Merge pull request #14085 from poettering/ask-password-api

make sure asking for a pw works in a container too if keyctl() and friends are blocked
2024-11-27 12:13:33 +08:00 · 2019-11-20 00:54:28 +01:00 · 2019-11-20 00:54:28 +01:00 · faf1bb8244
commit faf1bb8244
parent fbcb630045 09a6b4f34f
2 changed files with 14 additions and 1 deletions
--- a/src/basic/errno-util.h
+++ b/src/basic/errno-util.h
@ -86,3 +86,11 @@ static inline bool ERRNO_IS_RESOURCE(int r) {
                      ENFILE,
                      ENOMEM);
 }
+
+/* Three different errors for "operation/system call/ioctl not supported" */
+static inline bool ERRNO_IS_NOT_SUPPORTED(int r) {
+        return IN_SET(abs(r),
+                      EOPNOTSUPP,
+                      ENOTTY,
+                      ENOSYS);
+}
--- a/src/shared/ask-password-api.c
+++ b/src/shared/ask-password-api.c
@ -168,7 +168,12 @@ static int ask_password_keyring(const char *keyname, AskPasswordFlags flags, cha
                return -EUNATCH;

        r = lookup_key(keyname, &serial);
-        if (r == -ENOSYS) /* when retrieving the distinction doesn't matter */
+        if (ERRNO_IS_NOT_SUPPORTED(r) || r == -EPERM) /* when retrieving the distinction between "kernel or
+                                                       * container manager don't support or allow this" and
+                                                       * "no matching key known" doesn't matter. Note that we
+                                                       * propagate EACCESS here (even if EPERM not) since
+                                                       * that is used if the keyring is available but we lack
+                                                       * access to the key. */
                return -ENOKEY;
        if (r < 0)
                return r;