Support attaching the kernel persistent keyring to an existing keyring (for example, session keyring).

65a · 65a · commit cbd86dccaea5 · 2021-12-29T03:30:10.000Z
Currently, this will always use the persistent keyring associated with the UID executing the process. Specifying UID is supportable but use case unclear.

The AttachPersistent() function will return a Keyring pointing to the kernel persistent keyring, or an error.
diff --git a/keyring.go b/keyring.go
@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build linux
 // +build linux
 
 // A Go interface to linux kernel keyrings (keyctl interface)
@@ -21,6 +22,7 @@ type Keyring interface {
 	Add(string, []byte) (*Key, error)
 	Search(string) (*Key, error)
 	SetDefaultTimeout(uint)
+	AttachPersistent() (Keyring, error)
 }
 
 // Named keyrings are user-created keyrings linked to a parent keyring. The
@@ -93,6 +95,13 @@ func (kr *keyring) Search(name string) (*Key, error) {
 	return nil, err
 }
 
+// AttachPersistentKeyring attaches the current executing context's persistent
+// keyring to this keyring. See persistent-keyring(7) for more info.
+// It returns either an error, or the persistent Keyring.
+func (kr *keyring) AttachPersistent() (Keyring, error) {
+	return attachPersistent(kr.id)
+}
+
 // Return the current login session keyring
 func SessionKeyring() (Keyring, error) {
 	return newKeyring(keySpecSessionKeyring)
diff --git a/keyring_test.go b/keyring_test.go
@@ -112,6 +112,18 @@ func TestCreateKeyring(t *testing.T) {
 	}
 }
 
+func TestAttachPersistentKeyring(t *testing.T) {
+	kr, err := SessionKeyring()
+	if err != nil {
+		t.Fatalf("unexpected test failure: could not create session keyring: %v", err)
+	}
+	pkr, err := kr.AttachPersistent()
+	if err != nil {
+		t.Fatalf("unexpected test failure: could not attach persistent keyring: %v", err)
+	}
+	t.Logf("found persistent keyring %d", pkr.Id())
+}
+
 func TestCreateNestedKeyring(t *testing.T) {
 	ring := helperTestCreateKeyring(nil, "", t)
 
diff --git a/sys_linux.go b/sys_linux.go
@@ -37,6 +37,12 @@ const (
 	keyctlSetReqKeyKeyring
 	keyctlSetTimeout
 	keyctlAssumeAuthority
+	keyctlGetSecurity
+	keyctlSessionToParent
+	keyctlReject
+	keyctlInstantiateIOV
+	keyctlInvalidate
+	keyctlGetPersistent
 )
 
 var debugSyscalls bool
@@ -81,6 +87,8 @@ func (cmd keyctlCommand) String() string {
 		return "keyctlSetTimeout"
 	case keyctlAssumeAuthority:
 		return "keyctlAssumeAuthority"
+	case keyctlGetPersistent:
+		return "keyctlGetPersistent"
 	}
 	panic("bad arg")
 }
@@ -294,3 +302,12 @@ func updateKey(id keyId, payload []byte) error {
 	}
 	return nil
 }
+
+func attachPersistent(id keyId) (*keyring, error) {
+	uid := int32(-1)
+	r1, _, errno := syscall.Syscall(syscall_keyctl, uintptr(keyctlGetPersistent), uintptr(uid), uintptr(id))
+	if errno != 0 {
+		return nil, errno
+	}
+	return &keyring{id: keyId(r1)}, nil
+}
