From ffe958b98ffb9bceceac63db6381bb51329c1abf Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 10 Jun 2024 14:53:38 +0200 Subject: [PATCH] creds-util: add helper for querying system credential dirs The dirs are constant string, but let's make them overridable via env vars for debugging purposes. --- src/creds/creds.c | 15 ++++++--------- src/shared/creds-util.c | 24 ++++++++++++++++++++++++ src/shared/creds-util.h | 4 ++++ src/shared/tpm2-util.c | 9 ++++++--- 4 files changed, 40 insertions(+), 12 deletions(-) diff --git a/src/creds/creds.c b/src/creds/creds.c index a4a90dc8835..383ef268b85 100644 --- a/src/creds/creds.c +++ b/src/creds/creds.c @@ -148,17 +148,14 @@ static int open_credential_directory( if (arg_system) /* PID 1 ensures that system credentials are always accessible under the same fixed path. It * will create symlinks if necessary to guarantee that. */ - p = encrypted ? - ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY : - SYSTEM_CREDENTIALS_DIRECTORY; - else { + r = (encrypted ? get_encrypted_system_credentials_dir : get_system_credentials_dir)(&p); + else /* Otherwise take the dirs from the env vars we got passed */ r = (encrypted ? get_encrypted_credentials_dir : get_credentials_dir)(&p); - if (r == -ENXIO) /* No environment variable? */ - goto not_found; - if (r < 0) - return log_error_errno(r, "Failed to get credentials directory: %m"); - } + if (r == -ENXIO) /* No environment variable? */ + goto not_found; + if (r < 0) + return log_error_errno(r, "Failed to get credentials directory: %m"); d = opendir(p); if (!d) { diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c index a190e3720ca..c035dd671d2 100644 --- a/src/shared/creds-util.c +++ b/src/shared/creds-util.c 
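Review bot: The context comment above the `arg_system` branch still says system credentials are always accessible under the same fixed path, but the call added right below it, `(encrypted ? get_encrypted_system_credentials_dir : get_system_credentials_dir)(&p)`, can return a path taken from an environment variable (see the creds-util.c hunk of this patch). I would extend that comment, e.g. `/* ... It will create symlinks if necessary to guarantee that. The getters additionally honour a debugging-only env var override. */`, so readers do not assume `p` is a constant here. The hoisted `if (r == -ENXIO)` check now follows both branches, yet the system getters as added in this patch turn -ENXIO into the default directory, so its `/* No environment variable? */` comment only describes the else branch. open_credential_directory() starts and ends outside the hunk.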
@@ -125,6 +125,30 @@ int open_credentials_dir(void) { return RET_NERRNO(open(d, O_CLOEXEC|O_DIRECTORY)); } +int get_system_credentials_dir(const char **ret) { + int r; + + /* Note that for system credentials the environment variable we honour is just for debugging purpose + * (unlike for the per-service credential path env var where it's key part of the protocol). */ + r = get_credentials_dir_internal("SYSTEMD_SYSTEM_CREDENTIALS_DIRECTORY", ret); + if (r >= 0 || r != -ENXIO) + return r; + + *ret = SYSTEM_CREDENTIALS_DIRECTORY; + return 0; +} + +int get_encrypted_system_credentials_dir(const char **ret) { + int r; + + r = get_credentials_dir_internal("SYSTEMD_ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY", ret); + if (r >= 0 || r != -ENXIO) + return r; + + *ret = ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY; + return 0; +} + int read_credential(const char *name, void **ret, size_t *ret_size) { _cleanup_free_ char *fn = NULL; const char *d; diff --git a/src/shared/creds-util.h b/src/shared/creds-util.h index e5194c7f07a..7b2fc76eb41 100644 --- a/src/shared/creds-util.h +++ b/src/shared/creds-util.h @@ -33,6 +33,10 @@ int open_credentials_dir(void); #define SYSTEM_CREDENTIALS_DIRECTORY "/run/credentials/@system" #define ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY "/run/credentials/@encrypted" +/* Where system creds have been passed */ +int get_system_credentials_dir(const char **ret); +int get_encrypted_system_credentials_dir(const char **ret); + int read_credential(const char *name, void **ret, size_t *ret_size); /* use in services! */ int read_credential_with_decryption(const char *name, void **ret, size_t *ret_size); /* use in generators + pid1! */ diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index de1c56a84ee..ba6171f15fe 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c 
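Review bot: In both new getters the test `if (r >= 0 || r != -ENXIO)` is redundant, because any non-negative `r` already differs from -ENXIO; `if (r != -ENXIO) return r;` is equivalent and makes the fallback condition easier to read. The debugging-only remark is written on get_system_credentials_dir() alone, so get_encrypted_system_credentials_dir() would benefit from the same comment or a `/* See get_system_credentials_dir() */` pointer, since both let the environment choose the directory credentials are read from. get_credentials_dir_internal() is not part of this diff, so how it validates the variable's value cannot be checked from here.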
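Review bot: The comment `/* Where system creds have been passed */` does not tell callers that the result may come from the environment rather than from the two `#define`s just above it. Suggested wording: `/* Where system creds have been passed: the $SYSTEMD_SYSTEM_CREDENTIALS_DIRECTORY / $SYSTEMD_ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY override (debugging only) if set, else the defaults above; negative errno on failure */`. Code that keeps using the macros directly, for example in log messages, may then name a directory that is not the one actually opened.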
@@ -7065,9 +7065,12 @@ int tpm2_pcrlock_policy_from_credentials( * multi-boot), hence we use the SRK and NV data from the LUKS2 header as search key, and parse all * such JSON policies until we find a matching one. */ - const char *cp = secure_getenv("SYSTEMD_ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY") ?: ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY; + const char *dp; + r = get_encrypted_system_credentials_dir(&dp); + if (r < 0) + return log_error_errno(r, "Failed to get encrypted system credentials directory: %m"); - dfd = open(cp, O_CLOEXEC|O_DIRECTORY); + dfd = open(dp, O_CLOEXEC|O_DIRECTORY); if (dfd < 0) { if (errno == ENOENT) { log_debug("No encrypted system credentials passed."); @@ -7100,7 +7103,7 @@ int tpm2_pcrlock_policy_from_credentials( if (r == -ENOENT) continue; if (r < 0) { - log_warning_errno(r, "Failed to read credentials file %s/%s, skipping: %m", ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY, d->d_name); + log_warning_errno(r, "Failed to read credentials file %s/%s, skipping: %m", dp, d->d_name); continue; } -- 2.47.3
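Review bot: The removed line read the override with `secure_getenv()`, and that guarantee is now delegated to get_encrypted_system_credentials_dir(), whose underlying get_credentials_dir_internal() is not visible in this diff; it should be confirmed that the helper still ignores the variable in secure-execution contexts, since this directory is where the pcrlock policy credentials are searched for. A short comment at the call would record the requirement, e.g. `/* honours $SYSTEMD_ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY for debugging only; the lookup must stay secure_getenv()-based */`. The new `if (r < 0) return log_error_errno(...)` also adds a failure path the old expression did not have, so a value the helper rejects now aborts the policy lookup instead of being handed to `open()`. tpm2_pcrlock_policy_from_credentials() begins and ends outside both hunks.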