR_PTR(-EINVAL);
 		if (id < 1)



More information about the Linux-security-module-archive mailing list