core: link user keyring to session keyring (#6275)

Commit 74dd6b515f (core: run each system service with a fresh session keyring) broke adding keys to user keyring. Added keys could not be accessed with error message: keyctl_read_alloc: Permission denied So link the user keyring to our session keyring.
2017-07-04 09:38:31 +02:00 · 2017-07-04 09:38:31 +02:00 · 437a85112e
parent 2240fc54e9
commit 437a85112e
2 changed files with 12 additions and 0 deletions
--- a/src/basic/missing.h
+++ b/src/basic/missing.h
@ -1093,6 +1093,10 @@ typedef int32_t key_serial_t;
 #define KEYCTL_DESCRIBE 6
 #endif

+#ifndef KEYCTL_LINK
+#define KEYCTL_LINK 8
+#endif
+
 #ifndef KEYCTL_READ
 #define KEYCTL_READ 11
 #endif
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -2099,6 +2099,14 @@ static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid)
                return 0;
        }

+        /* Having our own session keyring is nice, but results in keys added
+         * to the user keyring being inaccessible with permission denied.
+         * So link the user keyring to our session keyring. */
+        if (keyctl(KEYCTL_LINK,
+                   KEY_SPEC_USER_KEYRING,
+                   keyring,  0, 0) < 0)
+                return log_debug_errno(errno, "Failed to link user keyring to session keyring.");
+
        /* Populate they keyring with the invocation ID by default. */
        if (!sd_id128_is_null(u->invocation_id)) {
                key_serial_t key;