ebiederm@xxxxxxxxxxxx (Eric W. Biederman) writes: > David Howells <dhowells@xxxxxxxxxx> writes: > >> Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote: >> >>> ... Perhaps we could simply *remove* the concept of named keys and keyrings. >> >> See Linus's dictum about breaking userspace. >> >> The problem isn't named keys: keys have to be named - the description is how >> they're looked up typically. Further, non-keyring keys can't be looked up >> directly by name - you have to search for them in a keyring. >> >> The issue here is named keyrings and keyctl_join_session_keyring(). It might >> well have been a bad idea - though I've seen some people arguing for a single >> session keyring shared across all a user's logins, in which case, we might >> want this after all (or use the user-default session). >> >> One thing we perhaps do want to do, though, is restrict the names of keyrings >> to the user_namespace in which the keyring was created. > > Grr... > > The first round of user namespace support had actually restricted the > description lookup to a single user namespace. Then I missed a detail > and converted the code to it's current form. Ooops! > > I think the answer for all of the issues raised in this conversation is > to just make the keyring names and the keyring name lookup per user > namespace. > > Maybe a few small additional tweaks to install_user_keyrings to notice > if we have the user keyring from the wrong user namespace. > > Something like the untested patch below. Ugh but that approach runs into the fact that the uid_keyring lives in user_struct. So in the short term it is probably better to use the uid in the initial user namespace in install_user_keyrings. Then in keyctl_join_session_keyring look for names that start with _uid. and _uid_ses. and change the strings to have the numbers in the initial user namespace instead of the current user namespace. That would be the smallest change we could make, that would result in correct code. Eric _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers