From c9210b74701d749c5b684cc4de517be42baa9c57 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Sat, 15 Apr 2023 03:01:52 +0100
Subject: [PATCH] creds: make available to all ExecStartPre= and ExecStart= processes
Fixes https://github.com/systemd/systemd/issues/27275
---
 src/core/service.c | 3 ++-
 test/units/testsuite-54.sh | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/core/service.c b/src/core/service.c
index 1c31782fabb..3e4febeaa2b 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -2649,6 +2649,7 @@ static void service_run_next_control(Service *s) {
 s->control_command,
 timeout,
 EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_IS_CONTROL|
+ (IN_SET(s->state, SERVICE_CONDITION, SERVICE_START_PRE, SERVICE_START, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD) ? EXEC_WRITE_CREDENTIALS : 0)|
 (IN_SET(s->control_command_id, SERVICE_EXEC_CONDITION, SERVICE_EXEC_START_PRE, SERVICE_EXEC_STOP_POST) ? EXEC_APPLY_TTY_STDIN : 0)|
 (IN_SET(s->control_command_id, SERVICE_EXEC_STOP, SERVICE_EXEC_STOP_POST) ? EXEC_SETENV_RESULT : 0)|
 (IN_SET(s->control_command_id, SERVICE_EXEC_START_PRE, SERVICE_EXEC_START) ? EXEC_SETENV_MONITOR_RESULT : 0)|
@@ -2688,7 +2689,7 @@ static void service_run_next_main(Service *s) {
 r = service_spawn(s,
 s->main_command,
 s->timeout_start_usec,
- EXEC_PASS_FDS|EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN|EXEC_SET_WATCHDOG|EXEC_SETENV_MONITOR_RESULT,
+ EXEC_PASS_FDS|EXEC_APPLY_SANDBOXING|EXEC_APPLY_CHROOT|EXEC_APPLY_TTY_STDIN|EXEC_SET_WATCHDOG|EXEC_SETENV_MONITOR_RESULT|EXEC_WRITE_CREDENTIALS,
 &pid);
 if (r < 0)
 goto fail;
diff --git a/test/units/testsuite-54.sh b/test/units/testsuite-54.sh
index 43049dea508..ab896a57594 100755
--- a/test/units/testsuite-54.sh
+++ b/test/units/testsuite-54.sh
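Review bot: The new flag line in service_run_next_control() keys on `s->state` while every neighbouring line keys on `s->control_command_id`, and its state set (SERVICE_CONDITION, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD) reaches further than the ExecStartPre=/ExecStart= named in the subject, so ExecCondition=, ExecStartPost= and ExecReload= control processes appear to receive the credentials too. If that wider exposure is intended, record it above the line, for example `/* Credentials are written for every control command run before or while the service is up; stop commands are excluded on purpose */`. In SERVICE_RUNNING and SERVICE_RELOAD the main process is already alive, and nothing visible here shows whether EXEC_WRITE_CREDENTIALS rewrites an existing credential directory, so that interaction is worth confirming before merge. The enclosing function starts and ends outside the hunk; the second hunk (service_run_next_main) adds the flag unconditionally and raises no separate concern.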
@@ -131,6 +131,14 @@ if systemctl --version | grep -q -- +OPENSSL ; then
 rm /tmp/test-54-plaintext /tmp/test-54-ciphertext
 fi
+# https://github.com/systemd/systemd/issues/27275
+systemd-run -p DynamicUser=yes -p 'LoadCredential=os:/etc/os-release' \
+ -p 'ExecStartPre=true' \
+ -p 'ExecStartPre=systemd-creds cat os' \
+ --wait \
+ --pipe \
+ true | cmp /etc/os-release
+
 systemd-analyze log-level info
 echo OK >/testok
-- 
2.47.3
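Review bot: The added case exercises only a second `ExecStartPre=` command, so the service_run_next_main() change (a later `ExecStart=` in a service with several of them) and the ExecCondition=/ExecStartPost=/ExecReload= states enabled in src/core/service.c have no regression coverage. A companion case in which the credential is read by a second ExecStart= command, and one that reads it from ExecStartPost=, would pin those paths. The comment above the command is a bare URL; a line such as `# Credentials must be readable by every ExecStartPre= command, not only the first` would let a reader understand the check without following the link.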