gnome3.gnome-keyring: CAP_IPC_LOCK gnome-keyring-daemon
From gkd-capability.c: This program needs the CAP_IPC_LOCK posix capability. We want to allow either setuid root or file system based capabilities to work. If file system based capabilities, this is a no-op unless the root user is running the program. In that case we just drop capabilities down to IPC_LOCK. If we are setuid root, then change to the invoking user retaining just the IPC_LOCK capability. The application is aborted if for any reason we are unable to drop privileges.
parent
29884b2b39
commit
2d6247a414
@ -37,6 +37,11 @@ with lib;
|
||||
|
||||
security.pam.services.login.enableGnomeKeyring = true;
|
||||
|
||||
security.wrappers.gnome-keyring-daemon = {
|
||||
source = "${pkgs.gnome3.gnome-keyring}/bin/gnome-keyring-daemon";
|
||||
capabilities = "cap_ipc_lock=ep";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
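Review bot: The new `security.wrappers.gnome-keyring-daemon` entry carries no comment explaining why a capability wrapper is needed, so a later reader cannot tell whether `cap_ipc_lock=ep` is the minimum grant or an arbitrary one. I would put a comment above it such as `# gnome-keyring-daemon needs CAP_IPC_LOCK (see gkd-capability.c); grant only that capability rather than making the binary setuid root`. The comment should also say that the package's autostart and D-Bus service files are rewritten to start `/run/wrappers/bin/gnome-keyring-daemon`, so removing or renaming this wrapper breaks daemon start-up. The enclosing config block opens outside the hunk, so I cannot tell which option gates the wrapper; the condition deserves a check, because the wrapper is presumably runnable by every local user once installed.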
@ -46,6 +46,16 @@ stdenv.mkDerivation rec {
|
||||
make check
|
||||
'';
|
||||
|
||||
# Use wrapped gnome-keyring-daemon with cap_ipc_lock=ep
|
||||
postFixup = ''
|
||||
files=($out/etc/xdg/autostart/* $out/share/dbus-1/services/*)
|
||||
|
||||
for file in ''${files[*]}; do
|
||||
substituteInPlace $file \
|
||||
--replace "$out/bin/gnome-keyring-daemon" "/run/wrappers/bin/gnome-keyring-daemon"
|
||||
done
|
||||
'';
|
||||
|
||||
passthru = {
|
||||
updateScript = gnome3.updateScript {
|
||||
packageName = "gnome-keyring";
|
||||
|
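Review bot: The `postFixup` rewrite hard-codes `/run/wrappers/bin/gnome-keyring-daemon` into every autostart and D-Bus service file, a path that exists only where the matching `security.wrappers` entry is enabled. On any other system, including non-NixOS installs of this package, these files would point at a missing binary, and nothing in the hunk fails or warns at build time. The one-line comment above `postFixup` should at least state that dependency, e.g. `# The desktop and D-Bus service files rely on the NixOS security wrapper; without it the daemon cannot be launched from them`. The loop also expands `''${files[*]}` and `$file` unquoted, so an unmatched glob is passed on as a literal path; `for file in "''${files[@]}"; do` with `substituteInPlace "$file"` is the safer form.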