daemon: Don't warn about CAP_IPC_LOCK if RLIMIT_MEMLOCK is enough

Open Simon McVittie requested to merge wip/smcv/tolerate-lack-of-caps into master

If a distribution has set user processes' RLIMIT_MEMLOCK to be high enough, then there is no reason why gnome-keyring really needs to be setuid or have elevated filesystem capabilities. Silence the warning about insufficient capabilities in this case.

In particular, giving gnome-keyring elevated capabilities is practically problematic because there is a desire to harden libraries like GLib and libdbus against processes that (inadvisably) use those libraries while they have genuinely abusable elevated capabilities, without first sanitizing the execution environment to protect themselves against being invoked by a malicious parent process. The mechanisms used to do this cannot distinguish between genuinely abusable elevated capabilities, like CAP_SYS_ADMIN, and elevated capabilities that are merely a denial-of-service vector, like CAP_IPC_LOCK - so they will tend to err on the side of caution and prevent gnome-keyring from accessing environment variables that it needs to do its job, such as DBUS_SESSION_BUS_ADDRESS and XDG_RUNTIME_DIR.

Also, if a sysadmin is concerned about users carrying out a denial-of-service via locking abusive amounts of memory, they should be equally concerned about whether gnome-keyring can be induced to execute arbitrary code with CAP_IPC_LOCK (which it probably can, because it relies on desktop services like dbus-daemon and systemd --user that are under the unprivileged user's control).

Related to #77.

Edited by Simon McVittie

Merge request reports