
I am trying to mount ecryptfs from within a C++ program. I can definitely mount it without it asking questions by issuing this command at the prompt:

sudo mount -t ecryptfs -o "rw,key=passphrase:passphrase_passwd=geoff,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,no_sig_cache" ~/source/ ~/target/

Note that in reality, I am passing a full canonical path in case that matters.

But from within the program I get a failure with errno=EINVAL when using the mount() function with the same arguments:

mount("~/source/", "~/target/", "ecryptfs", MS_NODEV, "rw,key=passphrase:passphrase_passwd=geoff,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,no_sig_cache")

The program does launch with root privileges and I have checked that I have CAP_SYS_ADMIN.

The mount() function returns -1 and sets errno to EINVAL.

Have I got the arguments correct? Is this maybe a privileges issue?

EDIT: I got it to work by executing mount externally via system(), but would still like to use the function because of reasons.

Akib Azmain Turja
Derf Skren
    I'm not sure "~/source" is a correct canonical path, I'd try with a full path, because for me that's as big an invalid value as they get – Jaffa Jun 01 '20 at 06:04
  • Yep already doing that, I just kept it in the example to keep it short. – Derf Skren Jun 01 '20 at 06:23
  • `mount` is a POSIX function and has nothing to do with C++ – phuclv Jan 10 '23 at 01:41
  • @phuclv incorrect. Read the actual question. – Derf Skren Jan 22 '23 at 07:46
  • @DerfSkren I've read that and what do you mean? **`mount()` is not a C++ function**. Where do you find it in the standard? `C++ mount function` is absolutely incorrect – phuclv Jan 25 '23 at 02:50
  • @phuclv that's pure semantics and you know it. Many C++ functions are part of libraries such as those in the Linux OS. Claiming that this doesn't exist is pointless. – Derf Skren Jan 31 '23 at 22:59

1 Answer

I believe this is because mount -t ecryptfs is actually calling the helper executable mount.ecryptfs, and it's processing some of the options (in particular, key=) itself. What's actually passed to the kernel is different (you can see this by looking at /proc/mounts afterward).

If you look closely at https://manpages.ubuntu.com/manpages/kinetic/en/man7/ecryptfs.7.html, key= and ecryptfs_enable_filename_crypto= are listed under "MOUNT HELPER OPTIONS" - the actual kernel module's options are ecryptfs_sig=(fekek_sig) and ecryptfs_fnek_sig=(fnek_sig).

So, if you want to bypass the helper and do the mount directly, you'd need to load the tokens into the kernel's keyring with https://man7.org/linux/man-pages/man2/keyctl.2.html and replace key= with the resulting token signatures, like mount.ecryptfs did.

It does appear that there is a libecryptfs with functions in ecryptfs.h like ecryptfs_add_passphrase_key_to_keyring which you can (presumably, not tested) use to do this in a way matching the mount.ecryptfs helper.

puetzk
  • Thank you for this detailed response. It was too late to help me (the hack I had went into production) but I hope it helps someone else. – Derf Skren Jan 22 '23 at 07:49
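As an added illustration of the answer above (not code from the question, the answer, or the ecryptfs project), the following rewrites the helper-style option string from the question into the options the kernel module accepts and then calls mount(2) with it. It assumes the passphrase auth token is already in the kernel keyring and that its signature (the value mount.ecryptfs would put in ecryptfs_sig=) is known; the sig values in the test are constructed placeholders.

```cpp
#include <sys/mount.h>
#include <cerrno>
#include <cstring>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Rewrite a mount.ecryptfs-style option list into kernel-module options.
// fekek_sig / fnek_sig are the hex token signatures the helper would have
// produced (e.g. via libecryptfs' ecryptfs_add_passphrase_key_to_keyring()).
// The key= sub-values are not parsed, so a passphrase containing ',' would
// need escaping before this is called.
std::string kernel_options(const std::string& helper_opts,
                           const std::string& fekek_sig,
                           const std::string& fnek_sig = "") {
    std::vector<std::string> out;
    std::istringstream in(helper_opts);
    std::string opt;
    while (std::getline(in, opt, ',')) {
        if (opt.empty()) continue;
        const std::string name = opt.substr(0, opt.find('='));
        if (name == "key") {                       // helper option -> keyring sig
            out.push_back("ecryptfs_sig=" + fekek_sig);
        } else if (name == "ecryptfs_enable_filename_crypto") {
            if (opt == name + "=y" && !fnek_sig.empty())
                out.push_back("ecryptfs_fnek_sig=" + fnek_sig);
        } else if (name == "ecryptfs_passthrough") {
            if (opt != name + "=n") out.push_back(name);  // kernel form takes no value
        } else if (name == "no_sig_cache" || name == "verbose" ||
                   name == "rw" || name == "ro") {
            // helper-only switches, or mount(8) flags that belong in mountflags
        } else {
            out.push_back(opt);                     // cipher, key_bytes: kernel options
        }
    }
    std::string joined;
    for (const auto& o : out) joined += (joined.empty() ? "" : ",") + o;
    return joined;
}

// Thin wrapper over mount(2): 0 on success, -errno (e.g. -EINVAL) on failure.
int mount_ecryptfs(const std::string& src, const std::string& dst,
                   const std::string& data) {
    return ::mount(src.c_str(), dst.c_str(), "ecryptfs", MS_NODEV,
                   data.c_str()) == 0 ? 0 : -errno;
}

int main(int argc, char** argv) {  // usage: prog <lower_dir> <mount_point> <fekek_sig>
    if (argc != 4) return 2;
    const std::string data = kernel_options(
        "rw,key=passphrase:passphrase_passwd=geoff,ecryptfs_cipher=aes,"
        "ecryptfs_key_bytes=32,ecryptfs_passthrough=n,"
        "ecryptfs_enable_filename_crypto=n,no_sig_cache", argv[3]);
    int rc = mount_ecryptfs(argv[1], argv[2], data);  // needs CAP_SYS_ADMIN
    if (rc) std::cerr << "mount failed: " << std::strerror(-rc) << '\n';
    return rc ? 1 : 0;
}
```

Comparing the translated string with the options field of the matching line in /proc/mounts after a helper-driven mount is a quick way to confirm the rewrite matches what mount.ecryptfs actually handed to the kernel.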