diff options
| author | Lennart Poettering <lennart@poettering.net> | 2022-04-08 00:18:55 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2022-04-28 18:12:00 +0200 |
| commit | 4b9a4b01793170b9b17467711195552ef1f25ab8 (patch) | |
| tree | 37dd12c36b4a0667092f0a15c7ef390f610e4ba6 /src/core/meson.build | |
| parent | 5c1d67af465ab6921beec3f864ffdf1670ca4e1e (diff) | |
| download | systemd-4b9a4b01793170b9b17467711195552ef1f25ab8.tar.gz | |
pid1: import creds from sd-stub + qemu + kernel cmdline
Let's beef up our system credential game a bit, and explicitly import
creds from sd-stub, from qemu fw_cfg and the kernel cmdline and expose
them in the same way as those passed in from nspawn.
Specifically, this will imprt such credentials to
/run/credentials/@system (if the source can be trusted, as in the
qemu/kernel cmdline case) and /run/credentials/@encrypted (otherwise,
such as sd-stub provided ones).
Once imported we'll set the $CREDENTIALS_PATH env var for PID 1, like it
would be done by a container manager for the payload. (Conversely, we'll
also creat a symlink from /run/credentials/@system to whatever is set in
$CREDENTIALS_PATH in case we are invoked by a container manager, thus
providing a fixed path where system credentials are found).
Diffstat (limited to 'src/core/meson.build')
| -rw-r--r-- | src/core/meson.build | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/core/meson.build b/src/core/meson.build index ee2f8774bf..1e8b6dc310 100644 --- a/src/core/meson.build +++ b/src/core/meson.build @@ -73,6 +73,8 @@ libcore_sources = ''' generator-setup.h ima-setup.c ima-setup.h + import-creds.c + import-creds.h job.c job.h kill.c |