[dm-crypt] unknown version
gmazyland at gmail.com
Sat Apr 23 18:51:52 CEST 2016
On 04/23/2016 03:17 PM, Julien Lepiller wrote:
> On Sat, 23 Apr 2016 10:45:52 +0200
> Milan Broz <gmazyland at gmail.com> wrote:
>> On 04/22/2016 02:01 PM, Julien Lepiller wrote:
>>> I am trying to use cryptsetup with a disk that has been encrypted
>>> some time ago. I'm using Linux From Scratch, and built cryptsetup
>>> myself. What I see when I run luksOpen is the following (all
>>> commands are run as root) :
>>> # cryptsetup 1.7.1 processing "cryptsetup --debug luksOpen /dev/sda1
>>> # Activating volume hdd [keyslot -1] using [none] passphrase.
>>> # dm version OF  (*1)
>>> # device-mapper: version ioctl on failed: Permission denied
>> This looks like you cannot access something (/dev/mapper/control?)
>> and then it just fails because of this initial failure.
>> Do you have SElinux switched on?
>> What is output of "dmsetup version" - does it work?
> Thank you for your answer, the output of the command is:
> Library version: 1.02.121 (2016-04-01)
> Driver version: 4.34.0
> Selinux is switched off (I tried to use it, so I have the libraries,
> but it just does not work at all), and their is nothing in journald.
Ok, so device mapper works.
So if it is not SElinux, something is preventing ioctl to run.
(The error is internal libdevmapper error.)
Do you compile libgcrypt yourself with POSIX capabilities enabled?
If so, gcrypt drops privileges for the whole calling process...
see comment in lib/crypto_backend/crypto_gcrypt.c:
/* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
* it drops all privileges during secure memory initialisation.
* For now, the only workaround is to disable secure memory in gcrypt.
* cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
* and it locks its memory space anyway.
If it is your case, please do not use capabilities in gcrypt or
try to change define above in cryptsetup source as a workaroung and recompile it.
More information about the dm-crypt