summaryrefslogtreecommitdiffstats
path: root/security/keys/persistent.c
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2019-06-26 22:02:32 +0200
committerDavid Howells <dhowells@redhat.com>2019-06-26 22:02:32 +0200
commit3b6e4de05e9ee2e2f94e4a3fe14d945e2418d9a8 (patch)
treec31a08de17f1607b40358d4351b1f97d78520164 /security/keys/persistent.c
parentkeys: Move the user and user-session keyrings to the user_namespace (diff)
downloadlinux-3b6e4de05e9ee2e2f94e4a3fe14d945e2418d9a8.tar.xz
linux-3b6e4de05e9ee2e2f94e4a3fe14d945e2418d9a8.zip
keys: Include target namespace in match criteria
Currently a key has a standard matching criteria of { type, description } and this is used to only allow keys with unique criteria in a keyring. This means, however, that you cannot have keys with the same type and description but a different target namespace in the same keyring. This is a potential problem for a containerised environment where, say, a container is made up of some parts of its mount space involving netfs superblocks from two different network namespaces. This is also a problem for shared system management keyrings such as the DNS records keyring or the NFS idmapper keyring that might contain keys from different network namespaces. Fix this by including a namespace component in a key's matching criteria. Keyring types are marked to indicate which, if any, namespace is relevant to keys of that type, and that namespace is set when the key is created from the current task's namespace set. The capability bit KEYCTL_CAPS1_NS_KEY_TAG is set if the kernel is employing this feature. Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to '')
-rw-r--r--security/keys/persistent.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/keys/persistent.c b/security/keys/persistent.c
index 90303fe4a394..9944d855a28d 100644
--- a/security/keys/persistent.c
+++ b/security/keys/persistent.c
@@ -84,6 +84,7 @@ static long key_get_persistent(struct user_namespace *ns, kuid_t uid,
long ret;
/* Look in the register if it exists */
+ memset(&index_key, 0, sizeof(index_key));
index_key.type = &key_type_keyring;
index_key.description = buf;
index_key.desc_len = sprintf(buf, "_persistent.%u", from_kuid(ns, uid));