From 2d6247a41477513d47cdec0e268c62296e1bb931 Mon Sep 17 00:00:00 2001
From: worldofpeace <worldofpeace@users.noreply.github.com>
Date: Mon, 15 Apr 2019 14:54:03 -0400
Subject: [PATCH] gnome3.gnome-keyring: CAP_IPC_LOCK gnome-keyring-daemon

From gkd-capability.c:

This program needs the CAP_IPC_LOCK posix capability.
We want to allow either setuid root or file system based capabilies
to work. If file system based capabilities, this is a no-op unless
the root user is running the program. In that case we just drop
capabilities down to IPC_LOCK. If we are setuid root, then change to the
invoking user retaining just the IPC_LOCK capability. The application
is aborted if for any reason we are unable to drop privileges.
---
 .../modules/services/desktops/gnome3/gnome-keyring.nix |  5 +++++
 pkgs/desktops/gnome-3/core/gnome-keyring/default.nix   | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
index 4c350d8bb1c..db60445ef77 100644
--- a/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-keyring.nix
@@ -37,6 +37,11 @@ with lib;
 
     security.pam.services.login.enableGnomeKeyring = true;
 
+    security.wrappers.gnome-keyring-daemon = {
+      source = "${pkgs.gnome3.gnome-keyring}/bin/gnome-keyring-daemon";
+      capabilities = "cap_ipc_lock=ep";
+    };
+
   };
 
 }
diff --git a/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix b/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix
index 9702087ca0d..f36d3f4a6e0 100644
--- a/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix
+++ b/pkgs/desktops/gnome-3/core/gnome-keyring/default.nix
@@ -46,6 +46,16 @@ stdenv.mkDerivation rec {
       make check
   '';
 
+  # Use wrapped gnome-keyring-daemon with cap_ipc_lock=ep
+  postFixup = ''
+    files=($out/etc/xdg/autostart/* $out/share/dbus-1/services/*)
+
+    for file in ''${files[*]}; do
+      substituteInPlace $file \
+        --replace "$out/bin/gnome-keyring-daemon" "/run/wrappers/bin/gnome-keyring-daemon"
+    done
+  '';
+
   passthru = {
     updateScript = gnome3.updateScript {
       packageName = "gnome-keyring";