picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

tree-wide: use READ_FULL_FILE_CONNECT_SOCKET at various places 

Let's use the new flag wherever we read key material/passphrases/hashes
off disk, so that people can plug in their own IPC service as backend if
they like, easily.

(My main goal was actually to support this for crypttab key files — i.e.
that you can specify AF_UNIX sockets as third column in crypttab — but
that's harder to implement, since the keys are read via libcryptsetup's
API, not ours.)
This commit is contained in:
Lennart Poettering 2020-07-17 12:58:19 +02:00
parent c668aa8b35
commit 49f16281c9
8 changed files with 52 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
man/systemd-journal-gatewayd.service.xml
View File

@ -58,26 +58,25 @@
<varlistentry>
<term><option>--cert=</option></term>
<listitem><para>Specify the path to a file containing a server
certificate in PEM format. This option switches
<command>systemd-journal-gatewayd</command> into HTTPS mode
and must be used together with
<listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read the
server certificate from. The certificate must be in PEM format. This option switches
<command>systemd-journal-gatewayd</command> into HTTPS mode and must be used together with
<option>--key=</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--key=</option></term>
<listitem><para>Specify the path to a file containing a server
key in PEM format corresponding to the certificate specified
with <option>--cert=</option>.</para></listitem>
<listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read the
server key corresponding to the certificate specified with <option>--cert=</option> from. The key
must be in PEM format.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--trust=</option></term>
<listitem><para>Specify the path to a file containing a
CA certificate in PEM format.</para></listitem>
<listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read a CA
certificate from. The certificate must be in PEM format.</para></listitem>
</varlistentry>
<varlistentry>

30
man/systemd-journal-remote.service.xml
View File

@ -180,33 +180,29 @@
<varlistentry>
<term><option>--key=</option></term>
<listitem><para>
Takes a path to a SSL key file in PEM format.
Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-remote.pem</filename>.
This option can be used with <option>--listen-https=</option>.
</para></listitem>
<listitem><para> Takes a path to a SSL key file in PEM format. Defaults to
<filename>&CERTIFICATE_ROOT;/private/journal-remote.pem</filename>. This option can be used with
<option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket
in the file system a connection is made to it and the key read from it.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--cert=</option></term>
<listitem><para>
Takes a path to a SSL certificate file in PEM format.
Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-remote.pem</filename>.
This option can be used with <option>--listen-https=</option>.
</para></listitem>
<listitem><para> Takes a path to a SSL certificate file in PEM format. Defaults to
<filename>&CERTIFICATE_ROOT;/certs/journal-remote.pem</filename>. This option can be used with
<option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket
in the file system a connection is made to it and the certificate read from it.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--trust=</option></term>
<listitem><para>
Takes a path to a SSL CA certificate file in PEM format,
or <option>all</option>. If <option>all</option> is set,
then certificate checking will be disabled.
Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>.
This option can be used with <option>--listen-https=</option>.
</para></listitem>
<listitem><para> Takes a path to a SSL CA certificate file in PEM format, or <option>all</option>. If
<option>all</option> is set, then certificate checking will be disabled. Defaults to
<filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>. This option can be used with
<option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket
in the file system a connection is made to it and the certificate read from it.</para></listitem>
</varlistentry>
<varlistentry>

28
man/systemd.netdev.xml
View File

@ -1028,11 +1028,13 @@
<varlistentry>
<term><varname>KeyFile=</varname></term>
<listitem>
<para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal
string, which will be used in the transmission channel. When this option is specified,
<para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal string,
which will be used in the transmission channel. When this option is specified,
<varname>Key=</varname> is ignored. Note that the file must be readable by the user
<literal>systemd-network</literal>, so it should be, e.g., owned by
<literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
<literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the path
refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made to
it and the key read from it.</para>
</listitem>
</varlistentry>
<varlistentry>
@ -1518,11 +1520,12 @@
<varlistentry>
<term><varname>PrivateKeyFile=</varname></term>
<listitem>
<para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface.
When this option is specified, then <varname>PrivateKey=</varname> is ignored.
Note that the file must be readable by the user <literal>systemd-network</literal>, so it
should be, e.g., owned by <literal>root:systemd-network</literal> with a
<literal>0640</literal> file mode.</para>
<para>Takes an absolute path to a file which contains the Base64 encoded private key for the
interface. When this option is specified, then <varname>PrivateKey=</varname> is ignored. Note
that the file must be readable by the user <literal>systemd-network</literal>, so it should be,
e.g., owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If
the path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is
made to it and the key read from it.</para>
</listitem>
</varlistentry>
<varlistentry>
@ -1577,10 +1580,11 @@
<term><varname>PresharedKeyFile=</varname></term>
<listitem>
<para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored.
Note that the file must be readable by the user <literal>systemd-network</literal>, so it
should be, e.g., owned by <literal>root:systemd-network</literal> with a
<literal>0640</literal> file mode.</para>
peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored. Note that
the file must be readable by the user <literal>systemd-network</literal>, so it should be, e.g.,
owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the
path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is
made to it and the key read from it.</para>
</listitem>
</varlistentry>
<varlistentry>

6
src/journal-remote/journal-gatewayd.c
View File

@ -906,7 +906,7 @@ static int parse_argv(int argc, char *argv[]) {
if (arg_key_pem)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Key file specified twice");
r = read_full_file(optarg, &arg_key_pem, NULL);
r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_key_pem, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read key file: %m");
assert(arg_key_pem);
@ -916,7 +916,7 @@ static int parse_argv(int argc, char *argv[]) {
if (arg_cert_pem)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Certificate file specified twice");
r = read_full_file(optarg, &arg_cert_pem, NULL);
r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_cert_pem, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read certificate file: %m");
assert(arg_cert_pem);
@ -927,7 +927,7 @@ static int parse_argv(int argc, char *argv[]) {
if (arg_trust_pem)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"CA certificate file specified twice");
r = read_full_file(optarg, &arg_trust_pem, NULL);
r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_trust_pem, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read CA certificate file: %m");
assert(arg_trust_pem);

6
src/journal-remote/journal-remote-main.c
View File

@ -1077,12 +1077,12 @@ static int parse_argv(int argc, char *argv[]) {
static int load_certificates(char **key, char **cert, char **trust) {
int r;
r = read_full_file(arg_key ?: PRIV_KEY_FILE, key, NULL);
r = read_full_file_full(AT_FDCWD, arg_key ?: PRIV_KEY_FILE, READ_FULL_FILE_CONNECT_SOCKET, key, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read key from file '%s': %m",
arg_key ?: PRIV_KEY_FILE);
r = read_full_file(arg_cert ?: CERT_FILE, cert, NULL);
r = read_full_file_full(AT_FDCWD, arg_cert ?: CERT_FILE, READ_FULL_FILE_CONNECT_SOCKET, cert, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read certificate from file '%s': %m",
arg_cert ?: CERT_FILE);
@ -1090,7 +1090,7 @@ static int load_certificates(char **key, char **cert, char **trust) {
if (arg_trust_all)
log_info("Certificate checking disabled.");
else {
r = read_full_file(arg_trust ?: TRUST_FILE, trust, NULL);
r = read_full_file_full(AT_FDCWD, arg_trust ?: TRUST_FILE, READ_FULL_FILE_CONNECT_SOCKET, trust, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read CA certificate file '%s': %m",
arg_trust ?: TRUST_FILE);

5
src/network/netdev/macsec.c
View File

@ -983,7 +983,10 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
(void) warn_file_is_world_accessible(sa->key_file, NULL, NULL, 0);
r = read_full_file_full(AT_FDCWD, sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE, (char **) &key, &key_len);
r = read_full_file_full(
AT_FDCWD, sa->key_file,
READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
(char **) &key, &key_len);
if (r < 0)
return log_netdev_error_errno(netdev, r,
"Failed to read key from '%s', ignoring: %m",

5
src/network/netdev/wireguard.c
View File

@ -888,7 +888,10 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_
(void) warn_file_is_world_accessible(filename, NULL, NULL, 0);
r = read_full_file_full(AT_FDCWD, filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE, &key, &key_len);
r = read_full_file_full(
AT_FDCWD, filename,
READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
&key, &key_len);
if (r < 0)
return r;

2
src/veritysetup/veritysetup.c
View File

@ -100,7 +100,7 @@ static int run(int argc, char *argv[]) {
if (r < 0)
return log_error_errno(r, "Failed to parse root hash signature '%s': %m", argv[6]);
} else {
r = read_full_file_full(AT_FDCWD, argv[6], 0, &hash_sig, &hash_sig_size);
r = read_full_file_full(AT_FDCWD, argv[6], READ_FULL_FILE_CONNECT_SOCKET, &hash_sig, &hash_sig_size);
if (r < 0)
return log_error_errno(r, "Failed to read root hash signature: %m");
}