author | Lennart Poettering <lennart@poettering.net> | 2022-04-13 23:35:15 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2022-04-22 11:32:47 +0200 |
commit | f344f7fdca63ca90cc3b4ea7d30f32c43dd3d1a6 (patch) | |
tree | 8a8a1a61481f0559574fa157b988cd48a6139dd1 | |
parent | execute: share error path between reg file/dir credential loading (diff) | |
execute: restore ability to propagate creds from further up (i.e. container manager and such)
This was broken in 3989bdc1ad7cca4d75c06cdf601fea2cb37ba337; let's
restore the functionality.

Basically, we want that if a relative name is specified as the source to
load from, we take it relative to the credentials directory the service
manager itself was passed.
-rw-r--r-- | src/core/execute.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index a16dbdd0c7..5e6b1131e4 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2625,7 +2625,8 @@ static int load_credential(
         assert(left);
 
         if (path_is_absolute(path) || read_dfd >= 0) {
-                /* If this is an absolute path, read the data directly from it, and support AF_UNIX sockets */
+                /* If this is an absolute path (or a directory fd is specifier relative which to read), read
+                 * the data directly from it, and support AF_UNIX sockets */
 
                 source = path;
                 flags |= READ_FULL_FILE_CONNECT_SOCKET;
@@ -2784,17 +2785,19 @@ static int acquire_credentials(
         HASHMAP_FOREACH(lc, context->load_credentials) {
                 _cleanup_close_ int sub_fd = -1;
 
-                /* Skip over credentials with unspecified paths. These are received by the
-                 * service manager via the $CREDENTIALS_DIRECTORY environment variable. */
-                if (!is_path(lc->path) && streq(lc->id, lc->path))
-                        continue;
+                /* If this is an absolute path, then try to open it as a directory. If that works, then we'll
+                 * recurse into it. If it is an absolute path but it isn't a directory, then we'll open it as
+                 * a regular file. Finally, if it's a relative path we will use it as a credential name to
+                 * propagate a credential passed to us from further up. */
 
-                sub_fd = open(lc->path, O_DIRECTORY|O_CLOEXEC|O_RDONLY);
-                if (sub_fd < 0 && errno != ENOTDIR)
-                        return -errno;
+                if (path_is_absolute(lc->path)) {
+                        sub_fd = open(lc->path, O_DIRECTORY|O_CLOEXEC|O_RDONLY);
+                        if (sub_fd < 0 && errno != ENOTDIR)
+                                return -errno;
+                }
 
                 if (sub_fd < 0)
-                        /* Regular file */
+                        /* Regular file (incl. a credential passed in from higher up) */
                         r = load_credential(
                                 context,
                                 params,
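Review bot: The rewritten comment in the first hunk is garbled ("a directory fd is specifier relative which to read") and should say what the condition actually tests, i.e. that read_dfd is a directory fd the path is resolved relative to; suggest `/* If this is an absolute path (or a directory fd was given to resolve a relative path against), read` as the first line. The condition itself is unchanged and is the only line that tells a reader why a relative path is accepted here, so the comment is worth getting right. load_credential's body starts before and continues past this hunk.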
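Review bot: In the second hunk any relative lc->path now bypasses the directory open and is handed to load_credential unchanged, and under the first hunk's condition a relative path is then read relative to read_dfd; nothing visible here rejects a relative source containing a slash or a `..` component, so unless the LoadCredential= parser already restricts relative sources to bare credential names, a source like `../x` would be resolved against the manager's credentials directory and could read outside it. If the parser does not enforce that, a defensive check before the new if is cheap: `if (!path_is_absolute(lc->path) && strchr(lc->path, '/')) return -EINVAL;`. It is also not visible what load_credential does with a relative name when the manager itself received no credentials directory (read_dfd < 0); that branch lies outside the hunk and deserves a comment at the call site stating the expected outcome. acquire_credentials begins before this hunk and the load_credential call continues past it.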