diff options
| author | Lennart Poettering <lennart@poettering.net> | 2022-04-08 00:18:55 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2022-04-28 18:12:00 +0200 |
| commit | 4b9a4b01793170b9b17467711195552ef1f25ab8 (patch) | |
| tree | 37dd12c36b4a0667092f0a15c7ef390f610e4ba6 /src/shared/creds-util.c | |
| parent | 5c1d67af465ab6921beec3f864ffdf1670ca4e1e (diff) | |
| download | systemd-4b9a4b01793170b9b17467711195552ef1f25ab8.tar.gz | |
pid1: import creds from sd-stub + qemu + kernel cmdline
Let's beef up our system credential game a bit, and explicitly import
creds from sd-stub, from qemu fw_cfg and the kernel cmdline and expose
them in the same way as those passed in from nspawn.
Specifically, this will imprt such credentials to
/run/credentials/@system (if the source can be trusted, as in the
qemu/kernel cmdline case) and /run/credentials/@encrypted (otherwise,
such as sd-stub provided ones).
Once imported we'll set the $CREDENTIALS_PATH env var for PID 1, like it
would be done by a container manager for the payload. (Conversely, we'll
also creat a symlink from /run/credentials/@system to whatever is set in
$CREDENTIALS_PATH in case we are invoked by a container manager, thus
providing a fixed path where system credentials are found).
Diffstat (limited to 'src/shared/creds-util.c')
| -rw-r--r-- | src/shared/creds-util.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c index ac53693eb0..3c89f527b4 100644 --- a/src/shared/creds-util.c +++ b/src/shared/creds-util.c @@ -33,12 +33,12 @@ bool credential_name_valid(const char *s) { return filename_is_valid(s) && fdname_is_valid(s); } -int get_credentials_dir(const char **ret) { +static int get_credentials_dir_internal(const char *envvar, const char **ret) { const char *e; assert(ret); - e = secure_getenv("CREDENTIALS_DIRECTORY"); + e = secure_getenv(envvar); if (!e) return -ENXIO; @@ -49,6 +49,14 @@ int get_credentials_dir(const char **ret) { return 0; } +int get_credentials_dir(const char **ret) { + return get_credentials_dir_internal("CREDENTIALS_DIRECTORY", ret); +} + +int get_encrypted_credentials_dir(const char **ret) { + return get_credentials_dir_internal("ENCRYPTED_CREDENTIALS_DIRECTORY", ret); +} + int read_credential(const char *name, void **ret, size_t *ret_size) { _cleanup_free_ char *fn = NULL; const char *d; |