Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755224Ab3H2Bnk (ORCPT ); Wed, 28 Aug 2013 21:43:40 -0400
Received: from tundra.namei.org ([65.99.196.166]:33445 "EHLO tundra.namei.org"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754248Ab3H2Bnj
	(ORCPT ); Wed, 28 Aug 2013 21:43:39 -0400
Date: Thu, 29 Aug 2013 11:44:32 +1000 (EST)
From: James Morris
To: David Howells
cc: simo@redhat.com, keyrings@linux-nfs.org,
	linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [GIT PULL] Expand keyring capacity and provide support for libkrb5
In-Reply-To: <11520.1377735648@warthog.procyon.org.uk>
References: <11520.1377735648@warthog.procyon.org.uk>
User-Agent: Alpine 2.02 (LRH 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 5691
Lines: 134

On Thu, 29 Aug 2013, David Howells wrote:

> 
> Hi James,
> 
> Could you pull these patches into the security tree?

 944 files changed, 17114 insertions(+), 9157 deletions(-)

How about no? :)

> 
> The patches can be viewed as three sets:
> 
>  (1) KEYS: Skip key state checks when checking for possession
> 
>      This is a fix for determining the possessed status of keys that have been
>      invalidated or revoked or that have expired.  If nothing else, can you
>      please pick this and pass it upstream.
> 
>  (2) KEYS: Expand the capacity of a keyring
>      Add a generic associative array implementation
>      KEYS: Drop the permissions argument from __keyring_search_one()
>      KEYS: Define a __key_get() wrapper to use rather than atomic_inc()
>      KEYS: Search for auth-key by name rather than target key ID
>      KEYS: Introduce a search context structure
>      KEYS: Consolidate the concept of an 'index key' for key access
>      KEYS: key_is_dead() should take a const key pointer argument
>      KEYS: Use bool in make_key_ref() and is_key_possessed()
> 
>      Patches to expand the capacity of a keyring by using an associative
>      array rather than a flat list and patches to do some preparatory cleanups
>      for those.
> 
>  (3) KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
>      KEYS: Implement a big key type that can save to tmpfs
> 
>      Patches to add better support for libkrb5 to save its tokens in a kernel
>      keyring rather than in files.  It already has this ability to some
>      extent, but that has two problems: your tokens get deleted when you log
>      out (so your cron jobs can't use them) and the capacity of a user type
>      key is not sufficient for some of the huge Kerberos tickets one can get.
>      These patches address that.
> 
> If you need the patches basing on your tree instead, that can be done.
> 
> David
> ---
> The following changes since commit f1d6e17f540af37bb1891480143669ba7636c4cf:
> 
>   Merge branch 'akpm' (patches from Andrew Morton) (2013-08-14 10:04:43 -0700)
> 
> are available in the git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-krb-support
> 
> for you to fetch changes up to 0f8d966ebc86d7ab9fb7fd074ae589c2d81de08f:
> 
>   KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches (2013-08-28 18:56:14 +0100)
> 
> ----------------------------------------------------------------
> (from the branch description for keys-devel local branch)
> 
> clone of "master"
> Kerberos ticket persistence support
> 
> ----------------------------------------------------------------
> David Howells (12):
>       KEYS: Skip key state checks when checking for possession
>       KEYS: Use bool in make_key_ref() and is_key_possessed()
>       KEYS: key_is_dead() should take a const key pointer argument
>       KEYS: Consolidate the concept of an 'index key' for key access
>       KEYS: Introduce a search context structure
>       KEYS: Search for auth-key by name rather than target key ID
>       KEYS: Define a __key_get() wrapper to use rather than atomic_inc()
>       KEYS: Drop the permissions argument from __keyring_search_one()
>       Add a generic associative array implementation.
>       KEYS: Expand the capacity of a keyring
>       KEYS: Implement a big key type that can save to tmpfs
>       KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
> 
>  Documentation/assoc_array.txt    |  574 +++++++++++++
>  Documentation/security/keys.txt  |   20 +-
>  include/keys/big_key-type.h      |   25 +
>  include/keys/keyring-type.h      |   17 +-
>  include/linux/assoc_array.h      |   92 ++
>  include/linux/assoc_array_priv.h |  182 ++++
>  include/linux/key-type.h         |    5 +
>  include/linux/key.h              |   49 +-
>  include/linux/user_namespace.h   |    6 +
>  include/uapi/linux/keyctl.h      |    1 +
>  kernel/user.c                    |    4 +
>  kernel/user_namespace.c          |    4 +
>  lib/Kconfig                      |   14 +
>  lib/Makefile                     |    1 +
>  lib/assoc_array.c                | 1745 ++++++++++++++++++++++++++++++++++++++
>  security/keys/Kconfig            |   29 +
>  security/keys/Makefile           |    2 +
>  security/keys/big_key.c          |  204 +++++
>  security/keys/compat.c           |    3 +
>  security/keys/gc.c               |   33 +-
>  security/keys/internal.h         |   74 +-
>  security/keys/key.c              |   91 +-
>  security/keys/keyctl.c           |    3 +
>  security/keys/keyring.c          | 1481 ++++++++++++++++----------------
>  security/keys/persistent.c       |  169 ++++
>  security/keys/proc.c             |   17 +-
>  security/keys/process_keys.c     |  131 +--
>  security/keys/request_key.c      |   56 +-
>  security/keys/request_key_auth.c |   31 +-
>  security/keys/sysctl.c           |   11 +
>  security/keys/user_defined.c     |   18 +-
>  31 files changed, 4124 insertions(+), 968 deletions(-)
>  create mode 100644 Documentation/assoc_array.txt
>  create mode 100644 include/keys/big_key-type.h
>  create mode 100644 include/linux/assoc_array.h
>  create mode 100644 include/linux/assoc_array_priv.h
>  create mode 100644 lib/assoc_array.c
>  create mode 100644 security/keys/big_key.c
>  create mode 100644 security/keys/persistent.c

-- 
James Morris