diff options
author | Luke Shumaker <lukeshu@parabola.nu> | 2017-09-10 18:01:12 -0400 |
---|---|---|
committer | Luke Shumaker <lukeshu@parabola.nu> | 2017-09-10 18:02:57 -0400 |
commit | 0c1be275623c1cf7d4eb2b0b71aad540f39412fb (patch) | |
tree | d86685faa92b51ddba97567139078a783b9be2f8 | |
parent | e2ec33504eccf34df1931a595e189edc91c7bcc0 (diff) |
Revert "core: run each system service with a fresh session keyring"systemd/v234.11-6
This reverts commit 74dd6b515fa968c5710b396a7664cac335e25ca8.
-rw-r--r-- | src/basic/exit-status.c | 3 | ||||
-rw-r--r-- | src/basic/exit-status.h | 1 | ||||
-rw-r--r-- | src/basic/missing.h | 50 | ||||
-rw-r--r-- | src/core/execute.c | 44 | ||||
-rw-r--r-- | src/core/execute.h | 9 | ||||
-rw-r--r-- | src/core/service.c | 1 |
6 files changed, 4 insertions, 104 deletions
diff --git a/src/basic/exit-status.c b/src/basic/exit-status.c index 1e23c32c3f..59557f8afe 100644 --- a/src/basic/exit-status.c +++ b/src/basic/exit-status.c @@ -148,9 +148,6 @@ const char* exit_status_to_string(int status, ExitStatusLevel level) { case EXIT_SMACK_PROCESS_LABEL: return "SMACK_PROCESS_LABEL"; - - case EXIT_KEYRING: - return "KEYRING"; } } diff --git a/src/basic/exit-status.h b/src/basic/exit-status.h index d22b2c00e4..0cfdfd7891 100644 --- a/src/basic/exit-status.h +++ b/src/basic/exit-status.h @@ -82,7 +82,6 @@ enum { EXIT_MAKE_STARTER, EXIT_CHOWN, EXIT_SMACK_PROCESS_LABEL, - EXIT_KEYRING, }; typedef enum ExitStatusLevel { diff --git a/src/basic/missing.h b/src/basic/missing.h index 7830a4f415..f3846da8bd 100644 --- a/src/basic/missing.h +++ b/src/basic/missing.h @@ -1086,22 +1086,6 @@ struct input_mask { typedef int32_t key_serial_t; #endif -#ifndef KEYCTL_JOIN_SESSION_KEYRING -#define KEYCTL_JOIN_SESSION_KEYRING 1 -#endif - -#ifndef KEYCTL_CHOWN -#define KEYCTL_CHOWN 4 -#endif - -#ifndef KEYCTL_SETPERM -#define KEYCTL_SETPERM 5 -#endif - -#ifndef KEYCTL_DESCRIBE -#define KEYCTL_DESCRIBE 6 -#endif - #ifndef KEYCTL_READ #define KEYCTL_READ 11 #endif @@ -1110,44 +1094,10 @@ typedef int32_t key_serial_t; #define KEYCTL_SET_TIMEOUT 15 #endif -#ifndef KEY_POS_VIEW -#define KEY_POS_VIEW 0x01000000 -#define KEY_POS_READ 0x02000000 -#define KEY_POS_WRITE 0x04000000 -#define KEY_POS_SEARCH 0x08000000 -#define KEY_POS_LINK 0x10000000 -#define KEY_POS_SETATTR 0x20000000 - -#define KEY_USR_VIEW 0x00010000 -#define KEY_USR_READ 0x00020000 -#define KEY_USR_WRITE 0x00040000 -#define KEY_USR_SEARCH 0x00080000 -#define KEY_USR_LINK 0x00100000 -#define KEY_USR_SETATTR 0x00200000 - -#define KEY_GRP_VIEW 0x00000100 -#define KEY_GRP_READ 0x00000200 -#define KEY_GRP_WRITE 0x00000400 -#define KEY_GRP_SEARCH 0x00000800 -#define KEY_GRP_LINK 0x00001000 -#define KEY_GRP_SETATTR 0x00002000 - -#define KEY_OTH_VIEW 0x00000001 -#define KEY_OTH_READ 0x00000002 -#define KEY_OTH_WRITE 0x00000004 -#define KEY_OTH_SEARCH 0x00000008 -#define KEY_OTH_LINK 0x00000010 -#define KEY_OTH_SETATTR 0x00000020 -#endif - #ifndef KEY_SPEC_USER_KEYRING #define KEY_SPEC_USER_KEYRING -4 #endif -#ifndef KEY_SPEC_SESSION_KEYRING -#define KEY_SPEC_SESSION_KEYRING -3 -#endif - #ifndef PR_CAP_AMBIENT #define PR_CAP_AMBIENT 47 #endif diff --git a/src/core/execute.c b/src/core/execute.c index 8f22f4ee8e..f1b75c9f75 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -2069,44 +2069,6 @@ static int apply_working_directory( return 0; } -static int setup_keyring(Unit *u, const ExecParameters *p, uid_t uid, gid_t gid) { - key_serial_t keyring; - - assert(u); - assert(p); - - /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that - * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond - * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be - * automatically created on-demand and then linked to the per-UID keyring, by the kernel. The kernel's built-in - * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where - * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */ - - if (!(p->flags & EXEC_NEW_KEYRING)) - return 0; - - keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0); - if (keyring == -1) { - if (errno == ENOSYS) - log_debug_errno(errno, "Kernel keyring not supported, ignoring."); - else if (IN_SET(errno, EACCES, EPERM)) - log_debug_errno(errno, "Kernel keyring access prohibited, ignoring."); - else if (errno == EDQUOT) - log_debug_errno(errno, "Out of kernel keyrings to allocate, ignoring."); - else - return log_error_errno(errno, "Setting up kernel keyring failed: %m"); - - return 0; - } - - /* And now, make the keyring owned by the service's user */ - if (uid_is_valid(uid) || gid_is_valid(gid)) - if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0) - return log_error_errno(errno, "Failed to change ownership of session keyring: %m"); - - return 0; -} - static void append_socket_pair(int *array, unsigned *n, int pair[2]) { assert(array); assert(n); @@ -2582,12 +2544,6 @@ static int exec_child( (void) umask(context->umask); - r = setup_keyring(unit, params, uid, gid); - if (r < 0) { - *exit_status = EXIT_KEYRING; - return r; - } - if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) { if (context->pam_name && username) { r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds); diff --git a/src/core/execute.h b/src/core/execute.h index 9f07aa4aef..157495af35 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -231,13 +231,12 @@ typedef enum ExecFlags { EXEC_APPLY_PERMISSIONS = 1U << 0, EXEC_APPLY_CHROOT = 1U << 1, EXEC_APPLY_TTY_STDIN = 1U << 2, - EXEC_NEW_KEYRING = 1U << 3, /* The following are not used by execute.c, but by consumers internally */ - EXEC_PASS_FDS = 1U << 4, - EXEC_IS_CONTROL = 1U << 5, - EXEC_SETENV_RESULT = 1U << 6, - EXEC_SET_WATCHDOG = 1U << 7, + EXEC_PASS_FDS = 1U << 3, + EXEC_IS_CONTROL = 1U << 4, + EXEC_SETENV_RESULT = 1U << 5, + EXEC_SET_WATCHDOG = 1U << 6, } ExecFlags; struct ExecParameters { diff --git a/src/core/service.c b/src/core/service.c index 7dbe92260a..3a348c760d 100644 --- a/src/core/service.c +++ b/src/core/service.c @@ -1352,7 +1352,6 @@ static int service_spawn( } else path = UNIT(s)->cgroup_path; - exec_params.flags |= MANAGER_IS_SYSTEM(UNIT(s)->manager) ? EXEC_NEW_KEYRING : 0; exec_params.argv = c->argv; exec_params.environment = final_env; exec_params.fds = fds; |