diff options
author | Bill Nottingham <notting@redhat.com> | 2010-06-23 13:49:30 -0400 |
---|---|---|
committer | Bill Nottingham <notting@redhat.com> | 2010-06-23 13:50:00 -0400 |
commit | f15d4585ba5fe2e56fa07e54752c6d91830377f2 (patch) | |
tree | fe8b81c19bfe2154f58754909e199de0e44dd482 | |
parent | 7b2d2b5db67765ff6ac0a1ce94f3ee06665fa2f7 (diff) | |
download | initscripts-f15d4585ba5fe2e56fa07e54752c6d91830377f2.tar initscripts-f15d4585ba5fe2e56fa07e54752c6d91830377f2.tar.gz initscripts-f15d4585ba5fe2e56fa07e54752c6d91830377f2.tar.bz2 initscripts-f15d4585ba5fe2e56fa07e54752c6d91830377f2.tar.xz initscripts-f15d4585ba5fe2e56fa07e54752c6d91830377f2.zip |
Also init_crypto for encrypyed network block devices. (#605600)
-rw-r--r-- | rc.d/init.d/functions | 160 | ||||
-rwxr-xr-x | rc.d/init.d/netfs | 5 | ||||
-rwxr-xr-x | rc.d/rc.sysinit | 160 |
3 files changed, 165 insertions, 160 deletions
diff --git a/rc.d/init.d/functions b/rc.d/init.d/functions index 6768c71d..15fc6415 100644 --- a/rc.d/init.d/functions +++ b/rc.d/init.d/functions @@ -604,5 +604,165 @@ is_false() { return 1 } +key_is_random() { + [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" \ + -o "$1" = "/dev/random" ] +} + +find_crypto_mount_point() { + local fs_spec fs_file fs_vfstype remaining_fields + local fs + while read fs_spec fs_file remaining_fields; do + if [ "$fs_spec" = "/dev/mapper/$1" ]; then + echo $fs_file + break; + fi + done < /etc/fstab +} + +# Because of a chicken/egg problem, init_crypto must be run twice. /var may be +# encrypted but /var/lib/random-seed is needed to initialize swap. +init_crypto() { + local have_random dst src key opt mode owner params makeswap skip arg opt + local param value rc ret mke2fs mdir prompt mount_point + + ret=0 + have_random=$1 + while read dst src key opt; do + [ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue + [ -b "/dev/mapper/$dst" ] && continue; + if [ "$have_random" = 0 ] && key_is_random "$key"; then + continue + fi + if [ -n "$key" -a "x$key" != "xnone" ]; then + if test -e "$key" ; then + owner=$(ls -l $key | (read a b owner rest; echo $owner)) + if ! key_is_random "$key"; then + mode=$(ls -l "$key" | cut -c 5-10) + if [ "$mode" != "------" ]; then + echo $"INSECURE MODE FOR $key" + fi + fi + if [ "$owner" != root ]; then + echo $"INSECURE OWNER FOR $key" + fi + else + echo $"Key file for $dst not found, skipping" + ret=1 + continue + fi + else + key="" + fi + params="" + makeswap="" + mke2fs="" + skip="" + # Parse the src field for UUID= and convert to real device names + if [ "${src%%=*}" == "UUID" ]; then + src=$(/sbin/blkid -t "$src" -l -o device) + elif [ "${src/^\/dev\/disk\/by-uuid\/}" != "$src" ]; then + src=$(__readlink $src) + fi + # Is it a block device? + [ -b "$src" ] || continue + # Is it already a device mapper slave? (this is gross) + devesc=${src##/dev/} + devesc=${devesc//\//!} + for d in /sys/block/dm-*/slaves ; do + [ -e $d/$devesc ] && continue 2 + done + # Parse the options field, convert to cryptsetup parameters and + # contruct the command line + while [ -n "$opt" ]; do + arg=${opt%%,*} + opt=${opt##$arg} + opt=${opt##,} + param=${arg%%=*} + value=${arg##$param=} + + case "$param" in + cipher) + params="$params -c $value" + if [ -z "$value" ]; then + echo $"$dst: no value for cipher option, skipping" + skip="yes" + fi + ;; + size) + params="$params -s $value" + if [ -z "$value" ]; then + echo $"$dst: no value for size option, skipping" + skip="yes" + fi + ;; + hash) + params="$params -h $value" + if [ -z "$value" ]; then + echo $"$dst: no value for hash option, skipping" + skip="yes" + fi + ;; + verify) + params="$params -y" + ;; + swap) + makeswap=yes + ;; + tmp) + mke2fs=yes + esac + done + if [ "$skip" = "yes" ]; then + ret=1 + continue + fi + if [ -z "$makeswap" ] && cryptsetup isLuks "$src" 2>/dev/null ; then + if key_is_random "$key"; then + echo $"$dst: LUKS requires non-random key, skipping" + ret=1 + continue + fi + if [ -n "$params" ]; then + echo "$dst: options are invalid for LUKS partitions," \ + "ignoring them" + fi + if [ -n "$key" ]; then + /sbin/cryptsetup -d $key luksOpen "$src" "$dst" <&1 2>/dev/null && success || failure + rc=$? + else + mount_point="$(find_crypto_mount_point $dst)" + [ -n "$mount_point" ] || mount_point=${src##*/} + prompt=$(printf $"%s is password protected" "$mount_point") + plymouth ask-for-password --prompt "$prompt" --command="/sbin/cryptsetup luksOpen -T1 $src $dst" <&1 + rc=$? + fi + else + [ -z "$key" ] && plymouth --hide-splash + /sbin/cryptsetup $params ${key:+-d $key} create "$dst" "$src" <&1 2>/dev/null && success || failure + rc=$? + [ -z "$key" ] && plymouth --show-splash + fi + if [ $rc -ne 0 ]; then + ret=1 + continue + fi + if [ -b "/dev/mapper/$dst" ]; then + if [ "$makeswap" = "yes" ]; then + mkswap "/dev/mapper/$dst" 2>/dev/null >/dev/null + fi + if [ "$mke2fs" = "yes" ]; then + if mke2fs "/dev/mapper/$dst" 2>/dev/null >/dev/null \ + && mdir=$(mktemp -d /tmp/mountXXXXXX); then + mount "/dev/mapper/$dst" "$mdir" && chmod 1777 "$mdir" + umount "$mdir" + rmdir "$mdir" + fi + fi + fi + done < /etc/crypttab + return $ret +} + # A sed expression to filter out the files that is_ignored_file recognizes __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d' diff --git a/rc.d/init.d/netfs b/rc.d/init.d/netfs index 96bc117a..501a8cb0 100755 --- a/rc.d/init.d/netfs +++ b/rc.d/init.d/netfs @@ -58,6 +58,11 @@ case "$1" in action $"Setting up Logical Volume Management:" /sbin/lvm vgchange -a y fi fi + + if [ -f /etc/crypttab ]; then + init_crypto 1 + fi + STRING=$"Checking network-attached filesystems" echo $STRING diff --git a/rc.d/rc.sysinit b/rc.d/rc.sysinit index 25c7503b..46c5ccdd 100755 --- a/rc.d/rc.sysinit +++ b/rc.d/rc.sysinit @@ -85,166 +85,6 @@ relabel_selinux() { reboot -f } -key_is_random() { - [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" \ - -o "$1" = "/dev/random" ] -} - -find_crypto_mount_point() { - local fs_spec fs_file fs_vfstype remaining_fields - local fs - while read fs_spec fs_file remaining_fields; do - if [ "$fs_spec" = "/dev/mapper/$1" ]; then - echo $fs_file - break; - fi - done < /etc/fstab -} - -# Because of a chicken/egg problem, init_crypto must be run twice. /var may be -# encrypted but /var/lib/random-seed is needed to initialize swap. -init_crypto() { - local have_random dst src key opt mode owner params makeswap skip arg opt - local param value rc ret mke2fs mdir prompt mount_point - - ret=0 - have_random=$1 - while read dst src key opt; do - [ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue - [ -b "/dev/mapper/$dst" ] && continue; - if [ "$have_random" = 0 ] && key_is_random "$key"; then - continue - fi - if [ -n "$key" -a "x$key" != "xnone" ]; then - if test -e "$key" ; then - owner=$(ls -l $key | (read a b owner rest; echo $owner)) - if ! key_is_random "$key"; then - mode=$(ls -l "$key" | cut -c 5-10) - if [ "$mode" != "------" ]; then - echo $"INSECURE MODE FOR $key" - fi - fi - if [ "$owner" != root ]; then - echo $"INSECURE OWNER FOR $key" - fi - else - echo $"Key file for $dst not found, skipping" - ret=1 - continue - fi - else - key="" - fi - params="" - makeswap="" - mke2fs="" - skip="" - # Parse the src field for UUID= and convert to real device names - if [ "${src%%=*}" == "UUID" ]; then - src=$(/sbin/blkid -t "$src" -l -o device) - elif [ "${src/^\/dev\/disk\/by-uuid\/}" != "$src" ]; then - src=$(__readlink $src) - fi - # Is it a block device? - [ -b "$src" ] || continue - # Is it already a device mapper slave? (this is gross) - devesc=${src##/dev/} - devesc=${devesc//\//!} - for d in /sys/block/dm-*/slaves ; do - [ -e $d/$devesc ] && continue 2 - done - # Parse the options field, convert to cryptsetup parameters and - # contruct the command line - while [ -n "$opt" ]; do - arg=${opt%%,*} - opt=${opt##$arg} - opt=${opt##,} - param=${arg%%=*} - value=${arg##$param=} - - case "$param" in - cipher) - params="$params -c $value" - if [ -z "$value" ]; then - echo $"$dst: no value for cipher option, skipping" - skip="yes" - fi - ;; - size) - params="$params -s $value" - if [ -z "$value" ]; then - echo $"$dst: no value for size option, skipping" - skip="yes" - fi - ;; - hash) - params="$params -h $value" - if [ -z "$value" ]; then - echo $"$dst: no value for hash option, skipping" - skip="yes" - fi - ;; - verify) - params="$params -y" - ;; - swap) - makeswap=yes - ;; - tmp) - mke2fs=yes - esac - done - if [ "$skip" = "yes" ]; then - ret=1 - continue - fi - if [ -z "$makeswap" ] && cryptsetup isLuks "$src" 2>/dev/null ; then - if key_is_random "$key"; then - echo $"$dst: LUKS requires non-random key, skipping" - ret=1 - continue - fi - if [ -n "$params" ]; then - echo "$dst: options are invalid for LUKS partitions," \ - "ignoring them" - fi - if [ -n "$key" ]; then - /sbin/cryptsetup -d $key luksOpen "$src" "$dst" <&1 2>/dev/null && success || failure - rc=$? - else - mount_point="$(find_crypto_mount_point $dst)" - [ -n "$mount_point" ] || mount_point=${src##*/} - prompt=$(printf $"%s is password protected" "$mount_point") - plymouth ask-for-password --prompt "$prompt" --command="/sbin/cryptsetup luksOpen -T1 $src $dst" <&1 - rc=$? - fi - else - [ -z "$key" ] && plymouth --hide-splash - /sbin/cryptsetup $params ${key:+-d $key} create "$dst" "$src" <&1 2>/dev/null && success || failure - rc=$? - [ -z "$key" ] && plymouth --show-splash - fi - if [ $rc -ne 0 ]; then - ret=1 - continue - fi - if [ -b "/dev/mapper/$dst" ]; then - if [ "$makeswap" = "yes" ]; then - mkswap "/dev/mapper/$dst" 2>/dev/null >/dev/null - fi - if [ "$mke2fs" = "yes" ]; then - if mke2fs "/dev/mapper/$dst" 2>/dev/null >/dev/null \ - && mdir=$(mktemp -d /tmp/mountXXXXXX); then - mount "/dev/mapper/$dst" "$mdir" && chmod 1777 "$mdir" - umount "$mdir" - rmdir "$mdir" - fi - fi - fi - done < /etc/crypttab - return $ret -} - # Print a text banner. echo -en $"\t\tWelcome to " read -r system_release < /etc/system-release |