Diffstat (limited to 'rust-src/src')
-rw-r--r-- | rust-src/src/cmd_mount.rs | 99 | ||||
-rw-r--r-- | rust-src/src/filesystem.rs | 217 | ||||
-rw-r--r-- | rust-src/src/key.rs | 124 | ||||
-rw-r--r-- | rust-src/src/lib.rs | 33 |
4 files changed, 473 insertions, 0 deletions
diff --git a/rust-src/src/cmd_mount.rs b/rust-src/src/cmd_mount.rs
new file mode 100644
index 00000000..7748b199
--- /dev/null
+++ b/rust-src/src/cmd_mount.rs
@@ -0,0 +1,99 @@ +use bch_bindgen::{error, info}; +use clap::Parser; +use colored::Colorize; +use atty::Stream; +use uuid::Uuid; +use crate::filesystem; +use crate::key; +use crate::key::KeyLoc; + +fn parse_fstab_uuid(uuid_raw: &str) -> Result<Uuid, uuid::Error> { + let mut uuid = String::from(uuid_raw); + if uuid.starts_with("UUID=") { + uuid = uuid.replacen("UUID=", "", 1); + } + return Uuid::parse_str(&uuid); +} + +fn stdout_isatty() -> &'static str { + if atty::is(Stream::Stdout) { + "true" + } else { + "false" + } +} + +/// Mount a bcachefs filesystem by its UUID. +#[derive(Parser, Debug)] +#[command(author, version, about, long_about = None)] +pub struct Cli { + /// Where the password would be loaded from. + /// + /// Possible values are: + /// "fail" - don't ask for password, fail if filesystem is encrypted; + /// "wait" - wait for password to become available before mounting; + /// "ask" - prompt the user for password; + #[arg(short, long, default_value = "", verbatim_doc_comment)] + pub key_location: KeyLoc, + + /// External UUID of the bcachefs filesystem + /// + /// Accepts the UUID as is or as fstab style UUID=<UUID> + #[arg(value_parser = parse_fstab_uuid)] + pub uuid: uuid::Uuid, + + /// Where the filesystem should be mounted. If not set, then the filesystem + /// won't actually be mounted. But all steps preceeding mounting the + /// filesystem (e.g. asking for passphrase) will still be performed. + pub mountpoint: Option<std::path::PathBuf>, + + /// Mount options + #[arg(short, default_value = "")] + pub options: String, + + /// Force color on/off. 
Default: autodetect tty + #[arg(short, long, action = clap::ArgAction::Set, default_value=stdout_isatty())] + pub colorize: bool, + + #[arg(short = 'v', long, action = clap::ArgAction::Count)] + pub verbose: u8, +} + +pub fn cmd_mount_inner(opt: Cli) -> anyhow::Result<()> { + unsafe { + libc::setvbuf(filesystem::stdout, std::ptr::null_mut(), libc::_IONBF, 0); + } + + let fss = filesystem::probe_filesystems()?; + let fs = fss + .get(&opt.uuid) + .ok_or_else(|| anyhow::anyhow!("filesystem was not found"))?; + + info!("found filesystem {}", fs); + if fs.encrypted() { + let key = opt + .key_location + .0 + .ok_or_else(|| anyhow::anyhow!("no keyoption specified for locked filesystem"))?; + + key::prepare_key(&fs, key)?; + } + + let mountpoint = opt + .mountpoint + .ok_or_else(|| anyhow::anyhow!("mountpoint option was not specified"))?; + + fs.mount(&mountpoint, &opt.options)?; + + Ok(()) +} + +#[no_mangle] +pub extern "C" fn cmd_mount() { + let opt = Cli::parse(); + bch_bindgen::log::set_verbose_level(opt.verbose + bch_bindgen::log::ERROR); + colored::control::set_override(opt.colorize); + if let Err(e) = cmd_mount_inner(opt) { + error!("Fatal error: {}", e); + } +} diff --git a/rust-src/src/filesystem.rs b/rust-src/src/filesystem.rs new file mode 100644 index 00000000..28a2ab9e --- /dev/null +++ b/rust-src/src/filesystem.rs 
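Review bot: `cmd_mount` at the end of cmd_mount.rs only logs the error from `cmd_mount_inner` and then returns `()`, so a failed probe, key setup or mount never reaches the caller. Unless the C side sets the exit status some other way (not visible here), a script or mount helper would see success for a filesystem that was never mounted. I would end the error branch with a non-zero exit, `error!("Fatal error: {}", e); std::process::exit(1);`. Separately, the doc comment on `mountpoint` says that omitting it skips the mount but still runs the earlier steps, whereas `cmd_mount_inner` returns `mountpoint option was not specified` as an error in that case; one of the two should change.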
@@ -0,0 +1,217 @@ +extern "C" { + pub static stdout: *mut libc::FILE; +} +use bch_bindgen::{debug, info}; +use colored::Colorize; +use getset::{CopyGetters, Getters}; +use std::path::PathBuf; +#[derive(Getters, CopyGetters)] +pub struct FileSystem { + /// External UUID of the bcachefs + #[getset(get = "pub")] + uuid: uuid::Uuid, + /// Whether filesystem is encrypted + #[getset(get_copy = "pub")] + encrypted: bool, + /// Super block + #[getset(get = "pub")] + sb: bcachefs::bch_sb_handle, + /// Member devices for this filesystem + #[getset(get = "pub")] + devices: Vec<PathBuf>, +} +impl std::fmt::Debug for FileSystem { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + f.debug_struct("FileSystem") + .field("uuid", &self.uuid) + .field("encrypted", &self.encrypted) + .field("devices", &self.device_string()) + .finish() + } +} +use std::fmt; +impl std::fmt::Display for FileSystem { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + let devs = self.device_string(); + write!( + f, + "{:?}: locked?={lock} ({}) ", + self.uuid, + devs, + lock = self.encrypted + ) + } +} + +impl FileSystem { + pub(crate) fn new(sb: bcachefs::bch_sb_handle) -> Self { + Self { + uuid: sb.sb().uuid(), + encrypted: sb.sb().crypt().is_some(), + sb: sb, + devices: Vec::new(), + } + } + + pub fn device_string(&self) -> String { + use itertools::Itertools; + self.devices.iter().map(|d| d.display()).join(":") + } + + pub fn mount( + &self, + target: impl AsRef<std::path::Path>, + options: impl AsRef<str>, + ) -> anyhow::Result<()> { + let src = self.device_string(); + let (data, mountflags) = parse_mount_options(options); + + info!( + "mounting bcachefs filesystem, {}", + target.as_ref().display() + ); + mount_inner(src, target, "bcachefs", mountflags, data) + } +} + +fn mount_inner( + src: String, + target: impl AsRef<std::path::Path>, + fstype: &str, + mountflags: u64, + data: Option<String>, +) -> anyhow::Result<()> { + use std::{ + ffi::{c_void, CString}, + os::{raw::c_char, 
unix::ffi::OsStrExt}, + }; + + // bind the CStrings to keep them alive + let src = CString::new(src)?; + let target = CString::new(target.as_ref().as_os_str().as_bytes())?; + let data = data.map(CString::new).transpose()?; + let fstype = CString::new(fstype)?; + + // convert to pointers for ffi + let src = src.as_c_str().to_bytes_with_nul().as_ptr() as *const c_char; + let target = target.as_c_str().to_bytes_with_nul().as_ptr() as *const c_char; + let data = data.as_ref().map_or(std::ptr::null(), |data| { + data.as_c_str().to_bytes_with_nul().as_ptr() as *const c_void + }); + let fstype = fstype.as_c_str().to_bytes_with_nul().as_ptr() as *const c_char; + + let ret = { + info!("mounting filesystem"); + // REQUIRES: CAP_SYS_ADMIN + unsafe { libc::mount(src, target, fstype, mountflags, data) } + }; + match ret { + 0 => Ok(()), + _ => Err(crate::ErrnoError(errno::errno()).into()), + } +} + +/// Parse a comma-separated mount options and split out mountflags and filesystem +/// specific options. 
+fn parse_mount_options(options: impl AsRef<str>) -> (Option<String>, u64) { + use either::Either::*; + debug!("parsing mount options: {}", options.as_ref()); + let (opts, flags) = options + .as_ref() + .split(",") + .map(|o| match o { + "dirsync" => Left(libc::MS_DIRSYNC), + "lazytime" => Left(1 << 25), // MS_LAZYTIME + "mand" => Left(libc::MS_MANDLOCK), + "noatime" => Left(libc::MS_NOATIME), + "nodev" => Left(libc::MS_NODEV), + "nodiratime" => Left(libc::MS_NODIRATIME), + "noexec" => Left(libc::MS_NOEXEC), + "nosuid" => Left(libc::MS_NOSUID), + "relatime" => Left(libc::MS_RELATIME), + "remount" => Left(libc::MS_REMOUNT), + "ro" => Left(libc::MS_RDONLY), + "rw" => Left(0), + "strictatime" => Left(libc::MS_STRICTATIME), + "sync" => Left(libc::MS_SYNCHRONOUS), + "" => Left(0), + o @ _ => Right(o), + }) + .fold((Vec::new(), 0), |(mut opts, flags), next| match next { + Left(f) => (opts, flags | f), + Right(o) => { + opts.push(o); + (opts, flags) + } + }); + + use itertools::Itertools; + ( + if opts.len() == 0 { + None + } else { + Some(opts.iter().join(",")) + }, + flags, + ) +} + +use bch_bindgen::bcachefs; +use std::collections::HashMap; +use uuid::Uuid; + +pub fn probe_filesystems() -> anyhow::Result<HashMap<Uuid, FileSystem>> { + debug!("enumerating udev devices"); + let mut udev = udev::Enumerator::new()?; + + udev.match_subsystem("block")?; // find kernel block devices + + let mut fs_map = HashMap::new(); + let devresults = udev + .scan_devices()? + .into_iter() + .filter_map(|dev| dev.devnode().map(ToOwned::to_owned)); + + for pathbuf in devresults { + match get_super_block_uuid(&pathbuf)? 
{ + Ok((uuid_key, superblock)) => { + let fs = fs_map.entry(uuid_key).or_insert_with(|| { + info!("found bcachefs pool: {}", uuid_key); + FileSystem::new(superblock) + }); + + fs.devices.push(pathbuf); + } + + Err(e) => { + debug!("{}", e); + } + } + } + + info!("found {} filesystems", fs_map.len()); + Ok(fs_map) +} + +// #[tracing_attributes::instrument(skip(dev, fs_map))] +fn get_super_block_uuid( + path: &std::path::Path, +) -> std::io::Result<std::io::Result<(Uuid, bcachefs::bch_sb_handle)>> { + use gag::BufferRedirect; + // Stop libbcachefs from spamming the output + let gag = BufferRedirect::stdout().unwrap(); + + let sb = bch_bindgen::rs::read_super(&path)?; + let super_block = match sb { + Err(e) => { + return Ok(Err(e)); + } + Ok(sb) => sb, + }; + drop(gag); + + let uuid = (&super_block).sb().uuid(); + debug!("bcachefs superblock path={} uuid={}", path.display(), uuid); + + Ok(Ok((uuid, super_block))) +} diff --git a/rust-src/src/key.rs b/rust-src/src/key.rs new file mode 100644 index 00000000..e2d0e4c0 --- /dev/null +++ b/rust-src/src/key.rs 
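Review bot: In `probe_filesystems`, every block device whose superblock reports the same external UUID is pushed onto `fs.devices`, while `sb` and `encrypted` come only from the first device seen (`or_insert_with` plus `FileSystem::new`), so nothing checks that later members agree on the `crypt` field. Since the UUID is read from the device itself, I would record `let member_encrypted = superblock.sb().crypt().is_some();` before the `entry` call and skip the member with a warning when `fs.encrypted() != member_encrypted`. A comment should also state that membership is decided by the on-disk UUID alone. In `get_super_block_uuid`, `BufferRedirect::stdout().unwrap()` panics if the redirect cannot be set up, and that path is reached from the `extern "C"` entry point; the function already returns `std::io::Result`, so `let gag = BufferRedirect::stdout()?;` would propagate the failure instead (confirm the gag call returns an `io::Result`).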
@@ -0,0 +1,124 @@ +use bch_bindgen::info; +use colored::Colorize; +use crate::c_str; +use anyhow::anyhow; + +#[derive(Clone, Debug)] +pub enum KeyLocation { + Fail, + Wait, + Ask, +} + +#[derive(Clone, Debug)] +pub struct KeyLoc(pub Option<KeyLocation>); +impl std::ops::Deref for KeyLoc { + type Target = Option<KeyLocation>; + fn deref(&self) -> &Self::Target { + &self.0 + } +} + +impl std::str::FromStr for KeyLoc { + type Err = anyhow::Error; + fn from_str(s: &str) -> anyhow::Result<Self> { + match s { + "" => Ok(KeyLoc(None)), + "fail" => Ok(KeyLoc(Some(KeyLocation::Fail))), + "wait" => Ok(KeyLoc(Some(KeyLocation::Wait))), + "ask" => Ok(KeyLoc(Some(KeyLocation::Ask))), + _ => Err(anyhow!("invalid password option")), + } + } +} + +fn check_for_key(key_name: &std::ffi::CStr) -> anyhow::Result<bool> { + use bch_bindgen::keyutils::{self, keyctl_search}; + let key_name = key_name.to_bytes_with_nul().as_ptr() as *const _; + let key_type = c_str!("logon"); + + let key_id = unsafe { keyctl_search(keyutils::KEY_SPEC_USER_KEYRING, key_type, key_name, 0) }; + if key_id > 0 { + info!("Key has became available"); + Ok(true) + } else if errno::errno().0 != libc::ENOKEY { + Err(crate::ErrnoError(errno::errno()).into()) + } else { + Ok(false) + } +} + +fn wait_for_key(uuid: &uuid::Uuid) -> anyhow::Result<()> { + let key_name = std::ffi::CString::new(format!("bcachefs:{}", uuid)).unwrap(); + loop { + if check_for_key(&key_name)? { + break Ok(()); + } + + std::thread::sleep(std::time::Duration::from_secs(1)); + } +} + +const BCH_KEY_MAGIC: &str = "bch**key"; +use crate::filesystem::FileSystem; +fn ask_for_key(fs: &FileSystem) -> anyhow::Result<()> { + use bch_bindgen::bcachefs::{self, bch2_chacha_encrypt_key, bch_encrypted_key, bch_key}; + use byteorder::{LittleEndian, ReadBytesExt}; + use std::os::raw::c_char; + + let key_name = std::ffi::CString::new(format!("bcachefs:{}", fs.uuid())).unwrap(); + if check_for_key(&key_name)? 
{ + return Ok(()); + } + + let bch_key_magic = BCH_KEY_MAGIC.as_bytes().read_u64::<LittleEndian>().unwrap(); + let crypt = fs.sb().sb().crypt().unwrap(); + let pass = rpassword::read_password_from_tty(Some("Enter passphrase: "))?; + let pass = std::ffi::CString::new(pass.trim_end())?; // bind to keep the CString alive + let mut output: bch_key = unsafe { + bcachefs::derive_passphrase( + crypt as *const _ as *mut _, + pass.as_c_str().to_bytes_with_nul().as_ptr() as *const _, + ) + }; + + let mut key = crypt.key().clone(); + let ret = unsafe { + bch2_chacha_encrypt_key( + &mut output as *mut _, + fs.sb().sb().nonce(), + &mut key as *mut _ as *mut _, + std::mem::size_of::<bch_encrypted_key>() as usize, + ) + }; + if ret != 0 { + Err(anyhow!("chacha decryption failure")) + } else if key.magic != bch_key_magic { + Err(anyhow!("failed to verify the password")) + } else { + let key_type = c_str!("logon"); + let ret = unsafe { + bch_bindgen::keyutils::add_key( + key_type, + key_name.as_c_str().to_bytes_with_nul() as *const _ as *const c_char, + &output as *const _ as *const _, + std::mem::size_of::<bch_key>() as usize, + bch_bindgen::keyutils::KEY_SPEC_USER_KEYRING, + ) + }; + if ret == -1 { + Err(anyhow!("failed to add key to keyring: {}", errno::errno())) + } else { + Ok(()) + } + } +} + +pub fn prepare_key(fs: &FileSystem, password: KeyLocation) -> anyhow::Result<()> { + info!("checking if key exists for filesystem {}", fs.uuid()); + match password { + KeyLocation::Fail => Err(anyhow!("no key available")), + KeyLocation::Wait => Ok(wait_for_key(fs.uuid())?), + KeyLocation::Ask => ask_for_key(fs), + } +} diff --git a/rust-src/src/lib.rs b/rust-src/src/lib.rs new file mode 100644 index 00000000..b2f0aaa7 --- /dev/null +++ b/rust-src/src/lib.rs 
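Review bot: `ask_for_key` leaves the passphrase (`pass`, both the `String` and the `CString`), the derived key `output` and the decrypted copy `key` in memory on every return path; they are ordinary values that are dropped without being overwritten. I would clear them after `add_key` returns and on both error branches, for example `unsafe { std::ptr::write_volatile(&mut output, std::mem::zeroed()) };` and the same for `key` (this assumes the bindgen structs are valid when all-zero, which should be confirmed), and keep the passphrase in a buffer that is wiped on drop. `pass.trim_end()` also strips all trailing whitespace rather than only the newline, so a passphrase ending in a space is altered before derivation; a comment should say whether that matches the C tool. `wait_for_key` polls once a second with no upper bound, which deserves a doc line so callers know it can block indefinitely.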
@@ -0,0 +1,33 @@
+pub mod filesystem;
+pub mod key;
+pub mod cmd_mount;
+
+pub mod err {
+ pub enum GError {
+ Unknown {
+ message: std::borrow::Cow<'static, String>,
+ },
+ }
+ pub type GResult<T, E, OE> = ::core::result::Result<::core::result::Result<T, E>, OE>;
+ pub type Result<T, E> = GResult<T, E, GError>;
+}
+
+#[macro_export]
+macro_rules! c_str {
+ ($lit:expr) => {
+ unsafe {
+ std::ffi::CStr::from_ptr(concat!($lit, "\0").as_ptr() as *const std::os::raw::c_char)
+ .to_bytes_with_nul()
+ .as_ptr() as *const std::os::raw::c_char
+ }
+ };
+}
+
+#[derive(Debug)]
+struct ErrnoError(errno::Errno);
+impl std::fmt::Display for ErrnoError {
+ fn fmt(&self, f: &mut std::fmt::Formatter) -> Result<(), std::fmt::Error> {
+ self.0.fmt(f)
+ }
+}
+impl std::error::Error for ErrnoError {} |
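Review bot: The `c_str!` macro goes through `unsafe { CStr::from_ptr(..) }` only to turn the result back into the pointer it started from, which adds a runtime length scan and an `unsafe` block with no `// SAFETY:` comment. It also declares `$lit:expr` although `concat!` accepts literals only, so the fragment promises more than the macro can take. `($lit:literal) => { concat!($lit, "\0").as_ptr() as *const std::os::raw::c_char };` yields the same pointer without `unsafe`. A doc comment should state that the literal must not contain an interior NUL, since the C side would otherwise see a truncated string.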