microsoft / WSL

Issues found on WSL
https://docs.microsoft.com/windows/wsl
MIT License

Key Request Service (Documentation/security/keys/request-key.rst) unable to perform upcalls #11470

Open jaltman opened 6 months ago

jaltman commented 6 months ago

Windows Version

Microsoft Windows [Version 10.0.22631.3520]

WSL Version

0.0.0.0

Are you using WSL 1 or WSL 2?

Kernel Version

5.15.150.1

Distro Version

Debian 12.2.0

Other Software

keyutils-1.6.3 (Built 2022-12-18)

Repro Steps

The keyutils key request service documented in Documentation/security/keys/request-key.rst is used for management of keyrings as well as DNS resolution and id mapping. The key request service executes /sbin/request-key which performs the requested operation.

Reproduction of the failure can be performed by executing

```
keyctl request2 user debug:foo "expired" @s
```

Expected Behavior

If the upcall succeeds /sbin/request-key will have been launched and key named "foo" will be visible within the /proc/keys output.

```
grep foo /proc/keys
```

Actual Behavior

The /sbin/request-key process is not executed and "keyctl request2" fails with request_key: No such file or directory.

The underlying problem is that "/sbin/request-key" cannot be found.

```
# keyctl request2 user debug:foo "expired" @s
request_key: No such file or directory
```

The underlying problem appears to be that /sbin/request-key and its configuration /etc/request-key.conf are present in the WSL2 container's root filesystem and not the filesystem of the underlying host.

```
$ ls -l /sbin/request-key
-rwxr-xr-x 1 root root 26952 Dec 18 2022 /sbin/request-key
```

Without a functioning key request service, keyrings, nfs, cifs, afs, id mapping, and other services that rely upon the key request service cannot properly function.

I'm not sure if the fix is for WSL2 to install keyutils as part of the host root filesystem or for the Linux kernel to be patched to execute /sbin/request-key from the container's root filesystem.

Diagnostic Logs

Diagnostic logs should not be required to reproduce this issue. Prior bug reports such as https://github.com/microsoft/WSL/issues/9540 are the same as this report but were closed due to inactivity.

github-actions[bot] commented 6 months ago

Logs are required for review from WSL team

If this is a feature request, please reply with '/feature'. If this is a question, reply with '/question'. Otherwise please attach logs by following the instructions below, your issue will not be reviewed unless they are added. These logs will help us understand what is going on in your machine.

How to collect WSL logs

Download and execute [collect-wsl-logs.ps1](https://github.com/Microsoft/WSL/blob/master/diagnostics/collect-wsl-logs.ps1) in an **administrative powershell prompt**:

```
Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/WSL/master/diagnostics/collect-wsl-logs.ps1" -OutFile collect-wsl-logs.ps1
Set-ExecutionPolicy Bypass -Scope Process -Force
.\collect-wsl-logs.ps1
```

The script will output the path of the log file once done.

Once completed please upload the output files to this GitHub issue.

[Click here for more info on logging](https://github.com/microsoft/WSL/blob/master/CONTRIBUTING.md#8-collect-wsl-logs-recommended-method)

If you choose to email these logs instead of attaching to the bug, please send them to wsl-gh-logs@microsoft.com with the number of the GitHub issue in the subject, and in the message a link to your comment in the GitHub issue and reply with '/emailed-logs'.

View similar issues

Please view the issues below to see if they solve your problem, and if the issue describes your problem please consider closing this one and thumbs upping the other issue to help us prioritize it!

Closed similar issues:

Note: You can give me feedback by thumbs upping or thumbs downing this comment.

jaltman commented 6 months ago

/feature

github-actions[bot] commented 6 months ago

Diagnostic information

```
Found '/feature', adding tag 'feature'
```

jaltman commented 6 months ago

After examining the contents of the wsl.exe --system base image I think keyutils should be installed in the base image.

jaltman commented 6 months ago

I've submitted a matching feature request to AzureLinux (formerly known as CBL-Mariner). https://github.com/microsoft/azurelinux/issues/8810
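
One way to check the two conditions the report describes, as an added example that is not part of the issue thread or the WSL project: whether a given root filesystem contains an executable /sbin/request-key with a readable /etc/request-key.conf, and which rule in that file would handle the `debug:foo` / `expired` request from the repro step. The function names, the scratch directories standing in for the distro and system roots, and the sample rules are constructed for illustration; shell glob matching is assumed as an approximation of the `*` wildcard in request-key.conf.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical.
# Can the filesystem rooted at $1 service a request-key upcall?
check_upcall_root() {
    root=${1%/}
    if [ ! -e "$root/sbin/request-key" ]; then
        echo "missing-helper"        # the "No such file or directory" case
    elif [ ! -x "$root/sbin/request-key" ]; then
        echo "helper-not-executable"
    elif [ ! -r "$root/etc/request-key.conf" ]; then
        echo "missing-config"
    else
        echo "ok"
    fi
}

# Glob-match value $1 against rule field $2 (approximates the '*' wildcard).
match_field() { case $1 in $2) return 0 ;; *) return 1 ;; esac; }

# Print PROGRAM and arguments of the first rule in file $1 matching
# OP=$2 TYPE=$3 DESCRIPTION=$4 CALLOUT-INFO=$5; return 1 if none matches.
find_rule() {
    while read -r r_op r_type r_desc r_info r_prog; do
        case $r_op in ''|'#'*) continue ;; esac
        match_field "$2" "$r_op" && match_field "$3" "$r_type" &&
            match_field "$4" "$r_desc" && match_field "$5" "$r_info" || continue
        printf '%s\n' "$r_prog"
        return 0
    done < "$1"
    return 1
}

# Constructed sample: a distro root with helper and config, a bare system root.
make_sample() {
    mkdir -p "$1/distro/sbin" "$1/distro/etc" "$1/system"
    : > "$1/distro/sbin/request-key" && chmod 755 "$1/distro/sbin/request-key"
    cat > "$1/distro/etc/request-key.conf" <<'EOF'
# OP   TYPE  DESCRIPTION  CALLOUT-INFO  PROGRAM ARG1 ARG2 ...
create user  debug:*      expired       /bin/keyctl reject %k 30 %c %S
create user  debug:*      *             /bin/keyctl negate %k 30 %S
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "distro root: $(check_upcall_root "$tmp/distro")"
echo "system root: $(check_upcall_root "$tmp/system")"
echo "rule: $(find_rule "$tmp/distro/etc/request-key.conf" create user debug:foo expired)"
rm -rf "$tmp"
```

Running `check_upcall_root /` inside the distro and again inside the `wsl.exe --system` image compares the two roots discussed in the report.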