projects / platform / upstream / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e6a7ec4) | patch
nspawn: set up a new session keyring for the container process
authorLennart Poettering <lennart@poettering.net>
Thu, 21 Sep 2017 12:02:31 +0000 (14:02 +0200)
committerLennart Poettering <lennart@poettering.net>
Fri, 22 Sep 2017 13:28:04 +0000 (15:28 +0200)
commit8e5430c4bd9d39a5e405794f9c883f48de5205d9
tree4ef6ed49ef5ed3e9603538e3cfe7e633307fc77btree | snapshot
parente6a7ec4b8e33f38f578e12af9ae9ca7ddde80aaccommit | diff
nspawn: set up a new session keyring for the container process

keyring material should not leak into the container. So far we relied on
seccomp to deny access to the keyring, but given that we now made the
seccomp configurable, and access to keyctl() and friends may optionally
be permitted to containers now let's make sure we disconnect the callers
keyring from the keyring of PID 1 in the container.
src/nspawn/nspawn.c diff | blob | history
Domain: System / System Framework;