bootctl: switch a few getenv() calls to secure_getenv()

Following the rule that we should always prefer the secure flavour over
the regular one unless there's a clear reason for the regular one, let's
switch this over. Better safe than sorry.

diff --git a/src/bootctl/bootctl-install.c b/src/bootctl/bootctl-install.c
index 197c9d5bd631879322940fbf2b68d3c0223f1f18..0d07f5447803568f6c5d81b19a46f694a3d0a0dc 100644 (file)
--- a/src/bootctl/bootctl-install.c
+++ b/src/bootctl/bootctl-install.c
@@ -102,7 +102,7 @@ static int load_kernel_install_layout(void) {
         int r;
 
         r = load_kernel_install_conf(arg_root,
-                                     getenv("KERNEL_INSTALL_CONF_ROOT"),
+                                     secure_getenv("KERNEL_INSTALL_CONF_ROOT"),
                                      /* ret_machine_id= */ NULL,
                                      /* ret_boot_root= */ NULL,
                                      &layout,
@@ -578,7 +578,7 @@ static int install_entry_token(void) {
         if (!arg_make_entry_directory && arg_entry_token_type == BOOT_ENTRY_TOKEN_MACHINE_ID)
                 return 0;
 
-        p = path_join(arg_root, getenv("KERNEL_INSTALL_CONF_ROOT") ?: "/etc/kernel/", "entry-token");
+        p = path_join(arg_root, secure_getenv("KERNEL_INSTALL_CONF_ROOT") ?: "/etc/kernel/", "entry-token");
         if (!p)
                 return log_oom();
 

diff --git a/src/bootctl/bootctl-random-seed.c b/src/bootctl/bootctl-random-seed.c
index 7cd39624c11a1df236d2cf19b0f63c0c6a57a182..c4811aace33d8dd732c9d1f0b7ceaaeb8349359c 100644 (file)
--- a/src/bootctl/bootctl-random-seed.c
+++ b/src/bootctl/bootctl-random-seed.c
@@ -61,7 +61,7 @@ static int set_system_token(void) {
         if (!touch_variables())
                 return 0;
 
-        r = getenv_bool("SYSTEMD_WRITE_SYSTEM_TOKEN");
+        r = secure_getenv_bool("SYSTEMD_WRITE_SYSTEM_TOKEN");
         if (r < 0) {
                 if (r != -ENXIO)
                         log_warning_errno(r, "Failed to parse $SYSTEMD_WRITE_SYSTEM_TOKEN, ignoring.");

diff --git a/src/bootctl/bootctl-util.c b/src/bootctl/bootctl-util.c
index 381c6f8af6500d6cf823e14818a38404228200ae..f5642827acaa44f2b3d21095ab5b5b9daf4090ff 100644 (file)
--- a/src/bootctl/bootctl-util.c
+++ b/src/bootctl/bootctl-util.c
@@ -124,7 +124,7 @@ int settle_entry_token(void) {
 
         r = boot_entry_token_ensure(
                         arg_root,
-                        getenv("KERNEL_INSTALL_CONF_ROOT"),
+                        secure_getenv("KERNEL_INSTALL_CONF_ROOT"),
                         arg_machine_id,
                         /* machine_id_is_random = */ false,
                         &arg_entry_token_type,