From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 22 Dec 2022 16:57:56 +0000 (+0100)
Subject: import-creds: don't try to import VM creds in a container
X-Git-Tag: v253-rc1~224
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=13b99dccb7617756626f93c102aefff99a964436;p=thirdparty%2Fsystemd.git

import-creds: don't try to import VM creds in a container

If we run in a container we shouldn#t try to import creds passed in from
a VMM, as they are not for us, but for the VM itself.
---

diff --git a/src/core/import-creds.c b/src/core/import-creds.c
index 0bcd407e682..1f5a15f73b4 100644
--- a/src/core/import-creds.c
+++ b/src/core/import-creds.c
@@ -20,6 +20,7 @@
 #include "proc-cmdline.h"
 #include "recurse-dir.h"
 #include "strv.h"
+#include "virt.h"
 
 /* This imports credentials passed in from environments higher up (VM manager, boot loader, …) and rearranges
  * them so that later code can access them using our regular credential protocol
@@ -370,6 +371,9 @@ static int import_credentials_qemu(ImportCredentialContext *c) {
 
         assert(c);
 
+        if (detect_container() > 0) /* don't access /sys/ in a container */
+                return 0;
+
         source_dir_fd = open(QEMU_FWCFG_PATH, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
         if (source_dir_fd < 0) {
                 if (errno == ENOENT) {
@@ -561,6 +565,9 @@ static int import_credentials_smbios(ImportCredentialContext *c) {
 
         /* Parses DMI OEM strings fields (SMBIOS type 11), as settable with qemu's -smbios type=11,value=… switch. */
 
+        if (detect_container() > 0) /* don't access /sys/ in a container */
+                return 0;
+
         for (unsigned i = 0;; i++) {
                 struct dmi_field_header {
                         uint8_t type;