diff options
| author |   David Howells <dhowells@redhat.com> | 2019-06-26 21:02:32 +0100 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2019-06-26 21:02:32 +0100 |
| commit | 0f44e4d976f96c6439da0d6717238efa4b91196e (patch) | |
| tree | 3cec4bc4ef3faa4e61058e3aff066a7bec1c9d37 /security/keys/keyring.c | |
| parent | keys: Namespace keyring names (diff) | |
| download | linux-dev-0f44e4d976f96c6439da0d6717238efa4b91196e.tar.xz linux-dev-0f44e4d976f96c6439da0d6717238efa4b91196e.zip | |
keys: Move the user and user-session keyrings to the user_namespace
Move the user and user-session keyrings to the user_namespace struct rather
than pinning them from the user_struct struct. This prevents these
keyrings from propagating across user-namespaces boundaries with regard to
the KEY_SPEC_* flags, thereby making them more useful in a containerised
environment.
The issue is that a single user_struct may be represent UIDs in several
different namespaces.
The way the patch does this is by attaching a 'register keyring' in each
user_namespace and then sticking the user and user-session keyrings into
that. It can then be searched to retrieve them.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Jann Horn <jannh@google.com>
Diffstat (limited to '')
| -rw-r--r-- | security/keys/keyring.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/keys/keyring.c b/security/keys/keyring.c index fe851292509e..3663e5168583 100644 --- a/security/keys/keyring.c +++ b/security/keys/keyring.c @@ -62,6 +62,7 @@ void key_free_user_ns(struct user_namespace *ns) list_del_init(&ns->keyring_name_list); write_unlock(&keyring_name_lock); + key_put(ns->user_keyring_register); #ifdef CONFIG_PERSISTENT_KEYRINGS key_put(ns->persistent_keyring_register); #endif |