at 24.11-pre 50 lines 2.0 kB
From 4f95ab1f8110a8ab9d7b0e192731ce467f6e5c26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janne=20He=C3=9F?= <janne@hess.ooo>
Date: Sun, 4 Sep 2022 11:15:02 -0600
Subject: [PATCH] Allow loading token handlers from the default search path

Since [1] landed in cryptsetup, token handlers (libcryptsetup-token-*.so)
are loaded from a fixed path defined at compile-time. This is
problematic with NixOS since it introduces a dependency cycle
between cryptsetup and systemd.

This downstream patch [2] allows loading token plugins from the
default library search path. This approach is not accepted upstream [3]
due to security concerns, but the potential attack vectors require
root access and they are sufficiently addressed:

* cryptsetup could be used as a setuid binary (not used in NixOS).
  In this case, LD_LIBRARY_PATH is ignored because of secure-execution
  mode.
* cryptsetup running as root could lead to a malicious token handler
  being loaded through LD_LIBRARY_PATH. However, fixing the path
  doesn't prevent the same malicious .so being loaded through LD_PRELOAD.
22 23[1] https://gitlab.com/cryptsetup/cryptsetup/-/commit/5b9e98f94178d3cd179d9f6e2a0a68c7d9eb6507 24[2] https://github.com/NixOS/nixpkgs/issues/167994#issuecomment-1094249369 25[3] https://gitlab.com/cryptsetup/cryptsetup/-/issues/733 26--- 27 lib/luks2/luks2_token.c | 4 +--- 28 1 file changed, 1 insertion(+), 3 deletions(-) 29 30diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c 31index 26467253..6f8329f0 100644 32--- a/lib/luks2/luks2_token.c 33+++ b/lib/luks2/luks2_token.c 34@@ -151,12 +151,10 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp 35 36 token = &ret->u.v2; 37 38- r = snprintf(buf, sizeof(buf), "%s/libcryptsetup-token-%s.so", crypt_token_external_path(), name); 39+ r = snprintf(buf, sizeof(buf), "libcryptsetup-token-%s.so", name); 40 if (r < 0 || (size_t)r >= sizeof(buf)) 41 return -EINVAL; 42 43- assert(*buf == '/'); 44- 45 log_dbg(cd, "Trying to load %s.", buf); 46 47 h = dlopen(buf, RTLD_LAZY); 48-- 492.37.2 50
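Review bot: After this change nothing in these lines constrains what dlopen(buf, RTLD_LAZY) resolves: the "%s/" prefix from crypt_token_external_path() and the assert(*buf == '/') are both gone, so buf is a bare file name built from name. dlopen(3) uses the library search path only when the string contains no slash; a name containing "/" would turn buf into a pathname resolved relative to the current working directory instead. The hunk does not show whether name is validated earlier in crypt_token_load_external(), so please confirm that it rejects "/" there, or add that check before the snprintf. Two smaller points: the log_dbg "Trying to load %s." line now records only the file name, so debug output no longer shows which directory the handler came from, and a short comment above the snprintf stating that search-path lookup is intentional, with a pointer to the upstream discussion in [3], would keep the change from being dropped by accident on a later rebase.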