summaryrefslogtreecommitdiffstats
path: root/kernel/user_namespace.c
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2019-06-26 21:02:32 +0100
committerDavid Howells <dhowells@redhat.com>2019-06-26 21:02:32 +0100
commit0f44e4d976f96c6439da0d6717238efa4b91196e (patch)
tree3cec4bc4ef3faa4e61058e3aff066a7bec1c9d37 /kernel/user_namespace.c
parentb206f281d0ee14969878469816a69db22d5838e8 (diff)
downloadlinux-0f44e4d976f96c6439da0d6717238efa4b91196e.tar.gz
linux-0f44e4d976f96c6439da0d6717238efa4b91196e.tar.bz2
linux-0f44e4d976f96c6439da0d6717238efa4b91196e.zip
keys: Move the user and user-session keyrings to the user_namespace
Move the user and user-session keyrings to the user_namespace struct rather than pinning them from the user_struct struct. This prevents these keyrings from propagating across user-namespaces boundaries with regard to the KEY_SPEC_* flags, thereby making them more useful in a containerised environment. The issue is that a single user_struct may be represent UIDs in several different namespaces. The way the patch does this is by attaching a 'register keyring' in each user_namespace and then sticking the user and user-session keyrings into that. It can then be searched to retrieve them. Signed-off-by: David Howells <dhowells@redhat.com> cc: Jann Horn <jannh@google.com>
Diffstat (limited to 'kernel/user_namespace.c')
-rw-r--r--kernel/user_namespace.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index bda6e890ad88..c87c2ecc7085 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -135,9 +135,7 @@ int create_user_ns(struct cred *new)
#ifdef CONFIG_KEYS
INIT_LIST_HEAD(&ns->keyring_name_list);
-#endif
-#ifdef CONFIG_PERSISTENT_KEYRINGS
- init_rwsem(&ns->persistent_keyring_register_sem);
+ init_rwsem(&ns->keyring_sem);
#endif
ret = -ENOMEM;
if (!setup_userns_sysctls(ns))