Hi Markus, Marc,
Here's a set of fixes to improve the interaction of arbitrary lookups in
the AFS dynamic root that hit DNS lookup failures:
(1) Always delete unused (particularly negative) dentries as soon as
possible so that they don't prevent future lookups from retrying.
(2) Fix the handling of new-style negative DNS lookups in ->lookup() to
make them return ENOENT so that userspace doesn't get confused when
stat succeeds but the following open on the looked up file then fails.
(3) Fix key handling so that DNS lookup results are reclaimed as soon as
they expire rather than sitting round either forever or for an
additional 5 mins beyond a set expiry time returning EKEYEXPIRED.
The patches can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=afs-fixes
Thanks,
David
David Howells (3):
afs: Fix the dynamic root's d_delete to always delete unused dentries
afs: Fix dynamic root lookup DNS check
keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry
fs/afs/dynroot.c | 31 +++++++++++++++++--------------
include/linux/key-type.h | 1 +
net/dns_resolver/dns_key.c | 10 +++++++++-
security/keys/gc.c | 31 +++++++++++++++++++++----------
security/keys/internal.h | 8 +++++++-
security/keys/key.c | 15 +++++----------
security/keys/proc.c | 2 +-
7 files changed, 61 insertions(+), 37 deletions(-)
On Mon, 2023-12-11 at 16:34 +0000, David Howells wrote:
> Hi Markus, Marc,
>
> Here's a set of fixes to improve the interaction of arbitrary lookups in
> the AFS dynamic root that hit DNS lookup failures:
>
> (1) Always delete unused (particularly negative) dentries as soon as
> possible so that they don't prevent future lookups from retrying.
>
> (2) Fix the handling of new-style negative DNS lookups in ->lookup() to
> make them return ENOENT so that userspace doesn't get confused when
> stat succeeds but the following open on the looked up file then fails.
>
> (3) Fix key handling so that DNS lookup results are reclaimed as soon as
> they expire rather than sitting round either forever or for an
> additional 5 mins beyond a set expiry time returning EKEYEXPIRED.
>
> The patches can be found here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=afs-fixes
>

I tested these patches on 6.7.0-rc4-gdfbc00cb940b. It seems that a nonexistent directory will remove my valid rxrpc key.

Reproduce:

1) kinit ....
2) aklog....
3) keyctl show

Session Keyring
 347100937 --alswrv   1001 65534  keyring: _uid_ses.1001
1062692655 --alswrv   1001 65534   \_ keyring: _uid.1001
 698363997 --als-rv   1001   100       \_ rxrpc: afs@station.com

klist
Ticket cache: KEYRING:persistent:1001:1001
Default principal: .....
...

4) ls /afs/notfound
5) keyctl show

Session Keyring
 709308533 --alswrv   1001 65534  keyring: _uid_ses.1001
 385820479 --alswrv   1001 65534   \_ keyring: _uid.1001

klist
klist: Credentials cache keyring 'persistent:1001:1001' not found

-Markus
markus.suvanto@gmail.com wrote:

> Reproduce:
> 1) kinit ....
> 2) aklog....
> 3) keyctl show
> Session Keyring
>  347100937 --alswrv   1001 65534  keyring: _uid_ses.1001
> 1062692655 --alswrv   1001 65534   \_ keyring: _uid.1001
>  698363997 --als-rv   1001   100       \_ rxrpc: afs@station.com
>
> klist
> Ticket cache: KEYRING:persistent:1001:1001
> Default principal: .....

Can you "grep rxrpc /proc/keys" at this point?

> 4) ls /afs/notfound
> 5) keyctl show
> Session Keyring
>  709308533 --alswrv   1001 65534  keyring: _uid_ses.1001
>  385820479 --alswrv   1001 65534   \_ keyring: _uid.1001
>
> klist
> klist: Credentials cache keyring 'persistent:1001:1001' not found

David
On Tue, 2023-12-12 at 09:03 +0000, David Howells wrote:
> markus.suvanto@gmail.com wrote:
>
> > Reproduce:
> > 1) kinit ....
> > 2) aklog....
> > 3) keyctl show
> > Session Keyring
> >  347100937 --alswrv   1001 65534  keyring: _uid_ses.1001
> > 1062692655 --alswrv   1001 65534   \_ keyring: _uid.1001
> >  698363997 --als-rv   1001   100       \_ rxrpc: afs@station.com
> >
> > klist
> > Ticket cache: KEYRING:persistent:1001:1001
> > Default principal: .....
>
> Can you "grep rxrpc /proc/keys" at this point?
>

different cell though...

masu@t470 ~ % grep rxrpc /proc/keys
23e16cda I--Q---     1   3d 3b010000  1001   100 rxrpc     afs@movesole.com: ka
markus.suvanto@gmail.com wrote:

> > Can you "grep rxrpc /proc/keys" at this point?
> >
> different cell though...
>
> masu@t470 ~ % grep rxrpc /proc/keys
> 23e16cda I--Q---     1   3d 3b010000  1001   100 rxrpc     afs@movesole.com: ka

Okay, I see the persistent keyring disappear, but I don't see a key linked
into my session keyring vanish.

David
> > masu@t470 ~ % grep rxrpc /proc/keys
> > 23e16cda I--Q---     1   3d 3b010000  1001   100 rxrpc     afs@movesole.com: ka
>
> Okay, I see the persistent keyring disappear, but I don't see a key linked
> into my session keyring vanish.

Full log of my commands...

masu@t470 ~ % klist
klist: Credentials cache keyring 'persistent:1001:1001' not found
masu@t470 ~ % keyctl show
Session Keyring
 388545754 --alswrv   1001 65534  keyring: _uid_ses.1001
 946177719 --alswrv   1001 65534   \_ keyring: _uid.1001
masu@t470 ~ % grep rxrpc /proc/keys
masu@t470 ~ %
masu@t470 ~ % kinit masu@MOVESOLE.COM
Password for masu@MOVESOLE.COM:
masu@t470 ~ % aklog-kafs-kdf movesole.com MOVESOLE.COM
masu@t470 ~ %
masu@t470 ~ % grep rxrpc /proc/keys
2600d2d5 I--Q---     1   3d 3b010000  1001   100 rxrpc     afs@movesole.com: ka
masu@t470 ~ % klist
Ticket cache: KEYRING:persistent:1001:1001
Default principal: masu@MOVESOLE.COM

Valid starting       Expires              Service principal
12.12.2023 11.52.47  16.12.2023 11.52.40  afs/movesole.com@MOVESOLE.COM
	renew until 26.12.2023 11.52.40
12.12.2023 11.52.43  16.12.2023 11.52.40  krbtgt/MOVESOLE.COM@MOVESOLE.COM
	renew until 26.12.2023 11.52.40
masu@t470 ~ % keyctl show
Session Keyring
 388545754 --alswrv   1001 65534  keyring: _uid_ses.1001
 946177719 --alswrv   1001 65534   \_ keyring: _uid.1001
 637588181 --als-rv   1001   100       \_ rxrpc: afs@movesole.com
masu@t470 ~ %
masu@t470 ~ % ls /afs/notfound
ls: tiedostoa '/afs/notfound' ei voi käsitellä: Tiedostoa tai hakemistoa ei ole
masu@t470 ~ %
masu@t470 ~ % klist
klist: Credentials cache keyring 'persistent:1001:1001' not found
masu@t470 ~ % grep rxrpc /proc/keys
masu@t470 ~ % keyctl show
Session Keyring
1025218481 --alswrv   1001 65534  keyring: _uid_ses.1001
 322736164 --alswrv   1001 65534   \_ keyring: _uid.1001
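As an added regression check (not part of this thread or of the kernel patches), a small POSIX shell helper that diffs two /proc/keys snapshots by key serial and lists the keys that vanished between them, so a loss like the one in Markus's log above can be caught mechanically around any command. The snapshot contents are constructed to mirror the thread's output; the keyring serials and permission masks in them are made-up sample values.

```shell
#!/bin/sh
# Added example: report keys present in one /proc/keys snapshot but gone
# from a later one. /proc/keys fields are:
#   serial flags usage timeout perms uid gid type description

# Constructed snapshots. The rxrpc line copies the shape of the one in the
# thread; the keyring lines (serials, perms) are made-up sample values.
BEFORE='0a1b2c3d I--Q--- 2 perm 3f030000 1001 65534 keyring _uid_ses.1001: 2
2600d2d5 I--Q--- 1 3d 3b010000 1001 100 rxrpc afs@movesole.com: ka
1e2f3a4b I--Q--- 1 perm 3f030000 1001 100 keyring _persistent.1001: 1'
AFTER='0a1b2c3d I--Q--- 2 perm 3f030000 1001 65534 keyring _uid_ses.1001: 1'

# snapshot_keys: capture the live key table (only meaningful on a real
# system; the constructed data above is used for the offline run).
snapshot_keys() {
    cat /proc/keys
}

# lost_keys BEFORE AFTER: print "serial type description" for every key
# whose serial is in BEFORE but absent from AFTER. Serials are compared,
# not descriptions, because a recreated keyring gets a fresh serial (as the
# keyctl output in the thread shows) and must still count as a loss.
lost_keys() {
    printf '%s\n' "$1" |
    while read -r serial _flags _usage _timeout _perms _uid _gid type desc; do
        [ -n "$serial" ] || continue
        if ! printf '%s\n' "$2" | grep -q "^$serial "; then
            printf '%s %s %s\n' "$serial" "$type" "$desc"
        fi
    done
}

# check_after CMD...: run a command between two live snapshots and report
# any key that disappeared; returns 1 if something was lost.
check_after() {
    before=$(snapshot_keys)
    "$@" 2>/dev/null || :   # the command itself may fail (e.g. ls on a missing dir)
    after=$(snapshot_keys)
    lost=$(lost_keys "$before" "$after")
    if [ -n "$lost" ]; then
        printf 'keys lost while running %s:\n%s\n' "$*" "$lost" >&2
        return 1
    fi
}

# On a real system: check_after ls /afs/notfound
# Offline, on the constructed snapshots:
lost_keys "$BEFORE" "$AFTER"
```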