diff --git a/config-linux.md b/config-linux.md
index 37ea951f7..9160c932a 100644
--- a/config-linux.md
+++ b/config-linux.md
@@ -826,6 +826,21 @@ subset of the available options.
 * **`flags`** *(array of strings, OPTIONAL)* - the additional flags to apply.
   Currently no flag values are supported.
 
+## Keyrings
+
+**`keyrings`** (object, OPTIONAL) sets the kernel keyrings that are created and/or joined by the
+container. For more information, see the [keyrings][keyrings.7] man page.
+
+* **`session`** *(object, OPTIONAL)* - the session shared process keyring.
+  The session-specific keyring is inherited and shared by all child processes. If `session` is
+  not specified, no new session keyring will be created/and or joined by the container. This
+  will cause the container to inherit the calling processes session key.
+
+* **`process`** *(object, OPTIONAL)* - the per-process shared keyring.
+  The process-specific keyring is shared by all threads in a process.
+
+* **`thread`** *(object, OPTIONAL)* - the per-thread keyring.
+  The thread-specific keyring is kept to a particular thread.
 
 [cgroup-v1]: https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
 [cgroup-v1-blkio]: https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt
@@ -849,6 +864,7 @@ subset of the available options.
 [tmpfs]: https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt
 [full.4]: http://man7.org/linux/man-pages/man4/full.4.html
+[keyrings.7]: https://man7.org/linux/man-pages/man7/keyrings.7.html
 [mknod.1]: http://man7.org/linux/man-pages/man1/mknod.1.html
 [mknod.2]: http://man7.org/linux/man-pages/man2/mknod.2.html
 [namespaces.7_2]: http://man7.org/linux/man-pages/man7/namespaces.7.html
diff --git a/specs-go/config.go b/specs-go/config.go
index 6a7a91e55..c2ed2f086 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -182,6 +182,8 @@ type Linux struct {
 	IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
 	// Personality contains configuration for the Linux personality syscall
 	Personality *LinuxPersonality `json:"personality,omitempty"`
+	// Keyrings specifies the kernel keyrings that are created and/or joined by the container.
+	Keyrings *LinuxKeyrings `json:"keyrings,omitempty"`
 }
 
 // LinuxNamespace is the configuration for a Linux namespace
@@ -431,6 +433,38 @@ type LinuxPersonality struct {
 	Flags []LinuxPersonalityFlag `json:"flags,omitempty"`
 }
 
+// LinuxKeyrings specifies the list of keyrings used to anchor keys on behalf of a process.
+// https://man7.org/linux/man-pages/man7/keyrings.7.html
+type LinuxKeyrings struct {
+	// Session is the session shared process keyring.
+	// It is inherited and shared by all child processes.
+	Session LinuxSessionKeyring `json:"session,omitempty"`
+	// Process is the per-process shared keyring.
+	// It is shared by all threads in a process.
+	Process LinuxProcessKeyring `json:"process,omitempty"`
+	// Session is the per-thread keyring.
+	// It is specific to a particular thread.
+	Thread LinuxThreadKeyring `json:"thread,omitempty"`
+}
+
+// LinuxSessionKeyring defines the session shared process keyring.
+type LinuxSessionKeyring struct {
+	// Name is the name of the session-specific keyring.
+	Name string `json:"name,omitempty"`
+}
+
+// LinuxProcessKeyring defines the per-process shared keyring.
+type LinuxProcessKeyring struct {
+	// Name is the name of the process-specific keyring.
+	Name string `json:"name,omitempty"`
+}
+
+// LinuxThreadKeyring defines the per-thread keyring.
+type LinuxThreadKeyring struct {
+	// Name is the name of the thread-specific keyring.
+	Name string `json:"name,omitempty"`
+}
+
 // Solaris contains platform-specific configuration for Solaris application containers.
 type Solaris struct {
 	// SMF FMRI which should go "online" before we start the container process.
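Review bot: The three members of `LinuxKeyrings` are value structs, so the `omitempty` in their `json` tags has no effect (encoding/json does not omit an empty struct), a marshalled config always carries `"session":{}`, and a decoded config cannot tell an absent `session` from an empty one, even though config-linux.md in this same commit gives absence a distinct meaning (no new session keyring is created or joined and the container inherits the caller's). Declaring them as pointers, consistent with the `Keyrings *LinuxKeyrings` field added in the first hunk, preserves that presence distinction: `Session *LinuxSessionKeyring`, `Process *LinuxProcessKeyring`, `Thread *LinuxThreadKeyring`, each keeping its existing tag. The comment above the `Thread` field names the wrong member and should read `// Thread is the per-thread keyring.`. The type comment calls the struct a "list of keyrings" although it is a fixed set of three optional members; `// LinuxKeyrings specifies the kernel keyrings that are created and/or joined by the container.` would match the field comment in the `Linux` struct.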