A mechanism for intercepting kernel upcalls
Last week, Containers as kernel objects looked at an attempt to add a formal "container" concept to the kernel, partly as a way of ensuring that kernel upcalls (calls made from inside the kernel to a user-space program) run inside the correct namespaces. This week, David Howells is back with a different approach: a way for a daemon process to intercept and handle specific key-related upcalls.
In particular, the keyctl() system call is extended with a KEYCTL_SERVICE_CREATE command, which returns a special file descriptor. Subsequent calls on that descriptor can add "filters" describing the upcalls to be intercepted; each filter is described by name and by a set of flags indicating which namespaces are relevant. If the calling program's namespaces match those of the process that triggers an upcall, that program is allowed to handle the call instead of the kernel's usual upcall path. See the patch posting for a more detailed description of how it works.
