git.ipfire.org Git - thirdparty/systemd.git/commit - src/core/main.c
pid1: import creds from sd-stub + qemu + kernel cmdline
author Lennart Poettering <lennart@poettering.net>
Thu, 7 Apr 2022 22:18:55 +0000 (00:18 +0200)
committer Lennart Poettering <lennart@poettering.net>
Thu, 28 Apr 2022 16:12:00 +0000 (18:12 +0200)
commit 4b9a4b01793170b9b17467711195552ef1f25ab8
tree 37dd12c36b4a0667092f0a15c7ef390f610e4ba6
parent 5c1d67af465ab6921beec3f864ffdf1670ca4e1e

Let's beef up our system credential game a bit, and explicitly import
creds from sd-stub, from qemu fw_cfg and the kernel cmdline and expose
them in the same way as those passed in from nspawn.

Specifically, this will import such credentials to
/run/credentials/@system (if the source can be trusted, as in the
qemu/kernel cmdline case) and /run/credentials/@encrypted (otherwise,
such as sd-stub provided ones).

Once imported we'll set the $CREDENTIALS_PATH env var for PID 1, like it
would be done by a container manager for the payload. (Conversely, we'll
also create a symlink from /run/credentials/@system to whatever is set in
$CREDENTIALS_PATH in case we are invoked by a container manager, thus
providing a fixed path where system credentials are found).
src/core/import-creds.c [new file with mode: 0644]
src/core/import-creds.h [new file with mode: 0644]
src/core/main.c
src/core/meson.build
src/shared/creds-util.c
src/shared/creds-util.h