tree-wide: use READ_FULL_FILE_CONNECT_SOCKET at various places

Let's use the new flag wherever we read key material/passphrases/hashes
off disk, so that people can plug in their own IPC service as backend if
they like, easily.

(My main goal was actually to support this for crypttab key files — i.e.
that you can specify AF_UNIX sockets as third column in crypttab — but
that's harder to implement, since the keys are read via libcryptsetup's
API, not ours.)

man/systemd-journal-gatewayd.service.xml

@@ -58,26 +58,25 @@
       <varlistentry>
         <term><option>--cert=</option></term>
 
-        <listitem><para>Specify the path to a file containing a server
+        <listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read the
-        certificate in PEM format. This option switches
+        server certificate from. The certificate must be in PEM format. This option switches
-        <command>systemd-journal-gatewayd</command> into HTTPS mode
+        <command>systemd-journal-gatewayd</command> into HTTPS mode and must be used together with
-        and must be used together with
         <option>--key=</option>.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term><option>--key=</option></term>
 
-        <listitem><para>Specify the path to a file containing a server
+        <listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read the
-        key in PEM format corresponding to the certificate specified
+        server key corresponding to the certificate specified with <option>--cert=</option> from. The key
-        with <option>--cert=</option>.</para></listitem>
+        must be in PEM format.</para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term><option>--trust=</option></term>
 
-        <listitem><para>Specify the path to a file containing a
+        <listitem><para>Specify the path to a file or <constant>AF_UNIX</constant> stream socket to read a CA
-        CA certificate in PEM format.</para></listitem>
+        certificate from. The certificate must be in PEM format.</para></listitem>
       </varlistentry>
 
       <varlistentry>

man/systemd-journal-remote.service.xml

@@ -180,33 +180,29 @@
       <varlistentry>
         <term><option>--key=</option></term>
 
-        <listitem><para>
+        <listitem><para> Takes a path to a SSL key file in PEM format. Defaults to
-          Takes a path to a SSL key file in PEM format.
+        <filename>&CERTIFICATE_ROOT;/private/journal-remote.pem</filename>. This option can be used with
-          Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-remote.pem</filename>.
+        <option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket
-          This option can be used with <option>--listen-https=</option>.
+        in the file system a connection is made to it and the key read from it.</para></listitem>
-        </para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term><option>--cert=</option></term>
 
-        <listitem><para>
+        <listitem><para> Takes a path to a SSL certificate file in PEM format. Defaults to
-          Takes a path to a SSL certificate file in PEM format.
+        <filename>&CERTIFICATE_ROOT;/certs/journal-remote.pem</filename>. This option can be used with
-          Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-remote.pem</filename>.
+        <option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket
-          This option can be used with <option>--listen-https=</option>.
+        in the file system a connection is made to it and the certificate read from it.</para></listitem>
-        </para></listitem>
       </varlistentry>
 
       <varlistentry>
         <term><option>--trust=</option></term>
 
-        <listitem><para>
+        <listitem><para> Takes a path to a SSL CA certificate file in PEM format, or <option>all</option>. If
-          Takes a path to a SSL CA certificate file in PEM format,
+        <option>all</option> is set, then certificate checking will be disabled. Defaults to
-          or <option>all</option>. If <option>all</option> is set,
+        <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>. This option can be used with
-          then certificate checking will be disabled.
+        <option>--listen-https=</option>. If the path refers to an <constant>AF_UNIX</constant> stream socket
-          Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>.
+        in the file system a connection is made to it and the certificate read from it.</para></listitem>
-          This option can be used with <option>--listen-https=</option>.
-        </para></listitem>
       </varlistentry>
 
       <varlistentry>

man/systemd.netdev.xml

@@ -1028,11 +1028,13 @@
       <varlistentry>
         <term><varname>KeyFile=</varname></term>
         <listitem>
-          <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal
+          <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal string,
-          string, which will be used in the transmission channel. When this option is specified,
+          which will be used in the transmission channel. When this option is specified,
           <varname>Key=</varname> is ignored. Note that the file must be readable by the user
           <literal>systemd-network</literal>, so it should be, e.g., owned by
-          <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
+          <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the path
+          refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made to
+          it and the key read from it.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
@@ -1518,11 +1520,12 @@
       <varlistentry>
         <term><varname>PrivateKeyFile=</varname></term>
         <listitem>
-          <para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface.
+          <para>Takes an absolute path to a file which contains the Base64 encoded private key for the
-          When this option is specified, then <varname>PrivateKey=</varname> is ignored.
+          interface.  When this option is specified, then <varname>PrivateKey=</varname> is ignored.  Note
-          Note that the file must be readable by the user <literal>systemd-network</literal>, so it
+          that the file must be readable by the user <literal>systemd-network</literal>, so it should be,
-          should be, e.g., owned by <literal>root:systemd-network</literal> with a
+          e.g., owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If
-          <literal>0640</literal> file mode.</para>
+          the path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is
+          made to it and the key read from it.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
@@ -1577,10 +1580,11 @@
         <term><varname>PresharedKeyFile=</varname></term>
         <listitem>
           <para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
-          peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored.
+          peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored.  Note that
-          Note that the file must be readable by the user <literal>systemd-network</literal>, so it
+          the file must be readable by the user <literal>systemd-network</literal>, so it should be, e.g.,
-          should be, e.g., owned by <literal>root:systemd-network</literal> with a
+          owned by <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode. If the
-          <literal>0640</literal> file mode.</para>
+          path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is
+          made to it and the key read from it.</para>
         </listitem>
       </varlistentry>
       <varlistentry>

src/journal-remote/journal-gatewayd.c

@@ -906,7 +906,7 @@ static int parse_argv(int argc, char *argv[]) {
                         if (arg_key_pem)
                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                        "Key file specified twice");
-                        r = read_full_file(optarg, &arg_key_pem, NULL);
+                        r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_key_pem, NULL);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to read key file: %m");
                         assert(arg_key_pem);
@@ -916,7 +916,7 @@ static int parse_argv(int argc, char *argv[]) {
                         if (arg_cert_pem)
                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                        "Certificate file specified twice");
-                        r = read_full_file(optarg, &arg_cert_pem, NULL);
+                        r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_cert_pem, NULL);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to read certificate file: %m");
                         assert(arg_cert_pem);
@@ -927,7 +927,7 @@ static int parse_argv(int argc, char *argv[]) {
                         if (arg_trust_pem)
                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                        "CA certificate file specified twice");
-                        r = read_full_file(optarg, &arg_trust_pem, NULL);
+                        r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_trust_pem, NULL);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to read CA certificate file: %m");
                         assert(arg_trust_pem);

src/journal-remote/journal-remote-main.c

@@ -1077,12 +1077,12 @@ static int parse_argv(int argc, char *argv[]) {
 static int load_certificates(char **key, char **cert, char **trust) {
         int r;
 
-        r = read_full_file(arg_key ?: PRIV_KEY_FILE, key, NULL);
+        r = read_full_file_full(AT_FDCWD, arg_key ?: PRIV_KEY_FILE, READ_FULL_FILE_CONNECT_SOCKET, key, NULL);
         if (r < 0)
                 return log_error_errno(r, "Failed to read key from file '%s': %m",
                                        arg_key ?: PRIV_KEY_FILE);
 
-        r = read_full_file(arg_cert ?: CERT_FILE, cert, NULL);
+        r = read_full_file_full(AT_FDCWD, arg_cert ?: CERT_FILE, READ_FULL_FILE_CONNECT_SOCKET, cert, NULL);
         if (r < 0)
                 return log_error_errno(r, "Failed to read certificate from file '%s': %m",
                                        arg_cert ?: CERT_FILE);
@@ -1090,7 +1090,7 @@ static int load_certificates(char **key, char **cert, char **trust) {
         if (arg_trust_all)
                 log_info("Certificate checking disabled.");
         else {
-                r = read_full_file(arg_trust ?: TRUST_FILE, trust, NULL);
+                r = read_full_file_full(AT_FDCWD, arg_trust ?: TRUST_FILE, READ_FULL_FILE_CONNECT_SOCKET, trust, NULL);
                 if (r < 0)
                         return log_error_errno(r, "Failed to read CA certificate file '%s': %m",
                                                arg_trust ?: TRUST_FILE);

src/network/netdev/macsec.c

@@ -983,7 +983,10 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
 
         (void) warn_file_is_world_accessible(sa->key_file, NULL, NULL, 0);
 
-        r = read_full_file_full(AT_FDCWD, sa->key_file, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE, (char **) &key, &key_len);
+        r = read_full_file_full(
+                        AT_FDCWD, sa->key_file,
+                        READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
+                        (char **) &key, &key_len);
         if (r < 0)
                 return log_netdev_error_errno(netdev, r,
                                               "Failed to read key from '%s', ignoring: %m",

src/network/netdev/wireguard.c

@@ -888,7 +888,10 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_
 
         (void) warn_file_is_world_accessible(filename, NULL, NULL, 0);
 
-        r = read_full_file_full(AT_FDCWD, filename, READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE, &key, &key_len);
+        r = read_full_file_full(
+                        AT_FDCWD, filename,
+                        READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
+                        &key, &key_len);
         if (r < 0)
                 return r;
 

src/veritysetup/veritysetup.c

@@ -100,7 +100,7 @@ static int run(int argc, char *argv[]) {
                                 if (r < 0)
                                         return log_error_errno(r, "Failed to parse root hash signature '%s': %m", argv[6]);
                         } else {
-                                r = read_full_file_full(AT_FDCWD, argv[6], 0, &hash_sig, &hash_sig_size);
+                                r = read_full_file_full(AT_FDCWD, argv[6], READ_FULL_FILE_CONNECT_SOCKET, &hash_sig, &hash_sig_size);
                                 if (r < 0)
                                         return log_error_errno(r, "Failed to read root hash signature: %m");
                         }