Compare commits

..

No commits in common. "61c8b73a35fd71cb7cbb41b78d93a124bf347e8e" and "3f181262f4aa746177ea311827c268652bdb1c33" have entirely different histories.

9 changed files with 47 additions and 139 deletions

View File

@ -839,7 +839,10 @@ static int run(int argc, char *argv[]) {
log_setup_service(); log_setup_service();
cryptsetup_enable_logging(cd); crypt_set_log_callback(NULL, cryptsetup_log_glue, NULL);
if (DEBUG_LOGGING)
/* libcryptsetup won't even consider debug messages by default */
crypt_set_debug_level(CRYPT_DEBUG_ALL);
umask(0022); umask(0022);
@ -903,7 +906,7 @@ static int run(int argc, char *argv[]) {
if (r < 0) if (r < 0)
return log_error_errno(r, "crypt_init() failed: %m"); return log_error_errno(r, "crypt_init() failed: %m");
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
status = crypt_status(cd, argv[2]); status = crypt_status(cd, argv[2]);
if (IN_SET(status, CRYPT_ACTIVE, CRYPT_BUSY)) { if (IN_SET(status, CRYPT_ACTIVE, CRYPT_BUSY)) {
@ -1029,7 +1032,7 @@ static int run(int argc, char *argv[]) {
if (r < 0) if (r < 0)
return log_error_errno(r, "crypt_init_by_name() failed: %m"); return log_error_errno(r, "crypt_init_by_name() failed: %m");
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
r = crypt_deactivate(cd, argv[2]); r = crypt_deactivate(cd, argv[2]);
if (r < 0) if (r < 0)

View File

@ -238,7 +238,7 @@ static int luks_setup(
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to allocate libcryptsetup context: %m"); return log_error_errno(r, "Failed to allocate libcryptsetup context: %m");
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
r = crypt_load(cd, CRYPT_LUKS2, NULL); r = crypt_load(cd, CRYPT_LUKS2, NULL);
if (r < 0) if (r < 0)
@ -338,7 +338,7 @@ static int luks_open(
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to initialize cryptsetup context for %s: %m", dm_name); return log_error_errno(r, "Failed to initialize cryptsetup context for %s: %m", dm_name);
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
r = crypt_load(cd, CRYPT_LUKS2, NULL); r = crypt_load(cd, CRYPT_LUKS2, NULL);
if (r < 0) if (r < 0)
@ -1335,7 +1335,7 @@ int home_deactivate_luks(UserRecord *h) {
else { else {
log_info("Discovered used LUKS device %s.", dm_node); log_info("Discovered used LUKS device %s.", dm_node);
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
r = crypt_deactivate(cd, dm_name); r = crypt_deactivate(cd, dm_name);
if (IN_SET(r, -ENODEV, -EINVAL, -ENOENT)) { if (IN_SET(r, -ENODEV, -EINVAL, -ENOENT)) {
@ -1494,7 +1494,7 @@ static int luks_format(
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to allocate libcryptsetup context: %m"); return log_error_errno(r, "Failed to allocate libcryptsetup context: %m");
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
/* Normally we'd, just leave volume key generation to libcryptsetup. However, we can't, since we /* Normally we'd, just leave volume key generation to libcryptsetup. However, we can't, since we
* can't extract the volume key from the library again, but we need it in order to encrypt the JSON * can't extract the volume key from the library again, but we need it in order to encrypt the JSON
@ -2971,7 +2971,7 @@ int home_lock_luks(UserRecord *h) {
return log_error_errno(r, "Failed to initialize cryptsetup context for %s: %m", dm_name); return log_error_errno(r, "Failed to initialize cryptsetup context for %s: %m", dm_name);
log_info("Discovered used LUKS device %s.", dm_node); log_info("Discovered used LUKS device %s.", dm_node);
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
if (syncfs(root_fd) < 0) /* Snake oil, but let's better be safe than sorry */ if (syncfs(root_fd) < 0) /* Snake oil, but let's better be safe than sorry */
return log_error_errno(errno, "Failed to synchronize file system %s: %m", p); return log_error_errno(errno, "Failed to synchronize file system %s: %m", p);
@ -3036,7 +3036,7 @@ int home_unlock_luks(UserRecord *h, PasswordCache *cache) {
return log_error_errno(r, "Failed to initialize cryptsetup context for %s: %m", dm_name); return log_error_errno(r, "Failed to initialize cryptsetup context for %s: %m", dm_name);
log_info("Discovered used LUKS device %s.", dm_node); log_info("Discovered used LUKS device %s.", dm_node);
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
r = -ENOKEY; r = -ENOKEY;
FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) { FOREACH_POINTER(list, cache->pkcs11_passwords, cache->fido2_passwords, h->password) {

View File

@ -56,7 +56,7 @@ static int resize_crypt_luks_device(dev_t devno, const char *fstype, dev_t main_
if (r < 0) if (r < 0)
return log_error_errno(r, "crypt_init(\"%s\") failed: %m", devpath); return log_error_errno(r, "crypt_init(\"%s\") failed: %m", devpath);
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
r = crypt_load(cd, CRYPT_LUKS, NULL); r = crypt_load(cd, CRYPT_LUKS, NULL);
if (r < 0) if (r < 0)
@ -85,7 +85,9 @@ static int maybe_resize_underlying_device(const char *mountpath, dev_t main_devn
int r; int r;
#if HAVE_LIBCRYPTSETUP #if HAVE_LIBCRYPTSETUP
cryptsetup_enable_logging(NULL); crypt_set_log_callback(NULL, cryptsetup_log_glue, NULL);
if (DEBUG_LOGGING)
crypt_set_debug_level(CRYPT_DEBUG_ALL);
#endif #endif
r = get_block_device_harder(mountpath, &devno); r = get_block_device_harder(mountpath, &devno);

View File

@ -4,7 +4,7 @@
#include "crypt-util.h" #include "crypt-util.h"
#include "log.h" #include "log.h"
static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) { void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
switch (level) { switch (level) {
case CRYPT_LOG_NORMAL: case CRYPT_LOG_NORMAL:
level = LOG_NOTICE; level = LOG_NOTICE;
@ -25,10 +25,4 @@ static void cryptsetup_log_glue(int level, const char *msg, void *usrptr) {
log_full(level, "%s", msg); log_full(level, "%s", msg);
} }
void cryptsetup_enable_logging(struct crypt_device *cd) {
crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
crypt_set_debug_level(DEBUG_LOGGING ? CRYPT_DEBUG_ALL : CRYPT_DEBUG_NONE);
}
#endif #endif

View File

@ -8,5 +8,5 @@
DEFINE_TRIVIAL_CLEANUP_FUNC(struct crypt_device *, crypt_free); DEFINE_TRIVIAL_CLEANUP_FUNC(struct crypt_device *, crypt_free);
void cryptsetup_enable_logging(struct crypt_device *cd); void cryptsetup_log_glue(int level, const char *msg, void *usrptr);
#endif #endif

View File

@ -1277,7 +1277,7 @@ static int decrypt_partition(
if (r < 0) if (r < 0)
return log_debug_errno(r, "Failed to initialize dm-crypt: %m"); return log_debug_errno(r, "Failed to initialize dm-crypt: %m");
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
r = crypt_load(cd, CRYPT_LUKS, NULL); r = crypt_load(cd, CRYPT_LUKS, NULL);
if (r < 0) if (r < 0)
@ -1399,7 +1399,7 @@ static int verity_partition(
if (r < 0) if (r < 0)
return r; return r;
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
r = crypt_load(cd, CRYPT_VERITY, NULL); r = crypt_load(cd, CRYPT_VERITY, NULL);
if (r < 0) if (r < 0)
@ -1430,44 +1430,28 @@ static int verity_partition(
* Improvements in libcrypsetup can ensure this never happens: https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/96 */ * Improvements in libcrypsetup can ensure this never happens: https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/96 */
if (r == -EINVAL && FLAGS_SET(flags, DISSECT_IMAGE_VERITY_SHARE)) if (r == -EINVAL && FLAGS_SET(flags, DISSECT_IMAGE_VERITY_SHARE))
return verity_partition(m, v, root_hash, root_hash_size, verity_data, NULL, root_hash_sig ?: hash_sig_from_file, root_hash_sig_size, flags & ~DISSECT_IMAGE_VERITY_SHARE, d); return verity_partition(m, v, root_hash, root_hash_size, verity_data, NULL, root_hash_sig ?: hash_sig_from_file, root_hash_sig_size, flags & ~DISSECT_IMAGE_VERITY_SHARE, d);
if (!IN_SET(r, if (!IN_SET(r, 0, -EEXIST, -ENODEV))
0, /* Success */
-EEXIST, /* Volume is already open and ready to be used */
-EBUSY, /* Volume is being opened but not ready, crypt_init_by_name can fetch details */
-ENODEV /* Volume is being opened but not ready, crypt_init_by_name would fail, try to open again */))
return r; return r;
if (IN_SET(r, -EEXIST, -EBUSY)) { if (r == -EEXIST) {
struct crypt_device *existing_cd = NULL; struct crypt_device *existing_cd = NULL;
if (!restore_deferred_remove){ if (!restore_deferred_remove){
/* To avoid races, disable automatic removal on umount while setting up the new device. Restore it on failure. */ /* To avoid races, disable automatic removal on umount while setting up the new device. Restore it on failure. */
r = dm_deferred_remove_cancel(name); r = dm_deferred_remove_cancel(name);
/* If activation returns EBUSY there might be no deferred removal to cancel, that's fine */ if (r < 0)
if (r < 0 && r != -ENXIO)
return log_debug_errno(r, "Disabling automated deferred removal for verity device %s failed: %m", node); return log_debug_errno(r, "Disabling automated deferred removal for verity device %s failed: %m", node);
if (r == 0) {
restore_deferred_remove = strdup(name); restore_deferred_remove = strdup(name);
if (!restore_deferred_remove) if (!restore_deferred_remove)
return -ENOMEM; return -ENOMEM;
} }
}
r = verity_can_reuse(root_hash, root_hash_size, !!root_hash_sig || !!hash_sig_from_file, name, &existing_cd); r = verity_can_reuse(root_hash, root_hash_size, !!root_hash_sig || !!hash_sig_from_file, name, &existing_cd);
/* Same as above, -EINVAL can randomly happen when it actually means -EEXIST */ /* Same as above, -EINVAL can randomly happen when it actually means -EEXIST */
if (r == -EINVAL && FLAGS_SET(flags, DISSECT_IMAGE_VERITY_SHARE)) if (r == -EINVAL && FLAGS_SET(flags, DISSECT_IMAGE_VERITY_SHARE))
return verity_partition(m, v, root_hash, root_hash_size, verity_data, NULL, root_hash_sig ?: hash_sig_from_file, root_hash_sig_size, flags & ~DISSECT_IMAGE_VERITY_SHARE, d); return verity_partition(m, v, root_hash, root_hash_size, verity_data, NULL, root_hash_sig ?: hash_sig_from_file, root_hash_sig_size, flags & ~DISSECT_IMAGE_VERITY_SHARE, d);
if (!IN_SET(r, 0, -ENODEV, -ENOENT, -EBUSY)) if (!IN_SET(r, 0, -ENODEV, -ENOENT))
return log_debug_errno(r, "Checking whether existing verity device %s can be reused failed: %m", node); return log_debug_errno(r, "Checking whether existing verity device %s can be reused failed: %m", node);
if (r == 0) { if (r == 0) {
/* devmapper might say that the device exists, but the devlink might not yet have been
* created. Check and wait for the udev event in that case. */
r = device_wait_for_devlink(node, "block", 100 * USEC_PER_MSEC, NULL);
/* Fallback to activation with a unique device if it's taking too long */
if (r == -ETIMEDOUT)
break;
if (r < 0)
return r;
if (cd) if (cd)
crypt_free(cd); crypt_free(cd);
cd = existing_cd; cd = existing_cd;
@ -1475,11 +1459,12 @@ static int verity_partition(
} }
if (r == 0) if (r == 0)
break; break;
/* Device is being opened by another process, but it has not finished yet, yield for 2ms */
(void) usleep(2 * USEC_PER_MSEC);
} }
/* Sanity check: libdevmapper is known to report that the device already exists and is active,
* but it's actually not there, so the later filesystem probe or mount would fail. */
if (r == 0)
r = access(node, F_OK);
/* An existing verity device was reported by libcryptsetup/libdevmapper, but we can't use it at this time. /* An existing verity device was reported by libcryptsetup/libdevmapper, but we can't use it at this time.
* Fall back to activating it with a unique device name. */ * Fall back to activating it with a unique device name. */
if (r != 0 && FLAGS_SET(flags, DISSECT_IMAGE_VERITY_SHARE)) if (r != 0 && FLAGS_SET(flags, DISSECT_IMAGE_VERITY_SHARE))

View File

@ -1,14 +1,12 @@
/* SPDX-License-Identifier: LGPL-2.1+ */ /* SPDX-License-Identifier: LGPL-2.1+ */
#include <errno.h> #include <errno.h>
#include <unistd.h>
#include "alloc-util.h" #include "alloc-util.h"
#include "device-util.h" #include "device-util.h"
#include "env-file.h" #include "env-file.h"
#include "log.h" #include "log.h"
#include "parse-util.h" #include "parse-util.h"
#include "path-util.h"
#include "signal-util.h" #include "signal-util.h"
#include "string-table.h" #include "string-table.h"
#include "string-util.h" #include "string-util.h"
@ -110,108 +108,48 @@ int udev_parse_config_full(
return 0; return 0;
} }
/* Note that if -ENOENT is returned, it will be logged at debug level rather than error,
* because it's an expected, common occurrence that the caller will handle with a fallback */
static int device_new_from_dev_path(const char *devlink, sd_device **ret_device) {
struct stat st;
int r;
assert(devlink);
r = stat(devlink, &st);
if (r < 0)
return log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_ERR, errno, "Failed to stat() %s: %m", devlink);
if (!S_ISBLK(st.st_mode))
return log_error_errno(SYNTHETIC_ERRNO(ENOTBLK), "%s does not point to a block device: %m", devlink);
r = sd_device_new_from_devnum(ret_device, 'b', st.st_rdev);
if (r < 0)
return log_error_errno(r, "Failed to initialize device from %s: %m", devlink);
return 0;
}
struct DeviceMonitorData { struct DeviceMonitorData {
const char *sysname; const char *sysname;
const char *devlink;
sd_device *device; sd_device *device;
}; };
static void device_monitor_data_free(struct DeviceMonitorData *d) {
assert(d);
sd_device_unref(d->device);
}
static int device_monitor_handler(sd_device_monitor *monitor, sd_device *device, void *userdata) { static int device_monitor_handler(sd_device_monitor *monitor, sd_device *device, void *userdata) {
struct DeviceMonitorData *data = userdata; struct DeviceMonitorData *data = userdata;
const char *sysname; const char *sysname;
assert(device); assert(device);
assert(data); assert(data);
assert(data->sysname || data->devlink); assert(data->sysname);
assert(!data->device); assert(!data->device);
if (data->sysname && sd_device_get_sysname(device, &sysname) >= 0 && streq(sysname, data->sysname)) if (sd_device_get_sysname(device, &sysname) >= 0 && streq(sysname, data->sysname)) {
goto found; data->device = sd_device_ref(device);
return sd_event_exit(sd_device_monitor_get_event(monitor), 0);
if (data->devlink) {
const char *devlink;
FOREACH_DEVICE_DEVLINK(device, devlink)
if (path_equal(devlink, data->devlink))
goto found;
if (sd_device_get_devname(device, &devlink) >= 0 && path_equal(devlink, data->devlink))
goto found;
} }
return 0; return 0;
found:
data->device = sd_device_ref(device);
return sd_event_exit(sd_device_monitor_get_event(monitor), 0);
} }
static int device_timeout_handler(sd_event_source *s, uint64_t usec, void *userdata) { static int device_timeout_handler(sd_event_source *s, uint64_t usec, void *userdata) {
return sd_event_exit(sd_event_source_get_event(s), -ETIMEDOUT); return sd_event_exit(sd_event_source_get_event(s), -ETIMEDOUT);
} }
static int device_wait_for_initialization_internal( int device_wait_for_initialization(sd_device *device, const char *subsystem, usec_t timeout, sd_device **ret) {
sd_device *_device,
const char *devlink,
const char *subsystem,
usec_t timeout,
sd_device **ret) {
_cleanup_(sd_device_monitor_unrefp) sd_device_monitor *monitor = NULL; _cleanup_(sd_device_monitor_unrefp) sd_device_monitor *monitor = NULL;
_cleanup_(sd_event_source_unrefp) sd_event_source *timeout_source = NULL; _cleanup_(sd_event_source_unrefp) sd_event_source *timeout_source = NULL;
_cleanup_(sd_event_unrefp) sd_event *event = NULL; _cleanup_(sd_event_unrefp) sd_event *event = NULL;
/* Ensure that if !_device && devlink, device gets unrefd on errors since it will be new */ struct DeviceMonitorData data = {};
_cleanup_(sd_device_unrefp) sd_device *device = sd_device_ref(_device);
_cleanup_(device_monitor_data_free) struct DeviceMonitorData data = {
.devlink = devlink,
};
int r; int r;
assert(device || (subsystem && devlink)); assert(device);
/* Devlink might already exist, if it does get the device to use the sysname filtering */
if (!device && devlink) {
r = device_new_from_dev_path(devlink, &device);
if (r < 0 && r != -ENOENT)
return r;
}
if (device) {
if (sd_device_get_is_initialized(device) > 0) { if (sd_device_get_is_initialized(device) > 0) {
if (ret) if (ret)
*ret = sd_device_ref(device); *ret = sd_device_ref(device);
return 0; return 0;
} }
/* We need either the sysname or the devlink for filtering */
assert_se(sd_device_get_sysname(device, &data.sysname) >= 0 || devlink); assert_se(sd_device_get_sysname(device, &data.sysname) >= 0);
}
/* Wait until the device is initialized, so that we can get access to the ID_PATH property */ /* Wait until the device is initialized, so that we can get access to the ID_PATH property */
@ -223,7 +161,7 @@ static int device_wait_for_initialization_internal(
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to acquire monitor: %m"); return log_error_errno(r, "Failed to acquire monitor: %m");
if (device && !subsystem) { if (!subsystem) {
r = sd_device_get_subsystem(device, &subsystem); r = sd_device_get_subsystem(device, &subsystem);
if (r < 0 && r != -ENOENT) if (r < 0 && r != -ENOENT)
return log_device_error_errno(device, r, "Failed to get subsystem: %m"); return log_device_error_errno(device, r, "Failed to get subsystem: %m");
@ -254,12 +192,7 @@ static int device_wait_for_initialization_internal(
/* Check again, maybe things changed. Udev will re-read the db if the device wasn't initialized /* Check again, maybe things changed. Udev will re-read the db if the device wasn't initialized
* yet. */ * yet. */
if (!device && devlink) { if (sd_device_get_is_initialized(device) > 0) {
r = device_new_from_dev_path(devlink, &device);
if (r < 0 && r != -ENOENT)
return r;
}
if (device && sd_device_get_is_initialized(device) > 0) {
if (ret) if (ret)
*ret = sd_device_ref(device); *ret = sd_device_ref(device);
return 0; return 0;
@ -274,14 +207,6 @@ static int device_wait_for_initialization_internal(
return 0; return 0;
} }
int device_wait_for_initialization(sd_device *device, const char *subsystem, usec_t timeout, sd_device **ret) {
return device_wait_for_initialization_internal(device, NULL, subsystem, timeout, ret);
}
int device_wait_for_devlink(const char *devlink, const char *subsystem, usec_t timeout, sd_device **ret) {
return device_wait_for_initialization_internal(NULL, devlink, subsystem, timeout, ret);
}
int device_is_renaming(sd_device *dev) { int device_is_renaming(sd_device *dev) {
int r; int r;

View File

@ -29,6 +29,5 @@ static inline int udev_parse_config(void) {
} }
int device_wait_for_initialization(sd_device *device, const char *subsystem, usec_t timeout, sd_device **ret); int device_wait_for_initialization(sd_device *device, const char *subsystem, usec_t timeout, sd_device **ret);
int device_wait_for_devlink(const char *path, const char *subsystem, usec_t timeout, sd_device **ret);
int device_is_renaming(sd_device *dev); int device_is_renaming(sd_device *dev);
bool device_for_action(sd_device *dev, DeviceAction action); bool device_for_action(sd_device *dev, DeviceAction action);

View File

@ -73,7 +73,7 @@ static int run(int argc, char *argv[]) {
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to open verity device %s: %m", argv[4]); return log_error_errno(r, "Failed to open verity device %s: %m", argv[4]);
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
status = crypt_status(cd, argv[2]); status = crypt_status(cd, argv[2]);
if (IN_SET(status, CRYPT_ACTIVE, CRYPT_BUSY)) { if (IN_SET(status, CRYPT_ACTIVE, CRYPT_BUSY)) {
@ -124,7 +124,7 @@ static int run(int argc, char *argv[]) {
if (r < 0) if (r < 0)
return log_error_errno(r, "crypt_init_by_name() failed: %m"); return log_error_errno(r, "crypt_init_by_name() failed: %m");
cryptsetup_enable_logging(cd); crypt_set_log_callback(cd, cryptsetup_log_glue, NULL);
r = crypt_deactivate(cd, argv[2]); r = crypt_deactivate(cd, argv[2]);
if (r < 0) if (r < 0)