Subject: Session keyring caches don't work if session keyring not set (with current Linux)

In many Linux configurations, the PAM stack does not use pam_keyinit or equivalent, so typical processes have no explicit session keyring. In this situation, current Linux kernels default to a per-uid default (known as the user default session keyring) for reading, but when writing, they create a new session keyring for the process, which is garbage-collected when the process exits. The result is that a KEYRING ccache bound to the session anchor cannot be seen by a subsequent process. This causes a failure in the 1.12 "make check", though it does not break the sparser keyring ccache tests in 1.11.

After some discussion, future kernel versions will probably write to the user default session keyring instead of creating a new one. There is also a workaround we can use to get those semantics with current kernels: use keyctl_get_keyring_ID() to get the IDs of KEY_SPEC_SESSION_KEYRING and KEY_SPEC_USER_SESSION_KEYRING, and if they match, write to KEY_SPEC_USER_SESSION_KEYRING instead of KEY_SPEC_SESSION_KEYRING.
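
The workaround described in the message above, sketched as an added example; it is not code from the ticket or from the krb5 source. The function names are hypothetical, and the raw keyctl(2) syscall stands in for libkeyutils' keyctl_get_keyring_ID() so the block builds without that library.

```c
/* Added example: pick the keyring a session-anchored KEYRING ccache is written to. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>   /* KEY_SPEC_*, KEYCTL_GET_KEYRING_ID */

/* Stand-in for libkeyutils' keyctl_get_keyring_ID(id, create): resolves a
 * special keyring ID to its serial number, or returns -1 with errno set. */
static long get_keyring_id(int special_id, int create)
{
    return syscall(SYS_keyctl, (long)KEYCTL_GET_KEYRING_ID,
                   (long)special_id, (long)create);
}

/* Hypothetical helper holding the decision only. Matching serials mean the
 * process has no session keyring of its own and reads fall through to the
 * user default session keyring, so writes are sent there too. A failed
 * lookup (serial <= 0) never counts as a match. */
int choose_write_anchor(long session_serial, long user_session_serial)
{
    if (session_serial > 0 && session_serial == user_session_serial)
        return KEY_SPEC_USER_SESSION_KEYRING;
    return KEY_SPEC_SESSION_KEYRING;
}

/* create=0: only look the keyrings up; never make a new session keyring. */
int session_write_anchor(void)
{
    long s = get_keyring_id(KEY_SPEC_SESSION_KEYRING, 0);
    long u = get_keyring_id(KEY_SPEC_USER_SESSION_KEYRING, 0);
    return choose_write_anchor(s, u);
}

int main(void)
{
    int anchor = session_write_anchor();
    printf("write session-anchored ccache keys to %s\n",
           anchor == KEY_SPEC_USER_SESSION_KEYRING
               ? "KEY_SPEC_USER_SESSION_KEYRING"
               : "KEY_SPEC_SESSION_KEYRING");
    return 0;
}
```

Where the keyctl syscall is filtered (some container seccomp profiles do this), both lookups fail and the helper keeps KEY_SPEC_SESSION_KEYRING.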