Re: cryptsetup problem with memory allocation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Milan,

On Fri, Jul 4, 2014 at 6:44 PM, Milan Broz <gmazyland@xxxxxxxxx> wrote:
> On 07/04/2014 05:02 PM, Belisko Marek wrote:
>> Hi,
>>
>> On Tue, Jun 24, 2014 at 1:12 AM, Alasdair G Kergon <agk@xxxxxxxxxx> wrote:
>>>>> I track it down that malloc fails (ENONMEM) in libdevmapper and then
>>>>> _dm_check_versions() fails when creating dm task (dmt =
>>>>> dm_task_create(DM_DEVICE_LIST_VERSIONS).
>>>
>>> After updating to the most recent version you are able to use,
>>> run it under strace and let us see the relevant output (at least the
>>> failing system call itself, what leads up to it, including all early
>>> memory-related system calls and DM ioctls) and any environment variables
>>> set that could modify behaviour.
>> when update to latest cryptsetup (1.64) I can see different error as with 1.62:
>> ioctl(6, DM_VERSION, 0x1e340)     = -1 EACCES (Permission denied)
>> So it seems that gcrypt probably drop privileges (as running on
>> embedded system I'm root)?
>
> Just guess, but do you have gcrypt compiled with Posix capabilities?
>
> If so, it cannot work. See this comment in cryptsetup gcrypt wrapper
> (you can workaround it by uncommenting this #if and rebuild cryptsetup)
#if 1 fixed my problem. Thanks for help!
>
> lib/crypto_backend/crypto_gcrypt.c:
>
> /* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
>  * it drops all privileges during secure memory initialisation.
>  * For now, the only workaround is to disable secure memory in gcrypt.
>  * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
>  * and it locks its memory space anyway.
>  */
> #if 0
>                 gcry_control (GCRYCTL_DISABLE_SECMEM);
>                 crypto_backend_secmem = 0;
> #else
>
>                 gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
>                 gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
>                 gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
> #endif
>
> Milan

BR,

marek

-- 
as simple and primitive as possible
-------------------------------------------------
Marek Belisko - OPEN-NANDRA
Freelance Developer

Ruska Nova Ves 219 | Presov, 08005 Slovak Republic
Tel: +421 915 052 184
skype: marekwhite
twitter: #opennandra
web: http://open-nandra.com
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt




[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux