From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 19 Nov 2019 17:47:31 +0000 (+0100)
Subject: ask-password: skip kernel keyring logic if we see EPERM
X-Git-Tag: v244-rc1~17^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=09a6b4f34fd29064bcbf83a7c42db8fb9d7e5f2e;p=thirdparty%2Fsystemd.git

ask-password: skip kernel keyring logic if we see EPERM

Let's improve compat with container managers that block the keyring
logic and return EPERM for them.
---

diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
index 04ef6b58932..9ffbe1bc4e0 100644
--- a/src/shared/ask-password-api.c
+++ b/src/shared/ask-password-api.c
@@ -168,7 +168,12 @@ static int ask_password_keyring(const char *keyname, AskPasswordFlags flags, cha
                 return -EUNATCH;
 
         r = lookup_key(keyname, &serial);
-        if (r == -ENOSYS) /* when retrieving the distinction doesn't matter */
+        if (ERRNO_IS_NOT_SUPPORTED(r) || r == -EPERM) /* when retrieving the distinction between "kernel or
+                                                       * container manager don't support or allow this" and
+                                                       * "no matching key known" doesn't matter. Note that we
+                                                       * propagate EACCESS here (even if EPERM not) since
+                                                       * that is used if the keyring is available but we lack
+                                                       * access to the key. */
                 return -ENOKEY;
         if (r < 0)
                 return r;