summaryrefslogtreecommitdiffstats
path: root/src/cryptsetup/cryptsetup.c
diff options
context:
space:
mode:
authorMichal Sekletar <msekleta@redhat.com>2017-12-12 17:49:14 +0100
committerMichal Sekletar <msekleta@redhat.com>2017-12-12 18:28:08 +0100
commit5a9f1b05ed6dad48958097fb37811668e69447fb (patch)
tree7a07b94fccc6ee1f06e0d5b52143beac621b65fc /src/cryptsetup/cryptsetup.c
parentresolve: add support for RFC 8080 (#7600) (diff)
downloadsystemd-5a9f1b05ed6dad48958097fb37811668e69447fb.tar.xz
systemd-5a9f1b05ed6dad48958097fb37811668e69447fb.zip
cryptsetup: when unlocking always put path to the object into Id
Some ask-password agents (e.g. clevis-luks-askpass) use Id option from /run/systemd/ask-password/ask* file in order to obtain the password for the device. Id option should be in the following format, e.g. Id=subsystem:data. Where data part is supposed to identify object that ask-password query is done for. Since e51b9486d1b59e72c293028fed1384f4e4ef09aa this field has format Id=cryptsetup:/dev/block/major:minor when systemd-cryptsetup is unlocking encrypted block device. However, crypttab also supports encrypted image files in which case we usually set data part of Id to "vol on mountpoint". This is unexpected and actually breaks network based device encryption as implemented by clevis. Example: $ cat /etc/crypttab clevis-unlocked /clevis-test-disk-image none luks,_netdev $ systemctl start 'systemd-cryptsetup@clevis\x2dunlocked.service' $ grep Id /run/systemd/ask-password/ask* Before: $ Id=cryptsetup:clevis-unlocked on /clevis-test-disk-image-mnt After: $ Id=cryptsetup:/clevis-test-disk-image
Diffstat (limited to '')
-rw-r--r--src/cryptsetup/cryptsetup.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index ab4d24ca3b..b6d965e24f 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -365,7 +365,7 @@ static int get_password(const char *vol, const char *src, usec_t until, bool acc
escaped_name = maj_min;
maj_min = NULL;
} else
- escaped_name = cescape(name);
+ escaped_name = cescape(src);
if (!escaped_name)
return log_oom();