[systemd-devel] Sharing kernel keyring between systemd services
Nikita Krasnov
nikita.nikita.krasnov at gmail.com
Mon Jul 22 09:18:11 UTC 2024
I am working with the kernel keyring (the `e4crypt` tool stores its keys there).
The end goal, basically, is that there is one service that decrypts a folder
(creates a key in the kernel keyring) and then every service has access to
that key, thus having access to the encrypted folder.
For some reason systemd doesn't share kernel keyrings between services.
Service A launches a script that creates a key and then it's nowhere to be
found inside service B (running `keyctl show` there doesn't show the key).
I've tried running `keyctl setperm $KEY_ID 0x3f3f3f3f` (giving everyone all
rights to the key) but to no avail.
I've found systemd has a `KeyringMode=shared` option, so I've added
`User=root` and `KeyringMode=shared` to both A and B service files.
Unfortunately, this had no effect. The keyring of service B is still empty
when it launches.
Running `keyctl show` inside A and B gives this. Service A output:
```
Session Keyring
275477083 --alswrv 0 0 keyring: _ses
511348864 ----s-rv 0 0 \_ user: invocation_id
916643668 --alswrv 0 0 \_ logon: ext4:018b44e44e88466a
```
Service B output:
```
Session Keyring
922937713 --alswrv 100000 100000 keyring: _ses
91724620 --alswrv 100000 65534 \_ keyring: _uid.100000
```
This output is when not using `User=root` and `KeyringMode=shared` since
adding this to every service file isn't feasible (and I also can't have
everything running as root).
--
Sincerely, Nikita Krasnov
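An added example, not part of Nikita's message or of systemd's own code, showing the setup that the `KeyringMode=shared` semantics documented in systemd.exec(5) actually require. With `shared`, systemd still allocates a fresh session keyring per invocation (so service B never sees A's `_ses` keyring, whatever permissions the key has), but it links the user keyring (`@u`) of the account in `User=` into that session keyring. A key is therefore visible to other units only if it lives in `@u` and all the units run with the same `User=`. The unit names `folder-unlock.service` and `folder-consumer.service`, the account `vault`, and the drop-in file name are assumptions; the two `keyctl show` samples are copied from the message above for the visibility check.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: a dedicated
# unprivileged account "vault", two units folder-unlock.service (runs
# e4crypt add_key) and folder-consumer.service (reads the folder), and
# keyctl(1) from keyutils installed.

SHARED_USER="vault"

# Drop-in that every unit sharing the key needs: same User= so that the
# same @u keyring is linked, and KeyringMode=shared so that it is linked.
keyring_dropin() {
  printf '[Service]\nUser=%s\nKeyringMode=shared\n' "$SHARED_USER"
}

# Write the drop-in for one unit (root needed for /etc).
install_dropin() {
  unit="$1"
  dir="/etc/systemd/system/${unit}.d"
  mkdir -p "$dir"
  keyring_dropin > "$dir/10-keyring.conf"
}

# Run inside service A after e4crypt add_key: locate the fscrypt logon key
# in A's session keyring and link it into the user keyring, which is the
# keyring KeyringMode=shared exposes to the other units.
publish_key() {
  desc="$1"                                   # e.g. ext4:018b44e44e88466a
  id=$(keyctl search @s logon "$desc") || return 1
  keyctl link "$id" @u
}

# Check from a consumer's side: read `keyctl show` output on stdin and
# succeed only if a logon key with the given description is listed.
key_visible() {
  grep -Fq "logon: $1"
}

# Constructed sample inputs, copied from the two outputs in the message.
SERVICE_A_SHOW='Session Keyring
275477083 --alswrv 0 0 keyring: _ses
511348864 ----s-rv 0 0 \_ user: invocation_id
916643668 --alswrv 0 0 \_ logon: ext4:018b44e44e88466a'

SERVICE_B_SHOW='Session Keyring
922937713 --alswrv 100000 100000 keyring: _ses
91724620 --alswrv 100000 65534 \_ keyring: _uid.100000'

case "${1:-}" in
  install) install_dropin folder-unlock.service
           install_dropin folder-consumer.service
           systemctl daemon-reload ;;
  publish) publish_key "$2" ;;              # publish ext4:<descriptor>
  check)   keyctl show | key_visible "$2" && echo "key $2 visible" ;;
  *)       : ;;                              # no args: only define functions
esac
```

Usage: `sh share-key.sh install` once as root, then `share-key.sh publish ext4:<descriptor>` as the last step of service A's unlock script, and `share-key.sh check ext4:<descriptor>` inside service B to confirm the key is searchable there. Note that `keyctl setperm` on the key is not what is missing: B's output above shows a session keyring that contains only `_uid.100000`, so the fix is to put the key into that user keyring, not to widen the key's permissions.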