From patchwork Thu Sep 13 14:08:37 2018
X-Patchwork-Submitter: David Howells
X-Patchwork-Id: 10599611
Subject: [PATCH 0/3] keyutils: request_key and DNS resolver changes
From: David Howells
To: keyrings@vger.kernel.org
Cc: dhowells@redhat.com, linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org, linux-security-module@vger.kernel.org
Date: Thu, 13 Sep 2018 15:08:37 +0100
Message-ID: <153684771698.10049.12488548190876920608.stgit@warthog.procyon.org.uk>

Here's a set of keyutils patches that makes it possible to override the DNS
resolver (or any other upcall target). This allows the kafs-utils package to
override requests to the dns resolver and make use of static configuration in
addition to DNS lookups. This allows this function to be moved out of keyutils
and allows the dependency on krb5 to be removed.

The following changes are made:

 (1) request-key now has better command-line option support for debugging the
     configuration.

 (2) request-key now reads all its config files and searches for the best
     match rather than the first match. 'Best match' is defined as the match
     with the least number of characters skipped by a wildcard, first in the
     leftmost column, then in the next column and so on. So in the following
     two config lines:

	create dns_resolver * * /sbin/key.dns_resolver %k
	create dns_resolver afsdb:* * /sbin/dns_afsdb %k

     For dns_resolver keys, the second line is preferred if the description
     matches "afsdb:*" - no matter the order in which they're encountered -
     but the first line will be used otherwise.

 (3) The AFS cellservdb config file parsing is removed from key.dns_resolver
     and the dependencies for the krb5 profile functions are dropped.

The patches can also be found here:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git

on branch next (bottom 3 patches).

Thanks,
David
---
David Howells (3):
      request-key: Provide a command line option to suppress execution
      request-key: Find best match rather than first match
      Remove the dependency on MIT Kerberos

 Makefile               |    2 
 dns.afsdb.c            |  268 ++++--------------------------
 keyutils.spec          |    2 
 man/request-key.8      |   31 +++-
 man/request-key.conf.5 |   36 ++--
 request-key.c          |  419 +++++++++++++++++++++++++++++------------------
 6 files changed, 336 insertions(+), 422 deletions(-)
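The best-match rule in change (2) above is easy to get subtly wrong (first-match behaviour quietly wins if the catch-all line is read first), so here is an added example that models it in C. This is not the keyutils implementation and not David's code: it is a standalone illustration of "fewest characters skipped by a wildcard, compared column by column from the left". It assumes request-key.conf lines of the form `op type description callout_info program`, that `*` appears only as a whole field or as a trailing wildcard, and that a tie keeps the earlier line. The first two config lines are the ones quoted in the cover letter, placed with the catch-all first on purpose; the third line (`afsdb:example.*`, `/sbin/dns_afsdb_local`) is constructed for the example and does not exist in keyutils.

```c
/* Added example: best-match selection over request-key.conf style lines.
 * Not the keyutils implementation. Models the rule described in the cover
 * letter: among matching lines, prefer the one whose wildcards skip the
 * fewest characters, leftmost column first. Assumes '*' is only used as a
 * whole field or as a trailing wildcard. */
#include <stdio.h>
#include <string.h>

#define NCOLS 3   /* columns matched after op: type, description, callout_info */

struct rule {
    const char *op;
    const char *pat[NCOLS];
    const char *program;
};

/* Constructed config set. The first two lines are quoted from the cover
 * letter, deliberately with the catch-all first so that a first-match search
 * would pick it. The third is a hypothetical, more specific line. */
static const struct rule rules[] = {
    { "create", { "dns_resolver", "*",               "*" }, "/sbin/key.dns_resolver %k" },
    { "create", { "dns_resolver", "afsdb:*",         "*" }, "/sbin/dns_afsdb %k" },
    { "create", { "dns_resolver", "afsdb:example.*", "*" }, "/sbin/dns_afsdb_local %k" }, /* hypothetical */
};
static const int nrules = sizeof(rules) / sizeof(rules[0]);

/* Match one column. Returns the number of characters swallowed by a trailing
 * '*' (0 for an exact match), or -1 if the pattern does not match. */
static int match_col(const char *pat, const char *datum)
{
    size_t plen = strlen(pat), dlen = strlen(datum);

    if (plen > 0 && pat[plen - 1] == '*') {
        size_t fixed = plen - 1;               /* literal prefix before '*' */
        if (dlen < fixed || strncmp(pat, datum, fixed) != 0)
            return -1;
        return (int)(dlen - fixed);
    }
    return strcmp(pat, datum) == 0 ? 0 : -1;
}

/* Lexicographic comparison of skip counts, leftmost column most significant.
 * Negative means a is the better (more specific) match. */
static int score_cmp(const int *a, const int *b)
{
    for (int c = 0; c < NCOLS; c++)
        if (a[c] != b[c])
            return a[c] - b[c];
    return 0;
}

/* Return the index of the best matching rule, or -1 if none matches.
 * Ties keep the earlier line, so file order only matters between equals. */
int best_match(const char *op, const char *type, const char *desc, const char *callout)
{
    const char *datum[NCOLS] = { type, desc, callout };
    int best = -1, best_score[NCOLS];

    for (int i = 0; i < nrules; i++) {
        int score[NCOLS], c;

        if (strcmp(rules[i].op, op) != 0)
            continue;
        for (c = 0; c < NCOLS; c++) {
            score[c] = match_col(rules[i].pat[c], datum[c]);
            if (score[c] < 0)
                break;
        }
        if (c < NCOLS)
            continue;                          /* some column failed to match */
        if (best < 0 || score_cmp(score, best_score) < 0) {
            best = i;
            memcpy(best_score, score, sizeof(score));
        }
    }
    return best;
}

int main(void)
{
    /* Constructed lookups: an empty callout_info is used for all of them. */
    const char *descs[] = { "afsdb:example.com", "afsdb:grand.central.org", "example.com" };

    for (size_t i = 0; i < sizeof(descs) / sizeof(descs[0]); i++) {
        int r = best_match("create", "dns_resolver", descs[i], "");
        printf("%-24s -> %s\n", descs[i], r < 0 ? "(no match)" : rules[r].program);
    }
    return 0;
}
```

The skip count is what makes the ordering independent of file order: `afsdb:example.com` costs 17 characters under `*`, 11 under `afsdb:*` and 3 under `afsdb:example.*`, so the most specific line wins wherever it sits; a description that matches none of the prefixed patterns falls through to the catch-all, and an unknown op matches nothing at all.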