On Thu, Apr 20, 2023 at 16:20:04 -0400, Scott Mayhew wrote:
> This patch adds the option to store GSS credentials in keyrings as an
> alternative to the RPC credential cache, to give users the ability to
> destroy their GSS credentials on demand via 'keyctl unlink'.

Can documentation please be added to `Documentation/security/keys` about
this key type?

> Summary of the changes:
>
> - Added key_type key_type_gss_cred and associated functions.  The
>   request_key function makes use of the existing upcall mechanism to
>   gssd.
>
> - Added a keyring to the gss_auth struct to allow all of the associated
>   GSS credentials to be destroyed on RPC client shutdown (when the
>   filesystem is unmounted).
>
> - The key description contains the RPC client id, the user id, and the
>   principal (for machine creds).

What is the format of this within the bytes?

> - The key payload contains the address of the gss_cred.

What is the format of this within the bytes?

> - The key is linked to the user's user keyring (KEY_SPEC_USER_KEYRING)
>   as well as to the keyring on the gss_auth struct.

Where is this documented?  Can the key be moved later?

> - gss_cred_init() now takes an optional pointer to an authkey, which is
>   passed down to gss_create_upcall() and gss_setup_upcall(), where it is
>   added to the gss_msg.  This is used for complete_request_key() after
>   the upcall is done.
>
> - put_rpccred() now returns a bool to indicate whether it called
>   crdestroy(), and is used by gss_key_revoke() and gss_key_destroy() to
>   determine whether to clear the key payload.
>
> - gss_fill_context() now returns the GSS context's timeout via the tout
>   parameter, which is used to set the timeout of the key.
>
> - Added the module parameter 'use_keyring'.  When set to true, the GSS
>   credentials are stored in the keyrings.  When false, the GSS
>   credentials are stored in the RPC credential caches.
>
> - Added a tracepoint to log the result of the key request, which prints
>   either the key serial or an error return value.
>
> Signed-off-by: Scott Mayhew <smayhew@xxxxxxxxxx>
> ---
>  include/linux/sunrpc/auth.h    |   4 +-
>  include/trace/events/rpcgss.h  |  46 ++++-
>  net/sunrpc/auth.c              |   9 +-
>  net/sunrpc/auth_gss/auth_gss.c | 338 +++++++++++++++++++++++++++++++--
>  4 files changed, 376 insertions(+), 21 deletions(-)

Thanks,
--Ben