mirror of
https://gitlab.com/cryptsetup/cryptsetup.git
synced 2025-12-06 00:10:04 +01:00
libdevmapper: propagate key mgmt related kernel ioctl error on _dm_create_device()
Let's not make up synthetic errors if the kernel returns a useful error to us, that tells us about key validity. Specifically, if we try to activate a dm-verity device with a signed root hash, it's important to know when we couldn't activate it due to the signing key missing in the kernel keyring. The kernel reports a nice error code in that case (ENOKEY), let's make sure this is propagated back to clients.

To be on the safe side, this allowlists only the three key management related error codes ENOKEY, EKEYREVOKED, EKEYEXPIRED and returns ENOKEY for all of them. The kernel's DM stack traditionally wasn't very good with returning useful error codes, hence the conservative approach.

This patch is not sufficient to fix this properly. There's a patch needed to fix errno propagation also in libdevmapper: https://gitlab.com/lvmteam/lvm2/-/merge_requests/3

With both patches applied we get correct error code reporting.

Fixes: #841
@@ -1331,7 +1331,15 @@ static int _dm_create_device(struct crypt_device *cd, const char *name, const ch
|
||||
goto out;
|
||||
|
||||
if (!dm_task_run(dmt)) {
|
||||
r = dm_status_device(cd, name);;
|
||||
|
||||
r = -dm_task_get_errno(dmt);
|
||||
if (r == -ENOKEY || r == -EKEYREVOKED || r == -EKEYEXPIRED) {
|
||||
/* propagate DM errors around key managament as such */
|
||||
r = -ENOKEY;
|
||||
goto out;
|
||||
}
|
||||
|
||||
r = dm_status_device(cd, name);
|
||||
if (r >= 0)
|
||||
r = -EEXIST;
|
||||
if (r != -EEXIST && r != -ENODEV)
|
||||
|
||||
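Review bot: the new branch after `r = -dm_task_get_errno(dmt);` folds EKEYREVOKED and EKEYEXPIRED into ENOKEY, so a caller can no longer tell a missing signing key from a revoked or expired one; since all three are already on the allowlist, consider propagating `r` unchanged (`if (r == -ENOKEY || r == -EKEYREVOKED || r == -EKEYEXPIRED) goto out;`) or, if the collapse is intended for API stability, state that in the comment. The comment itself has a typo: "managament" should read "management". Note also that when libdevmapper has not recorded the errno, `dm_task_get_errno()` yields 0 and the code correctly falls through to the existing `dm_status_device()` path, which is why the linked lvm2 fix is required for the new branch to ever trigger.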