pid1: import creds from sd-stub + qemu + kernel cmdline

Let's beef up our system credential game a bit, and explicitly import creds from sd-stub, from qemu fw_cfg and the kernel cmdline and expose them in the same way as those passed in from nspawn. Specifically, this will imprt such credentials to /run/credentials/@system (if the source can be trusted, as in the qemu/kernel cmdline case) and /run/credentials/@encrypted (otherwise, such as sd-stub provided ones). Once imported we'll set the $CREDENTIALS_PATH env var for PID 1, like it would be done by a container manager for the payload. (Conversely, we'll also creat a symlink from /run/credentials/@system to whatever is set in $CREDENTIALS_PATH in case we are invoked by a container manager, thus providing a fixed path where system credentials are found).
author: Lennart Poettering <lennart@poettering.net> 2022-04-08 00:18:55 +0200
committer: Lennart Poettering <lennart@poettering.net> 2022-04-28 18:12:00 +0200
commit: 4b9a4b01793170b9b17467711195552ef1f25ab8 (patch)
tree: 37dd12c36b4a0667092f0a15c7ef390f610e4ba6 /src/core/import-creds.h
parent: 5c1d67af465ab6921beec3f864ffdf1670ca4e1e (diff)
download: systemd-4b9a4b01793170b9b17467711195552ef1f25ab8.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/core/import-creds.h b/src/core/import-creds.h
new file mode 100644
index 0000000000..a87865c3fc
--- /dev/null
+++ b/src/core/import-creds.h
@@ -0,0 +1,4 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+int import_credentials(void);
author	Lennart Poettering <lennart@poettering.net>	2022-04-08 00:18:55 +0200
committer	Lennart Poettering <lennart@poettering.net>	2022-04-28 18:12:00 +0200
commit	4b9a4b01793170b9b17467711195552ef1f25ab8 (patch)
tree	37dd12c36b4a0667092f0a15c7ef390f610e4ba6 /src/core/import-creds.h
parent	5c1d67af465ab6921beec3f864ffdf1670ca4e1e (diff)
download	systemd-4b9a4b01793170b9b17467711195552ef1f25ab8.tar.gz