Bug 649560 - Improve checks for fs capabilities
Status: RESOLVED FIXED
Product: gnome-keyring
Classification: Core
Component: general
Assigned To: GNOME keyring maintainer(s)
Reported: 2011-05-06 12:27 UTC by Vincent Untz
Modified: 2011-06-18 07:40 UTC

Attachments
Improved checks for fs capabilities, and drop unneeded ones (1.63 KB, patch)
2011-05-06 12:27 UTC, Vincent Untz
committed
Accept to run if ipc_lock capability is not available (1.60 KB, patch)
2011-05-06 12:27 UTC, Vincent Untz
committed

Description Vincent Untz 2011-05-06 12:27:49 UTC
I'm attaching two patches that I think improve things wrt filesystem capabilities:

 - first one really makes sure that we have ipc_lock, and drop everything else
 - second one makes it possible to run even if we don't have ipc_lock
Comment 1 Vincent Untz 2011-05-06 12:27:51 UTC
Created attachment 187350
Improved checks for fs capabilities, and drop unneeded ones

If we have fs capabilities, we first need to check that we really do
have ipc_lock, and if that's the case we just keep ipc_lock and drop
everything else.
Comment 2 Vincent Untz 2011-05-06 12:27:54 UTC
Created attachment 187351
Accept to run if ipc_lock capability is not available

We print a warning about potential use of unsecure memory, but still
run (and drop unneeded capabilities if we have some). This is better
than nothing.
Comment 3 Vincent Untz 2011-05-06 12:33:34 UTC
Oh, hrm, it's worth mentioning that I wasn't able to test the patches myself (well, except for the second one) as my kernel currently doesn't have fs caps turned on. So make sure to double-check things :-)
Comment 4 Stef Walter 2011-05-09 08:58:15 UTC
Tomas, can you review these?
Comment 5 Tomas Bzatek 2011-05-10 13:10:59 UTC
Seems to be working fine on an fscaps-enabled system. The second patch is great to have and I wanted to propose something like that (though I haven't tested it when fscaps are not set). I've received a bug report from a user having root fs on nfs, which doesn't support extattrs and thus no fscaps. We'd still like to allow g-k-d to run in such cases.
Comment 6 Tomas Bzatek 2011-05-10 13:12:21 UTC
Submitted for testing in Fedora:
 gnome-keyring-3.1.1-2.fc16
 gnome-keyring-3.0.1-2.fc15
Comment 7 Vincent Untz 2011-05-16 06:47:49 UTC
Thanks, I pushed to master. I can cherry-pick on gnome-3-0 if this is wanted.
Comment 8 Stef Walter 2011-06-18 07:40:27 UTC
Thanks!

I'm not doing any more releases on the 3.0 branch, so cherry-picking isn't necessary.