Thread (13 messages) 13 messages, 4 authors, 2024-09-16

Re: Can KEYCTL_SESSION_TO_PARENT be dropped entirely? -- was Re: [PATCH v2 1/2] KEYS: use synchronous task work for changing parent credentials

From: Jann Horn <jannh@google.com>
Date: 2024-08-15 20:00:35
Also in: keyrings, lkml, selinux 

On Thu, Aug 15, 2024 at 9:46 PM David Howells [off-list ref] wrote:
Jann Horn [off-list ref] wrote:
quoted
Rewrite keyctl_session_to_parent() to run task work on the parent
synchronously, so that any errors that happen in the task work can be
plumbed back into the syscall return value in the child.
The main thing I worry about is if there's a way to deadlock the child and the
parent against each other.  vfork() for example.
Yes - I think it would work fine for scenarios like using
KEYCTL_SESSION_TO_PARENT from a helper binary against the shell that
launched the helper (which I think is the intended usecase?), but
there could theoretically be constellations where it would cause an
(interruptible) hang if the parent is stuck in
uninterruptible/killable sleep.

I think vfork() is rather special in that it does a killable wait for
the child to exit or execute; and based on my understanding of the
intended usecase of KEYCTL_SESSION_TO_PARENT, I think normally
KEYCTL_SESSION_TO_PARENT would only be used by a child that has gone
through execve?
quoted
+     if (task_work_cancel(parent, &ctx.work)) {
+             /*
+              * We got interrupted and the task work was canceled before it
+              * could execute.
+              * Use -ERESTARTNOINTR instead of -ERESTARTSYS for
+              * compatibility - the manpage does not list -EINTR as a
+              * possible error for keyctl().
+              */
I think returning EINTR is fine, provided that if we return EINTR, the change
didn't happen.  KEYCTL_SESSION_TO_PARENT is only used by the aklog, dlog and
klog* OpenAFS programs AFAIK, and only if "-setpag" is set as a command line
option.  It also won't be effective if you strace the program.
Ah, I didn't even know about those.

The users I knew of are the command-line tools "keyctl new_session"
and "e4crypt new_session" (see
https://codesearch.debian.net/search?q=KEYCTL_SESSION_TO_PARENT&literal=1,
which indexes code that's part of Debian).

Maybe the AFS people can say whether it's even worth keeping the functionality
rather than just dropping KEYCTL_SESSION_TO_PARENT?
I think this would break the tools "keyctl new_session" and "e4crypt
new_session" - though I don't know if anyone actually uses those
invocations.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help