Add option to disable new session keys

This adds an `--no-new-keyring` flag to run and create so that a new
session keyring is not created for the container and the calling
processes keyring is inherited.

Fixes #818

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

create.go

@@ -42,6 +42,10 @@ command(s) that get executed on start, edit the args parameter of the spec. See
 			Name:  "no-pivot",
 			Usage: "do not use pivot root to jail process inside rootfs.  This should be used whenever the rootfs is on top of a ramdisk",
 		},
+		cli.BoolFlag{
+			Name:  "no-new-keyring",
+			Usage: "do not create a new session keyring for the container.  This will cause the container to inherit the calling processes session key",
+		},
 	},
 	Action: func(context *cli.Context) error {
 		spec, err := setupSpec(context)

libcontainer/configs/config.go

@@ -187,6 +187,10 @@ type Config struct {
 
 	// Labels are user defined metadata that is stored in the config and populated on the state
 	Labels []string `json:"labels"`
+
+	// NoNewKeyring will not allocated a new session keyring for the container.  It will use the
+	// callers keyring in this case.
+	NoNewKeyring bool `json:"no_new_keyring"`
 }
 
 type Hooks struct {

libcontainer/setns_init_linux.go

@@ -25,10 +25,12 @@ func (l *linuxSetnsInit) getSessionRingName() string {
 }
 
 func (l *linuxSetnsInit) Init(s chan os.Signal) error {
+	if !l.config.Config.NoNewKeyring {
 		// do not inherit the parent's session keyring
 		if _, err := keyctl.JoinSessionKeyring(l.getSessionRingName()); err != nil {
 			return err
 		}
+	}
 	if l.config.NoNewPrivileges {
 		if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
 			return err

libcontainer/specconv/spec_linux.go

@@ -145,6 +145,7 @@ type CreateOpts struct {
 	CgroupName       string
 	UseSystemdCgroup bool
 	NoPivotRoot      bool
+	NoNewKeyring     bool
 	Spec             *specs.Spec
 }
 
@@ -175,6 +176,7 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 		Readonlyfs:   spec.Root.Readonly,
 		Hostname:     spec.Hostname,
 		Labels:       append(labels, fmt.Sprintf("bundle=%s", cwd)),
+		NoNewKeyring: opts.NoNewKeyring,
 	}
 
 	exists := false

libcontainer/standard_init_linux.go

@@ -45,6 +45,7 @@ func (l *linuxStandardInit) getSessionRingParams() (string, uint32, uint32) {
 const PR_SET_NO_NEW_PRIVS = 0x26
 
 func (l *linuxStandardInit) Init(s chan os.Signal) error {
+	if !l.config.Config.NoNewKeyring {
 		ringname, keepperms, newperms := l.getSessionRingParams()
 
 		// do not inherit the parent's session keyring
@@ -56,6 +57,7 @@ func (l *linuxStandardInit) Init(s chan os.Signal) error {
 		if err := keyctl.ModKeyringPerm(sessKeyId, keepperms, newperms); err != nil {
 			return err
 		}
+	}
 
 	var console *linuxConsole
 	if l.config.Console != "" {

run.go

@@ -53,6 +53,10 @@ command(s) that get executed on start, edit the args parameter of the spec. See
 			Name:  "no-pivot",
 			Usage: "do not use pivot root to jail process inside rootfs.  This should be used whenever the rootfs is on top of a ramdisk",
 		},
+		cli.BoolFlag{
+			Name:  "no-new-keyring",
+			Usage: "do not create a new session keyring for the container.  This will cause the container to inherit the calling processes session key",
+		},
 	},
 	Action: func(context *cli.Context) error {
 		spec, err := setupSpec(context)

utils_linux.go

@@ -171,6 +171,7 @@ func createContainer(context *cli.Context, id string, spec *specs.Spec) (libcont
 		CgroupName:       id,
 		UseSystemdCgroup: context.GlobalBool("systemd-cgroup"),
 		NoPivotRoot:      context.Bool("no-pivot"),
+		NoNewKeyring:     context.Bool("no-new-keyring"),
 		Spec:             spec,
 	})
 	if err != nil {