nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-01 03:12:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

gnome3.gnome-keyring: CAP_IPC_LOCK gnome-keyring-daemon

Browse Source 
From gkd-capability.c:

This program needs the CAP_IPC_LOCK posix capability.
We want to allow either setuid root or file system based capabilies
to work. If file system based capabilities, this is a no-op unless
the root user is running the program. In that case we just drop
capabilities down to IPC_LOCK. If we are setuid root, then change to the
invoking user retaining just the IPC_LOCK capability. The application
is aborted if for any reason we are unable to drop privileges.
This commit is contained in:
worldofpeace 2019-04-15 14:54:03 -04:00
parent 29884b2b39
commit 2d6247a414
2 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
nixos/modules/services/desktops/gnome3/gnome-keyring.nix
View File

@ -37,6 +37,11 @@ with lib;
security.pam.services.login.enableGnomeKeyring = true; security.pam.services.login.enableGnomeKeyring = true;
security.wrappers.gnome-keyring-daemon = {
source = "${pkgs.gnome3.gnome-keyring}/bin/gnome-keyring-daemon";
capabilities = "cap_ipc_lock=ep";
};
}; };
} }

10
pkgs/desktops/gnome-3/core/gnome-keyring/default.nix
View File

@ -46,6 +46,16 @@ stdenv.mkDerivation rec {
make check make check
''; '';
# Use wrapped gnome-keyring-daemon with cap_ipc_lock=ep
postFixup = ''
files=($out/etc/xdg/autostart/* $out/share/dbus-1/services/*)
for file in ''${files[*]}; do
substituteInPlace $file \
--replace "$out/bin/gnome-keyring-daemon" "/run/wrappers/bin/gnome-keyring-daemon"
done
'';
passthru = { passthru = {
updateScript = gnome3.updateScript { updateScript = gnome3.updateScript {
packageName = "gnome-keyring"; packageName = "gnome-keyring";