authorBill Nottingham <notting@redhat.com>2010-06-23 13:49:30 -0400
committerBill Nottingham <notting@redhat.com>2010-06-23 13:50:00 -0400
commitf15d4585ba5fe2e56fa07e54752c6d91830377f2 (patch)
treefe8b81c19bfe2154f58754909e199de0e44dd482 /rc.d/init.d/functions
parent7b2d2b5db67765ff6ac0a1ce94f3ee06665fa2f7 (diff)
downloadinitscripts-f15d4585ba5fe2e56fa07e54752c6d91830377f2.tar
initscripts-f15d4585ba5fe2e56fa07e54752c6d91830377f2.tar.gz
initscripts-f15d4585ba5fe2e56fa07e54752c6d91830377f2.tar.bz2
initscripts-f15d4585ba5fe2e56fa07e54752c6d91830377f2.tar.xz
initscripts-f15d4585ba5fe2e56fa07e54752c6d91830377f2.zip
Also init_crypto for encrypted network block devices. (#605600)
Diffstat (limited to 'rc.d/init.d/functions')
-rw-r--r--rc.d/init.d/functions160
1 files changed, 160 insertions, 0 deletions
diff --git a/rc.d/init.d/functions b/rc.d/init.d/functions
index 6768c71d..15fc6415 100644
--- a/rc.d/init.d/functions
+++ b/rc.d/init.d/functions
@@ -604,5 +604,165 @@ is_false() {
return 1
}
+key_is_random() {
+ [ "$1" = "/dev/urandom" -o "$1" = "/dev/hw_random" \
+ -o "$1" = "/dev/random" ]
+}
+
+find_crypto_mount_point() {
+ local fs_spec fs_file fs_vfstype remaining_fields
+ local fs
+ while read fs_spec fs_file remaining_fields; do
+ if [ "$fs_spec" = "/dev/mapper/$1" ]; then
+ echo $fs_file
+ break;
+ fi
+ done < /etc/fstab
+}
+
+# Because of a chicken/egg problem, init_crypto must be run twice. /var may be
+# encrypted but /var/lib/random-seed is needed to initialize swap.
+init_crypto() {
+ local have_random dst src key opt mode owner params makeswap skip arg opt
+ local param value rc ret mke2fs mdir prompt mount_point
+
+ ret=0
+ have_random=$1
+ while read dst src key opt; do
+ [ -z "$dst" -o "${dst#\#}" != "$dst" ] && continue
+ [ -b "/dev/mapper/$dst" ] && continue;
+ if [ "$have_random" = 0 ] && key_is_random "$key"; then
+ continue
+ fi
+ if [ -n "$key" -a "x$key" != "xnone" ]; then
+ if test -e "$key" ; then
+ owner=$(ls -l $key | (read a b owner rest; echo $owner))
+ if ! key_is_random "$key"; then
+ mode=$(ls -l "$key" | cut -c 5-10)
+ if [ "$mode" != "------" ]; then
+ echo $"INSECURE MODE FOR $key"
+ fi
+ fi
+ if [ "$owner" != root ]; then
+ echo $"INSECURE OWNER FOR $key"
+ fi
+ else
+ echo $"Key file for $dst not found, skipping"
+ ret=1
+ continue
+ fi
+ else
+ key=""
+ fi
+ params=""
+ makeswap=""
+ mke2fs=""
+ skip=""
+ # Parse the src field for UUID= and convert to real device names
+ if [ "${src%%=*}" == "UUID" ]; then
+ src=$(/sbin/blkid -t "$src" -l -o device)
+ elif [ "${src/^\/dev\/disk\/by-uuid\/}" != "$src" ]; then
+ src=$(__readlink $src)
+ fi
+ # Is it a block device?
+ [ -b "$src" ] || continue
+ # Is it already a device mapper slave? (this is gross)
+ devesc=${src##/dev/}
+ devesc=${devesc//\//!}
+ for d in /sys/block/dm-*/slaves ; do
+ [ -e $d/$devesc ] && continue 2
+ done
+ # Parse the options field, convert to cryptsetup parameters and
+ # contruct the command line
+ while [ -n "$opt" ]; do
+ arg=${opt%%,*}
+ opt=${opt##$arg}
+ opt=${opt##,}
+ param=${arg%%=*}
+ value=${arg##$param=}
+
+ case "$param" in
+ cipher)
+ params="$params -c $value"
+ if [ -z "$value" ]; then
+ echo $"$dst: no value for cipher option, skipping"
+ skip="yes"
+ fi
+ ;;
+ size)
+ params="$params -s $value"
+ if [ -z "$value" ]; then
+ echo $"$dst: no value for size option, skipping"
+ skip="yes"
+ fi
+ ;;
+ hash)
+ params="$params -h $value"
+ if [ -z "$value" ]; then
+ echo $"$dst: no value for hash option, skipping"
+ skip="yes"
+ fi
+ ;;
+ verify)
+ params="$params -y"
+ ;;
+ swap)
+ makeswap=yes
+ ;;
+ tmp)
+ mke2fs=yes
+ esac
+ done
+ if [ "$skip" = "yes" ]; then
+ ret=1
+ continue
+ fi
+ if [ -z "$makeswap" ] && cryptsetup isLuks "$src" 2>/dev/null ; then
+ if key_is_random "$key"; then
+ echo $"$dst: LUKS requires non-random key, skipping"
+ ret=1
+ continue
+ fi
+ if [ -n "$params" ]; then
+ echo "$dst: options are invalid for LUKS partitions," \
+ "ignoring them"
+ fi
+ if [ -n "$key" ]; then
+ /sbin/cryptsetup -d $key luksOpen "$src" "$dst" <&1 2>/dev/null && success || failure
+ rc=$?
+ else
+ mount_point="$(find_crypto_mount_point $dst)"
+ [ -n "$mount_point" ] || mount_point=${src##*/}
+ prompt=$(printf $"%s is password protected" "$mount_point")
+ plymouth ask-for-password --prompt "$prompt" --command="/sbin/cryptsetup luksOpen -T1 $src $dst" <&1
+ rc=$?
+ fi
+ else
+ [ -z "$key" ] && plymouth --hide-splash
+ /sbin/cryptsetup $params ${key:+-d $key} create "$dst" "$src" <&1 2>/dev/null && success || failure
+ rc=$?
+ [ -z "$key" ] && plymouth --show-splash
+ fi
+ if [ $rc -ne 0 ]; then
+ ret=1
+ continue
+ fi
+ if [ -b "/dev/mapper/$dst" ]; then
+ if [ "$makeswap" = "yes" ]; then
+ mkswap "/dev/mapper/$dst" 2>/dev/null >/dev/null
+ fi
+ if [ "$mke2fs" = "yes" ]; then
+ if mke2fs "/dev/mapper/$dst" 2>/dev/null >/dev/null \
+ && mdir=$(mktemp -d /tmp/mountXXXXXX); then
+ mount "/dev/mapper/$dst" "$mdir" && chmod 1777 "$mdir"
+ umount "$mdir"
+ rmdir "$mdir"
+ fi
+ fi
+ fi
+ done < /etc/crypttab
+ return $ret
+}
+
# A sed expression to filter out the files that is_ignored_file recognizes
__sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
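Review bot: The by-uuid branch in init_crypto is dead code: `${src/^\/dev\/disk\/by-uuid\/}` uses `^` as if it were a regex anchor, but in a bash pattern substitution `^` is an ordinary character, so the substitution never matches, `__readlink` is never called for `/dev/disk/by-uuid/` entries, and although `[ -b "$src" ]` still follows the symlink, `devesc` is then built from the symlink name and the `/sys/block/dm-*/slaves` check a few lines later silently misses devices that are already mapped. Use the prefix-anchored form instead: `elif [ "${src#/dev/disk/by-uuid/}" != "$src" ]; then`. Separately, `$key` is expanded unquoted in `ls -l $key` and in both cryptsetup calls (`-d $key` and `${key:+-d $key}`) while `"$key"` is quoted everywhere else; the path comes from /etc/crypttab so this is a consistency point rather than an injection, but quoting it keeps a key path containing whitespace from being split into separate arguments. The `INSECURE MODE`/`INSECURE OWNER` messages only warn and the key file is still used; if that is the intended policy, a short comment such as `# permission problems are reported but do not block unlocking` above the check would save the next reader from assuming it is an oversight.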