On Sunday, July 16, 2006 12:23:23 PM -0400 chas williams <[EMAIL PROTECTED]> wrote:

> below is a sample implementation of keyring/pag support for linux kernels.
> i had access to some previous code (thanks derrick) but some of the
> kernel interfaces used in keyring have changed since that code compiled.
> this led me down a slightly different path.
>
> it seems like a bad idea to duplicate some of the work the kernel
> already does (like installing a new session keyring), but we can't get
> access to these routines from a kernel module.  so, the only part that
> is done in the kernel is searching the keyring for an appropriate key.
> this key holds the pag and gets inserted from userspace during setpag().
> PagInCred only looks for this key when the current process doesn't have
> a pag, and reinserts the necessary groups.  this isn't strictly necessary
> but it changes the current behavior the least.
>
> pagsh uses the keyctl() to create a new anonymous session keyring before
> spawning the shell.  it's not clear if this should be done in setpag().
> it would at least need to be done in whatever login you use (login.krb5
> in my case).
>
> the drawback to this is that you need the keyutils library (and any
> program using setpag() will need to link with the keyutils as well).

This is fine as a proof-of-concept, but for something real the existing setpag() and pioctl() system calls need to continue to work. There are things that use these interfaces other than our own library, and IMHO it is not at all reasonable to break those, or require them to know about a bunch of Linux-specific interfaces (the /proc thing is bad enough already).

If I recall correctly, the interfaces you need that aren't exported are the same ones we've been waiting on for over a year at this point. The keyring folks promised Derrick they'd export the required interfaces, but apparently never got around to actually doing so. :-(


I haven't looked at what you did in detail, but it sounds like part of setpag() in your model is setting a key from usermode which contains the PAG ID. I'm not sure where you get the ID or what restrictions are enforced, but obviously a user process must not be able to set any arbitrary PAG ID it wants.

-- Jeff
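
The concern in the last paragraph, as an added example that is not part of the original thread or of the patch under discussion: if the PAG were held in a generic `user`-type key, the payload is whatever the calling process supplies, so a kernel-side keyring search has to apply its own check before trusting it. The key type, the description `example_afs_pag` and the sample value are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>

#define PAG_KEY_TYPE "user"            /* assumption: generic key type */
#define PAG_KEY_DESC "example_afs_pag" /* hypothetical key description */

/* What pagsh is described as doing: start a new anonymous session keyring. */
static long new_session_keyring(void)
{
    return syscall(SYS_keyctl, (long)KEYCTL_JOIN_SESSION_KEYRING, NULL);
}

/* Userspace half of the described setpag(): put a PAG id into a key. */
static long store_pag(uint32_t pag)
{
    return syscall(SYS_add_key, PAG_KEY_TYPE, PAG_KEY_DESC,
                   &pag, sizeof(pag), (long)KEY_SPEC_SESSION_KEYRING);
}

/* Find the key by type and description and read its payload back. */
static int load_pag(uint32_t *pag)
{
    long id = syscall(SYS_keyctl, (long)KEYCTL_SEARCH,
                      (long)KEY_SPEC_SESSION_KEYRING,
                      PAG_KEY_TYPE, PAG_KEY_DESC, 0L);
    if (id < 0)
        return -1;
    return syscall(SYS_keyctl, (long)KEYCTL_READ, id, pag, sizeof(*pag))
               == (long)sizeof(*pag) ? 0 : -1;
}

/* 1: the caller-chosen value came back unchanged; 0: it did not;
 * -1: keyring syscalls are unavailable or denied here (errno is set). */
int caller_controls_pag(uint32_t chosen)
{
    uint32_t got = 0;
    if (new_session_keyring() < 0 || store_pag(chosen) < 0 || load_pag(&got) < 0)
        return -1;
    return got == chosen;
}

int main(void)
{
    int r = caller_controls_pag(0x41000001u); /* constructed sample value */
    if (r < 0) { printf("keyrings unavailable: %s\n", strerror(errno)); return 0; }
    printf("lookup returns the caller-chosen PAG: %s\n", r ? "yes" : "no");
    return 0;
}
```

A result of 1 means the lookup alone gives the kernel no assurance about where the ID came from.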