From 4dabc3005068b83d72100021c2427767f4f68068 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch <maximilian@mbosch.me>
Date: Sat, 8 Nov 2025 19:16:50 +0100
Subject: [PATCH] service: setup credentials for ExecCondition

Closes #35788

This gives access to credentials within ExecCondition=. As described in
ticket #35788, I do have a use-case for this and as noted in the
commit that dropped this[1], this is OK to be revisited if there are
use-cases.

[1] a145623bc403e410f41808a8e5cb31d29a52567c
---
 src/core/service.c          | 2 ++
 test/units/TEST-54-CREDS.sh | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/src/core/service.c b/src/core/service.c
index 7b446351943..c92fb450857 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1692,6 +1692,8 @@ static ExecFlags service_exec_flags(ServiceExecCommand command_id, ExecFlags cre
         /* All start phases get access to credentials. ExecStartPre= gets a new credential store upon
          * every invocation, so that updating credential files through it works. When the first main process
          * starts, passed creds become stable. Also see 'cred_flag'. */
+        if (command_id == SERVICE_EXEC_CONDITION)
+                flags |= EXEC_SETUP_CREDENTIALS;
         if (command_id == SERVICE_EXEC_START_PRE)
                 flags |= EXEC_SETUP_CREDENTIALS_FRESH;
         if (command_id == SERVICE_EXEC_START_POST)
diff --git a/test/units/TEST-54-CREDS.sh b/test/units/TEST-54-CREDS.sh
index 7024adace45..479417dea00 100755
--- a/test/units/TEST-54-CREDS.sh
+++ b/test/units/TEST-54-CREDS.sh
@@ -446,6 +446,13 @@ systemd-run -p DynamicUser=yes -p 'LoadCredential=os:/etc/os-release' \
             --service-type=oneshot --wait --pipe \
             true | cmp /etc/os-release
 
+# https://github.com/systemd/systemd/issues/35788
+systemd-run -p DynamicUser=yes -p 'LoadCredential=os:/etc/os-release' \
+            -p 'ExecCondition=systemd-creds cat os' \
+            --unit=test-54-exec-condition.service \
+            --service-type=oneshot --wait --pipe \
+            true | cmp /etc/os-release
+
 # https://github.com/systemd/systemd/pull/24734#issuecomment-1925440546
 # Also ExecStartPre= should be able to update creds
 dd if=/dev/urandom of=/tmp/cred-huge bs=600K count=1
-- 
2.47.3