[PATCH] lomount.c: don't use mlockall if CRYPT_NONE

Hi,

I'm writing a command that installs all src.rpms in ISO
images to a system. I'd like to make the command require
as few privileges as possible.

Loopback mounting emits two system calls: mount and mlockall.
mount is obviously needed. mlockall is needed for encryption.
As a result, both CAP_SYS_ADMIN and CAP_IPC_LOCK are needed
to do loopback mounting.

The problem is that CAP_IPC_LOCK is always needed though my
command doesn't need encryption.

With the following patch, mount calls mlockall only when
encryption is needed. Could you introduce this patch?

I'm not on the mailing list, so please put my address
in the cc: of your reply.

Signed-off-by: Masatake YAMATO <jet@xxxxxxxx>

diff --git a/mount/lomount.c b/mount/lomount.c
index 88214f7..bcdd3fc 100644
--- a/mount/lomount.c
+++ b/mount/lomount.c
@@ -316,11 +316,13 @@ set_loop(const char *device, const char *file, unsigned long long offset,
 	 * Oh-oh, sensitive data coming up. Better lock into memory to prevent
 	 * passwd etc being swapped out and left somewhere on disk.
 	 */
-                                                
-	if(mlockall(MCL_CURRENT | MCL_FUTURE)) {
-		perror("memlock");
-		fprintf(stderr, _("Couldn't lock into memory, exiting.\n"));
-		exit(1);
+
+	if (loopinfo64.lo_encrypt_type != LO_CRYPT_NONE) {
+		if(mlockall(MCL_CURRENT | MCL_FUTURE)) {
+			perror("memlock");
+			fprintf(stderr, _("Couldn't lock into memory, exiting.\n"));
+			exit(1);
+		}
 	}
 #endif
 
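Review bot: The new guard on loopinfo64.lo_encrypt_type != LO_CRYPT_NONE only keeps the passphrase out of swap if lo_encrypt_type already holds its final value when set_loop() reaches this block. That assignment is not visible in the hunk, so please confirm that every path that selects an encryption type sets the field before this test; otherwise an encrypted setup would skip mlockall() without any error. The comment above the test still reads as if the lock were unconditional and should say that memory is locked only for encrypted loop devices. The two nested ifs could also be one condition joined with &&, and the inner "if(mlockall" lacks the space used in the new outer "if (".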