diff --git a/polkit-1/localauthority/50-local.d/69-cryptosd.pkla b/polkit-1/localauthority/50-local.d/69-cryptosd.pkla index 0b9e8d87..1ce60c26 100644 --- a/polkit-1/localauthority/50-local.d/69-cryptosd.pkla +++ b/polkit-1/localauthority/50-local.d/69-cryptosd.pkla @@ -1,5 +1,5 @@ [Root users & primary user(s): udisks2.encrypted-*lock*, except for *-system] -Identity=unix-group:root;unix-group:media_rw +Identity=unix-group:root;unix-group:system Action=org.freedesktop.udisks2.encrypted-unlock;org.freedesktop.udisks2.encrypted-unlock-other-seat;org.freedesktop.udisks2.encrypted-lock-others ResultAny=yes ResultInactive=yes @@ -13,14 +13,14 @@ ResultInactive=yes ResultActive=yes [Primary user(s): udisks2.encrypted-unlock-system] -Identity=unix-group:media_rw +Identity=unix-group:system Action=org.freedesktop.udisks2.encrypted-unlock-system ResultAny=auth_self ResultInactive=auth_self ResultActive=auth_self_keep [Root users & primary user(s): udisks2.encrypted-change-passphrase, but not for *-system] -Identity=unix-group:root;unix-group:media_rw +Identity=unix-group:root;unix-group:system Action=org.freedesktop.udisks2.encrypted-change-passphrase ResultAny=auth_self ResultInactive=auth_self @@ -34,21 +34,21 @@ ResultInactive=yes ResultActive=yes [Primary user(s): udisks2.manage-md-raid] -Identity=unix-group:media_rw +Identity=unix-group:system Action=org.freedesktop.udisks2.manage-md-raid ResultAny=auth_self ResultInactive=auth_self ResultActive=auth_self_keep [Root users & primary user(s): udisks2.power-off-drive*, except for *-system] -Identity=unix-group:root;unix-group:media_rw +Identity=unix-group:root;unix-group:system Action=org.freedesktop.udisks2.power-off-drive;org.freedesktop.udisks2.power-off-drive-other-seat ResultAny=yes ResultInactive=yes ResultActive=yes [Root users & primary user(s): udisks2.eject-media*, except for *-system] -Identity=unix-group:root;unix-group:media_rw +Identity=unix-group:root;unix-group:system Action=org.freedesktop.udisks2.eject-media;org.freedesktop.udisks2.eject-media-other-seat ResultAny=auth_self ResultInactive=auth_self @@ -62,21 +62,21 @@ ResultInactive=auth_self ResultActive=yes [Primary user(s): udisks2.modify-device] -Identity=unix-group:media_rw +Identity=unix-group:system Action=org.freedesktop.udisks2.modify-device ResultAny=auth_self ResultInactive=auth_self ResultActive=auth_self_keep [Root users & primary user(s): udisks2.modify-device-system & udisks2.modify-device-other-seat] -Identity=unix-group:root;unix-group:media_rw +Identity=unix-group:root;unix-group:system Action=org.freedesktop.udisks2.modify-device-system;org.freedesktop.udisks2.modify-device-other-seat ResultAny=auth_self ResultInactive=auth_self ResultActive=auth_self_keep [Root users & primary user(s): udisks2.rescan] -Identity=unix-group:root;unix-group:media_rw +Identity=unix-group:root;unix-group:system Action=org.freedesktop.udisks2.rescan ResultAny=yes ResultInactive=yes @@ -90,14 +90,14 @@ ResultInactive=yes ResultActive=yes [Primary user(s): udisks2.open-device] -Identity=unix-group:media_rw +Identity=unix-group:system Action=org.freedesktop.udisks2.open-device ResultAny=auth_self ResultInactive=auth_self ResultActive=yes [Root users & primary user(s): udisks2.open-device-system] -Identity=unix-group:root;unix-group:media_rw +Identity=unix-group:root;unix-group:system Action=org.freedesktop.udisks2.open-device-system ResultAny=auth_self ResultInactive=auth_self @@ -118,7 +118,7 @@ ResultInactive=auth_admin ResultActive=auth_admin_keep [Root users & primary user(s): ] -Identity=unix-group:root;unix-group:media_rw +Identity=unix-group:root;unix-group:system Action=org.freedesktop.udisks2.modify-drive-settings;org.freedesktop.udisks2.ata-smart-enable-disable;org.freedesktop.udisks2.ata-smart-update ResultAny=yes ResultInactive=yes @@ -132,21 +132,21 @@ ResultInactive=yes ResultActive=yes [Primary user(s): udisks2.ata-smart-simulate & udisks2.ata-smart-selftest] -Identity=unix-group:media_rw +Identity=unix-group:system Action=org.freedesktop.udisks2.ata-smart-simulate;org.freedesktop.udisks2.ata-smart-selftest ResultAny=auth_self ResultInactive=auth_self ResultActive=auth_self_keep [Root users & primary user(s): , except for *-system] -Identity=unix-group:root;unix-group:media_rw +Identity=unix-group:root;unix-group:system Action=org.freedesktop.udisks2.ata-check-power;org.freedesktop.udisks2.ata-standby;org.freedesktop.udisks2.ata-standby-other-seat ResultAny=yes ResultInactive=yes ResultActive=yes [Root users & primary user(s): udisks2.cancel-job*] -Identity=unix-group:root;unix-group:media_rw +Identity=unix-group:root;unix-group:system Action=org.freedesktop.udisks2.cancel-job;org.freedesktop.udisks2.cancel-job-other-user ResultAny=yes ResultInactive=yes diff --git a/rpm/crypto-sdcard.spec b/rpm/crypto-sdcard.spec index b6b11380..e86cf894 100644 --- a/rpm/crypto-sdcard.spec +++ b/rpm/crypto-sdcard.spec @@ -11,7 +11,7 @@ Version: 1.7.1 # - An optional third field might be used by downstream packagers, who alter the package but want to # retain the exact version number. It shall consist of the packager's name appended with a natural # number greater than zero, e.g "joe8". -Release: 1.sfosABCqcrypto +Release: 1.sfos220qcrypto Group: System/Base Distribution: SailfishOS Vendor: olf @@ -31,9 +31,9 @@ Requires: udisks2 # Better use direct dependencies on specific versions than indirect ones (here: the line above # versus the one below) in general, but ultimately decided not to do so in this special case # (for commonality across release versions): -Requires: sailfish-version >= 3.4.0 +Requires: sailfish-version >= 2.2.0 # Omit anti-dependency on future, untested SFOS versions, until a known conflict exists: -Requires: sailfish-version < 3.4.0 +Requires: sailfish-version < 3.2.1 Requires: cryptsetup >= 1.4.0 # Must provide Qualcomm's qcrypto kernel module, check: find /lib/modules/ -name qcrypto.ko; rpm -qf $(find /lib/modules/ -name qcrypto.ko) # On a Jolla 1 (sbj) qcrypto.ko is deployed by the following RPM, currently no other SailfishOS device adaption is known to provide it. diff --git a/systemd/system/cryptosd-luks@.service b/systemd/system/cryptosd-luks@.service index 4ba94a3f..446b9ea5 100644 --- a/systemd/system/cryptosd-luks@.service +++ b/systemd/system/cryptosd-luks@.service @@ -2,9 +2,9 @@ Description=Open /dev/disk/by-uuid/%I per cryptsetup Documentation=https://github.com/Olf0/crypto-sdcard DefaultDependencies=no -After=systemd-udevd.service systemd-udev-trigger.service dev-disk-by\x2duuid-%i.device systemd-journald.service local-fs.target cryptsetup-pre.target +After=sysinit.target dev-disk-by\x2duuid-%i.device Requisite=dev-disk-by\x2duuid-%i.device -PartOf=mount-cryptosd-luks@%i.service cryptsetup.target +PartOf=mount-cryptosd-luks@%i.service sysinit.target Conflicts=umount.target shutdown.target actdead.target factory-test.target Before=umount.target shutdown.target mount-cryptosd-luks@%i.service AssertPathIsDirectory=!/etc/crypto-sdcard/crypto_luks_%I.key diff --git a/systemd/system/cryptosd-plain@.service b/systemd/system/cryptosd-plain@.service index 0cdf9fee..e0d64c57 100644 --- a/systemd/system/cryptosd-plain@.service +++ b/systemd/system/cryptosd-plain@.service @@ -2,9 +2,9 @@ Description=Open /dev/%I per cryptsetup Documentation=https://github.com/Olf0/crypto-sdcard DefaultDependencies=no -After=systemd-udevd.service systemd-udev-trigger.service dev-%i.device systemd-journald.service local-fs.target cryptsetup-pre.target +After=sysinit.target dev-%i.device Requisite=dev-%i.device -PartOf=mount-cryptosd-plain@%i.service cryptsetup.target +PartOf=mount-cryptosd-plain@%i.service sysinit.target Conflicts=umount.target shutdown.target actdead.target factory-test.target Before=umount.target shutdown.target mount-cryptosd-plain@%i.service AssertPathIsDirectory=!/etc/crypto-sdcard/crypto_plain_%I.key diff --git a/systemd/system/mnt-cryptosd-luks@.service b/systemd/system/mnt-cryptosd-luks@.service index 2e5a9ff2..8966d5ed 100644 --- a/systemd/system/mnt-cryptosd-luks@.service +++ b/systemd/system/mnt-cryptosd-luks@.service @@ -2,7 +2,7 @@ Description=Manually mount /dev/mapper/%I directly Documentation=https://github.com/Olf0/crypto-sdcard DefaultDependencies=no -After=systemd-udevd.service systemd-udev-trigger.service cryptosd-luks@%i.service dev-mapper-%i.device systemd-journald.service local-fs.target cryptsetup.target +After=systemd-udevd.service systemd-udev-trigger.service cryptosd-luks@%i.service dev-mapper-%i.device systemd-journald.service local-fs.target Requires=cryptosd-luks@%i.service # "Requisite=dev-mapper-%i.device" here would prevent this unit from # auto-starting its dependencies, when started manually: diff --git a/systemd/system/mount-cryptosd-luks@.service b/systemd/system/mount-cryptosd-luks@.service index 18608bc1..fcbd83f4 100644 --- a/systemd/system/mount-cryptosd-luks@.service +++ b/systemd/system/mount-cryptosd-luks@.service @@ -16,12 +16,13 @@ Conflicts=umount.target rescue.target actdead.target factory-test.target Before=alien-service-manager.service umount.target [Service] +User=nemo Type=oneshot RemainAfterExit=yes EnvironmentFile=/etc/systemd/system/cryptosd.conf EnvironmentFile=-/etc/crypto-sdcard/cryptosd.conf EnvironmentFile=-/etc/crypto-sdcard/cryptosd@%I.conf -ExecStart=/usr/bin/udisksctl-user mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I +ExecStart=/usr/bin/udisksctl mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I ExecStop=/usr/bin/udisksctl unmount -b /dev/mapper/%I ExecStopPost=-/bin/umount -vrq /dev/mapper/%I diff --git a/systemd/system/mount-cryptosd-plain@.service b/systemd/system/mount-cryptosd-plain@.service index 98605a06..369bf0e0 100644 --- a/systemd/system/mount-cryptosd-plain@.service +++ b/systemd/system/mount-cryptosd-plain@.service @@ -16,12 +16,13 @@ Conflicts=umount.target rescue.target actdead.target factory-test.target Before=alien-service-manager.service umount.target [Service] +User=nemo Type=oneshot RemainAfterExit=yes EnvironmentFile=/etc/systemd/system/cryptosd.conf EnvironmentFile=-/etc/crypto-sdcard/cryptosd.conf EnvironmentFile=-/etc/crypto-sdcard/cryptosd@%I.conf -ExecStart=/usr/bin/udisksctl-user mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I +ExecStart=/usr/bin/udisksctl mount $UDISKS2_MOUNT_OPTIONS -b /dev/mapper/%I ExecStop=/usr/bin/udisksctl unmount -b /dev/mapper/%I ExecStopPost=-/bin/umount -vrq /dev/mapper/%I diff --git a/udev/rules.d/96-cryptosd.rules b/udev/rules.d/96-cryptosd.rules index 35777c9d..507670ba 100644 --- a/udev/rules.d/96-cryptosd.rules +++ b/udev/rules.d/96-cryptosd.rules @@ -30,9 +30,9 @@ SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ATTR{power/control}=="on", ENV{UD # For DM-Crypt LUKS, match ENV{ID_FS_TYPE}=="crypto_LUKS" KERNEL=="mmcblk[1-9]*", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_luks_%E{ID_FS_UUID}.key", ENV{CRYPTOSD_TYPE}="LUKS" SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{ID_FS_TYPE}=="crypto_LUKS", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_luks_%E{ID_FS_UUID}.key", ENV{CRYPTOSD_TYPE}="LUKS" -ENV{CRYPTOSD_TYPE}=="LUKS", ACTION=="add|change", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_luks_dev-%k_%E{ID_FS_UUID}", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=cryptosd-luks@.service %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="'%c'" +ENV{CRYPTOSD_TYPE}=="LUKS", ACTION=="add|change", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_luks_dev-%k_%E{ID_FS_UUID}", MODE="0660", TAG+="systemd", PROGRAM=="/bin/systemd-escape --template=cryptosd-luks@.service %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="%c" # When above detected and assigned devices are removed -ENV{CRYPTOSD_TYPE}=="LUKS", ACTION=="remove", ENV{CRYPTOSD_TYPE}="removed", ENV{UDISKS_NAME}="cryptosd_removed", PROGRAM=="/usr/bin/systemd-escape --template=cryptosd-luks@.service %E{ID_FS_UUID}", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/usr/bin/systemctl stop %c" +ENV{CRYPTOSD_TYPE}=="LUKS", ACTION=="remove", ENV{CRYPTOSD_TYPE}=" # For DM-Crypt "plain", ensure (by ENV{ID_*}!="?*" statements) that it appears to be unused space # Two rules, one for partitions and a tighter one for whole disks: @@ -40,9 +40,9 @@ KERNEL=="mmcblk[1-9]*", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_ SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{DEVTYPE}=="disk", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ENV{ID_PART_TABLE_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{UDISKS_PARTITIONABLE}="0", ENV{CRYPTOSD_TYPE}="PLAIN" KERNEL=="mmcblk[1-9]*", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{CRYPTOSD_TYPE}="PLAIN" SUBSYSTEMS=="usb", KERNEL=="mmcblk0*|sd*|sr*", ENV{DEVTYPE}=="partition", ENV{ID_FS_USAGE}!="?*", ENV{ID_FS_TYPE}!="?*", ACTION=="add|change", TEST=="/etc/crypto-sdcard/crypto_plain_%k.key", ENV{CRYPTOSD_TYPE}="PLAIN" -ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="add|change", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_plain_dev-%k", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="'cryptosd-plain@%k.service'" +ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="add|change", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="cryptosd_plain_dev-%k", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="cryptosd-plain@%k.service" # When above detected and assigned devices are removed -ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="removed", ENV{UDISKS_NAME}="cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/usr/bin/systemctl stop cryptosd-plain@%k.service" +ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="removed", ENV{UDISKS_NAME}="cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/bin/systemctl stop cryptosd-plain@%k.service" #LABEL="cryptosd_open_end" @@ -50,12 +50,12 @@ ENV{CRYPTOSD_TYPE}=="PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="removed", ENV KERNEL!="dm-[0-9]*", GOTO="cryptosd_end" # Carefully match resulting virtual node dm-[0-9]* to trigger mounting it; see /lib/udev/rules.d/10-dm.rules for details -ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="????????-????-????-????-????????????|????-????", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-LUKS", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_luks_%E{DM_NAME}", MODE="0660", TAG+="systemd", PROGRAM=="/usr/bin/systemd-escape --template=mount-cryptosd-luks@.service %E{DM_NAME}", ENV{SYSTEMD_WANTS}="'%c'" -ENV{CRYPTOSD_TYPE}=="mount-LUKS", ACTION=="remove", ENV{CRYPTOSD_TYPE}="mount-removed", ENV{UDISKS_NAME}="mount_cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", PROGRAM=="/usr/bin/systemd-escape --template=mount-cryptosd-luks@.service %E{DM_NAME}", RUN{program}+="/usr/bin/systemctl stop %c" +ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="????????-????-????-????-????????????|????-????", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-LUKS", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_luks_%E{DM_NAME}", MODE="0660", TAG+="systemd", PROGRAM=="/bin/systemd-escape --template=mount-cryptosd-luks@.service %E{DM_NAME}", ENV{SYSTEMD_WANTS}="%c" +ENV{CRYPTOSD_TYPE}=="mount-LUKS", ACTION=="remove", ENV{CRYPTOSD_TYPE}="mount-removed", ENV{UDISKS_NAME}="mount_cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", PROGRAM=="/bin/systemd-escape --template=mount-cryptosd-luks@.service %E{DM_NAME}", RUN{program}+="/bin/systemctl stop %c" # Ditto for DM-Crypt "plain" -ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="mmcblk[0-9]*|sd*|sr*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-PLAIN", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_plain_%E{DM_NAME}", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="'mount-cryptosd-plain@%E{DM_NAME}.service'" -ENV{CRYPTOSD_TYPE}=="mount-PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="mount-removed", ENV{UDISKS_NAME}="mount_cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/usr/bin/systemctl stop mount-cryptosd-plain@%E{DM_NAME}.service" +ENV{ID_FS_USAGE}=="filesystem", ENV{DM_UDEV_RULES_VSN}=="[2-9]", ENV{DM_NAME}=="mmcblk[0-9]*|sd*|sr*", ACTION=="change", ENV{DM_UDEV_PRIMARY_SOURCE_FLAG}=="1", ENV{DM_ACTIVATION}=="1", ENV{DM_SUSPENDED}=="0", ENV{CRYPTOSD_TYPE}="mount-PLAIN", ENV{UDISKS_SYSTEM}="0", ENV{UDISKS_AUTO}="0", ENV{UDISKS_NAME}="mount_cryptosd_plain_%E{DM_NAME}", MODE="0660", TAG+="systemd", ENV{SYSTEMD_WANTS}="mount-cryptosd-plain@%E{DM_NAME}.service" +ENV{CRYPTOSD_TYPE}=="mount-PLAIN", ACTION=="remove", ENV{CRYPTOSD_TYPE}="mount-removed", ENV{UDISKS_NAME}="mount_cryptosd_removed", ENV{SYSTEMD_WANTS}="", ENV{SYSTEMD_USER_WANTS}="", RUN{program}+="/bin/systemctl stop mount-cryptosd-plain@%E{DM_NAME}.service" LABEL="cryptosd_end"