Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gnome3.gnome-keyring: CAP_IPC_LOCK gnome-keyring-daemon #59630

Merged
merged 1 commit into from Apr 30, 2019
Merged

gnome3.gnome-keyring: CAP_IPC_LOCK gnome-keyring-daemon #59630

merged 1 commit into from Apr 30, 2019

Conversation

worldofpeace
Copy link
Contributor

@worldofpeace worldofpeace commented Apr 15, 2019
edited

From gkd-capability.c:

This program needs the CAP_IPC_LOCK posix capability.
We want to allow either setuid root or file system based capabilies
to work. If file system based capabilities, this is a no-op unless
the root user is running the program. In that case we just drop
capabilities down to IPC_LOCK. If we are setuid root, then change to the
invoking user retaining just the IPC_LOCK capability. The application
is aborted if for any reason we are unable to drop privileges.

Motivation for this change

Seen the warning

insufficient process capabilities, insecure memory might get used

for the last time when debugging 😄

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@worldofpeace
gnome3.gnome-keyring: CAP_IPC_LOCK gnome-keyring-daemon
2d6247a 
From gkd-capability.c:

This program needs the CAP_IPC_LOCK posix capability.
We want to allow either setuid root or file system based capabilies
to work. If file system based capabilities, this is a no-op unless
the root user is running the program. In that case we just drop
capabilities down to IPC_LOCK. If we are setuid root, then change to the
invoking user retaining just the IPC_LOCK capability. The application
is aborted if for any reason we are unable to drop privileges.
@GrahamcOfBorg GrahamcOfBorg added 6.topic: GNOME GNOME desktop environment and its underlying platform 6.topic: nixos 8.has: module (update) labels Apr 15, 2019
rycee
rycee reviewed Apr 15, 2019
View reviewed changes
pkgs/desktops/gnome-3/core/gnome-keyring/default.nix

for file in ''${files[*]}; do
substituteInPlace $file \
--replace "$out/bin/gnome-keyring-daemon" "/run/wrappers/bin/gnome-keyring-daemon"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Won't this cause issues when gnome-keyring is installed when the system has

services.gnome3.gnome-keyring.enable = false;

?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or the system is not NixOS…

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a daemon, any usage other than through NixOS module is not supported.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, something similar is even done for the dbus-daemon apparently:

nixpkgs/pkgs/development/libraries/dbus/default.nix

Line 33 in 73debdc

--replace 'DBUS_DAEMONDIR"/dbus-daemon"' '"/run/current-system/sw/bin/dbus-daemon"'

@worldofpeace
Copy link
Contributor Author

I've tested this and I no longer see the aforementioned warnings at runtime.

@worldofpeace worldofpeace merged commit 7df410c into NixOS:master Apr 30, 2019
@worldofpeace worldofpeace deleted the setcap-gnome-keyring branch April 30, 2019 17:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rycee rycee rycee left review comments

@infinisil infinisil Awaiting requested review from infinisil

@hedning hedning Awaiting requested review from hedning

@jtojnar jtojnar Awaiting requested review from jtojnar

Assignees
No one assigned
Labels
6.topic: GNOME GNOME desktop environment and its underlying platform 6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 1-10 10.rebuild-linux: 11-100 11.by: package-maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@worldofpeace @hedning @jtojnar @rycee @GrahamcOfBorg