Hi, We currently can only do dump filtering based on a fully qualified object reference (eg: anaconda.id.bootloader.password). This is somewhat problematic w/ encrypted block device passphrases since they can live in partRequest instances and therefore cannot be referenced as previously described. Initially I set out to implement dump filtering based on class name and member name, but I stumbled onto a much simpler solution: just make the passphrase member into __passphrase and then filter out any private members (those with leading "__") from the dump. This is intended to go into rawhide after F10, but a case could be made to add it for both F10 and RHEL5.3 since it prevents passphrases from appearing in anacdump.txt. See attached patch.
diff --git a/exception.py b/exception.py index e4e7c08..b146315 100644 --- a/exception.py +++ b/exception.py @@ -89,6 +89,9 @@ class AnacondaExceptionDump: pad = ' ' * ((level) * 2) for key, value in instance.__dict__.items(): + if key.startswith("_%s__" % instance.__class__.__name__): + continue + if parentkey != "": curkey = parentkey + "." + key else: diff --git a/cryptodev.py b/cryptodev.py index 95d7483..63dcd4a 100644 --- a/cryptodev.py +++ b/cryptodev.py @@ -55,7 +55,7 @@ class LUKSDevice: functional.""" def __init__(self, device=None, passphrase=None, format=0): self._device = None - self.passphrase = "" + self.__passphrase = "" self.name = "" self.uuid = None self.nameLocked = False @@ -124,7 +124,10 @@ class LUKSDevice: def setPassphrase(self, passphrase): """Set the (plaintext) passphrase used to access the device.""" - self.passphrase = passphrase + self.__passphrase = passphrase + + def hasPassphrase(self): + return self.__passphrase not in (None, "") def crypttab(self): """Return a crypttab formatted line describing this mapping.""" @@ -155,7 +158,7 @@ class LUKSDevice: log.debug("refusing to format active mapping %s" % (self.name,)) return 1 - if not self.passphrase: + if not self.hasPassphrase(): raise RuntimeError, "Cannot create mapping without a passphrase." device = self.getDevice(encrypted=1) @@ -164,7 +167,7 @@ class LUKSDevice: log.info("formatting %s as %s" % (device, self.getScheme())) p = os.pipe() - os.write(p[1], "%s\n" % (self.passphrase,)) + os.write(p[1], "%s\n" % (self.__passphrase,)) os.close(p[1]) rc = iutil.execWithRedirect("cryptsetup", @@ -182,7 +185,7 @@ class LUKSDevice: # already mapped return 0 - if not self.passphrase: + if not self.hasPassphrase(): raise RuntimeError, "Cannot create mapping without a passphrase." device = self.getDevice(encrypted=1) 
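Review bot: The new test `key.startswith("_%s__" % instance.__class__.__name__)` in exception.py only matches names mangled with the instance's own class name, but Python mangles a `__name` attribute with the name of the class whose body assigns it, with that name's leading underscores stripped. An instance of a subclass of `LUKSDevice` would therefore carry `_LUKSDevice__passphrase` in `__dict__` while the filter looks for the subclass prefix, and the passphrase would still reach the dump. Checking the key against every class returned by `inspect.getmro(instance.__class__)`, with `cls.__name__.lstrip("_")` in the prefix, would close that gap, provided `inspect` is imported in this file. The loop body continues past the end of the hunk.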
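Review bot: In the `@@ -124` hunk of cryptodev.py, dropping the public `passphrase` attribute means any code outside the class that still assigns `dev.passphrase = ...` will silently create a new public attribute, which the dump filter does not skip and which `hasPassphrase()` ignores. Code that still reads the old attribute will raise AttributeError. Only one external reader, in partitions.py, is converted in this patch, so the remaining uses across the tree should be checked before this goes in. `hasPassphrase` is also the only method in this hunk without a docstring; `"""Return True if a non-empty passphrase has been set."""` would match its neighbours.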
@@ -200,7 +203,7 @@ class LUKSDevice: self.name)) p = os.pipe() - os.write(p[1], "%s\n" % (self.passphrase,)) + os.write(p[1], "%s\n" % (self.__passphrase,)) os.close(p[1]) rc = iutil.execWithRedirect("cryptsetup", @@ -230,11 +233,11 @@ class LUKSDevice: if not newpass: return 1 - if newpass == self.passphrase: + if newpass == self.__passphrase: return 0 p = os.pipe() - os.write(p[1], "%s\n%s" % (self.passphrase, newpass)) + os.write(p[1], "%s\n%s" % (self.__passphrase, newpass)) os.close(p[1]) device = self.getDevice(encrypted=1) diff --git a/partitions.py b/partitions.py index baf8faf..35ba42c 100644 --- a/partitions.py +++ b/partitions.py @@ -104,7 +104,7 @@ def partitioningComplete(anaconda): continue if request.encryption and request.encryption.format: - if anaconda.isKickstart and request.encryption.passphrase: + if anaconda.isKickstart and request.encryption.hasPassphrase(): # they set a passphrase for this device explicitly pass elif partitions.encryptionPassphrase: @@ -369,6 +369,8 @@ class Partitions: """Clear the delete list and set self.requests to reflect disk.""" self.deletes = [] self.requests = [] + if diskset.anaconda.isKickstart: + self.getEncryptedDevices(diskset) labels = diskset.getInfo() drives = diskset.disks.keys() drives.sort()
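Review bot: `partitions.encryptionPassphrase`, tested on the context line just after the changed condition in the `@@ -104` hunk of partitions.py, is still a public attribute, so the private-member filter added in exception.py will not hide it. Whether it is already excluded by its fully qualified name is not visible here; if it is not, the global passphrase would still be written to anacdump.txt. Either make it a `__`-prefixed member with an accessor, as done for `LUKSDevice`, or confirm it is covered by the existing name-based filter. The enclosing function starts and ends outside the hunk.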
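Review bot: The added `if diskset.anaconda.isKickstart:` / `self.getEncryptedDevices(diskset)` pair in the `@@ -369` hunk of partitions.py is not mentioned in the description and carries no comment, so its connection to dump filtering is unclear. It appears to be a separate behaviour change for kickstart installs. A short comment above the `if` giving the reason, or moving the two lines to their own patch, would make it reviewable. The new code also dereferences `diskset.anaconda` unconditionally; whether that attribute is always set on this path cannot be seen from the hunk, and the method body continues beyond it.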