From 0a352294ffeca35798503af7f65e9dd2a0473357 Mon Sep 17 00:00:00 2001
From: Kailun Qin
Date: Tue, 3 Aug 2021 12:02:04 -0400
Subject: [PATCH 1/2] specs-go/config: add keyring support

Currently, with `runc` we have a special cmdline flag `--no-new-keyring` for `runc run` that enables/disables the creation of a new kernel keyring. The main reason we have the option is that older kernels had issues with allocating a lot of keyrings (so in order to run containers on old kernels you need to disable the creation of a new keyring). This patch adds keyring support into part of the OCI spec which allows managers to drive this behavior in a runtime-agnostic way and helps make swapping in other runtimes easier.
Fixes https://github.com/opencontainers/runtime-spec/issues/754
Fixes https://github.com/opencontainers/runtime-spec/issues/950
Signed-off-by: Kailun Qin
---
 specs-go/config.go | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/specs-go/config.go b/specs-go/config.go
index 6a7a91e55..c2ed2f086 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -182,6 +182,8 @@ type Linux struct {
 IntelRdt *LinuxIntelRdt `json:"intelRdt,omitempty"`
 // Personality contains configuration for the Linux personality syscall
 Personality *LinuxPersonality `json:"personality,omitempty"`
+ // Keyrings specifies the kernel keyrings that are created and/or joined by the container.
+ Keyrings *LinuxKeyrings `json:"keyrings,omitempty"`
 }
 
 // LinuxNamespace is the configuration for a Linux namespace
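Review bot: The comment on the new `Keyrings` field does not say what a nil value means, and for this field the absent case is the security-relevant one: the commit message says runc today creates a fresh session keyring unless `--no-new-keyring` is passed, whereas the config-linux.md text in the second patch says an unspecified `session` makes the container inherit the calling process's session keyring, which — subject to key permissions — would make keys the host-side caller has anchored there reachable from container processes. I would pin the absent case on the field itself, e.g. `// Keyrings specifies the kernel keyrings that are created and/or joined by the container. When nil, the runtime applies its default keyring behaviour; a nil value is not a request to share the caller's keyrings.`, and reconcile the markdown with that so the isolating default is kept. The `Linux` struct has further fields outside this hunk.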
@@ -431,6 +433,38 @@ type LinuxPersonality struct {
 Flags []LinuxPersonalityFlag `json:"flags,omitempty"`
 }
 
+// LinuxKeyrings specifies the list of keyrings used to anchor keys on behalf of a process.
+// https://man7.org/linux/man-pages/man7/keyrings.7.html
+type LinuxKeyrings struct {
+ // Session is the session shared process keyring.
+ // It is inherited and shared by all child processes.
+ Session LinuxSessionKeyring `json:"session,omitempty"`
+ // Process is the per-process shared keyring.
+ // It is shared by all threads in a process.
+ Process LinuxProcessKeyring `json:"process,omitempty"`
+ // Session is the per-thread keyring.
+ // It is specific to a particular thread.
+ Thread LinuxThreadKeyring `json:"thread,omitempty"`
+}
+
+// LinuxSessionKeyring defines the session shared process keyring.
+type LinuxSessionKeyring struct {
+ // Name is the name of the session-specific keyring.
+ Name string `json:"name,omitempty"`
+}
+
+// LinuxProcessKeyring defines the per-process shared keyring.
+type LinuxProcessKeyring struct {
+ // Name is the name of the process-specific keyring.
+ Name string `json:"name,omitempty"`
+}
+
+// LinuxThreadKeyring defines the per-thread keyring.
+type LinuxThreadKeyring struct {
+ // Name is the name of the thread-specific keyring.
+ Name string `json:"name,omitempty"`
+}
+
 // Solaris contains platform-specific configuration for Solaris application containers.
 type Solaris struct {
 // SMF FMRI which should go "online" before we start the container process.

From fa2890234880a3f28376c630ebd59f01517053cc Mon Sep 17 00:00:00 2001
From: Kailun Qin
Date: Tue, 3 Aug 2021 12:38:55 -0400
Subject: [PATCH 2/2] Update keyring support docs

Signed-off-by: Kailun Qin
---
 config-linux.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/config-linux.md b/config-linux.md
index 37ea951f7..9160c932a 100644
--- a/config-linux.md
+++ b/config-linux.md
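Review bot: `omitempty` has no effect on a non-pointer struct field in encoding/json, so `Session`, `Process` and `Thread` are always marshalled as `{}` and a round-tripped config can no longer tell "session not specified" from "session specified with an empty name" — the very distinction the accompanying config-linux.md text bases its semantics on. Declaring them as pointers, consistent with `Keyrings *LinuxKeyrings`, `IntelRdt *LinuxIntelRdt` and `Personality *LinuxPersonality` in this file, fixes that: `Session *LinuxSessionKeyring`, `Process *LinuxProcessKeyring`, `Thread *LinuxThreadKeyring` (tags unchanged). The doc comment on `Thread` reads `// Session is the per-thread keyring.` and should start with `Thread`. Two semantic gaps also deserve a sentence in the `LinuxKeyrings` comment: as far as keyrings(7) describes it, `KEYCTL_JOIN_SESSION_KEYRING` joins an existing session keyring of the given name when the caller may search it and only otherwise creates one, so two containers handed the same `session.name` can end up sharing keys, which a spec reader should be told explicitly. Process and thread keyrings are described there as created on demand by the kernel rather than joined by name, so it is unclear what a runtime is expected to do with `Process.Name` and `Thread.Name`; if they have no kernel-level meaning they are better dropped or documented as reserved.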
@@ -826,6 +826,21 @@ subset of the available options.
 * **`flags`** *(array of strings, OPTIONAL)* - the additional flags to apply.
 Currently no flag values are supported.
 
+## Keyrings
+
+**`keyrings`** (object, OPTIONAL) sets the kernel keyrings that are created and/or joined by the
+container. For more information, see the [keyrings][keyrings.7] man page.
+
+* **`session`** *(object, OPTIONAL)* - the session shared process keyring.
+ The session-specific keyring is inherited and shared by all child processes. If `session` is
+ not specified, no new session keyring will be created/and or joined by the container. This
+ will cause the container to inherit the calling processes session key.
+
+* **`process`** *(object, OPTIONAL)* - the per-process shared keyring.
+ The process-specific keyring is shared by all threads in a process.
+
+* **`thread`** *(object, OPTIONAL)* - the per-thread keyring.
+ The thread-specific keyring is kept to a particular thread.
 
 [cgroup-v1]: https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
 [cgroup-v1-blkio]: https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt
@@ -849,6 +864,7 @@ subset of the available options.
 [tmpfs]: https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt
 [full.4]: http://man7.org/linux/man-pages/man4/full.4.html
+[keyrings.7]: https://man7.org/linux/man-pages/man7/keyrings.7.html
 [mknod.1]: http://man7.org/linux/man-pages/man1/mknod.1.html
 [mknod.2]: http://man7.org/linux/man-pages/man2/mknod.2.html
 [namespaces.7_2]: http://man7.org/linux/man-pages/man7/namespaces.7.html