diff options
Diffstat (limited to 'scrub')
| -rw-r--r-- | scrub/Makefile.in | 22 | ||||
| -rw-r--r-- | scrub/e2scrub.in | 7 | ||||
| -rw-r--r-- | scrub/e2scrub@.service.in | 4 | ||||
| -rw-r--r-- | scrub/e2scrub_all.cron.in | 2 | ||||
| -rw-r--r-- | scrub/e2scrub_all.in | 26 | ||||
| -rw-r--r-- | scrub/e2scrub_fail.in | 10 | ||||
| -rw-r--r-- | scrub/e2scrub_fail@.service.in | 4 | ||||
| -rw-r--r-- | scrub/ext4.rules.in | 13 |
8 files changed, 54 insertions, 34 deletions
diff --git a/scrub/Makefile.in b/scrub/Makefile.in index 387f650..c97a1dd 100644 --- a/scrub/Makefile.in +++ b/scrub/Makefile.in @@ -18,6 +18,7 @@ CONFFILES= e2scrub.conf ifeq ($(HAVE_UDEV),yes) UDEV_RULES = e2scrub.rules +UDISKS_RULES = ext4.rules INSTALLDIRS_TGT += installdirs-udev INSTALL_TGT += install-udev UNINSTALL_TGT += uninstall-udev @@ -39,7 +40,7 @@ INSTALL_TGT += install-systemd install-libprogs UNINSTALL_TGT += uninstall-systemd uninstall-libprogs endif -all:: $(PROGS) $(MANPAGES) $(CONFFILES) $(UDEV_RULES) $(SERVICE_FILES) $(CRONTABS) $(LIBPROGS) +all:: $(PROGS) $(MANPAGES) $(CONFFILES) $(UDEV_RULES) $(UDISKS_RULES) $(SERVICE_FILES) $(CRONTABS) $(LIBPROGS) e2scrub: $(DEP_SUBSTITUTE) e2scrub.in $(E) " SUBST $@" @@ -94,8 +95,8 @@ installdirs-crond: $(Q) $(MKDIR_P) $(DESTDIR)$(CROND_DIR) installdirs-libprogs: - $(E) " MKDIR_P $(pkglibdir)" - $(Q) $(MKDIR_P) $(DESTDIR)$(pkglibdir) + $(E) " MKDIR_P $(pkglibexecdir)" + $(Q) $(MKDIR_P) $(DESTDIR)$(pkglibexecdir) installdirs-systemd: $(E) " MKDIR_P $(SYSTEMD_SYSTEM_UNIT_DIR)" @@ -111,6 +112,10 @@ install-udev: installdirs-udev $(ES) " INSTALL $(UDEV_RULES_DIR)/$$i"; \ $(INSTALL_DATA) $$i $(DESTDIR)$(UDEV_RULES_DIR)/96-$$i; \ done + $(Q) for i in $(UDISKS_RULES); do \ + $(ES) " INSTALL $(UDEV_RULES_DIR)/$$i"; \ + $(INSTALL_DATA) $$i $(DESTDIR)$(UDEV_RULES_DIR)/64-$$i; \ + done install-crond: installdirs-crond $(Q) if test -n "$(CRONTABS)" ; then \ @@ -120,8 +125,8 @@ install-crond: installdirs-crond install-libprogs: $(LIBPROGS) installdirs-libprogs $(Q) for i in $(LIBPROGS); do \ - $(ES) " INSTALL $(pkglibdir)/$$i"; \ - $(INSTALL_PROGRAM) $$i $(DESTDIR)$(pkglibdir)/$$i; \ + $(ES) " INSTALL $(pkglibexecdir)/$$i"; \ + $(INSTALL_PROGRAM) $$i $(DESTDIR)$(pkglibexecdir)/$$i; \ done install-systemd: $(SERVICE_FILES) installdirs-systemd @@ -153,6 +158,9 @@ uninstall-udev: for i in $(UDEV_RULES); do \ $(RM) -f $(DESTDIR)$(UDEV_RULES_DIR)/96-$$i; \ done + for i in $(UDISKS_RULES); do \ + $(RM) -f $(DESTDIR)$(UDEV_RULES_DIR)/64-$$i; \ + done uninstall-crond: if test -n "$(CRONTABS)" ; then \ @@ -161,7 +169,7 @@ uninstall-crond: uninstall-libprogs: for i in $(LIBPROGS); do \ - $(RM) -f $(DESTDIR)$(pkglibdir)/$$i; \ + $(RM) -f $(DESTDIR)$(pkglibexecdir)/$$i; \ done uninstall-systemd: @@ -181,7 +189,7 @@ uninstall: $(UNINSTALL_TGT) done clean:: - $(RM) -f $(PROGS) $(MANPAGES) $(CONFFILES) $(UDEV_RULES) $(SERVICE_FILES) $(CRONTABS) $(LIBPROGS) + $(RM) -f $(PROGS) $(MANPAGES) $(CONFFILES) $(UDEV_RULES) $(UDISKS_RULES) $(SERVICE_FILES) $(CRONTABS) $(LIBPROGS) mostlyclean: clean distclean: clean diff --git a/scrub/e2scrub.in b/scrub/e2scrub.in index 7ed57f2..043bc12 100644 --- a/scrub/e2scrub.in +++ b/scrub/e2scrub.in @@ -159,6 +159,13 @@ if [ ! -e "${dev}" ]; then exitcode 16 fi +# Do not scrub unjournalled filesystems; they are inconsistent when mounted +if [ "${reap}" -eq 0 ] && ! dumpe2fs -h "${dev}" | grep -q 'has_journal'; then + echo "${arg}: Filesystem has no journal, cannot check." + print_help + exitcode 16 +fi + # Make sure this is an LVM device we can snapshot lvm_vars="$(lvs --nameprefixes -o name,vgname,lv_role --noheadings "${dev}" 2> /dev/null)" eval "${lvm_vars}" diff --git a/scrub/e2scrub@.service.in b/scrub/e2scrub@.service.in index 496f894..6425263 100644 --- a/scrub/e2scrub@.service.in +++ b/scrub/e2scrub@.service.in @@ -1,5 +1,5 @@ [Unit] -Description=Online ext4 Metadata Check for %I +Description=Online ext4 Metadata Check for %f OnFailure=e2scrub_fail@%i.service Documentation=man:e2scrub(8) @@ -16,5 +16,5 @@ User=root IOSchedulingClass=idle CPUSchedulingPolicy=idle Environment=SERVICE_MODE=1 -ExecStart=@root_sbindir@/e2scrub -t %I +ExecStart=@root_sbindir@/e2scrub -t %f SyslogIdentifier=%N diff --git a/scrub/e2scrub_all.cron.in b/scrub/e2scrub_all.cron.in index 395fb2a..8e2640d 100644 --- a/scrub/e2scrub_all.cron.in +++ b/scrub/e2scrub_all.cron.in @@ -1,2 +1,2 @@ -30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 @pkglibdir@/e2scrub_all_cron +30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 @pkglibexecdir@/e2scrub_all_cron 10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 @root_sbindir@/e2scrub_all -A -r diff --git a/scrub/e2scrub_all.in b/scrub/e2scrub_all.in index 4288b96..f0593d8 100644 --- a/scrub/e2scrub_all.in +++ b/scrub/e2scrub_all.in @@ -125,6 +125,10 @@ ls_scan_targets() { while read vars ; do eval "${vars}" + # Skip unjournalled filesystems; they are inconsistent when + # mounted + dumpe2fs -h "${NAME}" | grep -q 'has_journal' || continue + if [ "${scrub_all}" -eq 1 ] || [ -n "${MOUNTPOINT}" ]; then echo ${MOUNTPOINT:-${NAME}} fi @@ -146,22 +150,10 @@ ls_targets() { fi } -# systemd doesn't know to do path escaping on the instance variable we pass -# to the e2scrub service, which breaks things if there is a dash in the path -# name. Therefore, do the path escaping ourselves if needed. -# -# systemd path escaping also drops the initial slash so we add that back in so -# that log messages from the service units preserve the full path and users can -# look up log messages using full paths. However, for "/" the escaping rules -# do /not/ drop the initial slash, so we have to special-case that here. +# Turn our mount path into a service name that systemd will recognize escape_path_for_systemd() { local path="$1" - - if [ "${path}" != "/" ]; then - echo "-$(systemd-escape --path "${path}")" - else - echo "-" - fi + systemd-escape --template 'e2scrub@.service' --path "${path}" } # Scrub any mounted fs on lvm by creating a snapshot and fscking that. @@ -169,9 +161,9 @@ mapfile -t targets < <(ls_targets) for tgt in "${targets[@]}"; do # If we're not reaping and systemd is present, try invoking the # systemd service. - if [ "${reap}" -ne 1 ] && type systemctl > /dev/null 2>&1; then - tgt_esc="$(escape_path_for_systemd "${tgt}")" - ${DBG} systemctl start "e2scrub@${tgt_esc}" 2> /dev/null + if [ "${reap}" -ne 1 ] && [ -e /run/systemd/system ]; then + svcname="$(escape_path_for_systemd "${tgt}")" + ${DBG} systemctl start "${svcname}" 2> /dev/null res=$? if [ "${res}" -eq 0 ] || [ "${res}" -eq 1 ]; then continue; diff --git a/scrub/e2scrub_fail.in b/scrub/e2scrub_fail.in index 2c0754a..6899c47 100644 --- a/scrub/e2scrub_fail.in +++ b/scrub/e2scrub_fail.in @@ -2,8 +2,8 @@ # Email logs of failed e2scrub unit runs when the systemd service fails. -device="$1" -test -z "${device}" && exit 0 +mntpoint="$1" +test -z "${mntpoint}" && exit 0 if ! type sendmail > /dev/null 2>&1; then echo "$0: sendmail program not found." @@ -16,7 +16,7 @@ fi hostname="$(hostname -f 2>/dev/null)" test -z "${hostname}" && hostname="${HOSTNAME}" -service_name="e2scrub@$(systemd-escape ${device})" +service_name="$(systemd-escape --template "e2scrub@.service" --path "${mntpoint}")" if test -z "${recipient}" ; then recipient="root" @@ -29,9 +29,9 @@ fi (cat << ENDL To: ${recipient} From: ${sender} -Subject: e2scrub failure on ${device} +Subject: e2scrub failure on ${mntpoint} -So sorry, the automatic e2scrub of ${device} on ${hostname} failed. +So sorry, the automatic e2scrub of ${mntpoint} on ${hostname} failed. A log of what happened follows: ENDL diff --git a/scrub/e2scrub_fail@.service.in b/scrub/e2scrub_fail@.service.in index 4bad311..462daee 100644 --- a/scrub/e2scrub_fail@.service.in +++ b/scrub/e2scrub_fail@.service.in @@ -1,10 +1,10 @@ [Unit] -Description=Online ext4 Metadata Check Failure Reporting for %I +Description=Online ext4 Metadata Check Failure Reporting for %f Documentation=man:e2scrub(8) [Service] Type=oneshot -ExecStart=@pkglibdir@/e2scrub_fail "%I" +ExecStart=@pkglibexecdir@/e2scrub_fail "%f" User=mail Group=mail SupplementaryGroups=systemd-journal diff --git a/scrub/ext4.rules.in b/scrub/ext4.rules.in new file mode 100644 index 0000000..6fe5a7a --- /dev/null +++ b/scrub/ext4.rules.in @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: GPL-2.0-or-later +# +# Copyright (C) 2023 Oracle. All rights reserved. +# Author: Darrick J. Wong <djwong@kernel.org> +# +# Don't let udisks automount ext4 filesystems without even asking a user. +# This doesn't eliminate filesystems as an attack surface; it only prevents +# evil maid attacks when all sessions are locked. +# +# According to http://storaged.org/doc/udisks2-api/latest/udisks.8.html, +# supplying UDISKS_AUTO=0 here changes the HintAuto property of the block +# device abstraction to mean "do not automatically start" (e.g. mount). +SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="ext2|ext3|ext4|ext4dev|jbd", ENV{UDISKS_AUTO}="0" |