[systemd-devel] Have 'session' keyrings per service

Stef Walter stefw at redhat.com
Thu Aug 8 03:15:59 PDT 2013


Hey guys. I'm trying to figure out details for:

http://www.freedesktop.org/wiki/Specifications/login-unlock/

Lennart, we talked about this briefly in Brno ... basically the concept
is that when systemd does cryptsetup, it'll stash away the password it
successfully used in the kernel keyring, and then the PAM stack in GDM
will use it to try and log the user in.

One thing we should work out is how to avoid having any uid 0 process
accessing that password at will. By:

 1. Obviously, a kernel keyring timeout.
 2. Putting it in a keyring that only certain services have access to.

The second is why I'm writing...

I'm thinking about the idea of defining a named session keyring per
systemd unit (kernel 'session keyrings' have nothing to do with user
login sessions, an overloaded term, :S ).

On its own this makes a lot of sense, since we essentially make a
per-cgroup keyring for services, which becomes really useful.

Then also have the ability, in a .service file, to define additional
named keyrings that are searchable for the service.

So perhaps cryptsetup would put the password in its own named keyring,
and then gdm.service would have:

[Service]
Keyrings=@cryptsetup

Which tells systemd to link the cryptsetup keyring into the gdm
(session) keyring. That makes gdm be able to find and use keys in the
cryptsetup keyring.

I think I've figured out a way to implement the above. But has anyone
already thought about this? Other use cases?

Cheers,

Stef
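
An added example (not from this mail, and not systemd's own code) of the keyring linking the proposal describes, using the raw Linux add_key/keyctl syscalls so that no libkeyutils is needed. The "cryptsetup" and "gdm" keyrings, the key description and the passphrase are all constructed stand-ins; both keyrings are made as children of the caller's own session keyring, in place of the per-unit session keyrings systemd would create.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
typedef int32_t key_serial_t;
#define KEY_SPEC_SESSION_KEYRING (-3)   /* "@s" in keyctl(1) terms */
#define KEYCTL_LINK        8
#define KEYCTL_SEARCH      10
#define KEYCTL_SET_TIMEOUT 15

/* Create an empty keyring NAME linked into PARENT; returns its serial or -1. */
static key_serial_t new_keyring(const char *name, key_serial_t parent) {
    return (key_serial_t) syscall(SYS_add_key, "keyring", name, NULL, 0, parent);
}
/* Search RING, and every keyring linked into it, for the "user" key DESC. */
static key_serial_t find_user_key(key_serial_t ring, const char *desc) {
    return (key_serial_t) syscall(SYS_keyctl, KEYCTL_SEARCH, ring, "user", desc, 0);
}
/* Returns 0 when the keyrings behave as the proposal expects, the failed step
 * number (4..6) if a visibility check differs, or -100-step if a syscall
 * fails outright (e.g. the keyring syscalls are blocked in a sandbox). */
int keyring_link_demo(void) {
    const char secret[] = "constructed-passphrase";   /* constructed sample value */
    /* 1. Two "unit" keyrings, here both children of our own session keyring. */
    key_serial_t cs  = new_keyring("cryptsetup", KEY_SPEC_SESSION_KEYRING);
    key_serial_t gdm = new_keyring("gdm", KEY_SPEC_SESSION_KEYRING);
    if (cs < 0 || gdm < 0) return -101;
    /* 2. cryptsetup stashes the passphrase that worked in its own keyring... */
    key_serial_t pw = (key_serial_t) syscall(SYS_add_key, "user", "cryptsetup:passphrase",
                                             secret, sizeof secret - 1, cs);
    if (pw < 0) return -102;
    /* 3. ...with a kernel-enforced lifetime, so it does not linger indefinitely. */
    if (syscall(SYS_keyctl, KEYCTL_SET_TIMEOUT, pw, 2) < 0) return -103;
    /* 4. Without a link, a search rooted at gdm's keyring cannot reach the key. */
    if (find_user_key(gdm, "cryptsetup:passphrase") >= 0 || errno != ENOKEY) return 4;
    /* 5. Keyrings=@cryptsetup: link cryptsetup's keyring into gdm's; now it resolves. */
    if (syscall(SYS_keyctl, KEYCTL_LINK, cs, gdm) < 0) return -105;
    if (find_user_key(gdm, "cryptsetup:passphrase") != pw) return 5;
    /* 6. Once the timeout passes the link is still there but the key has expired. */
    sleep(3);
    if (find_user_key(gdm, "cryptsetup:passphrase") >= 0 || errno != EKEYEXPIRED) return 6;
    return 0;
}
int main(void) {
    int rc = keyring_link_demo();
    printf("keyring_link_demo: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc != 0;
}
```

Run as an ordinary user on Linux; `keyctl show` afterwards lists the two keyrings and the expired key under your session keyring.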