Merge pull request #189 from dyne/fix-163

Detect plain swaps on encrypted partition (util-linux >= 2.22) or advise user to use -f (fixes #163)
2024-11-12 07:46:28 +00:00 · 2015-02-20 09:58:40 -03:00 · 2015-02-20 09:58:40 -03:00 · bc45882533
commit bc45882533
parent ec5d72ae9a 8360270e65
1 changed files with 24 additions and 22 deletions
--- a/46
+++ b/46
@ -278,6 +278,25 @@ _tmp_create() {
    return 0
 }

+# Check if a block device is encrypted
+# Synopsis: _is_encrypted_block /path/to/block/device
+# Return 0 if it is an encrypted block device
+_is_encrypted_block() {
+    local    b=$1 # Path to a block device
+    local    s="" # lsblk option -s (if available)
+
+    # Issue #163
+    # lsblk --inverse appeared in util-linux 2.22
+    # but --version is not consistent...
+    lsblk --help | grep -q '\-\-inverse'
+    [[ $? -eq 0 ]] && s="--inverse"
+
+    sudo lsblk $s -o type -n $b 2>/dev/null \
+        | egrep -q '^crypt$'
+
+    return $?
+}
+
 # Check if swap is activated
 # Return 0 if NO swap is used, 1 if swap is used.
 # Return 1 if any of the swaps is not encrypted.
@ -293,35 +312,18 @@ _ensure_safe_swap() {
    swaps="$(awk '/^\// { print $1 }' /proc/swaps 2>/dev/null)"
    [[ -z "$swaps" ]] && return 0 # No swap partition is active

-    for s in $=swaps; do
-        bone=$(_sudo file $s)
-        if [[ "$bone" =~ "swap file" ]]; then
-            # It's a regular (unencrypted) swap file
-            r=1
-            break
-
-        elif [[ "$bone" =~ "symbolic link" ]]; then
-            # Might link to a block
-            r=1
-            [[ "/dev/mapper" == "${s%/*}" ]] || { break }
-            is_crypt=$(_sudo dmsetup status "$s" | awk '/crypt/ {print $3}')
-            [[ $is_crypt == "crypt" ]] && { r=2 }
-
-        elif [[ "$bone" =~ "block special" ]]; then
-            # It's a block
-            r=1
-            is_crypt=`_sudo dmsetup status "$s" | awk '/crypt/ {print $3}'`
-            [[ $is_crypt == "crypt" ]] && { r=2 } || { break }
-
-        fi
-    done
    _message "An active swap partition is detected..."
+    for s in $=swaps; do
+        { _is_encrypted_block $s } && { r=2 } || { r=1; break }
+    done
+
    if [[ $r -eq 2 ]]; then
        _success "All your swaps are belong to crypt.  Good."
    else
        _warning "This poses a security risk."
        _warning "You can deactivate all swap partitions using the command:"
        _warning " swapoff -a"
+        _warning "[#163] I may not detect plain swaps on an encrypted volume."
        _warning "But if you want to proceed like this, use the -f (force) flag."
    fi
    return $r