network: refuse files under API VFS specified in PrivateKeyFile= and friends

Addresses https://github.com/systemd/systemd/pull/34013#discussion_r1719890231.

diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index 4b9f19cc95cf6dc9079ddf796469d217ae54621a..187da4134411331cd2cd39e9ad32f67be44c6f82 100644 (file)
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -777,7 +777,7 @@ int config_parse_macsec_key_file(
         if (!path)
                 return log_oom();
 
-        if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
+        if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE|PATH_CHECK_NON_API_VFS, unit, filename, line, lvalue) < 0)
                 return 0;
 
         free_and_replace(*dest, path);

diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index ba013e3ba54141e4e5444e55566fe9bc6a5fd3f0..f4b7045151adb094eda2ee2974f89d02ed529fec 100644 (file)
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -574,7 +574,7 @@ int config_parse_wireguard_private_key_file(
         if (!path)
                 return log_oom();
 
-        if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
+        if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE|PATH_CHECK_NON_API_VFS, unit, filename, line, lvalue) < 0)
                 return 0;
 
         return free_and_replace(w->private_key_file, path);
@@ -652,7 +652,7 @@ int config_parse_wireguard_peer_key_file(
         if (!path)
                 return log_oom();
 
-        if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
+        if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE|PATH_CHECK_NON_API_VFS, unit, filename, line, lvalue) < 0)
                 return 0;
 
         free_and_replace(*key_file, path);