Here's a rough draft of a facility by which keys can be intercepted. There are two patches: (1) Add tags to namespaces that can be used to find out, when we're looking for an intercept, if a namespace that an intercept is filtering on is the same as namespace of the caller of request_key() without the need for the intercept record to pin the namespaces that it's using as filters (which would also cause a dependency cycle). Tags contain only a refcount and are compared by address. (2) Add a new keyctl: keyctl(KEYCTL_SERVICE_INTERCEPT, int queue_keyring, int userns_fd, const char *type_name, unsigned int ns_mask); that allows a request_key() intercept to be added to the specified user namespace. The authorisation key for an intercepted request is placed in the queue_keyring, which can be watched to gain a notification of this happening. The watcher can then examine the auth key to determine what key is to be instantiated. A simple sample is provided that can be used to try this. Some things that need to be worked out: (*) Intercepts are linked to the lifetime of the user_namespace on which they're placed, but not the daemon or the queue keyring. Probably they should be removed when the queue keyring is removed, but they currently pin it. (*) Setting userns_fd to other than -1 is not yet supported (-1 indicates the current user namespace). (*) Multiple threads can monitor a queue keyring, but they will all get woken. They can use keyctl_move() to decide who gets to process it. The patches can be found on the following branch: https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-intercept David --- David Howells (2): Add namespace tags that can be used for matching without pinning a ns keys: Allow request_key upcalls from a container to be intercepted include/linux/key-type.h | 4 +- include/linux/user_namespace.h | 2 + include/uapi/linux/keyctl.h | 13 + kernel/user.c | 3 + kernel/user_namespace.c | 2 + samples/watch_queue/Makefile | 2 + samples/watch_queue/key_req_intercept.c | 271 +++++++++++++++++++ security/keys/Makefile | 2 + security/keys/compat.c | 3 + security/keys/internal.h | 5 + security/keys/keyctl.c | 6 + security/keys/keyring.c | 1 + security/keys/process_keys.c | 2 +- security/keys/request_key.c | 16 +- security/keys/request_key_auth.c | 3 + security/keys/service.c | 337 ++++++++++++++++++++++++ 16 files changed, 663 insertions(+), 9 deletions(-) create mode 100644 samples/watch_queue/key_req_intercept.c create mode 100644 security/keys/service.c _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers