← Back to branch summary

~ubuntu-core-dev/cryptsetup/ubuntu

« back to all changes in this revision

Viewing changes to debian/cryptdisks.functions

  • Committer: Robert Ancell
  • Date: 2015-06-26 02:19:22 UTC
  • Revision ID: robert.ancell@canonical.com-20150626021922-iyytp1v5rlnizqh5
Update branch with current changes

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/cryptdisks.functions
30
30
        # Strip comments - https://bugs.launchpad.net/bugs/185380
31
31
        opts=$(echo -n $1 | sed 's/ *#.*//')
32
32
        PARAMS=""
 
33
        LUKSPARAMS=""
33
34
        PLAINPARAMS=""
34
35
        CHECK=""
35
36
        CHECKARGS=""
139
140
                        ;;
140
141
                tmp)
141
142
                        if [ -z "$VALUE" ]; then
142
 
                                TMPFS="ext2"
 
143
                                TMPFS="ext4"
143
144
                        else
144
145
                                TMPFS="$VALUE"
145
146
                        fi
181
182
                                return 1
182
183
                        fi
183
184
                        ;;
 
185
                keyslot)
 
186
                        if [ -z "$VALUE" ]; then
 
187
                                log_warning_msg "$dst: no value for keyslot option, skipping"
 
188
                                return 1
 
189
                        fi
 
190
                        LUKSPARAMS="$LUKSPARAMS --key-slot $VALUE"
 
191
                        ;;
184
192
                esac
185
193
 
186
194
                CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
219
227
        fi
220
228
 
221
229
        # Check ownership of $key
222
 
        OWNER=$(ls -l "$key" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')
 
230
        OWNER="$(/bin/ls -l "$(readlink -f $key)" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')"
223
231
        if [ "$OWNER" != "root" ]; then
224
232
                log_warning_msg "$dst: INSECURE OWNER FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
225
233
        fi
230
238
        fi
231
239
 
232
240
        # Check owner group of $key
233
 
        GROUP=$(ls -l "$key" | sed 's/^.\{10\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')
 
241
        GROUP="$(/bin/ls -l "$(readlink -f $key)" | sed 's/^.\{12\}[+\.]\?.[^[:space:]]* \([^[:space:]]*\).*/\1/')"
234
242
        if [ "$GROUP" != "root" ]; then
235
243
                log_warning_msg "$dst: INSECURE OWNER GROUP FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
236
244
        fi
237
245
 
238
246
        # Check group and other permissions
239
 
        GMODE=$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/')
240
 
        OMODE=$(ls -l "$key" | sed 's/[[:space:]].*//;s/^.\{7\}\(.\{3\}\).*/\1/')
 
247
        GMODE="$(/bin/ls -l "$(readlink -f $key)" | sed 's/[[:space:]].*//;s/^.\{4\}\(.\{3\}\).*/\1/')"
 
248
        OMODE="$(/bin/ls -l "$(readlink -f $key)" | sed 's/[[:space:]].*//;s/^.\{7\}\(.\{3\}\).*/\1/')"
241
249
        if [ "$GMODE" != "---" ] && [ "$OMODE" != "---" ]; then
242
250
                log_warning_msg "$dst: INSECURE MODE FOR $key, see /usr/share/doc/cryptsetup/README.Debian."
243
251
        fi
285
293
        PARAMS="$PARAMS --key-file=$key"
286
294
 
287
295
        while [ "$tried" -lt "$TRIES" ] || [ "$TRIES" -eq "0" ]; do
 
296
                export CRYPTTAB_TRIED="$tried"
288
297
                if [ -n "$KEYSCRIPT" ]; then
289
 
                        if $KEYSCRIPT "$keyscriptarg" | cryptsetup $PARAMS luksOpen "$src" "${dst}_unformatted"; then
 
298
                        if $KEYSCRIPT "$keyscriptarg" | cryptsetup $PARAMS $LUKSPARAMS luksOpen "$src" "${dst}_unformatted"; then
290
299
                                break
291
300
                        fi
292
301
                else
293
 
                        if cryptsetup $PARAMS luksOpen "$src" "${dst}_unformatted"; then
 
302
                        if cryptsetup $PARAMS $LUKSPARAMS luksOpen "$src" "${dst}_unformatted"; then
294
303
                                break
295
304
                        fi
296
305
                fi
320
329
                PRECHECK="/lib/cryptsetup/checks/un_blkid"
321
330
        fi
322
331
 
323
 
        if ! pre_out=$("$PRECHECK" "$src" 2> /dev/null) && \
 
332
        if ! pre_out="$($PRECHECK "$src" 2>/dev/null)" && \
324
333
           ! /lib/cryptsetup/checks/blkid "$src" swap >/dev/null; then
325
334
                log_warning_msg "$dst: the precheck for '$src' failed: $pre_out"
326
335
                return 1
350
359
        PARAMS="$PARAMS --key-file=$key"
351
360
 
352
361
        while [ "$tried" -lt "$TRIES" ]; do
 
362
                export CRYPTTAB_TRIED="$tried"
353
363
                if [ -n "$KEYSCRIPT" ]; then
354
364
                        $KEYSCRIPT "$keyscriptarg" | cryptsetup $PLAINPARAMS $PARAMS create "${dst}_unformatted" "$src"
355
365
                else
401
411
                return 0
402
412
        fi
403
413
 
404
 
        if swap_out=$(/lib/cryptsetup/checks/un_blkid "/dev/mapper/${dst}_unformatted" 2> /dev/null) || \
405
 
           /lib/cryptsetup/checks/blkid "/dev/mapper/${dst}_unformatted" swap > /dev/null 2>&1; then
406
 
                mkswap "/dev/mapper/${dst}_unformatted" > /dev/null 2>&1
 
414
        if swap_out="$(/lib/cryptsetup/checks/un_blkid "/dev/mapper/${dst}_unformatted" 2>/dev/null)" || \
 
415
           /lib/cryptsetup/checks/blkid "/dev/mapper/${dst}_unformatted" swap >/dev/null 2>&1; then
 
416
                mkswap "/dev/mapper/${dst}_unformatted" >/dev/null 2>&1
407
417
        else
408
418
                log_warning_msg "$dst: the check for '/dev/mapper/$dst' failed. /dev/mapper/$dst contains data: $swap_out"
409
419
                do_close
419
429
                return 0
420
430
        fi
421
431
 
422
 
        mkfs -t $TMPFS -q "/dev/mapper/${dst}_unformatted" > /dev/null 2>&1 || return 1
 
432
        mkfs -t $TMPFS -q "/dev/mapper/${dst}_unformatted" >/dev/null 2>&1 || return 1
423
433
        mkdir -p "/var/run/cryptsetup/$dst"
424
434
        mount -t $TMPFS "/dev/mapper/${dst}_unformatted" "/var/run/cryptsetup/$dst" || return 1
425
435
        chmod 1777 "/var/run/cryptsetup/$dst"
430
440
# Rename the device from its temp name to its final name, which will
431
441
# trigger mountall
432
442
finalize_device () {
433
 
        udevadm settle
434
 
        dmsetup rename "${dst}_unformatted" "$dst"
 
443
        if command -v udevadm >/dev/null 2>&1; then
 
444
                udevadm settle
 
445
        fi
 
446
        dmsetup rename "${dst}_unformatted" "$dst"
435
447
}
436
448
 
437
449
# Removes a mapping
459
471
        local module optmodule
460
472
        module="$1"
461
473
 
462
 
        optmodule=$(find "/lib/modules/$(uname -r)/kernel/arch" -name "${module}*.ko" 2> /dev/null)
 
474
        optmodule=$(find "/lib/modules/$(uname -r)/kernel/arch" -name "${module}*.ko" 2>/dev/null)
463
475
        if [ -n "$optmodule" ] && [ "$(echo -n "$optmodule" | wc -l)" -eq 1 ]; then
464
476
                modprobe "$optmodule" 2>/dev/null && return 0
465
477
        fi
561
573
                return 0
562
574
        fi
563
575
 
564
 
        opencount=$(dmsetup info -c --noheadings -o open "$dst" 2> /dev/null || true)
 
576
        opencount=$(dmsetup info -c --noheadings -o open "$dst" 2>/dev/null || true)
565
577
        if [ -z "$opencount" ]; then
566
578
                device_msg "$dst" "error"
567
579
                return 1
573
585
                return 0
574
586
        fi
575
587
 
576
 
        #major=$(dmsetup info -c --noheadings -o major "$dst" 2> /dev/null || true)
577
 
        #minor=$(dmsetup info -c --noheadings -o minor "$dst" 2> /dev/null || true)
578
 
        src_major=$(dmsetup deps "$dst" 2> /dev/null | sed -e 's/^.*(\([0-9]*\), [0-9]*)$/\1/g' || true)
579
 
        src_minor=$(dmsetup deps "$dst" 2> /dev/null | sed -e 's/^.*([0-9]*, \([0-9]*\))$/\1/g' || true)
 
588
        #major=$(dmsetup info -c --noheadings -o major "$dst" 2>/dev/null || true)
 
589
        #minor=$(dmsetup info -c --noheadings -o minor "$dst" 2>/dev/null || true)
 
590
        src_major="$(dmsetup deps "$dst" 2>/dev/null | sed -e 's/^.*(\([0-9]*\), [0-9]*)$/\1/g' || true)"
 
591
        src_minor="$(dmsetup deps "$dst" 2>/dev/null | sed -e 's/^.*([0-9]*, \([0-9]*\))$/\1/g' || true)"
580
592
 
581
593
        if [ -z "$src_major" ] || [ -z "$src_minor" ]; then
582
594
                device_msg "$dst" "error"
591
603
}
592
604
 
593
605
crypttab_start_one_disk () {
594
 
    local dst src key opts result
595
 
    local ret=0
 
606
        local dst src key opts result
 
607
        local ret=0
596
608
 
597
 
    egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
598
 
        if [ "xUUID=$ID_FS_UUID" = "x$src" ]; then
599
 
                src="/dev/disk/by-uuid/${src#UUID=}"
600
 
        elif [ "xLABEL=$ID_FS_LABEL_ENC" = "x$src" ]; then
601
 
                src="/dev/disk/by-label/${src#LABEL=}"
602
 
        elif [ "x$1" != "x$src" ]; then
603
 
            found=
604
 
            for link in $DEVLINKS; do
605
 
                if [ "x$link" = "x$src" ]; then
606
 
                    found=1
607
 
                    break
 
609
        egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
 
610
                if [ "xUUID=$ID_FS_UUID" = "x$src" ]; then
 
611
                        src="/dev/disk/by-uuid/${src#UUID=}"
 
612
                elif [ "xLABEL=$ID_FS_LABEL_ENC" = "x$src" ]; then
 
613
                        src="/dev/disk/by-label/${src#LABEL=}"
 
614
                elif [ "x$1" != "x$src" ]; then
 
615
                        found=
 
616
                        for link in $DEVLINKS; do
 
617
                                if [ "x$link" = "x$src" ]; then
 
618
                                        found=1
 
619
                                        break
 
620
                                fi
 
621
                        done
 
622
                        if [ -z "$found" ]; then
 
623
                                continue
 
624
                        fi
608
625
                fi
609
 
            done
610
 
            if [ -z "$found" ]; then
611
 
                continue
612
 
            fi
613
 
        fi
614
 
        modprobe -qb dm-mod || true
615
 
        modprobe -qb dm-crypt || true
616
 
        dmsetup mknodes > /dev/null 2>&1 || true
617
 
        # FIXME: no locking
618
 
        mount_fs
619
 
        handle_crypttab_line_start "$dst" "$src" "$key" "$opts" || ret=$?
620
 
        umount_fs
621
 
    done
622
 
    return $ret
 
626
                modprobe -qb dm-mod || true
 
627
                modprobe -qb dm-crypt || true
 
628
                dmsetup mknodes > /dev/null 2>&1 || true
 
629
                # FIXME: no locking
 
630
                mount_fs
 
631
                handle_crypttab_line_start "$dst" "$src" "$key" "$opts" || ret=$?
 
632
                umount_fs
 
633
        done
 
634
        return $ret
623
635
}
624
636
 
625
637
do_start () {
627
639
 
628
640
        modprobe -qb dm-mod || true
629
641
        modprobe -qb dm-crypt || true
630
 
        dmsetup mknodes > /dev/null 2>&1 || true
 
642
        dmsetup mknodes >/dev/null 2>&1 || true
631
643
        if [ "$INITSTATE" != "init" ]; then
632
 
                log_action_begin_msg "Starting $INITSTATE crypto disks"
 
644
                log_action_begin_msg "Starting $INITSTATE crypto disks"
633
645
        fi
634
646
        mount_fs
635
647
 
636
648
        egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
637
 
                dev_match="$src"
638
 
                if [ "${dev_match#UUID=}" != "$dev_match" ]; then
639
 
                        dev_match="$(readlink -f /dev/disk/by-uuid/${dev_match#UUID=})"
 
649
                dev_match="$src"
 
650
                if [ "${dev_match#UUID=}" != "$dev_match" ]; then
 
651
                        dev_match="$(readlink -f /dev/disk/by-uuid/${dev_match#UUID=})"
640
652
                elif [ "${dev_match#LABEL=}" != "$dev_match" ]; then
641
 
                        dev_match="$(readlink -f /dev/disk/by-label/${dev_match#LABEL=})"
642
 
                fi
643
 
                # if there's already a udev-triggered job running for this
644
 
                # device, wait for it to finish, then re-process to confirm
645
 
                # that it's started successfully.  In the general case this
646
 
                # will just be a no-op, but we don't want to defer to the
647
 
                # other job entirely because this is the fallback for fixing
648
 
                # up any ordering-dependent decrypting.
649
 
                while status cryptdisks-udev DEVNAME="$dev_match" 2>&1 | grep -q 'start'
650
 
                do
651
 
                    sleep 1
652
 
                done
 
653
                        dev_match="$(readlink -f /dev/disk/by-label/${dev_match#LABEL=})"
 
654
                fi
 
655
                # if there's already a udev-triggered job running for this
 
656
                # device, wait for it to finish, then re-process to confirm
 
657
                # that it's started successfully.  In the general case this
 
658
                # will just be a no-op, but we don't want to defer to the
 
659
                # other job entirely because this is the fallback for fixing
 
660
                # up any ordering-dependent decrypting.
 
661
                while status cryptdisks-udev DEVNAME="$dev_match" 2>&1 | grep -q 'start'
 
662
                do
 
663
                        sleep 1
 
664
                done
653
665
                handle_crypttab_line_start "$dst" "$src" "$key" "$opts" <&3 || log_action_end_msg $?
654
666
        done 3<&1
655
667
        umount_fs