From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 23 Mar 2023 12:58:34 +0000 (+0100)
Subject: core: move encrypted credential check to execute.c
X-Git-Tag: v254-rc1~946^2~1
X-Git-Url: http://git-history.diyao.me/?a=commitdiff_plain;h=50a4217bbe4ed0fea1b71d8f1bc738d8676a86c3;p=systemd%2F.git

core: move encrypted credential check to execute.c

This is an operation on an ExecContext, hence it probably should be
placed there.
---

diff --git a/src/core/execute.c b/src/core/execute.c
index 8609a0ba31..f8ac4705e7 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -6782,6 +6782,23 @@ int exec_context_get_clean_mask(ExecContext *c, ExecCleanMask *ret) {
         return 0;
 }
 
+bool exec_context_has_encrypted_credentials(ExecContext *c) {
+        ExecLoadCredential *load_cred;
+        ExecSetCredential *set_cred;
+
+        assert(c);
+
+        HASHMAP_FOREACH(load_cred, c->load_credentials)
+                if (load_cred->encrypted)
+                        return true;
+
+        HASHMAP_FOREACH(set_cred, c->set_credentials)
+                if (set_cred->encrypted)
+                        return true;
+
+        return false;
+}
+
 void exec_status_start(ExecStatus *s, pid_t pid) {
         assert(s);
 
diff --git a/src/core/execute.h b/src/core/execute.h
index 1d264782fc..ff537b77cb 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -466,6 +466,7 @@ const char* exec_context_fdname(const ExecContext *c, int fd_index);
 
 bool exec_context_may_touch_console(const ExecContext *c);
 bool exec_context_maintains_privileges(const ExecContext *c);
+bool exec_context_has_encrypted_credentials(ExecContext *c);
 
 int exec_context_get_effective_ioprio(const ExecContext *c);
 bool exec_context_get_effective_mount_apivfs(const ExecContext *c);
diff --git a/src/core/unit.c b/src/core/unit.c
index ecf3b2b7fc..70f270e874 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4216,17 +4216,7 @@ int unit_patch_contexts(Unit *u) {
                         }
 
                         /* If there are encrypted credentials we might need to access the TPM. */
-                        bool allow_tpm = false;
-                        ExecLoadCredential *load_cred;
-                        ExecSetCredential *set_cred;
-                        HASHMAP_FOREACH(load_cred, ec->load_credentials)
-                                if ((allow_tpm |= load_cred->encrypted))
-                                        break;
-                        HASHMAP_FOREACH(set_cred, ec->set_credentials)
-                                if ((allow_tpm |= set_cred->encrypted))
-                                        break;
-
-                        if (allow_tpm) {
+                        if (exec_context_has_encrypted_credentials(ec)) {
                                 r = cgroup_add_device_allow(cc, "/dev/tpmrm0", "rw");
                                 if (r < 0)
                                         return r;