Commit c236b6dd authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'keys-request-20190626' of... 

Merge tag 'keys-request-20190626' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull request_key improvements from David Howells:
 "These are all request_key()-related, including a fix and some improvements:

   - Fix the lack of a Link permission check on a key found by
     request_key(), thereby enabling request_key() to link keys that
     don't grant this permission to the target keyring (which must still
     grant Write permission).

     Note that the key must be in the caller's keyrings already to be
     found.

   - Invalidate used request_key authentication keys rather than
     revoking them, so that they get cleaned up immediately rather than
     hanging around till the expiry time is passed.

   - Move the RCU locks outwards from the keyring search functions so
     that a request_key_rcu() can be provided. This can be called in RCU
     mode, so it can't sleep and can't upcall - but it can be called
     from LOOKUP_RCU pathwalk mode.

   - Cache the latest positive result of request_key*() temporarily in
     task_struct so that filesystems that make a lot of request_key()
     calls during pathwalk can take advantage of it to avoid having to
     redo the searching. This requires CONFIG_KEYS_REQUEST_CACHE=y.

     It is assumed that the key just found is likely to be used multiple
     times in each step in an RCU pathwalk, and is likely to be reused
     for the next step too.

     Note that the cleanup of the cache is done on TIF_NOTIFY_RESUME,
     just before userspace resumes, and on exit"

* tag 'keys-request-20190626' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  keys: Kill off request_key_async{,_with_auxdata}
  keys: Cache result of request_key*() temporarily in task_struct
  keys: Provide request_key_rcu()
  keys: Move the RCU locks outwards from the keyring search functions
  keys: Invalidate used request_key authentication keys
  keys: Fix request_key() lack of Link perm check on found key
parents d44a6274 3b8c4a08

Documentation/security/keys/core.rst

+10 −28
Original line number Diff line number Diff line
@@ -433,6 +433,10 @@ The main syscalls are: 
     /sbin/request-key will be invoked in an attempt to obtain a key. The

     callout_info string will be passed as an argument to the program.



     To link a key into the destination keyring the key must grant link

     permission on the key to the caller and the keyring must grant write

     permission.



     See also Documentation/security/keys/request-key.rst.
@@ -1111,36 +1115,14 @@ payload contents" for more information. 
    is a blob of length callout_len, if given (the length may be 0).





 *  A key can be requested asynchronously by calling one of::



	struct key *request_key_async(const struct key_type *type,

				      const char *description,

				      const void *callout_info,

				      size_t callout_len);



    or::



	struct key *request_key_async_with_auxdata(const struct key_type *type,

						   const char *description,

						   const char *callout_info,

					     	   size_t callout_len,

					     	   void *aux);



    which are asynchronous equivalents of request_key() and

    request_key_with_auxdata() respectively.



    These two functions return with the key potentially still under

    construction.  To wait for construction completion, the following should be

    called::



	int wait_for_key_construction(struct key *key, bool intr);

 *  To search for a key under RCU conditions, call::



    The function will wait for the key to finish being constructed and then

    invokes key_validate() to return an appropriate value to indicate the state

    of the key (0 indicates the key is usable).

	struct key *request_key_rcu(const struct key_type *type,

				    const char *description);



    If intr is true, then the wait can be interrupted by a signal, in which

    case error ERESTARTSYS will be returned.

    which is similar to request_key() except that it does not check for keys

    that are under construction and it will not call out to userspace to

    construct a key if it can't find a match.





 *  When it is no longer required, the key should be released using::

Documentation/security/keys/request-key.rst

+14 −19
Original line number Diff line number Diff line
@@ -23,18 +23,8 @@ or:: 


or::



	struct key *request_key_async(const struct key_type *type,

				      const char *description,

				      const char *callout_info,

				      size_t callout_len);



or::



	struct key *request_key_async_with_auxdata(const struct key_type *type,

						   const char *description,

						   const char *callout_info,

					     	   size_t callout_len,

						   void *aux);

	struct key *request_key_rcu(const struct key_type *type,

				    const char *description);



Or by userspace invoking the request_key system call::
@@ -48,14 +38,14 @@ does not need to link the key to a keyring to prevent it from being immediately 
destroyed.  The kernel interface returns a pointer directly to the key, and

it's up to the caller to destroy the key.



The request_key*_with_auxdata() calls are like the in-kernel request_key*()

calls, except that they permit auxiliary data to be passed to the upcaller (the

The request_key_with_auxdata() calls is like the in-kernel request_key() call,

except that they permit auxiliary data to be passed to the upcaller (the

default is NULL).  This is only useful for those key types that define their

own upcall mechanism rather than using /sbin/request-key.



The two async in-kernel calls may return keys that are still in the process of

being constructed.  The two non-async ones will wait for construction to

complete first.

The request_key_rcu() call is like the in-kernel request_key() call, except

that it doesn't check for keys that are under construction and doesn't attempt

to construct missing keys.



The userspace interface links the key to a keyring associated with the process

to prevent the key from going away, and returns the serial number of the key to
@@ -148,7 +138,7 @@ The Search Algorithm 


A search of any particular keyring proceeds in the following fashion:



  1) When the key management code searches for a key (keyring_search_aux) it

  1) When the key management code searches for a key (keyring_search_rcu) it

     firstly calls key_permission(SEARCH) on the keyring it's starting with,

     if this denies permission, it doesn't search further.
@@ -167,6 +157,9 @@ The process stops immediately a valid key is found with permission granted to 
use it.  Any error from a previous match attempt is discarded and the key is

returned.



When request_key() is invoked, if CONFIG_KEYS_REQUEST_CACHE=y, a per-task

one-key cache is first checked for a match.



When search_process_keyrings() is invoked, it performs the following searches

until one succeeds:
@@ -186,7 +179,9 @@ until one succeeds: 
      c) The calling process's session keyring is searched.



The moment one succeeds, all pending errors are discarded and the found key is

returned.

returned.  If CONFIG_KEYS_REQUEST_CACHE=y, then that key is placed in the

per-task cache, displacing the previous key.  The cache is cleared on exit or

just prior to resumption of userspace.



Only if all these fail does the whole thing fail with the highest priority

error.  Note that several errors may have come from LSM.

include/keys/request_key_auth-type.h

+1 −0
Original line number Diff line number Diff line
@@ -14,6 +14,7 @@ 
 * Authorisation record for request_key().

 */

struct request_key_auth {

	struct rcu_head		rcu;

	struct key		*target_key;

	struct key		*dest_keyring;

	const struct cred	*cred;

include/linux/key.h

+3 −11
Original line number Diff line number Diff line
@@ -269,18 +269,10 @@ extern struct key *request_key(struct key_type *type, 
			       const char *description,

			       const char *callout_info);



extern struct key *request_key_with_auxdata(struct key_type *type,

					    const char *description,

					    const void *callout_info,

					    size_t callout_len,

					    void *aux);



extern struct key *request_key_async(struct key_type *type,

				     const char *description,

				     const void *callout_info,

				     size_t callout_len);

extern struct key *request_key_rcu(struct key_type *type,

				   const char *description);



extern struct key *request_key_async_with_auxdata(struct key_type *type,

extern struct key *request_key_with_auxdata(struct key_type *type,

					    const char *description,

					    const void *callout_info,

					    size_t callout_len,

include/linux/sched.h

+5 −0
Original line number Diff line number Diff line
@@ -892,6 +892,11 @@ struct task_struct { 
	/* Effective (overridable) subjective task credentials (COW): */

	const struct cred __rcu		*cred;



#ifdef CONFIG_KEYS

	/* Cached requested key. */

	struct key			*cached_requested_key;

#endif



	/*

	 * executable name, excluding path.

	 *

CRA Git | Maintained and supported by SUSTech CRA and CCSE