From 2d6247a41477513d47cdec0e268c62296e1bb931 Mon Sep 17 00:00:00 2001
From: worldofpeace
Date: Mon, 15 Apr 2019 14:54:03 -0400
Subject: [PATCH] gnome3.gnome-keyring: CAP_IPC_LOCK gnome-keyring-daemon
From gkd-capability.c: This program needs the CAP_IPC_LOCK posix capability. We want to allow either setuid root or file system based capabilies to work. If file system based capabilities, this is a no-op unless the root user is running the program. In that case we just drop capabilities down to IPC_LOCK. If we are setuid root, then change to the invoking user retaining just the IPC_LOCK capability. The application is aborted if for any reason we are unable to drop privileges.
---
 .../modules/services/desktops/gnome3/gnome-keyring.nix | 5 +++++
 pkgs/desktops/gnome-3/core/gnome-keyring/default.nix | 10 ++++++++++
 2 files changed, 15 insertions(+)
diff --git a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
index 4c350d8bb1c6..db60445ef773 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
@@ -37,6 +37,11 @@ with lib;
 security.pam.services.login.enableGnomeKeyring = true;
+ security.wrappers.gnome-keyring-daemon = {
+ source = "${pkgs.gnome3.gnome-keyring}/bin/gnome-keyring-daemon";
+ capabilities = "cap_ipc_lock=ep";
+ };
+
 };
 }
diff --git a/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix b/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix
index 9702087ca0d0..f36d3f4a6e0a 100644
--- a/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix
+++ b/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix
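Review bot: The `security.wrappers.gnome-keyring-daemon` entry explains neither why the daemon needs `cap_ipc_lock` nor how the privilege is contained, so the module's next reader has to dig the gkd-capability.c excerpt out of the commit message; I'd add above it `# cap_ipc_lock lets gnome-keyring-daemon mlock() its secret memory; the daemon drops everything else itself (see gkd-capability.c).` The exposure is bounded: the wrapper carries only IPC_LOCK in effective+permitted, and per the quoted source comment the daemon aborts if it cannot drop privileges, so the change grants the minimum the daemon needs. Owner, group and permission mode of the wrapper are left at whatever `security.wrappers` defaults to here; if the module version in use does not default to a root-owned, world-executable wrapper, pinning `owner`/`group`/`permissions` explicitly would make the intent unambiguous.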
@@ -46,6 +46,16 @@ stdenv.mkDerivation rec {
 make check
 '';
+ # Use wrapped gnome-keyring-daemon with cap_ipc_lock=ep
+ postFixup = ''
+ files=($out/etc/xdg/autostart/* $out/share/dbus-1/services/*)
+
+ for file in ''${files[*]}; do
+ substituteInPlace $file \
+ --replace "$out/bin/gnome-keyring-daemon" "/run/wrappers/bin/gnome-keyring-daemon"
+ done
+ '';
+
 passthru = {
 updateScript = gnome3.updateScript {
 packageName = "gnome-keyring";
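Review bot: `postFixup` unconditionally points every autostart and D-Bus service file at `/run/wrappers/bin/gnome-keyring-daemon`, but that path exists only when the NixOS module in the first hunk defines the wrapper, so the package installed on its own (without `services.gnome3.gnome-keyring.enable`, or outside NixOS) ships activation entries for a binary that is not there and D-Bus activation of the daemon fails instead of falling back to `$out/bin/gnome-keyring-daemon`. That coupling deserves to be stated in the comment, e.g. `# NixOS only: /run/wrappers/bin/gnome-keyring-daemon is created by services.gnome3.gnome-keyring; installs without that module lose D-Bus activation/autostart of the daemon`. The `files=(...)` glob also expands to the literal pattern if either directory is missing, which would make `substituteInPlace` fail the build, so it is worth confirming both directories are always present in `$out` or guarding the loop with a file-existence test.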