mirror of
https://github.com/systemd/systemd
synced 2025-11-22 10:14:45 +01:00
Compare commits
No commits in common. "5c7be924941456c10e7c0c290160c4baa84f776d" and "9b89aee4afa10c19b8109bdfa50abdc297e249a3" have entirely different histories.
5c7be92494
...
9b89aee4af
@ -520,7 +520,7 @@ static int maybe_decrypt_and_write_credential(
|
||||
}
|
||||
if (r < 0) {
|
||||
if (graceful) {
|
||||
log_warning_errno(r, "Unable to decrypt credential '%s', skipping: %m", id);
|
||||
log_warning_errno(r, "Unable to decrypt credential '%s', skipping.", id);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -739,7 +739,7 @@ static int load_credential(
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to read credential '%s': %m", path);
|
||||
|
||||
return maybe_decrypt_and_write_credential(args, id, data, size, /* graceful= */ false);
|
||||
return maybe_decrypt_and_write_credential(args, id, data, size, /* graceful= */ true);
|
||||
}
|
||||
|
||||
static int load_cred_recurse_dir_cb(
|
||||
|
||||
@ -1409,15 +1409,28 @@ static int vl_method_decrypt(sd_varlink *link, sd_json_variant *parameters, sd_v
|
||||
ask_polkit = true;
|
||||
}
|
||||
|
||||
if (r == -EBADMSG)
|
||||
return sd_varlink_error(link, "io.systemd.Credentials.BadFormat", NULL);
|
||||
if (r == -EDESTADDRREQ)
|
||||
return sd_varlink_error(link, "io.systemd.Credentials.NameMismatch", NULL);
|
||||
if (r == -ESTALE)
|
||||
return sd_varlink_error(link, "io.systemd.Credentials.TimeMismatch", NULL);
|
||||
if (r == -ESRCH)
|
||||
return sd_varlink_error(link, "io.systemd.Credentials.NoSuchUser", NULL);
|
||||
if (r == -EMEDIUMTYPE)
|
||||
return sd_varlink_error(link, "io.systemd.Credentials.BadScope", NULL);
|
||||
if (r == -EHOSTDOWN)
|
||||
return sd_varlink_error(link, "io.systemd.Credentials.CantFindPCRSignature", NULL);
|
||||
if (r == -EHWPOISON)
|
||||
return sd_varlink_error(link, "io.systemd.Credentials.NullKeyNotAllowed", NULL);
|
||||
if (r == -EREMOTE)
|
||||
return sd_varlink_error(link, "io.systemd.Credentials.KeyBelongsToOtherTPM", NULL);
|
||||
if (r == -ENOLCK)
|
||||
return sd_varlink_error(link, "io.systemd.Credentials.TPMInDictionaryLockout", NULL);
|
||||
if (IN_SET(r, -EREMCHG, -ENOANO, -EUCLEAN, -EPERM))
|
||||
return sd_varlink_error(link, "io.systemd.Credentials.UnexpectedPCRState", NULL);
|
||||
if (r < 0) {
|
||||
const CredentialsVarlinkError *e = credentials_varlink_error_by_errno(r);
|
||||
if (e)
|
||||
return sd_varlink_error(link, e->id, NULL);
|
||||
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
||||
|
||||
_cleanup_(sd_json_variant_unrefp) sd_json_variant *reply = NULL;
|
||||
|
||||
|
||||
@ -403,11 +403,9 @@ int machine_load(Machine *m) {
|
||||
log_warning_errno(r, "Failed to parse AF_VSOCK CID, ignoring: %s", vsock_cid);
|
||||
}
|
||||
|
||||
if (uid) {
|
||||
r = parse_uid(uid, &m->uid);
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to parse owning UID, ignoring: %s", uid);
|
||||
}
|
||||
r = parse_uid(uid, &m->uid);
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to parse owning UID, ignoring: %s", uid);
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
@ -1652,9 +1652,26 @@ int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp,
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to call Decrypt() varlink call.");
|
||||
if (!isempty(error_id)) {
|
||||
const CredentialsVarlinkError *e = credentials_varlink_error_by_id(error_id);
|
||||
if (e)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(e->errnum), "%s", e->msg);
|
||||
static struct {
|
||||
const char *id;
|
||||
int errnum;
|
||||
const char *msg;
|
||||
} table[] = {
|
||||
{ "io.systemd.Credentials.BadFormat", EBADMSG, "Bad credential format." },
|
||||
{ "io.systemd.Credentials.NameMismatch", EDESTADDRREQ, "Name in credential doesn't match expectations." },
|
||||
{ "io.systemd.Credentials.TimeMismatch", ESTALE, "Outside of credential validity time window." },
|
||||
{ "io.systemd.Credentials.NoSuchUser", ESRCH, "No such user." },
|
||||
{ "io.systemd.Credentials.BadScope", EMEDIUMTYPE, "Scope mismatch." },
|
||||
{ "io.systemd.Credentials.CantFindPCRSignature", EHOSTDOWN, "PCR signature required for decryption, but could not be found." },
|
||||
{ "io.systemd.Credentials.NullKeyNotAllowed", EHWPOISON, "The key was encrypted with a null key, but that's now allowed during decryption." },
|
||||
{ "io.systemd.Credentials.KeyBelongsToOtherTPM", EREMOTE, "The TPM integrity check for this key failed, key probably belongs to another TPM, or was corrupted." },
|
||||
{ "io.systemd.Credentials.TPMInDictionaryLockout", ENOLCK, "The TPM is in dictionary lockout mode, cannot operate." },
|
||||
{ "io.systemd.Credentials.UnexpectedPCRState" , EUCLEAN, "Unexpected TPM PCR state of the system." },
|
||||
};
|
||||
|
||||
FOREACH_ELEMENT(i, table)
|
||||
if (streq(i->id, error_id))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(i->errnum), "%s", i->msg);
|
||||
|
||||
return log_error_errno(sd_varlink_error_to_errno(error_id, reply), "Failed to decrypt: %s", error_id);
|
||||
}
|
||||
@ -1807,38 +1824,3 @@ int pick_up_credentials(const PickUpCredential *table, size_t n_table_entry) {
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static const CredentialsVarlinkError credentials_varlink_error_table[] = {
|
||||
{ "io.systemd.Credentials.BadFormat", EBADMSG, "Bad credential format." },
|
||||
{ "io.systemd.Credentials.NameMismatch", EDESTADDRREQ, "Name in credential doesn't match expectations." },
|
||||
{ "io.systemd.Credentials.TimeMismatch", ESTALE, "Outside of credential validity time window." },
|
||||
{ "io.systemd.Credentials.NoSuchUser", ESRCH, "No such user." },
|
||||
{ "io.systemd.Credentials.BadScope", EMEDIUMTYPE, "Scope mismatch." },
|
||||
{ "io.systemd.Credentials.CantFindPCRSignature", EHOSTDOWN, "PCR signature required for decryption, but could not be found." },
|
||||
{ "io.systemd.Credentials.NullKeyNotAllowed", EHWPOISON, "The key was encrypted with a null key, but that's now allowed during decryption." },
|
||||
{ "io.systemd.Credentials.KeyBelongsToOtherTPM", EREMOTE, "The TPM integrity check for this key failed, key probably belongs to another TPM, or was corrupted." },
|
||||
{ "io.systemd.Credentials.TPMInDictionaryLockout", ENOLCK, "The TPM is in dictionary lockout mode, cannot operate." },
|
||||
{ "io.systemd.Credentials.UnexpectedPCRState" , EUCLEAN, "Unexpected TPM PCR state of the system." },
|
||||
};
|
||||
|
||||
const CredentialsVarlinkError* credentials_varlink_error_by_id(const char *id) {
|
||||
assert(id);
|
||||
|
||||
FOREACH_ELEMENT(i, credentials_varlink_error_table)
|
||||
if (streq(id, i->id))
|
||||
return i;
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
const CredentialsVarlinkError* credentials_varlink_error_by_errno(int errnum) {
|
||||
assert(errnum != 0);
|
||||
|
||||
errnum = ABS(errnum);
|
||||
|
||||
FOREACH_ELEMENT(i, credentials_varlink_error_table)
|
||||
if (errnum == i->errnum)
|
||||
return i;
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@ -102,12 +102,3 @@ typedef struct PickUpCredential {
|
||||
} PickUpCredential;
|
||||
|
||||
int pick_up_credentials(const PickUpCredential *table, size_t n_table_entry);
|
||||
|
||||
typedef struct CredentialsVarlinkError {
|
||||
const char *id;
|
||||
int errnum;
|
||||
const char *msg;
|
||||
} CredentialsVarlinkError;
|
||||
|
||||
const CredentialsVarlinkError* credentials_varlink_error_by_id(const char *id) _pure_;
|
||||
const CredentialsVarlinkError* credentials_varlink_error_by_errno(int errnum) _const_;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user