core: change KeyringMode= to "shared" by default for non-service units in the system manager (#8172)
Before this change all unit types would default to "private" in the system service manager and "inherit" to in the user service manager. With this change this is slightly altered: non-service units of the system service manager are now run with KeyringMode=shared. This appears to be the more appropriate choice as isolation is not as desirable for mount tools, which regularly consume key material. After all mounts are a shared resource themselves as they appear system-wide hence it makes a lot of sense to share their key material too. Fixes: #8159
This commit is contained in:
Lennart Poettering
Zbigniew Jędrzejewski-Szmek
parent
6f58ff2325
commit
00f5ad93b5
|
|
@ -631,8 +631,8 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
||||||
processes. In this modes multiple units running processes under the same user ID may share key material. Unless
|
processes. In this modes multiple units running processes under the same user ID may share key material. Unless
|
||||||
<option>inherit</option> is selected the unique invocation ID for the unit (see below) is added as a protected
|
<option>inherit</option> is selected the unique invocation ID for the unit (see below) is added as a protected
|
||||||
key by the name <literal>invocation_id</literal> to the newly created session keyring. Defaults to
|
key by the name <literal>invocation_id</literal> to the newly created session keyring. Defaults to
|
||||||
<option>private</option> for the system service manager and to <option>inherit</option> for the user service
|
<option>private</option> for services of the system service manager and to <option>inherit</option> for
|
||||||
manager.</para></listitem>
|
non-service units and for services of the user service manager.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
|
|
||||||
|
|
@ -120,6 +120,9 @@ static void service_init(Unit *u) {
|
||||||
s->guess_main_pid = true;
|
s->guess_main_pid = true;
|
||||||
|
|
||||||
s->control_command_id = _SERVICE_EXEC_COMMAND_INVALID;
|
s->control_command_id = _SERVICE_EXEC_COMMAND_INVALID;
|
||||||
|
|
||||||
|
s->exec_context.keyring_mode = MANAGER_IS_SYSTEM(u->manager) ?
|
||||||
|
EXEC_KEYRING_PRIVATE : EXEC_KEYRING_INHERIT;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void service_unwatch_control_pid(Service *s) {
|
static void service_unwatch_control_pid(Service *s) {
|
||||||
|
|
|
||||||
|
|
@ -186,7 +186,7 @@ static void unit_init(Unit *u) {
|
||||||
exec_context_init(ec);
|
exec_context_init(ec);
|
||||||
|
|
||||||
ec->keyring_mode = MANAGER_IS_SYSTEM(u->manager) ?
|
ec->keyring_mode = MANAGER_IS_SYSTEM(u->manager) ?
|
||||||
EXEC_KEYRING_PRIVATE : EXEC_KEYRING_INHERIT;
|
EXEC_KEYRING_SHARED : EXEC_KEYRING_INHERIT;
|
||||||
}
|
}
|
||||||
|
|
||||||
kc = unit_get_kill_context(u);
|
kc = unit_get_kill_context(u);
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue