From f294470262fed5dffbfd055b0054370dc3021662 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 17 Jul 2020 11:53:22 +0200
Subject: [PATCH] fileio: add explicit flag for generating world executable
 warning when reading file

---
 src/basic/fileio.c             | 2 +-
 src/basic/fileio.h             | 7 ++++---
 src/network/netdev/macsec.c    | 2 +-
 src/network/netdev/wireguard.c | 2 +-
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/basic/fileio.c b/src/basic/fileio.c
index f2f1e1139f7..6478a14097d 100644
--- a/src/basic/fileio.c
+++ b/src/basic/fileio.c
@@ -505,7 +505,7 @@ int read_full_stream_full(
                         if (st.st_size > 0)
                                 n_next = st.st_size + 1;
 
-                        if (flags & READ_FULL_FILE_SECURE)
+                        if (flags & READ_FULL_FILE_WARN_WORLD_READABLE)
                                 (void) warn_file_is_world_accessible(filename, &st, NULL, 0);
                 }
         }
diff --git a/src/basic/fileio.h b/src/basic/fileio.h
index e2830b7963e..4ce51265157 100644
--- a/src/basic/fileio.h
+++ b/src/basic/fileio.h
@@ -32,9 +32,10 @@ typedef enum {
 } WriteStringFileFlags;
 
 typedef enum {
-        READ_FULL_FILE_SECURE   = 1 << 0,
-        READ_FULL_FILE_UNBASE64 = 1 << 1,
-        READ_FULL_FILE_UNHEX    = 1 << 2,
+        READ_FULL_FILE_SECURE              = 1 << 0,
+        READ_FULL_FILE_UNBASE64            = 1 << 1,
+        READ_FULL_FILE_UNHEX               = 1 << 2,
+        READ_FULL_FILE_WARN_WORLD_READABLE = 1 << 3,
 } ReadFullFileFlags;
 
 int fopen_unlocked(const char *path, const char *options, FILE **ret);
diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index 57d8f567b96..ab55a4a4894 100644
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -983,7 +983,7 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
 
         (void) warn_file_is_world_accessible(sa->key_file, NULL, NULL, 0);
 
-        r = read_full_file_full(AT_FDCWD, sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX, (char **) &key, &key_len);
+        r = read_full_file_full(AT_FDCWD, sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE, (char **) &key, &key_len);
         if (r < 0)
                 return log_netdev_error_errno(netdev, r,
                                               "Failed to read key from '%s', ignoring: %m",
diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index b6af9925b74..9636ac77367 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -888,7 +888,7 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_
 
         (void) warn_file_is_world_accessible(filename, NULL, NULL, 0);
 
-        r = read_full_file_full(AT_FDCWD, filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64, &key, &key_len);
+        r = read_full_file_full(AT_FDCWD, filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE, &key, &key_len);
         if (r < 0)
                 return r;
 
-- 
2.47.3