Back to home page

OSCL-LXR
 
 

     

0001 ===================
0002 Key Request Service
0003 ===================
0004 
0005 The key request service is part of the key retention service (refer to
0006 Documentation/security/keys/core.rst).  This document explains more fully how
0007 the requesting algorithm works.
0008 
0009 The process starts by either the kernel requesting a service by calling
0010 ``request_key*()``::
0011 
0012         struct key *request_key(const struct key_type *type,
0013                                 const char *description,
0014                                 const char *callout_info);
0015 
0016 or::
0017 
0018         struct key *request_key_tag(const struct key_type *type,
0019                                     const char *description,
0020                                     const struct key_tag *domain_tag,
0021                                     const char *callout_info);
0022 
0023 or::
0024 
0025         struct key *request_key_with_auxdata(const struct key_type *type,
0026                                              const char *description,
0027                                              const struct key_tag *domain_tag,
0028                                              const char *callout_info,
0029                                              size_t callout_len,
0030                                              void *aux);
0031 
0032 or::
0033 
0034         struct key *request_key_rcu(const struct key_type *type,
0035                                     const char *description,
0036                                     const struct key_tag *domain_tag);
0037 
0038 Or by userspace invoking the request_key system call::
0039 
0040         key_serial_t request_key(const char *type,
0041                                  const char *description,
0042                                  const char *callout_info,
0043                                  key_serial_t dest_keyring);
0044 
0045 The main difference between the access points is that the in-kernel interface
0046 does not need to link the key to a keyring to prevent it from being immediately
0047 destroyed.  The kernel interface returns a pointer directly to the key, and
0048 it's up to the caller to destroy the key.
0049 
0050 The request_key_tag() call is like the in-kernel request_key(), except that it
0051 also takes a domain tag that allows keys to be separated by namespace and
0052 killed off as a group.
0053 
0054 The request_key_with_auxdata() calls is like the request_key_tag() call, except
0055 that they permit auxiliary data to be passed to the upcaller (the default is
0056 NULL).  This is only useful for those key types that define their own upcall
0057 mechanism rather than using /sbin/request-key.
0058 
0059 The request_key_rcu() call is like the request_key_tag() call, except that it
0060 doesn't check for keys that are under construction and doesn't attempt to
0061 construct missing keys.
0062 
0063 The userspace interface links the key to a keyring associated with the process
0064 to prevent the key from going away, and returns the serial number of the key to
0065 the caller.
0066 
0067 
0068 The following example assumes that the key types involved don't define their
0069 own upcall mechanisms.  If they do, then those should be substituted for the
0070 forking and execution of /sbin/request-key.
0071 
0072 
0073 The Process
0074 ===========
0075 
0076 A request proceeds in the following manner:
0077 
0078   1) Process A calls request_key() [the userspace syscall calls the kernel
0079      interface].
0080 
0081   2) request_key() searches the process's subscribed keyrings to see if there's
0082      a suitable key there.  If there is, it returns the key.  If there isn't,
0083      and callout_info is not set, an error is returned.  Otherwise the process
0084      proceeds to the next step.
0085 
0086   3) request_key() sees that A doesn't have the desired key yet, so it creates
0087      two things:
0088 
0089       a) An uninstantiated key U of requested type and description.
0090 
0091       b) An authorisation key V that refers to key U and notes that process A
0092          is the context in which key U should be instantiated and secured, and
0093          from which associated key requests may be satisfied.
0094 
0095   4) request_key() then forks and executes /sbin/request-key with a new session
0096      keyring that contains a link to auth key V.
0097 
0098   5) /sbin/request-key assumes the authority associated with key U.
0099 
0100   6) /sbin/request-key execs an appropriate program to perform the actual
0101      instantiation.
0102 
0103   7) The program may want to access another key from A's context (say a
0104      Kerberos TGT key).  It just requests the appropriate key, and the keyring
0105      search notes that the session keyring has auth key V in its bottom level.
0106 
0107      This will permit it to then search the keyrings of process A with the
0108      UID, GID, groups and security info of process A as if it was process A,
0109      and come up with key W.
0110 
0111   8) The program then does what it must to get the data with which to
0112      instantiate key U, using key W as a reference (perhaps it contacts a
0113      Kerberos server using the TGT) and then instantiates key U.
0114 
0115   9) Upon instantiating key U, auth key V is automatically revoked so that it
0116      may not be used again.
0117 
0118   10) The program then exits 0 and request_key() deletes key V and returns key
0119       U to the caller.
0120 
0121 This also extends further.  If key W (step 7 above) didn't exist, key W would
0122 be created uninstantiated, another auth key (X) would be created (as per step
0123 3) and another copy of /sbin/request-key spawned (as per step 4); but the
0124 context specified by auth key X will still be process A, as it was in auth key
0125 V.
0126 
0127 This is because process A's keyrings can't simply be attached to
0128 /sbin/request-key at the appropriate places because (a) execve will discard two
0129 of them, and (b) it requires the same UID/GID/Groups all the way through.
0130 
0131 
0132 Negative Instantiation And Rejection
0133 ====================================
0134 
0135 Rather than instantiating a key, it is possible for the possessor of an
0136 authorisation key to negatively instantiate a key that's under construction.
0137 This is a short duration placeholder that causes any attempt at re-requesting
0138 the key while it exists to fail with error ENOKEY if negated or the specified
0139 error if rejected.
0140 
0141 This is provided to prevent excessive repeated spawning of /sbin/request-key
0142 processes for a key that will never be obtainable.
0143 
0144 Should the /sbin/request-key process exit anything other than 0 or die on a
0145 signal, the key under construction will be automatically negatively
0146 instantiated for a short amount of time.
0147 
0148 
0149 The Search Algorithm
0150 ====================
0151 
0152 A search of any particular keyring proceeds in the following fashion:
0153 
0154   1) When the key management code searches for a key (keyring_search_rcu) it
0155      firstly calls key_permission(SEARCH) on the keyring it's starting with,
0156      if this denies permission, it doesn't search further.
0157 
0158   2) It considers all the non-keyring keys within that keyring and, if any key
0159      matches the criteria specified, calls key_permission(SEARCH) on it to see
0160      if the key is allowed to be found.  If it is, that key is returned; if
0161      not, the search continues, and the error code is retained if of higher
0162      priority than the one currently set.
0163 
0164   3) It then considers all the keyring-type keys in the keyring it's currently
0165      searching.  It calls key_permission(SEARCH) on each keyring, and if this
0166      grants permission, it recurses, executing steps (2) and (3) on that
0167      keyring.
0168 
0169 The process stops immediately a valid key is found with permission granted to
0170 use it.  Any error from a previous match attempt is discarded and the key is
0171 returned.
0172 
0173 When request_key() is invoked, if CONFIG_KEYS_REQUEST_CACHE=y, a per-task
0174 one-key cache is first checked for a match.
0175 
0176 When search_process_keyrings() is invoked, it performs the following searches
0177 until one succeeds:
0178 
0179   1) If extant, the process's thread keyring is searched.
0180 
0181   2) If extant, the process's process keyring is searched.
0182 
0183   3) The process's session keyring is searched.
0184 
0185   4) If the process has assumed the authority associated with a request_key()
0186      authorisation key then:
0187 
0188       a) If extant, the calling process's thread keyring is searched.
0189 
0190       b) If extant, the calling process's process keyring is searched.
0191 
0192       c) The calling process's session keyring is searched.
0193 
0194 The moment one succeeds, all pending errors are discarded and the found key is
0195 returned.  If CONFIG_KEYS_REQUEST_CACHE=y, then that key is placed in the
0196 per-task cache, displacing the previous key.  The cache is cleared on exit or
0197 just prior to resumption of userspace.
0198 
0199 Only if all these fail does the whole thing fail with the highest priority
0200 error.  Note that several errors may have come from LSM.
0201 
0202 The error priority is::
0203 
0204         EKEYREVOKED > EKEYEXPIRED > ENOKEY
0205 
0206 EACCES/EPERM are only returned on a direct search of a specific keyring where
0207 the basal keyring does not grant Search permission.
Source navigation ] Diff markup ] Identifier search ] general search ]

This page was automatically generated by the 2.1.0 LXR engine.

The LXR team
Valid CSS 2.1! Valid HTML 4.01!