| /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
| |
| #include <errno.h> |
| #include <stdbool.h> |
| #include <stdlib.h> |
| #include <sys/stat.h> |
| #include <unistd.h> |
| |
| #include "alloc-util.h" |
| #include "fd-util.h" |
| #include "fileio.h" |
| #include "fstab-util.h" |
| #include "generator.h" |
| #include "hexdecoct.h" |
| #include "id128-util.h" |
| #include "integrity-util.h" |
| #include "main-func.h" |
| #include "mkdir.h" |
| #include "parse-util.h" |
| #include "path-util.h" |
| #include "proc-cmdline.h" |
| #include "specifier.h" |
| #include "string-util.h" |
| #include "unit-name.h" |
| |
| static const char *arg_dest = NULL; |
| static const char *arg_integritytab = NULL; |
| static char *arg_options = NULL; |
| STATIC_DESTRUCTOR_REGISTER(arg_options, freep); |
| |
| static int create_disk( |
| const char *name, |
| const char *device, |
| const char *key_file, |
| const char *options) { |
| |
| _cleanup_free_ char *n = NULL, *dd = NULL, *e = NULL, *name_escaped = NULL, *key_file_escaped = NULL; |
| _cleanup_fclose_ FILE *f = NULL; |
| int r; |
| char *dmname = NULL; |
| |
| assert(name); |
| assert(device); |
| |
| name_escaped = specifier_escape(name); |
| if (!name_escaped) |
| return log_oom(); |
| |
| e = unit_name_escape(name); |
| if (!e) |
| return log_oom(); |
| |
| r = unit_name_build("systemd-integritysetup", e, ".service", &n); |
| if (r < 0) |
| return log_error_errno(r, "Failed to generate unit name: %m"); |
| |
| r = unit_name_from_path(device, ".device", &dd); |
| if (r < 0) |
| return log_error_errno(r, "Failed to generate unit name: %m"); |
| |
| r = generator_open_unit_file(arg_dest, NULL, n, &f); |
| if (r < 0) |
| return r; |
| |
| if (key_file) { |
| if (!path_is_absolute(key_file)) |
| return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "key file not absolute file path %s", key_file); |
| |
| key_file_escaped = specifier_escape(key_file); |
| if (!key_file_escaped) |
| return log_oom(); |
| } |
| |
| if (options) { |
| r = parse_integrity_options(options, NULL, NULL, NULL, NULL, NULL); |
| if (r < 0) |
| return r; |
| } |
| |
| fprintf(f, |
| "[Unit]\n" |
| "Description=Integrity Setup for %%I\n" |
| "Documentation=man:integritytab(5) man:systemd-integritysetup-generator(8) man:systemd-integritysetup@.service(8)\n" |
| "SourcePath=%s\n" |
| "DefaultDependencies=no\n" |
| "IgnoreOnIsolate=true\n" |
| "After=integritysetup-pre.target systemd-udevd-kernel.socket\n" |
| "Before=blockdev@dev-mapper-%%i.target\n" |
| "Wants=blockdev@dev-mapper-%%i.target\n" |
| "Conflicts=umount.target\n" |
| "Before=integritysetup.target\n" |
| "BindsTo=%s\n" |
| "After=%s\n" |
| "Before=umount.target\n", |
| arg_integritytab, |
| dd, dd); |
| |
| fprintf(f, |
| "\n" |
| "[Service]\n" |
| "Type=oneshot\n" |
| "RemainAfterExit=yes\n" |
| "TimeoutSec=0\n" |
| "ExecStart=" ROOTLIBEXECDIR "/systemd-integritysetup attach '%s' '%s' '%s' '%s'\n" |
| "ExecStop=" ROOTLIBEXECDIR "/systemd-integritysetup detach '%s'\n", |
| name_escaped, device, empty_to_dash(key_file_escaped), empty_to_dash(options), |
| name_escaped); |
| |
| r = fflush_and_check(f); |
| if (r < 0) |
| return log_error_errno(r, "Failed to write unit file %s: %m", n); |
| |
| r = generator_add_symlink(arg_dest, "integritysetup.target", "requires", n); |
| if (r < 0) |
| return r; |
| |
| dmname = strjoina("dev-mapper-", e, ".device"); |
| return generator_add_symlink(arg_dest, dmname, "requires", n); |
| } |
| |
| static int add_integritytab_devices(void) { |
| _cleanup_fclose_ FILE *f = NULL; |
| unsigned integritytab_line = 0; |
| int r; |
| |
| r = fopen_unlocked(arg_integritytab, "re", &f); |
| if (r < 0) { |
| if (errno != ENOENT) |
| log_error_errno(errno, "Failed to open %s: %m", arg_integritytab); |
| return 0; |
| } |
| |
| for (;;) { |
| _cleanup_free_ char *line = NULL, *name = NULL, *device_id = NULL, *device_path = NULL, *key_file = NULL, *options = NULL; |
| char *l; |
| |
| r = read_line(f, LONG_LINE_MAX, &line); |
| if (r < 0) |
| return log_error_errno(r, "Failed to read %s: %m", arg_integritytab); |
| if (r == 0) |
| break; |
| |
| integritytab_line++; |
| |
| l = strstrip(line); |
| if (!l) |
| continue; |
| |
| if (IN_SET(l[0], 0, '#')) |
| continue; |
| |
| /* The key file and the options are optional */ |
| r = sscanf(l, "%ms %ms %ms %ms", &name, &device_id, &key_file, &options); |
| if (!IN_SET(r, 2, 3, 4)) { |
| log_error("Failed to parse %s:%u, ignoring.", l, integritytab_line); |
| continue; |
| } |
| |
| device_path = fstab_node_to_udev_node(device_id); |
| if (!device_path) { |
| log_error("Failed to find device %s:%u, ignoring.", device_id, integritytab_line); |
| continue; |
| } |
| |
| r = create_disk(name, device_path, empty_or_dash_to_null(key_file), empty_or_dash_to_null(options)); |
| if (r < 0) |
| return r; |
| } |
| |
| return 0; |
| } |
| |
| static int run(const char *dest, const char *dest_early, const char *dest_late) { |
| assert_se(arg_dest = dest); |
| |
| arg_integritytab = getenv("SYSTEMD_INTEGRITYTAB") ?: "/etc/integritytab"; |
| |
| return add_integritytab_devices(); |
| } |
| |
| DEFINE_MAIN_GENERATOR_FUNCTION(run); |