1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
28 #include "generator.h"
32 #include "path-util.h"
34 #include "unit-name.h"
37 typedef struct crypto_device {
/* Generator state.  Filled in from the kernel command line by
 * parse_proc_cmdline_item() (and, for arg_dest, presumably from argv in
 * main(), which insists on exactly three or no arguments) and consumed by
 * create_disk() and the add_*_devices() helpers below. */
45 static const char *arg_dest = "/tmp";           /* directory the unit files and symlinks are written to */
46 static bool arg_enabled = true;                  /* luks= / rd.luks= switch; not referenced in the visible lines */
47 static bool arg_read_crypttab = true;            /* luks.crypttab= switch; gates add_crypttab_devices() */
48 static bool arg_whitelist = false;               /* set once a luks.uuid= or luks.name= names a device: crypttab
                                                     * entries without a matching arg_disks entry are then skipped */
49 static Hashmap *arg_disks = NULL;                /* crypto_device entries keyed by the entry's own uuid string */
50 static char *arg_default_options = NULL;         /* luks.options= without a UUID prefix; freed in main() */
51 static char *arg_default_keyfile = NULL;         /* luks.key= without a UUID prefix; freed in main() */
/* Returns true when `needle` occurs in the comma-separated option list
 * `haystack` as a whole element: preceded by the start of the string or a
 * ',' and followed by the end of the string or a ','.  A partial match
 * such as "tmp" inside "tmp=foo" or "notmp" is rejected.
 *
 * Presumably `l` is strlen(needle), declared in the elided lines.  The
 * callers in create_disk() pass an `options` string that can be NULL
 * (crypttab lines with fewer than four fields); confirm that the elided
 * prologue handles a NULL haystack before strstr() is reached. */
53 static bool has_option(const char *haystack, const char *needle) {
54 const char *f = haystack;
64 while ((f = strstr(f, needle))) {
/* Hit in the middle of a longer element (no ',' right before it). */
66 if (f > haystack && f[-1] != ',') {
/* Element continues past the needle (e.g. "tmp=..." or "tmpfoo"). */
71 if (f[l] != 0 && f[l] != ',') {
/* Writes the generated systemd-cryptsetup unit for one encrypted volume
 * into arg_dest and links it into the targets and device units that
 * should pull it in.
 *
 * Only the tail of the parameter list is visible here.  From the call
 * sites in add_crypttab_devices() and add_proc_cmdline_devices() the
 * arguments are (name, device, password, options): `password` is the
 * crypttab key-file field and `options` the comma-separated option
 * string; both may be NULL.
 *
 * Presumably returns 0 on success; the visible failure paths return a
 * negative errno through log_error_errno() when the unit file, one of
 * the symlinks or the device drop-in cannot be written.
 *
 * NOTE(review): name, device, password and the filtered options are
 * interpolated verbatim into a unit file that itself relies on
 * specifier expansion ("%I" in Description=, "%i" in BindsTo=) and into
 * single-quoted ExecStart=/ExecStop=/ExecStartPost= arguments.  A '%' or
 * '\'' in any of these values would be interpreted by the unit parser
 * rather than passed through literally.  The inputs are root-controlled
 * (/etc/crypttab, kernel command line), so this is a robustness issue
 * rather than a privilege boundary, but confirm whether escaping happens
 * before this function is called. */
82 static int create_disk(
86 const char *options) {
88 _cleanup_free_ char *p = NULL, *n = NULL, *d = NULL, *u = NULL, *to = NULL, *e = NULL,
90 _cleanup_fclose_ FILE *f = NULL;
/* Per-entry flags derived from the option list (see crypttab(5)). */
91 bool noauto, nofail, tmp, swap;
98 noauto = has_option(options, "noauto");
99 nofail = has_option(options, "nofail");
100 tmp = has_option(options, "tmp");
101 swap = has_option(options, "swap");
/* tmp and swap both format the volume after attaching it (mke2fs /
 * mkswap below), so they are mutually exclusive. */
104 log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
/* e: escaped volume name, reused below for the dev-mapper device unit
 * name; n: the unit file name built from it (presumably an instance of
 * systemd-cryptsetup@.service). */
108 e = unit_name_escape(name);
112 n = unit_name_build("systemd-cryptsetup", e, ".service");
/* p: full path of the unit file inside the generator output directory. */
116 p = strjoin(arg_dest, "/", n, NULL);
/* u: backing block device resolved from the fstab-style node (UUID=...
 * and friends); d: the .device unit representing it, used for the wants
 * symlink further down. */
120 u = fstab_node_to_udev_node(device);
124 d = unit_name_from_path(u, ".device");
130 return log_error_errno(errno, "Failed to create unit file %s: %m", p);
133 "# Automatically generated by systemd-cryptsetup-generator\n\n"
135 "Description=Cryptography Setup for %I\n"
136 "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
137 "SourcePath=/etc/crypttab\n"
138 "DefaultDependencies=no\n"
139 "Conflicts=umount.target\n"
140 "BindsTo=dev-mapper-%i.device\n"
141 "IgnoreOnIsolate=true\n"
142 "After=cryptsetup-pre.target\n",
147 "Before=cryptsetup.target\n");
/* Key material read from a kernel random device: order after the random
 * seed service (presumably so the pool has been seeded first). */
150 if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
151 fputs("After=systemd-random-seed.service\n", f);
/* "-" and "none" stand for "no key file"; anything else is a path that
 * must be reachable before this unit starts. */
152 else if (!streq(password, "-") && !streq(password, "none")) {
153 _cleanup_free_ char *uu;
155 uu = fstab_node_to_udev_node(password);
/* A /dev/null key file needs no dependency at all. */
159 if (!path_equal(uu, "/dev/null")) {
/* Key file on a block device: wait for and require its .device unit.
 * Key file on a file system: require the mount point instead. */
161 if (is_device_path(uu)) {
162 _cleanup_free_ char *dd;
164 dd = unit_name_from_path(uu, ".device");
168 fprintf(f, "After=%1$s\nRequires=%1$s\n", dd);
170 fprintf(f, "RequiresMountsFor=%s\n", password);
/* Same device-vs-mount distinction for the encrypted volume's backing
 * device itself. */
175 if (is_device_path(u))
179 "Before=umount.target\n",
183 "RequiresMountsFor=%s\n",
/* Presumably splits the timeout-related options off into their own
 * drop-in; `filtered` is what remains and is handed to the binary. */
186 r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
193 "RemainAfterExit=yes\n"
194 "TimeoutSec=0\n" /* the binary handles timeouts anyway */
195 "ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
196 "ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
/* strempty() maps a NULL password/options to "" so that the quoted
 * argument positions stay stable. */
197 name, u, strempty(password), strempty(filtered),
/* tmp= / swap= (presumably gated on the flags above): the freshly
 * attached volume is formatted on every start. */
202 "ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
207 "ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
212 return log_error_errno(errno, "Failed to write file %s: %m", p);
/* Every symlink below points back at the unit file relative to its own
 * directory; strappenda() allocates on the stack. */
214 from = strappenda("../", n);
/* Pull the unit in from the backing device's .device unit. */
218 to = strjoin(arg_dest, "/", d, ".wants/", n, NULL);
/* The return value of mkdir_parents_label() is not checked; a failure
 * surfaces as the symlink() error on the next line.  Same below. */
222 mkdir_parents_label(to, 0755);
223 if (symlink(from, to) < 0)
224 return log_error_errno(errno, "Failed to create symlink %s: %m", to);
/* cryptsetup.target: .requires or .wants, selected by an elided
 * condition (presumably nofail). */
228 to = strjoin(arg_dest, "/cryptsetup.target.requires/", n, NULL);
230 to = strjoin(arg_dest, "/cryptsetup.target.wants/", n, NULL);
234 mkdir_parents_label(to, 0755);
235 if (symlink(from, to) < 0)
236 return log_error_errno(errno, "Failed to create symlink %s: %m", to);
/* The resulting dev-mapper device unit requires the setup service. */
240 to = strjoin(arg_dest, "/dev-mapper-", e, ".device.requires/", n, NULL);
244 mkdir_parents_label(to, 0755);
245 if (symlink(from, to) < 0)
246 return log_error_errno(errno, "Failed to create symlink %s: %m", to);
/* For devices that are neither noauto nor nofail, disable the job
 * timeout on the dev-mapper device unit via a drop-in (presumably so a
 * slow passphrase entry does not fail the boot). */
248 if (!noauto && !nofail) {
249 _cleanup_free_ char *dmname;
250 dmname = strjoin("dev-mapper-", e, ".device", NULL);
254 r = write_drop_in(arg_dest, dmname, 90, "device-timeout",
255 "# Automatically generated by systemd-cryptsetup-generator \n\n"
256 "[Unit]\nJobTimeoutSec=0");
258 return log_error_errno(r, "Failed to write device drop-in: %m");
/* Drains arg_disks, releasing each crypto_device (the per-entry free is
 * in the elided lines), then frees the map itself. */
264 static void free_arg_disks(void) {
/* hashmap_steal_first() unlinks the entry without freeing it, so `d` is
 * owned by this loop body. */
267 while ((d = hashmap_steal_first(arg_disks))) {
275 hashmap_free(arg_disks);
/* Looks up the crypto_device for `uuid` in arg_disks, creating and
 * inserting a zeroed entry on first use.  The hashmap key is the entry's
 * own strdup()'d uuid, so key and entry share one lifetime.  Returns the
 * entry; the allocation-failure paths are elided (presumably NULL). */
278 static crypto_device *get_crypto_device(const char *uuid) {
284 d = hashmap_get(arg_disks, uuid);
286 d = new0(struct crypto_device, 1);
/* Redundant after new0(), which already zero-fills the struct. */
291 d->keyfile = d->options = d->name = NULL;
293 d->uuid = strdup(uuid);
299 r = hashmap_put(arg_disks, d->uuid, d);
/* Callback for parse_proc_cmdline(): handles one key[=value] pair of the
 * kernel command line.  Recognised keys (each also with an "rd."
 * prefix): luks, luks.crypttab, luks.uuid, luks.options, luks.key,
 * luks.name.  A value of the form "<uuid>=<something>" attaches the
 * setting to that device's crypto_device; a value without a UUID becomes
 * the global default (arg_default_options / arg_default_keyfile).
 * Naming a UUID via luks.uuid= or luks.name= also switches arg_whitelist
 * on, so crypttab entries not listed on the command line are skipped
 * later.  Unparseable values are logged and ignored.  The return
 * statements are elided (presumably 0 or a negative errno). */
310 static int parse_proc_cmdline_item(const char *key, const char *value) {
313 _cleanup_free_ char *uuid = NULL, *uuid_value = NULL;
315 if (STR_IN_SET(key, "luks", "rd.luks") && value) {
317 r = parse_boolean(value);
319 log_warning("Failed to parse luks switch %s. Ignoring.", value);
323 } else if (STR_IN_SET(key, "luks.crypttab", "rd.luks.crypttab") && value) {
325 r = parse_boolean(value);
327 log_warning("Failed to parse luks crypttab switch %s. Ignoring.", value);
329 arg_read_crypttab = r;
331 } else if (STR_IN_SET(key, "luks.uuid", "rd.luks.uuid") && value) {
/* Accept both "luks-<uuid>" and a bare "<uuid>" for the same device. */
333 d = get_crypto_device(startswith(value, "luks-") ? value+5 : value);
337 d->create = arg_whitelist = true;
339 } else if (STR_IN_SET(key, "luks.options", "rd.luks.options") && value) {
/* "%m" makes sscanf() allocate both fields; the "[0-9a-fA-F-]" set
 * limits the UUID part to hex digits and '-'.  On the per-device path
 * ownership of uuid_value moves into `d` (presumably the pointer is
 * cleared afterwards so the _cleanup_free_ does not free it — elided). */
341 r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
343 d = get_crypto_device(uuid);
348 d->options = uuid_value;
350 } else if (free_and_strdup(&arg_default_options, value) < 0)
353 } else if (STR_IN_SET(key, "luks.key", "rd.luks.key") && value) {
355 r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
357 d = get_crypto_device(uuid);
362 d->keyfile = uuid_value;
/* NOTE(review): the luks.options= branch above tests `< 0`, this one
 * tests any non-zero result.  If free_and_strdup() can return a positive
 * value on success (later systemd versions return 1 when the string
 * changed), a plain luks.key=<path> would take the error branch here.
 * Make the check `free_and_strdup(&arg_default_keyfile, value) < 0`
 * to match the sibling branch. */
364 } else if (free_and_strdup(&arg_default_keyfile, value))
367 } else if (STR_IN_SET(key, "luks.name", "rd.luks.name") && value) {
369 r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
371 d = get_crypto_device(uuid);
375 d->create = arg_whitelist = true;
378 d->name = uuid_value;
/* luks.name= has no default form: a value without "<uuid>=" is an error. */
381 log_warning("Failed to parse luks name switch %s. Ignoring.", value);
/* Reads /etc/crypttab line by line and calls create_disk() for each
 * entry, unless reading crypttab was disabled on the kernel command
 * line.  Command-line settings for the same UUID (arg_disks) take
 * precedence over the crypttab options field.  The final return is
 * elided (presumably 0, or a negative error when the file cannot be
 * opened or stat'ed). */
388 static int add_crypttab_devices(void) {
390 unsigned crypttab_line = 0;
391 _cleanup_fclose_ FILE *f = NULL;
393 if (!arg_read_crypttab)
/* "e" is the glibc O_CLOEXEC mode flag, so the descriptor is not
 * inherited by anything this generator might spawn. */
396 f = fopen("/etc/crypttab", "re");
399 log_error_errno(errno, "Failed to open /etc/crypttab: %m");
/* fstat() on the open descriptor rather than stat() on the path, so the
 * permission check below refers to the file actually being read. */
403 if (fstat(fileno(f), &st) < 0) {
404 log_error_errno(errno, "Failed to stat /etc/crypttab: %m");
408 /* If we re-add support for specifying passphrases
409 * directly in crypttab we should upgrade the warning
410 * below, though possibly only if a passphrase is
411 * specified directly. */
/* 0005 = S_IROTH | S_IXOTH: only a debug message, since crypttab itself
 * holds paths, not secrets. */
412 if (st.st_mode & 0005)
413 log_debug("/etc/crypttab is world-readable. This is usually not a good idea.");
/* Fixed-size line buffer: a line longer than LINE_MAX-1 bytes is
 * returned by fgets() in pieces and each piece parsed as its own entry,
 * unless the elided lines check for a missing trailing newline. */
417 char line[LINE_MAX], *l, *uuid;
418 crypto_device *d = NULL;
419 _cleanup_free_ char *name = NULL, *device = NULL, *keyfile = NULL, *options = NULL;
421 if (!fgets(line, sizeof(line), f))
/* Skip comments and blank lines (`l` is presumably the stripped line). */
427 if (*l == '#' || *l == 0)
/* "%m" allocates each field.  name and device are mandatory; keyfile and
 * options stay NULL when absent and are passed on as NULL. */
430 k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options);
431 if (k < 2 || k > 4) {
432 log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line);
/* Derive the UUID this entry refers to — from "UUID=", from a
 * /dev/disk/by-uuid/ path, or from a "luks-" name prefix — so it can be
 * matched against the command-line entries.  Presumably an if/else-if
 * chain; the connecting lines are elided. */
436 uuid = startswith(device, "UUID=");
438 uuid = path_startswith(device, "/dev/disk/by-uuid/");
440 uuid = startswith(name, "luks-");
442 d = hashmap_get(arg_disks, uuid);
/* Once any device was named on the command line, crypttab entries
 * without a matching one are skipped. */
444 if (arg_whitelist && !d) {
445 log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
/* Only the options field is overridden from the command line here; the
 * crypttab keyfile is used even when a luks.key=<uuid>=... entry exists
 * for this device (d->keyfile is not consulted).  Confirm whether that
 * is intentional. */
449 r = create_disk(name, device, keyfile, (d && d->options) ? d->options : options);
/* Creates units for the devices named on the kernel command line, i.e.
 * the entries of arg_disks (presumably only those with `create` set; the
 * check is elided).  Entries without an explicit luks.name= get the name
 * "luks-<uuid>", the backing device is addressed as "UUID=<uuid>", and
 * the options fall back first to the global default and then to
 * "timeout=0".  The return statements are elided. */
460 static int add_proc_cmdline_devices(void) {
465 HASHMAP_FOREACH(d, arg_disks, i) {
467 _cleanup_free_ char *device = NULL;
/* Default name when luks.name= was not given; stored in the entry. */
473 d->name = strappend("luks-", d->uuid);
478 device = strappend("UUID=", d->uuid);
/* Option precedence: per-device luks.options=, then the global
 * luks.options= default, then "timeout=0" (presumably to disable the
 * password-query timeout, see crypttab(5)). */
483 options = d->options;
484 else if (arg_default_options)
485 options = arg_default_options;
487 options = "timeout=0";
/* GNU "?:": per-device key file, else the global luks.key= default, else
 * NULL (create_disk() turns NULL into "" via strempty()). */
489 r = create_disk(d->name, device, d->keyfile ?: arg_default_keyfile, options);
497 int main(int argc, char *argv[]) {
498 int r = EXIT_FAILURE;
500 if (argc > 1 && argc != 4) {
501 log_error("This program takes three or no arguments.");
508 log_set_target(LOG_TARGET_SAFE);
509 log_parse_environment();
514 arg_disks = hashmap_new(&string_hash_ops);
518 r = parse_proc_cmdline(parse_proc_cmdline_item);
520 log_warning_errno(r, "Failed to parse kernel command line, ignoring: %m");
529 if (add_crypttab_devices() < 0)
532 if (add_proc_cmdline_devices() < 0)
539 free(arg_default_options);
540 free(arg_default_keyfile);