core: link user keyring to session keyring (#6275)

eworm-de · poettering · commit 437a85112e02 · 2017-07-04T09:38:31.000+02:00
Commit 74dd6b5 (core: run each system service with a fresh session keyring) broke adding keys to user keyring. Added keys could not be accessed with error message: keyctl_read_alloc: Permission denied So link the user keyring to our session keyring.
diff --git a/src/basic/missing.h b/src/basic/missing.h
@@ -1093,6 +1093,10 @@ typedef int32_t key_serial_t;
 #define KEYCTL_DESCRIBE 6
 #endif
 
+#ifndef KEYCTL_LINK
+#define KEYCTL_LINK 8
+#endif
+
 #ifndef KEYCTL_READ
 #define KEYCTL_READ 11
 #endif
diff --git a/src/core/execute.c b/src/core/execute.c
@@ -2099,6 +2099,14 @@ static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid)
                 return 0;
         }
 
+        /* Having our own session keyring is nice, but results in keys added
+         * to the user keyring being inaccessible with permission denied.
+         * So link the user keyring to our session keyring. */
+        if (keyctl(KEYCTL_LINK,
+                   KEY_SPEC_USER_KEYRING,
+                   keyring,  0, 0) < 0)
+                return log_debug_errno(errno, "Failed to link user keyring to session keyring.");
+
         /* Populate they keyring with the invocation ID by default. */
         if (!sd_id128_is_null(u->invocation_id)) {
                 key_serial_t key;
