[GIT PULL] Expand keyring capacity and provide support for libkrb5

From: David Howells
Date: Wed Aug 28 2013 - 20:21:13 EST



Hi James,

Could you pull these patches into the security tree?

The patches can be viewed as three sets:

(1) KEYS: Skip key state checks when checking for possession

This is a fix for determining the possessed status of keys that have been
invalidated or revoked or that have expired. If nothing else, can you
please pick this and pass it upstream.

(2) KEYS: Expand the capacity of a keyring
Add a generic associative array implementation
KEYS: Drop the permissions argument from __keyring_search_one()
KEYS: Define a __key_get() wrapper to use rather than atomic_inc()
KEYS: Search for auth-key by name rather than target key ID
KEYS: Introduce a search context structure
KEYS: Consolidate the concept of an 'index key' for key access
KEYS: key_is_dead() should take a const key pointer argument
KEYS: Use bool in make_key_ref() and is_key_possessed()

Patches to expand the capacity of a keyring by using an associative
array rather than a flat list and patches to do some preparatory cleanups
for those.

(3) KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches
KEYS: Implement a big key type that can save to tmpfs

Patches to add better support for libkrb5 to save its tokens in a kernel
keyring rather than in files. It already has this ability to some
extent, but that has two problems: your tokens get deleted when you log
out (so your cron jobs can't use them) and the capacity of a user type
key is not sufficient for some of the huge Kerberos tickets one can get.
These patches address that.

If you need the patches basing on your tree instead, that can be done.

David
---
The following changes since commit f1d6e17f540af37bb1891480143669ba7636c4cf:

Merge branch 'akpm' (patches from Andrew Morton) (2013-08-14 10:04:43 -0700)

are available in the git repository at:


git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-krb-support

for you to fetch changes up to 0f8d966ebc86d7ab9fb7fd074ae589c2d81de08f:

KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches (2013-08-28 18:56:14 +0100)

----------------------------------------------------------------
(from the branch description for keys-devel local branch)

clone of "master"
Kerberos ticket persistence support

----------------------------------------------------------------
David Howells (12):
KEYS: Skip key state checks when checking for possession
KEYS: Use bool in make_key_ref() and is_key_possessed()
KEYS: key_is_dead() should take a const key pointer argument
KEYS: Consolidate the concept of an 'index key' for key access
KEYS: Introduce a search context structure
KEYS: Search for auth-key by name rather than target key ID
KEYS: Define a __key_get() wrapper to use rather than atomic_inc()
KEYS: Drop the permissions argument from __keyring_search_one()
Add a generic associative array implementation.
KEYS: Expand the capacity of a keyring
KEYS: Implement a big key type that can save to tmpfs
KEYS: Add per-user_namespace registers for persistent per-UID kerberos caches

Documentation/assoc_array.txt | 574 +++++++++++++
Documentation/security/keys.txt | 20 +-
include/keys/big_key-type.h | 25 +
include/keys/keyring-type.h | 17 +-
include/linux/assoc_array.h | 92 ++
include/linux/assoc_array_priv.h | 182 ++++
include/linux/key-type.h | 5 +
include/linux/key.h | 49 +-
include/linux/user_namespace.h | 6 +
include/uapi/linux/keyctl.h | 1 +
kernel/user.c | 4 +
kernel/user_namespace.c | 4 +
lib/Kconfig | 14 +
lib/Makefile | 1 +
lib/assoc_array.c | 1745 ++++++++++++++++++++++++++++++++++++++
security/keys/Kconfig | 29 +
security/keys/Makefile | 2 +
security/keys/big_key.c | 204 +++++
security/keys/compat.c | 3 +
security/keys/gc.c | 33 +-
security/keys/internal.h | 74 +-
security/keys/key.c | 91 +-
security/keys/keyctl.c | 3 +
security/keys/keyring.c | 1481 ++++++++++++++++----------------
security/keys/persistent.c | 169 ++++
security/keys/proc.c | 17 +-
security/keys/process_keys.c | 131 +--
security/keys/request_key.c | 56 +-
security/keys/request_key_auth.c | 31 +-
security/keys/sysctl.c | 11 +
security/keys/user_defined.c | 18 +-
31 files changed, 4124 insertions(+), 968 deletions(-)
create mode 100644 Documentation/assoc_array.txt
create mode 100644 include/keys/big_key-type.h
create mode 100644 include/linux/assoc_array.h
create mode 100644 include/linux/assoc_array_priv.h
create mode 100644 lib/assoc_array.c
create mode 100644 security/keys/big_key.c
create mode 100644 security/keys/persistent.c
