Hi Milan,

On Fri, Jul 4, 2014 at 6:44 PM, Milan Broz <gmazyland@xxxxxxxxx> wrote:
> On 07/04/2014 05:02 PM, Belisko Marek wrote:
>> Hi,
>>
>> On Tue, Jun 24, 2014 at 1:12 AM, Alasdair G Kergon <agk@xxxxxxxxxx> wrote:
>>>>> I track it down that malloc fails (ENONMEM) in libdevmapper and then
>>>>> _dm_check_versions() fails when creating dm task (dmt =
>>>>> dm_task_create(DM_DEVICE_LIST_VERSIONS).
>>>
>>> After updating to the most recent version you are able to use,
>>> run it under strace and let us see the relevant output (at least the
>>> failing system call itself, what leads up to it, including all early
>>> memory-related system calls and DM ioctls) and any environment variables
>>> set that could modify behaviour.
>> when update to latest cryptsetup (1.64) I can see different error as with 1.62:
>> ioctl(6, DM_VERSION, 0x1e340) = -1 EACCES (Permission denied)
>> So it seems that gcrypt probably drop privileges (as running on
>> embedded system I'm root)?
>
> Just guess, but do you have gcrypt compiled with Posix capabilities?
>
> If so, it cannot work. See this comment in cryptsetup gcrypt wrapper
> (you can workaround it by uncommenting this #if and rebuild cryptsetup)

#if 1 fixed my problem. Thanks for help!

>
> lib/crypto_backend/crypto_gcrypt.c:
>
> /* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
>  * it drops all privileges during secure memory initialisation.
>  * For now, the only workaround is to disable secure memory in gcrypt.
>  * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
>  * and it locks its memory space anyway.
>  */
> #if 0
> gcry_control (GCRYCTL_DISABLE_SECMEM);
> crypto_backend_secmem = 0;
> #else
>
> gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
> gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
> gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
> #endif
>
> Milan

BR,

marek

--
as simple and primitive as possible
-------------------------------------------------
Marek Belisko - OPEN-NANDRA
Freelance Developer

Ruska Nova Ves 219 | Presov, 08005 Slovak Republic
Tel: +421 915 052 184
skype: marekwhite
twitter: #opennandra
web: http://open-nandra.com
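
A diagnostic for the situation in this thread, added here as an example (not code from cryptsetup, libgcrypt or any poster): a process can remain uid 0 while its effective capability set is empty, and the quoted comment says cryptsetup needs cap_sys_admin for dm-ioctl. The function names and the sample status text are constructed for illustration; the `CapEff` field of `/proc/<pid>/status` and bit 21 for CAP_SYS_ADMIN are standard Linux.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21 /* CAP_SYS_ADMIN, from <linux/capability.h> */

/* Constructed /proc/<pid>/status excerpts: uid 0 with and without capabilities. */
static const char SAMPLE_ROOT[] =
    "Name:\tcryptsetup\nUid:\t0\t0\t0\t0\n"
    "CapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n";
static const char SAMPLE_DROPPED[] =
    "Name:\tcryptsetup\nUid:\t0\t0\t0\t0\n"
    "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";

/* Parse the hex mask on the "CapEff:" line; 0 on success, -1 if absent or empty. */
int parse_cap_eff(const char *text, unsigned long long *mask)
{
    const char *p = text;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *v = p + 7;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1; /* empty field */
            *mask = strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n'); /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* 1 if CAP_SYS_ADMIN is in the effective set, 0 if not, -1 on parse failure. */
int has_cap_sys_admin(const char *text)
{
    unsigned long long mask;
    if (parse_cap_eff(text, &mask) != 0) return -1;
    return (int)((mask >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("sample root:    %d\n", has_cap_sys_admin(SAMPLE_ROOT));
    printf("sample dropped: %d\n", has_cap_sys_admin(SAMPLE_DROPPED));
    printf("this process:   %d\n", has_cap_sys_admin(buf));
    return 0;
}
```

A result of 0 for a process whose `Uid:` line still shows 0 matches the symptom reported above, where the DM_VERSION ioctl returns EACCES although the user is root.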