代码拉取完成,页面将自动刷新
同步操作将从 src-anolis-os/systemd 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From 8ef03861b75cf0a70511760c395cb4bd228c37b9 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 4 Nov 2020 17:24:53 +0100
Subject: [PATCH] cryptsetup: port cryptsetup's main key file logic over to
read_full_file_full()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously, we'd load the file with libcryptsetup's calls. Let's do that
in our own, so that we can make use of READ_FULL_FILE_CONNECT_SOCKET,
i.e. read in keys via AF_UNIX sockets, so that people can plug key
providers into our logic.
This provides functionality similar to Debian's keyscript= crypttab
option (see → #3007), as it allows key scripts to be run as socket
activated services, that have stdout connected to the activated socket.
In contrast to traditional keyscript= support this logic runs stuff out
of process however, which is beneficial, since it allows sandboxing and
similar.
(cherry picked from commit 165a476841ff1aa3aab3508771db9495ab073c7a)
Signed-off-by: Guorui Yu <GuoRui.Yu@linux.alibaba.com>
---
src/cryptsetup/cryptsetup.c | 37 ++++++++++++++++++++++++++++++++-----
1 file changed, 32 insertions(+), 5 deletions(-)
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 11162eb722..9251e0eba8 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -17,6 +17,7 @@
#include "mount-util.h"
#include "parse-util.h"
#include "path-util.h"
+#include "random-util.h"
#include "string-util.h"
#include "strv.h"
#include "util.h"
@@ -480,6 +481,15 @@ static int attach_tcrypt(
return 0;
}
+static char *make_bindname(const char *volume) {
+ char *s;
+
+ if (asprintf(&s, "@%" PRIx64"/cryptsetup/%s", random_u64(), volume) < 0)
+ return NULL;
+
+ return s;
+}
+
static int attach_luks_or_plain(struct crypt_device *cd,
const char *name,
const char *key_file,
@@ -553,13 +563,30 @@ static int attach_luks_or_plain(struct crypt_device *cd,
crypt_get_device_name(cd));
if (key_file) {
- r = crypt_activate_by_keyfile_offset(cd, name, arg_key_slot, key_file, arg_keyfile_size, arg_keyfile_offset, flags);
- if (r == -EPERM) {
- log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file);
+ _cleanup_(erase_and_freep) char *kfdata = NULL;
+ _cleanup_free_ char *bindname = NULL;
+ size_t kfsize;
+
+ /* If we read the key via AF_UNIX, make this client recognizable */
+ bindname = make_bindname(name);
+ if (!bindname)
+ return log_oom();
+
+ r = read_full_file_full(
+ AT_FDCWD, key_file,
+ arg_keyfile_offset == 0 ? UINT64_MAX : arg_keyfile_offset,
+ arg_keyfile_size == 0 ? SIZE_MAX : arg_keyfile_size,
+ READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE|READ_FULL_FILE_CONNECT_SOCKET,
+ bindname,
+ &kfdata, &kfsize);
+ if (r == -ENOENT) {
+ log_error_errno(r, "Failed to activate, key file '%s' missing.", key_file);
return -EAGAIN; /* Log actual error, but return EAGAIN */
}
- if (r == -EINVAL) {
- log_error_errno(r, "Failed to activate with key file '%s'. (Key file missing?)", key_file);
+
+ r = crypt_activate_by_passphrase(cd, name, arg_key_slot, kfdata, kfsize, flags);
+ if (r == -EPERM) {
+ log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file);
return -EAGAIN; /* Log actual error, but return EAGAIN */
}
if (r < 0)
--
2.39.1
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手