Keyrings, user namespaces and the user_struct
David Howells
dhowells at redhat.com
Wed Oct 26 18:35:25 UTC 2016
Eric W. Biederman <ebiederm at xmission.com> wrote:
> > Jann Horn <jann at thejh.net> wrote:
> >
> >> find_keyring_by_name() checks that the UID of the keyring's owner is
> >> mapped into the current user namespace. But that doesn't catch the
> >> scenario I described: The keyring is created in an attacker-created
> >> namespace and looked up from the init namespace, into which all kuids are
> >> mapped.
> >
> > Ah - gotcha.
>
> Unless I am misreading something it actually gets worse. You don't even
> need a user namespace. You can just call keyctl_join_session_keyring
> and the named keyring of your choice will be created.
It's meant to do that - assuming a keyring of that name doesn't yet exist or
isn't accessible by you.
I should perhaps prohibit the creation of a _uid.N keyring. However, I think
that conceptually, it should be possible to join the user-session keyring as
your session - or I should make it so that the user-session keyring doesn't
exist (but I'm pretty certain that will break userspace).
> Plus there are various really weird things in their where the keyring
> names of _tid, _pid, _ses, get reused over and over again.
True, however per-thread (_tid) and per-process(_pid) keyrings are always
allocated by key_alloc() and never looked up by name when being created.
Anonymous session (_ses) keyrings are also created by key_alloc() and not
looked up when created. It's only when a named session keyring is requested
that a look up by name is done.
I could make the per-thread, per-process and anon-session keyrings nameless by
default, or prefix them with '.' and not permit joining of a keyring whose
name begins with a '.' (you aren't allowed to use add_key() to create a such
keyrings, so that really ought to be extended to here too).
> So it looks like there are some significant things to fix.
So:
(1) Make the keyring name list per user_namespace.
(2) Don't let _uid.N, _tid, _pid and _ses (anonymous session) keyrings be
joined.
(3) Don't let keyrings whose name begins '.' be joined.
(4) Don't keep the user and user-session keyrings in the user_struct, but
rather make them subordinates of the user namespace.
for starters.
David
More information about the Containers
mailing list