Subject: [RFC PATCH 27/27] containers: Sample to grant access to a key in a container
From: David Howells
To: keyrings@vger.kernel.org, trond.myklebust@hammerspace.com, sfrench@samba.org
Cc: linux-security-module@vger.kernel.org, linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org, linux-fsdevel@vger.kernel.org, rgb@redhat.com, dhowells@redhat.com, linux-kernel@vger.kernel.org
Date: Fri, 15 Feb 2019 16:12:17 +0000
Message-ID: <155024713756.21651.13272811997083735868.stgit@warthog.procyon.org.uk>
In-Reply-To: <155024683432.21651.14153938339749694146.stgit@warthog.procyon.org.uk>
References: <155024683432.21651.14153938339749694146.stgit@warthog.procyon.org.uk>

Provide a sample program that will grant access to the specified key for a
container named "foo-test" (as created by the test-container sample) and then
link the key into the container keyring (either given on the command line or
found by searching for a keyring called "_container" in the session keyring,
as placed there by the test-container sample).

So, for example, this could be used to place an rxrpc key in the container
keyring for kAFS inside the container to use:

 (1) Poke kerberos to get a ticket for accessing AFS.

        # kinit
        # aklog-kafs redhat.com

 (2) Find the rxrpc key ID:

        # keyctl show
        Session Keyring
        1071328996 --alswrv      0     0  keyring: _ses
         574060623 ---lswrv      0 65534   \_ keyring: _uid.0
        1004048468 --alswrv      0     0   \_ rxrpc: afs@redhat.com
         918328787 --alswrv      0     0   \_ keyring: upcall
         996275498 --alswrv      0     0   \_ keyring: _container
         785497401 --alswrv      0     0       \_ user: foobar

     which would be 1004048468 in this example.
 (3) Invoke the sample:

        # test-cont-grant 1004048468

     The rxrpc key can now be seen in the container keyring:

        # keyctl show
        Session Keyring
        1071328996 --alswrv      0     0  keyring: _ses
         574060623 ---lswrv      0 65534   \_ keyring: _uid.0
        1004048468 --alswrv      0     0   \_ rxrpc: afs@redhat.com
         918328787 --alswrv      0     0   \_ keyring: upcall
         996275498 --alswrv      0     0   \_ keyring: _container
         785497401 --alswrv      0     0       \_ user: foobar
        1004048468 --alswrv      0     0       \_ rxrpc: afs@redhat.com

 (4) Mount the kAFS filesystem inside the container:

        > mount -t afs "%redhat.com:root.cell" /mnt

     The contents of /mnt can then be used from inside the container using
     the key placed into the container keyring.

Signed-off-by: David Howells
---
 samples/vfs/Makefile          |    3 +
 samples/vfs/test-cont-grant.c |   84 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 samples/vfs/test-cont-grant.c

diff --git a/samples/vfs/Makefile b/samples/vfs/Makefile index a8e9e1142ae3..c8eea193a856 100644 --- a/samples/vfs/Makefile +++ b/samples/vfs/Makefile @@ -6,6 +6,7 @@ hostprogs-$(CONFIG_SAMPLE_VFS) := \ test-mntinfo \ test-statx \ test-container \ + test-cont-grant \ test-upcall # Tell kbuild to always build the programs @@ -22,5 +23,7 @@ HOSTCFLAGS_test-statx.o += -I$(objtree)/usr/include HOSTCFLAGS_test-container.o += -I$(objtree)/usr/include HOSTLDLIBS_test-container += -lkeyutils +HOSTCFLAGS_test-cont-grant.o += -I$(objtree)/usr/include +HOSTLDLIBS_test-cont-grant += -lkeyutils HOSTCFLAGS_test-upcall.o += -I$(objtree)/usr/include HOSTLDLIBS_test-upcall += -lkeyutils diff --git a/samples/vfs/test-cont-grant.c b/samples/vfs/test-cont-grant.c new file mode 100644 index 000000000000..da4a60bc71fa --- /dev/null +++ b/samples/vfs/test-cont-grant.c
@@ -0,0 +1,84 @@ +/* Link a key into a container keyring and grant perms to the container. + * + * Copyright (C) 2019 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define KEYCTL_GRANT_PERMISSION 36 /* Grant a permit to a key */ + +enum key_ace_subject_type { + KEY_ACE_SUBJ_STANDARD = 0, /* subject is one of key_ace_standard_subject */ + KEY_ACE_SUBJ_CONTAINER = 1, /* subject is a container fd */ + KEY_ACE_SUBJ_CONTAINER_NAME = 2, /* subject is a container name pointer */ +}; + +enum key_ace_standard_subject { + KEY_ACE_EVERYONE = 0, /* Everyone, including owner and group */ + KEY_ACE_GROUP = 1, /* The key's group */ + KEY_ACE_OWNER = 2, /* The owner of the key */ + KEY_ACE_POSSESSOR = 3, /* Any process that possesses of the key */ +}; + +#define KEY_ACE_VIEW 0x00000001 /* Can describe the key */ +#define KEY_ACE_READ 0x00000002 /* Can read the key content */ +#define KEY_ACE_WRITE 0x00000004 /* Can update/modify the key content */ +#define KEY_ACE_SEARCH 0x00000008 /* Can find the key by search */ +#define KEY_ACE_LINK 0x00000010 /* Can make a link to the key */ +#define KEY_ACE_SET_SECURITY 0x00000020 /* Can set owner, group, ACL */ +#define KEY_ACE_INVAL 0x00000040 /* Can invalidate the key */ +#define KEY_ACE_REVOKE 0x00000080 /* Can revoke the key */ +#define KEY_ACE_JOIN 0x00000100 /* Can join keyring */ +#define KEY_ACE_CLEAR 0x00000200 /* Can clear keyring */ + +int main(int argc, char *argv[]) +{ + key_serial_t key, keyring; + + if (argc == 2) { + printf("Find keyring '_container'...\n"); + keyring = keyctl_search(KEY_SPEC_SESSION_KEYRING, "keyring", 
"_container", 0); + if (keyring == -1) { + perror("keyctl_search"); + exit(1); + } + + key = atoi(argv[1]); + } else if (argc == 3) { + printf("Use specified keyring...\n"); + keyring = atoi(argv[2]); + key = atoi(argv[1]); + } else { + fprintf(stderr, "Format: test-cont-grant []\n"); + exit(2); + } + + if (keyctl(KEYCTL_GRANT_PERMISSION, key, + KEY_ACE_SUBJ_CONTAINER_NAME, "foo-test", + KEY_ACE_SEARCH) < 0) { + perror("keyctl_grant/s"); + exit(1); + } + + if (keyctl_link(key, keyring) < 0) { + perror("keyctl_link"); + exit(1); + } + + exit(0); +}
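Review bot: in the test-cont-grant.c hunk, the key and keyring IDs are taken straight from atoi(argv[1]) and atoi(argv[2]) with no validation, so a mistyped or non-numeric argument silently becomes key 0 (and overflow is undefined), after which the program grants KEY_ACE_SEARCH on, and links, whatever that resolves to; parse with strtol(), check errno and the end pointer, and reject anything outside the key_serial_t range before the keyctl() call. On the same hunk, the permission grant to container "foo-test" happens before keyctl_link(), so the failure path `perror("keyctl_link"); exit(1);` leaves the grant in place with no way to undo it from the sample; doing the link first and calling keyctl_unlink() if the grant then fails keeps the two operations consistent, and the hardcoded container name should at least be mentioned in the usage message. Finally, KEYCTL_GRANT_PERMISSION (36), key_ace_subject_type, key_ace_standard_subject and the KEY_ACE_* flags are redefined locally even though the Makefile hunk adds -I$(objtree)/usr/include; once these land in the UAPI keyctl header the sample should include that rather than carry its own copy, otherwise the values can drift from the kernel's. Minor: the KEY_ACE_POSSESSOR comment "Any process that possesses of the key" should read "Any process that possesses the key".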