From 4dc6b4953d4982b0ed7b7904b11beb85248b9ceb Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Jun 09 2015 09:29:38 +0000 Subject: add support for network disk encryption --- diff --git a/0004-cryptsetup-craft-a-unique-ID-with-the-source-device.patch b/0004-cryptsetup-craft-a-unique-ID-with-the-source-device.patch new file mode 100644 index 0000000..1be76c0 --- /dev/null +++ b/0004-cryptsetup-craft-a-unique-ID-with-the-source-device.patch 
@@ -0,0 +1,166 @@ +From f6373b7dd7a2b8a8e38c289f289728d289382f29 Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Mon, 1 Jun 2015 17:26:27 +0200 +Subject: [PATCH 4/4] cryptsetup: craft a unique ID with the source device + +If cryptsetup is called with a source device as argv[3], then craft the +ID for the password agent with a unique device path. + +If possible "/dev/block/:" is used, otherwise the original +argv[3] is used. + +This enables password agents like petera [1] to provide a password +according to the source device. The original ID did not carry enough +information and was more targeted for a human readable string, which +is specified in the "Message" field anyway. + +With this patch the ID of the ask.XXX ini file looks like this: +ID=cryptsetup:/dev/block/: + +[1] https://github.com/npmccallum/petera +--- + src/cryptsetup/cryptsetup.c | 90 +++++++++++++++++++++++++++++---------------- + 1 file changed, 58 insertions(+), 32 deletions(-) + +diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c +index a5018f1..5c6c7c0 100644 +--- a/src/cryptsetup/cryptsetup.c ++++ b/src/cryptsetup/cryptsetup.c +@@ -238,6 +238,23 @@ static void log_glue(int level, const char *msg, void *usrptr) { + log_debug("%s", msg); + } + ++static int disk_major_minor(const char *path, char **ret) { ++ struct stat st; ++ ++ assert(path); ++ ++ if (stat(path, &st) < 0) ++ return -errno; ++ ++ if (!S_ISBLK(st.st_mode)) ++ return -EINVAL; ++ ++ if (asprintf(ret, "/dev/block/%d:%d", major(st.st_rdev), minor(st.st_rdev)) < 0) ++ return -errno; ++ ++ return 0; ++} ++ + static char* disk_description(const char *path) { + + static const char name_fields[] = +@@ -295,20 +312,55 @@ static char *disk_mount_point(const char *label) { + return NULL; + } + +-static int get_password(const char *name, usec_t until, bool accept_cached, char ***passwords) { +- int r; ++static int get_password(const char *vol, const char *src, usec_t until, bool accept_cached, char ***passwords) { ++ 
int r = 0;
+ char **p;
+ _cleanup_free_ char *text = NULL;
+ _cleanup_free_ char *escaped_name = NULL;
+ char *id;
++ const char *name = NULL;
++ _cleanup_free_ char *description = NULL, *name_buffer = NULL,
++ *mount_point = NULL, *maj_min = NULL;
+ 
+- assert(name);
++ assert(vol);
++ assert(src);
+ assert(passwords);
+ 
++ description = disk_description(src);
++ mount_point = disk_mount_point(vol);
++ 
++ if (description && streq(vol, description)) {
++ /* If the description string is simply the
++ * volume name, then let's not show this
++ * twice */
++ free(description);
++ description = NULL;
++ }
++ 
++ if (mount_point && description)
++ r = asprintf(&name_buffer, "%s (%s) on %s", description, vol, mount_point);
++ else if (mount_point)
++ r = asprintf(&name_buffer, "%s on %s", vol, mount_point);
++ else if (description)
++ r = asprintf(&name_buffer, "%s (%s)", description, vol);
++ 
++ if (r < 0)
++ return log_oom();
++ 
++ name = name_buffer ? name_buffer : vol;
++ 
+ if (asprintf(&text, "Please enter passphrase for disk %s!", name) < 0)
+ return log_oom();
+ 
+- escaped_name = cescape(name);
++ if (src)
++ (void) disk_major_minor(src, &maj_min);
++ 
++ if (maj_min) {
++ escaped_name = maj_min;
++ maj_min = NULL;
++ } else
++ escaped_name = cescape(name);
++ 
+ if (!escaped_name)
+ return log_oom();
+ 
+@@ -552,8 +604,7 @@ int main(int argc, char *argv[]) {
+ unsigned tries;
+ usec_t until;
+ crypt_status_info status;
+- const char *key_file = NULL, *name = NULL;
+- _cleanup_free_ char *description = NULL, *name_buffer = NULL, *mount_point = NULL;
++ const char *key_file = NULL;
+ 
+ /* Arguments: systemd-cryptsetup attach VOLUME SOURCE-DEVICE [PASSWORD] [OPTIONS] */
+ 
+@@ -581,31 +632,6 @@ int main(int argc, char *argv[]) {
+ /* A delicious drop of snake oil */
+ mlockall(MCL_FUTURE);
+ 
+- description = disk_description(argv[3]);
+- mount_point = disk_mount_point(argv[2]);
+- 
+- if (description && streq(argv[2], description)) {
+- /* If the description string is
simply the +- * volume name, then let's not show this +- * twice */ +- free(description); +- description = NULL; +- } +- +- k = 0; +- if (mount_point && description) +- k = asprintf(&name_buffer, "%s (%s) on %s", description, argv[2], mount_point); +- else if (mount_point) +- k = asprintf(&name_buffer, "%s on %s", argv[2], mount_point); +- else if (description) +- k = asprintf(&name_buffer, "%s (%s)", description, argv[2]); +- +- if (k < 0) { +- log_oom(); +- goto finish; +- } +- name = name_buffer ? name_buffer : argv[2]; +- + if (arg_header) { + log_debug("LUKS header: %s", arg_header); + k = crypt_init(&cd, arg_header); +@@ -652,7 +678,7 @@ int main(int argc, char *argv[]) { + _cleanup_strv_free_ char **passwords = NULL; + + if (!key_file) { +- k = get_password(name, until, tries == 0 && !arg_verify, &passwords); ++ k = get_password(argv[2], argv[3], until, tries == 0 && !arg_verify, &passwords); + if (k == -EAGAIN) + continue; + else if (k < 0) +-- +2.4.1 + diff --git a/systemd.spec b/systemd.spec index 256b6b2..e317a68 100644 --- a/systemd.spec +++ b/systemd.spec @@ -16,7 +16,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 220 -Release: 5%{?gitcommit:.git%{gitcommit}}%{?dist} +Release: 6%{?gitcommit:.git%{gitcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: A System and Service Manager @@ -53,6 +53,9 @@ Patch1001: 0001-udevd-event-fix-event-queue-in-daemenozied-mode.patch # This is upstream commit 86c3bece38bcf5. Patch1002: 0001-udevd-fix-SIGCHLD-handling-in-daemon-mode.patch +# Add support for petera disk encryption +Patch1003: 0004-cryptsetup-craft-a-unique-ID-with-the-source-device.patch + %global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);} BuildRequires: libcap-devel 
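Review bot: In disk_major_minor the asprintf() failure path returns -errno, but asprintf() is not documented to set errno on failure, and the format passes major()/minor() (unsigned int on glibc) to %d; the usual systemd form would be `if (asprintf(ret, "/dev/block/%u:%u", major(st.st_rdev), minor(st.st_rdev)) < 0)` followed by `return -ENOMEM;`. In get_password, `if (src)` directly after `assert(src)` is redundant and reads as if src were optional; dropping one of the two makes the contract clear. The branch that moves maj_min into escaped_name deserves a comment such as `/* maj_min is built from integers only, so it needs no cescape() */`, since a reader may otherwise think the ID is handed to the agent unescaped by mistake. The rest of get_password, where the ID is composed from escaped_name, lies outside this hunk.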
@@ -860,6 +863,9 @@ getent passwd systemd-journal-upload >/dev/null 2>&1 || useradd -r -l -g systemd /usr/lib/firewalld/services/* %changelog +* Tue Jun 09 2015 Harald Hoyer 220-6 +- add support for network disk encryption + * Sun Jun 7 2015 Peter Robinson 220-5 - Disable gold on aarch64 until it's fixed (tracked in rhbz #1225156)