OLD | NEW |
| (Empty) |
1 #!/bin/bash | |
2 # Copyright (c) 2009 The Chromium OS Authors. All rights reserved. | |
3 # Use of this source code is governed by a BSD-style license that can be | |
4 # found in the LICENSE file. | |
5 | |
6 set -e # exit on failure | |
7 set -E # share the error handler | |
8 set -u # require all variables to be defined | |
9 USERID="" | |
10 PASSWORD="" | |
11 | |
12 function error_handler() { | |
13 if ! typeset -F cryptohome::log; then | |
14 echo "An error occurred before/in cryptohome." 1>&2 | |
15 # Assume common is ok, but maybe not mount options | |
16 /bin/mount -t tmpfs "$INCOGNITO_MOUNT_NAME" \ | |
17 -onoexec,nosuid,nodev "$DEFAULT_MOUNT_POINT" | |
18 /bin/chown $DEFAULT_USER $DEFAULT_MOUNT_POINT | |
19 exit 1 | |
20 fi | |
21 | |
22 local image="$IMAGE_DIR/${USERID}/image" | |
23 cryptohome::log "entering the mount error_handler ($image)" | |
24 # We don't want to error out again if close fails | |
25 cryptohome::close || $true | |
26 # Same goes for detach | |
27 cryptohome::detach || $true | |
28 if [[ -n "$image" ]]; then | |
29 cryptohome::log "removing the failed image: $image" | |
30 $rm -f $image | |
31 fi | |
32 cryptohome::log "attempting to create a new image..." | |
33 # Let's try a new image. If that fails, use the exit trap. | |
34 trap second_chance EXIT | |
35 cryptohome::mount_or_create "$USERID" "$PASSWORD" | |
36 trap - EXIT | |
37 cryptohome::log "new image created and mounted successfully" | |
38 cryptohome::log "mount completed" | |
39 $exit 0 | |
40 } | |
41 # TODO: move traps into a single call | |
42 trap error_handler ERR; | |
43 | |
44 function incognito_error() { | |
45 cryptohome::log "failed to mount incognito!" | |
46 exit 1 | |
47 } | |
48 | |
49 function incognito_mount() { | |
50 trap incognito_error ERR; | |
51 $mount -t tmpfs -o"${MOUNT_OPTIONS}" "$INCOGNITO_MOUNT_NAME" \ | |
52 $DEFAULT_MOUNT_POINT | |
53 $chown ${DEFAULT_USER}:${DEFAULT_USER} $DEFAULT_MOUNT_POINT | |
54 cryptohome::log "incognito mount completed" | |
55 } | |
56 | |
57 function second_chance() { | |
58 cryptohome::log "new image creation failed (again)" | |
59 cryptohome::log "falling back to incognito mode" | |
60 incognito_mount | |
61 exit 0 | |
62 } | |
63 | |
64 function mount_main() { | |
65 # This catches the unexported CHROMEOS_USER. A defined, but empty | |
66 # CHROMEOS_USER will pass through and be caught later. | |
67 if ! typeset -p CHROMEOS_USER &>/dev/null ; then | |
68 cryptohome::log "CHROMEOS_USER not exported." | |
69 cryptohome::log "Assuming incognito mode..." | |
70 CHROMEOS_USER="$INCOGNITO_USER" | |
71 fi | |
72 | |
73 # Support a file to disable encryption for given users. | |
74 if $test -n "$DISABLED_ENCRYPTION_FILE" && \ | |
75 $test -e "$DISABLED_ENCRYPTION_FILE"; then | |
76 cryptohome::log "disabled_encryption_file present" | |
77 if $grep -qEe "\\b${CHROMEOS_USER}\\b" "$DISABLED_ENCRYPTION_FILE"; then | |
78 cryptohome::log "$CHROMEOS_USER has opted out of encryption" | |
79 return 0 | |
80 fi | |
81 fi | |
82 | |
83 # Cut down on the noise from pam-mount but only do so on a pam_google | |
84 # login so that we don't blow away old logs during a debug login. | |
85 $exec 1>$STDOUT_FILE | |
86 $exec 2>$STDERR_FILE | |
87 if [[ "$CHROMEOS_USER" == "$INCOGNITO_USER" ]]; then | |
88 incognito_mount | |
89 return 0 | |
90 fi | |
91 USERID="$($cat $IMAGE_DIR/salt <($echo -n $CHROMEOS_USER) | $openssl sha1)" | |
92 PASSWORD="$($cat)" | |
93 cryptohome::mount_or_create "$USERID" "$PASSWORD" | |
94 } | |
95 | |
96 # Invoke main. | |
97 if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then | |
98 source "$(dirname "$0")/../lib/chromeos-cryptohome/common" | |
99 utils::declare_commands exit | |
100 # Everything is done by default at present. | |
101 mount_main | |
102 fi | |
103 | |
OLD | NEW |