From: Lennart Poettering
Date: Tue, 10 Dec 2024 12:35:39 +0000 (+0100)
Subject: execute: introduce a user-scoped credstore
X-Git-Tag: v258-rc1~1795^2~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8506a9955cb4e6036a38d8634af683d8a4e47220;p=thirdparty%2Fsystemd.git
execute: introduce a user-scoped credstore
Fixes: #33887
---
diff --git a/src/core/exec-credential.c b/src/core/exec-credential.c
index 784cea208d6..56fc86ef8d3 100644
--- a/src/core/exec-credential.c
+++ b/src/core/exec-credential.c
@@ -384,30 +384,46 @@ typedef enum CredentialSearchPath {
 _CREDENTIAL_SEARCH_PATH_INVALID = -EINVAL,
 } CredentialSearchPath;
-static char** credential_search_path(const ExecParameters *params, CredentialSearchPath path) {
+static int credential_search_path(const ExecParameters *params, CredentialSearchPath path, char ***ret) {
 _cleanup_strv_free_ char **l = NULL;
+ int r;
 assert(params);
 assert(path >= 0 && path < _CREDENTIAL_SEARCH_PATH_MAX);
+ assert(ret);
 /* Assemble a search path to find credentials in. For non-encrypted credentials, We'll look in
 * /etc/credstore/ (and similar directories in /usr/lib/ + /run/). If we're looking for encrypted
 * credentials, we'll look in /etc/credstore.encrypted/ (and similar dirs). */
 if (IN_SET(path, CREDENTIAL_SEARCH_PATH_ENCRYPTED, CREDENTIAL_SEARCH_PATH_ALL)) {
- if (strv_extend(&l, params->received_encrypted_credentials_directory) < 0)
- return NULL;
+ r = strv_extend(&l, params->received_encrypted_credentials_directory);
+ if (r < 0)
+ return r;
+
+ _cleanup_strv_free_ char **add = NULL;
+ r = credential_store_path_encrypted(params->runtime_scope, &add);
+ if (r < 0)
+ return r;
- if (strv_extend_strv(&l, CONF_PATHS_STRV("credstore.encrypted"), /* filter_duplicates= */ true) < 0)
- return NULL;
+ r = strv_extend_strv_consume(&l, TAKE_PTR(add), /* filter_duplicates= */ false);
+ if (r < 0)
+ return r;
 }
 if (IN_SET(path, CREDENTIAL_SEARCH_PATH_TRUSTED, CREDENTIAL_SEARCH_PATH_ALL)) {
- if (strv_extend(&l, params->received_credentials_directory) < 0)
- return NULL;
+ r = strv_extend(&l, params->received_credentials_directory);
+ if (r < 0)
+ return r;
+
+ _cleanup_strv_free_ char **add = NULL;
+ r = credential_store_path(params->runtime_scope, &add);
+ if (r < 0)
+ return r;
- if (strv_extend_strv(&l, CONF_PATHS_STRV("credstore"), /* filter_duplicates= */ true) < 0)
- return NULL;
+ r = strv_extend_strv_consume(&l, TAKE_PTR(add), /* filter_duplicates= */ false);
+ if (r < 0)
+ return r;
 }
 if (DEBUG_LOGGING) {
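Review bot: The block comment in `credential_search_path()` ("Assemble a search path …") still names only `/etc/credstore/` and `/etc/credstore.encrypted/`, while the new code takes the store directories from `credential_store_path()` / `credential_store_path_encrypted()` keyed on `params->runtime_scope`. Because this list decides which directories plaintext credentials are accepted from, the comment should say so, for example `/* For the system scope this is /etc/credstore/ (and similar dirs); for any other scope the per-user store from credential_store_path() is used instead. */`. The same two calls also switch `/* filter_duplicates= */` from `true` to `false`, so a received directory that coincides with a store directory may now appear twice in the list; if that is intended, a short why-comment next to the call would help. The function's tail lies outside this hunk.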
@@ -415,7 +431,8 @@ static char** credential_search_path(const ExecParameters *params, CredentialSea
 log_debug("Credential search path is: %s", strempty(t));
 }
- return TAKE_PTR(l);
+ *ret = TAKE_PTR(l);
+ return 0;
 }
 struct load_cred_args {
@@ -612,9 +629,9 @@ static int load_credential(
 * directory we received ourselves. We don't support the AF_UNIX stuff in this mode, since we
 * are operating on a credential store, i.e. this is guaranteed to be regular files. */
- search_path = credential_search_path(args->params, CREDENTIAL_SEARCH_PATH_ALL);
- if (!search_path)
- return -ENOMEM;
+ r = credential_search_path(args->params, CREDENTIAL_SEARCH_PATH_ALL, &search_path);
+ if (r < 0)
+ return r;
 missing_ok = true;
 } else
@@ -798,9 +815,9 @@ static int acquire_credentials(
 ORDERED_SET_FOREACH(ic, context->import_credentials) {
 _cleanup_free_ char **search_path = NULL;
- search_path = credential_search_path(params, CREDENTIAL_SEARCH_PATH_TRUSTED);
- if (!search_path)
- return -ENOMEM;
+ r = credential_search_path(params, CREDENTIAL_SEARCH_PATH_TRUSTED, &search_path);
+ if (r < 0)
+ return r;
 args.encrypted = false;
@@ -812,9 +829,10 @@ static int acquire_credentials(
 return r;
 search_path = strv_free(search_path);
- search_path = credential_search_path(params, CREDENTIAL_SEARCH_PATH_ENCRYPTED);
- if (!search_path)
- return -ENOMEM;
+
+ r = credential_search_path(params, CREDENTIAL_SEARCH_PATH_ENCRYPTED, &search_path);
+ if (r < 0)
+ return r;
 args.encrypted = true;
diff --git a/src/libsystemd/sd-path/path-lookup.h b/src/libsystemd/sd-path/path-lookup.h
index 819c4cdb15d..1289e7ac6fc 100644
--- a/src/libsystemd/sd-path/path-lookup.h
+++ b/src/libsystemd/sd-path/path-lookup.h
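Review bot: In `load_credential()` the search-path call can now fail with whatever `credential_store_path()` returns, not only `-ENOMEM`, and the bare `return r;` gives no hint which step failed. If the per-scope lookup can fail for environmental reasons (not visible on this page, to be confirmed against `sd_path_lookup_strv()`), a credential that is present in the received directory is then never tried. I would at least log the cause, `return log_debug_errno(r, "Failed to assemble credential search path: %m");`, and state in a comment whether a store lookup failure is meant to be fatal. The two call sites in `acquire_credentials()` (the following two hunks) have the same shape; `load_credential()` itself starts and ends outside this hunk.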
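Review bot: `search_path` in the `ORDERED_SET_FOREACH` loop of `acquire_credentials()` is declared `_cleanup_free_ char **`, while the string vectors in `credential_search_path()` use `_cleanup_strv_free_`. The new out-parameter call stores a full vector there, and the `return r;` visible before `search_path = strv_free(search_path);` in the next hunk leaves the scope without `strv_free()`; assuming `_cleanup_free_` frees only the array, the path strings leak on that error path. The declaration is a context line this commit does not touch, but since the commit rewrites both assignments it is the natural place to change it to `_cleanup_strv_free_ char **search_path = NULL;`. The loop body continues outside the hunk.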
@@ -84,3 +84,19 @@ static inline char** generator_binary_paths(RuntimeScope runtime_scope) {
 static inline char** env_generator_binary_paths(RuntimeScope runtime_scope) {
 return generator_binary_paths_internal(runtime_scope, true);
 }
+
+static inline int credential_store_path(RuntimeScope runtime_scope, char ***ret) {
+ return sd_path_lookup_strv(
+ runtime_scope == RUNTIME_SCOPE_SYSTEM ?
+ SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE : SD_PATH_USER_SEARCH_CREDENTIAL_STORE,
+ /* suffix= */ NULL,
+ ret);
+}
+
+static inline int credential_store_path_encrypted(RuntimeScope runtime_scope, char ***ret) {
+ return sd_path_lookup_strv(
+ runtime_scope == RUNTIME_SCOPE_SYSTEM ?
+ SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED : SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED,
+ /* suffix= */ NULL,
+ ret);
+}
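Review bot: Both helpers map every scope other than `RUNTIME_SCOPE_SYSTEM` to the user store, so an unexpected value (an invalid or global scope, if the enum has one) silently selects the per-user credential directories instead of failing. For a function that picks the trust root for credentials I'd make the accepted values explicit, e.g. `assert(IN_SET(runtime_scope, RUNTIME_SCOPE_SYSTEM, RUNTIME_SCOPE_USER));` as the first line of each, provided `RUNTIME_SCOPE_USER` and `IN_SET()` are available in this header. A one-line comment that `*ret` is a newly allocated strv the caller must release with `strv_free()` would also help; the caller in exec-credential.c holds it in a `_cleanup_strv_free_` variable.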