From: Mike Yuan <me@yhndnzj.com>
Date: Sun, 4 Feb 2024 11:36:06 +0000 (+0800)
Subject: core/service: don't setup credentials for ExecCondition= and ExecReload=
X-Git-Tag: v256-rc1~968^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a145623bc403e410f41808a8e5cb31d29a52567c;p=thirdparty%2Fsystemd.git

core/service: don't setup credentials for ExecCondition= and ExecReload=

This seems to be a mistake in #27279. I believe credentials should
not be made available to condition or reload tasks. In most cases
they're irrelevant from the actual job of the service. Also, currently
the first ExecCondition= or ExecReload= cannot access creds anyway,
making the incompatibility introduced negligible.

If people actually come up with valid use cases, we can always
revisit this.
---

diff --git a/src/core/service.c b/src/core/service.c
index ac9986994d3..41fe842db63 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1609,7 +1609,7 @@ static ExecFlags service_exec_flags(ServiceExecCommand command_id) {
 
         /* All start phases get access to credentials */
         // FIXME: SERVICE_EXEC_START_POST
-        if (IN_SET(command_id, /* FIXME */ SERVICE_EXEC_CONDITION, SERVICE_EXEC_START_PRE, SERVICE_EXEC_START, /* FIXME */ SERVICE_EXEC_RELOAD))
+        if (IN_SET(command_id, SERVICE_EXEC_START_PRE, SERVICE_EXEC_START))
                 flags |= EXEC_WRITE_CREDENTIALS;
 
         if (IN_SET(command_id, SERVICE_EXEC_START_PRE, SERVICE_EXEC_START))