git.ipfire.org Git - thirdparty/systemd.git/commit

fileio: beef up READ_FULL_FILE_CONNECT_SOCKET to allow setting sender socket name

This beefs up the READ_FULL_FILE_CONNECT_SOCKET logic of
read_full_file_full() a bit: when used a sender socket name may be
specified. If specified as NULL behaviour is as before: the client
socket name is picked by the kernel. But if specified as non-NULL the
client can pick a socket name to use when connecting. This is useful to
communicate a minimal amount of metainformation from client to server,
outside of the transport payload.

Specifically, these beefs up the service credential logic to pass an
abstract AF_UNIX socket name as client socket name when connecting via
READ_FULL_FILE_CONNECT_SOCKET, that includes the requesting unit name
and the eventual credential name. This allows servers implementing the
trivial credential socket logic to distinguish clients: via a simple
getpeername() it can be determined which unit is requesting a
credential, and which credential specifically.

Example: with this patch in place, in a unit file "waldo.service" a
configuration line like the following:

LoadCredential=foo:/run/quux/creds.sock

will result in a connection to the AF_UNIX socket /run/quux/creds.sock,
originating from an abstract namespace AF_UNIX socket:

@$RANDOM/unit/waldo.service/foo

(The $RANDOM is replaced by some randomized string. This is included in
the socket name order to avoid namespace squatting issues: the abstract
socket namespace is open to unprivileged users after all, and care needs
to be taken not to use guessable names)

The services listening on the /run/quux/creds.sock socket may thus
easily retrieve the name of the unit the credential is requested for
plus the credential name, via a simpler getpeername(), discarding the
random preifx and the /unit/ string.

This logic uses "/" as separator between the fields, since both unit
names and credential names appear in the file system, and thus are
designed to use "/" as outer separators. Given that it's a good safe
choice to use as separators here, too avoid any conflicts.

This is a minimal patch only: the new logic is used only for the unit
file credential logic. For other places where we use
READ_FULL_FILE_CONNECT_SOCKET it is probably a good idea to use this
scheme too, but this should be done carefully in later patches, since
the socket names become API that way, and we should determine the right
amount of info to pass over.

author	Lennart Poettering <lennart@poettering.net>
	Mon, 2 Nov 2020 11:07:51 +0000 (12:07 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Tue, 3 Nov 2020 08:48:04 +0000 (09:48 +0100)
commit	d3dcf4e3b95e3d3149ee169dc13b43e2e1a02cec
tree	c719d002955da7ac68b169a56adef4387e006fab	tree \| snapshot
parent	ff640bd2e160a74be80d2b055b5fca3cdf5cfbaf	commit \| diff

man/systemd.exec.xml		diff \| blob \| blame \| history
src/basic/fileio.c		diff \| blob \| blame \| history
src/basic/fileio.h		diff \| blob \| blame \| history
src/core/execute.c		diff \| blob \| blame \| history
src/journal-remote/journal-gatewayd.c		diff \| blob \| blame \| history
src/journal-remote/journal-remote-main.c		diff \| blob \| blame \| history
src/network/netdev/macsec.c		diff \| blob \| blame \| history
src/network/netdev/wireguard.c		diff \| blob \| blame \| history
src/nspawn/nspawn.c		diff \| blob \| blame \| history
src/partition/repart.c		diff \| blob \| blame \| history
src/shared/dissect-image.c		diff \| blob \| blame \| history
src/shared/json.c		diff \| blob \| blame \| history
src/test/test-fileio.c		diff \| blob \| blame \| history
src/veritysetup/veritysetup.c		diff \| blob \| blame \| history