if (arg_system)
/* PID 1 ensures that system credentials are always accessible under the same fixed path. It
* will create symlinks if necessary to guarantee that. */
- p = encrypted ?
- ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY :
- SYSTEM_CREDENTIALS_DIRECTORY;
- else {
+ r = (encrypted ? get_encrypted_system_credentials_dir : get_system_credentials_dir)(&p);
+ else
/* Otherwise take the dirs from the env vars we got passed */
r = (encrypted ? get_encrypted_credentials_dir : get_credentials_dir)(&p);
- if (r == -ENXIO) /* No environment variable? */
- goto not_found;
- if (r < 0)
- return log_error_errno(r, "Failed to get credentials directory: %m");
- }
+ if (r == -ENXIO) /* No environment variable? */
+ goto not_found;
+ if (r < 0)
+ return log_error_errno(r, "Failed to get credentials directory: %m");
d = opendir(p);
if (!d) {
return RET_NERRNO(open(d, O_CLOEXEC|O_DIRECTORY));
}
+int get_system_credentials_dir(const char **ret) {
+ int r;
+
+ /* Note that for system credentials the environment variable we honour is just for debugging purpose
+ * (unlike for the per-service credential path env var where it's key part of the protocol). */
+ r = get_credentials_dir_internal("SYSTEMD_SYSTEM_CREDENTIALS_DIRECTORY", ret);
+ if (r >= 0 || r != -ENXIO)
+ return r;
+
+ *ret = SYSTEM_CREDENTIALS_DIRECTORY;
+ return 0;
+}
+
+int get_encrypted_system_credentials_dir(const char **ret) {
+ int r;
+
+ r = get_credentials_dir_internal("SYSTEMD_ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY", ret);
+ if (r >= 0 || r != -ENXIO)
+ return r;
+
+ *ret = ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY;
+ return 0;
+}
+
int read_credential(const char *name, void **ret, size_t *ret_size) {
_cleanup_free_ char *fn = NULL;
const char *d;
#define SYSTEM_CREDENTIALS_DIRECTORY "/run/credentials/@system"
#define ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY "/run/credentials/@encrypted"
+/* Where system creds have been passed */
+int get_system_credentials_dir(const char **ret);
+int get_encrypted_system_credentials_dir(const char **ret);
+
int read_credential(const char *name, void **ret, size_t *ret_size); /* use in services! */
int read_credential_with_decryption(const char *name, void **ret, size_t *ret_size); /* use in generators + pid1! */
* multi-boot), hence we use the SRK and NV data from the LUKS2 header as search key, and parse all
* such JSON policies until we find a matching one. */
- const char *cp = secure_getenv("SYSTEMD_ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY") ?: ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY;
+ const char *dp;
+ r = get_encrypted_system_credentials_dir(&dp);
+ if (r < 0)
+ return log_error_errno(r, "Failed to get encrypted system credentials directory: %m");
- dfd = open(cp, O_CLOEXEC|O_DIRECTORY);
+ dfd = open(dp, O_CLOEXEC|O_DIRECTORY);
if (dfd < 0) {
if (errno == ENOENT) {
log_debug("No encrypted system credentials passed.");
if (r == -ENOENT)
continue;
if (r < 0) {
- log_warning_errno(r, "Failed to read credentials file %s/%s, skipping: %m", ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY, d->d_name);
+ log_warning_errno(r, "Failed to read credentials file %s/%s, skipping: %m", dp, d->d_name);
continue;
}
projects / thirdparty / systemd.git / commitdiff
