Re: [PATCH] keys: allow request-key path to be configured via Kconfig

["Serge E. Hallyn" <serge@hallyn.com>]

On Sun, Jun 07, 2026 at 02:49:27PM +0100, Gary Guo wrote:
> From: Gary Guo <gary@garyguo.net>
> 
> Some Linux distributions (e.g. NixOS) does not have /sbin present, and they
> currently carry patches to replace /sbin/request-key to some other path.
> 
> Follow the way modprobe handles this by making this a Kconfig option which
> defaults to the current /sbin/request-key.
> 
> Also changed "char const" to "const char" as checkpatch complains
> otherwise.
> 
> Link: https://github.com/NixOS/nixpkgs/blob/6b316287bae2ee04c9b93c8c858d930fd07d7338/pkgs/os-specific/linux/kernel/request-key-helper.patch
> Signed-off-by: Gary Guo <gary@garyguo.net>

Reviewed-by: Serge Hallyn <serge@hallyn.com>

> ---
> I did not update mentions of /sbin/request-key in documentation and
> elsewhere, as "/sbin/request-key" is concise while "request-key UMH" is
> more mouthful and less clear.
> 
> Number of distros that doesn't have /sbin is limited so I think it wouldn't
> create much confusion. Similarly, there are a lot of places where
> /sbin/modprobe is mentioned despite it is technically configurable.
> ---
>  security/keys/Kconfig       | 9 +++++++++
>  security/keys/request_key.c | 2 +-
>  2 files changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/security/keys/Kconfig b/security/keys/Kconfig
> index f4510d8cb485..ee3c3d85fc03 100644
> --- a/security/keys/Kconfig
> +++ b/security/keys/Kconfig
> @@ -40,6 +40,15 @@ config KEYS_REQUEST_CACHE
>  	  key.  Pathwalk will call multiple methods for each dentry traversed
>  	  (permission, d_revalidate, lookup, getxattr, getacl, ...).
>  
> +config REQUEST_KEY_PATH
> +	string "Path to the request-key binary"
> +	default "/sbin/request-key"
> +	help
> +	  Path of the request-key usermode helper binary.
> +
> +	  This program is invoked by the kernel when the kernel is asked for
> +	  a key that it doesn't have immediately available.
> +
>  config PERSISTENT_KEYRINGS
>  	bool "Enable register of persistent per-UID keyrings"
>  	help
> diff --git a/security/keys/request_key.c b/security/keys/request_key.c
> index a7673ad86d18..ac8f9d1a87ad 100644
> --- a/security/keys/request_key.c
> +++ b/security/keys/request_key.c
> @@ -117,7 +117,7 @@ static int call_usermodehelper_keys(const char *path, char **argv, char **envp,
>   */
>  static int call_sbin_request_key(struct key *authkey, void *aux)
>  {
> -	static char const request_key[] = "/sbin/request-key";
> +	static const char request_key[] = CONFIG_REQUEST_KEY_PATH;
>  	struct request_key_auth *rka = get_request_key_auth(authkey);
>  	const struct cred *cred = current_cred();
>  	key_serial_t prkey, sskey;
> 
> base-commit: 6e845bcb78c95af935094040bd4edc3c2b6dd784
> -- 
> 2.54.0