tmpfiles: automatically create /etc/credstore/ and friends

This adds a tmpfiles.d/ snippet for LoadCredential= style credentials
directories in /etc/ and /run/.

This is done primarily to ensure that the access modes for the dirs are
set up properly, in the most restrictive ways. Specifically these are
set to 0000, so that CAP_DAC_OVERRIDE is necessary to enumerate and read
the credentials, and being UID=0 is not sufficient to do so.

This creates /etc/credstore/, but leaves /run/credstore/ absent if
missing, for now. Thinking is: the latter being non-persistent is
created by software usually, not manually by users, and hence more
likely right. But dunno, we might want to revisit this sooner or later.

This is ultimately an exercise to advertise the LoadCredential= concept
a bit, and do so in a reasonably secure way, underlining the safety of
the concept.

Author: poettering

tmpfiles.d/credstore.conf

@@ -0,0 +1,13 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+d /etc/credstore 0000 root root
+d /etc/credstore.encrypted 0000 root root
+z /run/credstore 0000 root root
+z /run/credstore.encrypted 0000 root root

tmpfiles.d/meson.build

@@ -15,6 +15,7 @@ files = [['README',               ''],
          ['tmp.conf',             ''],
          ['x11.conf',             ''],
          ['provision.conf',       ''],
+         ['credstore.conf',       ''],
         ]
 
 foreach pair : files