FreeBSD Bugzilla – Attachment 70373 Details for Bug 102700: [geli] [patch] Add encrypted /tmp support to GELI/GBDE rc.d scripts
[patch] encswap.diff
encswap.diff (text/plain), 8.33 KB, created by Shaun Amott on 2006-08-30 18:50:20 UTC

Description: encswap.diff
Filename: encswap.diff
MIME Type: text/plain
Creator: Shaun Amott
Created: 2006-08-30 18:50:20 UTC
Size: 8.33 KB
Flags: patch, obsolete
>Index: defaults/rc.conf >=================================================================== >RCS file: /home/ncvs/src/etc/defaults/rc.conf,v >retrieving revision 1.294 >diff -u -r1.294 rc.conf >--- defaults/rc.conf 17 Aug 2006 20:13:24 -0000 1.294 >+++ defaults/rc.conf 30 Aug 2006 17:40:58 -0000 >@@ -55,13 +55,17 @@ > > # Experimental - test before enabling > gbde_autoattach_all="NO" # YES automatically mounts gbde devices from fstab >-gbde_devices="NO" # Devices to automatically attach (list, or AUTO) >+gbde_devices="ENCTMP" # Devices to automatically attach (list, or AUTO/ENCTMP) >+ # Set to ENCTMP to auto-mount enctmp devices only >+gbde_enctmp_devices="" # Encrypted /tmp devices listed in /etc/fstab > gbde_attach_attempts="3" # Number of times to attempt attaching gbde devices > gbde_lockdir="/etc" # Where to look for gbde lockfiles > > # GELI disk encryption configuration. > geli_devices="" # List of devices to automatically attach in addition to > # GELI devices listed in /etc/fstab. >+geli_enctmp_devices="" # GELI encrypted /tmp devices listed in /etc/fstab >+geli_enctmp_flags="-e AES -l 256 -s 4096" # Encrypted /tmp flags > geli_tries="" # Number of times to attempt attaching geli device. > # If empty, kern.geom.eli.tries will be used. > geli_default_flags="" # Default flags for geli(8). >Index: rc.d/gbde >=================================================================== >RCS file: /home/ncvs/src/etc/rc.d/gbde,v >retrieving revision 1.13 >diff -u -r1.13 gbde >--- rc.d/gbde 14 Aug 2005 17:28:15 -0000 1.13 >+++ rc.d/gbde 30 Aug 2006 17:40:59 -0000 >@@ -7,6 +7,7 @@ > # > > # PROVIDE: disks >+# REQUIRE: initrandom > # KEYWORD: nojail > > . /etc/rc.subr >@@ -19,10 +20,13 @@ > > find_gbde_devices() > { >- case "${gbde_devices-auto}" in >+ case "${gbde_devices:-enctmp}" in > [Aa][Uu][Tt][Oo]) > gbde_devices="" > ;; >+ [Ee][Nn][Cc][Tt][Mm][Pp]) >+ gbde_devices="${gbde_enctmp_devices}" >+ ;; > *) > return 0 > ;; 
>@@ -82,24 +86,45 @@ > parent=${device%.bde} > parent=${parent#/dev/} > parent_=`ltr ${parent} '/' '_'` >- eval "lock=\${gbde_lock_${parent_}-\"${gbde_lockdir}/${parent_}.lock\"}" >- if [ -e "/dev/${parent}" -a ! -e "/dev/${parent}.bde" ]; then >- echo "Configuring Disk Encryption for ${parent}." > >- count=1 >- while [ ${count} -le ${gbde_attach_attempts} ]; do >- if [ -e "${lock}" ]; then >- gbde attach ${parent} -l ${lock} >- else >- gbde attach ${parent} >- fi >- if [ -e "/dev/${parent}.bde" ]; then >+ istmp=0 >+ >+ if [ ! -z "${gbde_enctmp_devices}" ]; then >+ for dev in ${gbde_enctmp_devices}; do >+ if [ ${dev} = ${parent} ]; then >+ istmp=1 > break > fi >- echo "Attach failed; attempt ${count} of ${gbde_attach_attempts}." >- count=$((${count} + 1)) > done > fi >+ >+ eval "lock=\${gbde_lock_${parent_}-\"${gbde_lockdir}/${parent_}.lock\"}" >+ if [ -e "/dev/${parent}" -a ! -e "/dev/${parent}.bde" ]; then >+ if [ ${istmp} -eq 1 ]; then >+ echo "Configuring Encrypted Temporary Space for ${parent}." >+ >+ passphrase=`dd if=/dev/random count=1 2>/dev/null | md5 -q` >+ gbde init "${device}" -P "${passphrase}" \ >+ && gbde attach "${device}" -p "${passphrase}" \ >+ && newfs -U /dev/${device}.bde >+ else >+ echo "Configuring Disk Encryption for ${parent}." >+ >+ count=1 >+ while [ ${count} -le ${gbde_attach_attempts} ]; do >+ if [ -e "${lock}" ]; then >+ gbde attach ${parent} -l ${lock} >+ else >+ gbde attach ${parent} >+ fi >+ if [ -e "/dev/${parent}.bde" ]; then >+ break >+ fi >+ echo "Attach failed; attempt ${count} of ${gbde_attach_attempts}." >+ count=$((${count} + 1)) >+ done >+ fi >+ fi > done > } > >Index: rc.d/gbde2 >=================================================================== >RCS file: rc.d/gbde2 >diff -N rc.d/gbde2 >--- /dev/null 1 Jan 1970 00:00:00 -0000 >+++ rc.d/gbde2 30 Aug 2006 17:40:59 -0000 
>@@ -0,0 +1,53 @@ >+#!/bin/sh >+# >+# Copyright (c) 2006 Shaun Amott <shaun@FreeBSD.org> >+# All rights reserved. >+# >+# Redistribution and use in source and binary forms, with or without >+# modification, are permitted provided that the following conditions >+# are met: >+# 1. Redistributions of source code must retain the above copyright >+# notice, this list of conditions and the following disclaimer. >+# 2. Redistributions in binary form must reproduce the above copyright >+# notice, this list of conditions and the following disclaimer in the >+# documentation and/or other materials provided with the distribution. >+# >+# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND >+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE >+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE >+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE >+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL >+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS >+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) >+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT >+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY >+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF >+# SUCH DAMAGE. >+# >+# $FreeBSD$ >+# >+ >+# PROVIDE: gbde2 >+# REQUIRE: mountcritlocal >+# KEYWORD: nojail >+# BEFORE: tmp >+ >+. /etc/rc.subr >+ >+name="gbde2" >+start_cmd="gbde2_start" >+stop_cmd=":" >+ >+gbde2_start() >+{ >+ for provider in ${gbde_enctmp_devices}; do >+ mountpoint=`awk "/^\/dev\/${provider}/ {print \\$2}" /etc/fstab` >+ ismounted=`mount | awk "/^\/dev\/${provider}/ {print \\$3}"` >+ if [ ! 
-z "${mountpoint}" -a "${mountpoint}" = "${ismounted}" ]; then >+ chmod 1777 ${mountpoint} >+ fi >+ done >+} >+ >+load_rc_config $name >+run_rc_command "$1" >Index: rc.d/geli >=================================================================== >RCS file: /home/ncvs/src/etc/rc.d/geli,v >retrieving revision 1.3 >diff -u -r1.3 geli >--- rc.d/geli 23 Sep 2005 23:53:35 -0000 1.3 >+++ rc.d/geli 30 Aug 2006 17:40:59 -0000 
>@@ -60,21 +60,42 @@ > for provider in ${devices}; do > provider_=`ltr ${provider} '/' '_'` > >+ istmp=0 >+ >+ if [ ! -z "${geli_enctmp_devices}" ]; then >+ for prov in ${geli_enctmp_devices}; do >+ if [ ${prov} = ${provider} ]; then >+ istmp=1 >+ break >+ fi >+ done >+ fi >+ > eval "flags=\${geli_${provider_}_flags}" > if [ -z "${flags}" ]; then >- flags=${geli_default_flags} >+ if [ ${istmp} -eq 1 ]; then >+ flags=${geli_enctmp_flags} >+ else >+ flags=${geli_default_flags} >+ fi > fi > if [ -e "/dev/${provider}" -a ! -e "/dev/${provider}.eli" ]; then >- echo "Configuring Disk Encryption for ${provider}." >- count=1 >- while [ ${count} -le ${geli_tries} ]; do >- geli attach ${flags} ${provider} >- if [ -e "/dev/${provider}.eli" ]; then >- break >- fi >- echo "Attach failed; attempt ${count} of ${geli_tries}." >- count=$((count+1)) >- done >+ if [ ${istmp} -eq 1 ]; then >+ echo "Configuring Encrypted Temporary Space for ${provider}." >+ geli onetime ${flags} ${provider} \ >+ && newfs -U /dev/${provider}.eli >+ else >+ echo "Configuring Disk Encryption for ${provider}." >+ count=1 >+ while [ ${count} -le ${geli_tries} ]; do >+ geli attach ${flags} ${provider} >+ if [ -e "/dev/${provider}.eli" ]; then >+ break >+ fi >+ echo "Attach failed; attempt ${count} of ${geli_tries}." >+ count=$((count+1)) >+ done >+ fi > fi > done > } >Index: rc.d/geli2 >=================================================================== >RCS file: /home/ncvs/src/etc/rc.d/geli2,v >retrieving revision 1.1 >diff -u -r1.1 geli2 >--- rc.d/geli2 14 Aug 2005 18:02:21 -0000 1.1 >+++ rc.d/geli2 30 Aug 2006 17:40:59 -0000 >@@ -30,6 +30,7 @@ > # PROVIDE: geli2 > # REQUIRE: mountcritlocal > # KEYWORD: nojail >+# BEFORE: tmp > > . /etc/rc.subr 
> >@@ -44,6 +45,25 @@ > for provider in ${devices}; do > provider_=`ltr ${provider} '/' '_'` > >+ istmp=0 >+ >+ if [ ! -z "${geli_enctmp_devices}" ]; then >+ for prov in ${geli_enctmp_devices}; do >+ if [ ${prov} = ${provider} ]; then >+ istmp=1 >+ break >+ fi >+ done >+ fi >+ >+ if [ ${istmp} -eq 1 ]; then >+ mountpoint=`awk "/^\/dev\/${provider}/ {print \\$2}" /etc/fstab` >+ ismounted=`mount | awk "/^\/dev\/${provider}/ {print \\$3}"` >+ if [ ! -z "${mountpoint}" -a "${mountpoint}" = "${ismounted}" ]; then >+ chmod 1777 ${mountpoint} >+ fi >+ fi >+ > eval "autodetach=\${geli_${provider_}_autodetach}" > if [ -z "${autodetach}" ]; then > autodetach=${geli_autodetach}
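Review bot: in the defaults/rc.conf hunk the shipped default for `gbde_devices` changes from `NO` to `ENCTMP`, so an install that never set the knob no longer takes the `*) return 0` early exit in find_gbde_devices; with `gbde_enctmp_devices` empty the ENCTMP branch sets `gbde_devices=""` and falls through exactly as the AUTO branch does. Either keep `NO` as the default and document `ENCTMP` as an opt-in value, or say in the comment that the default now behaves like AUTO with an empty list. The `geli_enctmp_flags` default (`-e AES -l 256 -s 4096`) also deserves a comment stating that these flags go to `geli onetime` and that a per-device `geli_<provider>_flags` setting overrides them, since that precedence is implemented in the rc.d/geli hunk but not visible from rc.conf.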
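Review bot: the `# REQUIRE: initrandom` added to rc.d/gbde is needed because the enctmp branch reads `/dev/random` for its passphrase, but it reorders rc.d/gbde for every gbde user, not only enctmp ones, which is worth a sentence in the commit message. The same question applies to rc.d/geli: the `geli onetime` path depends on a freshly generated random key, yet this patch adds no equivalent REQUIRE line there.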
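Review bot: replacing `${gbde_devices-auto}` with `${gbde_devices:-enctmp}` in find_gbde_devices changes how an explicitly empty `gbde_devices=""` is treated: before, an empty value fell through to `*) return 0` and attached nothing; now it is handled as ENCTMP. If that is intended, state it in the rc.conf comment; otherwise keep the `-` form and change only the fallback word.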
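Review bot: in the large rc.d/gbde hunk the enctmp branch passes `${device}` to `gbde init`, `gbde attach` and `newfs -U /dev/${device}.bde`, while the attach branch directly below uses `${parent}`, which is `${device}` with a leading `/dev/` and trailing `.bde` stripped. If an entry ever arrives in the `/dev/foo.bde` form, the tmp path would try `gbde init /dev/foo.bde` and `newfs` on `/dev//dev/foo.bde.bde`; use `${parent}` in all three places. Two smaller points: the `istmp` loop compares the raw `${dev}` from `gbde_enctmp_devices` against the stripped `${parent}`, so entries must be bare provider names and rc.conf should say so; and `-P`/`-p` put the throwaway passphrase in the argv of `gbde`, where it is visible in `ps` for as long as the command runs, while a failure anywhere in the `init && attach && newfs` chain prints nothing, unlike the attach branch which reports each failed attempt.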
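Review bot: in gbde2_start the provider name is interpolated unescaped into an awk regex, `/^\/dev\/${provider}/`, so a provider containing `/` (gmirror, gstripe or glabel names such as `mirror/gm0s1d`) terminates the pattern early and produces an awk syntax error, and because the match is only anchored at the start, `ad0s1` also matches `/dev/ad0s1d.bde`. Compare the field exactly instead, e.g. `awk -v dev="/dev/${provider}.bde" '$1 == dev { print $2 }' /etc/fstab`, and the same `$1 == dev` test with `$3` on the `mount` output; that also removes the need for the double-escaped `\\$2`. The `chmod 1777` is correctly guarded by requiring the fstab mount point to equal the currently mounted path.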
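Review bot: the enctmp branch in rc.d/geli, `geli onetime ${flags} ${provider} && newfs -U /dev/${provider}.eli`, is silent on failure while the attach branch below it prints `Attach failed; attempt ...`; add an `|| echo` with a message for the onetime path too, otherwise the only symptom is a failed /tmp mount later in rc. Using `geli onetime` here is the right choice: the one-time key is generated by geli(8) itself and never appears on a command line, which the gbde variant in this patch cannot achieve. Since the provider is gone after a reboot, `newfs -U` runs on every boot; that is expected, but the rc.conf comment for `geli_enctmp_devices` should say that the device is recreated and wiped each boot.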
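Review bot: the rc.d/geli2 hunk duplicates gbde2_start, including the unescaped awk regex `/^\/dev\/${provider}/`, and here the problem is concrete: the line just above computes `provider_` with `ltr ${provider} '/' '_'` precisely because geli providers can contain `/`, and such a provider breaks the pattern. Use an exact field comparison (`$1 == dev` with `awk -v dev="/dev/${provider}.eli"`) and consider moving the shared "look up mount point, chmod 1777" steps into one function in rc.subr so gbde2 and geli2 do not drift apart.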