From 2bfb1b435afdf4f294a511a83ebbeb5176c77a06 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Sun, 18 Sep 2016 16:50:32 -0400
Subject: [PATCH] Don't allow access to the kernel keyring

For now, we don't use the kernel keyring for anything, so it is
better to shut off the access to it.
---
 common/flatpak-run.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 888f7f90..0a7fb28c 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -3026,6 +3026,11 @@ setup_seccomp (GPtrArray  *argv_array,
     /* Don't allow reading current quota use */
     {SCMP_SYS (quotactl)},
 
+    /* Don't allow access to the kernel keyring */
+    {SCMP_SYS (add_key)},
+    {SCMP_SYS (keyctl)},
+    {SCMP_SYS (request_key)},
+
     /* Scary VM/NUMA ops */
     {SCMP_SYS (move_pages)},
     {SCMP_SYS (mbind)},