tMerge pull request #189 from dyne/fix-163 - tomb - the crypto undertaker
HTML git clone git://parazyd.org/tomb.git
DIR Log
DIR Files
DIR Refs
DIR README
DIR LICENSE
---
DIR commit bc458825336851102181c97d5a0d1fcf25ac911a
DIR parent ec5d72ae9a707b72e9c8f031c843739554d48a27
HTML Author: hellekin <hellekin@cepheide.org>
Date: Fri, 20 Feb 2015 09:58:40 -0300
Merge pull request #189 from dyne/fix-163
Detect plain swaps on encrypted partition (util-linux >= 2.22) or advise user to use -f (fixes #163)
Diffstat:
M tomb | 44 ++++++++++++++++---------------
1 file changed, 23 insertions(+), 21 deletions(-)
---
DIR diff --git a/tomb b/tomb
t@@ -278,6 +278,25 @@ _tmp_create() {
return 0
}
+# Check if a block device is encrypted
+# Synopsis: _is_encrypted_block /path/to/block/device
+# Return 0 if it is an encrypted block device
+_is_encrypted_block() {
+ local b=$1 # Path to a block device
+ local s="" # lsblk option -s (if available)
+
+ # Issue #163
+ # lsblk --inverse appeared in util-linux 2.22
+ # but --version is not consistent...
+ lsblk --help | grep -q '\-\-inverse'
+ [[ $? -eq 0 ]] && s="--inverse"
+
+ sudo lsblk $s -o type -n $b 2>/dev/null \
+ | egrep -q '^crypt$'
+
+ return $?
+}
+
# Check if swap is activated
# Return 0 if NO swap is used, 1 if swap is used.
# Return 1 if any of the swaps is not encrypted.
t@@ -293,35 +312,18 @@ _ensure_safe_swap() {
swaps="$(awk '/^\// { print $1 }' /proc/swaps 2>/dev/null)"
[[ -z "$swaps" ]] && return 0 # No swap partition is active
+ _message "An active swap partition is detected..."
for s in $=swaps; do
- bone=$(_sudo file $s)
- if [[ "$bone" =~ "swap file" ]]; then
- # It's a regular (unencrypted) swap file
- r=1
- break
-
- elif [[ "$bone" =~ "symbolic link" ]]; then
- # Might link to a block
- r=1
- [[ "/dev/mapper" == "${s%/*}" ]] || { break }
- is_crypt=$(_sudo dmsetup status "$s" | awk '/crypt/ {print $3}')
- [[ $is_crypt == "crypt" ]] && { r=2 }
-
- elif [[ "$bone" =~ "block special" ]]; then
- # It's a block
- r=1
- is_crypt=`_sudo dmsetup status "$s" | awk '/crypt/ {print $3}'`
- [[ $is_crypt == "crypt" ]] && { r=2 } || { break }
-
- fi
+ { _is_encrypted_block $s } && { r=2 } || { r=1; break }
done
- _message "An active swap partition is detected..."
+
if [[ $r -eq 2 ]]; then
_success "All your swaps are belong to crypt. Good."
else
_warning "This poses a security risk."
_warning "You can deactivate all swap partitions using the command:"
_warning " swapoff -a"
+ _warning "[#163] I may not detect plain swaps on an encrypted volume."
_warning "But if you want to proceed like this, use the -f (force) flag."
fi
return $r