Merge branch 'sfos220+qcrypto' into 220q+

polkit-1/localauthority/50-local.d/69-cryptosd.pkla

@@ -1,5 +1,5 @@
 [Root users & primary user(s): udisks2.encrypted-*lock*, except for *-system]
-Identity=unix-group:root;unix-group:media_rw
+Identity=unix-group:root;unix-group:system
 Action=org.freedesktop.udisks2.encrypted-unlock;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.encrypted-lock-others
 ResultAny=yes
 ResultInactive=yes
@@ -13,14 +13,14 @@ ResultInactive=yes
 ResultActive=yes
 
 [Primary user(s): udisks2.encrypted-unlock-system]
-Identity=unix-group:media_rw
+Identity=unix-group:system
 Action=org.freedesktop.udisks2.encrypted-unlock-system
 ResultAny=auth_self
 ResultInactive=auth_self
 ResultActive=auth_self_keep
 
 [Root users & primary user(s): udisks2.encrypted-change-passphrase, but not for *-system]
-Identity=unix-group:root;unix-group:media_rw
+Identity=unix-group:root;unix-group:system
 Action=org.freedesktop.udisks2.encrypted-change-passphrase
 ResultAny=auth_self
 ResultInactive=auth_self
@@ -34,21 +34,21 @@ ResultInactive=yes
 ResultActive=yes
 
 [Primary user(s): udisks2.manage-md-raid]
-Identity=unix-group:media_rw
+Identity=unix-group:system
 Action=org.freedesktop.udisks2.manage-md-raid
 ResultAny=auth_self
 ResultInactive=auth_self
 ResultActive=auth_self_keep
 
 [Root users & primary user(s): udisks2.power-off-drive*, except for *-system]
-Identity=unix-group:root;unix-group:media_rw
+Identity=unix-group:root;unix-group:system
 Action=org.freedesktop.udisks2.power-off-drive;org.freedesktop.udisks2.power-off-drive-other-seat
 ResultAny=yes
 ResultInactive=yes
 ResultActive=yes
 
 [Root users & primary user(s): udisks2.eject-media*, except for *-system]
-Identity=unix-group:root;unix-group:media_rw
+Identity=unix-group:root;unix-group:system
 Action=org.freedesktop.udisks2.eject-media;org.freedesktop.udisks2.eject-media-other-seat
 ResultAny=auth_self
 ResultInactive=auth_self
@@ -62,21 +62,21 @@ ResultInactive=auth_self
 ResultActive=yes
 
 [Primary user(s): udisks2.modify-device]
-Identity=unix-group:media_rw
+Identity=unix-group:system
 Action=org.freedesktop.udisks2.modify-device
 ResultAny=auth_self
 ResultInactive=auth_self
 ResultActive=auth_self_keep
 
 [Root users & primary user(s): udisks2.modify-device-system & udisks2.modify-device-other-seat]
-Identity=unix-group:root;unix-group:media_rw
+Identity=unix-group:root;unix-group:system
 Action=org.freedesktop.udisks2.modify-device-system;org.freedesktop.udisks2.modify-device-other-seat
 ResultAny=auth_self
 ResultInactive=auth_self
 ResultActive=auth_self_keep
 
 [Root users & primary user(s): udisks2.rescan]
-Identity=unix-group:root;unix-group:media_rw
+Identity=unix-group:root;unix-group:system
 Action=org.freedesktop.udisks2.rescan
 ResultAny=yes
 ResultInactive=yes
@@ -90,14 +90,14 @@ ResultInactive=yes
 ResultActive=yes
 
 [Primary user(s): udisks2.open-device]
-Identity=unix-group:media_rw
+Identity=unix-group:system
 Action=org.freedesktop.udisks2.open-device
 ResultAny=auth_self
 ResultInactive=auth_self
 ResultActive=yes
 
 [Root users & primary user(s): udisks2.open-device-system]
-Identity=unix-group:root;unix-group:media_rw
+Identity=unix-group:root;unix-group:system
 Action=org.freedesktop.udisks2.open-device-system
 ResultAny=auth_self
 ResultInactive=auth_self
@@ -118,7 +118,7 @@ ResultInactive=auth_admin
 ResultActive=auth_admin_keep
 
 [Root users & primary user(s): <various, harmless device settings>]
-Identity=unix-group:root;unix-group:media_rw
+Identity=unix-group:root;unix-group:system
 Action=org.freedesktop.udisks2.modify-drive-settings;org.freedesktop.udisks2.ata-smart-enable-disable;org.freedesktop.udisks2.ata-smart-update
 ResultAny=yes
 ResultInactive=yes
@@ -132,21 +132,21 @@ ResultInactive=yes
 ResultActive=yes
 
 [Primary user(s): udisks2.ata-smart-simulate & udisks2.ata-smart-selftest]
-Identity=unix-group:media_rw
+Identity=unix-group:system
 Action=org.freedesktop.udisks2.ata-smart-simulate;org.freedesktop.udisks2.ata-smart-selftest
 ResultAny=auth_self
 ResultInactive=auth_self
 ResultActive=auth_self_keep
 
 [Root users & primary user(s): <device power-save settings>, except for *-system]
-Identity=unix-group:root;unix-group:media_rw
+Identity=unix-group:root;unix-group:system
 Action=org.freedesktop.udisks2.ata-check-power;org.freedesktop.udisks2.ata-standby;org.freedesktop.udisks2.ata-standby-other-seat
 ResultAny=yes
 ResultInactive=yes
 ResultActive=yes
 
 [Root users & primary user(s): udisks2.cancel-job*]
-Identity=unix-group:root;unix-group:media_rw
+Identity=unix-group:root;unix-group:system
 Action=org.freedesktop.udisks2.cancel-job;org.freedesktop.udisks2.cancel-job-other-user
 ResultAny=yes
 ResultInactive=yes

rpm/crypto-sdcard.spec

@@ -11,7 +11,7 @@ Version:       1.7.1
 # - An optional third field might be used by downstream packagers, who alter the package but want to
 #   retain the exact version number.  It shall consist of the packager's name appended with a natural 
 #   number greater than zero, e.g "joe8".
-Release:       1.sfosABCqcrypto
+Release:       1.sfos220qcrypto
 Group:         System/Base
 Distribution:  SailfishOS
 Vendor:        olf
@@ -31,9 +31,9 @@ Requires:      udisks2
 # Better use direct dependencies on specific versions than indirect ones (here: the line above
 # versus the one below) in general, but ultimately decided not to do so in this special case
 # (for commonality across release versions):
-Requires:      sailfish-version >= 3.4.0
+Requires:      sailfish-version >= 2.2.0
 # Omit anti-dependency on future, untested SFOS versions, until a known conflict exists:
-Requires:      sailfish-version < 3.4.0
+Requires:      sailfish-version < 3.2.1
 Requires:      cryptsetup >= 1.4.0
 # Must provide Qualcomm's qcrypto kernel module, check: find /lib/modules/ -name qcrypto.ko; rpm -qf $(find /lib/modules/ -name qcrypto.ko)
 # On a Jolla 1 (sbj) qcrypto.ko is deployed by the following RPM, currently no other SailfishOS device adaption is known to provide it.

systemd/system/cryptosd-luks@.service

@@ -2,9 +2,9 @@
 Description=Open /dev/disk/by-uuid/%I per cryptsetup
 Documentation=https://github.com/Olf0/crypto-sdcard
 DefaultDependencies=no
-After=systemd-udevd.service systemd-udev-trigger.service dev-disk-by\x2duuid-%i.device systemd-journald.service local-fs.target cryptsetup-pre.target
+After=sysinit.target dev-disk-by\x2duuid-%i.device
 Requisite=dev-disk-by\x2duuid-%i.device
-PartOf=mount-cryptosd-luks@%i.service cryptsetup.target
+PartOf=mount-cryptosd-luks@%i.service sysinit.target
 Conflicts=umount.target shutdown.target actdead.target factory-test.target
 Before=umount.target shutdown.target mount-cryptosd-luks@%i.service
 AssertPathIsDirectory=!/etc/crypto-sdcard/crypto_luks_%I.key

systemd/system/cryptosd-plain@.service

@@ -2,9 +2,9 @@
 Description=Open /dev/%I per cryptsetup
 Documentation=https://github.com/Olf0/crypto-sdcard
 DefaultDependencies=no
-After=systemd-udevd.service systemd-udev-trigger.service dev-%i.device systemd-journald.service local-fs.target cryptsetup-pre.target
+After=sysinit.target dev-%i.device
 Requisite=dev-%i.device
-PartOf=mount-cryptosd-plain@%i.service cryptsetup.target
+PartOf=mount-cryptosd-plain@%i.service sysinit.target
 Conflicts=umount.target shutdown.target actdead.target factory-test.target
 Before=umount.target shutdown.target mount-cryptosd-plain@%i.service
 AssertPathIsDirectory=!/etc/crypto-sdcard/crypto_plain_%I.key

systemd/system/mnt-cryptosd-luks@.service

@@ -2,7 +2,7 @@
 Description=Manually mount /dev/mapper/%I directly
 Documentation=https://github.com/Olf0/crypto-sdcard
 DefaultDependencies=no
-After=systemd-udevd.service systemd-udev-trigger.service cryptosd-luks@%i.service dev-mapper-%i.device systemd-journald.service local-fs.target cryptsetup.target
+After=systemd-udevd.service systemd-udev-trigger.service cryptosd-luks@%i.service dev-mapper-%i.device systemd-journald.service local-fs.target
 Requires=cryptosd-luks@%i.service
 # "Requisite=dev-mapper-%i.device" here would prevent this unit from
 # auto-starting its dependencies, when started manually:

systemd/system/mount-cryptosd-luks@.service

@@ -16,12 +16,13 @@ Conflicts=umount.target rescue.target actdead.target factory-test.target
 Before=alien-service-manager.service umount.target
 
 [Service]
+User=nemo
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=/etc/systemd/system/cryptosd.conf
 EnvironmentFile=-/etc/crypto-sdcard/cryptosd.conf
 EnvironmentFile=-/etc/crypto-sdcard/cryptosd@%I.conf
-ExecStart=/usr/bin/udisksctl-user mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I
+ExecStart=/usr/bin/udisksctl mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I
 ExecStop=/usr/bin/udisksctl unmount -b /dev/mapper/%I
 ExecStopPost=-/bin/umount -vrq /dev/mapper/%I
 

systemd/system/mount-cryptosd-plain@.service

@@ -16,12 +16,13 @@ Conflicts=umount.target rescue.target actdead.target factory-test.target
 Before=alien-service-manager.service umount.target
 
 [Service]
+User=nemo
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=/etc/systemd/system/cryptosd.conf
 EnvironmentFile=-/etc/crypto-sdcard/cryptosd.conf
 EnvironmentFile=-/etc/crypto-sdcard/cryptosd@%I.conf
-ExecStart=/usr/bin/udisksctl-user mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I
+ExecStart=/usr/bin/udisksctl mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I
 ExecStop=/usr/bin/udisksctl unmount -b /dev/mapper/%I
 ExecStopPost=-/bin/umount -vrq /dev/mapper/%I
 

udev/rules.d/96-cryptosd.rules

@@ -30,32 +30,32 @@ SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ATTR{power/control}=="on", ENV{UD
 # For DM-Crypt LUKS, match ENV{ID_FS_TYPE}=="crypto_LUKS"
 KERNEL=="mmcblk[1-9]*", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_luks_%E{ID_FS_UUID}.key", ENV{CRYPTOSD_TYPE}="LUKS"
 SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_luks_%E{ID_FS_UUID}.key", ENV{CRYPTOSD_TYPE}="LUKS"
-ENV{CRYPTOSD_TYPE}=="LUKS", ACTION=="add|change", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_luks_dev-%k_%E{ID_FS_UUID}", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=cryptosd-luks@.service %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="'%c'"
+ENV{CRYPTOSD_TYPE}=="LUKS", ACTION=="add|change", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_luks_dev-%k_%E{ID_FS_UUID}", MODE="0660", TAG+="systemd", PROGRAM=="/bin/systemd-escape --template=cryptosd-luks@.service %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="%c"
 # When above detected and assigned devices are removed
-ENV{CRYPTOSD_TYPE}=="LUKS", ACTION=="remove", ENV{CRYPTOSD_TYPE}="removed", ENV{UDISKS_NAME}="cryptosd_removed", PROGRAM=="/usr/bin/systemd-escape --template=cryptosd-luks@.service %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/usr/bin/systemctl stop %c"
+ENV{CRYPTOSD_TYPE}=="LUKS", ACTION=="remove", ENV{CRYPTOSD_TYPE}="
 
 # For DM-Crypt "plain", ensure (by ENV{ID_*}!="?*" statements) that it appears to be unused space
 # Two rules, one for partitions and a tighter one for whole disks:
 KERNEL=="mmcblk[1-9]*", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{UDISKS_PARTITIONABLE}="0", ENV{CRYPTOSD_TYPE}="PLAIN"
 SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{UDISKS_PARTITIONABLE}="0", ENV{CRYPTOSD_TYPE}="PLAIN"
 KERNEL=="mmcblk[1-9]*", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{CRYPTOSD_TYPE}="PLAIN"
 SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{CRYPTOSD_TYPE}="PLAIN"
-ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="add|change", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_plain_dev-%k", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="'cryptosd-plain@%k.service'"
+ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="add|change", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_plain_dev-%k", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="cryptosd-plain@%k.service"
 # When above detected and assigned devices are removed
-ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="removed", ENV{UDISKS_NAME}="cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/usr/bin/systemctl stop cryptosd-plain@%k.service"
+ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="removed", ENV{UDISKS_NAME}="cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/bin/systemctl stop cryptosd-plain@%k.service"
 
 #LABEL="cryptosd_open_end"
 
 
 KERNEL!="dm-[0-9]*", GOTO="cryptosd_end"
 
 # Carefully match resulting virtual node dm-[0-9]* to trigger mounting it; see /lib/udev/rules.d/10-dm.rules for details
-ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="????????-????-????-????-????????????|????-????", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-LUKS", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_luks_%E{DM_NAME}", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=mount-cryptosd-luks@.service %E{DM_NAME}", ENV{SYSTEMD_WANTS}="'%c'"
-ENV{CRYPTOSD_TYPE}=="mount-LUKS", ACTION=="remove", ENV{CRYPTOSD_TYPE}="mount-removed", ENV{UDISKS_NAME}="mount_cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", PROGRAM=="/usr/bin/systemd-escape --template=mount-cryptosd-luks@.service %E{DM_NAME}", RUN{program}+="/usr/bin/systemctl stop %c"
+ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="????????-????-????-????-????????????|????-????", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-LUKS", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_luks_%E{DM_NAME}", MODE="0660", TAG+="systemd", PROGRAM=="/bin/systemd-escape --template=mount-cryptosd-luks@.service %E{DM_NAME}", ENV{SYSTEMD_WANTS}="%c"
+ENV{CRYPTOSD_TYPE}=="mount-LUKS", ACTION=="remove", ENV{CRYPTOSD_TYPE}="mount-removed", ENV{UDISKS_NAME}="mount_cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", PROGRAM=="/bin/systemd-escape --template=mount-cryptosd-luks@.service %E{DM_NAME}", RUN{program}+="/bin/systemctl stop %c"
 
 # Ditto for DM-Crypt "plain"
-ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="mmcblk[0-9]*|sd*|sr*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-PLAIN", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_plain_%E{DM_NAME}", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="'mount-cryptosd-plain@%E{DM_NAME}.service'"
-ENV{CRYPTOSD_TYPE}=="mount-PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="mount-removed", ENV{UDISKS_NAME}="mount_cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/usr/bin/systemctl stop mount-cryptosd-plain@%E{DM_NAME}.service"
+ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="mmcblk[0-9]*|sd*|sr*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-PLAIN", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_plain_%E{DM_NAME}", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="mount-cryptosd-plain@%E{DM_NAME}.service"
+ENV{CRYPTOSD_TYPE}=="mount-PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="mount-removed", ENV{UDISKS_NAME}="mount_cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/bin/systemctl stop mount-cryptosd-plain@%E{DM_NAME}.service"
 
 LABEL="cryptosd_end"