mirror of
https://github.com/systemd/systemd
synced 2024-07-21 10:17:21 +00:00
b6033b7060
This adds a tmpfiles.d/ snippet for LoadCredential= style credentials directories in /etc/ and /run/. This is done primarily to ensure that the access modes for the dirs are set up properly, in the most restrictive ways. Specifically these are set to 0000, so that CAP_DAC_OVERRIDE is necessary to enumerate and read the credentials, and being UID=0 is not sufficient to do so. This creates /etc/credstore/, but leaves /run/credstore/ absent if missing, for now. Thinking is: the latter being non-persistent is created by software usually, not manually by users, and hence more likely right. But dunno, we might want to revisit this sooner or later. This is ultimately an exercise to advertise the LoadCredential= concept a bit, and do so in a reasonably secure way, underlining the safety of the concept.
60 lines
2.2 KiB
Meson
60 lines
2.2 KiB
Meson
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
|
|
enable_tmpfiles = conf.get('ENABLE_TMPFILES') == 1
|
|
|
|
files = [['README', ''],
|
|
['home.conf', ''],
|
|
['journal-nocow.conf', ''],
|
|
['portables.conf', 'ENABLE_PORTABLED'],
|
|
['systemd-network.conf', 'ENABLE_NETWORKD'],
|
|
['systemd-nologin.conf', 'HAVE_PAM'],
|
|
['systemd-nspawn.conf', 'ENABLE_MACHINED'],
|
|
['systemd-pstore.conf', 'ENABLE_PSTORE'],
|
|
['systemd-resolve.conf', 'ENABLE_RESOLVE'],
|
|
['systemd-tmp.conf', ''],
|
|
['tmp.conf', ''],
|
|
['x11.conf', ''],
|
|
['provision.conf', ''],
|
|
['credstore.conf', ''],
|
|
]
|
|
|
|
foreach pair : files
|
|
if not enable_tmpfiles
|
|
# do nothing
|
|
elif pair[1] == '' or conf.get(pair[1]) == 1
|
|
install_data(pair[0], install_dir : tmpfilesdir)
|
|
else
|
|
message('Not installing tmpfiles.d/@0@ because @1@ is @2@'
|
|
.format(pair[0], pair[1], conf.get(pair[1], 0)))
|
|
endif
|
|
endforeach
|
|
|
|
in_files = [['etc.conf', ''],
|
|
['legacy.conf', 'HAVE_SYSV_COMPAT'],
|
|
['static-nodes-permissions.conf', ''],
|
|
['systemd.conf', ''],
|
|
['var.conf', ''],
|
|
]
|
|
|
|
foreach pair : in_files
|
|
if not enable_tmpfiles
|
|
# do nothing
|
|
elif pair[1] == '' or conf.get(pair[1]) == 1
|
|
custom_target(
|
|
pair[0],
|
|
input : pair[0] + '.in',
|
|
output: pair[0],
|
|
command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
|
|
install : enable_tmpfiles,
|
|
install_dir : tmpfilesdir)
|
|
else
|
|
message('Not installing tmpfiles.d/@0@ because @1@ is @2@'
|
|
.format(pair[0], pair[1], conf.get(pair[1], 0)))
|
|
endif
|
|
endforeach
|
|
|
|
if enable_tmpfiles and install_sysconfdir
|
|
meson.add_install_script(
|
|
'sh', '-c', mkdir_p.format(sysconfdir / 'tmpfiles.d'))
|
|
endif
|