shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-11 05:17:44 +03:00
Code

core: change KeyringMode= to "shared" by default for non-service units in the system manager (#8172)

Browse Source 
Before this change all unit types would default to "private" in the
system service manager and "inherit" to in the user service manager.

With this change this is slightly altered: non-service units of the
system service manager are now run with KeyringMode=shared. This appears
to be the more appropriate choice as isolation is not as desirable for
mount tools, which regularly consume key material. After all mounts are
a shared resource themselves as they appear system-wide hence it makes a
lot of sense to share their key material too.

Fixes: #8159
This commit is contained in:
Lennart Poettering 2018-02-20 08:53:34 +01:00 committed by Zbigniew Jędrzejewski-Szmek
parent 6f58ff2325
commit 00f5ad93b5
3 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
man/systemd.exec.xml
View File

@ -631,8 +631,8 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
processes. In this modes multiple units running processes under the same user ID may share key material. Unless
<option>inherit</option> is selected the unique invocation ID for the unit (see below) is added as a protected
key by the name <literal>invocation_id</literal> to the newly created session keyring. Defaults to
<option>private</option> for the system service manager and to <option>inherit</option> for the user service
manager.</para></listitem>
<option>private</option> for services of the system service manager and to <option>inherit</option> for
non-service units and for services of the user service manager.</para></listitem>
</varlistentry>
<varlistentry>

3
src/core/service.c
View File

@ -120,6 +120,9 @@ static void service_init(Unit *u) {
s->guess_main_pid = true;
s->control_command_id = _SERVICE_EXEC_COMMAND_INVALID;
s->exec_context.keyring_mode = MANAGER_IS_SYSTEM(u->manager) ?
EXEC_KEYRING_PRIVATE : EXEC_KEYRING_INHERIT;
}
static void service_unwatch_control_pid(Service *s) {

2
src/core/unit.c
View File

@ -186,7 +186,7 @@ static void unit_init(Unit *u) {
exec_context_init(ec);
ec->keyring_mode = MANAGER_IS_SYSTEM(u->manager) ?
EXEC_KEYRING_PRIVATE : EXEC_KEYRING_INHERIT;
EXEC_KEYRING_SHARED : EXEC_KEYRING_INHERIT;
}
kc = unit_get_kill_context(u);