gnome3.gnome-keyring: CAP_IPC_LOCK gnome-keyring-daemon

From gkd-capability.c: This program needs the CAP_IPC_LOCK posix capability. We want to allow either setuid root or file system based capabilies to work. If file system based capabilities, this is a no-op unless the root user is running the program. In that case we just drop capabilities down to IPC_LOCK. If we are setuid root, then change to the invoking user retaining just the IPC_LOCK capability. The application is aborted if for any reason we are unable to drop privileges.
2019-04-15 14:54:03 -04:00 · 2019-04-15 14:54:03 -04:00 · 2d6247a414
commit 2d6247a414
parent 29884b2b39
2 changed files with 15 additions and 0 deletions
--- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
@ -37,6 +37,11 @@ with lib;

    security.pam.services.login.enableGnomeKeyring = true;

+    security.wrappers.gnome-keyring-daemon = {
+      source = "${pkgs.gnome3.gnome-keyring}/bin/gnome-keyring-daemon";
+      capabilities = "cap_ipc_lock=ep";
+    };
+
  };

 }
--- a/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix
+++ b/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix
@ -46,6 +46,16 @@ stdenv.mkDerivation rec {
      make check
  '';

+  # Use wrapped gnome-keyring-daemon with cap_ipc_lock=ep
+  postFixup = ''
+    files=($out/etc/xdg/autostart/* $out/share/dbus-1/services/*)
+
+    for file in ''${files[*]}; do
+      substituteInPlace $file \
+        --replace "$out/bin/gnome-keyring-daemon" "/run/wrappers/bin/gnome-keyring-daemon"
+    done
+  '';
+
  passthru = {
    updateScript = gnome3.updateScript {
      packageName = "gnome-keyring";