From 820a7277ed1c553d33b2a7f3efb48655fb993b77 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Sun, 27 Jul 2025 12:44:16 -0400
Subject: [PATCH] Run KEYRING ccache tests in session wrapper

Tests for the KEYRING ccache type can fail if the session keyring has been revoked. When keyctl is present, run these tests within a keyctl session wrapper to isolate them from the containing environment's session keyring.
---
 src/config/pre.in | 1 +
 src/configure.ac | 8 ++++++++
 src/lib/krb5/ccache/Makefile.in | 4 ++--
 src/tests/Makefile.in | 2 +-
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/config/pre.in b/src/config/pre.in
index 1197c1ffd6..6a6a4adbb1 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -178,6 +178,7 @@ KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
 LDFLAGS = @LDFLAGS@
 LIBS = @LIBS@
 FUZZ_LDFLAGS = @FUZZ_LDFLAGS@
+KEYCTL_SESSION = @KEYCTL_SESSION@
 
 INSTALL=@INSTALL@
 INSTALL_STRIP=
diff --git a/src/configure.ac b/src/configure.ac
index bf6cc14c52..7313bc5528 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -351,6 +351,14 @@ if test "$with_keyutils" != no; then
 fi
 fi
 
+# Check for keyctl. If it is found, define a command prefix for
+# running a command inside a keyring session. Include "env" in the
+# wrapper to allow environment variable settings in the wrapped
+# command.
+AC_CHECK_PROG(KEYCTL,keyctl,keyctl)
+AS_IF([test x"$KEYCTL" != x], [KEYCTL_SESSION="keyctl session - env"])
+AC_SUBST([KEYCTL_SESSION])
+
 # The SPAKE preauth plugin currently supports edwards25519 natively,
 # and can support three NIST groups using OpenSSL.
 HAVE_SPAKE_OPENSSL=no
diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in
index 2864e92b96..449f74bf44 100644
--- a/src/lib/krb5/ccache/Makefile.in
+++ b/src/lib/krb5/ccache/Makefile.in
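Review bot: The wrapper in the configure.ac hunk is enabled on the mere presence of a `keyctl` binary, so a build host where the program exists but keyring operations are refused (for example under a restrictive container seccomp policy) would turn every wrapped test into a hard failure at `keyctl session`. A functional probe would make the fallback explicit: `AS_IF([test x"$KEYCTL" != x && $KEYCTL session - true >/dev/null 2>&1], [KEYCTL_SESSION="$KEYCTL session - env"])`. Using `$KEYCTL` in the prefix rather than the literal `keyctl` also keeps the wrapper pointed at the program configure settled on if KEYCTL was preset in the environment. The same prefix is consumed by the `check-unix` and `check-pytests` recipes in the two Makefile.in hunks, so the concern applies there as well.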
@@ -145,11 +145,11 @@ t_marshal: $(T_MARSHAL_OBJS) $(KRB5_BASE_DEPLIBS)
 $(CC_LINK) -o $@ $(T_MARSHAL_OBJS) $(KRB5_BASE_LIBS)
 
 check-unix: t_cc t_marshal
- $(RUN_TEST) ./t_cc
+ $(RUN_TEST) $(KEYCTL_SESSION) ./t_cc
 $(RUN_TEST) ./t_marshal testcache
 
 check-pytests: t_cccursor t_cccol
- $(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS)
+ $(KEYCTL_SESSION) $(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS)
 
 clean-unix::
 $(RM) t_cc t_cc.o t_cccursor t_cccursor.o t_cccol t_cccol.o
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 80ac35aacc..52c5777b49 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -150,7 +150,7 @@ check-pytests: responder s2p s4u2proxy unlockiter s4u2self
 $(RUNPYTEST) $(srcdir)/t_keyrollover.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_renew.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_renprinc.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_ccache.py $(PYTESTFLAGS)
+ $(KEYCTL_SESSION) $(RUNPYTEST) $(srcdir)/t_ccache.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_sesskeynego.py $(PYTESTFLAGS)
 $(RUNPYTEST) $(srcdir)/t_crossrealm.py $(PYTESTFLAGS)
-- 
2.47.2
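Review bot: The wrapper sits after `$(RUN_TEST)` in `check-unix` but before `$(RUNPYTEST)` in `check-pytests` (and in the src/tests/Makefile.in hunk), and nothing in the recipes says why the order differs. Both variables are defined outside this hunk, so the reason presumably lies in how each one sets up the environment; a comment above `check-unix` such as `# KEYRING tests run in a private session keyring; the wrapper goes after RUN_TEST's environment setup` (worded to match the actual reason) would keep a later cleanup from normalizing the order. It is also worth confirming that any tool prefix carried at the end of `$(RUN_TEST)`, such as a memory checker, still applies to `t_cc` rather than to `keyctl` now that the wrapper sits between them.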