Hi,
I spent a few days trying to understand how PAGs
work on recent linux kernel (I did not find documentation,
suggestions ?) and I concluded the following:
1. pags are associated to a session_type keyring i.e.
setpag (in src/afs/LINUX/osi_groups.c) assigns a keyring
in the struct_task (in signal->session_keyring, in my current kernel)
and stores a key of type afs_pag, named "_pag" in this keyring
2. the "real" pag is stored in the payload of the "_pag" key
(and in groups)
3. when a credential is required PagInCred (in src/afs/afs_osi_pag.c)
retrieve the pag from the keyrings using ``request_key``
4. ktc_SetTok (src/auth/ktc.c) through pioctl VIOCSETTOK associates
(I do not understand well how) a token to the "current" PAG
(current here, I assume, means the pag that is found via
the _pag key of the calling task)
I have some evidence of this, but I had no chance of finding
the right piece of code.
All the previous items let me to assume that:
I cannot have a PAG associated to a thread (session keyrings
are shared between threads) and, at the same time I cannot
have different credentials associated to different threads of the same process
(tests for this exhibit a strange behavior but I think this is true).
On the other hand request_key (the one used in PagInCred) searches
for keys in any keyring (in a fixed order, starting from the thread one)
so if I store a key named "_pag" (as I did) in thread's keyring
any thread can get a pag and, thus, can have (unshared) credentials.
Can someone tell me if I (completely) misunderstood something ?
If anything before happen to be true I have a question:
what kind of interface can I provide to request a thread-pag ?
In my local tests I hijaked syscall nr. 29 (left free) and it works
but I have not idea of consequences.
Finally, I am not able to understand why pags are stored in groups too;
any help ?
Thank you,
Alberto Mancini
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
