From: Milan Broz <gmazyland@gmail.com>
To: Belisko Marek <marek.belisko@gmail.com>,
Milan Broz <gmazyland@gmail.com>,
"dm-crypt@saout.de" <dm-crypt@saout.de>,
Peter Rajnoha <prajnoha@redhat.com>,
agk@redhat.com
Subject: Re: [dm-crypt] cryptsetup problem with memory allocation
Date: Fri, 04 Jul 2014 18:44:10 +0200
Message-ID: <53B6D9DA.1010406@gmail.com>
In-Reply-To: <CAAfyv37wghkv9-5AZkg9YyNEs2bbs+V5xNZ0YtKawd3NF9Nj8w@mail.gmail.com>

On 07/04/2014 05:02 PM, Belisko Marek wrote:
> Hi,
>
> On Tue, Jun 24, 2014 at 1:12 AM, Alasdair G Kergon <agk@redhat.com> wrote:
>>>> I tracked it down that malloc fails (ENOMEM) in libdevmapper and then
>>>> _dm_check_versions() fails when creating dm task (dmt =
>>>> dm_task_create(DM_DEVICE_LIST_VERSIONS)).
>>
>> After updating to the most recent version you are able to use,
>> run it under strace and let us see the relevant output (at least the
>> failing system call itself, what leads up to it, including all early
>> memory-related system calls and DM ioctls) and any environment variables
>> set that could modify behaviour.
> When I update to the latest cryptsetup (1.64) I can see a different error than with 1.62:
> ioctl(6, DM_VERSION, 0x1e340) = -1 EACCES (Permission denied)
> So it seems that gcrypt probably drops privileges (as I'm running on an
> embedded system, I'm root)?

Just a guess, but do you have gcrypt compiled with POSIX capabilities?

If so, it cannot work. See this comment in the cryptsetup gcrypt wrapper
(you can work around it by uncommenting this #if and rebuilding cryptsetup)

lib/crypto_backend/crypto_gcrypt.c:

    /* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
     * it drops all privileges during secure memory initialisation.
     * For now, the only workaround is to disable secure memory in gcrypt.
     * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
     * and it locks its memory space anyway.
     */
    #if 0
        gcry_control (GCRYCTL_DISABLE_SECMEM);
        crypto_backend_secmem = 0;
    #else
        gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
        gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
        gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
    #endif

Milan
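
Added example (not part of the original message and not cryptsetup or gcrypt code): a small C check that a debug build could call before and after the gcrypt initialisation to see whether CAP_SYS_ADMIN is still effective, which is how a uid 0 process can still get EACCES on the DM ioctl. The function names and sample status text are constructed for illustration, and it assumes the privilege drop is visible in the CapEff line of /proc/<pid>/status.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21 /* value of CAP_SYS_ADMIN in <linux/capability.h> */

/* Constructed samples of /proc/<pid>/status: uid 0 in both, capabilities differ. */
static const char SAMPLE_FULL_ROOT[] = "Uid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n";
static const char SAMPLE_DROPPED[]   = "Uid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n";

/* Find the line starting with key and parse its hex mask; -1 if absent or malformed. */
static int status_mask(const char *status, const char *key, unsigned long long *mask)
{
    size_t klen = strlen(key);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0) {
            const char *v = p + klen;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1; /* empty value */
            *mask = strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n'); /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* 1 = CAP_SYS_ADMIN effective, 0 = not effective, -1 = cannot tell. */
int can_use_dm_ioctl(const char *status)
{
    unsigned long long eff;
    if (status_mask(status, "CapEff:", &eff) != 0)
        return -1;
    return (int)((eff >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("this process:            %d\n", can_use_dm_ioctl(buf));
    printf("constructed, full root:  %d\n", can_use_dm_ioctl(SAMPLE_FULL_ROOT));
    printf("constructed, caps gone:  %d\n", can_use_dm_ioctl(SAMPLE_DROPPED));
    return 0;
}
```
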