core: fix KeyringMode for user services

KeyringMode option is useful for user services. Also, documentation for the
option suggests that the option applies to user services. However, setting the
option to any of its allowed values has no effect.

This commit fixes that and removes EXEC_NEW_KEYRING flag. The flag is no longer
necessary: instead of checking if the flag is set we can check if keyring_mode
is not equal to EXEC_KEYRING_INHERIT.

diff --git a/src/core/execute.c b/src/core/execute.c
index e966f9cfe85ee48717f3e02ea62b98d4e0aa1dc2..e11143148fb26f95d9915d6967a0f1eceb60c657 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2530,9 +2530,6 @@ static int setup_keyring(
          * on-demand behaviour is very appropriate for login users, but probably not so much for system services, where
          * UIDs are not necessarily specific to a service but reused (at least in the case of UID 0). */
 
-        if (!(p->flags & EXEC_NEW_KEYRING))
-                return 0;
-
         if (context->keyring_mode == EXEC_KEYRING_INHERIT)
                 return 0;
 

diff --git a/src/core/execute.h b/src/core/execute.h
index fb8c752efaa1af9815a6b5f6a232aa0eecf90e82..0f1bf56744bb5d5d4d3defda249cfc279a49d9a0 100644 (file)
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -289,18 +289,17 @@ typedef enum ExecFlags {
         EXEC_APPLY_SANDBOXING  = 1 << 0,
         EXEC_APPLY_CHROOT      = 1 << 1,
         EXEC_APPLY_TTY_STDIN   = 1 << 2,
-        EXEC_NEW_KEYRING       = 1 << 3,
-        EXEC_PASS_LOG_UNIT     = 1 << 4, /* Whether to pass the unit name to the service's journal stream connection */
-        EXEC_CHOWN_DIRECTORIES = 1 << 5, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */
-        EXEC_NSS_BYPASS_BUS    = 1 << 6, /* Set the SYSTEMD_NSS_BYPASS_BUS environment variable, to disable nss-systemd for dbus */
-        EXEC_CGROUP_DELEGATE   = 1 << 7,
-        EXEC_IS_CONTROL        = 1 << 8,
-        EXEC_CONTROL_CGROUP    = 1 << 9, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */
+        EXEC_PASS_LOG_UNIT     = 1 << 3, /* Whether to pass the unit name to the service's journal stream connection */
+        EXEC_CHOWN_DIRECTORIES = 1 << 4, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */
+        EXEC_NSS_BYPASS_BUS    = 1 << 5, /* Set the SYSTEMD_NSS_BYPASS_BUS environment variable, to disable nss-systemd for dbus */
+        EXEC_CGROUP_DELEGATE   = 1 << 6,
+        EXEC_IS_CONTROL        = 1 << 7,
+        EXEC_CONTROL_CGROUP    = 1 << 8, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */
 
         /* The following are not used by execute.c, but by consumers internally */
-        EXEC_PASS_FDS          = 1 << 10,
-        EXEC_SETENV_RESULT     = 1 << 11,
-        EXEC_SET_WATCHDOG      = 1 << 12,
+        EXEC_PASS_FDS          = 1 << 9,
+        EXEC_SETENV_RESULT     = 1 << 10,
+        EXEC_SET_WATCHDOG      = 1 << 11,
 } ExecFlags;
 
 /* Parameters for a specific invocation of a command. This structure is put together right before a command is

diff --git a/src/core/service.c b/src/core/service.c
index d631687205e048b46e0791d366adb2d235667a77..cfa327123200734f0a31989f00c14ab71c4d9e3b 100644 (file)
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1535,9 +1535,6 @@ static int service_spawn(
         if (!final_env)
                 return -ENOMEM;
 
-        /* System services should get a new keyring by default. */
-        SET_FLAG(exec_params.flags, EXEC_NEW_KEYRING, MANAGER_IS_SYSTEM(UNIT(s)->manager));
-
         /* System D-Bus needs nss-systemd disabled, so that we don't deadlock */
         SET_FLAG(exec_params.flags, EXEC_NSS_BYPASS_BUS,
                  MANAGER_IS_SYSTEM(UNIT(s)->manager) && unit_has_name(UNIT(s), SPECIAL_DBUS_SERVICE));