From: Gary Guo <gary@kernel.org>
To: David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>
Cc: Gary Guo <gary@garyguo.net>,
keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH] keys: allow request-key path to be configured via Kconfig
Date: Sun, 7 Jun 2026 14:49:27 +0100
Message-ID: <20260607134928.2832202-1-gary@kernel.org>
From: Gary Guo <gary@garyguo.net>
Some Linux distributions (e.g. NixOS) do not have /sbin present, and they
currently carry patches to replace /sbin/request-key with some other path.
Follow the way modprobe handles this by making this a Kconfig option which
defaults to the current /sbin/request-key.
Also changed "char const" to "const char" as checkpatch complains
otherwise.
Link: https://github.com/NixOS/nixpkgs/blob/6b316287bae2ee04c9b93c8c858d930fd07d7338/pkgs/os-specific/linux/kernel/request-key-helper.patch
Signed-off-by: Gary Guo <gary@garyguo.net>
---
I did not update mentions of /sbin/request-key in documentation and
elsewhere, as "/sbin/request-key" is concise while "request-key UMH" is
more of a mouthful and less clear.
The number of distros that don't have /sbin is limited so I think it wouldn't
create much confusion. Similarly, there are a lot of places where
/sbin/modprobe is mentioned despite it being technically configurable.
---
security/keys/Kconfig | 9 +++++++++
security/keys/request_key.c | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/security/keys/Kconfig b/security/keys/Kconfig
index f4510d8cb485..ee3c3d85fc03 100644
--- a/security/keys/Kconfig
+++ b/security/keys/Kconfig
@@ -40,6 +40,15 @@ config KEYS_REQUEST_CACHE
key. Pathwalk will call multiple methods for each dentry traversed
(permission, d_revalidate, lookup, getxattr, getacl, ...).
+config REQUEST_KEY_PATH
+ string "Path to the request-key binary"
+ default "/sbin/request-key"
+ help
+ Path of the request-key usermode helper binary.
+
+ This program is invoked by the kernel when the kernel is asked for
+ a key that it doesn't have immediately available.
+
config PERSISTENT_KEYRINGS
bool "Enable register of persistent per-UID keyrings"
help
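Review bot: the help text for REQUEST_KEY_PATH does not say that the value has to be an absolute path, nor what an empty string means. The help already states that the kernel invokes this program, so it is worth adding that the path must be absolute and should point at a location only root can write, and either documenting or rejecting the empty value. A sentence noting that the default "/sbin/request-key" preserves the existing behaviour would also help anyone answering the new prompt during a config update.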
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index a7673ad86d18..ac8f9d1a87ad 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -117,7 +117,7 @@ static int call_usermodehelper_keys(const char *path, char **argv, char **envp,
*/
static int call_sbin_request_key(struct key *authkey, void *aux)
{
- static char const request_key[] = "/sbin/request-key";
+ static const char request_key[] = CONFIG_REQUEST_KEY_PATH;
struct request_key_auth *rka = get_request_key_auth(authkey);
const struct cred *cred = current_cred();
key_serial_t prkey, sskey;
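Review bot: call_sbin_request_key() keeps its name although, with the changed request_key[] line, the helper is no longer necessarily under /sbin. The cover note explains why the documentation is left alone, but the function name is code rather than documentation; consider renaming it (for example call_request_key_helper(), the name being only a suggestion) or adding a sentence to the comment above it saying the path comes from CONFIG_REQUEST_KEY_PATH. The "char const" to "const char" reordering on the same line is unrelated to the feature; it is called out in the commit message, but splitting it into its own patch would keep the functional change to a single token.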
base-commit: 6e845bcb78c95af935094040bd4edc3c2b6dd784
--
2.54.0