From: Yu Watanabe
Date: Fri, 16 Aug 2024 17:01:51 +0000 (+0900)
Subject: network: refuse files under API VFS specified in PrivateKeyFile= and friends
X-Git-Tag: v257-rc1~689
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c53a28cea19b993b4eb138da872c544e507bdfdc;p=thirdparty%2Fsystemd.git
network: refuse files under API VFS specified in PrivateKeyFile= and friends
Addresses https://github.com/systemd/systemd/pull/34013#discussion_r1719890231.
---
diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index 4b9f19cc95c..187da413441 100644
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -777,7 +777,7 @@ int config_parse_macsec_key_file(
 if (!path)
 return log_oom();
- if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
+ if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE|PATH_CHECK_NON_API_VFS, unit, filename, line, lvalue) < 0)
 return 0;
 free_and_replace(*dest, path);
diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index ba013e3ba54..f4b7045151a 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -574,7 +574,7 @@ int config_parse_wireguard_private_key_file(
 if (!path)
 return log_oom();
- if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
+ if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE|PATH_CHECK_NON_API_VFS, unit, filename, line, lvalue) < 0)
 return 0;
 return free_and_replace(w->private_key_file, path);
@@ -652,7 +652,7 @@ int config_parse_wireguard_peer_key_file(
 if (!path)
 return log_oom();
- if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
+ if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE|PATH_CHECK_NON_API_VFS, unit, filename, line, lvalue) < 0)
 return 0;
 free_and_replace(*key_file, path);
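Review bot: The `PATH_CHECK_NON_API_VFS` flag added to the `path_simplify_and_warn()` call in `config_parse_macsec_key_file()` is applied to the configured string at parse time. If that check is purely lexical (its implementation is not part of this diff), a path outside the API file systems that reaches one through a symlink would still be accepted. The same applies to the identical changes in `config_parse_wireguard_private_key_file()` and `config_parse_wireguard_peer_key_file()`. It is worth confirming that the code which later opens the key file rejects non-regular files on the resolved path, and recording the limit next to the check, e.g. `/* Lexical check only: a symlink into an API VFS is not caught here, the reader must verify the opened file. */`. The diff touches only the two parsers, so the man page entries for these key-file settings presumably still need a sentence saying that paths below the API file systems are refused. All three functions begin and end outside their hunks.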