cryptsetup: lock ourselves into memory as long as we deal with passwords
[elogind.git] / src / cryptsetup.c
index 91a4436ae1531f75bb75230817ca35dfba63f20a..c103aa9e03e329735b7e702f3802276d8dbb3e9c 100644 (file)
@@ -21,6 +21,7 @@
 
 #include <string.h>
 #include <errno.h>
+#include <sys/mman.h>
 
 #include <libcryptsetup.h>
 
@@ -37,6 +38,18 @@ static bool opt_readonly = false;
 static bool opt_verify = false;
 static usec_t opt_timeout = 0;
 
+/* Options Debian's crypttab knows we don't:
+
+    offset=
+    skip=
+    precheck=
+    check=
+    checkargs=
+    noearly=
+    loud=
+    keyscript=
+*/
+
 static int parse_one_option(const char *option) {
         assert(option);
 
@@ -155,7 +168,10 @@ int main(int argc, char *argv[]) {
                         goto finish;
                 }
 
-                if (argc >= 5 && argv[4][0] && !streq(argv[4], "-")) {
+                if (argc >= 5 &&
+                    argv[4][0] &&
+                    !streq(argv[4], "-") &&
+                    !streq(argv[4], "none")) {
 
                         if (!path_is_absolute(argv[4]))
                                 log_error("Password file path %s is not absolute. Ignoring.", argv[4]);
@@ -166,6 +182,9 @@ int main(int argc, char *argv[]) {
                 if (argc >= 6 && argv[5][0] && !streq(argv[5], "-"))
                         parse_options(argv[5]);
 
+                /* A delicious drop of snake oil */
+                mlockall(MCL_FUTURE);
+
                 if ((k = crypt_init(&cd, argv[3]))) {
                         log_error("crypt_init() failed: %s", strerror(-k));
                         goto finish;
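Review bot: The `mlockall(MCL_FUTURE);` call added before `crypt_init()` ignores its return value and, with only `MCL_FUTURE`, locks just the mappings created after the call, so pages already mapped at this point (stack, existing heap) can still be swapped out together with any passphrase later stored in them. I would pass both flags and report a failure, e.g. `if (mlockall(MCL_CURRENT|MCL_FUTURE) < 0) log_warning("mlockall() failed: %s", strerror(errno));`, so that a process which hits RLIMIT_MEMLOCK or lacks the privilege does not silently run unlocked. The comment `/* A delicious drop of snake oil */` would serve the next reader better as something like `/* Keep passphrases and key material out of swap while we handle them */`. main() continues past the end of this hunk, so whether a matching `munlockall()` exists on the exit path is not visible here.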