keys: Move the user and user-session keyrings to the user_namespace
Move the user and user-session keyrings to the user_namespace struct rather
than pinning them from the user_struct struct. This prevents these
keyrings from propagating across user-namespace boundaries with regard to
the KEY_SPEC_* flags, thereby making them more useful in a containerised
environment.
The issue is that a single user_struct may represent UIDs in several
different namespaces.
The way the patch does this is by attaching a 'register keyring' in each
user_namespace and then sticking the user and user-session keyrings into
that. It can then be searched to retrieve them.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Jann Horn <jannh@google.com>
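The effect the message describes can be checked from user space. The program below is an added example, not code from the kernel patch or from its author: it asks the kernel for the caller's user keyring with keyctl(KEYCTL_GET_KEYRING_ID, spec, 1), then forks a child that unshares a new user namespace (same kuid, so the same user_struct, but a different current_user_ns()) and repeats the lookup. If the serials differ, the keyrings are being looked up through the per-user_namespace register keyring as this patch intends; if they are equal, they are still pinned from the shared user_struct. The names probe_keyring_scope(), lookup_keyring() and the PROBE_* result codes are this example's own. It assumes a Linux kernel built with CONFIG_KEYS and permission to create an unprivileged user namespace; where keyctl is filtered (Docker's default seccomp profile blocks it) or user namespaces are disabled, the probe reports that instead of guessing.

```c
/*
 * Added example (not part of the kernel patch): probe whether
 * KEY_SPEC_USER_KEYRING / KEY_SPEC_USER_SESSION_KEYRING are scoped to
 * the user namespace.
 *
 * Parent: look up (creating if needed) the keyring named by `spec`.
 * Child:  unshare(CLONE_NEWUSER), repeat the lookup, send the serial back.
 * Same serial      -> keyring pinned from the shared user_struct (old code).
 * Different serial -> one register keyring per user_namespace (this patch).
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <unistd.h>

#ifdef __linux__
#include <sched.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/keyctl.h>
#endif

/* Fallbacks for old uapi headers; values match linux/keyctl.h and sched.h. */
#ifndef KEYCTL_GET_KEYRING_ID
#define KEYCTL_GET_KEYRING_ID 0
#endif
#ifndef KEY_SPEC_USER_KEYRING
#define KEY_SPEC_USER_KEYRING -4
#endif
#ifndef KEY_SPEC_USER_SESSION_KEYRING
#define KEY_SPEC_USER_SESSION_KEYRING -5
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

enum probe_result {
	PROBE_UNSUPPORTED = -3,	/* not built on Linux */
	PROBE_NO_KEYS     = -2,	/* keyctl() failed: CONFIG_KEYS=n or seccomp */
	PROBE_NO_USERNS   = -1,	/* unshare(CLONE_NEWUSER) refused */
	PROBE_SHARED      =  0,	/* same serial inside the new user namespace */
	PROBE_SEPARATE    =  1,	/* different serial: per-user_namespace keyrings */
};

#ifdef __linux__
/* keyctl(KEYCTL_GET_KEYRING_ID, spec, create): serial on success, -1 on error. */
static long lookup_keyring(int spec, int create)
{
	return syscall(SYS_keyctl, KEYCTL_GET_KEYRING_ID, spec, create);
}

int probe_keyring_scope(int spec)
{
	long outer, inner = -1;
	int fds[2], status;
	pid_t pid;

	outer = lookup_keyring(spec, 1);
	if (outer < 0)
		return PROBE_NO_KEYS;

	if (pipe(fds) < 0)
		return PROBE_NO_USERNS;
	pid = fork();
	if (pid < 0) {
		close(fds[0]);
		close(fds[1]);
		return PROBE_NO_USERNS;
	}
	if (pid == 0) {
		/* Child: same kuid as the parent, but a fresh current_user_ns(). */
		close(fds[0]);
		if (syscall(SYS_unshare, CLONE_NEWUSER) < 0)
			_exit(2);
		inner = lookup_keyring(spec, 1);
		if (inner < 0)
			_exit(3);
		_exit(write(fds[1], &inner, sizeof(inner)) == (ssize_t)sizeof(inner) ? 0 : 4);
	}

	close(fds[1]);
	if (read(fds[0], &inner, sizeof(inner)) != (ssize_t)sizeof(inner))
		inner = -1;
	close(fds[0]);
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return PROBE_NO_USERNS;
	if (WEXITSTATUS(status) == 2)
		return PROBE_NO_USERNS;
	if (WEXITSTATUS(status) != 0 || inner < 0)
		return PROBE_NO_KEYS;
	return inner == outer ? PROBE_SHARED : PROBE_SEPARATE;
}
#else
int probe_keyring_scope(int spec)
{
	(void)spec;
	return PROBE_UNSUPPORTED;
}
#endif

int main(void)
{
	static const char *const names[] = {
		"unsupported", "keyctl unavailable", "user namespaces unavailable",
		"SHARED across user namespaces", "SEPARATE per user namespace",
	};
	int user = probe_keyring_scope(KEY_SPEC_USER_KEYRING);
	int sess = probe_keyring_scope(KEY_SPEC_USER_SESSION_KEYRING);

	printf("KEY_SPEC_USER_KEYRING:         %s\n", names[user - PROBE_UNSUPPORTED]);
	printf("KEY_SPEC_USER_SESSION_KEYRING: %s\n", names[sess - PROBE_UNSUPPORTED]);
	return 0;
}
```

The child does not write a uid_map, so inside the new namespace its UID is unmapped; that is deliberate, since the point is that the kernel-side kuid (and hence the user_struct) is unchanged while the namespace is not. A "SEPARATE" result on the user-session keyring alongside "SHARED" on the user keyring would be unexpected under either the old or the new code and would warrant a closer look at the kernel in use.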
Showing 9 changed files:
- include/linux/sched/user.h: 0 additions, 14 deletions
- include/linux/user_namespace.h: 7 additions, 2 deletions
- kernel/user.c: 1 addition, 6 deletions
- kernel/user_namespace.c: 1 addition, 3 deletions
- security/keys/internal.h: 2 additions, 1 deletion
- security/keys/keyring.c: 1 addition, 0 deletions
- security/keys/persistent.c: 4 additions, 4 deletions
- security/keys/process_keys.c: 168 additions, 91 deletions
- security/keys/request_key.c: 12 additions, 8 deletions