On Fri, May 15, 2020 at 3:12 PM Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> wrote: > Kernel 5.? introduced the watch_queue service that allows watching for (I will fix up 5.? to 5.8 when applying.) > key changes. This requires key { view } permission, therefore check if > allowed or not. > > Note that the keyctl_watch_key() function is not yet built into the > keyutils library, therefore a syscall() is used. > > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> > --- > Tested on kernel.org 'linux-next: next-20200514' I tested the patch on the latest Rawhide 5.8-rc1 kernel build and it seems to work fine. Acked-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > V2 Changes: > 1) The watch_queue changed from using /dev/watch_queue to pipe2(2), therefore > update watchkey.c > 2) Update policy to reflect the changes. > > defconfig | 5 +++ > policy/Makefile | 2 +- > policy/test_watchkey.te | 27 +++++++++++ > tests/Makefile | 4 ++ > tests/watchkey/.gitignore | 1 + > tests/watchkey/Makefile | 7 +++ > tests/watchkey/test | 29 ++++++++++++ > tests/watchkey/watchkey.c | 94 +++++++++++++++++++++++++++++++++++++++ > 8 files changed, 168 insertions(+), 1 deletion(-) > create mode 100644 policy/test_watchkey.te > create mode 100644 tests/watchkey/.gitignore > create mode 100644 tests/watchkey/Makefile > create mode 100755 tests/watchkey/test > create mode 100644 tests/watchkey/watchkey.c [...] > diff --git a/tests/watchkey/watchkey.c b/tests/watchkey/watchkey.c > new file mode 100644 > index 0000000..c7f3274 > --- /dev/null 
> +++ b/tests/watchkey/watchkey.c [...] > + fd = pipefd[0]; > + > + result = ioctl(fd, IOC_WATCH_QUEUE_SET_SIZE, BUF_SIZE); > + if (result < 0) { > + fprintf(stderr, "Failed to set watch_queue size: %s\n", > + strerror(errno)); > + exit(-1); > + } > + > + save_errno = 0; > + /* Requires key { view } */ > + result = keyctl_watch_key(KEY_SPEC_PROCESS_KEYRING, fd, > + WATCH_TYPE_KEY_NOTIFY); > + if (result < 0) { > + save_errno = errno; > + fprintf(stderr, "Failed keyctl_watch_key(): %s\n", > + strerror(errno)); > + goto err; > + } > + if (verbose) > + printf("keyctl_watch_key() successful\n"); > + > +err: > + close(fd); Minor nit: we should actually close both pipefds here (the write end (pipefd[1]) is unused, but according to strace, the kernel does return a valid fd there, too). Also, there is one error path that just calls exit(-1) instead of closing the descriptors. Anyway, since this is just a test program and the kernel closes the fds at exit anyway, I'm not going to hold up the patch because of it. Feel free to send a separate patch if you'd like to clean it up. > + return save_errno; > +} > -- > 2.25.3 > -- Ondrej Mosnacek Software Engineer, Platform Security - SELinux kernel Red Hat, Inc.
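Review bot: the two error paths in this hunk behave differently: the ioctl() failure calls `exit(-1)` (exit status 255, descriptors left open), while the keyctl_watch_key() failure does `save_errno = errno;` and `goto err;` so the errno value is returned to the caller and the test script can tell EACCES (key { view } denied) from a setup failure. Suggest making the ioctl() failure use the same `save_errno = errno; goto err;` pattern, and since pipe2() hands back two descriptors of which only `fd = pipefd[0]` is used as the watch fd, have the `err:` label close both ends (`close(pipefd[0]); close(pipefd[1]);`) rather than `close(fd)` alone.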