If gcrypt compiled with capabilities, document workaround for cryptsetup (see lib/gcrypt.c).

git-svn-id: https://cryptsetup.googlecode.com/svn/trunk@180 36d66b0a-2a48-0410-832c-cd162a569da5
2025-12-12 19:30:04 +01:00 · 2010-01-17 10:20:15 +00:00
parent 6c3a4cf331
commit 1a947a573b
2 changed files with 14 additions and 0 deletions
--- a/lib/gcrypt.c
+++ b/lib/gcrypt.c
@@ -15,9 +15,20 @@ int init_crypto(void)
 	if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) {
 		if (!gcry_check_version (GCRYPT_REQ_VERSION))
 			return -ENOSYS;
+
+/* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
+ * it drops all privileges during secure memory initialisation.
+ * For now, the only workaround is to disable secure memory in gcrypt.
+ * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
+ * and it locks its memory space anyway.
+ */
+#if 0
+		gcry_control (GCRYCTL_DISABLE_SECMEM);
+#else
 		gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
 		gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
 		gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
+#endif
 		gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
 	}