Diffstat (limited to 'libmount/src/hook_veritydev.c')
-rw-r--r-- | libmount/src/hook_veritydev.c | 39 |
1 files changed, 13 insertions, 26 deletions
diff --git a/libmount/src/hook_veritydev.c b/libmount/src/hook_veritydev.c index f91778a..6a9e644 100644 --- a/libmount/src/hook_veritydev.c +++ b/libmount/src/hook_veritydev.c @@ -349,25 +349,8 @@ static int setup_veritydev( struct libmnt_context *cxt, backing_file = mnt_fs_get_srcpath(cxt->fs); if (!backing_file) return -EINVAL; - else { - /* To avoid clashes, prefix libmnt_ to all mapper devices */ - char *p, *path = strdup(backing_file); - if (!path) - return -ENOMEM; - - p = stripoff_last_component(path); - if (p) - mapper_device = calloc(strlen(p) + sizeof("libmnt_"), sizeof(char)); - if (mapper_device) { - strcat(mapper_device, "libmnt_"); - strcat(mapper_device, p); - } - free(path); - if (!mapper_device) - return -ENOMEM; - } - DBG(HOOK, ul_debugobj(hs, "verity: setup for %s [%s]", backing_file, mapper_device)); + DBG(HOOK, ul_debugobj(hs, "verity: setup for %s", backing_file)); /* verity.hashdevice= */ if (!rc && (opt = mnt_optlist_get_opt(ol, MNT_MS_HASH_DEVICE, cxt->map_userspace))) @@ -467,6 +450,13 @@ static int setup_veritydev( struct libmnt_context *cxt, rc = -EINVAL; } + /* To avoid clashes, use the roothash as the device name. This allows us to reuse already open devices, saving + * a lot of time and resources when there are duplicated mounts. If the roothash is the same, then the volumes + * are also guaranteed to be identical. This is what systemd also does, so we can deduplicate across the whole + * system. */ + if (asprintf(&mapper_device, "%s-verity", root_hash) < 0) + rc = -ENOMEM; + if (!rc) rc = verity_call( crypt_init_data_device(&crypt_dev, hash_device, backing_file) ); if (rc) 
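Review bot: The added `asprintf()` for `mapper_device` in the `@@ -467,6 +450,13 @@` hunk runs even when `rc` was already set by the checks above it, unlike the `if (!rc)` statement that follows. If `root_hash` is still NULL on that path (its assignment is outside this hunk), the `%s` conversion is undefined, and an allocation failure would overwrite the earlier error with `-ENOMEM`; I would guard it as `if (!rc && asprintf(&mapper_device, "%s-verity", root_hash) < 0)`. Portable code cannot rely on the output pointer's value after a failed `asprintf()`, so the failure branch should also set `mapper_device = NULL;` before any cleanup frees it; the same applies to `hsd->devname` in the last hunk, where the removed `calloc()` path left NULL behind. Because the user-passed root hash now becomes the device-mapper name, it is worth confirming that it is validated as a hex string before this point, which is not visible here. setup_veritydev() starts and ends outside the hunk.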
@@ -506,7 +496,9 @@ static int setup_veritydev( struct libmnt_context *cxt, * If the mapper device already exists, and if libcryptsetup supports it, get the root * hash associated with the existing one and compare it with the parameter passed by * the user. If they match, then we can be sure the user intended to mount the exact - * same device, and simply reuse it and return success. + * same device, and simply reuse it and return success. Although we use the roothash + * as the device mapper name, and root privileges are required to open them, better be + * safe than sorry, so double check that the actual root hash used matches. * The kernel does the refcounting for us. * If libcryptsetup does not support getting the root hash out of an existing device, * then return an error and tell the user that the device is already in use. @@ -562,15 +554,10 @@ static int setup_veritydev( struct libmnt_context *cxt, } if (!rc) { - hsd->devname = calloc(strlen(mapper_device) - + sizeof(_PATH_DEV_MAPPER) + 2, sizeof(char)); - if (!hsd->devname) + if (asprintf(&hsd->devname, _PATH_DEV_MAPPER "/%s", mapper_device) == -1) rc = -ENOMEM; - else { - strcat(hsd->devname, _PATH_DEV_MAPPER "/"); - strcat(hsd->devname, mapper_device); + else rc = mnt_fs_set_source(cxt->fs, hsd->devname); - } } done: |
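Review bot: The `asprintf()` check in the `@@ -562,15 +554,10 @@` hunk tests `== -1`, while the call added earlier in this commit tests `< 0`; using one idiom for both makes the error handling easier to audit. I would write `if (asprintf(&hsd->devname, _PATH_DEV_MAPPER "/%s", mapper_device) < 0)` here. The enclosing function continues past the `done:` label outside the hunk.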