• David Howells's avatar
    KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches · f36f8c75
    David Howells authored
    Add support for per-user_namespace registers of persistent per-UID kerberos
    caches held within the kernel.
    
    This allows the kerberos cache to be retained beyond the life of all a user's
    processes so that the user's cron jobs can work.
    
    The kerberos cache is envisioned as a keyring/key tree looking something like:
    
    	struct user_namespace
    	  \___ .krb_cache keyring		- The register
    		\___ _krb.0 keyring		- Root's Kerberos cache
    		\___ _krb.5000 keyring		- User 5000's Kerberos cache
    		\___ _krb.5001 keyring		- User 5001's Kerberos cache
    			\___ tkt785 big_key	- A ccache blob
    			\___ tkt12345 big_key	- Another ccache blob
    
    Or possibly:
    
    	struct user_namespace
    	  \___ .krb_cache keyring		- The register
    		\___ _krb.0 keyring		- Root's Kerberos cache
    		\___ _krb.5000 keyring		- User 5000's Kerberos cache
    		\___ _krb.5001 keyring		- User 5001's Kerberos cache
    			\___ tkt785 keyring	- A ccache
    				\___ krbtgt/REDHAT.COM@REDHAT.COM big_key
    				\___ http/REDHAT.COM@REDHAT.COM user
    				\___ afs/REDHAT.COM@REDHAT.COM user
    				\___ nfs/REDHAT.COM@REDHAT.COM user
    				\___ krbtgt/KERNEL.ORG@KERNEL.ORG big_key
    				\___ http/KERNEL.ORG@KERNEL.ORG big_key
    
    What goes into a particular Kerberos cache is entirely up to userspace.  Kernel
    support is limited to giving you the Kerberos cache keyring that you want.
    
    The user asks for their Kerberos cache by:
    
    	krb_cache = keyctl_get_krbcache(uid, dest_keyring);
    
    The uid is -1 or the user's own UID for the user's own cache or the uid of some
    other user's cache (requires CAP_SETUID).  This permits rpc.gssd or whatever to
    mess with the cache.
    
    The cache returned is a keyring named "_krb.<uid>" that the possessor can read,
    search, clear, invalidate, unlink from and add links to.  Active LSMs get a
    chance to rule on whether the caller is permitted to make a link.
    
    Each uid's cache keyring is created when it first accessed and is given a
    timeout that is extended each time this function is called so that the keyring
    goes away after a while.  The timeout is configurable by sysctl but defaults to
    three days.
    
    Each user_namespace struct gets a lazily-created keyring that serves as the
    register.  The cache keyrings are added to it.  This means that standard key
    search and garbage collection facilities are available.
    
    The user_namespace struct's register goes away when it does and anything left
    in it is then automatically gc'd.
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Tested-by: default avatarSimo Sorce <simo@redhat.com>
    cc: Serge E. Hallyn <serge.hallyn@ubuntu.com>
    cc: Eric W. Biederman <ebiederm@xmission.com>
    f36f8c75
Kconfig 3.48 KB