return 0;
}
+bool exec_context_has_encrypted_credentials(ExecContext *c) {
+ ExecLoadCredential *load_cred;
+ ExecSetCredential *set_cred;
+
+ assert(c);
+
+ HASHMAP_FOREACH(load_cred, c->load_credentials)
+ if (load_cred->encrypted)
+ return true;
+
+ HASHMAP_FOREACH(set_cred, c->set_credentials)
+ if (set_cred->encrypted)
+ return true;
+
+ return false;
+}
+
void exec_status_start(ExecStatus *s, pid_t pid) {
assert(s);
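Review bot: `exec_context_has_encrypted_credentials()` takes a non-const `ExecContext *c`, although the body shown only iterates the two hashmaps and reads each entry's `encrypted` flag. The neighbouring predicates visible in the header hunk (`exec_context_may_touch_console`, `exec_context_maintains_privileges`) all take `const ExecContext *c`. I would write `bool exec_context_has_encrypted_credentials(const ExecContext *c) {` here and make the same change on the prototype added in the header. A one-line comment above the definition would also help, e.g. `/* Returns true if any entry in load_credentials or set_credentials has its encrypted flag set. */`.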
bool exec_context_may_touch_console(const ExecContext *c);
bool exec_context_maintains_privileges(const ExecContext *c);
+bool exec_context_has_encrypted_credentials(ExecContext *c);
int exec_context_get_effective_ioprio(const ExecContext *c);
bool exec_context_get_effective_mount_apivfs(const ExecContext *c);
}
/* If there are encrypted credentials we might need to access the TPM. */
- bool allow_tpm = false;
- ExecLoadCredential *load_cred;
- ExecSetCredential *set_cred;
- HASHMAP_FOREACH(load_cred, ec->load_credentials)
- if ((allow_tpm |= load_cred->encrypted))
- break;
- HASHMAP_FOREACH(set_cred, ec->set_credentials)
- if ((allow_tpm |= set_cred->encrypted))
- break;
-
- if (allow_tpm) {
+ if (exec_context_has_encrypted_credentials(ec)) {
r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
if (r < 0)
return r;
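Review bot: The comment above `if (exec_context_has_encrypted_credentials(ec))` should state the policy consequence, now that the loops which made the trigger obvious sit behind a helper. The rule is added to the cgroup context `cc`, so it presumably applies to every process in the unit. It fires for any credential with `encrypted` set, whether or not that credential is actually TPM-bound; the hunk shows no finer-grained flag. Proposed wording: `/* Any encrypted credential may be TPM-bound, so allow rw on the TPM resource manager; note this widens the unit's device allow-list. */`. The enclosing function starts and ends outside the hunk, so the condition guarding this block is not visible here.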