From: Yu Watanabe Date: Thu, 10 Aug 2023 06:55:25 +0000 (+0900) Subject: core/credential: make setup_credentials() return path to credentials directory X-Git-Tag: v255-rc1~669^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7241b9cd72d6e6079d5140cf24c34e78d3cf43cc;p=thirdparty%2Fsystemd.git core/credential: make setup_credentials() return path to credentials directory Then, we can reuse the path when building environment variables and setting up mount namespace. No functional change, just refactoring. --- diff --git a/src/core/credential.c b/src/core/credential.c index b8b8b4edaa7..7c9d6f6a9b4 100644 --- a/src/core/credential.c +++ b/src/core/credential.c @@ -876,16 +876,20 @@ int setup_credentials( const ExecParameters *params, const char *unit, uid_t uid, - gid_t gid) { + gid_t gid, + char **ret_path) { _cleanup_free_ char *p = NULL, *q = NULL; int r; assert(context); assert(params); + assert(ret_path); - if (!exec_context_has_credentials(context)) + if (!exec_context_has_credentials(context)) { + *ret_path = NULL; return 0; + } if (!params->prefix[EXEC_DIRECTORY_RUNTIME]) return -EINVAL; @@ -999,5 +1003,7 @@ int setup_credentials( * actually end up mounting anything on it. In that case we'd rather have ENOENT than EACCESS being * seen by users when trying access this inode. */ (void) rmdir(p); + + *ret_path = TAKE_PTR(p); return 0; } diff --git a/src/core/credential.h b/src/core/credential.h index 54155f515bc..2afd88dfc50 100644 --- a/src/core/credential.h +++ b/src/core/credential.h @@ -45,4 +45,5 @@ int setup_credentials( const ExecParameters *params, const char *unit, uid_t uid, - gid_t gid); + gid_t gid, + char **ret_path); diff --git a/src/core/execute.c b/src/core/execute.c index 78d8988e8b1..9c900095ce1 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1864,6 +1864,7 @@ static int build_environment( dev_t journal_stream_dev, ino_t journal_stream_ino, const char *memory_pressure_path, + const char *creds_path, char ***ret) { _cleanup_strv_free_ char **our_env = NULL; @@ -2041,10 +2042,8 @@ static int build_environment( our_env[n_env++] = x; } - if (exec_context_has_credentials(c) && - p->prefix[EXEC_DIRECTORY_RUNTIME] && - FLAGS_SET(p->flags, EXEC_WRITE_CREDENTIALS)) { - x = strjoin("CREDENTIALS_DIRECTORY=", p->prefix[EXEC_DIRECTORY_RUNTIME], "/credentials/", u->id); + if (creds_path) { + x = strjoin("CREDENTIALS_DIRECTORY=", creds_path); if (!x) return -ENOMEM; @@ -3112,12 +3111,13 @@ static int apply_mount_namespace( const ExecParameters *params, ExecRuntime *runtime, const char *memory_pressure_path, + const char *creds_path, char **error_path) { _cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT; _cleanup_strv_free_ char **empty_directories = NULL, **symlinks = NULL, **read_write_paths_cleanup = NULL; - _cleanup_free_ char *creds_path = NULL, *incoming_dir = NULL, *propagate_dir = NULL, + _cleanup_free_ char *incoming_dir = NULL, *propagate_dir = NULL, *extension_dir = NULL, *host_os_release_stage = NULL; const char *root_dir = NULL, *root_image = NULL, *tmp_dir = NULL, *var_tmp_dir = NULL; char **read_write_paths; @@ -3219,14 +3219,6 @@ static int apply_mount_namespace( if (context->mount_propagation_flag == MS_SHARED) log_unit_debug(u, "shared mount propagation hidden by other fs namespacing unit settings: ignoring"); - if (exec_context_has_credentials(context) && - params->prefix[EXEC_DIRECTORY_RUNTIME] && - FLAGS_SET(params->flags, EXEC_WRITE_CREDENTIALS)) { - creds_path = path_join(params->prefix[EXEC_DIRECTORY_RUNTIME], "credentials", u->id); - if (!creds_path) - return -ENOMEM; - } - if (params->runtime_scope == RUNTIME_SCOPE_SYSTEM) { propagate_dir = path_join("/run/systemd/propagate/", u->id); if (!propagate_dir) @@ -3948,7 +3940,7 @@ static int exec_child( int r, ngids = 0, exec_fd; _cleanup_free_ gid_t *supplementary_gids = NULL; const char *username = NULL, *groupname = NULL; - _cleanup_free_ char *home_buffer = NULL, *memory_pressure_path = NULL; + _cleanup_free_ char *home_buffer = NULL, *memory_pressure_path = NULL, *creds_path = NULL; const char *home = NULL, *shell = NULL; char **final_argv = NULL; dev_t journal_stream_dev = 0; @@ -4429,7 +4421,7 @@ static int exec_child( } if (FLAGS_SET(params->flags, EXEC_WRITE_CREDENTIALS)) { - r = setup_credentials(context, params, unit->id, uid, gid); + r = setup_credentials(context, params, unit->id, uid, gid, &creds_path); if (r < 0) { *exit_status = EXIT_CREDENTIALS; return log_unit_error_errno(unit, r, "Failed to set up credentials: %m"); @@ -4449,6 +4441,7 @@ static int exec_child( journal_stream_dev, journal_stream_ino, memory_pressure_path, + creds_path, &our_env); if (r < 0) { *exit_status = EXIT_MEMORY; @@ -4642,7 +4635,7 @@ static int exec_child( if (needs_mount_namespace) { _cleanup_free_ char *error_path = NULL; - r = apply_mount_namespace(unit, command->flags, context, params, runtime, memory_pressure_path, &error_path); + r = apply_mount_namespace(unit, command->flags, context, params, runtime, memory_pressure_path, creds_path, &error_path); if (r < 0) { *exit_status = EXIT_NAMESPACE; return log_unit_error_errno(unit, r, "Failed to set up mount namespacing%s%s: %m",