Let's improve compat with container managers that block the keyring
logic and return EPERM for them.
return -EUNATCH;
r = lookup_key(keyname, &serial);
- if (r == -ENOSYS) /* when retrieving the distinction doesn't matter */
+ if (ERRNO_IS_NOT_SUPPORTED(r) || r == -EPERM) /* when retrieving the distinction between "kernel or
+ * container manager don't support or allow this" and
+ * "no matching key known" doesn't matter. Note that we
+ * propagate EACCESS here (even if EPERM not) since
+ * that is used if the keyring is available but we lack
+ * access to the key. */
return -ENOKEY;
if (r < 0)
return r;
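Review bot: The added comment on the `ERRNO_IS_NOT_SUPPORTED(r) || r == -EPERM` check names `EACCESS`, which is not an errno constant; it means `EACCES`, and the sentence reads more clearly as `Note that we still propagate EACCES here (unlike EPERM), since that is used if the keyring is available but we lack access to the key.` Separately, folding `-EPERM` into `-ENOKEY` makes a keyring blocked by the container manager look the same as a plain cache miss, so a debug-level log of the original `r` before `return -ENOKEY;` would keep the denial visible to anyone diagnosing it without changing the return value. The mapping also relies on `lookup_key()` never returning `-EPERM` for a denial on one specific key, which the comment implies but the hunk does not show; that is worth confirming against its implementation. The enclosing function starts and ends outside the hunk.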