{
  "commit": "06a67e452fb9c5815f6181878949ab31178c6d67",
  "tree": "0f577477b0f0bfceb53303f91fee3c26e37485d3",
  "parents": [
    "eed986d8643280beed60cf7e7b9599f768706a53"
  ],
  "author": {
    "name": "David Howells",
    "email": "dhowells@redhat.com",
    "time": "Thu Jul 16 10:17:09 2020 +0100"
  },
  "committer": {
    "name": "David Howells",
    "email": "dhowells@redhat.com",
    "time": "Fri Feb 05 13:25:46 2021 +0000"
  },
  "message": "keys: Implement a \u0027container\u0027 keyring\n\nImplement a per-container keyring, dangling it off of a user_namespace.\nThe properties of this keyring are such that it\u0027s searched by request_key()\nselectively before or after the other keyrings have been searched, but the\nkeys in it don\u0027t grant possession to the denizens of the container, and so\nthe denizens can\u0027t see such keys unless those keys grant direct access\nthrough the ACL.  The kernel recurses up the user_namespace stack looking\nfor keyrings.\n\nThe container manager, however, can access the keyring, and can add, update\nand remove keys therein.\n\nThis allows the container manager to push filesystem authentication keys,\nfor example, into the container and to keep them refreshed without the\ndenizens of the container needing to know anything about it.\n\nTo this end, the following pieces are also added:\n\n (1) A new keyctl function, KEYCTL_GET_CONTAINER_KEYRING, to get the\n     container keyring from a user namespace:\n\n\tkeyring \u003d keyctl_get_userns_keyring(int userns_fd,\n\t\t\t\t\t    key_serial_t dest_keyring);\n\n     Get the container keyring attached to a user namespace, creating it if\n     it doesn\u0027t exist.  A file descriptor pointing to the user namespace\n     must be supplied.  The keyring will be linked into the destination\n     keyring if one is supplied (ie. not 0).  The keyring will be owned by\n     the user_namespace\u0027s owner and will grant various permissions to the\n     possessor.\n\n (2) An ACL ACE type that allows access to a key by a container:\n\n\tkeyctl_grant_acl(key_serial_t key,\n\t\t\t KEY_ACE_SUBJ_CONTAINER,\n\t\t\t int userns_fd,\n\t\t\t KEY_ACE_SEARCH);\n\n     This grants the kernel the ability to use a key on behalf of the\n     denizens of a container, but doesn\u0027t grant any other rights, including\n     the ability of the denizens to see that the key even exists.\n\nThis can then be tested with something like the following from the command\nline:\n\n (1) Get the container keyring for a user namespace and link it to the\n     session keyring.  The container is referenced as file descriptor 5.\n\n\t# keyctl get_container 5 @s 5\u003c/proc/self/ns/user\n\t197321290\n\n (2) Get a key that should be placed into the container, e.g.:\n\n\t# kinit foo@EXAMPLE.COM\n\t# aklog-kafs example.com\n\n     This, say, adds key 748104263 to the session keyring.\n\n (3) Grant permission to the container to use the key:\n\n\t# keyctl grant 748104263 cont:5 s 5\u003c/proc/self/ns/user\n\n (4) Move (or link) the key into the container keyring:\n\n\t# keyctl move 748104263 @s 197321290\n\n (5) View the resultant keyrings:\n\n\t# keyctl show\n\tSession Keyring\n\t 711486290 --alswrv      0     0  keyring: _ses\n\t 468790230 ---lswrv      0 65534   \\_ keyring: _uid.0\n\t 197321290 ----swrv      0 65534   \\_ keyring: .container\n\t 748104263 --alswrv      0     0       \\_ rxrpc: afs@example.com\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "451ac85f44738063bc25bf9225709f526453f7d8",
      "old_mode": 33188,
      "old_path": "include/linux/key.h",
      "new_id": "9b8392398976d3de03b3645e3d4a8f58dd73c1b6",
      "new_mode": 33188,
      "new_path": "include/linux/key.h"
    },
    {
      "type": "modify",
      "old_id": "64cf8ebdc4ec9434af97ea8a68ff801021378fed",
      "old_mode": 33188,
      "old_path": "include/linux/user_namespace.h",
      "new_id": "4fe9b8f470a61174a3fa92a8200001415d766fec",
      "new_mode": 33188,
      "new_path": "include/linux/user_namespace.h"
    },
    {
      "type": "modify",
      "old_id": "a5938f2c3e66cab173a35cf2a1c731ac327ba20c",
      "old_mode": 33188,
      "old_path": "include/uapi/linux/keyctl.h",
      "new_id": "2579fe75b93fc0f3d183ebf2f01cde4adea56ea9",
      "new_mode": 33188,
      "new_path": "include/uapi/linux/keyctl.h"
    },
    {
      "type": "modify",
      "old_id": "c161642a8484172a9dfb7a2fa9500da523fecfb3",
      "old_mode": 33188,
      "old_path": "security/keys/Kconfig",
      "new_id": "9fd24d23ce40a9a0a2d55c635431427869d3dfe2",
      "new_mode": 33188,
      "new_path": "security/keys/Kconfig"
    },
    {
      "type": "modify",
      "old_id": "7e2d4fe6213f86c95921947a6aa8e3bcfca8fd3e",
      "old_mode": 33188,
      "old_path": "security/keys/compat.c",
      "new_id": "1c2c081f81dc9ebeedfecf6fb4fafa1add24c05b",
      "new_mode": 33188,
      "new_path": "security/keys/compat.c"
    },
    {
      "type": "modify",
      "old_id": "7108106824c875369a08f6a72ba571797f744f8e",
      "old_mode": 33188,
      "old_path": "security/keys/internal.h",
      "new_id": "bccded41ea3afaa17c0eed3b087b2277814783a9",
      "new_mode": 33188,
      "new_path": "security/keys/internal.h"
    },
    {
      "type": "modify",
      "old_id": "371c23ff5f21d909dc4b90b36a26400e26daadb3",
      "old_mode": 33188,
      "old_path": "security/keys/key.c",
      "new_id": "f9db167a92594832f0d8a8d2a22a0f304e8122b3",
      "new_mode": 33188,
      "new_path": "security/keys/key.c"
    },
    {
      "type": "modify",
      "old_id": "a8b28e099e5da54d567010a77ed25667f21fdb56",
      "old_mode": 33188,
      "old_path": "security/keys/keyctl.c",
      "new_id": "eed70a6c317f8525579e214f7ed416daaaa1ec91",
      "new_mode": 33188,
      "new_path": "security/keys/keyctl.c"
    },
    {
      "type": "modify",
      "old_id": "8a56ddbac28f621b21baa6984fb3da7ad324e8b0",
      "old_mode": 33188,
      "old_path": "security/keys/keyring.c",
      "new_id": "bbd6b93abad01d356ef7dd86044561f97d0eba78",
      "new_mode": 33188,
      "new_path": "security/keys/keyring.c"
    },
    {
      "type": "modify",
      "old_id": "3ae4d9aedc3a880a736438d447f6c4bc04d31d8b",
      "old_mode": 33188,
      "old_path": "security/keys/permission.c",
      "new_id": "b984e1ce7e5d66dbb44dcd6a331b6458cd3e9b7e",
      "new_mode": 33188,
      "new_path": "security/keys/permission.c"
    },
    {
      "type": "modify",
      "old_id": "a6b349ee1759ba14b877ccaf540db77edb15d82c",
      "old_mode": 33188,
      "old_path": "security/keys/proc.c",
      "new_id": "ba3be0e9c97dd91e22b2ad70681d8db802b8f143",
      "new_mode": 33188,
      "new_path": "security/keys/proc.c"
    },
    {
      "type": "modify",
      "old_id": "fe1285a8452a0a94088719584b5adecfc6c90b7c",
      "old_mode": 33188,
      "old_path": "security/keys/process_keys.c",
      "new_id": "e049d4025a391bfd5a3188a3b59ad346208264ac",
      "new_mode": 33188,
      "new_path": "security/keys/process_keys.c"
    }
  ]
}
