fileio: beef up READ_FULL_FILE_CONNECT_SOCKET to allow setting sender socket name

poettering · poettering · commit d3dcf4e3b95e · 2020-11-03T09:48:04.000+01:00
This beefs up the READ_FULL_FILE_CONNECT_SOCKET logic of
read_full_file_full() a bit: when used a sender socket name may be
specified. If specified as NULL behaviour is as before: the client
socket name is picked by the kernel. But if specified as non-NULL the
client can pick a socket name to use when connecting. This is useful to
communicate a minimal amount of metainformation from client to server,
outside of the transport payload.

Specifically, these beefs up the service credential logic to pass an
abstract AF_UNIX socket name as client socket name when connecting via
READ_FULL_FILE_CONNECT_SOCKET, that includes the requesting unit name
and the eventual credential name. This allows servers implementing the
trivial credential socket logic to distinguish clients: via a simple
getpeername() it can be determined which unit is requesting a
credential, and which credential specifically.

Example: with this patch in place, in a unit file "waldo.service" a
configuration line like the following:

    LoadCredential=foo:/run/quux/creds.sock

will result in a connection to the AF_UNIX socket /run/quux/creds.sock,
originating from an abstract namespace AF_UNIX socket:

    @$RANDOM/unit/waldo.service/foo

(The $RANDOM is replaced by some randomized string. This is included in
the socket name order to avoid namespace squatting issues: the abstract
socket namespace is open to unprivileged users after all, and care needs
to be taken not to use guessable names)

The services listening on the /run/quux/creds.sock socket may thus
easily retrieve the name of the unit the credential is requested for
plus the credential name, via a simpler getpeername(), discarding the
random preifx and the /unit/ string.

This logic uses "/" as separator between the fields, since both unit
names and credential names appear in the file system, and thus are
designed to use "/" as outer separators. Given that it's a good safe
choice to use as separators here, too avoid any conflicts.

This is a minimal patch only: the new logic is used only for the unit
file credential logic. For other places where we use
READ_FULL_FILE_CONNECT_SOCKET it is probably a good idea to use this
scheme too, but this should be done carefully in later patches, since
the socket names become API that way, and we should determine the right
amount of info to pass over.
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
@@ -2706,15 +2706,16 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
         credential plus a file system path. The ID must be a short ASCII string suitable as filename in the
         filesystem, and may be chosen freely by the user. If the specified path is absolute it is opened as
         regular file and the credential data is read from it. If the absolute path refers to an
-        <constant>AF_UNIX</constant> stream socket in the file system a connection is made to it and the
-        credential data read from the connection, providing an easy IPC integration point for dynamically
-        providing credentials from other services. If the specified path is not absolute and itself qualifies
-        as valid credential identifier it is understood to refer to a credential that the service manager
-        itself received via the <varname>$CREDENTIALS_DIRECTORY</varname> environment variable, which may be
-        used to propagate credentials from an invoking environment (e.g. a container manager that invoked the
-        service manager) into a service. The contents of the file/socket may be arbitrary binary or textual
-        data, including newline characters and NUL bytes. This option may be used multiple times, each time
-        defining an additional credential to pass to the unit.</para>
+        <constant>AF_UNIX</constant> stream socket in the file system a connection is made to it (only once
+        at unit start-up) and the credential data read from the connection, providing an easy IPC integration
+        point for dynamically providing credentials from other services. If the specified path is not
+        absolute and itself qualifies as valid credential identifier it is understood to refer to a
+        credential that the service manager itself received via the <varname>$CREDENTIALS_DIRECTORY</varname>
+        environment variable, which may be used to propagate credentials from an invoking environment (e.g. a
+        container manager that invoked the service manager) into a service. The contents of the file/socket
+        may be arbitrary binary or textual data, including newline characters and <constant>NUL</constant>
+        bytes. This option may be used multiple times, each time defining an additional credential to pass to
+        the unit.</para>
 
         <para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
         be directly accessible to the unit's processes: the credential data is read and copied into separate,
@@ -2728,7 +2729,22 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
         e.g. <literal>ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred</literal>.</para>
 
         <para>Currently, an accumulated credential size limit of 1M bytes per unit is
-        enforced.</para></listitem>
+        enforced.</para>
+
+        <para>If referencing an <constant>AF_UNIX</constant> stream socket to connect to, the connection will
+        originate from an abstract namespace socket, that includes information about the unit and the
+        credential ID in its socket name. Use <citerefentry
+        project='man-pages'><refentrytitle>getpeername</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+        to query this information. The returned socket name is formatted as <constant>NUL</constant>
+        <replaceable>RANDOM</replaceable> <literal>/unit/</literal> <replaceable>UNIT</replaceable>
+        <literal>/</literal> <replaceable>ID</replaceable>, i.e. a <constant>NUL</constant> byte (as required
+        for abstract namespace socket names), followed by a random string (consisting of alphadecimal
+        characters), followed by the literal string <literal>/unit/</literal>, followed by the requesting
+        unit name, followed by the literal character <literal>/</literal>, followed by the textual credential
+        ID requested. Example: <literal>\0adf9d86b6eda275e/unit/foobar.service/credx</literal> in case the
+        credential <literal>credx</literal> is requested for a unit <literal>foobar.service</literal>. This
+        functionality is useful for using a single listening socket to serve credentials to multiple
+        consumers.</para></listitem>
       </varlistentry>
 
       <varlistentry>
diff --git a/src/basic/fileio.c b/src/basic/fileio.c
@@ -602,7 +602,13 @@ int read_full_stream_full(
         return r;
 }
 
-int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size) {
+int read_full_file_full(
+                int dir_fd,
+                const char *filename,
+                ReadFullFileFlags flags,
+                const char *bind_name,
+                char **contents, size_t *size) {
+
         _cleanup_fclose_ FILE *f = NULL;
         int r;
 
@@ -645,6 +651,20 @@ int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flag
                 if (sk < 0)
                         return -errno;
 
+                if (bind_name) {
+                        /* If the caller specified a socket name to bind to, do so before connecting. This is
+                         * useful to communicate some minor, short meta-information token from the client to
+                         * the server. */
+                        union sockaddr_union bsa;
+
+                        r = sockaddr_un_set_path(&bsa.un, bind_name);
+                        if (r < 0)
+                                return r;
+
+                        if (bind(sk, &bsa.sa, r) < 0)
+                                return r;
+                }
+
                 if (connect(sk, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0)
                         return errno == ENOTSOCK ? -ENXIO : -errno; /* propagate original error if this is
                                                                      * not a socket after all */
diff --git a/src/basic/fileio.h b/src/basic/fileio.h
@@ -60,9 +60,9 @@ static inline int write_string_file(const char *fn, const char *line, WriteStrin
 int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4);
 
 int read_one_line_file(const char *filename, char **line);
-int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size);
+int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, const char *bind_name, char **contents, size_t *size);
 static inline int read_full_file(const char *filename, char **contents, size_t *size) {
-        return read_full_file_full(AT_FDCWD, filename, 0, contents, size);
+        return read_full_file_full(AT_FDCWD, filename, 0, NULL, contents, size);
 }
 int read_full_virtual_file(const char *filename, char **ret_contents, size_t *ret_size);
 int read_full_stream_full(FILE *f, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size);
diff --git a/src/core/execute.c b/src/core/execute.c
@@ -73,6 +73,7 @@
 #include "parse-util.h"
 #include "path-util.h"
 #include "process-util.h"
+#include "random-util.h"
 #include "rlimit-util.h"
 #include "rm-rf.h"
 #if HAVE_SECCOMP
@@ -2509,6 +2510,7 @@ static int write_credential(
 static int acquire_credentials(
                 const ExecContext *context,
                 const ExecParameters *params,
+                const char *unit,
                 const char *p,
                 uid_t uid,
                 bool ownership_ok) {
@@ -2546,14 +2548,20 @@ static int acquire_credentials(
         STRV_FOREACH_PAIR(id, fn, context->load_credentials) {
                 ReadFullFileFlags flags = READ_FULL_FILE_SECURE;
                 _cleanup_(erase_and_freep) char *data = NULL;
-                _cleanup_free_ char *j = NULL;
+                _cleanup_free_ char *j = NULL, *bindname = NULL;
                 const char *source;
                 size_t size, add;
 
                 if (path_is_absolute(*fn)) {
                         /* If this is an absolute path, read the data directly from it, and support AF_UNIX sockets */
                         source = *fn;
                         flags |= READ_FULL_FILE_CONNECT_SOCKET;
+
+                        /* Pass some minimal info about the unit and the credential name we are looking to acquire
+                         * via the source socket address in case we read off an AF_UNIX socket. */
+                        if (asprintf(&bindname, "@%" PRIx64"/unit/%s/%s", random_u64(), unit, *id) < 0)
+                                return -ENOMEM;
+
                 } else if (params->received_credentials) {
                         /* If this is a relative path, take it relative to the credentials we received
                          * ourselves. We don't support the AF_UNIX stuff in this mode, since we are operating
@@ -2566,8 +2574,9 @@ static int acquire_credentials(
                 } else
                         source = NULL;
 
+
                 if (source)
-                        r = read_full_file_full(AT_FDCWD, source, flags, &data, &size);
+                        r = read_full_file_full(AT_FDCWD, source, flags, bindname, &data, &size);
                 else
                         r = -ENOENT;
                 if (r == -ENOENT &&
@@ -2613,6 +2622,7 @@ static int acquire_credentials(
 static int setup_credentials_internal(
                 const ExecContext *context,
                 const ExecParameters *params,
+                const char *unit,
                 const char *final,        /* This is where the credential store shall eventually end up at */
                 const char *workspace,    /* This is where we can prepare it before moving it to the final place */
                 bool reuse_workspace,     /* Whether to reuse any existing workspace mount if it already is a mount */
@@ -2724,7 +2734,7 @@ static int setup_credentials_internal(
         assert(!must_mount || workspace_mounted > 0);
         where = workspace_mounted ? workspace : final;
 
-        r = acquire_credentials(context, params, where, uid, workspace_mounted);
+        r = acquire_credentials(context, params, unit, where, uid, workspace_mounted);
         if (r < 0)
                 return r;
 
@@ -2824,6 +2834,7 @@ static int setup_credentials(
                 r = setup_credentials_internal(
                                 context,
                                 params,
+                                unit,
                                 p,       /* final mount point */
                                 u,       /* temporary workspace to overmount */
                                 true,    /* reuse the workspace if it is already a mount */
@@ -2861,6 +2872,7 @@ static int setup_credentials(
                 r = setup_credentials_internal(
                                 context,
                                 params,
+                                unit,
                                 p,           /* final mount point */
                                 "/dev/shm",  /* temporary workspace to overmount */
                                 false,       /* do not reuse /dev/shm if it is already a mount, under no circumstances */
diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c
@@ -896,7 +896,7 @@ static int parse_argv(int argc, char *argv[]) {
                         if (arg_key_pem)
                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                        "Key file specified twice");
-                        r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_key_pem, NULL);
+                        r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, NULL, &arg_key_pem, NULL);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to read key file: %m");
                         assert(arg_key_pem);
@@ -906,7 +906,7 @@ static int parse_argv(int argc, char *argv[]) {
                         if (arg_cert_pem)
                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                        "Certificate file specified twice");
-                        r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_cert_pem, NULL);
+                        r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, NULL, &arg_cert_pem, NULL);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to read certificate file: %m");
                         assert(arg_cert_pem);
@@ -917,7 +917,7 @@ static int parse_argv(int argc, char *argv[]) {
                         if (arg_trust_pem)
                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                                        "CA certificate file specified twice");
-                        r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, &arg_trust_pem, NULL);
+                        r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, NULL, &arg_trust_pem, NULL);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to read CA certificate file: %m");
                         assert(arg_trust_pem);
diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c
@@ -1077,20 +1077,20 @@ static int parse_argv(int argc, char *argv[]) {
 static int load_certificates(char **key, char **cert, char **trust) {
         int r;
 
-        r = read_full_file_full(AT_FDCWD, arg_key ?: PRIV_KEY_FILE, READ_FULL_FILE_CONNECT_SOCKET, key, NULL);
+        r = read_full_file_full(AT_FDCWD, arg_key ?: PRIV_KEY_FILE, READ_FULL_FILE_CONNECT_SOCKET, NULL, key, NULL);
         if (r < 0)
                 return log_error_errno(r, "Failed to read key from file '%s': %m",
                                        arg_key ?: PRIV_KEY_FILE);
 
-        r = read_full_file_full(AT_FDCWD, arg_cert ?: CERT_FILE, READ_FULL_FILE_CONNECT_SOCKET, cert, NULL);
+        r = read_full_file_full(AT_FDCWD, arg_cert ?: CERT_FILE, READ_FULL_FILE_CONNECT_SOCKET, NULL, cert, NULL);
         if (r < 0)
                 return log_error_errno(r, "Failed to read certificate from file '%s': %m",
                                        arg_cert ?: CERT_FILE);
 
         if (arg_trust_all)
                 log_info("Certificate checking disabled.");
         else {
-                r = read_full_file_full(AT_FDCWD, arg_trust ?: TRUST_FILE, READ_FULL_FILE_CONNECT_SOCKET, trust, NULL);
+                r = read_full_file_full(AT_FDCWD, arg_trust ?: TRUST_FILE, READ_FULL_FILE_CONNECT_SOCKET, NULL, trust, NULL);
                 if (r < 0)
                         return log_error_errno(r, "Failed to read CA certificate file '%s': %m",
                                                arg_trust ?: TRUST_FILE);
diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
@@ -989,7 +989,7 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
         r = read_full_file_full(
                         AT_FDCWD, sa->key_file,
                         READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
-                        (char **) &key, &key_len);
+                        NULL, (char **) &key, &key_len);
         if (r < 0)
                 return log_netdev_error_errno(netdev, r,
                                               "Failed to read key from '%s', ignoring: %m",
diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
@@ -871,7 +871,7 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_
         r = read_full_file_full(
                         AT_FDCWD, filename,
                         READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
-                        &key, &key_len);
+                        NULL, &key, &key_len);
         if (r < 0)
                 return r;
 
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
@@ -1589,7 +1589,7 @@ static int parse_argv(int argc, char *argv[]) {
                                         return log_oom();
                         }
 
-                        r = read_full_file_full(AT_FDCWD, j ?: p, flags, &data, &size);
+                        r = read_full_file_full(AT_FDCWD, j ?: p, flags, NULL, &data, &size);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to read credential '%s': %m", j ?: p);
 
diff --git a/src/partition/repart.c b/src/partition/repart.c
@@ -3630,7 +3630,7 @@ static int parse_argv(int argc, char *argv[]) {
                         _cleanup_(erase_and_freep) char *k = NULL;
                         size_t n = 0;
 
-                        r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_SECURE|READ_FULL_FILE_CONNECT_SOCKET, &k, &n);
+                        r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_SECURE|READ_FULL_FILE_CONNECT_SOCKET, NULL, &k, &n);
                         if (r < 0)
                                 return log_error_errno(r, "Failed to read key file '%s': %m", optarg);
 
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
@@ -2115,7 +2115,7 @@ int verity_settings_load(
 
         if (verity->root_hash && !verity->root_hash_sig) {
                 if (root_hash_sig_path) {
-                        r = read_full_file_full(AT_FDCWD, root_hash_sig_path, 0, (char**) &root_hash_sig, &root_hash_sig_size);
+                        r = read_full_file_full(AT_FDCWD, root_hash_sig_path, 0, NULL, (char**) &root_hash_sig, &root_hash_sig_size);
                         if (r < 0 && r != -ENOENT)
                                 return r;
 
@@ -2131,7 +2131,7 @@ int verity_settings_load(
                                 if (!p)
                                         return -ENOMEM;
 
-                                r = read_full_file_full(AT_FDCWD, p, 0, (char**) &root_hash_sig, &root_hash_sig_size);
+                                r = read_full_file_full(AT_FDCWD, p, 0, NULL, (char**) &root_hash_sig, &root_hash_sig_size);
                                 if (r < 0 && r != -ENOENT)
                                         return r;
                                 if (r >= 0)
@@ -2145,7 +2145,7 @@ int verity_settings_load(
                                 if (!p)
                                         return -ENOMEM;
 
-                                r = read_full_file_full(AT_FDCWD, p, 0, (char**) &root_hash_sig, &root_hash_sig_size);
+                                r = read_full_file_full(AT_FDCWD, p, 0, NULL, (char**) &root_hash_sig, &root_hash_sig_size);
                                 if (r < 0 && r != -ENOENT)
                                         return r;
                                 if (r >= 0)
diff --git a/src/shared/json.c b/src/shared/json.c
@@ -3195,7 +3195,7 @@ int json_parse_file_at(FILE *f, int dir_fd, const char *path, JsonParseFlags fla
         if (f)
                 r = read_full_stream(f, &text, NULL);
         else if (path)
-                r = read_full_file_full(dir_fd, path, 0, &text, NULL);
+                r = read_full_file_full(dir_fd, path, 0, NULL, &text, NULL);
         else
                 return -EINVAL;
         if (r < 0)
diff --git a/src/test/test-fileio.c b/src/test/test-fileio.c
diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c

Original file line number	Diff line number	Diff line change
`@@ -1589,7 +1589,7 @@ static int parse_argv(int argc, char *argv[]) {`
`1589`	`1589`	`return log_oom();`
`1590`	`1590`	`}`
`1591`	`1591`
`1592`		`- r = read_full_file_full(AT_FDCWD, j ?: p, flags, &data, &size);`
	`1592`	`+ r = read_full_file_full(AT_FDCWD, j ?: p, flags, NULL, &data, &size);`
`1593`	`1593`	`if (r < 0)`
`1594`	`1594`	`return log_error_errno(r, "Failed to read credential '%s': %m", j ?: p);`
`1595`	`1595`