diff options
-rw-r--r-- | discover/device-handler.c | 148 | ||||
-rw-r--r-- | discover/device-handler.h | 8 | ||||
-rw-r--r-- | discover/discover-server.c | 18 | ||||
-rw-r--r-- | discover/udev.c | 33 | ||||
-rw-r--r-- | test/parser/handler.c | 6 |
5 files changed, 206 insertions, 7 deletions
diff --git a/discover/device-handler.c b/discover/device-handler.c index e75f412..d41bb4b 100644 --- a/discover/device-handler.c +++ b/discover/device-handler.c @@ -60,6 +60,13 @@ struct progress_info { struct list_item list; }; +struct crypt_info { + struct discover_device *source_device; + char *dm_name; + + struct list_item list; +}; + struct device_handler { struct discover_server *server; int dry_run; @@ -95,6 +102,8 @@ struct device_handler { struct plugin_option **plugins; unsigned int n_plugins; bool plugin_installing; + + struct list crypt_devices; }; static int mount_device(struct discover_device *dev); @@ -265,9 +274,30 @@ void device_handler_destroy(struct device_handler *handler) static int destroy_device(void *arg) { struct discover_device *dev = arg; + struct process *p; umount_device(dev); + devmapper_destroy_snapshot(dev); + + if (dev->crypt_device) { + const char *argv[] = { + pb_system_apps.cryptsetup, + "luksClose", + dev->device->id, + NULL + }; + + p = process_create(dev); + p->path = pb_system_apps.cryptsetup; + p->argv = argv; + + if (process_run_async(p)) { + pb_log("Failed to run cryptsetup\n"); + return -1; + } + } + return 0; } @@ -376,6 +406,7 @@ struct device_handler *device_handler_init(struct discover_server *server, list_init(&handler->unresolved_boot_options); list_init(&handler->progress); + list_init(&handler->crypt_devices); /* set up our mount point base */ pb_mkdir_recursive(mount_base()); @@ -399,6 +430,7 @@ struct device_handler *device_handler_init(struct discover_server *server, void device_handler_reinit(struct device_handler *handler) { struct discover_boot_option *opt, *tmp; + struct crypt_info *crypt, *c; struct ramdisk_device *ramdisk; struct config *config; unsigned int i; @@ -449,6 +481,11 @@ void device_handler_reinit(struct device_handler *handler) discover_server_notify_plugins_remove(handler->server); + /* forget encrypted devices */ + list_for_each_entry_safe(&handler->crypt_devices, crypt, c, list) + talloc_free(crypt); + list_init(&handler->crypt_devices); + set_env_variables(config_get()); /* If the safe mode warning was active disable it now */ @@ -1230,6 +1267,116 @@ void device_handler_release_ramdisk(struct discover_device *device) device->ramdisk = NULL; } +/* + * Check if a device name matches the name of an encrypted device that has been + * opened. If it matches remove it from the list and remove the original crypt + * discover device. + */ +bool device_handler_found_crypt_device(struct device_handler *handler, + const char *name) +{ + struct crypt_info *crypt, *c; + + list_for_each_entry_safe(&handler->crypt_devices, crypt, c, list) { + if (!strncmp(crypt->dm_name, name, strlen(crypt->dm_name))) { + device_handler_remove(handler, crypt->source_device); + list_remove(&crypt->list); + talloc_free(crypt); + return true; + } + } + + return false; +} + +static void cryptsetup_cb(struct process *process) +{ + struct device_handler *handler = process->data; + struct crypt_info *crypt, *c; + + if (process->exit_status == 0) + return; + device_handler_status_err(handler, + _("Failed to open encrypted device %s"), + process->argv[2]); + + /* + * Failed to open the device; stop tracking it, but don't remove + * the source device. + */ + list_for_each_entry_safe(&handler->crypt_devices, crypt, c, list) { + if (!strncmp(crypt->dm_name, process->argv[3], + strlen(crypt->dm_name))) { + list_remove(&crypt->list); + talloc_free(crypt); + break; + } + } +} + +void device_handler_open_encrypted_dev(struct device_handler *handler, + char *password, char *device_id) +{ + struct discover_device *dev; + struct crypt_info *crypt; + const char *device_path, **argv; + struct process *p; + char *name; + int result; + + dev = device_lookup_by_id(handler, device_id); + if (!dev) { + pb_log_fn("Can't find device %s\n", device_id); + device_handler_status_err(handler, + _("Encrypted device %s does not exist"), + device_id); + return; + } + + device_path = dev->device_path; + name = talloc_asprintf(handler, "luks_%s", device_id); + + p = process_create(handler); + /* talloc argv under the process so we can access it in cryptsetup_cb */ + argv = talloc_zero_array(p, const char *, 6); + argv[0] = talloc_strdup(argv, pb_system_apps.cryptsetup); + argv[1] = talloc_asprintf(argv, "luksOpen"); + argv[2] = talloc_strdup(argv, device_path); + argv[3] = talloc_strdup(argv, name); + argv[4] = talloc_asprintf(argv, "-"); + argv[5] = NULL; + + p->path = pb_system_apps.cryptsetup; + p->argv = (const char **)argv; + p->exit_cb = cryptsetup_cb; + p->data = handler; + p->keep_stdout = true; + p->pipe_stdin = talloc_asprintf(p, "%s\n", password); + + result = process_run_async(p); + if (result) { + pb_log("Failed to run cryptsetup\n"); + return; + } + + crypt = talloc(handler, struct crypt_info); + crypt->source_device = dev; + crypt->dm_name = name; + talloc_steal(crypt, name); + list_add(&handler->crypt_devices, &crypt->list); +} + +void device_handler_add_encrypted_dev(struct device_handler *handler, + struct discover_device *dev) +{ + system_info_register_blockdev(dev->device->id, dev->uuid, ""); + discover_server_notify_device_add(handler->server, + dev->device); + dev->notified = true; + if (!device_lookup_by_uuid(handler, dev->uuid)) + device_handler_add_device(handler, dev); +} + /* Start discovery on a hotplugged device. The device will be in our devices * array, but has only just been initialised by the hotplug source. */ @@ -2121,7 +2268,6 @@ static int umount_device(struct discover_device *dev) return -1; dev->mounted = false; - devmapper_destroy_snapshot(dev); pb_rmdir_recursive(mount_base(), dev->mount_path); diff --git a/discover/device-handler.h b/discover/device-handler.h index 9619a2d..6591120 100644 --- a/discover/device-handler.h +++ b/discover/device-handler.h @@ -33,6 +33,7 @@ struct discover_device { bool mounted; bool mounted_rw; bool unmount; + bool crypt_device; bool notified; @@ -89,6 +90,9 @@ const struct plugin_option *device_handler_get_plugin( struct network *device_handler_get_network( const struct device_handler *handler); +bool device_handler_found_crypt_device(struct device_handler *handler, + const char *name); + struct discover_device *discover_device_create(struct device_handler *handler, const char *uuid, const char *id); void device_handler_add_device(struct device_handler *handler, @@ -98,6 +102,10 @@ void device_handler_add_ramdisk(struct device_handler *handler, struct ramdisk_device *device_handler_get_ramdisk( struct device_handler *handler); void device_handler_release_ramdisk(struct discover_device *device); +void device_handler_open_encrypted_dev(struct device_handler *handler, + char *password, char *device_id); +void device_handler_add_encrypted_dev(struct device_handler *handler, + struct discover_device *dev); int device_handler_discover(struct device_handler *handler, struct discover_device *dev); int device_handler_dhcp(struct device_handler *handler, diff --git a/discover/discover-server.c b/discover/discover-server.c index 23d6113..1a332cb 100644 --- a/discover/discover-server.c +++ b/discover/discover-server.c @@ -365,13 +365,29 @@ static int discover_server_handle_auth_message(struct client *client, _("Password updated successfully")); } break; + case AUTH_MSG_DECRYPT: + if (!client->can_modify) { + pb_log("Unauthenticated client tried to open encrypted device %s\n", + auth_msg->decrypt_dev.device_id); + rc = -1; + status->type = STATUS_ERROR; + status->message = talloc_asprintf(status, + _("Must authenticate before opening encrypted device")); + break; + } + + device_handler_open_encrypted_dev(client->server->device_handler, + auth_msg->decrypt_dev.password, + auth_msg->decrypt_dev.device_id); + break; default: pb_log("%s: unknown op\n", __func__); rc = -1; break; } - write_boot_status_message(client->server, client, status); + if (status->message) + write_boot_status_message(client->server, client, status); talloc_free(status); return rc; diff --git a/discover/udev.c b/discover/udev.c index fa5d4b4..0c3da66 100644 --- a/discover/udev.c +++ b/discover/udev.c @@ -106,7 +106,7 @@ static int udev_handle_block_add(struct pb_udev *udev, struct udev_device *dev, "swap", NULL, }; - bool cdrom, usb; + bool cdrom, usb, luks = false; typestr = udev_device_get_devtype(dev); if (!typestr) { @@ -142,11 +142,18 @@ static int udev_handle_block_add(struct pb_udev *udev, struct udev_device *dev, } } - /* Ignore any device mapper devices that aren't logical volumes */ + /* + * Ignore any device mapper devices that aren't logical volumes or + * opened encrypted devices + */ devname = udev_device_get_property_value(dev, "DM_NAME"); - if (devname && ! udev_device_get_property_value(dev, "DM_LV_NAME")) { - pb_debug("SKIP: dm-device %s\n", devname); - return 0; + if (devname) { + if (device_handler_found_crypt_device(udev->handler, devname)) { + luks = true; + } else if (!udev_device_get_property_value(dev, "DM_LV_NAME")) { + pb_debug("SKIP: dm-device %s\n", devname); + return 0; + } } type = udev_device_get_property_value(dev, "ID_FS_TYPE"); @@ -216,16 +223,32 @@ static int udev_handle_block_add(struct pb_udev *udev, struct udev_device *dev, usb = !!udev_device_get_property_value(dev, "ID_USB_DRIVER"); if (cdrom) ddev->device->type = DEVICE_TYPE_OPTICAL; + else if (strncmp(type, "crypto_LUKS", strlen("crypto_LUKS")) == 0) + ddev->device->type = DEVICE_TYPE_LUKS; else ddev->device->type = usb ? DEVICE_TYPE_USB : DEVICE_TYPE_DISK; udev_setup_device_params(dev, ddev); + /* + * Don't perform discovery on encrypted devices, just register and + * notify clients. + */ + if (ddev->device->type == DEVICE_TYPE_LUKS) { + pb_log("Notifying clients about encrypted device %s\n", + name); + device_handler_add_encrypted_dev(udev->handler, ddev); + return 0; + } + /* Create a snapshot for all disk devices */ if ((ddev->device->type == DEVICE_TYPE_DISK || ddev->device->type == DEVICE_TYPE_USB)) devmapper_init_snapshot(udev->handler, ddev); + /* Note if this is an opened LUKS device */ + ddev->crypt_device = luks; + device_handler_discover(udev->handler, ddev); return 0; diff --git a/test/parser/handler.c b/test/parser/handler.c index a9856b4..1589570 100644 --- a/test/parser/handler.c +++ b/test/parser/handler.c @@ -116,3 +116,9 @@ void discover_server_notify_plugins_remove(struct discover_server *server) { (void)server; } + +int devmapper_destroy_snapshot(struct discover_device *device) +{ + (void)device; + return 0; +} |