<varlistentry>
<term><option>--cert=</option></term>
- <listitem><para>Specify the path to a file containing a server
- certificate in PEM format. This option switches
- <command>systemd-journal-gatewayd</command> into HTTPS mode
- and must be used together with
+ <listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read the
+ server certificate from. The certificate must be in PEM format. This option switches
+ <command>systemd-journal-gatewayd</command> into HTTPS mode and must be used together with
<option>--key=</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--key=</option></term>
- <listitem><para>Specify the path to a file containing a server
- key in PEM format corresponding to the certificate specified
- with <option>--cert=</option>.</para></listitem>
+ <listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read the
+ server key corresponding to the certificate specified with <option>--cert=</option> from. The key
+ must be in PEM format.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--trust=</option></term>
- <listitem><para>Specify the path to a file containing a
- CA certificate in PEM format.</para></listitem>
+ <listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read a CA
+ certificate from. The certificate must be in PEM format.</para></listitem>
</varlistentry>
<varlistentry>
<varlistentry>
<term><option>--key=</option></term>
- <listitem><para>
- Takes a path to a SSL key file in PEM format.
- Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-remote.pem</filename>.
- This option can be used with <option>--listen-https=</option>.
- </para></listitem>
+ <listitem><para> Takes a path to a SSL key file in PEM format. Defaults to
+ <filename>&CERTIFICATE_ROOT;/private/journal-remote.pem</filename>. This option can be used with
+ <option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket
+ in the file system a connection is made to it and the key read from it.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--cert=</option></term>
- <listitem><para>
- Takes a path to a SSL certificate file in PEM format.
- Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-remote.pem</filename>.
- This option can be used with <option>--listen-https=</option>.
- </para></listitem>
+ <listitem><para> Takes a path to a SSL certificate file in PEM format. Defaults to
+ <filename>&CERTIFICATE_ROOT;/certs/journal-remote.pem</filename>. This option can be used with
+ <option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket
+ in the file system a connection is made to it and the certificate read from it.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--trust=</option></term>
- <listitem><para>
- Takes a path to a SSL CA certificate file in PEM format,
- or <option>all</option>. If <option>all</option> is set,
- then certificate checking will be disabled.
- Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>.
- This option can be used with <option>--listen-https=</option>.
- </para></listitem>
+ <listitem><para> Takes a path to a SSL CA certificate file in PEM format, or <option>all</option>. If
+ <option>all</option> is set, then certificate checking will be disabled. Defaults to
+ <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>. This option can be used with
+ <option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket
+ in the file system a connection is made to it and the certificate read from it.</para></listitem>
</varlistentry>
<varlistentry>
<varlistentry>
<term><varname>KeyFile=</varname></term>
<listitem>
- <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal
- string, which will be used in the transmission channel. When this option is specified,
+ <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal string,
+ which will be used in the transmission channel. When this option is specified,
<varname>Key=</varname> is ignored. Note that the file must be readable by the user
<literal>systemd-network</literal>, so it should be, e.g., owned by
- <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
+ <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the path
+ refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made to
+ it and the key read from it.</para>
</listitem>
</varlistentry>
<varlistentry>
<varlistentry>
<term><varname>PrivateKeyFile=</varname></term>
<listitem>
- <para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface.
- When this option is specified, then <varname>PrivateKey=</varname> is ignored.
- Note that the file must be readable by the user <literal>systemd-network</literal>, so it
- should be, e.g., owned by <literal>root:systemd-network</literal> with a
- <literal>0640</literal> file mode.</para>
+ <para>Takes an absolute path to a file which contains the Base64 encoded private key for the
+ interface. When this option is specified, then <varname>PrivateKey=</varname> is ignored. Note
+ that the file must be readable by the user <literal>systemd-network</literal>, so it should be,
+ e.g., owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If
+ the path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is
+ made to it and the key read from it.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>PresharedKeyFile=</varname></term>
<listitem>
<para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
- peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored.
- Note that the file must be readable by the user <literal>systemd-network</literal>, so it
- should be, e.g., owned by <literal>root:systemd-network</literal> with a
- <literal>0640</literal> file mode.</para>
+ peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored. Note that
+ the file must be readable by the user <literal>systemd-network</literal>, so it should be, e.g.,
+ owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the
+ path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is
+ made to it and the key read from it.</para>
</listitem>
</varlistentry>
<varlistentry>
if (arg_key_pem)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Key file specified twice");
- r = read_full_file(optarg, &arg_key_pem, NULL);
+ r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_key_pem, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read key file: %m");
assert(arg_key_pem);
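Review bot: The private key at `arg_key_pem` is now read through `read_full_file_full()` with only `READ_FULL_FILE_CONNECT_SOCKET`, while the macsec and wireguard hunks in this same commit read their key material with `READ_FULL_FILE_SECURE` (and `READ_FULL_FILE_WARN_WORLD_READABLE`); since the flags argument is being touched anyway, the key read should get the same treatment so the buffer is handled as secret material, e.g. `r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_SECURE | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET, &arg_key_pem, NULL);`. The same applies to the `arg_key ?: PRIV_KEY_FILE` read in `load_certificates()` in the journal-remote hunk. The certificate and CA reads that follow are public data and can stay as they are. The enclosing option-parsing function starts and ends outside this hunk, so whether `arg_key_pem` is later released with an erasing free is not visible here and should be checked alongside this change.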
if (arg_cert_pem)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Certificate file specified twice");
- r = read_full_file(optarg, &arg_cert_pem, NULL);
+ r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_cert_pem, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read certificate file: %m");
assert(arg_cert_pem);
if (arg_trust_pem)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"CA certificate file specified twice");
- r = read_full_file(optarg, &arg_trust_pem, NULL);
+ r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_trust_pem, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read CA certificate file: %m");
assert(arg_trust_pem);
static int load_certificates(char **key, char **cert, char **trust) {
int r;
- r = read_full_file(arg_key ?: PRIV_KEY_FILE, key, NULL);
+ r = read_full_file_full(AT_FDCWD, arg_key ?: PRIV_KEY_FILE, READ_FULL_FILE_CONNECT_SOCKET, key, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read key from file '%s': %m",
arg_key ?: PRIV_KEY_FILE);
- r = read_full_file(arg_cert ?: CERT_FILE, cert, NULL);
+ r = read_full_file_full(AT_FDCWD, arg_cert ?: CERT_FILE, READ_FULL_FILE_CONNECT_SOCKET, cert, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read certificate from file '%s': %m",
arg_cert ?: CERT_FILE);
if (arg_trust_all)
log_info("Certificate checking disabled.");
else {
- r = read_full_file(arg_trust ?: TRUST_FILE, trust, NULL);
+ r = read_full_file_full(AT_FDCWD, arg_trust ?: TRUST_FILE, READ_FULL_FILE_CONNECT_SOCKET, trust, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read CA certificate file '%s': %m",
arg_trust ?: TRUST_FILE);
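Review bot: `load_certificates()` gains a second meaning for each of its three paths (a regular file or an `AF_UNIX` stream socket to connect to) but carries no comment describing that contract, and the function's body continues past the end of this hunk. A short header comment above the signature would save the next reader a trip to `read_full_file_full()`: `/* Loads key, certificate and (unless arg_trust_all) CA certificate as PEM text; each path may also be an AF_UNIX stream socket, in which case the data is read from the connection. */`. The log messages on the lines after each call still say "from file '%s'", which is now slightly misleading when the path is a socket; "from '%s'" would cover both cases.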
(void) warn_file_is_world_accessible(sa->key_file, NULL, NULL, 0);
- r = read_full_file_full(AT_FDCWD, sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE, (char **) &key, &key_len);
+ r = read_full_file_full(
+ AT_FDCWD, sa->key_file,
+ READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
+ (char **) &key, &key_len);
if (r < 0)
return log_netdev_error_errno(netdev, r,
"Failed to read key from '%s', ignoring: %m",
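Review bot: The call keeps `READ_FULL_FILE_WARN_WORLD_READABLE`, and the line above still calls `warn_file_is_world_accessible()` on `sa->key_file`, while the path may now be an `AF_UNIX` socket; for a socket inode the permission that matters is connect access rather than read access, so it is worth confirming that these mode checks either skip the socket case or are still meaningful for it (the implementation of both is outside this hunk). The wireguard hunk below has the same combination on `filename`. A one-line comment above the call, such as `/* key_file may be an AF_UNIX stream socket; world-readable warnings refer to the regular-file case */`, would make the intended scope explicit. The enclosing function starts and ends outside this hunk.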
(void) warn_file_is_world_accessible(filename, NULL, NULL, 0);
- r = read_full_file_full(AT_FDCWD, filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE, &key, &key_len);
+ r = read_full_file_full(
+ AT_FDCWD, filename,
+ READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
+ &key, &key_len);
if (r < 0)
return r;
if (r < 0)
return log_error_errno(r, "Failed to parse root hash signature '%s': %m", argv[6]);
} else {
- r = read_full_file_full(AT_FDCWD, argv[6], 0, &hash_sig, &hash_sig_size);
+ r = read_full_file_full(AT_FDCWD, argv[6], READ_FULL_FILE_CONNECT_SOCKET, &hash_sig, &hash_sig_size);
if (r < 0)
return log_error_errno(r, "Failed to read root hash signature: %m");
}