)]}'
{
  "log": [
    {
      "commit": "fd75815f727f157a05f4c96b5294a4617c0557da",
      "tree": "b2e76abf176d37b5d810b0c813b8c0219754b88c",
      "parents": [
        "31d5a79d7f3d436da176a78ebc12d53c06da402e"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri May 11 10:56:56 2012 +0100"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri May 11 10:56:56 2012 +0100"
      },
      "message": "KEYS: Add invalidation support\n\nAdd support for invalidating a key - which renders it immediately invisible to\nfurther searches and causes the garbage collector to immediately wake up,\nremove it from keyrings and then destroy it when it\u0027s no longer referenced.\n\nIt\u0027s better not to do this with keyctl_revoke() as that marks the key to start\nreturning -EKEYREVOKED to searches when what is actually desired is to have the\nkey refetched.\n\nTo invalidate a key the caller must be granted SEARCH permission by the key.\nThis may be too strict.  It may be better to also permit invalidation if the\ncaller has any of READ, WRITE or SETATTR permission.\n\nThe primary use for this is to evict keys that are cached in special keyrings,\nsuch as the DNS resolver or an ID mapper.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n"
    },
    {
      "commit": "233e4735f2a45d9e641c2488b8d7afeb1f377dac",
      "tree": "d273536aaea91cf4817dd305450f327ebb37059f",
      "parents": [
        "65d87fe68abf2fc226a9e96be61160f65d6b4680"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri May 11 10:56:56 2012 +0100"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri May 11 10:56:56 2012 +0100"
      },
      "message": "KEYS: Permit in-place link replacement in keyring list\n\nMake use of the previous patch that makes the garbage collector perform RCU\nsynchronisation before destroying defunct keys.  Key pointers can now be\nreplaced in-place without creating a new keyring payload and replacing the\nwhole thing as the discarded keys will not be destroyed until all currently\nheld RCU read locks are released.\n\nIf the keyring payload space needs to be expanded or contracted, then a\nreplacement will still need allocating, and the original will still have to be\nfreed by RCU.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n"
    },
    {
      "commit": "65d87fe68abf2fc226a9e96be61160f65d6b4680",
      "tree": "23881b6daf54c7522178363f0ae32ddb6c836784",
      "parents": [
        "1eb1bcf5bfad001128293b86d891c9d6f2f27333"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri May 11 10:56:56 2012 +0100"
      },
      "committer": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Fri May 11 10:56:56 2012 +0100"
      },
      "message": "KEYS: Perform RCU synchronisation on keys prior to key destruction\n\nMake the keys garbage collector invoke synchronize_rcu() prior to destroying\nkeys with a zero usage count.  This means that a key can be examined under the\nRCU read lock in the safe knowledge that it won\u0027t get deallocated until after\nthe lock is released - even if its usage count becomes zero whilst we\u0027re\nlooking at it.\n\nThis is useful in keyring search vs key link.  Consider a keyring containing a\nlink to a key.  That link can be replaced in-place in the keyring without\nrequiring an RCU copy-and-replace on the keyring contents without breaking a\nsearch underway on that keyring when the displaced key is released, provided\nthe key is actually destroyed only after the RCU read lock held by the search\nalgorithm is released.\n\nThis permits __key_link() to replace a key without having to reallocate the key\npayload.  A key gets replaced if a new key being linked into a keyring has the\nsame type and description.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Jeff Layton \u003cjlayton@redhat.com\u003e\n"
    },
    {
      "commit": "efde8b6e16f11e7d1681c68d86c7fd51053cada7",
      "tree": "4fb5e80428c4f36c5da35ff3319cd71c1771451c",
      "parents": [
        "25add8cf99c9ec8b8dc0acd8b9241e963fc0d29c"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue Jan 17 20:39:40 2012 +0000"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Jan 18 10:41:27 2012 +1100"
      },
      "message": "KEYS: Add missing smp_rmb() primitives to the keyring search code\n\nAdd missing smp_rmb() primitives to the keyring search code.\n\nWhen keyring payloads are appended to without replacement (thus using up spare\nslots in the key pointer array), an smp_wmb() is issued between the pointer\nassignment and the increment of the key count (nkeys).\n\nThere should be corresponding read barriers between the read of nkeys and\ndereferences of keys[n] when n is dependent on the value of nkeys.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nReviewed-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "0c061b5707ab84ebfe8f18f1c9c3110ae5cd6073",
      "tree": "cb6e83458126f3cc9ef9f5504937c8445f790b0f",
      "parents": [
        "d199798bdf969873f78d48140600ff0a98a87e69"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Aug 22 14:09:36 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 23 09:57:37 2011 +1000"
      },
      "message": "KEYS: Correctly destroy key payloads when their keytype is removed\n\nunregister_key_type() has code to mark a key as dead and make it unavailable in\none loop and then destroy all those unavailable key payloads in the next loop.\nHowever, the loop to mark keys dead renders the key undetectable to the second\nloop by changing the key type pointer also.\n\nFix this by the following means:\n\n (1) The key code has two garbage collectors: one deletes unreferenced keys and\n     the other alters keyrings to delete links to old dead, revoked and expired\n     keys.  They can end up holding each other up as both want to scan the key\n     serial tree under spinlock.  Combine these into a single routine.\n\n (2) Move the dead key marking, dead link removal and dead key removal into the\n     garbage collector as a three phase process running over the three cycles\n     of the normal garbage collection procedure.  This is tracked by the\n     KEY_GC_REAPING_DEAD_1, _2 and _3 state flags.\n\n     unregister_key_type() then just unlinks the key type from the list, wakes\n     up the garbage collector and waits for the third phase to complete.\n\n (3) Downgrade the key types sem in unregister_key_type() once it has deleted\n     the key type from the list so that it doesn\u0027t block the keyctl() syscall.\n\n (4) Dead keys that cannot be simply removed in the third phase have their\n     payloads destroyed with the key\u0027s semaphore write-locked to prevent\n     interference by the keyctl() syscall.  There should be no in-kernel users\n     of dead keys of that type by the point of unregistration, though keyctl()\n     may be holding a reference.\n\n (5) Only perform timer recalculation in the GC if the timer actually expired.\n     If it didn\u0027t, we\u0027ll get another cycle when it goes off - and if the key\n     that actually triggered it has been removed, it\u0027s not a problem.\n\n (6) Only garbage collect link if the timer expired or if we\u0027re doing dead key\n     clean up phase 2.\n\n (7) As only key_garbage_collector() is permitted to use rb_erase() on the key\n     serial tree, it doesn\u0027t need to revalidate its cursor after dropping the\n     spinlock as the node the cursor points to must still exist in the tree.\n\n (8) Drop the spinlock in the GC if there is contention on it or if we need to\n     reschedule.  After dealing with that, get the spinlock again and resume\n     scanning.\n\nThis has been tested in the following ways:\n\n (1) Run the keyutils testsuite against it.\n\n (2) Using the AF_RXRPC and RxKAD modules to test keytype removal:\n\n     Load the rxrpc_s key type:\n\n\t# insmod /tmp/af-rxrpc.ko\n\t# insmod /tmp/rxkad.ko\n\n     Create a key (http://people.redhat.com/~dhowells/rxrpc/listen.c):\n\n\t# /tmp/listen \u0026\n\t[1] 8173\n\n     Find the key:\n\n\t# grep rxrpc_s /proc/keys\n\t091086e1 I--Q--     1 perm 39390000     0     0 rxrpc_s   52:2\n\n     Link it to a session keyring, preferably one with a higher serial number:\n\n\t# keyctl link 0x20e36251 @s\n\n     Kill the process (the key should remain as it\u0027s linked to another place):\n\n\t# fg\n\t/tmp/listen\n\t^C\n\n     Remove the key type:\n\n\trmmod rxkad\n\trmmod af-rxrpc\n\n     This can be made a more effective test by altering the following part of\n     the patch:\n\n\tif (unlikely(gc_state \u0026 KEY_GC_REAPING_DEAD_2)) {\n\t\t/* Make sure everyone revalidates their keys if we marked a\n\t\t * bunch as being dead and make sure all keyring ex-payloads\n\t\t * are destroyed.\n\t\t */\n\t\tkdebug(\"dead sync\");\n\t\tsynchronize_rcu();\n\n     To call synchronize_rcu() in GC phase 1 instead.  That causes the\n     keyring\u0027s old payload content to hang around longer until it\u0027s RCU\n     destroyed - which usually happens after GC phase 3 is complete.  This\n     allows the destroy_dead_key branch to be tested.\n\nReported-by: Benjamin Coddington \u003cbcodding@gmail.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "d199798bdf969873f78d48140600ff0a98a87e69",
      "tree": "fb0fbfe0eda27054eae9c9efe0240ace297c3661",
      "parents": [
        "b072e9bc2fe9aeff4e104e80e479160349f474a9"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Aug 22 14:09:28 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 23 09:57:36 2011 +1000"
      },
      "message": "KEYS: The dead key link reaper should be non-reentrant\n\nThe dead key link reaper should be non-reentrant as it relies on global state\nto keep track of where it\u0027s got to when it returns to the work queue manager to\ngive it some air.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8bc16deabce7649e480e94b648c88d4e90c34352",
      "tree": "d9e28a921375e7448801b0b89ff43a7e0d2e61ff",
      "parents": [
        "012146d0728f85f7a5c7c36fb84bba33e2760507"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Aug 22 14:09:11 2011 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Aug 23 09:57:36 2011 +1000"
      },
      "message": "KEYS: Move the unreferenced key reaper to the keys garbage collector file\n\nMove the unreferenced key reaper function to the keys garbage collector file\nas that\u0027s a more appropriate place with the dead key link reaper.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "973c9f4f49ca96a53bcf6384c4c59ccd26c33906",
      "tree": "e3535a43c1e5cb5f0c06c040f58bc25c9b869fd1",
      "parents": [
        "a8b17ed019bd40d3bfa20439d9c36a99f9be9180"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Thu Jan 20 16:38:33 2011 +0000"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Fri Jan 21 14:59:30 2011 -0800"
      },
      "message": "KEYS: Fix up comments in key management code\n\nFix up comments in the key management code.  No functional changes.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "cf8304e8f380903de3a15dc6ebd551c9e6cf1a21",
      "tree": "fe94f3ebb044b5026b1062631b2d89e77c8b674e",
      "parents": [
        "d9a9b4aeea334e7912ce3d878d7f5cc6fdf1ffe4"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Tue May 04 14:16:10 2010 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed May 05 11:39:23 2010 +1000"
      },
      "message": "KEYS: Fix RCU handling in key_gc_keyring()\n\nkey_gc_keyring() needs to either hold the RCU read lock or hold the keyring\nsemaphore if it\u0027s going to scan the keyring\u0027s list.  Given that it only needs\nto read the key list, and it\u0027s doing so under a spinlock, the RCU read lock is\nthe thing to use.\n\nFurthermore, the RCU check added in e7b0a61b7929632d36cf052d9e2820ef0a9c1bfe is\nincorrect as holding the spinlock on key_serial_lock is not grounds for\nassuming a keyring\u0027s pointer list can be read safely.  Instead, a simple\nrcu_dereference() inside of the previously mentioned RCU read lock is what we\nwant.\n\nReported-by: Serge E. Hallyn \u003cserue@us.ibm.com\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nAcked-by: Serge Hallyn \u003cserue@us.ibm.com\u003e\nAcked-by: \"Paul E. McKenney\" \u003cpaulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "e7b0a61b7929632d36cf052d9e2820ef0a9c1bfe",
      "tree": "69dbe6f03abc5a9ef0dea3a2c28921cebcc59a08",
      "parents": [
        "96be753af91fc9d582450a84722f6a6721d218ad"
      ],
      "author": {
        "name": "Paul E. McKenney",
        "email": "paulmck@linux.vnet.ibm.com",
        "time": "Mon Feb 22 17:04:56 2010 -0800"
      },
      "committer": {
        "name": "Ingo Molnar",
        "email": "mingo@elte.hu",
        "time": "Thu Feb 25 10:34:52 2010 +0100"
      },
      "message": "security: Apply lockdep-based checking to rcu_dereference() uses\n\nApply lockdep-ified RCU primitives to key_gc_keyring() and\nkeyring_destroy().\n\nCc: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: Paul E. McKenney \u003cpaulmck@linux.vnet.ibm.com\u003e\nCc: laijs@cn.fujitsu.com\nCc: dipankar@in.ibm.com\nCc: mathieu.desnoyers@polymtl.ca\nCc: josh@joshtriplett.org\nCc: dvhltc@us.ibm.com\nCc: niv@us.ibm.com\nCc: peterz@infradead.org\nCc: rostedt@goodmis.org\nCc: Valdis.Kletnieks@vt.edu\nCc: dhowells@redhat.com\nLKML-Reference: \u003c1266887105-1528-12-git-send-email-paulmck@linux.vnet.ibm.com\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\n"
    },
    {
      "commit": "606531c316d30e9639473a6da09ee917125ab467",
      "tree": "b83f3d8d82597401bdee6a451facaa5c2de006d1",
      "parents": [
        "0afd9056f1b43c9fcbfdf933b263d72023d382fe"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Sep 16 15:54:14 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Sep 23 11:03:47 2009 -0700"
      },
      "message": "KEYS: Have the garbage collector set its timer for live expired keys\n\nThe key garbage collector sets a timer to start a new collection cycle at the\npoint the earliest key to expire should be considered garbage.  However, it\ncurrently only does this if the key it is considering hasn\u0027t yet expired.\n\nIf the key being considered has expired, but hasn\u0027t yet reached the collection\ntime then it is ignored, and won\u0027t be collected until some other key provokes a\nround of collection.\n\nMake the garbage collector set the timer for the earliest key that hasn\u0027t yet\npassed its collection time, rather than the earliest key that hasn\u0027t yet\nexpired.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c08ef808ef24df32e25fbd949fe5310172f3c408",
      "tree": "12bae6fd48e1cdcc1b792c221376c727d9472cc6",
      "parents": [
        "5c84342a3e147a23752276650340801c237d0e56"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Mon Sep 14 17:26:13 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Tue Sep 15 09:11:02 2009 +1000"
      },
      "message": "KEYS: Fix garbage collector\n\nFix a number of problems with the new key garbage collector:\n\n (1) A rogue semicolon in keyring_gc() was causing the initial count of dead\n     keys to be miscalculated.\n\n (2) A missing return in keyring_gc() meant that under certain circumstances,\n     the keyring semaphore would be unlocked twice.\n\n (3) The key serial tree iterator (key_garbage_collector()) part of the garbage\n     collector has been modified to:\n\n     (a) Complete each scan of the keyrings before setting the new timer.\n\n     (b) Only set the new timer for keys that have yet to expire.  This means\n         that the new timer is now calculated correctly, and the gc doesn\u0027t\n         get into a loop continually scanning for keys that have expired, and\n         preventing other things from happening, like RCU cleaning up the old\n         keyring contents.\n\n     (c) Perform an extra scan if any keys were garbage collected in this one\n     \t as a key might become garbage during a scan, and (b) could mean we\n     \t don\u0027t set the timer again.\n\n (4) Made key_schedule_gc() take the time at which to do a collection run,\n     rather than the time at which the key expires.  This means the collection\n     of dead keys (key type unregistered) can happen immediately.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "ee18d64c1f632043a02e6f5ba5e045bb26a5465f",
      "tree": "80b5a4d530ec7d5fd69799920f0db7b78aba6b9d",
      "parents": [
        "d0420c83f39f79afb82010c2d2cafd150eef651b"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Sep 02 09:14:21 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Sep 02 21:29:22 2009 +1000"
      },
      "message": "KEYS: Add a keyctl to install a process\u0027s session keyring on its parent [try #6]\n\nAdd a keyctl to install a process\u0027s session keyring onto its parent.  This\nreplaces the parent\u0027s session keyring.  Because the COW credential code does\nnot permit one process to change another process\u0027s credentials directly, the\nchange is deferred until userspace next starts executing again.  Normally this\nwill be after a wait*() syscall.\n\nTo support this, three new security hooks have been provided:\ncred_alloc_blank() to allocate unset security creds, cred_transfer() to fill in\nthe blank security creds and key_session_to_parent() - which asks the LSM if\nthe process may replace its parent\u0027s session keyring.\n\nThe replacement may only happen if the process has the same ownership details\nas its parent, and the process has LINK permission on the session keyring, and\nthe session keyring is owned by the process, and the LSM permits it.\n\nNote that this requires alteration to each architecture\u0027s notify_resume path.\nThis has been done for all arches barring blackfin, m68k* and xtensa, all of\nwhich need assembly alteration to support TIF_NOTIFY_RESUME.  This allows the\nreplacement to be performed at the point the parent process resumes userspace\nexecution.\n\nThis allows the userspace AFS pioctl emulation to fully emulate newpag() and\nthe VIOCSETTOK and VIOCSETTOK2 pioctls, all of which require the ability to\nalter the parent process\u0027s PAG membership.  However, since kAFS doesn\u0027t use\nPAGs per se, but rather dumps the keys into the session keyring, the session\nkeyring of the parent must be replaced if, for example, VIOCSETTOK is passed\nthe newpag flag.\n\nThis can be tested with the following program:\n\n\t#include \u003cstdio.h\u003e\n\t#include \u003cstdlib.h\u003e\n\t#include \u003ckeyutils.h\u003e\n\n\t#define KEYCTL_SESSION_TO_PARENT\t18\n\n\t#define OSERROR(X, S) do { if ((long)(X) \u003d\u003d -1) { perror(S); exit(1); } } while(0)\n\n\tint main(int argc, char **argv)\n\t{\n\t\tkey_serial_t keyring, key;\n\t\tlong ret;\n\n\t\tkeyring \u003d keyctl_join_session_keyring(argv[1]);\n\t\tOSERROR(keyring, \"keyctl_join_session_keyring\");\n\n\t\tkey \u003d add_key(\"user\", \"a\", \"b\", 1, keyring);\n\t\tOSERROR(key, \"add_key\");\n\n\t\tret \u003d keyctl(KEYCTL_SESSION_TO_PARENT);\n\t\tOSERROR(ret, \"KEYCTL_SESSION_TO_PARENT\");\n\n\t\treturn 0;\n\t}\n\nCompiled and linked with -lkeyutils, you should see something like:\n\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t       -3 --alswrv   4043  4043  keyring: _ses\n\t355907932 --alswrv   4043    -1   \\_ keyring: _uid.4043\n\t[dhowells@andromeda ~]$ /tmp/newpag\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t       -3 --alswrv   4043  4043  keyring: _ses\n\t1055658746 --alswrv   4043  4043   \\_ user: a\n\t[dhowells@andromeda ~]$ /tmp/newpag hello\n\t[dhowells@andromeda ~]$ keyctl show\n\tSession Keyring\n\t       -3 --alswrv   4043  4043  keyring: hello\n\t340417692 --alswrv   4043  4043   \\_ user: a\n\nWhere the test program creates a new session keyring, sticks a user key named\n\u0027a\u0027 into it and then installs it on its parent.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "5d135440faf7db8d566de0c6fab36b16cf9cfc3b",
      "tree": "d9c022e73ed51dfe5729fde9a97150cb64b68196",
      "parents": [
        "f041ae2f99d49adc914153a34a2d0e14e4389d90"
      ],
      "author": {
        "name": "David Howells",
        "email": "dhowells@redhat.com",
        "time": "Wed Sep 02 09:14:00 2009 +0100"
      },
      "committer": {
        "name": "James Morris",
        "email": "jmorris@namei.org",
        "time": "Wed Sep 02 21:29:11 2009 +1000"
      },
      "message": "KEYS: Add garbage collection for dead, revoked and expired keys. [try #6]\n\nAdd garbage collection for dead, revoked and expired keys.  This involved\nerasing all links to such keys from keyrings that point to them.  At that\npoint, the key will be deleted in the normal manner.\n\nKeyrings from which garbage collection occurs are shrunk and their quota\nconsumption reduced as appropriate.\n\nDead keys (for which the key type has been removed) will be garbage collected\nimmediately.\n\nRevoked and expired keys will hang around for a number of seconds, as set in\n/proc/sys/kernel/keys/gc_delay before being automatically removed.  The default\nis 5 minutes.\n\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    }
  ]
}
