diff --git a/man/systemd-journal-gatewayd.service.xml b/man/systemd-journal-gatewayd.service.xml index 0f7aaab624f..a7c50f382f0 100644 --- a/man/systemd-journal-gatewayd.service.xml +++ b/man/systemd-journal-gatewayd.service.xml @@ -58,26 +58,25 @@ - Specify the path to a file containing a server - certificate in PEM format. This option switches - systemd-journal-gatewayd into HTTPS mode - and must be used together with + Specify the path to a file or AF_UNIX stream socket to read the + server certificate from. The certificate must be in PEM format. This option switches + systemd-journal-gatewayd into HTTPS mode and must be used together with . - Specify the path to a file containing a server - key in PEM format corresponding to the certificate specified - with . + Specify the path to a file or AF_UNIX stream socket to read the + server key corresponding to the certificate specified with from. The key + must be in PEM format. - Specify the path to a file containing a - CA certificate in PEM format. + Specify the path to a file or AF_UNIX stream socket to read a CA + certificate from. The certificate must be in PEM format. diff --git a/man/systemd-journal-remote.service.xml b/man/systemd-journal-remote.service.xml index b28092d18c3..1db0128f746 100644 --- a/man/systemd-journal-remote.service.xml +++ b/man/systemd-journal-remote.service.xml 
@@ -180,33 +180,29 @@ - - Takes a path to a SSL key file in PEM format. - Defaults to &CERTIFICATE_ROOT;/private/journal-remote.pem. - This option can be used with . - + Takes a path to a SSL key file in PEM format. Defaults to + &CERTIFICATE_ROOT;/private/journal-remote.pem. This option can be used with + . If the path refers to an AF_UNIX stream socket + in the file system a connection is made to it and the key read from it. - - Takes a path to a SSL certificate file in PEM format. - Defaults to &CERTIFICATE_ROOT;/certs/journal-remote.pem. - This option can be used with . - + Takes a path to a SSL certificate file in PEM format. Defaults to + &CERTIFICATE_ROOT;/certs/journal-remote.pem. This option can be used with + . If the path refers to an AF_UNIX stream socket + in the file system a connection is made to it and the certificate read from it. - - Takes a path to a SSL CA certificate file in PEM format, - or . If is set, - then certificate checking will be disabled. - Defaults to &CERTIFICATE_ROOT;/ca/trusted.pem. - This option can be used with . - + Takes a path to a SSL CA certificate file in PEM format, or . If + is set, then certificate checking will be disabled. Defaults to + &CERTIFICATE_ROOT;/ca/trusted.pem. This option can be used with + . If the path refers to an AF_UNIX stream socket + in the file system a connection is made to it and the certificate read from it. diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml index 5516f63b658..c2957fd1823 100644 --- a/man/systemd.netdev.xml +++ b/man/systemd.netdev.xml 
@@ -1028,11 +1028,13 @@ KeyFile= - Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal - string, which will be used in the transmission channel. When this option is specified, + Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal string, + which will be used in the transmission channel. When this option is specified, Key= is ignored. Note that the file must be readable by the user systemd-network, so it should be, e.g., owned by - root:systemd-network with a 0640 file mode. + root:systemd-network with a 0640 file mode. If the path + refers to an AF_UNIX stream socket in the file system a connection is made to + it and the key read from it. @@ -1518,11 +1520,12 @@ PrivateKeyFile= - Takes an absolute path to a file which contains the Base64 encoded private key for the interface. - When this option is specified, then PrivateKey= is ignored. - Note that the file must be readable by the user systemd-network, so it - should be, e.g., owned by root:systemd-network with a - 0640 file mode. + Takes an absolute path to a file which contains the Base64 encoded private key for the + interface. When this option is specified, then PrivateKey= is ignored. Note + that the file must be readable by the user systemd-network, so it should be, + e.g., owned by root:systemd-network with a 0640 file mode. If + the path refers to an AF_UNIX stream socket in the file system a connection is + made to it and the key read from it. 
@@ -1577,10 +1580,11 @@ PresharedKeyFile= Takes an absolute path to a file which contains the Base64 encoded preshared key for the - peer. When this option is specified, then PresharedKey= is ignored. - Note that the file must be readable by the user systemd-network, so it - should be, e.g., owned by root:systemd-network with a - 0640 file mode. + peer. When this option is specified, then PresharedKey= is ignored. Note that + the file must be readable by the user systemd-network, so it should be, e.g., + owned by root:systemd-network with a 0640 file mode. If the + path refers to an AF_UNIX stream socket in the file system a connection is + made to it and the key read from it. diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c index 3ab7c98b0b5..48106d1bdbb 100644 --- a/src/journal-remote/journal-gatewayd.c +++ b/src/journal-remote/journal-gatewayd.c @@ -906,7 +906,7 @@ static int parse_argv(int argc, char *argv[]) { if (arg_key_pem) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Key file specified twice"); - r = read_full_file(optarg, &arg_key_pem, NULL); + r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_key_pem, NULL); if (r < 0) return log_error_errno(r, "Failed to read key file: %m"); assert(arg_key_pem); @@ -916,7 +916,7 @@ static int parse_argv(int argc, char *argv[]) { if (arg_cert_pem) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Certificate file specified twice"); - r = read_full_file(optarg, &arg_cert_pem, NULL); + r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_cert_pem, NULL); if (r < 0) return log_error_errno(r, "Failed to read certificate file: %m"); assert(arg_cert_pem); 
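Review bot: The key-file branch of `parse_argv()` (the one guarded by `"Key file specified twice"`) reads the private key without `READ_FULL_FILE_SECURE`, whereas the macsec and wireguard hunks in this same commit combine `READ_FULL_FILE_CONNECT_SOCKET` with `READ_FULL_FILE_SECURE` for their key files; the PEM key therefore lands in an ordinary heap buffer and, unless `arg_key_pem` is later released with an erasing free (not visible here), is never zeroized. I would change the call to `r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_SECURE | READ_FULL_FILE_CONNECT_SOCKET, &arg_key_pem, NULL);` and do the same for the `arg_key ?: PRIV_KEY_FILE` read in `load_certificates()` in journal-remote-main.c; the certificate and CA reads are public material and can stay as they are. Adding the flag presumably obliges the caller to erase the buffer on free, so confirm how `arg_key_pem` and `*key` are released before applying it. `parse_argv()` begins and ends outside these hunks.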
@@ -927,7 +927,7 @@ static int parse_argv(int argc, char *argv[]) { if (arg_trust_pem) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "CA certificate file specified twice"); - r = read_full_file(optarg, &arg_trust_pem, NULL); + r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_trust_pem, NULL); if (r < 0) return log_error_errno(r, "Failed to read CA certificate file: %m"); assert(arg_trust_pem); diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c index 273fdf9196e..77dfdefd64c 100644 --- a/src/journal-remote/journal-remote-main.c +++ b/src/journal-remote/journal-remote-main.c @@ -1077,12 +1077,12 @@ static int parse_argv(int argc, char *argv[]) { static int load_certificates(char **key, char **cert, char **trust) { int r; - r = read_full_file(arg_key ?: PRIV_KEY_FILE, key, NULL); + r = read_full_file_full(AT_FDCWD, arg_key ?: PRIV_KEY_FILE, READ_FULL_FILE_CONNECT_SOCKET, key, NULL); if (r < 0) return log_error_errno(r, "Failed to read key from file '%s': %m", arg_key ?: PRIV_KEY_FILE); - r = read_full_file(arg_cert ?: CERT_FILE, cert, NULL); + r = read_full_file_full(AT_FDCWD, arg_cert ?: CERT_FILE, READ_FULL_FILE_CONNECT_SOCKET, cert, NULL); if (r < 0) return log_error_errno(r, "Failed to read certificate from file '%s': %m", arg_cert ?: CERT_FILE); @@ -1090,7 +1090,7 @@ static int load_certificates(char **key, char **cert, char **trust) { if (arg_trust_all) log_info("Certificate checking disabled."); else { - r = read_full_file(arg_trust ?: TRUST_FILE, trust, NULL); + r = read_full_file_full(AT_FDCWD, arg_trust ?: TRUST_FILE, READ_FULL_FILE_CONNECT_SOCKET, trust, NULL); if (r < 0) return log_error_errno(r, "Failed to read CA certificate file '%s': %m", arg_trust ?: TRUST_FILE); diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c index ab55a4a4894..2ffa5ec8c69 100644 --- a/src/network/netdev/macsec.c +++ b/src/network/netdev/macsec.c 
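Review bot: The error messages in `load_certificates()` still say `from file '%s'` although the path may now name an AF_UNIX stream socket, so a refused connection would be reported as a file read failure; `"Failed to read key from '%s': %m"` (and the same form for the certificate message) describes both cases. The `"Failed to read key file: %m"` messages in the journal-gatewayd.c hunks have the same drift and, unlike these, do not include the path at all, which makes a failed socket connect hard to diagnose from the log; passing `optarg` into those messages would help. `load_certificates()` ends outside the hunk.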
@@ -983,7 +983,10 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) { (void) warn_file_is_world_accessible(sa->key_file, NULL, NULL, 0); - r = read_full_file_full(AT_FDCWD, sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE, (char **) &key, &key_len); + r = read_full_file_full( + AT_FDCWD, sa->key_file, + READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET, + (char **) &key, &key_len); if (r < 0) return log_netdev_error_errno(netdev, r, "Failed to read key from '%s', ignoring: %m", diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c index 9636ac77367..6812b07bff5 100644 --- a/src/network/netdev/wireguard.c +++ b/src/network/netdev/wireguard.c @@ -888,7 +888,10 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_ (void) warn_file_is_world_accessible(filename, NULL, NULL, 0); - r = read_full_file_full(AT_FDCWD, filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE, &key, &key_len); + r = read_full_file_full( + AT_FDCWD, filename, + READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET, + &key, &key_len); if (r < 0) return r; diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c index 465d194b408..e475402d9d4 100644 --- a/src/veritysetup/veritysetup.c +++ b/src/veritysetup/veritysetup.c @@ -100,7 +100,7 @@ static int run(int argc, char *argv[]) { if (r < 0) return log_error_errno(r, "Failed to parse root hash signature '%s': %m", argv[6]); } else { - r = read_full_file_full(AT_FDCWD, argv[6], 0, &hash_sig, &hash_sig_size); + r = read_full_file_full(AT_FDCWD, argv[6], READ_FULL_FILE_CONNECT_SOCKET, &hash_sig, &hash_sig_size); if (r < 0) return log_error_errno(r, "Failed to read root hash signature: %m"); }
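Review bot: The veritysetup hunk enables `READ_FULL_FILE_CONNECT_SOCKET` for the root-hash signature path in `argv[6]`, but no man-page change for veritysetup accompanies it in this diff, whereas the gatewayd, journal-remote and netdev man pages are updated for the same behaviour; if the rest of the commit does not cover it, the veritysetup documentation should state that the signature path may refer to an AF_UNIX stream socket that is connected to and read from. In the macsec and wireguard hunks the preceding `warn_file_is_world_accessible()` call and `READ_FULL_FILE_WARN_WORLD_READABLE` now also apply when the path is a socket; a short comment such as `/* the path may be an AF_UNIX socket; the mode check then applies to the socket inode */` would save the next reader from wondering whether the world-readable warning is meaningful there. `run()`, `macsec_read_key_file()` and `wireguard_read_key_file()` all begin and end outside their hunks.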