systemd socket-activated services on some systemd versions leave keys behind in the kernel keyring on every connection, so the per-user maxkeys quota is eventually exhausted.
Steps to reproduce:
# conf
_name=test
_port=4444
_iterations=100
# socket
cat <<EOF > /etc/systemd/system/${_name}.socket
[Unit]
Conflicts=${_name}.service
Description=Socket ${_name}
[Socket]
Accept=true
ListenStream=${_port}
PrivateDevices=true
[Install]
WantedBy=sockets.target
EOF
# service
cat <<EOF > /etc/systemd/system/${_name}@.service
[Unit]
Description=Test Service
[Service]
Type=simple
PrivateDevices=true
ExecStart=/usr/bin/sh /usr/local/bin/${_name}.sh
[Install]
WantedBy=multi-user.target
EOF
# something to run
echo 'logger -t TEST "Connect: $REMOTE_ADDR $REMOTE_PORT"; echo bla bla' > /usr/local/bin/${_name}.sh
# get nc
which dnf && dnf install nmap-ncat -y
which apt && apt install netcat
which pacman && pacman -S gnu-netcat
systemctl daemon-reload
systemctl start ${_name}.socket
echo "Before: $(grep '^ *0:' /proc/key-users)"
# brace expansion does not expand variables, so use seq for the iteration count
for i in $(seq 1 "$_iterations")
do
echo AHOJ$i|nc localhost ${_port} 2>/dev/null
done
sleep 2 # wait a bit for the spawned instances to exit
echo "After: $(grep '^ *0:' /proc/key-users)"
Affected distributions include CentOS 8/9 Stream and Debian 11. CentOS 7 and Arch Linux are not affected.
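The two grep lines above only eyeball the root entry of /proc/key-users. The following is an added example (not part of the original reproduction script) that parses the whole file, reports how close each UID is to its key quota, and measures how many quota-counted keys were added between a "before" and an "after" snapshot, which is the leak signal this report describes. The field layout is the one documented in the kernel's keys core documentation (uid, refcount, keys/instantiated, key quota used/max, byte quota used/max); the sample snapshots, the 80 % threshold and the function names are constructed for the example.

```python
#!/usr/bin/env python3
"""Parse /proc/key-users and flag UIDs approaching the kernel key quota.

Added example, not from the bug report. Field layout, per the kernel docs:
    <uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>
"""
from __future__ import annotations

import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\s*(?P<uid>\d+):\s+(?P<usage>\d+)\s+"
    r"(?P<nkeys>\d+)/(?P<nikeys>\d+)\s+"
    r"(?P<qnkeys>\d+)/(?P<maxkeys>\d+)\s+"
    r"(?P<qnbytes>\d+)/(?P<maxbytes>\d+)\s*$"
)


@dataclass(frozen=True)
class KeyUser:
    uid: int
    usage: int       # refcount of the kernel's per-user key record
    nkeys: int       # total keys owned by this uid
    nikeys: int      # of which instantiated
    qnkeys: int      # keys counted against the quota
    maxkeys: int     # per-user key quota (root_maxkeys / maxkeys sysctl)
    qnbytes: int
    maxbytes: int

    @property
    def key_quota_pct(self) -> float:
        return 100.0 * self.qnkeys / self.maxkeys if self.maxkeys else 0.0


def parse_key_users(text: str) -> dict[int, KeyUser]:
    """Parse the text of /proc/key-users into a uid -> KeyUser map."""
    users: dict[int, KeyUser] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised /proc/key-users line: {line!r}")
        fields = {k: int(v) for k, v in m.groupdict().items()}
        users[fields["uid"]] = KeyUser(**fields)
    return users


def read_key_users(path: str = "/proc/key-users") -> dict[int, KeyUser]:
    with open(path) as fh:
        return parse_key_users(fh.read())


def keys_leaked(before: dict[int, KeyUser], after: dict[int, KeyUser], uid: int = 0) -> int:
    """Growth in quota-counted keys for `uid` between two snapshots.

    Taken around a burst of socket activations, a positive number that scales
    with the number of connections is the leak this report describes.
    """
    a = after.get(uid)
    if a is None:
        return 0
    b = before.get(uid)
    return a.qnkeys - (b.qnkeys if b else 0)


def near_limit(users: dict[int, KeyUser], threshold_pct: float = 80.0) -> list[int]:
    """UIDs whose key quota usage is at or above the threshold."""
    return sorted(u.uid for u in users.values() if u.key_quota_pct >= threshold_pct)


# Constructed sample snapshots: 100 socket activations add 100 keys for root,
# and uid 1001 is already at 90 % of the default 200-key user quota.
SAMPLE_BEFORE = (
    "    0:   134 133/133 102/1000000 2436/25000000\n"
    " 1000:     5 4/4 4/200 120/20000\n"
    " 1001:     7 180/180 180/200 3600/20000\n"
)
SAMPLE_AFTER = (
    "    0:   234 233/233 202/1000000 4836/25000000\n"
    " 1000:     5 4/4 4/200 120/20000\n"
    " 1001:     7 180/180 180/200 3600/20000\n"
)


if __name__ == "__main__":
    try:
        live = read_key_users()
    except OSError:
        live = parse_key_users(SAMPLE_AFTER)   # fall back to the constructed sample
    for u in sorted(live.values(), key=lambda x: x.uid):
        print(f"uid {u.uid}: {u.qnkeys}/{u.maxkeys} keys ({u.key_quota_pct:.2f}%)")
    print("near limit:", near_limit(live))
```

To use it with the reproduction script, call read_key_users() before the loop and again after the sleep; keys_leaked(before, after) should be 0 on an unaffected system and roughly equal to _iterations on an affected one.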
Related IRC discussion: https://im.vpsfree.cz/archive/irc.libera.chat/#vpsfree/2022/03/29.html#l57