-rw-r--r-- | man/systemd-journal-gatewayd.service.xml | 17 | ||||
-rw-r--r-- | man/systemd-journal-remote.service.xml | 30 | ||||
-rw-r--r-- | man/systemd.netdev.xml | 28 | ||||
-rw-r--r-- | src/journal-remote/journal-gatewayd.c | 6 | ||||
-rw-r--r-- | src/journal-remote/journal-remote-main.c | 6 | ||||
-rw-r--r-- | src/network/netdev/macsec.c | 5 | ||||
-rw-r--r-- | src/network/netdev/wireguard.c | 5 | ||||
-rw-r--r-- | src/veritysetup/veritysetup.c | 2 |
8 files changed, 52 insertions, 47 deletions
diff --git a/man/systemd-journal-gatewayd.service.xml b/man/systemd-journal-gatewayd.service.xml index 0f7aaab624..a7c50f382f 100644 --- a/man/systemd-journal-gatewayd.service.xml +++ b/man/systemd-journal-gatewayd.service.xml @@ -58,26 +58,25 @@ <varlistentry> <term><option>--cert=</option></term> - <listitem><para>Specify the path to a file containing a server - certificate in PEM format. This option switches - <command>systemd-journal-gatewayd</command> into HTTPS mode - and must be used together with + <listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read the + server certificate from. The certificate must be in PEM format. This option switches + <command>systemd-journal-gatewayd</command> into HTTPS mode and must be used together with <option>--key=</option>.</para></listitem> </varlistentry> <varlistentry> <term><option>--key=</option></term> - <listitem><para>Specify the path to a file containing a server - key in PEM format corresponding to the certificate specified - with <option>--cert=</option>.</para></listitem> + <listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read the + server key corresponding to the certificate specified with <option>--cert=</option> from. The key + must be in PEM format.</para></listitem> </varlistentry> <varlistentry> <term><option>--trust=</option></term> - <listitem><para>Specify the path to a file containing a - CA certificate in PEM format.</para></listitem> + <listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read a CA + certificate from. The certificate must be in PEM format.</para></listitem> </varlistentry> <varlistentry> diff --git a/man/systemd-journal-remote.service.xml b/man/systemd-journal-remote.service.xml index b28092d18c..1db0128f74 100644 --- a/man/systemd-journal-remote.service.xml +++ b/man/systemd-journal-remote.service.xml 
@@ -180,33 +180,29 @@ <varlistentry> <term><option>--key=</option></term> - <listitem><para> - Takes a path to a SSL key file in PEM format. - Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-remote.pem</filename>. - This option can be used with <option>--listen-https=</option>. - </para></listitem> + <listitem><para> Takes a path to a SSL key file in PEM format. Defaults to + <filename>&CERTIFICATE_ROOT;/private/journal-remote.pem</filename>. This option can be used with + <option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket + in the file system a connection is made to it and the key read from it.</para></listitem> </varlistentry> <varlistentry> <term><option>--cert=</option></term> - <listitem><para> - Takes a path to a SSL certificate file in PEM format. - Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-remote.pem</filename>. - This option can be used with <option>--listen-https=</option>. - </para></listitem> + <listitem><para> Takes a path to a SSL certificate file in PEM format. Defaults to + <filename>&CERTIFICATE_ROOT;/certs/journal-remote.pem</filename>. This option can be used with + <option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket + in the file system a connection is made to it and the certificate read from it.</para></listitem> </varlistentry> <varlistentry> <term><option>--trust=</option></term> - <listitem><para> - Takes a path to a SSL CA certificate file in PEM format, - or <option>all</option>. If <option>all</option> is set, - then certificate checking will be disabled. - Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>. - This option can be used with <option>--listen-https=</option>. - </para></listitem> + <listitem><para> Takes a path to a SSL CA certificate file in PEM format, or <option>all</option>. If + <option>all</option> is set, then certificate checking will be disabled. 
Defaults to + <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>. This option can be used with + <option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket + in the file system a connection is made to it and the certificate read from it.</para></listitem> </varlistentry> <varlistentry> diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 5516f63b65..c2957fd182 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -1028,11 +1028,13 @@ <varlistentry> <term><varname>KeyFile=</varname></term> <listitem> - <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal - string, which will be used in the transmission channel. When this option is specified, + <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal string, + which will be used in the transmission channel. When this option is specified, <varname>Key=</varname> is ignored. Note that the file must be readable by the user <literal>systemd-network</literal>, so it should be, e.g., owned by - <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para> + <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the path + refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made to + it and the key read from it.</para> </listitem> </varlistentry> <varlistentry> 
@@ -1518,11 +1520,12 @@ <varlistentry> <term><varname>PrivateKeyFile=</varname></term> <listitem> - <para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface. - When this option is specified, then <varname>PrivateKey=</varname> is ignored. - Note that the file must be readable by the user <literal>systemd-network</literal>, so it - should be, e.g., owned by <literal>root:systemd-network</literal> with a - <literal>0640</literal> file mode.</para> + <para>Takes an absolute path to a file which contains the Base64 encoded private key for the + interface. When this option is specified, then <varname>PrivateKey=</varname> is ignored. Note + that the file must be readable by the user <literal>systemd-network</literal>, so it should be, + e.g., owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If + the path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is + made to it and the key read from it.</para> </listitem> </varlistentry> <varlistentry> 
@@ -1577,10 +1580,11 @@ <term><varname>PresharedKeyFile=</varname></term> <listitem> <para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the - peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored. - Note that the file must be readable by the user <literal>systemd-network</literal>, so it - should be, e.g., owned by <literal>root:systemd-network</literal> with a - <literal>0640</literal> file mode.</para> + peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored. Note that + the file must be readable by the user <literal>systemd-network</literal>, so it should be, e.g., + owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the + path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is + made to it and the key read from it.</para> </listitem> </varlistentry> <varlistentry> diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c index 3ab7c98b0b..48106d1bdb 100644 --- a/src/journal-remote/journal-gatewayd.c +++ b/src/journal-remote/journal-gatewayd.c @@ -906,7 +906,7 @@ static int parse_argv(int argc, char *argv[]) { if (arg_key_pem) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Key file specified twice"); - r = read_full_file(optarg, &arg_key_pem, NULL); + r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_key_pem, NULL); if (r < 0) return log_error_errno(r, "Failed to read key file: %m"); assert(arg_key_pem); @@ -916,7 +916,7 @@ static int parse_argv(int argc, char *argv[]) { if (arg_cert_pem) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Certificate file specified twice"); - r = read_full_file(optarg, &arg_cert_pem, NULL); + r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_cert_pem, NULL); if (r < 0) return log_error_errno(r, "Failed to read certificate file: %m"); assert(arg_cert_pem); 
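Review bot: The private key read at the `--key=` case (the 906 hunk) still lands in an ordinary heap buffer: it passes only `READ_FULL_FILE_CONNECT_SOCKET`, whereas the macsec.c and wireguard.c hunks of this same commit combine that flag with `READ_FULL_FILE_SECURE` and `READ_FULL_FILE_WARN_WORLD_READABLE` for their key material. For the key (not for the certificate in the 916 hunk) the flag set should match, e.g. `r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_SECURE | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET, &arg_key_pem, NULL);`, and whatever later releases `arg_key_pem` should then erase it rather than plain-free it (that release path is not visible here). The same gap applies to the `--key=` read in the journal-remote-main.c `load_certificates` hunk. `parse_argv` starts and ends outside these hunks.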
@@ -927,7 +927,7 @@ static int parse_argv(int argc, char *argv[]) { if (arg_trust_pem) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "CA certificate file specified twice"); - r = read_full_file(optarg, &arg_trust_pem, NULL); + r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_trust_pem, NULL); if (r < 0) return log_error_errno(r, "Failed to read CA certificate file: %m"); assert(arg_trust_pem); diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c index 273fdf9196..77dfdefd64 100644 --- a/src/journal-remote/journal-remote-main.c +++ b/src/journal-remote/journal-remote-main.c @@ -1077,12 +1077,12 @@ static int parse_argv(int argc, char *argv[]) { static int load_certificates(char **key, char **cert, char **trust) { int r; - r = read_full_file(arg_key ?: PRIV_KEY_FILE, key, NULL); + r = read_full_file_full(AT_FDCWD, arg_key ?: PRIV_KEY_FILE, READ_FULL_FILE_CONNECT_SOCKET, key, NULL); if (r < 0) return log_error_errno(r, "Failed to read key from file '%s': %m", arg_key ?: PRIV_KEY_FILE); - r = read_full_file(arg_cert ?: CERT_FILE, cert, NULL); + r = read_full_file_full(AT_FDCWD, arg_cert ?: CERT_FILE, READ_FULL_FILE_CONNECT_SOCKET, cert, NULL); if (r < 0) return log_error_errno(r, "Failed to read certificate from file '%s': %m", arg_cert ?: CERT_FILE); @@ -1090,7 +1090,7 @@ static int load_certificates(char **key, char **cert, char **trust) { if (arg_trust_all) log_info("Certificate checking disabled."); else { - r = read_full_file(arg_trust ?: TRUST_FILE, trust, NULL); + r = read_full_file_full(AT_FDCWD, arg_trust ?: TRUST_FILE, READ_FULL_FILE_CONNECT_SOCKET, trust, NULL); if (r < 0) return log_error_errno(r, "Failed to read CA certificate file '%s': %m", arg_trust ?: TRUST_FILE); diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c index ab55a4a489..2ffa5ec8c6 100644 --- a/src/network/netdev/macsec.c +++ b/src/network/netdev/macsec.c 
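Review bot: `load_certificates` now connects to whatever sits at `arg_key ?: PRIV_KEY_FILE`, `arg_cert ?: CERT_FILE` and `arg_trust ?: TRUST_FILE`, including the compiled-in defaults, and reads until the peer closes; nothing in the hunk bounds how long a peer that accepts the connection but never writes or closes can hold the service in startup, unless `read_full_file_full` itself applies a timeout (not visible here). A short comment above the first call would make the new behaviour explicit for the next maintainer, e.g. `/* Any of these paths may be an AF_UNIX stream socket (READ_FULL_FILE_CONNECT_SOCKET): we connect and read until EOF, so a peer that never closes blocks startup. */`. The same consideration applies to the three `parse_argv` reads in journal-gatewayd.c and to the veritysetup.c hunk, where the root hash signature is read the same way. `load_certificates` begins in the 1077 hunk but ends outside the 1090 hunk.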
@@ -983,7 +983,10 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) { (void) warn_file_is_world_accessible(sa->key_file, NULL, NULL, 0); - r = read_full_file_full(AT_FDCWD, sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE, (char **) &key, &key_len); + r = read_full_file_full( + AT_FDCWD, sa->key_file, + READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET, + (char **) &key, &key_len); if (r < 0) return log_netdev_error_errno(netdev, r, "Failed to read key from '%s', ignoring: %m", diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c index 9636ac7736..6812b07bff 100644 --- a/src/network/netdev/wireguard.c +++ b/src/network/netdev/wireguard.c @@ -888,7 +888,10 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_ (void) warn_file_is_world_accessible(filename, NULL, NULL, 0); - r = read_full_file_full(AT_FDCWD, filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE, &key, &key_len); + r = read_full_file_full( + AT_FDCWD, filename, + READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET, + &key, &key_len); if (r < 0) return r; diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c index 465d194b40..e475402d9d 100644 --- a/src/veritysetup/veritysetup.c +++ b/src/veritysetup/veritysetup.c @@ -100,7 +100,7 @@ static int run(int argc, char *argv[]) { if (r < 0) return log_error_errno(r, "Failed to parse root hash signature '%s': %m", argv[6]); } else { - r = read_full_file_full(AT_FDCWD, argv[6], 0, &hash_sig, &hash_sig_size); + r = read_full_file_full(AT_FDCWD, argv[6], READ_FULL_FILE_CONNECT_SOCKET, &hash_sig, &hash_sig_size); if (r < 0) return log_error_errno(r, "Failed to read root hash signature: %m"); } |
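Review bot: With `READ_FULL_FILE_CONNECT_SOCKET` added, the preceding `(void) warn_file_is_world_accessible(sa->key_file, NULL, NULL, 0)` and the `READ_FULL_FILE_WARN_WORLD_READABLE` flag still judge the path by its mode bits, but when that path is an AF_UNIX socket the bit that matters is write (connect) permission rather than read: a world-writable socket lets any local user connect, and whether the peer then hands over the key depends entirely on the serving side, while the `0640` mode the netdev man page in this commit recommends would stop `systemd-network` itself from connecting. If `warn_file_is_world_accessible` only inspects the read bits (its body is not visible here, so this is inferred), the socket case should warn on world-writable instead, and the man page text should say the socket must be connectable by `systemd-network`. The same applies to the wireguard.c hunk, whose `wireguard_read_key_file` signature is cut off at the hunk header. Both `macsec_read_key_file` and `wireguard_read_key_file` start and end outside their hunks.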