Index: defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.294
diff -u -r1.294 rc.conf
--- defaults/rc.conf 17 Aug 2006 20:13:24 -0000 1.294
+++ defaults/rc.conf 30 Aug 2006 17:40:58 -0000
@@ -55,13 +55,17 @@
 # Experimental - test before enabling
 gbde_autoattach_all="NO" # YES automatically mounts gbde devices from fstab
-gbde_devices="NO" # Devices to automatically attach (list, or AUTO)
+gbde_devices="ENCTMP" # Devices to automatically attach (list, or AUTO/ENCTMP)
+ # Set to ENCTMP to auto-mount enctmp devices only
+gbde_enctmp_devices="" # Encrypted /tmp devices listed in /etc/fstab
 gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices
 gbde_lockdir="/etc" # Where to look for gbde lockfiles
 # GELI disk encryption configuration.
 geli_devices="" # List of devices to automatically attach in addition to
 # GELI devices listed in /etc/fstab.
+geli_enctmp_devices="" # GELI encrypted /tmp devices listed in /etc/fstab
+geli_enctmp_flags="-e AES -l 256 -s 4096" # Encrypted /tmp flags
 geli_tries="" # Number of times to attempt attaching geli device.
 # If empty, kern.geom.eli.tries will be used.
 geli_default_flags="" # Default flags for geli(8).
Index: rc.d/gbde
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/gbde,v
retrieving revision 1.13
diff -u -r1.13 gbde
--- rc.d/gbde 14 Aug 2005 17:28:15 -0000 1.13
+++ rc.d/gbde 30 Aug 2006 17:40:59 -0000
@@ -7,6 +7,7 @@
 #
 # PROVIDE: disks
+# REQUIRE: initrandom
 # KEYWORD: nojail
 . /etc/rc.subr
@@ -19,10 +20,13 @@
 find_gbde_devices()
 {
- case "${gbde_devices-auto}" in
+ case "${gbde_devices:-enctmp}" in
 [Aa][Uu][Tt][Oo])
 gbde_devices=""
 ;;
+ [Ee][Nn][Cc][Tt][Mm][Pp])
+ gbde_devices="${gbde_enctmp_devices}"
+ ;;
 *)
 return 0
 ;;
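Review bot: The new `gbde_enctmp_devices` and `geli_enctmp_devices` comments do not say that a listed device is re-keyed and re-formatted on every boot — rc.d/gbde runs `gbde init` followed by `newfs -U` and rc.d/geli runs `geli onetime` followed by `newfs -U` — so an administrator who lists the wrong partition here loses its contents. I would extend both comments, e.g. `gbde_enctmp_devices=""	# Encrypted /tmp devices listed in /etc/fstab (re-keyed and newfs'd on every boot; contents are discarded)`. The default also moves from `gbde_devices="NO"` to `"ENCTMP"`, which appears to make rc.d/gbde act without an explicit opt-in (what the ENCTMP arm does after `esac` is outside the gbde hunk, so I cannot tell whether it still scans fstab); that deserves a sentence in the comment as well.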
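Review bot: The new `[Ee][Nn][Cc][Tt][Mm][Pp])` arm assigns `gbde_devices` and falls out of the `case` without the `return 0` that the `*)` arm uses, so whatever follows `esac` (outside this hunk — presumably the fstab scan the AUTO arm relies on) also runs for ENCTMP, which contradicts the rc.conf wording "auto-mount enctmp devices only". Because the operand is now `${gbde_devices:-enctmp}` rather than `${gbde_devices-auto}`, an explicitly empty `gbde_devices=""` is also no longer a way to disable attaching. If "only" is intended, add `return 0` to the arm; otherwise correct the rc.conf comment, and in either case a one-line comment on the arm stating whether the fstab scan still applies would help the next reader. The body of `find_gbde_devices` continues past the end of this hunk.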
@@ -82,24 +86,45 @@
 parent=${device%.bde}
 parent=${parent#/dev/}
 parent_=`ltr ${parent} '/' '_'`
- eval "lock=\${gbde_lock_${parent_}-\"${gbde_lockdir}/${parent_}.lock\"}"
- if [ -e "/dev/${parent}" -a ! -e "/dev/${parent}.bde" ]; then
- echo "Configuring Disk Encryption for ${parent}."
- count=1
- while [ ${count} -le ${gbde_attach_attempts} ]; do
- if [ -e "${lock}" ]; then
- gbde attach ${parent} -l ${lock}
- else
- gbde attach ${parent}
- fi
- if [ -e "/dev/${parent}.bde" ]; then
+ istmp=0
+
+ if [ ! -z "${gbde_enctmp_devices}" ]; then
+ for dev in ${gbde_enctmp_devices}; do
+ if [ ${dev} = ${parent} ]; then
+ istmp=1
 break
 fi
- echo "Attach failed; attempt ${count} of ${gbde_attach_attempts}."
- count=$((${count} + 1))
 done
 fi
+
+ eval "lock=\${gbde_lock_${parent_}-\"${gbde_lockdir}/${parent_}.lock\"}"
+ if [ -e "/dev/${parent}" -a ! -e "/dev/${parent}.bde" ]; then
+ if [ ${istmp} -eq 1 ]; then
+ echo "Configuring Encrypted Temporary Space for ${parent}."
+
+ passphrase=`dd if=/dev/random count=1 2>/dev/null | md5 -q`
+ gbde init "${device}" -P "${passphrase}" \
+ && gbde attach "${device}" -p "${passphrase}" \
+ && newfs -U /dev/${device}.bde
+ else
+ echo "Configuring Disk Encryption for ${parent}."
+
+ count=1
+ while [ ${count} -le ${gbde_attach_attempts} ]; do
+ if [ -e "${lock}" ]; then
+ gbde attach ${parent} -l ${lock}
+ else
+ gbde attach ${parent}
+ fi
+ if [ -e "/dev/${parent}.bde" ]; then
+ break
+ fi
+ echo "Attach failed; attempt ${count} of ${gbde_attach_attempts}."
+ count=$((${count} + 1))
+ done
+ fi
+ fi
 done
 }
Index: rc.d/gbde2
===================================================================
RCS file: rc.d/gbde2
diff -N rc.d/gbde2
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ rc.d/gbde2 30 Aug 2006 17:40:59 -0000
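Review bot: The encrypted-tmp branch passes `"${device}"` to `gbde init` and `gbde attach` and builds `/dev/${device}.bde` for `newfs`, while the `istmp` match and the attach branch use the normalised `${parent}` (leading `/dev/` and trailing `.bde` stripped), so a `gbde_enctmp_devices` entry spelled the way fstab spells it matches as tmp but is then initialised and newfs'd through a malformed path; use `${parent}` in all three places, as the geli counterpart does with `${provider}`. The key comes from `dd ... | md5 -q` with no check that the pipeline produced output, so a failure there sends an empty `-P` to `gbde init`; guard the chain with `[ -n "${passphrase}" ] ||` and print a failure message on the `&&` chain's failure, mirroring the "Attach failed" diagnostics of the other branch. Unlike `geli onetime`, this hands the key material over on the command line, where it is visible to `ps` during the boot window; it is a throwaway key, but a comment saying so would stop a later reader from reusing the pattern for persistent volumes. The enclosing loop starts before this hunk.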
@@ -0,0 +1,53 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 Shaun Amott
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: gbde2
+# REQUIRE: mountcritlocal
+# KEYWORD: nojail
+# BEFORE: tmp
+
+. /etc/rc.subr
+
+name="gbde2"
+start_cmd="gbde2_start"
+stop_cmd=":"
+
+gbde2_start()
+{
+ for provider in ${gbde_enctmp_devices}; do
+ mountpoint=`awk "/^\/dev\/${provider}/ {print \\$2}" /etc/fstab`
+ ismounted=`mount | awk "/^\/dev\/${provider}/ {print \\$3}"`
+ if [ ! -z "${mountpoint}" -a "${mountpoint}" = "${ismounted}" ]; then
+ chmod 1777 ${mountpoint}
+ fi
+ done
+}
+
+load_rc_config $name
+run_rc_command "$1"
Index: rc.d/geli
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/geli,v
retrieving revision 1.3
diff -u -r1.3 geli
--- rc.d/geli 23 Sep 2005 23:53:35 -0000 1.3
+++ rc.d/geli 30 Aug 2006 17:40:59 -0000
@@ -60,21 +60,42 @@
 for provider in ${devices}; do
 provider_=`ltr ${provider} '/' '_'`
+ istmp=0
+
+ if [ ! -z "${geli_enctmp_devices}" ]; then
+ for prov in ${geli_enctmp_devices}; do
+ if [ ${prov} = ${provider} ]; then
+ istmp=1
+ break
+ fi
+ done
+ fi
+
 eval "flags=\${geli_${provider_}_flags}"
 if [ -z "${flags}" ]; then
- flags=${geli_default_flags}
+ if [ ${istmp} -eq 1 ]; then
+ flags=${geli_enctmp_flags}
+ else
+ flags=${geli_default_flags}
+ fi
 fi
 if [ -e "/dev/${provider}" -a ! -e "/dev/${provider}.eli" ]; then
- echo "Configuring Disk Encryption for ${provider}."
- count=1
- while [ ${count} -le ${geli_tries} ]; do
- geli attach ${flags} ${provider}
- if [ -e "/dev/${provider}.eli" ]; then
- break
- fi
- echo "Attach failed; attempt ${count} of ${geli_tries}."
- count=$((count+1))
- done
+ if [ ${istmp} -eq 1 ]; then
+ echo "Configuring Encrypted Temporary Space for ${provider}."
+ geli onetime ${flags} ${provider} \
+ && newfs -U /dev/${provider}.eli
+ else
+ echo "Configuring Disk Encryption for ${provider}."
+ count=1
+ while [ ${count} -le ${geli_tries} ]; do
+ geli attach ${flags} ${provider}
+ if [ -e "/dev/${provider}.eli" ]; then
+ break
+ fi
+ echo "Attach failed; attempt ${count} of ${geli_tries}."
+ count=$((count+1))
+ done
+ fi
 fi
 done
 }
Index: rc.d/geli2
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/geli2,v
retrieving revision 1.1
diff -u -r1.1 geli2
--- rc.d/geli2 14 Aug 2005 18:02:21 -0000 1.1
+++ rc.d/geli2 30 Aug 2006 17:40:59 -0000
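Review bot: `gbde2_start` selects the mountpoint with an unanchored prefix regex, `/^\/dev\/${provider}/`, against /etc/fstab and the output of `mount`, so a provider such as `ad0s1` also matches `/dev/ad0s1a`, `/dev/ad0s1d` and so on; when exactly one unrelated line matches on both sides, the script runs `chmod 1777` on a filesystem that was never meant to be world-writable, and when several match the multi-line result merely fails the equality test silently. Compare the whole field and pass the name in with `-v` instead of splicing it into the awk program: `mountpoint=\`awk -v dev="/dev/${provider}.bde" '$1 == dev {print $2}' /etc/fstab\`` and `ismounted=\`mount | awk -v dev="/dev/${provider}.bde" '$1 == dev {print $3}'\``, and quote `"${mountpoint}"` in the chmod. The identical lookup, with `.eli`, is added to rc.d/geli2 in its @@ -44 hunk and should get the same fix.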
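Review bot: In the `istmp` branch, `geli onetime ${flags} ${provider} \ && newfs -U /dev/${provider}.eli` reports nothing when `geli onetime` fails, whereas the attach branch prints "Attach failed"; the problem then only surfaces when /tmp cannot be mounted later in boot. Append a diagnostic to the chain, e.g. `|| echo "Failed to configure Encrypted Temporary Space for ${provider}."`. Note also that `${flags}` is taken from the per-provider `geli_${provider_}_flags` when set, which before this change only ever reached `geli attach`; an attach-only option configured there (for example `-k keyfile`) will now be passed to `geli onetime`, so a comment on the `istmp` flag selection saying that per-provider flags must be valid for `onetime` on enctmp devices would avoid surprises. The enclosing `geli_start` begins before this hunk.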
@@ -30,6 +30,7 @@
 # PROVIDE: geli2
 # REQUIRE: mountcritlocal
 # KEYWORD: nojail
+# BEFORE: tmp
 . /etc/rc.subr
@@ -44,6 +45,25 @@
 for provider in ${devices}; do
 provider_=`ltr ${provider} '/' '_'`
+ istmp=0
+
+ if [ ! -z "${geli_enctmp_devices}" ]; then
+ for prov in ${geli_enctmp_devices}; do
+ if [ ${prov} = ${provider} ]; then
+ istmp=1
+ break
+ fi
+ done
+ fi
+
+ if [ ${istmp} -eq 1 ]; then
+ mountpoint=`awk "/^\/dev\/${provider}/ {print \\$2}" /etc/fstab`
+ ismounted=`mount | awk "/^\/dev\/${provider}/ {print \\$3}"`
+ if [ ! -z "${mountpoint}" -a "${mountpoint}" = "${ismounted}" ]; then
+ chmod 1777 ${mountpoint}
+ fi
+ fi
+
 eval "autodetach=\${geli_${provider_}_autodetach}"
 if [ -z "${autodetach}" ]; then
 autodetach=${geli_autodetach}