/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <string.h>
#include <errno.h>
#include <unistd.h>

#include "log.h"
#include "util.h"
#include "unit-name.h"
#include "mkdir.h"
#include "strv.h"
#include "fileio.h"
#include "path-util.h"
#include "dropin.h"
#include "generator.h"

/* Directory the generated unit files and symlinks are written to; main()
 * replaces this default with argv[1] when arguments are passed. */
static const char *arg_dest = "/tmp";
/* Set from luks= / rd.luks= on the kernel command line; when false, main()
 * exits successfully without generating anything. */
static bool arg_enabled = true;
/* Set from luks.crypttab= / rd.luks.crypttab=; when false, /etc/crypttab is
 * not read at all. */
static bool arg_read_crypttab = true;
/* One entry per luks.uuid= / rd.luks.uuid= kernel command line switch. */
static char **arg_disks = NULL;
/* One entry per luks.options= / rd.luks.options= switch, stored unparsed. */
static char **arg_options = NULL;
/* Copy of the most recent luks.key= / rd.luks.key= value; freed in main(). */
static char *arg_keyfile = NULL;

/* Reports whether the comma-separated option list `haystack` contains
 * `needle` as a complete field. A match only counts when it starts at the
 * beginning of the list or right after a ',' and ends at the end of the list
 * or right before a ',', so "noauto" is not found inside "xnoauto" or
 * "noauto=1". A NULL list contains nothing; `needle` must not be NULL. */
static bool has_option(const char *haystack, const char *needle) {
        const char *hit;
        size_t needle_len;

        assert(needle);

        if (!haystack)
                return false;

        needle_len = strlen(needle);

        /* Visit every substring match, resuming one character after a rejected one */
        for (hit = strstr(haystack, needle); hit; hit = strstr(hit + 1, needle)) {
                bool starts_field = hit == haystack || hit[-1] == ',';
                bool ends_field = hit[needle_len] == 0 || hit[needle_len] == ',';

                if (starts_field && ends_field)
                        return true;
        }

        return false;
}

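/* Writes the systemd-cryptsetup@<escaped name>.service unit for one encrypted
 * volume into arg_dest and hooks it up with symlinks.
 *
 *   name      mapping name (the unit instance, used as /dev/mapper/<name>)
 *   device    backing device specification, resolved with
 *             fstab_node_to_udev_node()
 *   password  key file field, may be NULL; "-" and "none" add no dependency
 *   options   comma-separated option list, may be NULL
 *
 * Returns 0 on success and a negative errno-style value on failure. */
static int create_disk(
                const char *name,
                const char *device,
                const char *password,
                const char *options) {

        _cleanup_free_ char *p = NULL, *n = NULL, *d = NULL, *u = NULL, *to = NULL, *e = NULL,
                *filtered = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        bool noauto, nofail, tmp, swap;
        char *from;
        int r;

        assert(name);
        assert(device);

        noauto = has_option(options, "noauto");
        nofail = has_option(options, "nofail");
        tmp = has_option(options, "tmp");
        swap = has_option(options, "swap");

        /* Both options add a formatting ExecStartPost= below; they exclude each other */
        if (tmp && swap) {
                log_error("Device '%s' cannot be both 'tmp' and 'swap'. Ignoring.", name);
                return -EINVAL;
        }

        e = unit_name_escape(name);
        if (!e)
                return log_oom();

        n = unit_name_build("systemd-cryptsetup", e, ".service");
        if (!n)
                return log_oom();

        p = strjoin(arg_dest, "/", n, NULL);
        if (!p)
                return log_oom();

        u = fstab_node_to_udev_node(device);
        if (!u)
                return log_oom();

        d = unit_name_from_path(u, ".device");
        if (!d)
                return log_oom();

        /* "x" makes this an exclusive create: an already existing path (including
         * a symlink placed there beforehand) makes fopen() fail instead of being
         * written through. That matters because arg_dest defaults to /tmp.
         * "e" sets close-on-exec on the descriptor. */
        f = fopen(p, "wxe");
        if (!f) {
                log_error("Failed to create unit file %s: %m", p);
                return -errno;
        }

        /* Written with fputs(), so %I and %i reach the unit file verbatim as
         * unit specifiers rather than being treated as printf conversions */
        fputs(
                "# Automatically generated by systemd-cryptsetup-generator\n\n"
                "[Unit]\n"
                "Description=Cryptography Setup for %I\n"
                "Documentation=man:crypttab(5) man:systemd-cryptsetup-generator(8) man:systemd-cryptsetup@.service(8)\n"
                "SourcePath=/etc/crypttab\n"
                "DefaultDependencies=no\n"
                "Conflicts=umount.target\n"
                "BindsTo=dev-mapper-%i.device\n"
                "IgnoreOnIsolate=true\n"
                "After=systemd-readahead-collect.service systemd-readahead-replay.service cryptsetup-pre.target\n",
                f);

        if (!nofail)
                fprintf(f,
                        "Before=cryptsetup.target\n");

        if (password) {
                if (STR_IN_SET(password, "/dev/urandom", "/dev/random", "/dev/hw_random"))
                        fputs("After=systemd-random-seed.service\n", f);
                else if (!streq(password, "-") && !streq(password, "none")) {
                        /* Initialised because _cleanup_free_ frees it on every scope exit */
                        _cleanup_free_ char *uu = NULL;

                        uu = fstab_node_to_udev_node(password);
                        if (!uu)
                                return log_oom();

                        if (!path_equal(uu, "/dev/null")) {

                                if (is_device_path(uu)) {
                                        _cleanup_free_ char *dd = NULL;

                                        dd = unit_name_from_path(uu, ".device");
                                        if (!dd)
                                                return log_oom();

                                        /* Key file lives on a device: wait for that device */
                                        fprintf(f, "After=%1$s\nRequires=%1$s\n", dd);
                                } else
                                        /* Key file is a regular path: wait for its mount point */
                                        fprintf(f, "RequiresMountsFor=%s\n", password);
                        }
                }
        }

        if (is_device_path(u))
                fprintf(f,
                        "BindsTo=%s\n"
                        "After=%s\n"
                        "Before=umount.target\n",
                        d, d);
        else
                fprintf(f,
                        "RequiresMountsFor=%s\n",
                        u);

        /* presumably handles the timeout options and returns the remaining
         * options in `filtered` -- confirm against generator.c */
        r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
        if (r < 0)
                return r;

        /* NOTE(review): name, u, password and the filtered options are placed
         * between single quotes without any escaping. A value that itself
         * contains a single quote or a '%' changes how the resulting
         * ExecStart=/ExecStop= line is read. The values come from /etc/crypttab
         * and the kernel command line; confirm both are trusted to the same
         * degree as a unit file, or escape them before writing. */
        fprintf(f,
                "\n[Service]\n"
                "Type=oneshot\n"
                "RemainAfterExit=yes\n"
                "TimeoutSec=0\n" /* the binary handles timeouts anyway */
                "ExecStart=" SYSTEMD_CRYPTSETUP_PATH " attach '%s' '%s' '%s' '%s'\n"
                "ExecStop=" SYSTEMD_CRYPTSETUP_PATH " detach '%s'\n",
                name, u, strempty(password), strempty(filtered),
                name);

        if (tmp)
                fprintf(f,
                        "ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
                        name);

        if (swap)
                fprintf(f,
                        "ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
                        name);

        fflush(f);
        if (ferror(f)) {
                log_error("Failed to write file %s: %m", p);
                /* The stream error flag does not guarantee that errno is still
                 * set; never let a failed write be reported as 0 (success) */
                return errno ? -errno : -EIO;
        }

        /* Relative link target: every symlink below sits one directory under arg_dest */
        from = strappenda("../", n);

        if (!noauto) {

                to = strjoin(arg_dest, "/", d, ".wants/", n, NULL);
                if (!to)
                        return log_oom();

                mkdir_parents_label(to, 0755);
                if (symlink(from, to) < 0) {
                        log_error("Failed to create symlink %s: %m", to);
                        return -errno;
                }

                free(to);
                if (!nofail)
                        to = strjoin(arg_dest, "/cryptsetup.target.requires/", n, NULL);
                else
                        to = strjoin(arg_dest, "/cryptsetup.target.wants/", n, NULL);
                if (!to)
                        return log_oom();

                mkdir_parents_label(to, 0755);
                if (symlink(from, to) < 0) {
                        log_error("Failed to create symlink %s: %m", to);
                        return -errno;
                }
        }

        /* `to` is NULL here when noauto skipped the block above; free(NULL) is a no-op */
        free(to);
        to = strjoin(arg_dest, "/dev-mapper-", e, ".device.requires/", n, NULL);
        if (!to)
                return log_oom();

        mkdir_parents_label(to, 0755);
        if (symlink(from, to) < 0) {
                log_error("Failed to create symlink %s: %m", to);
                return -errno;
        }

        if (!noauto && !nofail) {
                r = write_drop_in(arg_dest, name, 90, "device-timeout",
                                  "# Automatically generated by systemd-cryptsetup-generator \n\n"
                                  "[Unit]\nJobTimeoutSec=0");
                if (r < 0) {
                        log_error("Failed to write device drop-in: %s", strerror(-r));
                        return r;
                }
        }

        return 0;
}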

/* Callback handed to parse_proc_cmdline() in main(): records one kernel
 * command line switch in the arg_* variables. Every switch exists in a plain
 * and an "rd."-prefixed spelling and is only honoured when it carries a value.
 * Unknown keys are ignored. Returns 0, or the result of log_oom() when a copy
 * of the value cannot be allocated. */
static int parse_proc_cmdline_item(const char *key, const char *value) {
        int parsed;

        if (STR_IN_SET(key, "luks", "rd.luks") && value) {
                /* Global on/off switch; an unparsable value keeps the current setting */
                parsed = parse_boolean(value);
                if (parsed >= 0)
                        arg_enabled = parsed;
                else
                        log_warning("Failed to parse luks switch %s. Ignoring.", value);

                return 0;
        }

        if (STR_IN_SET(key, "luks.crypttab", "rd.luks.crypttab") && value) {
                /* Controls whether /etc/crypttab is read */
                parsed = parse_boolean(value);
                if (parsed >= 0)
                        arg_read_crypttab = parsed;
                else
                        log_warning("Failed to parse luks crypttab switch %s. Ignoring.", value);

                return 0;
        }

        if (STR_IN_SET(key, "luks.uuid", "rd.luks.uuid") && value) {
                /* May be given several times; each value is appended */
                if (strv_extend(&arg_disks, value) < 0)
                        return log_oom();

                return 0;
        }

        if (STR_IN_SET(key, "luks.options", "rd.luks.options") && value) {
                /* Stored as given; main() splits "<uuid>=<options>" later */
                if (strv_extend(&arg_options, value) < 0)
                        return log_oom();

                return 0;
        }

        if (STR_IN_SET(key, "luks.key", "rd.luks.key") && value) {
                /* The last occurrence wins: drop any earlier copy first */
                free(arg_keyfile);
                arg_keyfile = strdup(value);
                if (!arg_keyfile)
                        return log_oom();
        }

        return 0;
}

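/* Generator entry point. Called with either no arguments (units go to the
 * default arg_dest) or three, of which only argv[1] is used as the output
 * directory. Reads the luks.* kernel command line switches, then writes one
 * unit per matching /etc/crypttab line and one per luks.uuid= entry that no
 * crypttab line covered.
 *
 * `r` tracks the crypttab pass and `r2` the command line pass; the exit code
 * is EXIT_SUCCESS only when both succeeded. */
int main(int argc, char *argv[]) {
        _cleanup_strv_free_ char **disks_done = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        unsigned n = 0;
        int r = EXIT_FAILURE, r2 = EXIT_FAILURE;
        char **i;

        if (argc > 1 && argc != 4) {
                log_error("This program takes three or no arguments.");
                return EXIT_FAILURE;
        }

        if (argc > 1)
                arg_dest = argv[1];

        log_set_target(LOG_TARGET_SAFE);
        log_parse_environment();
        log_open();

        /* Created unit files and directories must not be group/world writable */
        umask(0022);

        if (parse_proc_cmdline(parse_proc_cmdline_item) < 0)
                goto cleanup;

        if (!arg_enabled) {
                r = r2 = EXIT_SUCCESS;
                goto cleanup;
        }

        strv_uniq(arg_disks);

        if (arg_read_crypttab) {
                struct stat st;

                f = fopen("/etc/crypttab", "re");
                if (!f) {
                        /* A missing crypttab is not an error; anything else is */
                        if (errno == ENOENT)
                                r = EXIT_SUCCESS;
                        else
                                log_error("Failed to open /etc/crypttab: %m");

                        goto next;
                }

                if (fstat(fileno(f), &st) < 0) {
                        log_error("Failed to stat /etc/crypttab: %m");
                        goto next;
                }

                /* If we re-add support for specifying passphrases
                 * directly in crypttab we should upgrade the warning
                 * below, though possibly only if a passphrase is
                 * specified directly. */
                if (st.st_mode & 0005)
                        log_debug("/etc/crypttab is world-readable. This is usually not a good idea.");

                for (;;) {
                        char line[LINE_MAX], *l;
                        _cleanup_free_ char *name = NULL, *device = NULL, *password = NULL, *options = NULL;
                        const char *device_uuid;
                        int k;

                        if (!fgets(line, sizeof(line), f))
                                break;

                        n++;

                        l = strstrip(line);
                        if (*l == '#' || *l == 0)
                                continue;

                        /* name and device are mandatory, key file and options optional */
                        k = sscanf(l, "%ms %ms %ms %ms", &name, &device, &password, &options);
                        if (k < 2 || k > 4) {
                                log_error("Failed to parse /etc/crypttab:%u, ignoring.", n);
                                continue;
                        }

                        /* Only a device written as UUID=... can be matched against
                         * luks.options=<uuid>=... entries. The device field is free-form
                         * text from crypttab, so the prefix is checked instead of
                         * skipping five bytes blindly: a shorter field would otherwise be
                         * read past its terminating NUL. */
                        device_uuid = startswith(device, "UUID=");

                        /*
                          If options are specified on the kernel commandline, let them override
                          the ones from crypttab.
                        */
                        STRV_FOREACH(i, arg_options) {
                                _cleanup_free_ char *proc_uuid = NULL, *proc_options = NULL;
                                const char *p = *i;

                                k = sscanf(p, "%m[0-9a-fA-F-]=%ms", &proc_uuid, &proc_options);
                                if (k == 2 && device_uuid && streq(proc_uuid, device_uuid)) {
                                        /* Take over the part after "<uuid>=", as the command
                                         * line pass below does; the whole "<uuid>=<options>"
                                         * string is not a valid option list. Ownership moves
                                         * to `options`, so nothing can fail here. */
                                        free(options);
                                        options = proc_options;
                                        proc_options = NULL;
                                }
                        }

                        if (arg_disks) {
                                /*
                                  If luks UUIDs are specified on the kernel command line, use them as a filter
                                  for /etc/crypttab and only generate units for those.
                                */
                                STRV_FOREACH(i, arg_disks) {
                                        _cleanup_free_ char *proc_device = NULL, *proc_name = NULL;
                                        const char *p = *i;

                                        if (startswith(p, "luks-"))
                                                p += 5;

                                        proc_name = strappend("luks-", p);
                                        proc_device = strappend("UUID=", p);

                                        if (!proc_name || !proc_device) {
                                                log_oom();
                                                goto cleanup;
                                        }

                                        if (streq(proc_device, device) || streq(proc_name, name)) {
                                                if (create_disk(name, device, password, options) < 0)
                                                        goto cleanup;

                                                /* Remember it so the pass below skips this UUID */
                                                if (strv_extend(&disks_done, p) < 0) {
                                                        log_oom();
                                                        goto cleanup;
                                                }
                                        }
                                }
                        } else if (create_disk(name, device, password, options) < 0)
                                goto cleanup;

                }
        }

        r = EXIT_SUCCESS;

next:
        STRV_FOREACH(i, arg_disks) {
                /*
                  Generate units for those UUIDs, which were specified
                  on the kernel command line and not yet written.
                */

                _cleanup_free_ char *name = NULL, *device = NULL, *options = NULL;
                const char *p = *i;

                if (startswith(p, "luks-"))
                        p += 5;

                if (strv_contains(disks_done, p))
                        continue;

                name = strappend("luks-", p);
                device = strappend("UUID=", p);

                if (!name || !device) {
                        log_oom();
                        goto cleanup;
                }

                if (arg_options) {
                        /*
                          If options are specified on the kernel commandline, use them.
                        */
                        char **j;

                        STRV_FOREACH(j, arg_options) {
                                _cleanup_free_ char *proc_uuid = NULL, *proc_options = NULL;
                                const char *s = *j;
                                int k;

                                k = sscanf(s, "%m[0-9a-fA-F-]=%ms", &proc_uuid, &proc_options);
                                if (k == 2) {
                                        /* device was built as "UUID=" + p just above,
                                         * so skipping five bytes is in bounds here */
                                        if (streq(proc_uuid, device + 5)) {
                                                free(options);
                                                options = proc_options;
                                                proc_options = NULL;
                                        }
                                } else if (!options) {
                                        /*
                                          Fall back to options without a specified UUID
                                        */
                                        options = strdup(s);
                                        if (!options) {
                                                log_oom();
                                                goto cleanup;
                                        }
                                }
                        }
                }

                if (!options) {
                        options = strdup("timeout=0");
                        if (!options) {
                                log_oom();
                                goto cleanup;
                        }
                }

                if (create_disk(name, device, arg_keyfile, options) < 0)
                        goto cleanup;
        }

        r2 = EXIT_SUCCESS;

cleanup:
        strv_free(arg_disks);
        strv_free(arg_options);
        free(arg_keyfile);

        return r != EXIT_SUCCESS ? r : r2;
}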