kernel: add CONFIG_KEYS=y to enable kernel keyring

KinD checks for the presence of this (and other) kernel configuration
via scripts like
https://blog.hypriot.com/post/verify-kernel-container-compatibility/ or
attempts to directly use /proc/sys/kernel/keys/ without checking to see
if it exists, causing an exit when it does not see it.

Docker/its consumers apparently expect to be able to use the kernel
keyring and its associated syscalls from/for containers.

There aren't any known downsides to enabling this except that it would
by definition enable additional syscalls defined in
https://man7.org/linux/man-pages/man7/keyrings.7.html which are
reachable from userspace. This minimally increases the attack surface of
the Kata Kernel, but this attack surface is minimal (especially since
the kernel is most likely being executed by some kind of hypervisor) and
highly restricted compared to the utility of enabling this feature to
get further containerization compatibility.

Signed-off-by: Crypt0s <BryanHalf@gmail.com>
This commit is contained in:
Crypt0s 2024-11-14 13:38:23 -05:00 committed by Fabiano Fidêncio
parent 6a9266124b
commit 563a6887e2
2 changed files with 3 additions and 1 deletions
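The commit message describes consumers such as KinD either checking the kernel configuration for options like CONFIG_KEYS or using /proc/sys/kernel/keys without first checking that it exists. The script below is an added example (not part of this commit or the Kata Containers project) of doing that check explicitly: it reads a config file or fragment (plain or gzipped, as /proc/config.gz is), reports whether an option is `y`, `m`, explicitly not set, or absent, and only then confirms that the keyring sysctl directory is present. The function names, the sample fragments, and the stand-in directory for /proc/sys/kernel/keys are all constructed for this example.

```shell
#!/bin/sh
# Added example: verify kernel keyring support before a container runtime
# relies on it, instead of touching /proc/sys/kernel/keys blindly.

# kernel_config_value CONFIG_FILE OPTION
# Prints one of: y, m, n ("# OPTION is not set"), absent, unreadable.
# Always returns 0 so it is safe to use inside $(...) under `set -e`.
kernel_config_value() {
    config_file="$1"
    option="$2"
    case "$config_file" in
        *.gz) reader=zcat ;;   # /proc/config.gz style
        *)    reader=cat ;;
    esac
    if [ ! -r "$config_file" ]; then
        echo unreadable
        return 0
    fi
    if $reader "$config_file" | grep -q "^${option}=y\$"; then
        echo y
    elif $reader "$config_file" | grep -q "^${option}=m\$"; then
        echo m
    elif $reader "$config_file" | grep -q "^# ${option} is not set\$"; then
        echo n
    else
        echo absent
    fi
}

# keyring_supported CONFIG_FILE KEYS_SYSCTL_DIR
# Returns 0 only if CONFIG_KEYS=y in the config AND the sysctl directory
# (normally /proc/sys/kernel/keys) exists on the running kernel.
keyring_supported() {
    value=$(kernel_config_value "$1" CONFIG_KEYS)
    if [ "$value" != "y" ]; then
        echo "CONFIG_KEYS is '$value' in $1: kernel keyring unavailable" >&2
        return 1
    fi
    if [ ! -d "$2" ]; then
        echo "$2 missing: running kernel does not expose keyring sysctls" >&2
        return 1
    fi
    return 0
}

# Demo on constructed fragments (hypothetical, not the Kata config files).
demo_dir=$(mktemp -d)
printf 'CONFIG_RELOCATABLE=y\nCONFIG_KEYS=y\nCONFIG_PERF_EVENTS=y\n' > "$demo_dir/with-keys"
printf 'CONFIG_RELOCATABLE=y\n# CONFIG_KEYS is not set\n' > "$demo_dir/without-keys"
mkdir "$demo_dir/keys"   # stands in for /proc/sys/kernel/keys
for f in with-keys without-keys; do
    if keyring_supported "$demo_dir/$f" "$demo_dir/keys"; then
        echo "$f: kernel keyring usable"
    else
        echo "$f: kernel keyring NOT usable"
    fi
done
rm -rf "$demo_dir"

# Optional check of the running kernel, when it exposes its config.
if [ -r /proc/config.gz ]; then
    if keyring_supported /proc/config.gz /proc/sys/kernel/keys; then
        echo "running kernel: keyring usable"
    else
        echo "running kernel: keyring NOT usable"
    fi
fi
```

Checking the directory as well as the config matters because the fragment only proves what was requested at build time, while the presence of /proc/sys/kernel/keys proves what the kernel actually booted with.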


@ -41,6 +41,8 @@ CONFIG_RELOCATABLE=y
# https://github.com/kata-containers/tests/issues/1543
# RANDOM_TRUST_CPU=y
CONFIG_KEYS=y
# CONFIG_CGROUP_PERF needs
CONFIG_HAVE_PERF_EVENTS=y
CONFIG_PERF_EVENTS=y
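Review bot: the added `CONFIG_KEYS=y` is the only entry in this region without an explanatory comment, while the neighbouring options carry one (`# https://github.com/kata-containers/tests/issues/1543`, `# CONFIG_CGROUP_PERF needs`); add a comment above it naming the consumer that requires it (KinD and other Docker consumers expecting /proc/sys/kernel/keys, as the commit message explains) and noting that it exposes the keyrings(7) syscalls, so that a future fragment cleanup does not drop it without knowing what breaks.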


@ -1 +1 @@
139
140
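Review bot: the bump from 139 to 140 is the expected companion of a change to the config fragment, but the commit message does not mention it; add a sentence stating that the kernel config version is bumped so readers know the guest kernel must be rebuilt for the new option to take effect.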