keys: Move the user and user-session keyrings to the user_namespace
author David Howells <dhowells@redhat.com>
Wed, 26 Jun 2019 20:02:32 +0000 (21:02 +0100)
committer David Howells <dhowells@redhat.com>
Wed, 26 Jun 2019 20:02:32 +0000 (21:02 +0100)
commit 0f44e4d976f96c6439da0d6717238efa4b91196e
tree 3cec4bc4ef3faa4e61058e3aff066a7bec1c9d37
parent b206f281d0ee14969878469816a69db22d5838e8
keys: Move the user and user-session keyrings to the user_namespace

Move the user and user-session keyrings to the user_namespace struct rather
than pinning them from the user_struct struct.  This prevents these
keyrings from propagating across user-namespaces boundaries with regard to
the KEY_SPEC_* flags, thereby making them more useful in a containerised
environment.

The issue is that a single user_struct may represent UIDs in several
different namespaces.

The way the patch does this is by attaching a 'register keyring' in each
user_namespace and then sticking the user and user-session keyrings into
that.  It can then be searched to retrieve them.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: Jann Horn <jannh@google.com>
include/linux/sched/user.h
include/linux/user_namespace.h
kernel/user.c
kernel/user_namespace.c
security/keys/internal.h
security/keys/keyring.c
security/keys/persistent.c
security/keys/process_keys.c
security/keys/request_key.c