core: link user keyring to session keyring (#6275)

author Christian Hesse <mail@eworm.de>

Tue, 4 Jul 2017 07:38:31 +0000 (09:38 +0200)

committer Lennart Poettering <lennart@poettering.net>

Tue, 4 Jul 2017 07:38:31 +0000 (09:38 +0200)
author Christian Hesse <mail@eworm.de>
Tue, 4 Jul 2017 07:38:31 +0000 (09:38 +0200)
committer Lennart Poettering <lennart@poettering.net>
Tue, 4 Jul 2017 07:38:31 +0000 (09:38 +0200)
diff --git a/src/basic/missing.h b/src/basic/missing.h

index 7c323c6..a563187 100644 (file)
--- a/src/basic/missing.h
+++ b/src/basic/missing.h
@@ -1093,6 +1093,10 @@ typedef int32_t key_serial_t;
  #define KEYCTL_DESCRIBE 6
  #endif
  
+#ifndef KEYCTL_LINK
+#define KEYCTL_LINK 8
+#endif
+
  #ifndef KEYCTL_READ
  #define KEYCTL_READ 11
  #endif
diff --git a/src/core/execute.c b/src/core/execute.c

index d72e5bf..643a209 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2099,6 +2099,14 @@ static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid)
                  return 0;
          }
  
+        /* Having our own session keyring is nice, but results in keys added
+         * to the user keyring being inaccessible with permission denied.
+         * So link the user keyring to our session keyring. */
+        if (keyctl(KEYCTL_LINK,
+                   KEY_SPEC_USER_KEYRING,
+                   keyring,  0, 0) < 0)
+                return log_debug_errno(errno, "Failed to link user keyring to session keyring.");
+
          /* Populate they keyring with the invocation ID by default. */
          if (!sd_id128_is_null(u->invocation_id)) {
                  key_serial_t key;
author	Christian Hesse <mail@eworm.de>
	Tue, 4 Jul 2017 07:38:31 +0000 (09:38 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Tue, 4 Jul 2017 07:38:31 +0000 (09:38 +0200)
src/basic/missing.h		patch \| blob \| history
src/core/execute.c		patch \| blob \| history