authorLennart Poettering <lennart@poettering.net>2022-04-13 23:35:15 +0200
committerLennart Poettering <lennart@poettering.net>2022-04-22 11:32:47 +0200
commitf344f7fdca63ca90cc3b4ea7d30f32c43dd3d1a6 (patch)
tree8a8a1a61481f0559574fa157b988cd48a6139dd1
parent61c5a49eb251264a875a23527346698d6390445b (diff)
execute: restore ability to propagate creds from further up (i.e. container manager and such)
This was broken in 3989bdc1ad7cca4d75c06cdf601fea2cb37ba337; let's restore the functionality. Basically, we want that if a relative name is specified as the source to load from, we take it relative to the credentials dir the service manager itself got passed.
-rw-r--r--src/core/execute.c21
1 files changed, 12 insertions, 9 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index a16dbdd0c7..5e6b1131e4 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2625,7 +2625,8 @@ static int load_credential(
assert(left);
if (path_is_absolute(path) || read_dfd >= 0) {
- /* If this is an absolute path, read the data directly from it, and support AF_UNIX sockets */
+ /* If this is an absolute path (or a directory fd is specifier relative which to read), read
+ * the data directly from it, and support AF_UNIX sockets */
source = path;
flags |= READ_FULL_FILE_CONNECT_SOCKET;
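Review bot: The rewritten comment on the two added lines is garbled: "(or a directory fd is specifier relative which to read)" does not parse, and since this branch is now the one that documents the new relative-name lookup it is worth getting right. Suggest `/* If this is an absolute path (or a directory fd is specified, relative to which to read), read` for the first added line, keeping the second line as is. It would also help a reader to state explicitly that a relative path only enters this branch when read_dfd is a valid directory fd, which is what the condition `path_is_absolute(path) || read_dfd >= 0` encodes. load_credential's body begins before this hunk and continues after it.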
@@ -2784,17 +2785,19 @@ static int acquire_credentials(
HASHMAP_FOREACH(lc, context->load_credentials) {
_cleanup_close_ int sub_fd = -1;
- /* Skip over credentials with unspecified paths. These are received by the
- * service manager via the $CREDENTIALS_DIRECTORY environment variable. */
- if (!is_path(lc->path) && streq(lc->id, lc->path))
- continue;
+ /* If this is an absolute path, then try to open it as a directory. If that works, then we'll
+ * recurse into it. If it is an absolute path but it isn't a directory, then we'll open it as
+ * a regular file. Finally, if it's a relative path we will use it as a credential name to
+ * propagate a credential passed to us from further up. */
- sub_fd = open(lc->path, O_DIRECTORY|O_CLOEXEC|O_RDONLY);
- if (sub_fd < 0 && errno != ENOTDIR)
- return -errno;
+ if (path_is_absolute(lc->path)) {
+ sub_fd = open(lc->path, O_DIRECTORY|O_CLOEXEC|O_RDONLY);
+ if (sub_fd < 0 && errno != ENOTDIR)
+ return -errno;
+ }
if (sub_fd < 0)
- /* Regular file */
+ /* Regular file (incl. a credential passed in from higher up) */
r = load_credential(
context,
params,