From: Zbigniew Jędrzejewski-Szmek Date: Wed, 26 Aug 2020 08:32:30 +0000 (+0200) Subject: Merge pull request #16568 from poettering/creds-store X-Git-Tag: v247-rc1~362 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b6abc2acb4a56344db90eefa36a989e6b7ded34d;p=thirdparty%2Fsystemd.git Merge pull request #16568 from poettering/creds-store credentials logic to pass privileged data to services --- b6abc2acb4a56344db90eefa36a989e6b7ded34d diff --cc TODO index 179d17e2342,c4c20f71a57..e25ca895106 --- a/TODO +++ b/TODO @@@ -119,15 -119,25 +119,19 @@@ Features * seccomp: maybe merge all filters we install into one with that libseccomp API that allows merging. - * per-service credential system. Specifically: add LoadCredential= (for loading - cred from file), AcquireCredential= (for asking user for cred, via - ask-password), PassCredential= (for passing on credential systemd itself - got). Then, place credentials in a per-service, immutable ramfs instance (so - that it cannot be swapped out), destroy after use. Also pass via keyring - (with graceful fallback to cover for containers). Define CredentialPath= for - defining subdir of /run/credentials/ where to place it. Set $CREDENTIAL_PATH - env var for services to the result. Also pass via fd passing (optionally). + * credentials system: + - maybe add AcquireCredential= for querying a cred via ask-password + - maybe try to acquire creds via keyring? + - maybe try to pass creds via keyring? + - maybe optionally pass creds via memfd + - maybe add support for decrypting creds via TPM + - maybe add support for decrypting/importing creds via pkcs11 + - make systemd-cryptsetup acquire pw via creds logic + - make PAMName= acquire pw via creds logic + - make macsec/wireguard code in networkd read key via creds logic + - make gatwayd/remote read key via creds logic + - add sd_notify() command for flushing out creds not needed anymore -* homed: add native recovery key support. use 48 lowercase modhex characters - (192bit), show qr code of it, include pattern expression in user record. - -* homed: introduce "degraded" state for home directories that weren't cleanly - unmounted (use xattr we add and remove on the loop back file) - * homed: during login resize fs automatically towards size goal. Specifically, resize to diskSize if possible, but leave a certain amount (configured by a new value diskLeaveFreeSize) of space free on the backing fs.