From: Masatake YAMATO Date: Tue, 8 May 2007 11:52:18 +0000 (+0000) Subject: lomount.c: don't use mlockall if CRYPT_NONE X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d33279c2e3bdaff7a3c9c7f6df60da75d7969ad4;p=util-linux lomount.c: don't use mlockall if CRYPT_NONE loop back mounting emits two system calls: mount and mlockall. mount is obviously needed. mlockall is needed for encryption. As the result both CAP_SYS_ADMIN and CAP_IPC_LOCK are needed to do loopback mounting. The problem is that CAP_IPC_LOCK is always needed through my command doesn't need encryption. With the following patch, mount calls mlockall only when encryption is needed. Signed-off-by: Masatake YAMATO
---
diff --git a/mount/lomount.c b/mount/lomount.c
index f8fd0e28..ae9eb36e 100644
--- a/mount/lomount.c
+++ b/mount/lomount.c
@@ -311,16 +311,17 @@ set_loop(const char *device, const char *file, unsigned long long offset,
 loopinfo64.lo_offset = offset;
-#ifdef MCL_FUTURE
+#ifdef MCL_FUTURE
 /*
 * Oh-oh, sensitive data coming up. Better lock into memory to prevent
 * passwd etc being swapped out and left somewhere on disk.
 */
-
- if(mlockall(MCL_CURRENT | MCL_FUTURE)) {
- perror("memlock");
- fprintf(stderr, _("Couldn't lock into memory, exiting.\n"));
- exit(1);
+ if (loopinfo64.lo_encrypt_type != LO_CRYPT_NONE) {
+ if(mlockall(MCL_CURRENT | MCL_FUTURE)) {
+ perror("memlock");
+ fprintf(stderr, _("Couldn't lock into memory, exiting.\n"));
+ exit(1);
+ }
 }
 #endif
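Review bot: The new guard `if (loopinfo64.lo_encrypt_type != LO_CRYPT_NONE)` now decides whether the passphrase is read into locked memory, so it is only safe if `lo_encrypt_type` has already been set from the encryption option by this point. That assignment is not visible here, because set_loop's body starts and ends outside the hunk, so it should be confirmed. If a path exists where a key is requested while the type is still `LO_CRYPT_NONE`, the secret would sit in swappable memory without any error. The comment above the guard still reads as if locking were unconditional; I would add a line such as `* Skipped for LO_CRYPT_NONE: no key is read, so CAP_IPC_LOCK is not required.` to record the trade-off next to the check.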