[Keyrings] [PATCH] Keys: Permit running process to instantiate
keys
David Howells
dhowells at redhat.com
Tue Nov 22 13:52:46 EST 2005
Trond Myklebust <trond.myklebust at fys.uio.no> wrote:
> > Can you look at the mechanism for requesting keys without invoking
> > /sbin/request-key and let me know if it suits your needs?
>
> Hmm... The main problem appears to be the question of how to link the
> authorisation key into one of the gssd daemon's keyrings.
>
> I think that can be done when gssd calls ->read() on the RPC pipe in
> order to get the upcall message: at the end of the read call, we simply
> link the authorisation key into the current session keyring.
>
> Does that sound plausible to you?
Yes.
Rather than looking specifically at the session keyring, it might be worth
looking at current->jit_keyring and choosing the keyring based on that (set by
KEYCTL_SET_REQKEY_KEYRING).
The keyring serial number could then be returned through the ->read() call.
Whilst key_link() is exported, it might be wise to have an alternate function
that invokes LSM, thus allowing that to deny a process access.
Should I also export call_sbin_request_key() so that you can fall back to that
if the RPC mechanism hasn't been set up at the time of requesting?
David
More information about the Keyrings
mailing list