[systemd-devel] [v2] journalctl: add --force option to recreate FSS

Shawn Landden shawnlandden at gmail.com
Sun Jul 14 20:13:09 PDT 2013


---
 man/journalctl.xml       |  8 ++++++++
 src/journal/journalctl.c | 24 +++++++++++++++++++++---
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/man/journalctl.xml b/man/journalctl.xml
index 8dbfb3f..8c4ccd5 100644
--- a/man/journalctl.xml
+++ b/man/journalctl.xml
@@ -601,6 +601,14 @@
                         </varlistentry>
 
                         <varlistentry>
+                                <term><option>--force</option></term>
+
+                                <listitem><para>When --setup-keys is passed and
+                                Forward Secure Sealing has already been setup,
+                                recreate FSS keys.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
                                 <term><option>--interval=</option></term>
 
                                 <listitem><para>Specifies the change
diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
index 32665b7..5f44fce 100644
--- a/src/journal/journalctl.c
+++ b/src/journal/journalctl.c
@@ -79,6 +79,7 @@ static int arg_priorities = 0xFF;
 static const char *arg_verify_key = NULL;
 #ifdef HAVE_GCRYPT
 static usec_t arg_interval = DEFAULT_FSS_INTERVAL_USEC;
+static bool arg_force = false;
 #endif
 static usec_t arg_since, arg_until;
 static bool arg_since_set = false, arg_until_set = false;
@@ -149,6 +150,7 @@ static int help(void) {
                "     --update-catalog    Update the message catalog database\n"
 #ifdef HAVE_GCRYPT
                "     --setup-keys        Generate new FSS key pair\n"
+               "     --force             Force overriding new FSS key pair with --setup-keys\n"
                "     --verify            Verify journal file consistency\n"
 #endif
                , program_invocation_short_name);
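Review bot: The new help line reads "Force overriding new FSS key pair with --setup-keys", which describes the opposite of what the option does — it is the existing key pair that gets overridden, the new one is what replaces it. Suggest `"     --force             Overwrite an existing FSS key pair with --setup-keys\n"` so the help text matches the man page entry added in this patch. Aligning the column with the surrounding entries is already done; only the wording needs the change.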
@@ -179,6 +181,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_LIST_CATALOG,
                 ARG_DUMP_CATALOG,
                 ARG_UPDATE_CATALOG,
+                ARG_FORCE,
         };
 
         static const struct option options[] = {
@@ -187,6 +190,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "no-pager",     no_argument,       NULL, ARG_NO_PAGER     },
                 { "pager-end",    no_argument,       NULL, 'e'              },
                 { "follow",       no_argument,       NULL, 'f'              },
+                { "force",        no_argument,       NULL, ARG_FORCE        },
                 { "output",       required_argument, NULL, 'o'              },
                 { "all",          no_argument,       NULL, 'a'              },
                 { "full",         no_argument,       NULL, 'l'              },
@@ -375,6 +379,10 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
 #ifdef HAVE_GCRYPT
+                case ARG_FORCE:
+                        arg_force = true;
+                        break;
+
                 case ARG_SETUP_KEYS:
                         arg_action = ACTION_SETUP_KEYS;
                         break;
@@ -397,6 +405,7 @@ static int parse_argv(int argc, char *argv[]) {
                 case ARG_SETUP_KEYS:
                 case ARG_VERIFY_KEY:
                 case ARG_INTERVAL:
+                case ARG_FORCE:
                         log_error("Forward-secure sealing not available.");
                         return -ENOTSUP;
 #endif
@@ -756,9 +765,18 @@ static int setup_keys(void) {
                 return log_oom();
 
         if (access(p, F_OK) >= 0) {
-                log_error("Sealing key file %s exists already.", p);
-                r = -EEXIST;
-                goto finish;
+                if (arg_force) {
+                        r = unlink(p);
+                        if (r < 0) {
+                                log_error("unlink(\"%s\") failed: %m", p);
+                                r = -errno;
+                                goto finish;
+                        }
+                } else {
+                        log_error("Sealing key file %s exists already. (--force to recreate)", p);
+                        r = -EEXIST;
+                        goto finish;
+                }
         }
 
         if (asprintf(&k, "/var/log/journal/" SD_ID128_FORMAT_STR "/fss.tmp.XXXXXX",
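Review bot: In the new `if (arg_force)` branch, `r = -errno` is evaluated after `log_error("unlink(\"%s\") failed: %m", p)`, so if anything in the logging path touches errno the function returns a wrong error code (and `r = unlink(p)` only ever holds 0 or -1, so keeping it is not useful). Capture errno first: `if (unlink(p) < 0) { r = -errno; log_error("unlink(\"%s\") failed: %m", p); goto finish; }` — `%m` still prints the right message because errno is unchanged before the call. The `access(p, F_OK)` check followed by `unlink(p)` is also check-then-act; with `--force` the unlink could be issued unconditionally with `ENOENT` tolerated, which removes the window and the redundant stat. Since deleting the sealing key makes previously sealed journal files unverifiable, a short comment on the `arg_force` branch saying so would help the next reader; setup_keys begins and ends outside this hunk, so I cannot tell whether it is itself compiled only under HAVE_GCRYPT, where `arg_force` is declared.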
-- 
1.8.3.2


