netbird/gvisor
0
0
Fork 0
mirror of https://github.com/netbirdio/gvisor.git synced 2026-05-22 17:12:49 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
gvisor/pkg/sentry/kernel/task_key.go
T
Etienne Perot 02f70b5df0 Implement a subset of keyctl(2) and keyrings(7) for better Docker support. 
The intention of this change is to cover a sufficient surface to accommodate
the use of running Docker within gVisor, rather than a full implementation.

This implements the following features:

  - Keys as a first-class concept in the kernel.
  - Tracking keys in user namespaces.
  - Task session keyrings: possession, inheritance.
  - Key permission enforcement.
  - The following `keyctl(2)` operations:
    - `KEYCTL_GET_KEYRING_ID`
    - `KEYCTL_DESCRIBE`
    - `KEYCTL_JOIN_SESSION_KEYRING`
    - `KEYCTL_SETPERM`

Notably, this does not implement:

  - The ability to actually add any keys other than the session keyring
    (which does not hold any cryptographic key data).
  - Other special keyrings (thread keyring, process keyring, user session
    keyring, etc.).
  - Lots of `keyctl(2)` operations.
  - Key expiration.
  - Key garbage collection. Keys live until their user namespace is destroyed.
    However, each user namespace is limited to 200 keys, so memory growth is
    bounded.
  - `add_key(2)`
  - `request_key(2)`

... However, this makes design choices that seem odd given the limited scope
of this change, but make sense when taking into account the desire to
eventually accommodate them in the future. For example, there are many
`switch` statements with only one option for session keyrings, which would get
more options when adding support for other special keyrings. Similarly, the
signature of `PossessedKeys` takes in all 3 special "possessed" keyrings, but
currently only ever gets the session keyring as non-nil.

PiperOrigin-RevId: 567047896
2023-09-20 12:38:39 -07:00

123 lines
4.2 KiB
Go
Raw Permalink Blame History

// Copyright 2023 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package kernel
import (
"gvisor.dev/gvisor/pkg/errors/linuxerr"
"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
)
// SessionKeyring returns this Task's session keyring.
// Session keyrings are inherited from the parent when a task is started.
// If the session keyring is unset, it is implicitly initialized.
// As such, this function should never return ENOKEY.
func (t *Task) SessionKeyring() (*auth.Key, error) {
t.mu.Lock()
defer t.mu.Unlock()
if t.sessionKeyring != nil {
// Verify that we still have access to this keyring.
creds := t.Credentials()
if !creds.HasKeyPermission(t.sessionKeyring, creds.PossessedKeys(t.sessionKeyring, nil, nil), auth.KeySearch) {
return nil, linuxerr.EACCES
}
return t.sessionKeyring, nil
}
// If we don't have a session keyring, implicitly create one.
return t.joinNewSessionKeyringLocked(auth.DefaultSessionKeyringName, auth.DefaultUnnamedSessionKeyringPermissions)
}
// joinNewSessionKeyringLocked creates a new session keyring with the given
// description, and joins it immediately.
// Preconditions: t.mu is held.
//
// +checklocks:t.mu
func (t *Task) joinNewSessionKeyringLocked(newKeyDesc string, newKeyPerms auth.KeyPermissions) (*auth.Key, error) {
var sessionKeyring *auth.Key
err := t.UserNamespace().Keys.Do(func(keySet *auth.LockedKeySet) error {
creds := t.Credentials()
var err error
sessionKeyring, err = keySet.Add(newKeyDesc, creds, newKeyPerms)
return err
})
if err != nil {
return nil, err
}
t.Debugf("Joining newly-created session keyring with ID %d, permissions %v", sessionKeyring.ID, newKeyPerms)
t.sessionKeyring = sessionKeyring
return sessionKeyring, nil
}
// JoinSessionKeyring causes the task to join a keyring with the given
// key description (not ID).
// If `keyDesc` is nil, then the task joins a newly-instantiated session
// keyring instead.
func (t *Task) JoinSessionKeyring(keyDesc *string) (*auth.Key, error) {
t.mu.Lock()
defer t.mu.Unlock()
creds := t.Credentials()
possessed := creds.PossessedKeys(t.sessionKeyring, nil, nil)
var sessionKeyring *auth.Key
newKeyPerms := auth.DefaultUnnamedSessionKeyringPermissions
newKeyDesc := auth.DefaultSessionKeyringName
if keyDesc != nil {
creds.UserNamespace.Keys.ForEach(func(k *auth.Key) bool {
if k.Description == *keyDesc && creds.HasKeyPermission(k, possessed, auth.KeySearch) {
sessionKeyring = k
return true
}
return false
})
if sessionKeyring != nil {
t.Debugf("Joining existing session keyring with ID %d", sessionKeyring.ID)
t.sessionKeyring = sessionKeyring
return sessionKeyring, nil
}
newKeyDesc = *keyDesc
newKeyPerms = auth.DefaultNamedSessionKeyringPermissions
}
return t.joinNewSessionKeyringLocked(newKeyDesc, newKeyPerms)
}
// LookupKey looks up a key by ID using this task's credentials.
func (t *Task) LookupKey(keyID auth.KeySerial) (*auth.Key, error) {
t.mu.Lock()
defer t.mu.Unlock()
creds := t.Credentials()
key, err := creds.UserNamespace.Keys.Lookup(keyID)
if err != nil {
return nil, err
}
if !creds.HasKeyPermission(key, creds.PossessedKeys(t.sessionKeyring, nil, nil), auth.KeySearch) {
return nil, linuxerr.EACCES
}
return key, nil
}
// SetPermsOnKey sets the permission bits on the given key using the task's
// credentials.
func (t *Task) SetPermsOnKey(key *auth.Key, perms auth.KeyPermissions) error {
t.mu.Lock()
defer t.mu.Unlock()
creds := t.Credentials()
possessed := creds.PossessedKeys(t.sessionKeyring, nil, nil)
return creds.UserNamespace.Keys.Do(func(keySet *auth.LockedKeySet) error {
if !creds.HasKeyPermission(key, possessed, auth.KeySetAttr) {
return linuxerr.EACCES
}
keySet.SetPerms(key, perms)
return nil
})
}
Reference in New Issue View Git Blame Copy Permalink