1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
28 #include "generator.h"
32 #include "path-util.h"
34 #include "unit-name.h"
37 typedef struct crypto_device {
/* Generator-wide state, filled in from argv and the kernel command line.
 *
 * arg_dest: directory the generated unit files, symlinks and drop-ins are
 * written to (every strjoin()/write_drop_in() path in create_disk() is
 * rooted here). "/tmp" is only the built-in default; NOTE(review): a
 * privileged generator must never actually write into a world-writable
 * directory, so the override from argv[1] (presumably in main(), elided
 * from this listing) is what makes this safe — confirm it is unconditional
 * when three arguments are given. */
44 static const char *arg_dest = "/tmp";
/* Master switch; presumably set from luks= / rd.luks= in
 * parse_proc_cmdline_item() (the assignment itself is elided). */
45 static bool arg_enabled = true;
/* luks.crypttab= / rd.luks.crypttab=: whether /etc/crypttab is read at all
 * (set in parse_proc_cmdline_item(), tested in add_crypttab_devices()). */
46 static bool arg_read_crypttab = true;
/* Becomes true as soon as a device is named via luks.uuid=; from then on
 * crypttab entries that were not named are skipped. */
47 static bool arg_whitelist = false;
/* uuid string -> crypto_device; created in main() with string_hash_ops,
 * populated by get_crypto_device(), released by free_arg_disks(). */
48 static Hashmap *arg_disks = NULL;
/* Fallbacks from a bare luks.options= / luks.key= (no "UUID=" prefix);
 * heap-owned, freed at the end of main(). */
49 static char *arg_default_options = NULL;
50 static char *arg_default_keyfile = NULL;
/* Returns true if the comma-separated option string @haystack contains
 * @needle as a complete entry: a strstr() hit counts only when it is at the
 * start of the string or preceded by ',' and when it ends at NUL or ','.
 * This is what keeps e.g. "tmp" from matching inside "notmp=..." style
 * values. Presumably 'l' is strlen(needle) (its definition is not among
 * the lines shown). Used by create_disk() for the flag-style options. */
52 static bool has_option(const char *haystack, const char *needle) {
53 const char *f = haystack;
63 while ((f = strstr(f, needle))) {
/* Match must start an entry: either at the beginning or right after ','. */
65 if (f > haystack && f[-1] != ',') {
/* ... and must end one: next char is NUL or ','. Otherwise keep scanning. */
70 if (f[l] != 0 && f[l] != ',') {
/* Writes the systemd-cryptsetup unit for one crypttab entry plus the
 * symlinks and drop-ins that pull it into the boot transaction.
 *
 * The parameter list is split across elided lines; from the uses below:
 * name is the mapped device name (/dev/mapper/<name>), device the backing
 * block device spec, password the key source (path, "-", "none" or a
 * random device), options the crypttab option string.
 *
 * Returns 0 on success or the negative errno returned by
 * log_error_errno(); every failure after fopen() leaves a partial unit
 * behind (it is removed with the rest of arg_dest by the caller's
 * convention, presumably — not visible here). */
81 static int create_disk(
85 const char *options) {
87 _cleanup_free_ char *p = NULL, *n = NULL, *d = NULL, *u = NULL, *to = NULL, *e = NULL,
89 _cleanup_fclose_ FILE *f = NULL;
/* Flag-style crypttab options; has_option() matches whole entries only. */
90 bool noauto, nofail, tmp, swap;
97 noauto = has_option(options, "noauto");
98 nofail = has_option(options, "nofail");
99 tmp = has_option(options, "tmp");
100 swap = has_option(options, "swap");
/* 'tmp' runs mke2fs and 'swap' runs mkswap on the mapped device (see the
 * ExecStartPost= lines below), so the two are mutually exclusive. */
103 log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
/* e: escaped name, reused below for the dev-mapper-<e>.device unit name;
 * n: unit file name; p: its full path under arg_dest. */
107 e = unit_name_escape(name);
111 n = unit_name_build("systemd-cryptsetup", e, ".service");
115 p = strjoin(arg_dest, "/", n, NULL);
/* u: udev node for the backing device spec (UUID=, LABEL=, ... resolved);
 * d: the .device unit name systemd will use for it. */
119 u = fstab_node_to_udev_node(device);
123 d = unit_name_from_path(u, ".device");
/* fopen() of p (elided) failed. */
129 return log_error_errno(errno, "Failed to create unit file %s: %m", p);
/* [Unit] section. %I / %i are left for systemd to expand from the
 * instance name; BindsTo= ties the unit's life to the mapped device. */
132 "# Automatically generated by systemd-cryptsetup-generator\n\n"
134 "Description=Cryptography Setup for %I\n"
135 "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
136 "SourcePath=/etc/crypttab\n"
137 "DefaultDependencies=no\n"
138 "Conflicts=umount.target\n"
139 "BindsTo=dev-mapper-%i.device\n"
140 "IgnoreOnIsolate=true\n"
141 "After=cryptsetup-pre.target\n",
146 "Before=cryptsetup.target\n");
/* Ordering against the key source: the random devices must wait for the
 * seed service; "-"/"none" mean "no key file"; any other path is resolved
 * to a udev node and, if it is a device, pulled in as its .device unit,
 * otherwise the mount holding it is required. /dev/null is treated like
 * "no key file". */
149 if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
150 fputs("After=systemd-random-seed.service\n", f);
151 else if (!streq(password, "-") && !streq(password, "none")) {
152 _cleanup_free_ char *uu;
154 uu = fstab_node_to_udev_node(password);
158 if (!path_equal(uu, "/dev/null")) {
160 if (is_device_path(uu)) {
161 _cleanup_free_ char *dd;
163 dd = unit_name_from_path(uu, ".device");
167 fprintf(f, "After=%1$s\nRequires=%1$s\n", dd);
169 fprintf(f, "RequiresMountsFor=%s\n", password);
/* Ordering against the backing device: a device node only needs to be
 * detached before umount.target, anything else needs its mount first. */
174 if (is_device_path(u))
178 "Before=umount.target\n",
182 "RequiresMountsFor=%s\n",
/* Presumably splits the timeout-related options out of @options into
 * 'filtered' and emits them as drop-ins; 'filtered' is what reaches the
 * attach command line below. */
185 r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
/* [Service] section. NOTE(review): name, the udev node, the key path and
 * the filtered options are spliced into ExecStart=/ExecStop= inside single
 * quotes; a value containing a quote or a newline would change the meaning
 * of the generated unit. Both inputs (/etc/crypttab, kernel command line)
 * are root-controlled, so this is a robustness rather than a privilege
 * concern, but rejecting such values up front would keep the generated
 * file self-consistent — TODO confirm nothing earlier already does. */
192 "RemainAfterExit=yes\n"
193 "TimeoutSec=0\n" /* the binary handles timeouts anyway */
194 "ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
195 "ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
196 name, u, strempty(password), strempty(filtered),
/* 'tmp' / 'swap': initialise the freshly mapped device right after attach. */
201 "ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
206 "ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
/* fflush()/ferror() check (elided) failed. */
211 return log_error_errno(errno, "Failed to write file %s: %m", p);
/* Symlink targets are relative ("../<unit>") to the .wants/.requires
 * directory they live in, so they do not depend on where arg_dest is. */
213 from = strappenda("../", n);
/* 1. Wanted by the backing device's .device unit, so it starts as soon as
 *    the device shows up. NOTE(review): 'to' is reassigned three times
 *    below; the intervening free() calls are elided from this listing —
 *    without them the earlier allocations would leak. */
217 to = strjoin(arg_dest, "/", d, ".wants/", n, NULL);
/* Return value not checked: if the directory is missing the symlink()
 * right after reports the failure. */
221 mkdir_parents_label(to, 0755);
222 if (symlink(from, to) < 0)
223 return log_error_errno(errno, "Failed to create symlink %s: %m", to);
/* 2. Pulled in by cryptsetup.target, as a hard requirement or only a want
 *    (the selecting condition, presumably nofail, is elided). */
227 to = strjoin(arg_dest, "/cryptsetup.target.requires/", n, NULL);
229 to = strjoin(arg_dest, "/cryptsetup.target.wants/", n, NULL);
233 mkdir_parents_label(to, 0755);
234 if (symlink(from, to) < 0)
235 return log_error_errno(errno, "Failed to create symlink %s: %m", to);
/* 3. Required by the dev-mapper-<e>.device unit, so activating the mapped
 *    device by name pulls in the setup service. */
239 to = strjoin(arg_dest, "/dev-mapper-", e, ".device.requires/", n, NULL);
243 mkdir_parents_label(to, 0755);
244 if (symlink(from, to) < 0)
245 return log_error_errno(errno, "Failed to create symlink %s: %m", to);
/* Devices that start automatically and whose failure is fatal get an
 * unbounded job timeout on their .device unit, presumably so the job does
 * not expire while the user is being prompted. */
247 if (!noauto && !nofail) {
248 _cleanup_free_ char *dmname;
249 dmname = strjoin("dev-mapper-", e, ".device", NULL);
253 r = write_drop_in(arg_dest, dmname, 90, "device-timeout",
254 "# Automatically generated by systemd-cryptsetup-generator \n\n"
255 "[Unit]\nJobTimeoutSec=0");
257 return log_error_errno(r, "Failed to write device drop-in: %m");
/* Releases every crypto_device in arg_disks and then the map itself.
 * Entries are stolen one at a time so the map never refers to memory that
 * has already been freed; the per-entry frees are among the elided lines. */
263 static void free_arg_disks(void) {
266 while ((d = hashmap_steal_first(arg_disks))) {
273 hashmap_free(arg_disks);
/* Returns the crypto_device registered for @uuid, allocating, zeroing and
 * inserting a new one the first time a uuid is seen. Returns NULL on
 * allocation failure (the NULL checks are elided). The map key is the
 * entry's own strdup()ed uuid, so key and value share one lifetime and
 * both are released together by free_arg_disks(). */
276 static crypto_device *get_crypto_device(const char *uuid) {
282 d = hashmap_get(arg_disks, uuid);
284 d = new0(struct crypto_device, 1);
/* Redundant after new0(), which zero-fills, but harmless. */
289 d->keyfile = d->options = NULL;
291 d->uuid = strdup(uuid);
297 r = hashmap_put(arg_disks, d->uuid, d);
/* Callback for parse_proc_cmdline(): handles luks=, luks.crypttab=,
 * luks.uuid=, luks.options= and luks.key= (each also with the "rd."
 * prefix). Unparsable booleans are only warned about; the negative returns
 * on allocation failure (log_oom()) are elided from this listing. */
308 static int parse_proc_cmdline_item(const char *key, const char *value) {
/* Filled by the "%m" sscanf() conversions below; freed on return unless
 * ownership was handed to a crypto_device. */
311 _cleanup_free_ char *uuid = NULL, *uuid_value = NULL;
313 if (STR_IN_SET(key, "luks", "rd.luks") && value) {
315 r = parse_boolean(value);
317 log_warning("Failed to parse luks switch %s. Ignoring.", value);
321 } else if (STR_IN_SET(key, "luks.crypttab", "rd.luks.crypttab") && value) {
323 r = parse_boolean(value);
325 log_warning("Failed to parse luks crypttab switch %s. Ignoring.", value);
327 arg_read_crypttab = r;
329 } else if (STR_IN_SET(key, "luks.uuid", "rd.luks.uuid") && value) {
/* The uuid may be given with or without the "luks-" prefix; 5 == strlen("luks-"). */
331 d = get_crypto_device(startswith(value, "luks-") ? value+5 : value);
/* Naming any device switches crypttab processing to whitelist mode. */
335 d->create = arg_whitelist = true;
337 } else if (STR_IN_SET(key, "luks.options", "rd.luks.options") && value) {
/* "<uuid>=<options>" applies to one device, a bare value becomes the default. */
339 r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
341 d = get_crypto_device(uuid);
/* Ownership of uuid_value moves to the device (the NULL-ing is elided). */
346 d->options = uuid_value;
348 } else if (free_and_strdup(&arg_default_options, value) < 0)
351 } else if (STR_IN_SET(key, "luks.key", "rd.luks.key") && value) {
353 r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
355 d = get_crypto_device(uuid);
360 d->keyfile = uuid_value;
/* NOTE(review): unlike the luks.options branch above, which tests
 * free_and_strdup() with "< 0", this treats any non-zero return as a
 * failure. If free_and_strdup() can return a positive value on success
 * (e.g. 1 when the string changed), a plain luks.key=<path> would be
 * reported as out-of-memory — confirm its contract and use the same
 * "< 0" test here. */
362 } else if (free_and_strdup(&arg_default_keyfile, value))
/* Reads /etc/crypttab line by line and calls create_disk() for each entry,
 * applying the kernel-command-line whitelist and per-device option
 * overrides. Returns a negative value when the file cannot be opened or
 * stat'ed (the returns are elided); individual malformed lines are logged
 * and skipped. */
370 static int add_crypttab_devices(void) {
/* 1-based line counter, only used for diagnostics. */
372 unsigned crypttab_line = 0;
373 _cleanup_fclose_ FILE *f = NULL;
/* luks.crypttab=0 disables this whole source. */
375 if (!arg_read_crypttab)
/* "re": read-only with O_CLOEXEC, so the descriptor is not inherited by
 * anything spawned later. */
378 f = fopen("/etc/crypttab", "re");
381 log_error_errno(errno, "Failed to open /etc/crypttab: %m");
/* fstat() on the open descriptor rather than stat() on the path, so the
 * permission check below refers to the file actually being read. */
385 if (fstat(fileno(f), &st) < 0) {
386 log_error_errno(errno, "Failed to stat /etc/crypttab: %m");
390 /* If we re-add support for specifying passphrases
391 * directly in crypttab we should upgrade the warning
392 * below, though possibly only if a passphrase is
393 * specified directly. */
/* 0005 == S_IROTH|S_IXOTH: readable (or searchable) by others. Only a
 * debug message because, per the comment above, crypttab currently holds
 * key file paths rather than secrets. */
394 if (st.st_mode & 0005)
395 log_debug("/etc/crypttab is world-readable. This is usually not a good idea.");
/* Lines longer than LINE_MAX-1 are split by fgets(): the remainder comes
 * back as a separate "line" on the next iteration and will most likely be
 * rejected by the field-count check below rather than merged. */
399 char line[LINE_MAX], *l, *uuid;
400 crypto_device *d = NULL;
/* Filled by the "%ms" conversions; freed at the end of each iteration. */
401 _cleanup_free_ char *name = NULL, *device = NULL, *keyfile = NULL, *options = NULL;
403 if (!fgets(line, sizeof(line), f))
/* l presumably points at the whitespace-stripped line (stripping elided);
 * comments and empty lines are skipped. */
409 if (*l == '#' || *l == 0)
/* name device [keyfile [options]]: 2 to 4 fields are valid. */
412 k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options);
413 if (k < 2 || k > 4) {
414 log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line);
/* Recover the uuid used as arg_disks key, trying in turn: a UUID= spec,
 * a /dev/disk/by-uuid/ path, the luks-<uuid> naming convention (the
 * else-chaining between these is elided). */
418 uuid = startswith(device, "UUID=");
420 uuid = path_startswith(device, "/dev/disk/by-uuid/");
422 uuid = startswith(name, "luks-");
424 d = hashmap_get(arg_disks, uuid);
/* Whitelist mode: once luks.uuid= named any device, unnamed entries are
 * skipped rather than set up. */
426 if (arg_whitelist && !d) {
427 log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
/* luks.options=<uuid>=... from the kernel command line overrides the
 * crypttab options column for that device. */
431 r = create_disk(name, device, keyfile, (d && d->options) ? d->options : options);
/* Creates units for devices that were named on the kernel command line
 * via luks.uuid=; presumably only entries with d->create still set are
 * handled (the test, and how crypttab entries clear it, are elided). */
442 static int add_proc_cmdline_devices(void) {
447 HASHMAP_FOREACH(d, arg_disks, i) {
449 _cleanup_free_ char *name = NULL, *device = NULL;
/* Synthesised crypttab-style fields: luks-<uuid> as the mapped name and
 * UUID=<uuid> as the backing device spec. */
454 name = strappend("luks-", d->uuid);
458 device = strappend("UUID=", d->uuid);
/* Option precedence: per-device luks.options=<uuid>=..., then a bare
 * luks.options=, then a built-in "timeout=0". */
463 options = d->options;
464 else if (arg_default_options)
465 options = arg_default_options;
467 options = "timeout=0";
/* Same precedence for the key file (GNU "?:" elvis operator); a NULL
 * keyfile reaches create_disk() as strempty() -> "". */
469 r = create_disk(name, device, d->keyfile ?: arg_default_keyfile, options);
/* Entry point. As is usual for systemd generators it is invoked either with
 * no arguments or with three destination directories; presumably argv[1]
 * replaces the "/tmp" default of arg_dest (that assignment is elided).
 * Returns EXIT_SUCCESS only if both device sources were processed. */
477 int main(int argc, char *argv[]) {
478 int r = EXIT_FAILURE;
480 if (argc > 1 && argc != 4) {
481 log_error("This program takes three or no arguments.");
/* LOG_TARGET_SAFE: presumably chosen because generators run before the
 * journal is available. */
488 log_set_target(LOG_TARGET_SAFE);
489 log_parse_environment();
/* Keys are the uuid C strings, hence string_hash_ops. */
494 arg_disks = hashmap_new(&string_hash_ops);
/* A broken kernel command line is non-fatal: built-in defaults and
 * /etc/crypttab are still used. */
498 r = parse_proc_cmdline(parse_proc_cmdline_item);
500 log_warning_errno(r, "Failed to parse kernel command line, ignoring: %m");
/* Both sources are processed; on failure the code presumably jumps to the
 * cleanup below with r still EXIT_FAILURE (the branches are elided). */
509 if (add_crypttab_devices() < 0)
512 if (add_proc_cmdline_devices() < 0)
/* Release the module-level strings set by parse_proc_cmdline_item(). */
519 free(arg_default_options);
520 free(arg_default_keyfile);