From c53a28cea19b993b4eb138da872c544e507bdfdc Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Sat, 17 Aug 2024 02:01:51 +0900
Subject: [PATCH] network: refuse files under API VFS specified in PrivateKeyFile= and friends
Addresses https://github.com/systemd/systemd/pull/34013#discussion_r1719890231.
---
 src/network/netdev/macsec.c | 2 +-
 src/network/netdev/wireguard.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index 4b9f19cc95c..187da413441 100644
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -777,7 +777,7 @@ int config_parse_macsec_key_file(
 if (!path)
 return log_oom();
- if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
+ if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE|PATH_CHECK_NON_API_VFS, unit, filename, line, lvalue) < 0)
 return 0;
 free_and_replace(*dest, path);
diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index ba013e3ba54..f4b7045151a 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -574,7 +574,7 @@ int config_parse_wireguard_private_key_file(
 if (!path)
 return log_oom();
- if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
+ if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE|PATH_CHECK_NON_API_VFS, unit, filename, line, lvalue) < 0)
 return 0;
 return free_and_replace(w->private_key_file, path);
@@ -652,7 +652,7 @@ int config_parse_wireguard_peer_key_file(
 if (!path)
 return log_oom();
- if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
+ if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE|PATH_CHECK_NON_API_VFS, unit, filename, line, lvalue) < 0)
 return 0;
 free_and_replace(*key_file, path);
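Review bot: The `PATH_CHECK_NON_API_VFS` flag added in `config_parse_macsec_key_file()` is evaluated on the configured string at parse time, so as far as this hunk shows it constrains how the path is spelled rather than which file is eventually opened. If the helper only compares path prefixes (its body is not part of this diff), a path outside the API VFS that resolves into it through a symlink or bind mount would still be accepted; the code that later reads the key file is where the restriction could be enforced on the opened descriptor, for example by checking its filesystem type. The same consideration applies to both `wireguard.c` hunks. A one-line comment above the check would record the intent, e.g. `/* Refuse key files on API VFS such as /proc or /sys. */`. The function body starts and ends outside the hunk.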
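Review bot: The new restriction on `PrivateKeyFile=` in `config_parse_wireguard_private_key_file()` is a user-visible behaviour change that this commit does not document; the diffstat lists only the two `.c` files. A configuration that previously pointed one of these settings below the API VFS now takes the `return 0;` branch, so the assignment is skipped and the line is presumably ignored with a warning. The man page entries for the affected key-file settings should state that such paths are refused, and a parser test with one accepted and one refused path would pin the behaviour for all three call sites. The function body starts and ends outside the hunk.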