| author | Lennart Poettering <lennart@poettering.net> | 2020-07-17 12:58:19 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2020-07-21 10:32:01 +0200 |
| commit | 49f16281c90c22d34b3511c27d43ebacf22fac62 (patch) | |
| tree | 304cab60889a67527bd12d54ada1a12d575d0abc /man | |
| parent | c668aa8b351717cfce766cbe85a82cb3c2d40d18 (diff) | |
| download | systemd-49f16281c90c22d34b3511c27d43ebacf22fac62.tar.gz | |
tree-wide: use READ_FULL_FILE_CONNECT_SOCKET at various places
Let's use the new flag wherever we read key material/passphrases/hashes
off disk, so that people can plug in their own IPC service as backend if
they like, easily.
(My main goal was actually to support this for crypttab key files — i.e.
that you can specify AF_UNIX sockets as third column in crypttab — but
that's harder to implement, since the keys are read via libcryptsetup's
API, not ours.)
Diffstat (limited to 'man')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | man/systemd-journal-gatewayd.service.xml | 17 |
| -rw-r--r-- | man/systemd-journal-remote.service.xml | 30 |
| -rw-r--r-- | man/systemd.netdev.xml | 28 |

3 files changed, 37 insertions, 38 deletions
diff --git a/man/systemd-journal-gatewayd.service.xml b/man/systemd-journal-gatewayd.service.xml index 0f7aaab624..a7c50f382f 100644 --- a/man/systemd-journal-gatewayd.service.xml +++ b/man/systemd-journal-gatewayd.service.xml @@ -58,26 +58,25 @@ <varlistentry> <term><option>--cert=</option></term> - <listitem><para>Specify the path to a file containing a server - certificate in PEM format. This option switches - <command>systemd-journal-gatewayd</command> into HTTPS mode - and must be used together with + <listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read the + server certificate from. The certificate must be in PEM format. This option switches + <command>systemd-journal-gatewayd</command> into HTTPS mode and must be used together with <option>--key=</option>.</para></listitem> </varlistentry> <varlistentry> <term><option>--key=</option></term> - <listitem><para>Specify the path to a file containing a server - key in PEM format corresponding to the certificate specified - with <option>--cert=</option>.</para></listitem> + <listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read the + server key corresponding to the certificate specified with <option>--cert=</option> from. The key + must be in PEM format.</para></listitem> </varlistentry> <varlistentry> <term><option>--trust=</option></term> - <listitem><para>Specify the path to a file containing a - CA certificate in PEM format.</para></listitem> + <listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read a CA + certificate from. The certificate must be in PEM format.</para></listitem> </varlistentry> <varlistentry> diff --git a/man/systemd-journal-remote.service.xml b/man/systemd-journal-remote.service.xml index b28092d18c..1db0128f74 100644 --- a/man/systemd-journal-remote.service.xml +++ b/man/systemd-journal-remote.service.xml 
@@ -180,33 +180,29 @@ <varlistentry> <term><option>--key=</option></term> - <listitem><para> - Takes a path to a SSL key file in PEM format. - Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-remote.pem</filename>. - This option can be used with <option>--listen-https=</option>. - </para></listitem> + <listitem><para> Takes a path to a SSL key file in PEM format. Defaults to + <filename>&CERTIFICATE_ROOT;/private/journal-remote.pem</filename>. This option can be used with + <option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket + in the file system a connection is made to it and the key read from it.</para></listitem> </varlistentry> <varlistentry> <term><option>--cert=</option></term> - <listitem><para> - Takes a path to a SSL certificate file in PEM format. - Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-remote.pem</filename>. - This option can be used with <option>--listen-https=</option>. - </para></listitem> + <listitem><para> Takes a path to a SSL certificate file in PEM format. Defaults to + <filename>&CERTIFICATE_ROOT;/certs/journal-remote.pem</filename>. This option can be used with + <option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket + in the file system a connection is made to it and the certificate read from it.</para></listitem> </varlistentry> <varlistentry> <term><option>--trust=</option></term> - <listitem><para> - Takes a path to a SSL CA certificate file in PEM format, - or <option>all</option>. If <option>all</option> is set, - then certificate checking will be disabled. - Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>. - This option can be used with <option>--listen-https=</option>. - </para></listitem> + <listitem><para> Takes a path to a SSL CA certificate file in PEM format, or <option>all</option>. If + <option>all</option> is set, then certificate checking will be disabled. 
Defaults to + <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>. This option can be used with + <option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket + in the file system a connection is made to it and the certificate read from it.</para></listitem> </varlistentry> <varlistentry> diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 5516f63b65..c2957fd182 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -1028,11 +1028,13 @@ <varlistentry> <term><varname>KeyFile=</varname></term> <listitem> - <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal - string, which will be used in the transmission channel. When this option is specified, + <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal string, + which will be used in the transmission channel. When this option is specified, <varname>Key=</varname> is ignored. Note that the file must be readable by the user <literal>systemd-network</literal>, so it should be, e.g., owned by - <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para> + <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the path + refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made to + it and the key read from it.</para> </listitem> </varlistentry> <varlistentry> 
@@ -1518,11 +1520,12 @@ <varlistentry> <term><varname>PrivateKeyFile=</varname></term> <listitem> - <para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface. - When this option is specified, then <varname>PrivateKey=</varname> is ignored. - Note that the file must be readable by the user <literal>systemd-network</literal>, so it - should be, e.g., owned by <literal>root:systemd-network</literal> with a - <literal>0640</literal> file mode.</para> + <para>Takes an absolute path to a file which contains the Base64 encoded private key for the + interface. When this option is specified, then <varname>PrivateKey=</varname> is ignored. Note + that the file must be readable by the user <literal>systemd-network</literal>, so it should be, + e.g., owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If + the path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is + made to it and the key read from it.</para> </listitem> </varlistentry> <varlistentry> 
@@ -1577,10 +1580,11 @@ <term><varname>PresharedKeyFile=</varname></term> <listitem> <para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the - peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored. - Note that the file must be readable by the user <literal>systemd-network</literal>, so it - should be, e.g., owned by <literal>root:systemd-network</literal> with a - <literal>0640</literal> file mode.</para> + peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored. Note that + the file must be readable by the user <literal>systemd-network</literal>, so it should be, e.g., + owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the + path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is + made to it and the key read from it.</para> </listitem> </varlistentry> <varlistentry> |
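Review bot: In the systemd-journal-gatewayd.service.xml hunk, the new `--cert=`, `--key=` and `--trust=` descriptions say "a file or AF_UNIX stream socket to read the ... from" but, unlike the journal-remote and netdev hunks in the same commit, never state what is done with the socket. For consistency with the other files, append the same sentence used there, e.g. "If the path refers to an <constant>AF_UNIX</constant> stream socket in the file system, a connection is made to it and the certificate read from it.", so that readers of all three manpages get the same description of the socket behaviour.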
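Review bot: In the systemd-journal-remote.service.xml hunk, the three `<para>` blocks are reflowed anyway, so this is the place to fix the pre-existing "a SSL key file" / "a SSL certificate file" / "a SSL CA certificate file" wording to "an SSL ..."; the added sentence "If the path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made to it" also wants a comma after "in the file system" in all three places. For `--trust=` it would additionally help to say that the special value <option>all</option> is checked before the path is interpreted, since the paragraph now describes both a literal keyword and a file-or-socket path in one breath.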
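Review bot: In the `KeyFile=` hunk of systemd.netdev.xml, the rewritten first line keeps the pre-existing typo "Takes a absolute path"; since the line is modified in this hunk, change it to "Takes an absolute path". More importantly, the retained advice that the file "must be readable by the user <literal>systemd-network</literal>" with <literal>root:systemd-network</literal> and <literal>0640</literal> only covers the regular-file case: connecting to an AF_UNIX socket requires write permission on the socket inode (and on the directory path leading to it), not read permission, so the new sentence should state the analogous requirement for the socket, e.g. "the socket must be connectable by the user <literal>systemd-network</literal>".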
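Review bot: In the `PrivateKeyFile=` hunk, the new socket sentence is appended directly after "so it should be, e.g., owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.", which reads as if that ownership and mode advice also applied to the socket; a connect() to a unix socket is governed by write permission on the socket, so either split the socket case into its own sentence that states what it needs, or qualify the existing advice with "in the regular-file case". Separately, the hunk rewraps the whole paragraph only to add one sentence, which hides the actual change; keeping the existing line breaks and appending the new sentence would make the diff reviewable at a glance.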
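Review bot: In the `PresharedKeyFile=` hunk, "a connection is made to it and the key read from it" leaves open whether the data read from the socket must use the same Base64 encoding described for the file at the start of the paragraph; add "in the same format" (or equivalent) so the contract for a socket backend is explicit, and mirror whatever wording is chosen in the `PrivateKeyFile=` and `KeyFile=` paragraphs so the three WireGuard/MACsec key options stay consistent.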