]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
e23a0ce8 | 2 | |
e23a0ce8 | 3 | #include <errno.h> |
0d536673 | 4 | #include <stdio_ext.h> |
e23a0ce8 | 5 | |
b5efdb8a | 6 | #include "alloc-util.h" |
0fa9e53d | 7 | #include "dropin.h" |
3ffd4af2 | 8 | #include "fd-util.h" |
0d39fa9c | 9 | #include "fileio.h" |
07630cea | 10 | #include "fstab-util.h" |
0fa9e53d JJ |
11 | #include "generator.h" |
12 | #include "hashmap.h" | |
e23a0ce8 | 13 | #include "log.h" |
49e942b2 | 14 | #include "mkdir.h" |
6bedfcbb | 15 | #include "parse-util.h" |
bde29068 | 16 | #include "path-util.h" |
4e731273 | 17 | #include "proc-cmdline.h" |
98bad05e | 18 | #include "specifier.h" |
07630cea | 19 | #include "string-util.h" |
0fa9e53d JJ |
20 | #include "strv.h" |
21 | #include "unit-name.h" | |
22 | #include "util.h" | |
23 | ||
24 | typedef struct crypto_device { | |
25 | char *uuid; | |
6cd5b12a | 26 | char *keyfile; |
baade8cc | 27 | char *name; |
0fa9e53d JJ |
28 | char *options; |
29 | bool create; | |
30 | } crypto_device; | |
e23a0ce8 | 31 | |
66a78c2b LP |
32 | static const char *arg_dest = "/tmp"; |
33 | static bool arg_enabled = true; | |
34 | static bool arg_read_crypttab = true; | |
0fa9e53d JJ |
35 | static bool arg_whitelist = false; |
36 | static Hashmap *arg_disks = NULL; | |
37 | static char *arg_default_options = NULL; | |
38 | static char *arg_default_keyfile = NULL; | |
141a79f4 | 39 | |
e23a0ce8 LP |
40 | static int create_disk( |
41 | const char *name, | |
42 | const char *device, | |
43 | const char *password, | |
44 | const char *options) { | |
45 | ||
fb883e75 | 46 | _cleanup_free_ char *n = NULL, *d = NULL, *u = NULL, *e = NULL, |
98bad05e | 47 | *filtered = NULL, *u_escaped = NULL, *password_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL; |
7fd1b19b | 48 | _cleanup_fclose_ FILE *f = NULL; |
b559616f | 49 | const char *dmname; |
b001ad61 | 50 | bool noauto, nofail, tmp, swap, netdev; |
744198e9 | 51 | int r; |
e23a0ce8 LP |
52 | |
53 | assert(name); | |
54 | assert(device); | |
55 | ||
b9f111b9 ZJS |
56 | noauto = fstab_test_yes_no_option(options, "noauto\0" "auto\0"); |
57 | nofail = fstab_test_yes_no_option(options, "nofail\0" "fail\0"); | |
a6dba978 ZJS |
58 | tmp = fstab_test_option(options, "tmp\0"); |
59 | swap = fstab_test_option(options, "swap\0"); | |
b001ad61 | 60 | netdev = fstab_test_option(options, "_netdev\0"); |
8c11d3c1 TG |
61 | |
62 | if (tmp && swap) { | |
63 | log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name); | |
64 | return -EINVAL; | |
65 | } | |
155da457 | 66 | |
98bad05e LP |
67 | name_escaped = specifier_escape(name); |
68 | if (!name_escaped) | |
69 | return log_oom(); | |
70 | ||
744198e9 LP |
71 | e = unit_name_escape(name); |
72 | if (!e) | |
73 | return log_oom(); | |
74 | ||
f7f21d33 | 75 | u = fstab_node_to_udev_node(device); |
24a988e9 HH |
76 | if (!u) |
77 | return log_oom(); | |
e23a0ce8 | 78 | |
fb883e75 ZJS |
79 | r = unit_name_build("systemd-cryptsetup", e, ".service", &n); |
80 | if (r < 0) | |
81 | return log_error_errno(r, "Failed to generate unit name: %m"); | |
82 | ||
98bad05e LP |
83 | u_escaped = specifier_escape(u); |
84 | if (!u_escaped) | |
85 | return log_oom(); | |
86 | ||
7410616c LP |
87 | r = unit_name_from_path(u, ".device", &d); |
88 | if (r < 0) | |
89 | return log_error_errno(r, "Failed to generate unit name: %m"); | |
e23a0ce8 | 90 | |
d31eb24f LP |
91 | if (password) { |
92 | password_escaped = specifier_escape(password); | |
93 | if (!password_escaped) | |
94 | return log_oom(); | |
95 | } | |
98bad05e | 96 | |
fb883e75 ZJS |
97 | r = generator_open_unit_file(arg_dest, NULL, n, &f); |
98 | if (r < 0) | |
99 | return r; | |
0d536673 | 100 | |
b001ad61 | 101 | fprintf(f, |
b001ad61 ZJS |
102 | "[Unit]\n" |
103 | "Description=Cryptography Setup for %%I\n" | |
104 | "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n" | |
105 | "SourcePath=/etc/crypttab\n" | |
106 | "DefaultDependencies=no\n" | |
107 | "Conflicts=umount.target\n" | |
108 | "IgnoreOnIsolate=true\n" | |
109 | "After=%s\n", | |
a0dd2097 | 110 | netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target"); |
e23a0ce8 | 111 | |
155da457 LP |
112 | if (!nofail) |
113 | fprintf(f, | |
b001ad61 ZJS |
114 | "Before=%s\n", |
115 | netdev ? "remote-cryptsetup.target" : "cryptsetup.target"); | |
155da457 | 116 | |
ceca9501 | 117 | if (password) { |
744198e9 | 118 | if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random")) |
0d536673 | 119 | fputs("After=systemd-random-seed.service\n", f); |
b559616f | 120 | else if (!STR_IN_SET(password, "-", "none")) { |
744198e9 LP |
121 | _cleanup_free_ char *uu; |
122 | ||
123 | uu = fstab_node_to_udev_node(password); | |
124 | if (!uu) | |
66a5dbdf DR |
125 | return log_oom(); |
126 | ||
bde29068 | 127 | if (!path_equal(uu, "/dev/null")) { |
744198e9 | 128 | |
048dd629 | 129 | if (path_startswith(uu, "/dev/")) { |
7410616c | 130 | _cleanup_free_ char *dd = NULL; |
66a5dbdf | 131 | |
7410616c LP |
132 | r = unit_name_from_path(uu, ".device", &dd); |
133 | if (r < 0) | |
134 | return log_error_errno(r, "Failed to generate unit name: %m"); | |
bde29068 LP |
135 | |
136 | fprintf(f, "After=%1$s\nRequires=%1$s\n", dd); | |
137 | } else | |
98bad05e | 138 | fprintf(f, "RequiresMountsFor=%s\n", password_escaped); |
bde29068 | 139 | } |
66a5dbdf | 140 | } |
ceca9501 | 141 | } |
e23a0ce8 | 142 | |
048dd629 | 143 | if (path_startswith(u, "/dev/")) { |
9ece938a TW |
144 | fprintf(f, |
145 | "BindsTo=%s\n" | |
146 | "After=%s\n" | |
147 | "Before=umount.target\n", | |
148 | d, d); | |
a6f8786a MFO |
149 | |
150 | if (swap) | |
0d536673 LP |
151 | fputs("Before=dev-mapper-%i.swap\n", |
152 | f); | |
a6f8786a | 153 | } else |
9ece938a TW |
154 | fprintf(f, |
155 | "RequiresMountsFor=%s\n", | |
98bad05e LP |
156 | u_escaped); |
157 | ||
8eea8687 ZJS |
158 | r = generator_write_timeouts(arg_dest, device, name, options, &filtered); |
159 | if (r < 0) | |
160 | return r; | |
161 | ||
d31eb24f LP |
162 | if (filtered) { |
163 | filtered_escaped = specifier_escape(filtered); | |
164 | if (!filtered_escaped) | |
165 | return log_oom(); | |
166 | } | |
98bad05e | 167 | |
e23a0ce8 LP |
168 | fprintf(f, |
169 | "\n[Service]\n" | |
170 | "Type=oneshot\n" | |
171 | "RemainAfterExit=yes\n" | |
90724929 | 172 | "TimeoutSec=0\n" /* the binary handles timeouts anyway */ |
0b1f68ac | 173 | "KeyringMode=shared\n" /* make sure we can share cached keys among instances */ |
260ab287 | 174 | "ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n" |
7f4e0805 | 175 | "ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n", |
98bad05e LP |
176 | name_escaped, u_escaped, strempty(password_escaped), strempty(filtered_escaped), |
177 | name_escaped); | |
e23a0ce8 | 178 | |
8c11d3c1 | 179 | if (tmp) |
e23a0ce8 | 180 | fprintf(f, |
50109038 | 181 | "ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n", |
98bad05e | 182 | name_escaped); |
e23a0ce8 | 183 | |
8c11d3c1 | 184 | if (swap) |
e23a0ce8 | 185 | fprintf(f, |
50109038 | 186 | "ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n", |
98bad05e | 187 | name_escaped); |
e23a0ce8 | 188 | |
4652c56c ZJS |
189 | r = fflush_and_check(f); |
190 | if (r < 0) | |
fb883e75 | 191 | return log_error_errno(r, "Failed to write unit file %s: %m", n); |
e23a0ce8 | 192 | |
155da457 | 193 | if (!noauto) { |
b559616f ZJS |
194 | r = generator_add_symlink(arg_dest, d, "wants", n); |
195 | if (r < 0) | |
196 | return r; | |
e23a0ce8 | 197 | |
b001ad61 ZJS |
198 | r = generator_add_symlink(arg_dest, |
199 | netdev ? "remote-cryptsetup.target" : "cryptsetup.target", | |
b559616f ZJS |
200 | nofail ? "wants" : "requires", n); |
201 | if (r < 0) | |
202 | return r; | |
f7f21d33 | 203 | } |
74715b82 | 204 | |
b559616f ZJS |
205 | dmname = strjoina("dev-mapper-", e, ".device"); |
206 | r = generator_add_symlink(arg_dest, dmname, "requires", n); | |
207 | if (r < 0) | |
208 | return r; | |
74715b82 | 209 | |
68395007 | 210 | if (!noauto && !nofail) { |
a6fb0dc1 | 211 | r = write_drop_in(arg_dest, dmname, 90, "device-timeout", |
8eea8687 ZJS |
212 | "# Automatically generated by systemd-cryptsetup-generator \n\n" |
213 | "[Unit]\nJobTimeoutSec=0"); | |
23bbb0de MS |
214 | if (r < 0) |
215 | return log_error_errno(r, "Failed to write device drop-in: %m"); | |
68395007 HH |
216 | } |
217 | ||
24a988e9 | 218 | return 0; |
e23a0ce8 LP |
219 | } |
220 | ||
6dd1c368 ZJS |
221 | static void crypt_device_free(crypto_device *d) { |
222 | free(d->uuid); | |
223 | free(d->keyfile); | |
224 | free(d->name); | |
225 | free(d->options); | |
226 | free(d); | |
0fa9e53d JJ |
227 | } |
228 | ||
229 | static crypto_device *get_crypto_device(const char *uuid) { | |
230 | int r; | |
231 | crypto_device *d; | |
232 | ||
233 | assert(uuid); | |
234 | ||
235 | d = hashmap_get(arg_disks, uuid); | |
236 | if (!d) { | |
237 | d = new0(struct crypto_device, 1); | |
238 | if (!d) | |
239 | return NULL; | |
240 | ||
241 | d->create = false; | |
baade8cc | 242 | d->keyfile = d->options = d->name = NULL; |
0fa9e53d JJ |
243 | |
244 | d->uuid = strdup(uuid); | |
6b430fdb ZJS |
245 | if (!d->uuid) |
246 | return mfree(d); | |
0fa9e53d JJ |
247 | |
248 | r = hashmap_put(arg_disks, d->uuid, d); | |
249 | if (r < 0) { | |
250 | free(d->uuid); | |
6b430fdb | 251 | return mfree(d); |
0fa9e53d JJ |
252 | } |
253 | } | |
254 | ||
255 | return d; | |
256 | } | |
257 | ||
96287a49 | 258 | static int parse_proc_cmdline_item(const char *key, const char *value, void *data) { |
0fa9e53d | 259 | _cleanup_free_ char *uuid = NULL, *uuid_value = NULL; |
1d84ad94 LP |
260 | crypto_device *d; |
261 | int r; | |
66a78c2b | 262 | |
1d84ad94 | 263 | if (streq(key, "luks")) { |
059cb385 | 264 | |
1d84ad94 | 265 | r = value ? parse_boolean(value) : 1; |
141a79f4 | 266 | if (r < 0) |
1d84ad94 | 267 | log_warning("Failed to parse luks= kernel command line switch %s. Ignoring.", value); |
141a79f4 ZJS |
268 | else |
269 | arg_enabled = r; | |
66a78c2b | 270 | |
1d84ad94 | 271 | } else if (streq(key, "luks.crypttab")) { |
66a78c2b | 272 | |
1d84ad94 | 273 | r = value ? parse_boolean(value) : 1; |
141a79f4 | 274 | if (r < 0) |
1d84ad94 | 275 | log_warning("Failed to parse luks.crypttab= kernel command line switch %s. Ignoring.", value); |
141a79f4 ZJS |
276 | else |
277 | arg_read_crypttab = r; | |
66a78c2b | 278 | |
1d84ad94 LP |
279 | } else if (streq(key, "luks.uuid")) { |
280 | ||
281 | if (proc_cmdline_value_missing(key, value)) | |
282 | return 0; | |
66a78c2b | 283 | |
0fa9e53d JJ |
284 | d = get_crypto_device(startswith(value, "luks-") ? value+5 : value); |
285 | if (!d) | |
141a79f4 | 286 | return log_oom(); |
66a78c2b | 287 | |
0fa9e53d JJ |
288 | d->create = arg_whitelist = true; |
289 | ||
1d84ad94 LP |
290 | } else if (streq(key, "luks.options")) { |
291 | ||
292 | if (proc_cmdline_value_missing(key, value)) | |
293 | return 0; | |
66a78c2b | 294 | |
0fa9e53d JJ |
295 | r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value); |
296 | if (r == 2) { | |
297 | d = get_crypto_device(uuid); | |
298 | if (!d) | |
299 | return log_oom(); | |
300 | ||
1d84ad94 | 301 | free_and_replace(d->options, uuid_value); |
0fa9e53d | 302 | } else if (free_and_strdup(&arg_default_options, value) < 0) |
141a79f4 | 303 | return log_oom(); |
66a78c2b | 304 | |
1d84ad94 LP |
305 | } else if (streq(key, "luks.key")) { |
306 | ||
307 | if (proc_cmdline_value_missing(key, value)) | |
308 | return 0; | |
66a78c2b | 309 | |
6cd5b12a JJ |
310 | r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value); |
311 | if (r == 2) { | |
312 | d = get_crypto_device(uuid); | |
313 | if (!d) | |
314 | return log_oom(); | |
315 | ||
1d84ad94 | 316 | free_and_replace(d->keyfile, uuid_value); |
c802a730 | 317 | } else if (free_and_strdup(&arg_default_keyfile, value) < 0) |
141a79f4 | 318 | return log_oom(); |
7ab064a6 | 319 | |
1d84ad94 LP |
320 | } else if (streq(key, "luks.name")) { |
321 | ||
322 | if (proc_cmdline_value_missing(key, value)) | |
323 | return 0; | |
baade8cc JJ |
324 | |
325 | r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value); | |
326 | if (r == 2) { | |
327 | d = get_crypto_device(uuid); | |
328 | if (!d) | |
329 | return log_oom(); | |
330 | ||
331 | d->create = arg_whitelist = true; | |
332 | ||
f9ecfd3b | 333 | free_and_replace(d->name, uuid_value); |
baade8cc JJ |
334 | } else |
335 | log_warning("Failed to parse luks name switch %s. Ignoring.", value); | |
85013844 | 336 | } |
66a78c2b | 337 | |
24a988e9 | 338 | return 0; |
66a78c2b LP |
339 | } |
340 | ||
0fa9e53d JJ |
341 | static int add_crypttab_devices(void) { |
342 | struct stat st; | |
343 | unsigned crypttab_line = 0; | |
7fd1b19b | 344 | _cleanup_fclose_ FILE *f = NULL; |
e23a0ce8 | 345 | |
0fa9e53d JJ |
346 | if (!arg_read_crypttab) |
347 | return 0; | |
348 | ||
349 | f = fopen("/etc/crypttab", "re"); | |
350 | if (!f) { | |
351 | if (errno != ENOENT) | |
352 | log_error_errno(errno, "Failed to open /etc/crypttab: %m"); | |
353 | return 0; | |
e23a0ce8 LP |
354 | } |
355 | ||
0d536673 LP |
356 | (void) __fsetlocking(f, FSETLOCKING_BYCALLER); |
357 | ||
0fa9e53d JJ |
358 | if (fstat(fileno(f), &st) < 0) { |
359 | log_error_errno(errno, "Failed to stat /etc/crypttab: %m"); | |
360 | return 0; | |
361 | } | |
e23a0ce8 | 362 | |
0fa9e53d JJ |
363 | for (;;) { |
364 | int r, k; | |
365 | char line[LINE_MAX], *l, *uuid; | |
366 | crypto_device *d = NULL; | |
367 | _cleanup_free_ char *name = NULL, *device = NULL, *keyfile = NULL, *options = NULL; | |
4c12626c | 368 | |
0fa9e53d JJ |
369 | if (!fgets(line, sizeof(line), f)) |
370 | break; | |
66a78c2b | 371 | |
0fa9e53d | 372 | crypttab_line++; |
141a79f4 | 373 | |
0fa9e53d | 374 | l = strstrip(line); |
4c701096 | 375 | if (IN_SET(*l, 0, '#')) |
0fa9e53d | 376 | continue; |
66a78c2b | 377 | |
0fa9e53d JJ |
378 | k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &keyfile, &options); |
379 | if (k < 2 || k > 4) { | |
380 | log_error("Failed to parse /etc/crypttab:%u, ignoring.", crypttab_line); | |
381 | continue; | |
382 | } | |
66a78c2b | 383 | |
0fa9e53d JJ |
384 | uuid = startswith(device, "UUID="); |
385 | if (!uuid) | |
386 | uuid = path_startswith(device, "/dev/disk/by-uuid/"); | |
387 | if (!uuid) | |
388 | uuid = startswith(name, "luks-"); | |
389 | if (uuid) | |
390 | d = hashmap_get(arg_disks, uuid); | |
8973790e | 391 | |
0fa9e53d JJ |
392 | if (arg_whitelist && !d) { |
393 | log_info("Not creating device '%s' because it was not specified on the kernel command line.", name); | |
394 | continue; | |
8973790e LP |
395 | } |
396 | ||
0fa9e53d JJ |
397 | r = create_disk(name, device, keyfile, (d && d->options) ? d->options : options); |
398 | if (r < 0) | |
399 | return r; | |
8973790e | 400 | |
0fa9e53d JJ |
401 | if (d) |
402 | d->create = false; | |
403 | } | |
8973790e | 404 | |
0fa9e53d JJ |
405 | return 0; |
406 | } | |
66a78c2b | 407 | |
0fa9e53d JJ |
408 | static int add_proc_cmdline_devices(void) { |
409 | int r; | |
410 | Iterator i; | |
411 | crypto_device *d; | |
66a78c2b | 412 | |
0fa9e53d JJ |
413 | HASHMAP_FOREACH(d, arg_disks, i) { |
414 | const char *options; | |
baade8cc | 415 | _cleanup_free_ char *device = NULL; |
66a78c2b | 416 | |
0fa9e53d JJ |
417 | if (!d->create) |
418 | continue; | |
e23a0ce8 | 419 | |
baade8cc JJ |
420 | if (!d->name) { |
421 | d->name = strappend("luks-", d->uuid); | |
422 | if (!d->name) | |
423 | return log_oom(); | |
424 | } | |
e23a0ce8 | 425 | |
0fa9e53d JJ |
426 | device = strappend("UUID=", d->uuid); |
427 | if (!device) | |
428 | return log_oom(); | |
7ab064a6 | 429 | |
0fa9e53d JJ |
430 | if (d->options) |
431 | options = d->options; | |
432 | else if (arg_default_options) | |
433 | options = arg_default_options; | |
434 | else | |
435 | options = "timeout=0"; | |
141a79f4 | 436 | |
baade8cc | 437 | r = create_disk(d->name, device, d->keyfile ?: arg_default_keyfile, options); |
0fa9e53d JJ |
438 | if (r < 0) |
439 | return r; | |
e23a0ce8 LP |
440 | } |
441 | ||
0fa9e53d JJ |
442 | return 0; |
443 | } | |
e23a0ce8 | 444 | |
0fa9e53d | 445 | int main(int argc, char *argv[]) { |
5f4bfe56 | 446 | int r; |
e23a0ce8 | 447 | |
0fa9e53d JJ |
448 | if (argc > 1 && argc != 4) { |
449 | log_error("This program takes three or no arguments."); | |
450 | return EXIT_FAILURE; | |
451 | } | |
e23a0ce8 | 452 | |
0fa9e53d JJ |
453 | if (argc > 1) |
454 | arg_dest = argv[1]; | |
e23a0ce8 | 455 | |
6c347d50 LP |
456 | log_set_prohibit_ipc(true); |
457 | log_set_target(LOG_TARGET_AUTO); | |
0fa9e53d JJ |
458 | log_parse_environment(); |
459 | log_open(); | |
e2cb60fa | 460 | |
0fa9e53d | 461 | umask(0022); |
e23a0ce8 | 462 | |
0fa9e53d | 463 | arg_disks = hashmap_new(&string_hash_ops); |
5f4bfe56 LP |
464 | if (!arg_disks) { |
465 | r = log_oom(); | |
466 | goto finish; | |
467 | } | |
7ab064a6 | 468 | |
1d84ad94 | 469 | r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX); |
0fa9e53d | 470 | if (r < 0) { |
5f4bfe56 LP |
471 | log_warning_errno(r, "Failed to parse kernel command line: %m"); |
472 | goto finish; | |
0fa9e53d | 473 | } |
7ab064a6 | 474 | |
0fa9e53d | 475 | if (!arg_enabled) { |
5f4bfe56 LP |
476 | r = 0; |
477 | goto finish; | |
e23a0ce8 LP |
478 | } |
479 | ||
5f4bfe56 LP |
480 | r = add_crypttab_devices(); |
481 | if (r < 0) | |
482 | goto finish; | |
0fa9e53d | 483 | |
5f4bfe56 LP |
484 | r = add_proc_cmdline_devices(); |
485 | if (r < 0) | |
486 | goto finish; | |
0fa9e53d | 487 | |
5f4bfe56 | 488 | r = 0; |
141a79f4 | 489 | |
5f4bfe56 | 490 | finish: |
6dd1c368 | 491 | hashmap_free_with_destructor(arg_disks, crypt_device_free); |
0fa9e53d JJ |
492 | free(arg_default_options); |
493 | free(arg_default_keyfile); | |
141a79f4 | 494 | |
5f4bfe56 | 495 | return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS; |
e23a0ce8 | 496 | } |