diff options
| -rw-r--r-- | docs/CREDENTIALS.md | 6 | ||||
| -rw-r--r-- | man/systemd.link.xml | 12 | ||||
| -rw-r--r-- | man/systemd.netdev.xml | 1 | ||||
| -rw-r--r-- | man/systemd.network.xml | 1 | ||||
| -rw-r--r-- | man/systemd.unit.xml | 13 | ||||
| -rw-r--r-- | src/core/load-fragment-gperf.gperf.in | 2 | ||||
| -rw-r--r-- | src/network/netdev/netdev-gperf.gperf | 1 | ||||
| -rw-r--r-- | src/network/networkd-network-gperf.gperf | 1 | ||||
| -rw-r--r-- | src/shared/condition.c | 44 | ||||
| -rw-r--r-- | src/shared/condition.h | 1 | ||||
| -rw-r--r-- | src/test/test-condition.c | 59 | ||||
| -rw-r--r-- | src/udev/net/link-config-gperf.gperf | 1 | ||||
| -rwxr-xr-x | test/units/testsuite-54.sh | 6 |
13 files changed, 148 insertions, 0 deletions
diff --git a/docs/CREDENTIALS.md b/docs/CREDENTIALS.md index bbd92ad3c9..4ba3784469 100644 --- a/docs/CREDENTIALS.md +++ b/docs/CREDENTIALS.md @@ -395,3 +395,9 @@ in `/etc/credstore/`, `/run/credstore/`, `/usr/lib/credstore/`. `LoadCredentialEncrypted=` will also search `/etc/credstore.encrypted/` and similar directories. These directories are hence a great place to store credentials to load on the system. + +## Conditionalizing Services + +Sometimes it makes sense to conditionalize system services and invoke them only +if the right system credential is passed to the system. use the +`ConditionCredential=` and `AssertCredential=` unit file settings for that. diff --git a/man/systemd.link.xml b/man/systemd.link.xml index de23b941ad..d933632393 100644 --- a/man/systemd.link.xml +++ b/man/systemd.link.xml @@ -269,6 +269,18 @@ </listitem> </varlistentry> + <varlistentry id='credential'> + <term><varname>Credential=</varname></term> + <listitem> + <para>Checks whether the specified credential was passed to the + <filename>systemd-networkd.service</filename> service. See <ulink + url="https://systemd.io/CREDENTIALS">System and Service Credentials</ulink> for details. When + prefixed with an exclamation mark (<literal>!</literal>), the result is negated. If an empty + string is assigned, the previously assigned value is cleared. + </para> + </listitem> + </varlistentry> + <varlistentry id='architecture'> <term><varname>Architecture=</varname></term> <listitem> diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 7d3a4f95c8..c3578fc2da 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml @@ -217,6 +217,7 @@ <xi:include href="systemd.link.xml" xpointer="virtualization" /> <xi:include href="systemd.link.xml" xpointer="kernel-command-line" /> <xi:include href="systemd.link.xml" xpointer="kernel-version" /> + <xi:include href="systemd.link.xml" xpointer="credential" /> <xi:include href="systemd.link.xml" xpointer="architecture" /> <xi:include href="systemd.link.xml" xpointer="firmware" /> </variablelist> diff --git a/man/systemd.network.xml b/man/systemd.network.xml index 516a42e25a..70d2c34a40 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml @@ -135,6 +135,7 @@ <xi:include href="systemd.link.xml" xpointer="virtualization" /> <xi:include href="systemd.link.xml" xpointer="kernel-command-line" /> <xi:include href="systemd.link.xml" xpointer="kernel-version" /> + <xi:include href="systemd.link.xml" xpointer="credential" /> <xi:include href="systemd.link.xml" xpointer="architecture" /> <xi:include href="systemd.link.xml" xpointer="firmware" /> </variablelist> diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 55f32f3272..ea95ba8869 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -1331,6 +1331,19 @@ </varlistentry> <varlistentry> + <term><varname>ConditionCredential=</varname></term> + + <listitem><para><varname>ConditionCredential=</varname> may be used to check whether a credential + by the specified name was passed into the service manager. See <ulink + url="https://systemd.io/CREDENTIALS">System and Service Credentials</ulink> for details about + credentials. If used in services for the system service manager this may be used to conditionalize + services based on system credentials passed in. If used in services for the per-user service + manager this may be used to conditionalize services based on credentials passed into the + <filename>unit@.service</filename> service instance belonging to the user. The argument must be a + valid credential name.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>ConditionEnvironment=</varname></term> <listitem><para><varname>ConditionEnvironment=</varname> may be used to check whether a specific diff --git a/src/core/load-fragment-gperf.gperf.in b/src/core/load-fragment-gperf.gperf.in index 7817c20c0b..54c1c0bb56 100644 --- a/src/core/load-fragment-gperf.gperf.in +++ b/src/core/load-fragment-gperf.gperf.in @@ -332,6 +332,7 @@ Unit.ConditionVirtualization, config_parse_unit_condition_string, Unit.ConditionHost, config_parse_unit_condition_string, CONDITION_HOST, offsetof(Unit, conditions) Unit.ConditionKernelCommandLine, config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE, offsetof(Unit, conditions) Unit.ConditionKernelVersion, config_parse_unit_condition_string, CONDITION_KERNEL_VERSION, offsetof(Unit, conditions) +Unit.ConditionCredential, config_parse_unit_condition_string, CONDITION_CREDENTIAL, offsetof(Unit, conditions) Unit.ConditionSecurity, config_parse_unit_condition_string, CONDITION_SECURITY, offsetof(Unit, conditions) Unit.ConditionCapability, config_parse_unit_condition_string, CONDITION_CAPABILITY, offsetof(Unit, conditions) Unit.ConditionACPower, config_parse_unit_condition_string, CONDITION_AC_POWER, offsetof(Unit, conditions) @@ -363,6 +364,7 @@ Unit.AssertVirtualization, config_parse_unit_condition_string, Unit.AssertHost, config_parse_unit_condition_string, CONDITION_HOST, offsetof(Unit, asserts) Unit.AssertKernelCommandLine, config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE, offsetof(Unit, asserts) Unit.AssertKernelVersion, config_parse_unit_condition_string, CONDITION_KERNEL_VERSION, offsetof(Unit, asserts) +Unit.AssertCredential, config_parse_unit_condition_string, CONDITION_CREDENTIAL, offsetof(Unit, asserts) Unit.AssertSecurity, config_parse_unit_condition_string, CONDITION_SECURITY, offsetof(Unit, asserts) Unit.AssertCapability, config_parse_unit_condition_string, CONDITION_CAPABILITY, offsetof(Unit, asserts) Unit.AssertACPower, config_parse_unit_condition_string, CONDITION_AC_POWER, offsetof(Unit, asserts) diff --git a/src/network/netdev/netdev-gperf.gperf b/src/network/netdev/netdev-gperf.gperf index 55ad60ddc8..162664ecf1 100644 --- a/src/network/netdev/netdev-gperf.gperf +++ b/src/network/netdev/netdev-gperf.gperf @@ -45,6 +45,7 @@ Match.Host, config_parse_net_condition, Match.Virtualization, config_parse_net_condition, CONDITION_VIRTUALIZATION, offsetof(NetDev, conditions) Match.KernelCommandLine, config_parse_net_condition, CONDITION_KERNEL_COMMAND_LINE, offsetof(NetDev, conditions) Match.KernelVersion, config_parse_net_condition, CONDITION_KERNEL_VERSION, offsetof(NetDev, conditions) +Match.Credential, config_parse_net_condition, CONDITION_CREDENTIAL, offsetof(NetDev, conditions) Match.Architecture, config_parse_net_condition, CONDITION_ARCHITECTURE, offsetof(NetDev, conditions) Match.Firmware, config_parse_net_condition, CONDITION_FIRMWARE, offsetof(NetDev, conditions) NetDev.Description, config_parse_string, 0, offsetof(NetDev, description) diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf index 0b0c8da27b..13d521e37a 100644 --- a/src/network/networkd-network-gperf.gperf +++ b/src/network/networkd-network-gperf.gperf @@ -62,6 +62,7 @@ Match.Host, config_parse_net_condition, Match.Virtualization, config_parse_net_condition, CONDITION_VIRTUALIZATION, offsetof(Network, conditions) Match.KernelCommandLine, config_parse_net_condition, CONDITION_KERNEL_COMMAND_LINE, offsetof(Network, conditions) Match.KernelVersion, config_parse_net_condition, CONDITION_KERNEL_VERSION, offsetof(Network, conditions) +Match.Credential, config_parse_net_condition, CONDITION_CREDENTIAL, offsetof(Network, conditions) Match.Architecture, config_parse_net_condition, CONDITION_ARCHITECTURE, offsetof(Network, conditions) Match.Firmware, config_parse_net_condition, CONDITION_FIRMWARE, offsetof(Network, conditions) Link.MACAddress, config_parse_hw_addr, 0, offsetof(Network, hw_addr) diff --git a/src/shared/condition.c b/src/shared/condition.c index 640dd96eb2..2fc22c3714 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c @@ -22,6 +22,7 @@ #include "cgroup-util.h" #include "condition.h" #include "cpu-set-util.h" +#include "creds-util.h" #include "efi-api.h" #include "env-file.h" #include "env-util.h" @@ -140,6 +141,46 @@ static int condition_test_kernel_command_line(Condition *c, char **env) { return false; } +static int condition_test_credential(Condition *c, char **env) { + int (*gd)(const char **ret); + int r; + + assert(c); + assert(c->parameter); + assert(c->type == CONDITION_CREDENTIAL); + + /* For now we'll do a very simple existance check and are happy with either a regular or an encrypted + * credential. Given that we check the syntax of the argument we have the option to later maybe allow + * contents checks too without breaking compatibility, but for now let's be minimalistic. */ + + if (!credential_name_valid(c->parameter)) /* credentials with invalid names do not exist */ + return false; + + FOREACH_POINTER(gd, get_credentials_dir, get_encrypted_credentials_dir) { + _cleanup_free_ char *j = NULL; + const char *cd; + + r = gd(&cd); + if (r == -ENXIO) /* no env var set */ + continue; + if (r < 0) + return r; + + j = path_join(cd, c->parameter); + if (!j) + return -ENOMEM; + + if (laccess(j, F_OK) >= 0) + return true; /* yay! */ + if (errno != ENOENT) + return -errno; + + /* not found in this dir */ + } + + return false; +} + typedef enum { /* Listed in order of checking. Note that some comparators are prefixes of others, hence the longest * should be listed first. */ @@ -1099,6 +1140,7 @@ int condition_test(Condition *c, char **env) { [CONDITION_FILE_IS_EXECUTABLE] = condition_test_file_is_executable, [CONDITION_KERNEL_COMMAND_LINE] = condition_test_kernel_command_line, [CONDITION_KERNEL_VERSION] = condition_test_kernel_version, + [CONDITION_CREDENTIAL] = condition_test_credential, [CONDITION_VIRTUALIZATION] = condition_test_virtualization, [CONDITION_SECURITY] = condition_test_security, [CONDITION_CAPABILITY] = condition_test_capability, @@ -1218,6 +1260,7 @@ static const char* const condition_type_table[_CONDITION_TYPE_MAX] = { [CONDITION_HOST] = "ConditionHost", [CONDITION_KERNEL_COMMAND_LINE] = "ConditionKernelCommandLine", [CONDITION_KERNEL_VERSION] = "ConditionKernelVersion", + [CONDITION_CREDENTIAL] = "ConditionCredential", [CONDITION_SECURITY] = "ConditionSecurity", [CONDITION_CAPABILITY] = "ConditionCapability", [CONDITION_AC_POWER] = "ConditionACPower", @@ -1255,6 +1298,7 @@ static const char* const assert_type_table[_CONDITION_TYPE_MAX] = { [CONDITION_HOST] = "AssertHost", [CONDITION_KERNEL_COMMAND_LINE] = "AssertKernelCommandLine", [CONDITION_KERNEL_VERSION] = "AssertKernelVersion", + [CONDITION_CREDENTIAL] = "AssertCredential", [CONDITION_SECURITY] = "AssertSecurity", [CONDITION_CAPABILITY] = "AssertCapability", [CONDITION_AC_POWER] = "AssertACPower", diff --git a/src/shared/condition.h b/src/shared/condition.h index 2bbb7fa7f4..54cc904feb 100644 --- a/src/shared/condition.h +++ b/src/shared/condition.h @@ -14,6 +14,7 @@ typedef enum ConditionType { CONDITION_HOST, CONDITION_KERNEL_COMMAND_LINE, CONDITION_KERNEL_VERSION, + CONDITION_CREDENTIAL, CONDITION_SECURITY, CONDITION_CAPABILITY, CONDITION_AC_POWER, diff --git a/src/test/test-condition.c b/src/test/test-condition.c index fb82f44d04..56b5ad88a2 100644 --- a/src/test/test-condition.c +++ b/src/test/test-condition.c @@ -15,7 +15,9 @@ #include "condition.h" #include "cpu-set-util.h" #include "efi-loader.h" +#include "env-util.h" #include "errno-util.h" +#include "fs-util.h" #include "hostname-util.h" #include "id128-util.h" #include "ima-util.h" @@ -24,14 +26,17 @@ #include "macro.h" #include "nulstr-util.h" #include "os-util.h" +#include "path-util.h" #include "process-util.h" #include "psi-util.h" +#include "rm-rf.h" #include "selinux-util.h" #include "set.h" #include "smack-util.h" #include "string-util.h" #include "strv.h" #include "tests.h" +#include "tmpfile-util.h" #include "tomoyo-util.h" #include "udev-util.h" #include "uid-alloc-range.h" @@ -460,6 +465,60 @@ TEST(condition_test_kernel_version) { condition_free(condition); } +TEST(condition_test_credential) { + _cleanup_(rm_rf_physical_and_freep) char *n1 = NULL, *n2 = NULL; + _cleanup_free_ char *d1 = NULL, *d2 = NULL, *j = NULL; + Condition *condition; + + assert_se(free_and_strdup(&d1, getenv("CREDENTIALS_DIRECTORY")) >= 0); + assert_se(free_and_strdup(&d2, getenv("ENCRYPTED_CREDENTIALS_DIRECTORY")) >= 0); + + assert_se(unsetenv("CREDENTIALS_DIRECTORY") >= 0); + assert_se(unsetenv("ENCRYPTED_CREDENTIALS_DIRECTORY") >= 0); + + condition = condition_new(CONDITION_CREDENTIAL, "definitelymissing", /* trigger= */ false, /* negate= */ false); + assert_se(condition); + assert_se(condition_test(condition, environ) == 0); + condition_free(condition); + + /* invalid */ + condition = condition_new(CONDITION_CREDENTIAL, "..", /* trigger= */ false, /* negate= */ false); + assert_se(condition); + assert_se(condition_test(condition, environ) == 0); + condition_free(condition); + + assert_se(mkdtemp_malloc(NULL, &n1) >= 0); + assert_se(mkdtemp_malloc(NULL, &n2) >= 0); + + assert_se(setenv("CREDENTIALS_DIRECTORY", n1, /* overwrite= */ true) >= 0); + assert_se(setenv("ENCRYPTED_CREDENTIALS_DIRECTORY", n2, /* overwrite= */ true) >= 0); + + condition = condition_new(CONDITION_CREDENTIAL, "stillmissing", /* trigger= */ false, /* negate= */ false); + assert_se(condition); + assert_se(condition_test(condition, environ) == 0); + condition_free(condition); + + assert_se(j = path_join(n1, "existing")); + assert_se(touch(j) >= 0); + assert_se(j); + condition = condition_new(CONDITION_CREDENTIAL, "existing", /* trigger= */ false, /* negate= */ false); + assert_se(condition); + assert_se(condition_test(condition, environ) > 0); + condition_free(condition); + free(j); + + assert_se(j = path_join(n2, "existing-encrypted")); + assert_se(touch(j) >= 0); + assert_se(j); + condition = condition_new(CONDITION_CREDENTIAL, "existing-encrypted", /* trigger= */ false, /* negate= */ false); + assert_se(condition); + assert_se(condition_test(condition, environ) > 0); + condition_free(condition); + + assert_se(set_unset_env("CREDENTIALS_DIRECTORY", d1, /* overwrite= */ true) >= 0); + assert_se(set_unset_env("ENCRYPTED_CREDENTIALS_DIRECTORY", d2, /* overwrite= */ true) >= 0); +} + #if defined(__i386__) || defined(__x86_64__) TEST(condition_test_cpufeature) { Condition *condition; diff --git a/src/udev/net/link-config-gperf.gperf b/src/udev/net/link-config-gperf.gperf index 96280148c7..240f16e251 100644 --- a/src/udev/net/link-config-gperf.gperf +++ b/src/udev/net/link-config-gperf.gperf @@ -34,6 +34,7 @@ Match.Host, config_parse_net_condition, Match.Virtualization, config_parse_net_condition, CONDITION_VIRTUALIZATION, offsetof(LinkConfig, conditions) Match.KernelCommandLine, config_parse_net_condition, CONDITION_KERNEL_COMMAND_LINE, offsetof(LinkConfig, conditions) Match.KernelVersion, config_parse_net_condition, CONDITION_KERNEL_VERSION, offsetof(LinkConfig, conditions) +Match.Credential, config_parse_net_condition, CONDITION_CREDENTIAL, offsetof(LinkConfig, conditions) Match.Architecture, config_parse_net_condition, CONDITION_ARCHITECTURE, offsetof(LinkConfig, conditions) Match.Firmware, config_parse_net_condition, CONDITION_FIRMWARE, offsetof(LinkConfig, conditions) Link.Description, config_parse_string, 0, offsetof(LinkConfig, description) diff --git a/test/units/testsuite-54.sh b/test/units/testsuite-54.sh index 151a7987d5..771b041bf1 100755 --- a/test/units/testsuite-54.sh +++ b/test/units/testsuite-54.sh @@ -58,6 +58,12 @@ if [ "$expected_credential" != "" ] ; then # Combine it with a fallback (which should have no effect, given the cred should be passed down) [ "$(systemd-run -p LoadCredential="$expected_credential" -p SetCredential="$expected_credential":zzz --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ] + + # This should succeed + systemd-run -p AssertCredential="$expected_credential" -p Type=oneshot true + + # And this should fail + systemd-run -p AssertCredential="undefinedcredential" -p Type=oneshot true && { echo 'unexpected success'; exit 1; } fi # Verify that the creds are immutable |