summaryrefslogtreecommitdiff
path: root/src/basic
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-12-02 01:54:41 +0100
committerLennart Poettering <lennart@poettering.net>2016-12-13 20:59:10 +0100
commit74dd6b515fa968c5710b396a7664cac335e25ca8 (patch)
tree4aa9a78c228ce5e2833e2b3ed0bbee931895f653 /src/basic
parent9ef4e1e5a2d0a9cc50406f1cae05f3918d6f0c2a (diff)
core: run each system service with a fresh session keyring
This patch ensures that each system service gets its own session kernel keyring automatically, and implicitly. Without this a keyring is allocated for it on-demand, but is then linked with the user's kernel keyring, which is OK behaviour for logged in users, but not so much for system services. With this change each service gets a session keyring that is specific to the service and ceases to exist when the service is shut down. The session keyring is not linked up with the user keyring and keys hence only search within the session boundaries by default. (This is useful in a later commit to store per-service material in the keyring, for example the invocation ID) (With input from David Howells)
Diffstat (limited to 'src/basic')
-rw-r--r--src/basic/exit-status.c3
-rw-r--r--src/basic/exit-status.h1
-rw-r--r--src/basic/missing.h50
3 files changed, 54 insertions, 0 deletions
diff --git a/src/basic/exit-status.c b/src/basic/exit-status.c
index 59557f8afe..1e23c32c3f 100644
--- a/src/basic/exit-status.c
+++ b/src/basic/exit-status.c
@@ -148,6 +148,9 @@ const char* exit_status_to_string(int status, ExitStatusLevel level) {
case EXIT_SMACK_PROCESS_LABEL:
return "SMACK_PROCESS_LABEL";
+
+ case EXIT_KEYRING:
+ return "KEYRING";
}
}
diff --git a/src/basic/exit-status.h b/src/basic/exit-status.h
index 0cfdfd7891..d22b2c00e4 100644
--- a/src/basic/exit-status.h
+++ b/src/basic/exit-status.h
@@ -82,6 +82,7 @@ enum {
EXIT_MAKE_STARTER,
EXIT_CHOWN,
EXIT_SMACK_PROCESS_LABEL,
+ EXIT_KEYRING,
};
typedef enum ExitStatusLevel {
diff --git a/src/basic/missing.h b/src/basic/missing.h
index 1502b3f4f4..dd4425697f 100644
--- a/src/basic/missing.h
+++ b/src/basic/missing.h
@@ -1026,6 +1026,22 @@ struct btrfs_ioctl_quota_ctl_args {
typedef int32_t key_serial_t;
#endif
+#ifndef KEYCTL_JOIN_SESSION_KEYRING
+#define KEYCTL_JOIN_SESSION_KEYRING 1
+#endif
+
+#ifndef KEYCTL_CHOWN
+#define KEYCTL_CHOWN 4
+#endif
+
+#ifndef KEYCTL_SETPERM
+#define KEYCTL_SETPERM 5
+#endif
+
+#ifndef KEYCTL_DESCRIBE
+#define KEYCTL_DESCRIBE 6
+#endif
+
#ifndef KEYCTL_READ
#define KEYCTL_READ 11
#endif
@@ -1034,10 +1050,44 @@ typedef int32_t key_serial_t;
#define KEYCTL_SET_TIMEOUT 15
#endif
+#ifndef KEY_POS_VIEW
+#define KEY_POS_VIEW 0x01000000
+#define KEY_POS_READ 0x02000000
+#define KEY_POS_WRITE 0x04000000
+#define KEY_POS_SEARCH 0x08000000
+#define KEY_POS_LINK 0x10000000
+#define KEY_POS_SETATTR 0x20000000
+
+#define KEY_USR_VIEW 0x00010000
+#define KEY_USR_READ 0x00020000
+#define KEY_USR_WRITE 0x00040000
+#define KEY_USR_SEARCH 0x00080000
+#define KEY_USR_LINK 0x00100000
+#define KEY_USR_SETATTR 0x00200000
+
+#define KEY_GRP_VIEW 0x00000100
+#define KEY_GRP_READ 0x00000200
+#define KEY_GRP_WRITE 0x00000400
+#define KEY_GRP_SEARCH 0x00000800
+#define KEY_GRP_LINK 0x00001000
+#define KEY_GRP_SETATTR 0x00002000
+
+#define KEY_OTH_VIEW 0x00000001
+#define KEY_OTH_READ 0x00000002
+#define KEY_OTH_WRITE 0x00000004
+#define KEY_OTH_SEARCH 0x00000008
+#define KEY_OTH_LINK 0x00000010
+#define KEY_OTH_SETATTR 0x00000020
+#endif
+
#ifndef KEY_SPEC_USER_KEYRING
#define KEY_SPEC_USER_KEYRING -4
#endif
+#ifndef KEY_SPEC_SESSION_KEYRING
+#define KEY_SPEC_SESSION_KEYRING -3
+#endif
+
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47
#endif