mirror of
https://github.com/systemd/systemd
synced 2024-07-21 10:17:21 +00:00
core/credential: make setup_credentials() return path to credentials directory
Then, we can reuse the path when building environment variables and setting up mount namespace. No functional change, just refactoring.
This commit is contained in:
parent
fbaf3b23ae
commit
7241b9cd72
|
@ -876,16 +876,20 @@ int setup_credentials(
|
|||
const ExecParameters *params,
|
||||
const char *unit,
|
||||
uid_t uid,
|
||||
gid_t gid) {
|
||||
gid_t gid,
|
||||
char **ret_path) {
|
||||
|
||||
_cleanup_free_ char *p = NULL, *q = NULL;
|
||||
int r;
|
||||
|
||||
assert(context);
|
||||
assert(params);
|
||||
assert(ret_path);
|
||||
|
||||
if (!exec_context_has_credentials(context))
|
||||
if (!exec_context_has_credentials(context)) {
|
||||
*ret_path = NULL;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!params->prefix[EXEC_DIRECTORY_RUNTIME])
|
||||
return -EINVAL;
|
||||
|
@ -999,5 +1003,7 @@ int setup_credentials(
|
|||
* actually end up mounting anything on it. In that case we'd rather have ENOENT than EACCESS being
|
||||
* seen by users when trying access this inode. */
|
||||
(void) rmdir(p);
|
||||
|
||||
*ret_path = TAKE_PTR(p);
|
||||
return 0;
|
||||
}
|
||||
|
|
|
@ -45,4 +45,5 @@ int setup_credentials(
|
|||
const ExecParameters *params,
|
||||
const char *unit,
|
||||
uid_t uid,
|
||||
gid_t gid);
|
||||
gid_t gid,
|
||||
char **ret_path);
|
||||
|
|
|
@ -1864,6 +1864,7 @@ static int build_environment(
|
|||
dev_t journal_stream_dev,
|
||||
ino_t journal_stream_ino,
|
||||
const char *memory_pressure_path,
|
||||
const char *creds_path,
|
||||
char ***ret) {
|
||||
|
||||
_cleanup_strv_free_ char **our_env = NULL;
|
||||
|
@ -2041,10 +2042,8 @@ static int build_environment(
|
|||
our_env[n_env++] = x;
|
||||
}
|
||||
|
||||
if (exec_context_has_credentials(c) &&
|
||||
p->prefix[EXEC_DIRECTORY_RUNTIME] &&
|
||||
FLAGS_SET(p->flags, EXEC_WRITE_CREDENTIALS)) {
|
||||
x = strjoin("CREDENTIALS_DIRECTORY=", p->prefix[EXEC_DIRECTORY_RUNTIME], "/credentials/", u->id);
|
||||
if (creds_path) {
|
||||
x = strjoin("CREDENTIALS_DIRECTORY=", creds_path);
|
||||
if (!x)
|
||||
return -ENOMEM;
|
||||
|
||||
|
@ -3112,12 +3111,13 @@ static int apply_mount_namespace(
|
|||
const ExecParameters *params,
|
||||
ExecRuntime *runtime,
|
||||
const char *memory_pressure_path,
|
||||
const char *creds_path,
|
||||
char **error_path) {
|
||||
|
||||
_cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;
|
||||
_cleanup_strv_free_ char **empty_directories = NULL, **symlinks = NULL,
|
||||
**read_write_paths_cleanup = NULL;
|
||||
_cleanup_free_ char *creds_path = NULL, *incoming_dir = NULL, *propagate_dir = NULL,
|
||||
_cleanup_free_ char *incoming_dir = NULL, *propagate_dir = NULL,
|
||||
*extension_dir = NULL, *host_os_release_stage = NULL;
|
||||
const char *root_dir = NULL, *root_image = NULL, *tmp_dir = NULL, *var_tmp_dir = NULL;
|
||||
char **read_write_paths;
|
||||
|
@ -3219,14 +3219,6 @@ static int apply_mount_namespace(
|
|||
if (context->mount_propagation_flag == MS_SHARED)
|
||||
log_unit_debug(u, "shared mount propagation hidden by other fs namespacing unit settings: ignoring");
|
||||
|
||||
if (exec_context_has_credentials(context) &&
|
||||
params->prefix[EXEC_DIRECTORY_RUNTIME] &&
|
||||
FLAGS_SET(params->flags, EXEC_WRITE_CREDENTIALS)) {
|
||||
creds_path = path_join(params->prefix[EXEC_DIRECTORY_RUNTIME], "credentials", u->id);
|
||||
if (!creds_path)
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
if (params->runtime_scope == RUNTIME_SCOPE_SYSTEM) {
|
||||
propagate_dir = path_join("/run/systemd/propagate/", u->id);
|
||||
if (!propagate_dir)
|
||||
|
@ -3948,7 +3940,7 @@ static int exec_child(
|
|||
int r, ngids = 0, exec_fd;
|
||||
_cleanup_free_ gid_t *supplementary_gids = NULL;
|
||||
const char *username = NULL, *groupname = NULL;
|
||||
_cleanup_free_ char *home_buffer = NULL, *memory_pressure_path = NULL;
|
||||
_cleanup_free_ char *home_buffer = NULL, *memory_pressure_path = NULL, *creds_path = NULL;
|
||||
const char *home = NULL, *shell = NULL;
|
||||
char **final_argv = NULL;
|
||||
dev_t journal_stream_dev = 0;
|
||||
|
@ -4429,7 +4421,7 @@ static int exec_child(
|
|||
}
|
||||
|
||||
if (FLAGS_SET(params->flags, EXEC_WRITE_CREDENTIALS)) {
|
||||
r = setup_credentials(context, params, unit->id, uid, gid);
|
||||
r = setup_credentials(context, params, unit->id, uid, gid, &creds_path);
|
||||
if (r < 0) {
|
||||
*exit_status = EXIT_CREDENTIALS;
|
||||
return log_unit_error_errno(unit, r, "Failed to set up credentials: %m");
|
||||
|
@ -4449,6 +4441,7 @@ static int exec_child(
|
|||
journal_stream_dev,
|
||||
journal_stream_ino,
|
||||
memory_pressure_path,
|
||||
creds_path,
|
||||
&our_env);
|
||||
if (r < 0) {
|
||||
*exit_status = EXIT_MEMORY;
|
||||
|
@ -4642,7 +4635,7 @@ static int exec_child(
|
|||
if (needs_mount_namespace) {
|
||||
_cleanup_free_ char *error_path = NULL;
|
||||
|
||||
r = apply_mount_namespace(unit, command->flags, context, params, runtime, memory_pressure_path, &error_path);
|
||||
r = apply_mount_namespace(unit, command->flags, context, params, runtime, memory_pressure_path, creds_path, &error_path);
|
||||
if (r < 0) {
|
||||
*exit_status = EXIT_NAMESPACE;
|
||||
return log_unit_error_errno(unit, r, "Failed to set up mount namespacing%s%s: %m",
|
||||
|
|
Loading…
Reference in a new issue