diff --git a/udisks-2.10.0-integration_test_force_readonly.patch b/udisks-2.10.0-integration_test_force_readonly.patch new file mode 100644 index 0000000..fefebc0 --- /dev/null +++ b/udisks-2.10.0-integration_test_force_readonly.patch @@ -0,0 +1,33 @@ +From def82f87dcc0b21e4890e12d82e6007f98551dcb Mon Sep 17 00:00:00 2001 +From: Tomas Bzatek +Date: Tue, 30 May 2023 18:23:08 +0200 +Subject: [PATCH] tests: Forcefully set scsi_debug cd drive as read-only + +There's something fishy in newer kernels and read-only detection +doesn't seem to work properly. As suggested in +https://github.com/util-linux/util-linux/issues/18#issuecomment-8453739 +setting device ro by `blockdev --setro` seems to fix the issue. +--- + src/tests/integration-test | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/tests/integration-test b/src/tests/integration-test +index 5f68217e0..10cdff85e 100755 +--- a/src/tests/integration-test ++++ b/src/tests/integration-test +@@ -1096,6 +1096,7 @@ class FS(UDisksTestCase): + time.sleep(5) + self.sync() + cd_fs = self.udisks_filesystem(cd=True) ++ subprocess.call(['blockdev', '--setro', self.cd_device]) + + # forcing mount CD drive as 'rw' should fail + try: +@@ -1748,6 +1749,7 @@ class Polkit(UDisksTestCase, test_polkitd.PolkitTestCase): + try: + fs = self.udisks_filesystem(cd=True) + self.assertNotEqual(fs, None) ++ subprocess.call(['blockdev', '--setro', self.cd_device]) + mount_path = fs.call_mount_sync(no_options, None) + self.assertIn('/media/', mount_path) + diff --git a/udisks-2.10.0-iscsi-CHAP-auth-algs.patch b/udisks-2.10.0-iscsi-CHAP-auth-algs.patch new file mode 100644 index 0000000..be7f96c --- /dev/null +++ b/udisks-2.10.0-iscsi-CHAP-auth-algs.patch @@ -0,0 +1,161 @@ +From 26fcef727d68af97b1187d2ac3cad19acc3d97c8 Mon Sep 17 00:00:00 2001 +From: Tomas Bzatek +Date: Tue, 16 May 2023 18:33:59 +0200 +Subject: [PATCH 1/2] iscsi: Set node parameters before the Login/Logout action + +This allows to properly pass required arguments like the CHAP +auth algorithms, etc. +--- + modules/iscsi/udisksiscsiutil.c | 54 ++++++++++++++++++--------------- + 1 file changed, 29 insertions(+), 25 deletions(-) + +diff --git a/modules/iscsi/udisksiscsiutil.c b/modules/iscsi/udisksiscsiutil.c +index 78890106f0..b279442876 100644 +--- a/modules/iscsi/udisksiscsiutil.c ++++ b/modules/iscsi/udisksiscsiutil.c +@@ -186,9 +186,10 @@ iscsi_perform_login_action (UDisksLinuxModuleISCSI *module, + } + + static gint +-iscsi_node_set_parameters (struct libiscsi_context *ctx, +- struct libiscsi_node *node, +- GVariant *params) ++iscsi_node_set_parameters (struct libiscsi_context *ctx, ++ struct libiscsi_node *node, ++ GVariant *params, ++ gchar **errorstr) + { + GVariantIter iter; + GVariant *value; +@@ -207,9 +208,11 @@ iscsi_node_set_parameters (struct libiscsi_context *ctx, + + /* Update the node parameter value. */ + err = libiscsi_node_set_parameter (ctx, node, key, param_value); ++ if (errorstr && err != 0) ++ *errorstr = g_strdup (libiscsi_get_error_string (ctx)); + + g_variant_unref (value); +- g_free ((gpointer) key); ++ g_free (key); + } + + return 0; +@@ -279,7 +282,7 @@ iscsi_login (UDisksLinuxModuleISCSI *module, + const gchar *password = NULL; + const gchar *reverse_username = NULL; + const gchar *reverse_password = NULL; +- gint err; ++ gint err = 0; + + g_return_val_if_fail (UDISKS_IS_LINUX_MODULE_ISCSI (module), 1); + +@@ -304,17 +307,18 @@ iscsi_login (UDisksLinuxModuleISCSI *module, + /* Get iscsi context. */ + ctx = udisks_linux_module_iscsi_get_libiscsi_context (module); + +- /* Login */ +- err = iscsi_perform_login_action (module, +- ACTION_LOGIN, +- &node, +- &auth_info, +- errorstr); ++ /* Update node parameters. */ ++ if (params) ++ err = iscsi_node_set_parameters (ctx, &node, params_without_chap, errorstr); + +- if (err == 0 && params) ++ /* Login */ ++ if (err == 0) + { +- /* Update node parameters. */ +- err = iscsi_node_set_parameters (ctx, &node, params_without_chap); ++ err = iscsi_perform_login_action (module, ++ ACTION_LOGIN, ++ &node, ++ &auth_info, ++ errorstr); + } + + g_variant_unref (params_without_chap); +@@ -334,7 +338,7 @@ iscsi_logout (UDisksLinuxModuleISCSI *module, + { + struct libiscsi_context *ctx; + struct libiscsi_node node = {0,}; +- gint err; ++ gint err = 0; + + g_return_val_if_fail (UDISKS_IS_LINUX_MODULE_ISCSI (module), 1); + +@@ -344,18 +348,18 @@ iscsi_logout (UDisksLinuxModuleISCSI *module, + /* Get iscsi context. */ + ctx = udisks_linux_module_iscsi_get_libiscsi_context (module); + +- /* Logout */ +- err = iscsi_perform_login_action (module, +- ACTION_LOGOUT, +- &node, +- NULL, +- errorstr); ++ /* Update node parameters. */ ++ if (params) ++ err = iscsi_node_set_parameters (ctx, &node, params, errorstr); + +- if (err == 0 && params) ++ /* Logout */ ++ if (err == 0) + { +- /* Update node parameters. */ +- err = iscsi_node_set_parameters (ctx, &node, params); +- ++ err = iscsi_perform_login_action (module, ++ ACTION_LOGOUT, ++ &node, ++ NULL, ++ errorstr); + } + + return err; + +From 749812784abcc4c0492bda0703bff5d3dae052f9 Mon Sep 17 00:00:00 2001 +From: Tomas Bzatek +Date: Tue, 16 May 2023 18:35:42 +0200 +Subject: [PATCH 2/2] tests: Disallow MD5 for iscsi CHAP login + +MD5 is unavailable in FIPS mode: + + iscsid[82167]: iscsid: Ignoring CHAP algorthm request for MD5 due to crypto lib configuration + iscsid[82167]: iscsid: Couldn't set CHAP algorithm list + kernel: rx_data returned 0, expecting 48. + kernel: iSCSI Login negotiation failed. +--- + src/tests/dbus-tests/test_30_iscsi.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py +index 09e975f30c..02ba6c92b0 100644 +--- a/src/tests/dbus-tests/test_30_iscsi.py ++++ b/src/tests/dbus-tests/test_30_iscsi.py +@@ -161,6 +161,7 @@ def test_login_chap_auth(self): + self.assertEqual(port, self.port) + + options = dbus.Dictionary(signature='sv') ++ options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5 + options['username'] = self.initiator + + msg = 'Login failed: initiator reported error \(24 - iSCSI login failed due to authorization failure\)' +@@ -227,6 +228,7 @@ def test_login_mutual_auth(self): + self.assertEqual(port, self.port) + + options = dbus.Dictionary(signature='sv') ++ options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5 + options['username'] = self.initiator + options['password'] = self.password + options['reverse-username'] = self.mutual_iqn +@@ -335,6 +337,7 @@ def test_login_noauth_badauth(self): + + # first attempt - wrong password + options = dbus.Dictionary(signature='sv') ++ options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5 + options['username'] = self.initiator + msg = r'Login failed: initiator reported error \((19 - encountered non-retryable iSCSI login failure|24 - iSCSI login failed due to authorization failure)\)' + with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): diff --git a/udisks-2.10.0-lvm2_update_epoch.patch b/udisks-2.10.0-lvm2_update_epoch.patch new file mode 100644 index 0000000..0bd70a7 --- /dev/null +++ b/udisks-2.10.0-lvm2_update_epoch.patch @@ -0,0 +1,113 @@ +From 28c39786927ad683f56c031d80a5c06f5b5b9aea Mon Sep 17 00:00:00 2001 +From: Marius Vollmer +Date: Tue, 5 Apr 2022 11:23:23 +0300 +Subject: [PATCH] lvm2: Only install results of most recently started udpates + +Fixes #966 +--- + modules/lvm2/udiskslinuxmodulelvm2.c | 13 ++++++++++++- + modules/lvm2/udiskslinuxvolumegroupobject.c | 12 ++++++++++++ + 2 files changed, 24 insertions(+), 1 deletion(-) + +diff --git a/modules/lvm2/udiskslinuxmodulelvm2.c b/modules/lvm2/udiskslinuxmodulelvm2.c +index 8e1ea13aec..77ecf94a6d 100644 +--- a/modules/lvm2/udiskslinuxmodulelvm2.c ++++ b/modules/lvm2/udiskslinuxmodulelvm2.c +@@ -59,6 +59,8 @@ struct _UDisksLinuxModuleLVM2 { + + gint delayed_update_id; + gboolean coldplug_done; ++ ++ guint32 update_epoch; + }; + + typedef struct _UDisksLinuxModuleLVM2Class UDisksLinuxModuleLVM2Class; +@@ -86,6 +88,7 @@ udisks_linux_module_lvm2_constructed (GObject *object) + + module->name_to_volume_group = g_hash_table_new_full (g_str_hash, g_str_equal, g_free, (GDestroyNotify) g_object_unref); + module->coldplug_done = FALSE; ++ module->update_epoch = 0; + + if (G_OBJECT_CLASS (udisks_linux_module_lvm2_parent_class)->constructed) + G_OBJECT_CLASS (udisks_linux_module_lvm2_parent_class)->constructed (object); +@@ -221,6 +224,12 @@ lvm_update_vgs (GObject *source_obj, + gpointer key, value; + const gchar *vg_name; + ++ if (GPOINTER_TO_UINT (user_data) != module->update_epoch) ++ { ++ vgs_pvs_data_free (data); ++ return; ++ } ++ + if (! data) + { + if (error) +@@ -303,11 +312,13 @@ lvm_update (UDisksLinuxModuleLVM2 *module) + { + GTask *task; + ++ module->update_epoch++; ++ + /* the callback (lvm_update_vgs) is called in the default main loop (context) */ + task = g_task_new (module, + NULL /* cancellable */, + lvm_update_vgs, +- NULL /* callback_data */); ++ GUINT_TO_POINTER (module->update_epoch)); + + /* holds a reference to 'task' until it is finished */ + g_task_run_in_thread (task, (GTaskThreadFunc) vgs_task_func); +diff --git a/modules/lvm2/udiskslinuxvolumegroupobject.c b/modules/lvm2/udiskslinuxvolumegroupobject.c +index ce941cb250..ead08de7b1 100644 +--- a/modules/lvm2/udiskslinuxvolumegroupobject.c ++++ b/modules/lvm2/udiskslinuxvolumegroupobject.c +@@ -66,6 +66,7 @@ struct _UDisksLinuxVolumeGroupObject + gchar *name; + + GHashTable *logical_volumes; ++ guint32 update_epoch; + guint32 poll_epoch; + guint poll_timeout_id; + gboolean poll_requested; +@@ -99,6 +100,7 @@ static void crypttab_changed (UDisksCrypttabMonitor *monitor, + typedef struct { + BDLVMVGdata *vg_info; + GSList *vg_pvs; ++ guint32 epoch; + } VGUpdateData; + + static void +@@ -183,6 +185,7 @@ udisks_linux_volume_group_object_set_property (GObject *__object, + static void + udisks_linux_volume_group_object_init (UDisksLinuxVolumeGroupObject *object) + { ++ object->update_epoch = 0; + object->poll_epoch = 0; + object->poll_timeout_id = 0; + object->poll_requested = FALSE; +@@ -575,6 +578,12 @@ update_vg (GObject *source_obj, + BDLVMVGdata *vg_info = data->vg_info; + GSList *vg_pvs = data->vg_pvs; + ++ if (data->epoch != object->update_epoch) ++ { ++ lv_list_free (lvs); ++ return; ++ } ++ + /* free the data container (but not 'vg_info' and 'vg_pvs') */ + g_free (data); + +@@ -711,8 +720,11 @@ udisks_linux_volume_group_object_update (UDisksLinuxVolumeGroupObject *object, B + gchar *vg_name = g_strdup (vg_info->name); + GTask *task = NULL; + ++ object->update_epoch++; ++ + data->vg_info = vg_info; + data->vg_pvs = pvs; ++ data->epoch = object->update_epoch; + + /* the callback (update_vg) is called in the default main loop (context) */ + task = g_task_new (g_object_ref (object), NULL /* cancellable */, update_vg, data /* callback_data */); diff --git a/udisks-2.10.0-lvm2_vgcreate_uevent_sync.patch b/udisks-2.10.0-lvm2_vgcreate_uevent_sync.patch new file mode 100644 index 0000000..ae9e001 --- /dev/null +++ b/udisks-2.10.0-lvm2_vgcreate_uevent_sync.patch @@ -0,0 +1,26 @@ +From f24601b1d1302350fff15f326bfe3cfabde05f4c Mon Sep 17 00:00:00 2001 +From: Tomas Bzatek +Date: Fri, 19 May 2023 17:17:56 +0200 +Subject: [PATCH] lvm2: Trigger uevent sync on block devices when creating new + VG + +This will likely slow down processing with the hope that +more objects have their properties updated properly. +--- + modules/lvm2/udiskslinuxmanagerlvm2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/modules/lvm2/udiskslinuxmanagerlvm2.c b/modules/lvm2/udiskslinuxmanagerlvm2.c +index b0c62fdcd6..5c06b921df 100644 +--- a/modules/lvm2/udiskslinuxmanagerlvm2.c ++++ b/modules/lvm2/udiskslinuxmanagerlvm2.c +@@ -384,7 +384,8 @@ handle_volume_group_create (UDisksManagerLVM2 *_object, + UDisksObject *object_for_block; + object_for_block = udisks_daemon_util_dup_object (block, &error); + if (object_for_block != NULL) +- udisks_linux_block_object_trigger_uevent (UDISKS_LINUX_BLOCK_OBJECT (object_for_block)); ++ udisks_linux_block_object_trigger_uevent_sync (UDISKS_LINUX_BLOCK_OBJECT (object_for_block), ++ UDISKS_DEFAULT_WAIT_TIMEOUT); + g_object_unref (object_for_block); + } + diff --git a/udisks-2.9.4-FIPS_LUKS_fixes.patch b/udisks-2.9.4-FIPS_LUKS_fixes.patch new file mode 100644 index 0000000..7f696e9 --- /dev/null +++ b/udisks-2.9.4-FIPS_LUKS_fixes.patch @@ -0,0 +1,418 @@ +From 9fdf616dd3a1dc8d9c17a7cd48995dd11068eedd Mon Sep 17 00:00:00 2001 +From: Tomas Bzatek +Date: Thu, 25 May 2023 14:20:05 +0200 +Subject: [PATCH] LUKS FIPS fixes + +--- + src/tests/dbus-tests/test_50_block.py | 8 ++- + src/tests/dbus-tests/test_70_encrypted.py | 67 ++++++++++------------- + src/tests/integration-test | 30 +++++----- + 3 files changed, 50 insertions(+), 55 deletions(-) + +diff --git a/src/tests/dbus-tests/test_50_block.py b/src/tests/dbus-tests/test_50_block.py +index 2154eea8..09f8fb95 100644 +--- a/src/tests/dbus-tests/test_50_block.py ++++ b/src/tests/dbus-tests/test_50_block.py +@@ -12,6 +12,8 @@ import udiskstestcase + class UdisksBlockTest(udiskstestcase.UdisksTestCase): + '''This is a basic block device test suite''' + ++ LUKS_PASSPHRASE = 'shouldnotseeme' ++ + def _close_luks(self, disk): + disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted') + +@@ -241,7 +243,7 @@ class UdisksBlockTest(udiskstestcase.UdisksTestCase): + + # format the disk + disk = self.get_object('/block_devices/' + os.path.basename(self.vdevs[0])) +- disk.Format('xfs', {'encrypt.passphrase': 'test'}, dbus_interface=self.iface_prefix + '.Block') ++ disk.Format('xfs', {'encrypt.passphrase': self.LUKS_PASSPHRASE}, dbus_interface=self.iface_prefix + '.Block') + + # cleanup -- close the luks and remove format + self.addCleanup(self.wipe_fs, self.vdevs[0]) +@@ -249,7 +251,7 @@ class UdisksBlockTest(udiskstestcase.UdisksTestCase): + + # configuration items as arrays of dbus.Byte + opts = self.str_to_ay('verify') +- passwd = self.str_to_ay('test') ++ passwd = self.str_to_ay(self.LUKS_PASSPHRASE) + + # set the new configuration + conf = dbus.Dictionary({'passphrase-contents': passwd, +@@ -294,7 +296,7 @@ class UdisksBlockTest(udiskstestcase.UdisksTestCase): + + # format the disk + disk = self.get_object('/block_devices/' + os.path.basename(self.vdevs[0])) +- disk.Format('xfs', {'encrypt.passphrase': 'test'}, dbus_interface=self.iface_prefix + '.Block') ++ disk.Format('xfs', {'encrypt.passphrase': self.LUKS_PASSPHRASE}, dbus_interface=self.iface_prefix + '.Block') + + # cleanup -- close the luks and remove format + self.addCleanup(self.wipe_fs, self.vdevs[0]) +diff --git a/src/tests/dbus-tests/test_70_encrypted.py b/src/tests/dbus-tests/test_70_encrypted.py +index effcceac..2f5a8854 100644 +--- a/src/tests/dbus-tests/test_70_encrypted.py ++++ b/src/tests/dbus-tests/test_70_encrypted.py +@@ -40,6 +40,9 @@ def _get_blkid_version(): + class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + '''This is an encrypted device test suite''' + ++ PASSPHRASE = 'shouldnotseeme' ++ LUKS_NAME = 'myshinylittleluks' ++ + def _create_luks(self, device, passphrase, binary=False): + raise NotImplementedError() + +@@ -60,7 +63,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + disk_name = os.path.basename(self.vdevs[0]) + disk = self.get_object('/block_devices/' + disk_name) + +- self._create_luks(disk, 'test') ++ self._create_luks(disk, self.PASSPHRASE) + self.addCleanup(self._remove_luks, disk) + self.udev_settle() + +@@ -124,7 +127,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + disk_name = os.path.basename(self.vdevs[0]) + disk = self.get_object('/block_devices/' + disk_name) + +- self._create_luks(disk, 'test') ++ self._create_luks(disk, self.PASSPHRASE) + self.addCleanup(self._remove_luks, disk) + self.udev_settle() + +@@ -160,11 +163,11 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + # wrong password + msg = 'org.freedesktop.UDisks2.Error.Failed: Error unlocking %s *' % self.vdevs[0] + with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): +- disk.Unlock('shbdkjaf', self.no_options, ++ disk.Unlock('abcdefghijklmn', self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + + # right password +- luks = disk.Unlock('test', self.no_options, ++ luks = disk.Unlock(self.PASSPHRASE, self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + self.assertIsNotNone(luks) + self.assertTrue(os.path.exists('/dev/disk/by-uuid/%s' % luks_uuid)) +@@ -180,7 +183,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + + # read-only + ro_opts = dbus.Dictionary({'read-only': dbus.Boolean(True)}, signature=dbus.Signature('sv')) +- luks = disk.Unlock('test', ro_opts, ++ luks = disk.Unlock(self.PASSPHRASE, ro_opts, + dbus_interface=self.iface_prefix + '.Encrypted') + self.assertIsNotNone(luks) + self.assertTrue(os.path.exists('/dev/disk/by-uuid/%s' % luks_uuid)) +@@ -196,13 +199,10 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + crypttab = self.read_file('/etc/crypttab') + self.addCleanup(self.write_file, '/etc/crypttab', crypttab) + +- passwd = 'test' +- luks_name = 'myshinylittleluks' +- + disk_name = os.path.basename(self.vdevs[0]) + disk = self.get_object('/block_devices/' + disk_name) + +- self._create_luks(disk, passwd) ++ self._create_luks(disk, self.PASSPHRASE) + self.addCleanup(self._remove_luks, disk) + self.udev_settle() + +@@ -212,20 +212,20 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted') + + # add new entry to the crypttab +- new_crypttab = crypttab + '%s UUID=%s none\n' % (luks_name, disk_uuid) ++ new_crypttab = crypttab + '%s UUID=%s none\n' % (self.LUKS_NAME, disk_uuid) + self.write_file('/etc/crypttab', new_crypttab) + + dbus_conf = disk.GetSecretConfiguration(self.no_options, dbus_interface=self.iface_prefix + '.Block') + self.assertIsNotNone(dbus_conf) +- self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), luks_name) ++ self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), self.LUKS_NAME) + + # unlock the device +- luks = disk.Unlock(passwd, self.no_options, ++ luks = disk.Unlock(self.PASSPHRASE, self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + self.assertIsNotNone(luks) + + # unlock should use name from crypttab for the /dev/mapper device +- dm_path = '/dev/mapper/%s' % luks_name ++ dm_path = '/dev/mapper/%s' % self.LUKS_NAME + self.assertTrue(os.path.exists(dm_path)) + + # preferred 'device' should be /dev/mapper/name too +@@ -240,8 +240,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + crypttab = self.read_file('/etc/crypttab') + self.addCleanup(self.write_file, '/etc/crypttab', crypttab) + +- passwd = b'test\0test' +- luks_name = 'myshinylittleluks' ++ passwd = b'testtesttest\0testtesttest' + + # create key file + _fd, key_file = tempfile.mkstemp() +@@ -262,12 +261,12 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted') + + # add new entry to the crypttab +- new_crypttab = crypttab + '%s UUID=%s %s\n' % (luks_name, disk_uuid, key_file) ++ new_crypttab = crypttab + '%s UUID=%s %s\n' % (self.LUKS_NAME, disk_uuid, key_file) + self.write_file('/etc/crypttab', new_crypttab) + + dbus_conf = disk.GetSecretConfiguration(self.no_options, dbus_interface=self.iface_prefix + '.Block') + self.assertIsNotNone(dbus_conf) +- self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), luks_name) ++ self.assertEqual(self.ay_to_str(dbus_conf[0][1]['name']), self.LUKS_NAME) + self.assertEqual(self.ay_to_str(dbus_conf[0][1]['passphrase-path']), key_file) + + # unlock the device using empty passphrase (should use the key file) +@@ -276,7 +275,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + self.assertIsNotNone(luks) + + # unlock should use name from crypttab for the /dev/mapper device +- dm_path = '/dev/mapper/%s' % luks_name ++ dm_path = '/dev/mapper/%s' % self.LUKS_NAME + self.assertTrue(os.path.exists(dm_path)) + + # preferred 'device' should be /dev/mapper/name too +@@ -289,7 +288,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + disk_name = os.path.basename(self.vdevs[0]) + disk = self.get_object('/block_devices/' + disk_name) + +- self._create_luks(disk, 'test') ++ self._create_luks(disk, self.PASSPHRASE) + self.addCleanup(self._remove_luks, disk) + self.udev_settle() + +@@ -316,11 +315,11 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + disk_name = os.path.basename(self.vdevs[0]) + disk = self.get_object('/block_devices/' + disk_name) + +- self._create_luks(disk, 'test') ++ self._create_luks(disk, self.PASSPHRASE) + self.addCleanup(self._remove_luks, disk) + self.udev_settle() + +- disk.ChangePassphrase('test', 'password', self.no_options, ++ disk.ChangePassphrase(self.PASSPHRASE, self.PASSPHRASE + '222', self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + + disk.Lock(self.no_options, dbus_interface=self.iface_prefix + '.Encrypted') +@@ -328,11 +327,11 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + # old password, should fail + msg = 'org.freedesktop.UDisks2.Error.Failed: Error unlocking %s *' % self.vdevs[0] + with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg): +- disk.Unlock('test', self.no_options, ++ disk.Unlock(self.PASSPHRASE, self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + + # new password +- luks = disk.Unlock('password', self.no_options, ++ luks = disk.Unlock(self.PASSPHRASE + '222', self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + self.assertIsNotNone(luks) + +@@ -343,7 +342,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + + def test_resize(self): + device = self.get_device(self.vdevs[0]) +- self._create_luks(device, 'test') ++ self._create_luks(device, self.PASSPHRASE) + self.addCleanup(self._remove_luks, device) + self.udev_settle() + +@@ -372,8 +371,6 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + fstab = self.read_file('/etc/fstab') + self.addCleanup(self.write_file, '/etc/fstab', fstab) + +- passphrase = 'test' +- + disk_name = os.path.basename(self.vdevs[0]) + disk = self.get_object('/block_devices/' + disk_name) + +@@ -384,7 +381,7 @@ class UdisksEncryptedTest(udiskstestcase.UdisksTestCase): + self.assertIsNotNone(part) + + # create LUKS on the partition and add it to crypttab +- self._create_luks(part, passphrase) ++ self._create_luks(part, self.PASSPHRASE) + self.udev_settle() + + conf = dbus.Dictionary({'name': self.str_to_ay('udisks_luks_test'), +@@ -521,10 +518,8 @@ class UdisksEncryptedTestLUKS2(UdisksEncryptedTest): + super(UdisksEncryptedTestLUKS2, self).setUp() + + def test_resize(self): +- passwd = 'test' +- + device = self.get_device(self.vdevs[0]) +- self._create_luks(device, passwd) ++ self._create_luks(device, self.PASSPHRASE) + self.addCleanup(self._remove_luks, device) + self.udev_settle() + +@@ -550,7 +545,7 @@ class UdisksEncryptedTestLUKS2(UdisksEncryptedTest): + + # right passphrase + d = dbus.Dictionary(signature='sv') +- d['passphrase'] = passwd ++ d['passphrase'] = self.PASSPHRASE + device.Resize(dbus.UInt64(100*1024*1024), d, + dbus_interface=self.iface_prefix + '.Encrypted') + +@@ -559,7 +554,7 @@ class UdisksEncryptedTestLUKS2(UdisksEncryptedTest): + + # resize back to the original size (using binary passphrase) + d = dbus.Dictionary(signature='sv') +- d['keyfile_contents'] = self.str_to_ay(passwd, False) ++ d['keyfile_contents'] = self.str_to_ay(self.PASSPHRASE, False) + device.Resize(dbus.UInt64(clear_size), d, + dbus_interface=self.iface_prefix + '.Encrypted') + +@@ -577,7 +572,7 @@ class UdisksEncryptedTestLUKS2(UdisksEncryptedTest): + + # create LUKS without specifying version + options = dbus.Dictionary(signature='sv') +- options['encrypt.passphrase'] = 'test' ++ options['encrypt.passphrase'] = self.PASSPHRASE + + disk.Format('xfs', options, + dbus_interface=self.iface_prefix + '.Block') +@@ -613,14 +608,12 @@ class UdisksEncryptedTestLUKS2(UdisksEncryptedTest): + + @udiskstestcase.tag_test(udiskstestcase.TestTags.UNSTABLE) + def test_integrity(self): +- passwd = 'test' +- + cryptsetup_version = _get_cryptsetup_version() + if cryptsetup_version < LooseVersion('2.2.0'): + self.skipTest('Integrity devices are not marked as internal in cryptsetup < 2.2.0') + + device = self.get_device(self.vdevs[0]) +- self._create_luks_integrity(self.vdevs[0], passwd) ++ self._create_luks_integrity(self.vdevs[0], self.PASSPHRASE) + + self.addCleanup(self._remove_luks, device) + self.udev_settle() +@@ -630,7 +623,7 @@ class UdisksEncryptedTestLUKS2(UdisksEncryptedTest): + # the device is not opened, we need to read the UUID from LUKS metadata + luks_uuid = BlockDev.crypto_luks_uuid(self.vdevs[0]) + +- luks_path = device.Unlock('test', self.no_options, ++ luks_path = device.Unlock(self.PASSPHRASE, self.no_options, + dbus_interface=self.iface_prefix + '.Encrypted') + self.assertIsNotNone(luks_path) + self.assertTrue(os.path.exists('/dev/disk/by-uuid/%s' % luks_uuid)) +diff --git a/src/tests/integration-test b/src/tests/integration-test +index 4499a6a9..71955559 100755 +--- a/src/tests/integration-test ++++ b/src/tests/integration-test +@@ -1336,7 +1336,7 @@ class Luks(UDisksTestCase): + + def setup_crypto_device(self): + self.fs_create(None, 'ext4', GLib.Variant('a{sv}', { +- 'encrypt.passphrase': GLib.Variant('s', 's3kr1t'), ++ 'encrypt.passphrase': GLib.Variant('s', 's3kr1ts3kr1t'), + 'label': GLib.Variant('s', 'treasure')})) + self.client.settle() + crypt_obj = self.client.get_object(self.udisks_block().get_object_path()) +@@ -1347,7 +1347,7 @@ class Luks(UDisksTestCase): + @staticmethod + def unlock_crypto_device(encrypted): + return encrypted.call_unlock_sync( +- 's3kr1t', no_options, None) ++ 's3kr1ts3kr1t', no_options, None) + + def tearDown(self): + """clean up behind failed test cases""" +@@ -1415,7 +1415,7 @@ class Luks(UDisksTestCase): + udev_dump = subprocess.Popen(['udevadm', 'info', '--export-db'], + stdout=subprocess.PIPE) + out = udev_dump.communicate()[0] +- self.assertFalse(b's3kr1t' in out, 'password in udev properties') ++ self.assertFalse(b's3kr1ts3kr1t' in out, 'password in udev properties') + self.assertFalse(b'essiv:sha' in out, 'key information in udev properties') + + finally: +@@ -1525,18 +1525,18 @@ class Luks(UDisksTestCase): + encrypted = self.setup_crypto_device() + # wrong password, has bytes after a trailing '\0' + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, +- '', Luks.keyfile_options(b's3kr1t\0X'), None) ++ '', Luks.keyfile_options(b's3kr1ts3kr1t\0X'), None) + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, +- '', Luks.keyfile_options(b's3kr1t\n'), None) ++ '', Luks.keyfile_options(b's3kr1ts3kr1t\n'), None) + # correct password, specified as keyfile +- encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1t'), None) ++ encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1ts3kr1t'), None) + encrypted.call_lock_sync(no_options, None) + + def test_plaintext_keyfile(self): + """Setup a device using a plaintext keyfile.""" + # Using a plaintext keyfile should be equivalent to passphrase + self.fs_create(None, 'ext4', GLib.Variant('a{sv}', { +- 'encrypt.passphrase': GLib.Variant('ay', _bytes_to_ay(b's3kr1t')), ++ 'encrypt.passphrase': GLib.Variant('ay', _bytes_to_ay(b's3kr1ts3kr1t')), + 'label': GLib.Variant('s', 'treasure')})) + + crypt_obj = self.client.get_object(self.udisks_block().get_object_path()) +@@ -1547,16 +1547,16 @@ class Luks(UDisksTestCase): + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, + 'h4ckpassword', no_options, None) + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, +- '', Luks.keyfile_options(b's3kr1t\0X'), None) ++ '', Luks.keyfile_options(b's3kr1ts3kr1t\0X'), None) + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, +- '', Luks.keyfile_options(b's3kr1t\n'), None) ++ '', Luks.keyfile_options(b's3kr1ts3kr1t\n'), None) + + # correct password +- encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1t'), None) ++ encrypted.call_unlock_sync('', Luks.keyfile_options(b's3kr1ts3kr1t'), None) + encrypted.call_lock_sync(no_options, None) + + # correct password, specified as passphrase +- encrypted.call_unlock_sync('s3kr1t', no_options, None) ++ encrypted.call_unlock_sync('s3kr1ts3kr1t', no_options, None) + encrypted.call_lock_sync(no_options, None) + + def test_binary_keyfile(self): +@@ -1622,11 +1622,11 @@ class Luks(UDisksTestCase): + encrypted = self.setup_crypto_device() + + # change: passphrase -> passphrase +- encrypted.call_change_passphrase_sync('s3kr1t', 'passphrase', no_options, None) ++ encrypted.call_change_passphrase_sync('s3kr1ts3kr1t', 'passphrase', no_options, None) + + # verify new password: + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, +- 's3kr1t', no_options, None) ++ 's3kr1ts3kr1t', no_options, None) + encrypted.call_unlock_sync('passphrase', no_options, None) + encrypted.call_lock_sync(no_options, None) + +@@ -1659,7 +1659,7 @@ class Luks(UDisksTestCase): + + # change: keyfile -> passphrase + encrypted.call_change_passphrase_sync( +- '', 's3kr1t', GLib.Variant('a{sv}', { ++ '', 's3kr1ts3kr1t', GLib.Variant('a{sv}', { + 'old_keyfile_contents': GLib.Variant('ay', _bytes_to_ay(key_file_1)), + }), + None) +@@ -1667,7 +1667,7 @@ class Luks(UDisksTestCase): + # verify new password: + self.assertRaises(GLib.GError, encrypted.call_unlock_sync, + '', Luks.keyfile_options(key_file_1), None) +- encrypted.call_unlock_sync('s3kr1t', no_options, None) ++ encrypted.call_unlock_sync('s3kr1ts3kr1t', no_options, None) + encrypted.call_lock_sync(no_options, None) + + +-- +2.39.1 + diff --git a/udisks-2.9.4-tests_job_unstable.patch b/udisks-2.9.4-tests_job_unstable.patch new file mode 100644 index 0000000..6ef2dcd --- /dev/null +++ b/udisks-2.9.4-tests_job_unstable.patch @@ -0,0 +1,11 @@ +diff -up udisks-2.9.4/src/tests/dbus-tests/test_job.py.bak udisks-2.9.4/src/tests/dbus-tests/test_job.py +--- udisks-2.9.4/src/tests/dbus-tests/test_job.py.bak 2021-09-29 18:00:31.000000000 +0200 ++++ udisks-2.9.4/src/tests/dbus-tests/test_job.py 2023-06-02 15:14:50.691620552 +0200 +@@ -51,6 +51,7 @@ class UdisksJobTest(udiskstestcase.Udisk + + time.sleep(0.1) + ++ @udiskstestcase.tag_test(udiskstestcase.TestTags.UNSTABLE) + def test_job(self): + '''Test basic Job functionality and properties''' + diff --git a/udisks2.spec b/udisks2.spec index aa3913a..69969d8 100644 --- a/udisks2.spec +++ b/udisks2.spec @@ -48,7 +48,7 @@ Name: udisks2 Summary: Disk Manager Version: 2.9.4 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ URL: https://github.com/storaged-project/udisks Source0: https://github.com/storaged-project/udisks/releases/download/udisks-%{version}/udisks-%{version}.tar.bz2 @@ -71,6 +71,18 @@ Patch12: udisks-2.10.0-iscsi_test_03_iscsid_cache_clean.patch Patch13: udisks-2.10.0-iscsi_test_04_fix_test_login_chap_auth.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1958932 Patch14: udisks-2.10.0-iscsi_test_05_restart_iscsid.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2188916 +Patch15: udisks-2.10.0-iscsi-CHAP-auth-algs.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2188750 +# https://bugzilla.redhat.com/show_bug.cgi?id=2188752 +Patch16: udisks-2.9.4-FIPS_LUKS_fixes.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2211191 +Patch17: udisks-2.10.0-integration_test_force_readonly.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2031673 +Patch18: udisks-2.10.0-lvm2_update_epoch.patch +Patch19: udisks-2.10.0-lvm2_vgcreate_uevent_sync.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2148844 +Patch20: udisks-2.9.4-tests_job_unstable.patch BuildRequires: make BuildRequires: glib2-devel >= %{glib2_version} @@ -446,6 +458,13 @@ fi %endif %changelog +* Fri Jun 02 2023 Tomas Bzatek - 2.9.4-8 +- iscsi: CHAP auth algorithm selection fixes (#2188916) +- tests: Use stronger passphrases for LUKS tests (#2188750,#2188752) +- integration-test: Fix scsi_debug cd drive read-only detection (#2211191) +- lvm2: Improve uevent processing (#2031673) +- tests: Mark test_job.UdisksJobTest.test_job as unstable (#2148844) + * Tue Nov 01 2022 Tomas Bzatek - 2.9.4-7 - Fix iscsi test auth failures (#1958932)