From: Shawn Landden
Date: Mon, 15 Jul 2013 03:13:09 +0000 (-0700)
Subject: journalctl: add --force option to recreate FSS
X-Git-Tag: v206~103
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=b8547c10c82994f2b8eab4510629139439b49371;hp=6c5a28255bea4385289149b4617c86a24eec519f

journalctl: add --force option to recreate FSS
---
diff --git a/man/journalctl.xml b/man/journalctl.xml
index 8dbfb3f0f..71b1babb1 100644
--- a/man/journalctl.xml
+++ b/man/journalctl.xml
@@ -600,6 +600,14 @@ for details.
+
+
+
+ When --setup-keys is passed and
+ Forward Secure Sealing has already been set up,
+ recreate FSS keys.
+
+
diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index 32665b7f7..5f44fce08 100644
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -79,6 +79,7 @@ static int arg_priorities = 0xFF;
 static const char *arg_verify_key = NULL;
 #ifdef HAVE_GCRYPT
 static usec_t arg_interval = DEFAULT_FSS_INTERVAL_USEC;
+static bool arg_force = false;
 #endif
 static usec_t arg_since, arg_until;
 static bool arg_since_set = false, arg_until_set = false;
@@ -149,6 +150,7 @@ static int help(void) {
 " --update-catalog Update the message catalog database\n"
 #ifdef HAVE_GCRYPT
 " --setup-keys Generate new FSS key pair\n"
+ " --force Force overriding new FSS key pair with --setup-keys\n"
 " --verify Verify journal file consistency\n"
 #endif
 , program_invocation_short_name);
@@ -179,6 +181,7 @@ static int parse_argv(int argc, char *argv[]) {
 ARG_LIST_CATALOG,
 ARG_DUMP_CATALOG,
 ARG_UPDATE_CATALOG,
+ ARG_FORCE,
 };
 
 static const struct option options[] = {
@@ -187,6 +190,7 @@ static int parse_argv(int argc, char *argv[]) {
 { "no-pager", no_argument, NULL, ARG_NO_PAGER },
 { "pager-end", no_argument, NULL, 'e' },
 { "follow", no_argument, NULL, 'f' },
+ { "force", no_argument, NULL, ARG_FORCE },
 { "output", required_argument, NULL, 'o' },
 { "all", no_argument, NULL, 'a' },
 { "full", no_argument, NULL, 'l' },
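Review bot: The help text added in the help() hunk, `"     --force             Force overriding new FSS key pair with --setup-keys\n"`, describes the option backwards: what gets overwritten is the existing key pair, not a new one. Something like `"     --force             Recreate the FSS key pair even if one exists (with --setup-keys)\n"` matches what the man/journalctl.xml hunk says ("recreate FSS keys") and what the code does. The man page entry would also benefit from one sentence stating the consequence of recreating the key: journal files sealed under the previous key can only be verified with the verification key that was printed when that key was set up, so an operator should keep it before forcing a new one. The remaining hunks on this line (the arg_force global, ARG_FORCE enum value and options[] entry) are consistent with how --setup-keys is already wired under HAVE_GCRYPT.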
@@ -375,6 +379,10 @@ static int parse_argv(int argc, char *argv[]) {
 break;
 
 #ifdef HAVE_GCRYPT
+ case ARG_FORCE:
+ arg_force = true;
+ break;
+
 case ARG_SETUP_KEYS:
 arg_action = ACTION_SETUP_KEYS;
 break;
@@ -397,6 +405,7 @@ static int parse_argv(int argc, char *argv[]) {
 case ARG_SETUP_KEYS:
 case ARG_VERIFY_KEY:
 case ARG_INTERVAL:
+ case ARG_FORCE:
 log_error("Forward-secure sealing not available.");
 return -ENOTSUP;
 #endif
@@ -756,9 +765,18 @@ static int setup_keys(void) {
 return log_oom();
 
 if (access(p, F_OK) >= 0) {
- log_error("Sealing key file %s exists already.", p);
- r = -EEXIST;
- goto finish;
+ if (arg_force) {
+ r = unlink(p);
+ if (r < 0) {
+ log_error("unlink(\"%s\") failed: %m", p);
+ r = -errno;
+ goto finish;
+ }
+ } else {
+ log_error("Sealing key file %s exists already. (--force to recreate)", p);
+ r = -EEXIST;
+ goto finish;
+ }
 }
 
 if (asprintf(&k, "/var/log/journal/" SD_ID128_FORMAT_STR "/fss.tmp.XXXXXX",
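Review bot: In the setup_keys hunk the existing sealing key file is unlink()ed before any replacement has been generated, so if key generation or writing the temp file fails afterwards the machine is left with no sealing key at all, and the only recovery is another successful --setup-keys. Since the new key is written to fss.tmp.XXXXXX first (the asprintf on the last context line), the safer order is to leave the old file in place and replace it only once the temp file is complete; the rest of setup_keys is outside this hunk, so if it installs the temp file with link(2) that step would need to become rename(2), which replaces an existing target atomically and makes the unlink unnecessary. There is also a small window between the access(p, F_OK) check and the unlink() in which the file can change, which a rename-based swap removes as well. The pairing `log_error("unlink(\"%s\") failed: %m", p); r = -errno;` depends on log_error preserving errno; capturing it first, `r = -errno; log_error("unlink(\"%s\") failed: %m", p);`, avoids relying on that.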