

Lennart Poettering
255689ae92 bus-unit-util: make sure we can set LoadCredentials= property with a single string
LoadCredentials= in unit files supports a syntax passing a single string
only (in which case the credentials are propagated down from the host),
but systemd-run's --property= setting doesn't allow that yet. Fix that.
2022-04-21 15:28:57 +02:00
Lennart Poettering
6a25ce4380
Merge pull request #23148 from poettering/creds-util-mini-tweaks
creds-util: two minor tweaks
2022-04-21 15:07:45 +02:00
Lennart Poettering
fa998da2df creds-util: upgrade message about TPM2 not working 2022-04-21 10:51:00 +02:00
Lennart Poettering
d2cba923be creds-util: also warn about unencrypted creds host key if we are creating it
Previously we'd only warn when we consume it, but it's even more
relevant to warn if we save it to an unencrypted storage location.
2022-04-21 10:50:09 +02:00
2 changed files with 30 additions and 13 deletions


@ -1156,9 +1156,12 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
return log_oom();
if (r < 0)
return log_error_errno(r, "Failed to parse %s= parameter: %s", field, eq);
if (r == 0 || !p)
if (r == 0)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Missing argument to %s=.", field);
if (isempty(p)) /* If only one field is specified, then this means "inherit from above" */
p = eq;
r = sd_bus_message_append(m, "a(ss)", 1, word, p);
}
if (r < 0)
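Review bot: The single-string fallback `p = eq;` puts the raw, unparsed text into the second element of the `a(ss)` pair while the first element is the extracted `word`; if extract_first_word() unquotes or unescapes anything (its flags are not visible in this hunk), the two halves of the same credential entry would disagree. Using the parsed word for both, `p = word;`, keeps the pair self-consistent and is what the one-field shorthand is meant to express. The new `if (r == 0)` check is fine since the following `isempty(p)` also covers a NULL `p`. bus_append_execute_property() starts and ends outside this hunk.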


@ -94,9 +94,30 @@ struct credential_host_secret_format {
uint8_t data[CREDENTIAL_HOST_SECRET_SIZE];
} _packed_;
static void warn_not_encrypted(int fd, CredentialSecretFlags flags, const char *dirname, const char *filename) {
int r;
assert(fd >= 0);
assert(dirname);
assert(filename);
if (!FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED))
return;
r = fd_is_encrypted(fd);
if (r < 0)
log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.",
dirname, filename);
else if (r == 0)
log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
dirname, filename);
}
static int make_credential_host_secret(
int dfd,
const sd_id128_t machine_id,
CredentialSecretFlags flags,
const char *dirname,
const char *fn,
void **ret_data,
size_t *ret_size) {
@ -142,6 +163,8 @@ static int make_credential_host_secret(
goto finish;
}
warn_not_encrypted(fd, flags, dirname, fn);
if (t) {
r = rename_noreplace(dfd, t, dfd, fn);
if (r < 0)
@ -248,7 +271,7 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
"Failed to open %s/%s: %m", dirname, filename);
r = make_credential_host_secret(dfd, machine_id, filename, ret, ret_size);
r = make_credential_host_secret(dfd, machine_id, flags, dirname, filename, ret, ret_size);
if (r == -EEXIST) {
log_debug_errno(r, "Credential secret %s/%s appeared while we were creating it, rereading.",
dirname, filename);
@ -257,7 +280,6 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
if (r < 0)
return log_debug_errno(r, "Failed to create credential secret %s/%s: %m",
dirname, filename);
return 0;
}
@ -302,15 +324,7 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
if (sd_id128_equal(machine_id, f->machine_id)) {
size_t sz;
if (FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED)) {
r = fd_is_encrypted(fd);
if (r < 0)
log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.",
dirname, filename);
else if (r == 0)
log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
dirname, filename);
}
warn_not_encrypted(fd, flags, dirname, filename);
sz = l - offsetof(struct credential_host_secret_format, data);
assert(sz > 0);
@ -570,7 +584,7 @@ int encrypt_credential_and_warn(
else if (!sd_id128_equal(with_key, _CRED_AUTO))
return r;
log_debug_errno(r, "TPM2 sealing didn't work, not using: %m");
log_notice_errno(r, "TPM2 sealing didn't work, continuing without TPM2: %m");
}
assert(tpm2_blob_size <= CREDENTIAL_FIELD_SIZE_MAX);
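Review bot: warn_not_encrypted() emits the same "... is not located on encrypted media, using anyway." text at both call sites, but the new call in make_credential_host_secret, placed right after `goto finish; }`, runs after the secret has presumably already been written (the write itself is outside this hunk), so "using anyway" describes the wrong action on the create path. A distinct message for that caller, e.g. `"Credential secret file '%s/%s' is being created on media that is not encrypted."`, would make the log line match what happened; if the intent is to warn before the secret lands on unencrypted storage, the check would have to run against dfd before the write rather than on fd afterwards. The helper's choice to only debug-log a failed fd_is_encrypted() also deserves a one-line comment, e.g. `/* Best effort: if the encryption status cannot be determined, only log at debug level. */`, so a later reader does not mistake it for a dropped error. make_credential_host_secret()'s body continues outside the visible hunks.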