X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fcryptsetup%2Fcryptsetup-generator.c;h=c7f30f6a156cc334216545d2ab90ba85afc09d2a;hp=de64afd7274dc7f4d091c1bfc40f52a1d85e88d4;hb=0e2f14014c65b4d8b30146e414579154cfa932da;hpb=07719a21b6425d378b36bb8d7f47ad5ec5296d28 diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c index de64afd72..c7f30f6a1 100644 --- a/src/cryptsetup/cryptsetup-generator.c +++ b/src/cryptsetup/cryptsetup-generator.c @@ -27,8 +27,18 @@ #include "util.h" #include "unit-name.h" #include "mkdir.h" - -const char *arg_dest = "/tmp"; +#include "strv.h" +#include "fileio.h" +#include "path-util.h" +#include "dropin.h" +#include "generator.h" + +static const char *arg_dest = "/tmp"; +static bool arg_enabled = true; +static bool arg_read_crypttab = true; +static char **arg_disks = NULL; +static char **arg_options = NULL; +static char *arg_keyfile = NULL; static bool has_option(const char *haystack, const char *needle) { const char *f = haystack; @@ -65,74 +75,109 @@ static int create_disk( const char *password, const char *options) { - char *p = NULL, *n = NULL, *d = NULL, *u = NULL, *from = NULL, *to = NULL, *e = NULL; + _cleanup_free_ char *p = NULL, *n = NULL, *d = NULL, *u = NULL, *to = NULL, *e = NULL, + *filtered = NULL; + _cleanup_fclose_ FILE *f = NULL; + bool noauto, nofail, tmp, swap; + char *from; int r; - FILE *f = NULL; - bool noauto, nofail; assert(name); assert(device); noauto = has_option(options, "noauto"); nofail = has_option(options, "nofail"); + tmp = has_option(options, "tmp"); + swap = has_option(options, "swap"); - n = unit_name_build_escape("cryptsetup", name, ".service"); - if (!n) { - r = -ENOMEM; - log_error("Failed to allocate unit name."); - goto fail; + if (tmp && swap) { + log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name); + return -EINVAL; } - p = join(arg_dest, "/", n, NULL); - if (!p) { - r = -ENOMEM; - log_error("Failed to allocate unit file name."); - goto fail; - } + e = unit_name_escape(name); + if (!e) + return log_oom(); + + n = unit_name_build("systemd-cryptsetup", e, ".service"); + if (!n) + return log_oom(); + + p = strjoin(arg_dest, "/", n, NULL); + if (!p) + return log_oom(); u = fstab_node_to_udev_node(device); - if (!u) { - r = -ENOMEM; - log_error("Failed to allocate device node."); - goto fail; - } + if (!u) + return log_oom(); d = unit_name_from_path(u, ".device"); - if (!d) { - r = -ENOMEM; - log_error("Failed to allocate device name."); - goto fail; - } + if (!d) + return log_oom(); f = fopen(p, "wxe"); if (!f) { - r = -errno; - log_error("Failed to create unit file: %m"); - goto fail; + log_error("Failed to create unit file %s: %m", p); + return -errno; } - fprintf(f, + fputs( "# Automatically generated by systemd-cryptsetup-generator\n\n" "[Unit]\n" - "Description=Cryptography Setup for %%I\n" + "Description=Cryptography Setup for %I\n" + "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n" "SourcePath=/etc/crypttab\n" - "Conflicts=umount.target\n" "DefaultDependencies=no\n" - "BindTo=%s dev-mapper-%%i.device\n" - "After=systemd-readahead-collect.service systemd-readahead-replay.service %s\n" - "Before=umount.target\n", - d, d); + "Conflicts=umount.target\n" + "BindsTo=dev-mapper-%i.device\n" + "IgnoreOnIsolate=true\n" + "After=cryptsetup-pre.target\n", + f); if (!nofail) fprintf(f, "Before=cryptsetup.target\n"); - if (password && (streq(password, "/dev/urandom") || - streq(password, "/dev/random") || - streq(password, "/dev/hw_random"))) - fputs("After=systemd-random-seed-load.service\n", f); + if (password) { + if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random")) + fputs("After=systemd-random-seed.service\n", f); + else if (!streq(password, "-") && !streq(password, "none")) { + _cleanup_free_ char *uu; + + uu = fstab_node_to_udev_node(password); + if (!uu) + return log_oom(); + + if (!path_equal(uu, "/dev/null")) { + + if (is_device_path(uu)) { + _cleanup_free_ char *dd; + + dd = unit_name_from_path(uu, ".device"); + if (!dd) + return log_oom(); + + fprintf(f, "After=%1$s\nRequires=%1$s\n", dd); + } else + fprintf(f, "RequiresMountsFor=%s\n", password); + } + } + } + + if (is_device_path(u)) + fprintf(f, + "BindsTo=%s\n" + "After=%s\n" + "Before=umount.target\n", + d, d); else - fputs("Before=local-fs.target\n", f); + fprintf(f, + "RequiresMountsFor=%s\n", + u); + + r = generator_write_timeouts(arg_dest, device, name, options, &filtered); + if (r < 0) + return r; fprintf(f, "\n[Service]\n" @@ -141,104 +186,125 @@ static int create_disk( "TimeoutSec=0\n" /* the binary handles timeouts anyway */ "ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n" "ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n", - name, u, strempty(password), strempty(options), + name, u, strempty(password), strempty(filtered), name); - if (has_option(options, "tmp")) + if (tmp) fprintf(f, "ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n", name); - if (has_option(options, "swap")) + if (swap) fprintf(f, "ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n", name); fflush(f); - if (ferror(f)) { - r = -errno; - log_error("Failed to write file: %m"); - goto fail; + log_error("Failed to write file %s: %m", p); + return -errno; } - if (asprintf(&from, "../%s", n) < 0) { - r = -ENOMEM; - goto fail; - } + from = strappenda("../", n); if (!noauto) { - to = join(arg_dest, "/", d, ".wants/", n, NULL); - if (!to) { - r = -ENOMEM; - goto fail; - } + to = strjoin(arg_dest, "/", d, ".wants/", n, NULL); + if (!to) + return log_oom(); - mkdir_parents(to, 0755); + mkdir_parents_label(to, 0755); if (symlink(from, to) < 0) { - log_error("Failed to create symlink '%s' to '%s': %m", from, to); - r = -errno; - goto fail; + log_error("Failed to create symlink %s: %m", to); + return -errno; } free(to); - if (!nofail) - to = join(arg_dest, "/cryptsetup.target.requires/", n, NULL); + to = strjoin(arg_dest, "/cryptsetup.target.requires/", n, NULL); else - to = join(arg_dest, "/cryptsetup.target.wants/", n, NULL); - if (!to) { - r = -ENOMEM; - goto fail; - } + to = strjoin(arg_dest, "/cryptsetup.target.wants/", n, NULL); + if (!to) + return log_oom(); - mkdir_parents(to, 0755); + mkdir_parents_label(to, 0755); if (symlink(from, to) < 0) { - log_error("Failed to create symlink '%s' to '%s': %m", from, to); - r = -errno; - goto fail; + log_error("Failed to create symlink %s: %m", to); + return -errno; } - - free(to); - to = NULL; } - e = unit_name_escape(name); - to = join(arg_dest, "/dev-mapper-", e, ".device.requires/", n, NULL); - if (!to) { - r = -ENOMEM; - goto fail; - } + free(to); + to = strjoin(arg_dest, "/dev-mapper-", e, ".device.requires/", n, NULL); + if (!to) + return log_oom(); - mkdir_parents(to, 0755); + mkdir_parents_label(to, 0755); if (symlink(from, to) < 0) { - log_error("Failed to create symlink '%s' to '%s': %m", from, to); - r = -errno; - goto fail; + log_error("Failed to create symlink %s: %m", to); + return -errno; } - r = 0; + if (!noauto && !nofail) { + r = write_drop_in(arg_dest, name, 90, "device-timeout", + "# Automatically generated by systemd-cryptsetup-generator \n\n" + "[Unit]\nJobTimeoutSec=0"); + if (r < 0) { + log_error("Failed to write device drop-in: %s", strerror(-r)); + return r; + } + } -fail: - free(p); - free(n); - free(d); - free(e); + return 0; +} - free(from); - free(to); +static int parse_proc_cmdline_item(const char *key, const char *value) { + int r; + + if (STR_IN_SET(key, "luks", "rd.luks") && value) { + + r = parse_boolean(value); + if (r < 0) + log_warning("Failed to parse luks switch %s. Ignoring.", value); + else + arg_enabled = r; + + } else if (STR_IN_SET(key, "luks.crypttab", "rd.luks.crypttab") && value) { + + r = parse_boolean(value); + if (r < 0) + log_warning("Failed to parse luks crypttab switch %s. Ignoring.", value); + else + arg_read_crypttab = r; + + } else if (STR_IN_SET(key, "luks.uuid", "rd.luks.uuid") && value) { + + if (strv_extend(&arg_disks, value) < 0) + return log_oom(); - if (f) - fclose(f); + } else if (STR_IN_SET(key, "luks.options", "rd.luks.options") && value) { - return r; + if (strv_extend(&arg_options, value) < 0) + return log_oom(); + + } else if (STR_IN_SET(key, "luks.key", "rd.luks.key") && value) { + + free(arg_keyfile); + arg_keyfile = strdup(value); + if (!arg_keyfile) + return log_oom(); + + } + + return 0; } int main(int argc, char *argv[]) { - FILE *f; - int r = EXIT_SUCCESS; + _cleanup_strv_free_ char **disks_done = NULL; + _cleanup_fclose_ FILE *f = NULL; unsigned n = 0; + int r = EXIT_FAILURE, r2 = EXIT_FAILURE; + char **i; if (argc > 1 && argc != 4) { log_error("This program takes three or no arguments."); @@ -254,50 +320,191 @@ int main(int argc, char *argv[]) { umask(0022); - f = fopen("/etc/crypttab", "re"); - if (!f) { + if (parse_proc_cmdline(parse_proc_cmdline_item) < 0) + goto cleanup; + + if (!arg_enabled) { + r = r2 = EXIT_SUCCESS; + goto cleanup; + } - if (errno == ENOENT) - r = EXIT_SUCCESS; - else { - r = EXIT_FAILURE; - log_error("Failed to open /etc/crypttab: %m"); + strv_uniq(arg_disks); + + if (arg_read_crypttab) { + struct stat st; + + f = fopen("/etc/crypttab", "re"); + if (!f) { + if (errno == ENOENT) + r = EXIT_SUCCESS; + else + log_error("Failed to open /etc/crypttab: %m"); + + goto next; } - goto finish; + if (fstat(fileno(f), &st) < 0) { + log_error("Failed to stat /etc/crypttab: %m"); + goto next; + } + + /* If we readd support for specifying passphrases + * directly in crypttabe we should upgrade the warning + * below, though possibly only if a passphrase is + * specified directly. */ + if (st.st_mode & 0005) + log_debug("/etc/crypttab is world-readable. This is usually not a good idea."); + + for (;;) { + char line[LINE_MAX], *l; + _cleanup_free_ char *name = NULL, *device = NULL, *password = NULL, *options = NULL; + int k; + + if (!fgets(line, sizeof(line), f)) + break; + + n++; + + l = strstrip(line); + if (*l == '#' || *l == 0) + continue; + + k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &password, &options); + if (k < 2 || k > 4) { + log_error("Failed to parse /etc/crypttab:%u, ignoring.", n); + continue; + } + + /* + If options are specified on the kernel commandline, let them override + the ones from crypttab. + */ + STRV_FOREACH(i, arg_options) { + _cleanup_free_ char *proc_uuid = NULL, *proc_options = NULL; + const char *p = *i; + + k = sscanf(p, "%m[0-9a-fA-F-]=%ms", &proc_uuid, &proc_options); + if (k == 2 && streq(proc_uuid, device + 5)) { + free(options); + options = strdup(p); + if (!options) { + log_oom(); + goto cleanup; + } + } + } + + if (arg_disks) { + /* + If luks UUIDs are specified on the kernel command line, use them as a filter + for /etc/crypttab and only generate units for those. + */ + STRV_FOREACH(i, arg_disks) { + _cleanup_free_ char *proc_device = NULL, *proc_name = NULL; + const char *p = *i; + + if (startswith(p, "luks-")) + p += 5; + + proc_name = strappend("luks-", p); + proc_device = strappend("UUID=", p); + + if (!proc_name || !proc_device) { + log_oom(); + goto cleanup; + } + + if (streq(proc_device, device) || streq(proc_name, name)) { + if (create_disk(name, device, password, options) < 0) + goto cleanup; + + if (strv_extend(&disks_done, p) < 0) { + log_oom(); + goto cleanup; + } + } + } + } else if (create_disk(name, device, password, options) < 0) + goto cleanup; + + } } - for (;;) { - char line[LINE_MAX], *l; - char *name = NULL, *device = NULL, *password = NULL, *options = NULL; - int k; + r = EXIT_SUCCESS; - if (!fgets(line, sizeof(line), f)) - break; +next: + STRV_FOREACH(i, arg_disks) { + /* + Generate units for those UUIDs, which were specified + on the kernel command line and not yet written. + */ - n++; + _cleanup_free_ char *name = NULL, *device = NULL, *options = NULL; + const char *p = *i; - l = strstrip(line); - if (*l == '#' || *l == 0) + if (startswith(p, "luks-")) + p += 5; + + if (strv_contains(disks_done, p)) continue; - k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &password, &options); - if (k < 2 || k > 4) { - log_error("Failed to parse /etc/crypttab:%u, ignoring.", n); - r = EXIT_FAILURE; - goto next; + name = strappend("luks-", p); + device = strappend("UUID=", p); + + if (!name || !device) { + log_oom(); + goto cleanup; + } + + if (arg_options) { + /* + If options are specified on the kernel commandline, use them. + */ + char **j; + + STRV_FOREACH(j, arg_options) { + _cleanup_free_ char *proc_uuid = NULL, *proc_options = NULL; + const char *s = *j; + int k; + + k = sscanf(s, "%m[0-9a-fA-F-]=%ms", &proc_uuid, &proc_options); + if (k == 2) { + if (streq(proc_uuid, device + 5)) { + free(options); + options = proc_options; + proc_options = NULL; + } + } else if (!options) { + /* + Fall back to options without a specified UUID + */ + options = strdup(s); + if (!options) { + log_oom(); + goto cleanup; + }; + } + } } - if (create_disk(name, device, password, options) < 0) - r = EXIT_FAILURE; + if (!options) { + options = strdup("timeout=0"); + if (!options) { + log_oom(); + goto cleanup; + } + } - next: - free(name); - free(device); - free(password); - free(options); + if (create_disk(name, device, arg_keyfile, options) < 0) + goto cleanup; } -finish: - return r; + r2 = EXIT_SUCCESS; + +cleanup: + strv_free(arg_disks); + strv_free(arg_options); + free(arg_keyfile); + + return r != EXIT_SUCCESS ? r : r2; }