mirror of https://github.com/systemd/systemd.git synced 2025-03-19 22:50:17 +03:00

sd-id128: gracefully handle systems where kernel keyring access is blocked

In various scenarios we invoke containers with access to the kernel
keyring blocked. Let's make sure we can handle this properly: when the
invocation ID is stored in the kernel keyring and we try to read it
and get EPERM we should handle it gracefully, like EOPNOTSUPP.

(cherry picked from commit f2e38b01e052ebd50eaf98763bd9709e880c0a75)
Lennart Poettering 2025-03-02 07:51:05 +01:00 committed by Luca Boccassi
parent 59f2d9b2cc
commit a2abc3b8ec

@ -214,8 +214,10 @@ static int get_invocation_from_keyring(sd_id128_t *ret) {
key = request_key("user", "invocation_id", NULL, 0);
if (key == -1) {
/* Keyring support not available? No invocation key stored? */
if (IN_SET(errno, ENOSYS, ENOKEY))
/* Keyring support not available? Keyring access locked down? No invocation key stored? */
if (ERRNO_IS_NOT_SUPPORTED(errno) ||
ERRNO_IS_PRIVILEGE(errno) ||
errno == ENOKEY)
return -ENXIO;
return -errno;
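
Review bot: the widened condition `if (ERRNO_IS_NOT_SUPPORTED(errno) || ERRNO_IS_PRIVILEGE(errno) || errno == ENOKEY)` maps all three causes named in the new comment (no keyring support, access locked down, no key stored) to the same `-ENXIO`, so the original errno is lost and a caller cannot tell a policy denial from a key that was never set. A privilege error from request_key() may come from an intended sandbox restriction or from an unintended one, so consider a debug-level log of errno before `return -ENXIO;` to keep the fallback graceful while leaving the denial diagnosable. The commit message names only EPERM and EOPNOTSUPP while the code tests macro classes; listing the intended errno values in the comment would make the accepted set explicit for future readers.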