From: Christian Brauner Date: Fri, 28 Sep 2018 11:14:25 +0000 (+0200) Subject: utils: add lxc_setup_keyring() X-Git-Tag: lxc-3.1.0~76^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b25291da1466a6cf890cc8a428400776fa8628e9;p=thirdparty%2Flxc.git utils: add lxc_setup_keyring() Allocate a new keyring if we can to prevent information leak. Signed-off-by: Christian Brauner --- diff --git a/configure.ac b/configure.ac index 43c2b199f..5c77c3e2c 100644 --- a/configure.ac +++ b/configure.ac @@ -651,6 +651,10 @@ AC_CHECK_FUNCS([fgetln], AM_CONDITIONAL(HAVE_FGETLN, true) AC_DEFINE(HAVE_FGETLN,1,[Have fgetln]), AM_CONDITIONAL(HAVE_FGETLN, false)) +AC_CHECK_FUNCS([keyctl], + AM_CONDITIONAL(HAVE_KEYCTL, true) + AC_DEFINE(HAVE_KEYCTL,1,[Have keyctl]), + AM_CONDITIONAL(HAVE_KEYCTL, false)) AC_CHECK_FUNCS([prlimit], AM_CONDITIONAL(HAVE_PRLIMIT, true) AC_DEFINE(HAVE_PRLIMIT,1,[Have prlimit]), diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index dccb59a4c..b48c7d7c9 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -37,6 +37,7 @@ noinst_HEADERS = api_extensions.h \ storage/storage_utils.h \ storage/zfs.h \ string_utils.h \ + syscall_wrappers.h \ terminal.h \ ../tests/lxctest.h \ tools/arguments.h \ @@ -132,6 +133,7 @@ liblxc_la_SOURCES = af_unix.c af_unix.h \ storage/zfs.c storage/zfs.h \ string_utils.c string_utils.h \ sync.c sync.h \ + syscall_wrappers.h \ terminal.c \ utils.c utils.h \ version.h \ diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 936511701..8e98f7ee4 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -3586,6 +3586,10 @@ int lxc_setup(struct lxc_handler *handler) } } + ret = lxc_setup_keyring(); + if (ret < 0) + return -1; + ret = lxc_setup_network_in_child_namespaces(lxc_conf, &lxc_conf->network); if (ret < 0) { ERROR("Failed to setup network"); diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h new file mode 100644 index 000000000..4692cea59 --- /dev/null +++ b/src/lxc/syscall_wrappers.h @@ -0,0 +1,51 @@ +/* liblxcapi + * + * Copyright © 2018 Christian Brauner . + * Copyright © 2018 Canonical Ltd. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, as + * published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef __LXC_SYSCALL_WRAPPER_H +#define __LXC_SYSCALL_WRAPPER_H + +#ifndef _GNU_SOURCE +#define _GNU_SOURCE 1 +#endif +#include +#include +#include +#include +#include +#include + +#include "config.h" + +typedef int32_t key_serial_t; + +#if !HAVE_KEYCTL +static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3, + unsigned long arg4, unsigned long arg5) +{ +#ifdef __NR_keyctl + return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5); +#else + errno = ENOSYS; + return -1; +#endif +} +#define keyctl __keyctl +#endif + +#endif /* __LXC_SYSCALL_WRAPPER_H */ diff --git a/src/lxc/utils.c b/src/lxc/utils.c index 52b75b3f9..8f79ca9ab 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -51,6 +51,7 @@ #include "lxclock.h" #include "namespace.h" #include "parse.h" +#include "syscall_wrappers.h" #include "utils.h" #ifndef HAVE_STRLCPY @@ -1753,3 +1754,33 @@ int recursive_destroy(char *dirname) return r; } + +int lxc_setup_keyring(void) +{ + key_serial_t keyring; + int ret = 0; + + /* Try to allocate a new session keyring for the container to prevent + * information leaks. + */ + keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, prctl_arg(0), + prctl_arg(0), prctl_arg(0), prctl_arg(0)); + if (keyring < 0) { + switch (errno) { + case ENOSYS: + DEBUG("The keyctl() syscall is not supported or blocked"); + break; + case EACCES: + __fallthrough; + case EPERM: + DEBUG("Failed to access kernel keyring. Continuing..."); + break; + default: + SYSERROR("Failed to create kernel keyring"); + ret = -1; + break; + } + } + + return ret; +} diff --git a/src/lxc/utils.h b/src/lxc/utils.h index a26366d1c..6d10dbf5f 100644 --- a/src/lxc/utils.h +++ b/src/lxc/utils.h @@ -436,5 +436,6 @@ static inline pid_t lxc_raw_gettid(void) extern int lxc_set_death_signal(int signal); extern int fd_cloexec(int fd, bool cloexec); extern int recursive_destroy(char *dirname); +extern int lxc_setup_keyring(void); #endif /* __LXC_UTILS_H */