Commit 7743c48e authored by David Howells's avatar David Howells
Browse files

keys: Cache result of request_key*() temporarily in task_struct

If a filesystem uses keys to hold authentication tokens, then it needs a
token for each VFS operation that might perform an authentication check -
either by passing it to the server, or using to perform a check based on
authentication data cached locally.

For open files this isn't a problem, since the key should be cached in the
file struct since it represents the subject performing operations on that
file descriptor.

During pathwalk, however, there isn't anywhere to cache the key, except
perhaps in the nameidata struct - but that isn't exposed to the
filesystems.  Further, a pathwalk can incur a lot of operations, calling
one or more of the following, for instance:


on each dentry/inode it encounters - and each one may need to call
request_key().  And then, at the end of pathwalk, it will call the actual


which may need to go and get the token again.

However, it is very likely that all of the operations on a single
dentry/inode - and quite possibly a sequence of them - will all want to use
the same authentication token, which suggests that caching it would be a
good idea.

To this end:

 (1) Make it so that a positive result of request_key() and co. that didn't
     require upcalling to userspace is cached temporarily in task_struct.

 (2) The cache is 1 deep, so a new result displaces the old one.

 (3) The key is released by exit and by notify-resume.

 (4) The cache is cleared in a newly forked process.

Signed-off-by: default avatarDavid Howells <>
parent 896f1950
......@@ -176,6 +176,9 @@ The process stops immediately a valid key is found with permission granted to
use it. Any error from a previous match attempt is discarded and the key is
When request_key() is invoked, if CONFIG_KEYS_REQUEST_CACHE=y, a per-task
one-key cache is first checked for a match.
When search_process_keyrings() is invoked, it performs the following searches
until one succeeds:
......@@ -195,7 +198,9 @@ until one succeeds:
c) The calling process's session keyring is searched.
The moment one succeeds, all pending errors are discarded and the found key is
returned. If CONFIG_KEYS_REQUEST_CACHE=y, then that key is placed in the
per-task cache, displacing the previous key. The cache is cleared on exit or
just prior to resumption of userspace.
Only if all these fail does the whole thing fail with the highest priority
error. Note that several errors may have come from LSM.
......@@ -831,6 +831,11 @@ struct task_struct {
/* Effective (overridable) subjective task credentials (COW): */
const struct cred __rcu *cred;
/* Cached requested key. */
struct key *cached_requested_key;
* executable name, excluding path.
......@@ -187,6 +187,13 @@ static inline void tracehook_notify_resume(struct pt_regs *regs)
if (unlikely(current->task_works))
if (unlikely(current->cached_requested_key)) {
current->cached_requested_key = NULL;
......@@ -174,6 +174,11 @@ void exit_creds(struct task_struct *tsk)
alter_cred_subscribers(cred, -1);
current->cached_requested_key = NULL;
......@@ -327,6 +332,10 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
struct cred *new;
int ret;
p->cached_requested_key = NULL;
if (
!p->cred->thread_keyring &&
......@@ -24,6 +24,24 @@ config KEYS_COMPAT
def_bool y
depends on COMPAT && KEYS
bool "Enable temporary caching of the last request_key() result"
depends on KEYS
This option causes the result of the last successful request_key()
call that didn't upcall to the kernel to be cached temporarily in the
task_struct. The cache is cleared by exit and just prior to the
resumption of userspace.
This allows the key used for multiple step processes where each step
wants to request a key that is likely the same as the one requested
by the last step to save on the searching.
An example of such a process is a pathwalk through a network
filesystem in which each method needs to request an authentication
key. Pathwalk will call multiple methods for each dentry traversed
(permission, d_revalidate, lookup, getxattr, getacl, ...).
bool "Enable register of persistent per-UID keyrings"
depends on KEYS
......@@ -22,6 +22,31 @@
#define key_negative_timeout 60 /* default timeout on a negative key's existence */
static struct key *check_cached_key(struct keyring_search_context *ctx)
struct key *key = current->cached_requested_key;
if (key &&
ctx->match_data.cmp(key, &ctx->match_data) &&
!(key->flags & ((1 << KEY_FLAG_INVALIDATED) |
return key_get(key);
return NULL;
static void cache_requested_key(struct key *key)
struct task_struct *t = current;
t->cached_requested_key = key_get(key);
set_tsk_thread_flag(t, TIF_NOTIFY_RESUME);
* complete_request_key - Complete the construction of a key.
* @authkey: The authorisation key.
......@@ -562,6 +587,10 @@ struct key *request_key_and_link(struct key_type *type,
key = check_cached_key(&ctx);
if (key)
return key;
/* search all the process keyrings for a key */
key_ref = search_process_keyrings_rcu(&ctx);
......@@ -587,6 +616,9 @@ struct key *request_key_and_link(struct key_type *type,
goto error_free;
/* Only cache the key on immediate success */
} else if (PTR_ERR(key_ref) != -EAGAIN) {
key = ERR_CAST(key_ref);
} else {
......@@ -786,6 +818,10 @@ struct key *request_key_rcu(struct key_type *type, const char *description)
kenter("%s,%s", type->name, description);
key = check_cached_key(&ctx);
if (key)
return key;
/* search all the process keyrings for a key */
key_ref = search_process_keyrings_rcu(&ctx);
if (IS_ERR(key_ref)) {
......@@ -794,6 +830,7 @@ struct key *request_key_rcu(struct key_type *type, const char *description)
} else {
key = key_ref_to_ptr(key_ref);
kleave(" = %p", key);
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment