1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-31 07:51:21 +03:00

Merge pull request #21161 from poettering/homed-uidmap-fscrypt

homed: teach the fscrypt backend uidmap too
This commit is contained in:
Lennart Poettering 2021-10-28 08:15:44 +02:00 committed by GitHub
commit 8622e9f2e3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 93 additions and 24 deletions

View File

@ -241,13 +241,9 @@ int home_create_directory_or_subvolume(UserRecord *h, HomeSetup *setup, UserReco
setup->root_fd = safe_close(setup->root_fd); setup->root_fd = safe_close(setup->root_fd);
/* Unmount mapped mount before we move the dir into place */ /* Unmount mapped mount before we move the dir into place */
if (setup->undo_mount) { r = home_setup_undo_mount(setup, LOG_ERR);
r = umount_verbose(LOG_ERR, HOME_RUNTIME_WORK_DIR, UMOUNT_NOFOLLOW); if (r < 0)
if (r < 0) return r;
return r;
setup->undo_mount = false;
}
if (rename(temporary, ip) < 0) if (rename(temporary, ip) < 0)
return log_error_errno(errno, "Failed to rename %s to %s: %m", temporary, ip); return log_error_errno(errno, "Failed to rename %s to %s: %m", temporary, ip);

View File

@ -10,11 +10,13 @@
#include "fd-util.h" #include "fd-util.h"
#include "hexdecoct.h" #include "hexdecoct.h"
#include "homework-fscrypt.h" #include "homework-fscrypt.h"
#include "homework-mount.h"
#include "homework-quota.h" #include "homework-quota.h"
#include "memory-util.h" #include "memory-util.h"
#include "missing_keyctl.h" #include "missing_keyctl.h"
#include "missing_syscall.h" #include "missing_syscall.h"
#include "mkdir.h" #include "mkdir.h"
#include "mount-util.h"
#include "nulstr-util.h" #include "nulstr-util.h"
#include "openssl-util.h" #include "openssl-util.h"
#include "parse-util.h" #include "parse-util.h"
@ -290,8 +292,9 @@ int home_setup_fscrypt(
int r; int r;
assert(h); assert(h);
assert(setup);
assert(user_record_storage(h) == USER_FSCRYPT); assert(user_record_storage(h) == USER_FSCRYPT);
assert(setup);
assert(setup->root_fd < 0);
assert_se(ip = user_record_image_path(h)); assert_se(ip = user_record_image_path(h));
@ -361,6 +364,33 @@ int home_setup_fscrypt(
} }
} }
/* We'll bind mount the image directory to a new mount point where we'll start adjusting it. Only
* once that's complete we'll move the thing to its final place eventually. */
r = home_unshare_and_mkdir();
if (r < 0)
return r;
r = mount_follow_verbose(LOG_ERR, ip, HOME_RUNTIME_WORK_DIR, NULL, MS_BIND, NULL);
if (r < 0)
return r;
setup->undo_mount = true;
/* Turn off any form of propagation for this */
r = mount_nofollow_verbose(LOG_ERR, NULL, HOME_RUNTIME_WORK_DIR, NULL, MS_PRIVATE, NULL);
if (r < 0)
return r;
/* Adjust MS_SUID and similar flags */
r = mount_nofollow_verbose(LOG_ERR, NULL, HOME_RUNTIME_WORK_DIR, NULL, MS_BIND|MS_REMOUNT|user_record_mount_flags(h), NULL);
if (r < 0)
return r;
safe_close(setup->root_fd);
setup->root_fd = open(HOME_RUNTIME_WORK_DIR, O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW);
if (setup->root_fd < 0)
return log_error_errno(errno, "Failed to open home directory: %m");
return 0; return 0;
} }
@ -456,15 +486,16 @@ finish:
int home_create_fscrypt( int home_create_fscrypt(
UserRecord *h, UserRecord *h,
HomeSetup *setup,
char **effective_passwords, char **effective_passwords,
UserRecord **ret_home) { UserRecord **ret_home) {
_cleanup_(rm_rf_physical_and_freep) char *temporary = NULL; _cleanup_(rm_rf_physical_and_freep) char *temporary = NULL;
_cleanup_(user_record_unrefp) UserRecord *new_home = NULL; _cleanup_(user_record_unrefp) UserRecord *new_home = NULL;
_cleanup_(erase_and_freep) void *volume_key = NULL; _cleanup_(erase_and_freep) void *volume_key = NULL;
_cleanup_close_ int mount_fd = -1;
struct fscrypt_policy policy = {}; struct fscrypt_policy policy = {};
size_t volume_key_size = 512 / 8; size_t volume_key_size = 512 / 8;
_cleanup_close_ int root_fd = -1;
_cleanup_free_ char *d = NULL; _cleanup_free_ char *d = NULL;
uint32_t nr = 0; uint32_t nr = 0;
const char *ip; const char *ip;
@ -473,6 +504,7 @@ int home_create_fscrypt(
assert(h); assert(h);
assert(user_record_storage(h) == USER_FSCRYPT); assert(user_record_storage(h) == USER_FSCRYPT);
assert(setup);
assert(ret_home); assert(ret_home);
assert_se(ip = user_record_image_path(h)); assert_se(ip = user_record_image_path(h));
@ -488,11 +520,15 @@ int home_create_fscrypt(
temporary = TAKE_PTR(d); /* Needs to be destroyed now */ temporary = TAKE_PTR(d); /* Needs to be destroyed now */
root_fd = open(temporary, O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW); r = home_unshare_and_mkdir();
if (root_fd < 0) if (r < 0)
return r;
setup->root_fd = open(temporary, O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW);
if (setup->root_fd < 0)
return log_error_errno(errno, "Failed to open temporary home directory: %m"); return log_error_errno(errno, "Failed to open temporary home directory: %m");
if (ioctl(root_fd, FS_IOC_GET_ENCRYPTION_POLICY, &policy) < 0) { if (ioctl(setup->root_fd, FS_IOC_GET_ENCRYPTION_POLICY, &policy) < 0) {
if (ERRNO_IS_NOT_SUPPORTED(errno)) { if (ERRNO_IS_NOT_SUPPORTED(errno)) {
log_error_errno(errno, "File system does not support fscrypt: %m"); log_error_errno(errno, "File system does not support fscrypt: %m");
return -ENOLINK; /* make recognizable */ return -ENOLINK; /* make recognizable */
@ -526,13 +562,13 @@ int home_create_fscrypt(
log_info("Uploaded volume key to kernel."); log_info("Uploaded volume key to kernel.");
if (ioctl(root_fd, FS_IOC_SET_ENCRYPTION_POLICY, &policy) < 0) if (ioctl(setup->root_fd, FS_IOC_SET_ENCRYPTION_POLICY, &policy) < 0)
return log_error_errno(errno, "Failed to set fscrypt policy on directory: %m"); return log_error_errno(errno, "Failed to set fscrypt policy on directory: %m");
log_info("Encryption policy set."); log_info("Encryption policy set.");
STRV_FOREACH(i, effective_passwords) { STRV_FOREACH(i, effective_passwords) {
r = fscrypt_slot_set(root_fd, volume_key, volume_key_size, *i, nr); r = fscrypt_slot_set(setup->root_fd, volume_key, volume_key_size, *i, nr);
if (r < 0) if (r < 0)
return r; return r;
@ -541,11 +577,26 @@ int home_create_fscrypt(
(void) home_update_quota_classic(h, temporary); (void) home_update_quota_classic(h, temporary);
r = home_populate(h, root_fd); r = home_shift_uid(setup->root_fd, HOME_RUNTIME_WORK_DIR, h->uid, h->uid, &mount_fd);
if (r > 0)
setup->undo_mount = true; /* If uidmaps worked we have a mount to undo again */
if (mount_fd >= 0) {
/* If we have established a new mount, then we can use that as new root fd to our home directory. */
safe_close(setup->root_fd);
setup->root_fd = fd_reopen(mount_fd, O_RDONLY|O_CLOEXEC|O_DIRECTORY);
if (setup->root_fd < 0)
return log_error_errno(setup->root_fd, "Unable to convert mount fd into proper directory fd: %m");
mount_fd = safe_close(mount_fd);
}
r = home_populate(h, setup->root_fd);
if (r < 0) if (r < 0)
return r; return r;
r = home_sync_and_statfs(root_fd, NULL); r = home_sync_and_statfs(setup->root_fd, NULL);
if (r < 0) if (r < 0)
return r; return r;
@ -570,6 +621,12 @@ int home_create_fscrypt(
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to add binding to record: %m"); return log_error_errno(r, "Failed to add binding to record: %m");
setup->root_fd = safe_close(setup->root_fd);
r = home_setup_undo_mount(setup, LOG_ERR);
if (r < 0)
return r;
if (rename(temporary, ip) < 0) if (rename(temporary, ip) < 0)
return log_error_errno(errno, "Failed to rename %s to %s: %m", temporary, ip); return log_error_errno(errno, "Failed to rename %s to %s: %m", temporary, ip);
@ -635,7 +692,6 @@ int home_passwd_fscrypt(
continue; continue;
if (fremovexattr(setup->root_fd, xa) < 0) if (fremovexattr(setup->root_fd, xa) < 0)
if (errno != ENODATA) if (errno != ENODATA)
log_warning_errno(errno, "Failed to remove xattr %s: %m", xa); log_warning_errno(errno, "Failed to remove xattr %s: %m", xa);
} }

View File

@ -5,6 +5,7 @@
#include "user-record.h" #include "user-record.h"
int home_setup_fscrypt(UserRecord *h, const PasswordCache *cache, HomeSetup *setup); int home_setup_fscrypt(UserRecord *h, const PasswordCache *cache, HomeSetup *setup);
int home_create_fscrypt(UserRecord *h, char **effective_passwords, UserRecord **ret_home);
int home_create_fscrypt(UserRecord *h, HomeSetup *setup, char **effective_passwords, UserRecord **ret_home);
int home_passwd_fscrypt(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords); int home_passwd_fscrypt(UserRecord *h, HomeSetup *setup, const PasswordCache *cache, char **effective_passwords);

View File

@ -298,6 +298,22 @@ static void drop_caches_now(void) {
log_debug("Dropped caches."); log_debug("Dropped caches.");
} }
int home_setup_undo_mount(HomeSetup *setup, int level) {
int r;
assert(setup);
if (!setup->undo_mount)
return 0;
r = umount_verbose(level, HOME_RUNTIME_WORK_DIR, UMOUNT_NOFOLLOW);
if (r < 0)
return r;
setup->undo_mount = false;
return 1;
}
int home_setup_done(HomeSetup *setup) { int home_setup_done(HomeSetup *setup) {
int r = 0, q; int r = 0, q;
@ -316,11 +332,9 @@ int home_setup_done(HomeSetup *setup) {
setup->root_fd = safe_close(setup->root_fd); setup->root_fd = safe_close(setup->root_fd);
} }
if (setup->undo_mount) { q = home_setup_undo_mount(setup, LOG_DEBUG);
q = umount_verbose(LOG_DEBUG, HOME_RUNTIME_WORK_DIR, UMOUNT_NOFOLLOW); if (q < 0)
if (q < 0) r = q;
r = q;
}
if (setup->undo_dm && setup->crypt_device && setup->dm_name) { if (setup->undo_dm && setup->crypt_device && setup->dm_name) {
q = sym_crypt_deactivate_by_name(setup->crypt_device, setup->dm_name, 0); q = sym_crypt_deactivate_by_name(setup->crypt_device, setup->dm_name, 0);
@ -1272,7 +1286,7 @@ static int home_create(UserRecord *h, UserRecord **ret_home) {
break; break;
case USER_FSCRYPT: case USER_FSCRYPT:
r = home_create_fscrypt(h, effective_passwords, &new_home); r = home_create_fscrypt(h, &setup, effective_passwords, &new_home);
break; break;
case USER_CIFS: case USER_CIFS:

View File

@ -70,6 +70,8 @@ typedef enum HomeSetupFlags {
int home_setup_done(HomeSetup *setup); int home_setup_done(HomeSetup *setup);
int home_setup_undo_mount(HomeSetup *setup, int level);
int home_setup(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_header_home); int home_setup(UserRecord *h, HomeSetupFlags flags, PasswordCache *cache, HomeSetup *setup, UserRecord **ret_header_home);
int home_refresh(UserRecord *h, HomeSetup *setup, UserRecord *header_home, PasswordCache *cache, struct statfs *ret_statfs, UserRecord **ret_new_home); int home_refresh(UserRecord *h, HomeSetup *setup, UserRecord *header_home, PasswordCache *cache, struct statfs *ret_statfs, UserRecord **ret_new_home);