From 8c9db3a7a5145f6b26c8051af319eee6f72c9ca8 Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Fri, 3 Jun 2016 11:53:07 -0700
Subject: [PATCH] Add option to disable new session keys

This adds an `--no-new-keyring` flag to run and create so that a new session keyring is not created for the container and the calling processes keyring is inherited.

Fixes #818

Signed-off-by: Michael Crosby
---
 create.go | 4 ++++
 libcontainer/configs/config.go | 4 ++++
 libcontainer/setns_init_linux.go | 8 +++++---
 libcontainer/specconv/spec_linux.go | 12 +++++++-----
 libcontainer/standard_init_linux.go | 20 +++++++++++---------
 run.go | 4 ++++
 utils_linux.go | 1 +
 7 files changed, 36 insertions(+), 17 deletions(-)

diff --git a/create.go b/create.go
index 6b754d8f..272807bb 100644
--- a/create.go
+++ b/create.go
@@ -42,6 +42,10 @@ command(s) that get executed on start, edit the args parameter of the spec. See
 Name: "no-pivot",
 Usage: "do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk",
 },
+ cli.BoolFlag{
+ Name: "no-new-keyring",
+ Usage: "do not create a new session keyring for the container. This will cause the container to inherit the calling processes session key",
+ },
 },
 Action: func(context *cli.Context) error {
 spec, err := setupSpec(context)
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
index ef232222..806e0be9 100644
--- a/libcontainer/configs/config.go
+++ b/libcontainer/configs/config.go
@@ -187,6 +187,10 @@ type Config struct {
 // Labels are user defined metadata that is stored in the config and populated on the state
 Labels []string `json:"labels"`
+
+ // NoNewKeyring will not allocated a new session keyring for the container. It will use the
+ // callers keyring in this case.
+ NoNewKeyring bool `json:"no_new_keyring"`
 }
 type Hooks struct {
diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
index f1aa330d..2475587c 100644
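Review bot: The Usage string of the new `no-new-keyring` flag misstates what is inherited: the container keeps the caller's session keyring, not a single "session key", and "calling processes" should be possessive. Suggested: `Usage: "do not create a new session keyring for the container. This will cause the container to inherit the calling process's session keyring",`. The same text is duplicated in the run.go hunk; a shared flag definition, or at least identical wording, would keep the two commands from drifting. Since keys held in that keyring become visible to the container process (subject to key permissions), this help text is the only place an operator is told about the consequence, so it is worth being precise.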
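Review bot: The doc comment on the new NoNewKeyring field has a grammar slip ("will not allocated") and does not say what the container ends up with instead. Suggested replacement for the two comment lines: `// NoNewKeyring skips creating a new session keyring for the container; the container` / `// process keeps the caller's session keyring, so keys in it are visible inside the container.` The `json:"no_new_keyring"` tag serializes the setting with the config, so presumably it is honored again on later joins (see the setns_init_linux.go hunk); the comment could mention that.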
--- a/libcontainer/setns_init_linux.go
+++ b/libcontainer/setns_init_linux.go
@@ -25,9 +25,11 @@ func (l *linuxSetnsInit) getSessionRingName() string {
 }
 func (l *linuxSetnsInit) Init(s chan os.Signal) error {
- // do not inherit the parent's session keyring
- if _, err := keyctl.JoinSessionKeyring(l.getSessionRingName()); err != nil {
- return err
+ if !l.config.Config.NoNewKeyring {
+ // do not inherit the parent's session keyring
+ if _, err := keyctl.JoinSessionKeyring(l.getSessionRingName()); err != nil {
+ return err
+ }
 }
 if l.config.NoNewPrivileges {
 if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 4c6f7b7a..8cbd6388 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -145,6 +145,7 @@ type CreateOpts struct {
 CgroupName string
 UseSystemdCgroup bool
 NoPivotRoot bool
+ NoNewKeyring bool
 Spec *specs.Spec
 }
@@ -170,11 +171,12 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 labels = append(labels, fmt.Sprintf("%s=%s", k, v))
 }
 config := &configs.Config{
- Rootfs: rootfsPath,
- NoPivotRoot: opts.NoPivotRoot,
- Readonlyfs: spec.Root.Readonly,
- Hostname: spec.Hostname,
- Labels: append(labels, fmt.Sprintf("bundle=%s", cwd)),
+ Rootfs: rootfsPath,
+ NoPivotRoot: opts.NoPivotRoot,
+ Readonlyfs: spec.Root.Readonly,
+ Hostname: spec.Hostname,
+ Labels: append(labels, fmt.Sprintf("bundle=%s", cwd)),
+ NoNewKeyring: opts.NoNewKeyring,
 }
 exists := false
diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
index a319ea84..ac787707 100644
--- a/libcontainer/standard_init_linux.go
+++ b/libcontainer/standard_init_linux.go
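Review bot: Because linuxSetnsInit.Init now also consults l.config.Config.NoNewKeyring, a process joined into a container created with the flag keeps the session keyring of whichever process runs the join (presumably runc exec), which is not necessarily the same keyring the container's init inherited. If that is intended, the new `if` deserves a comment saying so, e.g. `// NoNewKeyring also applies to joined processes: they keep the session keyring of the process running the join, not the container's.`; if not, the flag should be honored only in standard_init_linux.go. Unlike the standard init path, this branch never adjusted keyring permissions, so the only behavior change here is the skipped JoinSessionKeyring. Init's body continues outside the hunk.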
@@ -45,16 +45,18 @@ func (l *linuxStandardInit) getSessionRingParams() (string, uint32, uint32) {
 const PR_SET_NO_NEW_PRIVS = 0x26
 func (l *linuxStandardInit) Init(s chan os.Signal) error {
- ringname, keepperms, newperms := l.getSessionRingParams()
+ if !l.config.Config.NoNewKeyring {
+ ringname, keepperms, newperms := l.getSessionRingParams()
- // do not inherit the parent's session keyring
- sessKeyId, err := keyctl.JoinSessionKeyring(ringname)
- if err != nil {
- return err
- }
- // make session keyring searcheable
- if err := keyctl.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil {
- return err
+ // do not inherit the parent's session keyring
+ sessKeyId, err := keyctl.JoinSessionKeyring(ringname)
+ if err != nil {
+ return err
+ }
+ // make session keyring searcheable
+ if err := keyctl.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil {
+ return err
+ }
 }
 var console *linuxConsole
diff --git a/run.go b/run.go
index b69fcfa7..b9b4c4bf 100644
--- a/run.go
+++ b/run.go
@@ -53,6 +53,10 @@ command(s) that get executed on start, edit the args parameter of the spec. See
 Name: "no-pivot",
 Usage: "do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk",
 },
+ cli.BoolFlag{
+ Name: "no-new-keyring",
+ Usage: "do not create a new session keyring for the container. This will cause the container to inherit the calling processes session key",
+ },
 },
 Action: func(context *cli.Context) error {
 spec, err := setupSpec(context)
diff --git a/utils_linux.go b/utils_linux.go
index 0fd1fbfa..ce2e0344 100644
--- a/utils_linux.go
+++ b/utils_linux.go
@@ -171,6 +171,7 @@ func createContainer(context *cli.Context, id string, spec *specs.Spec) (libcont
 CgroupName: id,
 UseSystemdCgroup: context.GlobalBool("systemd-cgroup"),
 NoPivotRoot: context.Bool("no-pivot"),
+ NoNewKeyring: context.Bool("no-new-keyring"),
 Spec: spec,
 })
 if err != nil {
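Review bot: When NoNewKeyring is set the new guard skips not only JoinSessionKeyring but also the ModKeyringPerm call, so the inherited keyring is left with whatever permissions the caller gave it, neither tightened nor made searchable; the `if` should carry a comment recording that this is intentional, e.g. `// NoNewKeyring: keep the caller's session keyring as-is (no join, no permission change)`. Moving `sessKeyId, err := ...` into the block also narrows `err` to that block; if the rest of Init, which continues outside the hunk, assigned to that `err` with `=` it would no longer compile, so presumably it redeclares with `:=`. The pre-existing "searcheable" typo moved with the line and could become `searchable` while the line is being touched.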