[lxc-devel] [lxc/master] utils: add lxc_setup_keyring()

brauner on Github lxc-bot at linuxcontainers.org
Fri Sep 28 11:15:57 UTC 2018


From 79229171677ff13e43bd57fed4409b5580a13133 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 28 Sep 2018 13:14:25 +0200
Subject: [PATCH] utils: add lxc_setup_keyring()

Allocate a new session keyring when we can, to prevent an information leak.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 configure.ac               |  4 +++
 src/lxc/Makefile.am        |  1 +
 src/lxc/conf.c             |  4 +++
 src/lxc/syscall_wrappers.h | 51 ++++++++++++++++++++++++++++++++++++++
 src/lxc/utils.c            | 25 +++++++++++++++++++
 src/lxc/utils.h            |  1 +
 6 files changed, 86 insertions(+)
 create mode 100644 src/lxc/syscall_wrappers.h

diff --git a/configure.ac b/configure.ac
index 8264c7c48..dfdbe6df3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -651,6 +651,10 @@ AC_CHECK_FUNCS([fgetln],
 	AM_CONDITIONAL(HAVE_FGETLN, true)
 	AC_DEFINE(HAVE_FGETLN,1,[Have fgetln]),
 	AM_CONDITIONAL(HAVE_FGETLN, false))
+AC_CHECK_FUNCS([keyctl],
+	AM_CONDITIONAL(HAVE_KEYCTL, true)
+	AC_DEFINE(HAVE_KEYCTL,1,[Have keyctl]),
+	AM_CONDITIONAL(HAVE_KEYCTL, false))
 AC_CHECK_FUNCS([prlimit],
 	AM_CONDITIONAL(HAVE_PRLIMIT, true)
 	AC_DEFINE(HAVE_PRLIMIT,1,[Have prlimit]),
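Review bot: The `AC_CHECK_FUNCS([keyctl], ...)` probe is only meaningful if the link step can see the library that provides keyctl(); keyctl() is normally exported by libkeyutils rather than libc, so unless that library is already in LIBS the check will presumably report "no" on every system and HAVE_KEYCTL will never be defined. That is functionally harmless here, because the header falls back to the raw syscall, but it makes the conditional misleading; either probe with the library (e.g. `AC_CHECK_LIB([keyutils], [keyctl], ...)`) or drop the probe and always use the syscall wrapper. Since HAVE_KEYCTL is only AC_DEFINE'd on success, the consumer in syscall_wrappers.h should test it with `#if !defined(HAVE_KEYCTL)` rather than `#if !HAVE_KEYCTL` to stay clean under -Wundef.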
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index dccb59a4c..4ad5cf482 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -37,6 +37,7 @@ noinst_HEADERS = api_extensions.h \
 		 storage/storage_utils.h \
 		 storage/zfs.h \
 		 string_utils.h \
+		 syscall_wrappers.h \
 		 terminal.h \
 		 ../tests/lxctest.h \
 		 tools/arguments.h \
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 936511701..8e98f7ee4 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3586,6 +3586,10 @@ int lxc_setup(struct lxc_handler *handler)
 		}
 	}
 
+	ret = lxc_setup_keyring();
+	if (ret < 0)
+		return -1;
+
 	ret = lxc_setup_network_in_child_namespaces(lxc_conf, &lxc_conf->network);
 	if (ret < 0) {
 		ERROR("Failed to setup network");
diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h
new file mode 100644
index 000000000..4692cea59
--- /dev/null
+++ b/src/lxc/syscall_wrappers.h
@@ -0,0 +1,51 @@
+/* liblxcapi
+ *
+ * Copyright © 2018 Christian Brauner <christian.brauner at ubuntu.com>.
+ * Copyright © 2018 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef __LXC_SYSCALL_WRAPPER_H
+#define __LXC_SYSCALL_WRAPPER_H
+
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE 1
+#endif
+#include <asm/unistd.h>
+#include <linux/keyctl.h>
+#include <stdint.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "config.h"
+
+typedef int32_t key_serial_t;
+
+#if !HAVE_KEYCTL
+static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3,
+			    unsigned long arg4, unsigned long arg5)
+{
+#ifdef __NR_keyctl
+	return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
+#else
+	errno = ENOSYS;
+	return -1;
+#endif
+}
+#define keyctl __keyctl
+#endif
+
+#endif /* __LXC_SYSCALL_WRAPPER_H */
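Review bot: The `#else` branch of __keyctl() sets `errno = ENOSYS` but the header does not include `<errno.h>`, so on a target without __NR_keyctl the file compiles only if some earlier include happens to pull errno in; add `#include <errno.h>` next to the other system headers. The wrapper name `__keyctl` starts with a double underscore, which is reserved for the implementation in C; a project-prefixed name such as `lxc_keyctl` avoids the risk of colliding with a libc-internal symbol of the same name. The guard `#if !HAVE_KEYCTL` relies on an undefined macro evaluating to 0; `#if !defined(HAVE_KEYCTL)` states the intent and is warning-free under -Wundef. Consider also including `"config.h"` first so that HAVE_KEYCTL and _GNU_SOURCE are settled before any system header is read.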
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 52b75b3f9..f7db9fa7b 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -51,6 +51,7 @@
 #include "lxclock.h"
 #include "namespace.h"
 #include "parse.h"
+#include "syscall_wrappers.h"
 #include "utils.h"
 
 #ifndef HAVE_STRLCPY
@@ -1753,3 +1754,27 @@ int recursive_destroy(char *dirname)
 
 	return r;
 }
+
+int lxc_setup_keyring(void)
+{
+	key_serial_t keyring;
+
+	/* Try to allocate a new session keyring for the container to prevent
+	 * information leaks.
+	 */
+	keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, prctl_arg(0),
+			 prctl_arg(0), prctl_arg(0), prctl_arg(0));
+	if (keyring == -1) {
+		if (errno == ENOSYS) {
+			DEBUG(
+			    "The keyctl() syscall is not supported or blocked");
+		} else if (errno == EACCES || errno == EPERM) {
+			DEBUG("Failed to access kernel keyring. Continuing...");
+		} else {
+			SYSERROR("Failed to create kernel keyring");
+			return -1;
+		}
+	}
+
+	return 0;
+}
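Review bot: When keyctl() fails with EACCES or EPERM the function logs at DEBUG and returns 0, which means the container keeps running attached to the caller's session keyring, i.e. the very information leak the commit sets out to prevent persists silently; that outcome deserves at least `WARN("Failed to create new session keyring, container will inherit the host's session keyring")` so operators can see it, and the ENOSYS branch could say the same. A short header comment on the function would make this contract explicit, e.g. `/* Join a fresh anonymous session keyring so the container cannot see the host's session keys. Failure is non-fatal: ENOSYS, EACCES and EPERM are tolerated (the inherited keyring remains visible), any other errno is reported and returns -1. */`. Note that when the syscall is blocked by a seccomp policy the reported errno presumably depends on the policy's return action, so the "not supported or blocked" wording in the ENOSYS message may not cover every blocked case. The same log-level point applies to the call site in conf.c, which returns -1 without its own message; that is consistent with the callee logging SYSERROR on the fatal path.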
diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index a26366d1c..6d10dbf5f 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -436,5 +436,6 @@ static inline pid_t lxc_raw_gettid(void)
 extern int lxc_set_death_signal(int signal);
 extern int fd_cloexec(int fd, bool cloexec);
 extern int recursive_destroy(char *dirname);
+extern int lxc_setup_keyring(void);
 
 #endif /* __LXC_UTILS_H */

