core: move encrypted credential check to execute.c
authorLennart Poettering <lennart@poettering.net>
Thu, 23 Mar 2023 12:58:34 +0000 (13:58 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 23 Mar 2023 17:22:27 +0000 (18:22 +0100)
This is an operation on an ExecContext, hence it probably should be
placed there.

src/core/execute.c
src/core/execute.h
src/core/unit.c

index 8609a0ba3146a8613f58cf53251c65379ea7a2e8..f8ac4705e77a1d87dcd6d493b83a69a3e21f3ac7 100644 (file)
@@ -6782,6 +6782,23 @@ int exec_context_get_clean_mask(ExecContext *c, ExecCleanMask *ret) {
         return 0;
 }
 
+bool exec_context_has_encrypted_credentials(ExecContext *c) {
+        ExecLoadCredential *load_cred;
+        ExecSetCredential *set_cred;
+
+        assert(c);
+
+        HASHMAP_FOREACH(load_cred, c->load_credentials)
+                if (load_cred->encrypted)
+                        return true;
+
+        HASHMAP_FOREACH(set_cred, c->set_credentials)
+                if (set_cred->encrypted)
+                        return true;
+
+        return false;
+}
+
 void exec_status_start(ExecStatus *s, pid_t pid) {
         assert(s);
 
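Review bot: The new predicate at `exec_context_has_encrypted_credentials(ExecContext *c)` takes a mutable pointer although its body only reads `c->load_credentials` and `c->set_credentials`. The neighbouring predicates in execute.h (`exec_context_may_touch_console`, `exec_context_maintains_privileges`) all take `const ExecContext *c`. I would declare it `bool exec_context_has_encrypted_credentials(const ExecContext *c)` here and in the prototype added by the execute.h hunk; the two loops should compile unchanged, since they only iterate the hashmap pointers. The function also decides whether the unit is given TPM device access, so a short comment above it would help, e.g. `/* Returns true if at least one load or set credential of this context is marked encrypted. */`.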
index 1d264782fcecaa258261d57c9b68e4853117dcfd..ff537b77cb6df58453cc8d5de40dbed71a4256a9 100644 (file)
@@ -466,6 +466,7 @@ const char* exec_context_fdname(const ExecContext *c, int fd_index);
 
 bool exec_context_may_touch_console(const ExecContext *c);
 bool exec_context_maintains_privileges(const ExecContext *c);
+bool exec_context_has_encrypted_credentials(ExecContext *c);
 
 int exec_context_get_effective_ioprio(const ExecContext *c);
 bool exec_context_get_effective_mount_apivfs(const ExecContext *c);
index ecf3b2b7fc70571fc6b7700a61c1483d951a66be..70f270e87472248be058be335779d208a6ad8154 100644 (file)
@@ -4216,17 +4216,7 @@ int unit_patch_contexts(Unit *u) {
                         }
 
                         /* If there are encrypted credentials we might need to access the TPM. */
-                        bool allow_tpm = false;
-                        ExecLoadCredential *load_cred;
-                        ExecSetCredential *set_cred;
-                        HASHMAP_FOREACH(load_cred, ec->load_credentials)
-                                if ((allow_tpm |= load_cred->encrypted))
-                                        break;
-                        HASHMAP_FOREACH(set_cred, ec->set_credentials)
-                                if ((allow_tpm |= set_cred->encrypted))
-                                        break;
-
-                        if (allow_tpm) {
+                        if (exec_context_has_encrypted_credentials(ec)) {
                                 r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
                                 if (r < 0)
                                         return r;
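Review bot: The comment above the `exec_context_has_encrypted_credentials(ec)` check says only that the TPM might be needed, not what the grant covers. `cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw")` adds the rule to the unit's cgroup context, so presumably every process in the unit, not just credential setup, gets read-write access to the TPM resource manager device. I would extend the comment to something like `/* Encrypted credentials may need the TPM for decryption; this adds /dev/tpmrm0 rw to the unit's device allow list, so the service payload can open it too. */` so that anyone auditing device policy sees the trade-off. The enclosing branch of unit_patch_contexts starts and ends outside the hunk, so the surrounding device-policy condition cannot be checked from here.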