update TODO

Let's iterate through the slaves/ directory to find backing devices of
the block devices we care about.

TODO

@@ -22,6 +22,14 @@ Janitorial Clean-ups:
 
 Features:
 
+* random-util: make user of new GRND_INSECURE flag wherever possible
+
+* nspawn: support time namespaces
+
+* pid1: Move to tracking of main pid/control pid of units per pidfd
+
+* pid1: support new clone3() fork-into-cgroup feature
+
 * All tools that support --root= should also learn --image= so that they can
   operate on disk images directly. Specifically: bootctl, firstboot, tmpfiles,
   sysusers, systemctl, repart, journalctl, coredumpctl.
@@ -45,8 +53,9 @@ Features:
   resize to diskSize if possible, but leave a certain amount (configured by a
   new value diskLeaveFreeSize) of space free on the backing fs.
 
-* homed: permit multiple private keys to be used locally, and pick the right
+* homed: permit multiple user record signing keys to be used locally, and pick
-  one for signing records automatically depending on a pre-existing signature
+  the right one for signing records automatically depending on a pre-existing
+  signature
 
 * homed: add a way to "adopt" a home directory, i.e. strip foreign signatures
   and insert a local signature instead.
@@ -59,6 +68,8 @@ Features:
   though: if noone is logged in (or no other user even exists yet), how do you
   unlock the volume in order to create the first user and add the first pw.
 
+* homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
+
 * busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
   exists and responds.
 
@@ -169,7 +180,7 @@ Features:
 
 * userdb: allow existence checks
 
-* pid: activation by journal search expression
+* pid1: activation by journal search expression
 
 * when switching root from initrd to host, set the machine_id env var so that
   if the host has no machine ID set yet we continue to use the random one the

src/basic/fs-util.c

@@ -1491,9 +1491,77 @@ int open_parent(const char *path, int flags, mode_t mode) {
         return fd;
 }
 
+static int blockdev_is_encrypted(const char *sysfs_path, unsigned depth_left) {
+        _cleanup_free_ char *p = NULL, *uuids = NULL;
+        _cleanup_closedir_ DIR *d = NULL;
+        int r, found_encrypted = false;
+
+        assert(sysfs_path);
+
+        if (depth_left == 0)
+                return -EINVAL;
+
+        p = path_join(sysfs_path, "dm/uuid");
+        if (!p)
+                return -ENOMEM;
+
+        r = read_one_line_file(p, &uuids);
+        if (r != -ENOENT) {
+                if (r < 0)
+                        return r;
+
+                /* The DM device's uuid attribute is prefixed with "CRYPT-" if this is a dm-crypt device. */
+                if (startswith(uuids, "CRYPT-"))
+                        return true;
+        }
+
+        /* Not a dm-crypt device itself. But maybe it is on top of one? Follow the links in the "slaves/"
+         * subdir. */
+
+        p = mfree(p);
+        p = path_join(sysfs_path, "slaves");
+        if (!p)
+                return -ENOMEM;
+
+        d = opendir(p);
+        if (!d) {
+                if (errno == ENOENT) /* Doesn't have slaves */
+                        return false;
+
+                return -errno;
+        }
+
+        for (;;) {
+                _cleanup_free_ char *q = NULL;
+                struct dirent *de;
+
+                errno = 0;
+                de = readdir_no_dot(d);
+                if (!de) {
+                        if (errno != 0)
+                                return -errno;
+
+                        break; /* No more slaves */
+                }
+
+                q = path_join(p, de->d_name);
+                if (!q)
+                        return -ENOMEM;
+
+                r = blockdev_is_encrypted(q, depth_left - 1);
+                if (r < 0)
+                        return r;
+                if (r == 0) /* we found one that is not encrypted? then propagate that immediately */
+                        return false;
+
+                found_encrypted = true;
+        }
+
+        return found_encrypted;
+}
+
 int path_is_encrypted(const char *path) {
-        _cleanup_free_ char *uuids = NULL;
+        char p[SYS_BLOCK_PATH_MAX(NULL)];
-        char p[SYS_BLOCK_PATH_MAX("/dm/uuid")];
         dev_t devt;
         int r;
 
@@ -1503,13 +1571,7 @@ int path_is_encrypted(const char *path) {
         if (r == 0) /* doesn't have a block device */
                 return false;
 
-        xsprintf_sys_block_path(p, "/dm/uuid", devt);
+        xsprintf_sys_block_path(p, NULL, devt);
-        r = read_one_line_file(p, &uuids);
-        if (r == -ENOENT)
-                return false;
-        if (r < 0)
-                return r;
 
-        /* The DM device's uuid attribute is prefixed with "CRYPT-" if this is a dm-crypt device. */
+        return blockdev_is_encrypted(p, 10 /* safety net: maximum recursion depth */);
-        return !!startswith(uuids, "CRYPT-");
 }

src/core/unit.c

@@ -2777,7 +2777,7 @@ void unit_unwatch_pid(Unit *u, pid_t pid) {
 
                 if (m == 0) {
                         /* The array is now empty, remove the entire entry */
-                        assert(hashmap_remove(u->manager->watch_pids, PID_TO_PTR(-pid)) == array);
+                        assert_se(hashmap_remove(u->manager->watch_pids, PID_TO_PTR(-pid)) == array);
                         free(array);
                 }
         }

src/import/import-fs.c

@@ -220,8 +220,8 @@ static int import_fs(int argc, char *argv[], void *userdata) {
 
 finish:
         /* Put old signal handlers into place */
-        assert(sigaction(SIGINT, &old_sigint_sa, NULL) >= 0);
+        assert_se(sigaction(SIGINT, &old_sigint_sa, NULL) >= 0);
-        assert(sigaction(SIGTERM, &old_sigterm_sa, NULL) >= 0);
+        assert_se(sigaction(SIGTERM, &old_sigterm_sa, NULL) >= 0);
 
         return 0;
 }

src/test/test-sleep.c

@@ -20,7 +20,7 @@ static void test_parse_sleep_config(void) {
         _cleanup_(free_sleep_configp) SleepConfig *sleep_config = NULL;
         log_info("/* %s */", __func__);
 
-        assert(parse_sleep_config(&sleep_config) == 0);
+        assert_se(parse_sleep_config(&sleep_config) == 0);
 
         _cleanup_free_ char *sum, *sus, *him, *his, *hym, *hys;