
Allow sandboxed applications to access the kernel keyrings #4281

@complexspaces

Description


Linux distribution and version

Ubuntu 20.04

Flatpak version

1.6.5

Description of the problem

Any KEYCTL related syscalls return a permission denied error.

1Password would like to create an official Flatpak for the 1Password for Linux application, but a few of our features are dependent on access to the kernel keyrings. These currently include system authentication and browser integration.

It's noted in the source that Flatpak would like to allow desktop apps to access these, but is concerned about privacy. It seems to me that the most straightforward way to allow behavior like this is to add a new configuration option that would only disable the specific seccomp filter for specific packages. I do agree though that it could be a privacy risk, since it's rather hard to create keys that can't be accessed by random processes.

Would the Flatpak team consider adding opt-in support for this?

Steps to reproduce

  1. Install any application to get a container.
  2. Copy/paste an application that uses KEYCTL syscalls into the bin folder of the Flatpak app.
  3. Use flatpak run --command=/bin/bash org.org.name to get a shell
  4. Try running keyutils or another small app.
  5. Observe that it gets permission denied errors.

You should also be able to see the audit errors with sudo journalctl --since=today | grep audit:

May 19 17:55:16 machine-name kernel: audit: type=1326 audit(1621464916.053:3): auid=1000 uid=1000 gid=1000 ses=3 subj=kernel pid=213966 comm="name:inv" exe="/path/to/binary" sig=0 arch=c000003e syscall=250 compat=0 ip=0xfffffffffff code=0x50000

In this case, syscall 250 is keyctl.
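As an added example (not code from the issue or from the Flatpak project): a small Python parser for seccomp audit records like the one quoted above. It decodes the syscall number for arch c000003e (x86_64) and the action encoded in the code field, so denied keyring calls can be picked out of journalctl output. The sample log is constructed from the quoted line plus one made-up allowed record; the syscall and action tables are standard Linux values.

```python
"""Decode seccomp audit records (type=1326) and flag denied keyring syscalls."""
import re
from typing import Optional

# x86_64 (arch=c000003e) syscall numbers that touch the kernel keyrings.
X86_64_KEYRING_SYSCALLS = {248: "add_key", 249: "request_key", 250: "keyctl"}

# Action part of the seccomp return value (upper 16 bits of the code field).
SECCOMP_ACTIONS = {
    0x00000000: "KILL_THREAD",
    0x80000000: "KILL_PROCESS",
    0x00030000: "TRAP",
    0x00050000: "ERRNO",
    0x7ffc0000: "LOG",
    0x7fff0000: "ALLOW",
}

# Constructed sample: first line mirrors the issue's record, second is a made-up
# allowed write(2) call from the same process, which must not be reported.
SAMPLE_LOG = (
    'May 19 17:55:16 machine-name kernel: audit: type=1326 audit(1621464916.053:3): '
    'auid=1000 uid=1000 gid=1000 ses=3 subj=kernel pid=213966 comm="name:inv" '
    'exe="/path/to/binary" sig=0 arch=c000003e syscall=250 compat=0 '
    'ip=0xfffffffffff code=0x50000\n'
    'May 19 17:55:20 machine-name kernel: audit: type=1326 audit(1621464920.000:4): '
    'auid=1000 uid=1000 gid=1000 ses=3 subj=kernel pid=213966 comm="name:inv" '
    'exe="/path/to/binary" sig=0 arch=c000003e syscall=1 compat=0 '
    'ip=0xfffffffffff code=0x7fff0000\n'
)

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp_record(line: str) -> Optional[dict]:
    """Return the key=value fields of a type=1326 record, or None for other lines."""
    if "type=1326" not in line:
        return None
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    code = int(fields.get("code", "0"), 16)
    fields["action"] = SECCOMP_ACTIONS.get(code & 0xFFFF0000, f"UNKNOWN(0x{code:x})")
    fields["syscall_nr"] = int(fields.get("syscall", "-1"))
    if fields.get("arch") == "c000003e":
        fields["syscall_name"] = X86_64_KEYRING_SYSCALLS.get(fields["syscall_nr"], "other")
    else:
        fields["syscall_name"] = "unknown-arch"  # other arches need their own table
    return fields

def denied_keyring_calls(log: str) -> list:
    """List (comm, syscall_name, action) for keyring syscalls the filter did not allow."""
    hits = []
    for line in log.splitlines():
        rec = parse_seccomp_record(line)
        if rec and rec["syscall_nr"] in X86_64_KEYRING_SYSCALLS and rec["action"] != "ALLOW":
            hits.append((rec["comm"], rec["syscall_name"], rec["action"]))
    return hits
```

Pipe `sudo journalctl --since=today` into `denied_keyring_calls` to confirm whether a sandboxed app's keyring failures are really coming from the seccomp filter rather than from keyring permissions.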
