From dba4fe9a60e8876addcd6a597c9e1d5f529309ca Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sun, 13 Jul 2025 04:52:36 +0900
Subject: [PATCH] quotacheck: add quotacheck.mode credential support

---
 man/systemd-quotacheck@.service.xml      | 26 ++++++++++++++++++++++++
 man/systemd.system-credentials.xml       | 13 ++++++++++++
 src/quotacheck/quotacheck.c              | 17 ++++++++++++++++
 units/systemd-quotacheck-root.service.in |  1 +
 units/systemd-quotacheck@.service.in     |  1 +
 5 files changed, 58 insertions(+)

diff --git a/man/systemd-quotacheck@.service.xml b/man/systemd-quotacheck@.service.xml
index 503df381e0..56397ff7bd 100644
--- a/man/systemd-quotacheck@.service.xml
+++ b/man/systemd-quotacheck@.service.xml
@@ -62,6 +62,32 @@
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>Credentials</title>
+
+    <para><command>systemd-quotacheck</command> supports the service credentials logic as implemented by
+    <varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
+    (see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+    details). The following credentials are used when passed in:</para>
+
+    <variablelist class='system-credentials'>
+      <varlistentry>
+        <term><varname>quotacheck.mode</varname></term>
+
+        <listitem>
+          <para>The contents of the credential is parsed as same as the kernel command line option with the
+          same name. See above for more details.</para>
+
+          <xi:include href="version-info.xml" xpointer="v258"/>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>Note that by default the <filename>systemd-quotacheck@.service</filename> and
+    <filename>systemd-quotacheck-root.service</filename> unit files are set up to inherit
+    <varname>quotacheck.mode</varname> credential from the service manager.</para>
+  </refsect1>
+
   <refsect1>
     <title>See Also</title>
     <para><simplelist type="inline">
diff --git a/man/systemd.system-credentials.xml b/man/systemd.system-credentials.xml
index 0411061ca3..fd0d12320d 100644
--- a/man/systemd.system-credentials.xml
+++ b/man/systemd.system-credentials.xml
@@ -524,6 +524,19 @@
           <xi:include href="version-info.xml" xpointer="v258"/>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><varname>quotacheck.*</varname></term>
+
+        <listitem>
+          <para>Read by <filename>systemd-quotacheck@.service</filename> and
+          <filename>systemd-quotacheck-root.service</filename>. See
+          <citerefentry><refentrytitle>systemd-quotacheck</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+          for more details.</para>
+
+          <xi:include href="version-info.xml" xpointer="v258"/>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
diff --git a/src/quotacheck/quotacheck.c b/src/quotacheck/quotacheck.c
index 49d63d77d0..f686621348 100644
--- a/src/quotacheck/quotacheck.c
+++ b/src/quotacheck/quotacheck.c
@@ -3,6 +3,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 
+#include "creds-util.h"
 #include "log.h"
 #include "main-func.h"
 #include "proc-cmdline.h"
@@ -45,6 +46,20 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
         return 0;
 }
 
+static void parse_credentials(void) {
+        _cleanup_free_ char *value = NULL;
+        int r;
+
+        r = read_credential("quotacheck.mode", (void**) &value, /* ret_size = */ NULL);
+        if (r < 0)
+                log_debug_errno(r, "Failed to read credential 'quotacheck.mode', ignoring: %m");
+        else {
+                arg_mode = quota_check_mode_from_string(value);
+                if (arg_mode < 0)
+                        log_warning_errno(arg_mode, "Invalid 'quotacheck.mode' credential, ignoring: %s", value);
+        }
+}
+
 static int run(int argc, char *argv[]) {
         int r;
 
@@ -60,6 +75,8 @@ static int run(int argc, char *argv[]) {
         if (r < 0)
                 log_warning_errno(r, "Failed to parse kernel command line, ignoring: %m");
 
+        parse_credentials();
+
         if (arg_mode == QUOTA_CHECK_SKIP)
                 return 0;
 
diff --git a/units/systemd-quotacheck-root.service.in b/units/systemd-quotacheck-root.service.in
index 4792e5bdd5..eea656c562 100644
--- a/units/systemd-quotacheck-root.service.in
+++ b/units/systemd-quotacheck-root.service.in
@@ -23,3 +23,4 @@ Type=oneshot
 RemainAfterExit=yes
 ExecStart={{LIBEXECDIR}}/systemd-quotacheck /
 TimeoutSec=infinity
+ImportCredential=quotacheck.*
diff --git a/units/systemd-quotacheck@.service.in b/units/systemd-quotacheck@.service.in
index b38450ed09..7569052d82 100644
--- a/units/systemd-quotacheck@.service.in
+++ b/units/systemd-quotacheck@.service.in
@@ -25,3 +25,4 @@ Type=oneshot
 RemainAfterExit=yes
 ExecStart={{LIBEXECDIR}}/systemd-quotacheck %f
 TimeoutSec=infinity
+ImportCredential=quotacheck.*