mirror of
https://github.com/veracrypt/VeraCrypt.git
synced 2026-05-14 08:31:29 +00:00
960f5993b2
When creating an APFS filesystem inside a newly created device-hosted volume, VeraCrypt prepared only the raw hdiutil device path before invoking newfs_apfs. On macOS, newfs_apfs may resolve or reopen the corresponding block device path, which can fail with Permission denied for non-root GUI runs. Prepare both raw and block aliases for the temporary formatter device, restore changed owners afterward, and share the helper between GUI and text-mode volume creation. Restore each changed alias independently so one restore failure does not skip the rest.
132 lines
3.7 KiB
C++
132 lines
3.7 KiB
C++
/*
|
|
VeraCrypt source code
|
|
Copyright (c) 2026 AM Crypto
|
|
|
|
This file is part of VeraCrypt and is governed by the Apache License 2.0
|
|
the full text of which is contained in the file License.txt included in
|
|
VeraCrypt binary and source code distribution packages.
|
|
*/
|
|
|
|
#ifndef VC_HEADER_Main_MacOSXFormatterDevice
|
|
#define VC_HEADER_Main_MacOSXFormatterDevice
|
|
|
|
#include "Main/Main.h"
|
|
|
|
#ifdef TC_MACOSX
|
|
#include <unistd.h>
|
|
|
|
namespace VeraCrypt
|
|
{
|
|
inline bool IsMacOSXDiskDevicePath (const string &deviceIdentifier, const string &prefix)
|
|
{
|
|
return deviceIdentifier.find (prefix) == 0
|
|
&& deviceIdentifier.size() > prefix.size()
|
|
&& deviceIdentifier[prefix.size()] >= '0'
|
|
&& deviceIdentifier[prefix.size()] <= '9';
|
|
}
|
|
|
|
inline string GetMacOSXRawDevicePath (const string &deviceIdentifier)
|
|
{
|
|
if (IsMacOSXDiskDevicePath (deviceIdentifier, "/dev/rdisk"))
|
|
return deviceIdentifier;
|
|
|
|
if (IsMacOSXDiskDevicePath (deviceIdentifier, "/dev/disk"))
|
|
return string ("/dev/rdisk") + deviceIdentifier.substr (9);
|
|
|
|
if (IsMacOSXDiskDevicePath (deviceIdentifier, "rdisk"))
|
|
return string ("/dev/") + deviceIdentifier;
|
|
|
|
if (IsMacOSXDiskDevicePath (deviceIdentifier, "disk"))
|
|
return string ("/dev/r") + deviceIdentifier;
|
|
|
|
return deviceIdentifier;
|
|
}
|
|
|
|
inline string GetMacOSXBlockDevicePath (const string &deviceIdentifier)
|
|
{
|
|
if (IsMacOSXDiskDevicePath (deviceIdentifier, "/dev/disk"))
|
|
return deviceIdentifier;
|
|
|
|
if (IsMacOSXDiskDevicePath (deviceIdentifier, "/dev/rdisk"))
|
|
return string ("/dev/disk") + deviceIdentifier.substr (10);
|
|
|
|
if (IsMacOSXDiskDevicePath (deviceIdentifier, "disk"))
|
|
return string ("/dev/") + deviceIdentifier;
|
|
|
|
if (IsMacOSXDiskDevicePath (deviceIdentifier, "rdisk"))
|
|
return string ("/dev/disk") + deviceIdentifier.substr (5);
|
|
|
|
return deviceIdentifier;
|
|
}
|
|
|
|
struct MacOSXFormatterDeviceOwnerRestore
|
|
{
|
|
MacOSXFormatterDeviceOwnerRestore (const FilesystemPath &path, const UserId &owner)
|
|
: Path (path), Owner (owner) { }
|
|
|
|
FilesystemPath Path;
|
|
UserId Owner;
|
|
};
|
|
|
|
typedef list <MacOSXFormatterDeviceOwnerRestore> MacOSXFormatterDeviceOwnerRestoreList;
|
|
|
|
inline void AddUniqueMacOSXDevicePath (list <FilesystemPath> &paths, const string &path)
|
|
{
|
|
if (path.empty())
|
|
return;
|
|
|
|
foreach (const FilesystemPath &existingPath, paths)
|
|
{
|
|
if (string (existingPath) == path)
|
|
return;
|
|
}
|
|
|
|
paths.push_back (FilesystemPath (path));
|
|
}
|
|
|
|
inline void PrepareMacOSXFormatterDevice (const DevicePath &devicePath, MacOSXFormatterDeviceOwnerRestoreList &changedDeviceOwners)
|
|
{
|
|
if (Core->HasAdminPrivileges())
|
|
return;
|
|
|
|
const string devicePathStr = devicePath;
|
|
list <FilesystemPath> paths;
|
|
// APFS formatters may resolve /dev/rdiskN back to /dev/diskN internally.
|
|
AddUniqueMacOSXDevicePath (paths, devicePathStr);
|
|
AddUniqueMacOSXDevicePath (paths, GetMacOSXRawDevicePath (devicePathStr));
|
|
AddUniqueMacOSXDevicePath (paths, GetMacOSXBlockDevicePath (devicePathStr));
|
|
|
|
foreach (const FilesystemPath &path, paths)
|
|
{
|
|
try
|
|
{
|
|
File file;
|
|
file.Open (path, File::OpenReadWrite);
|
|
}
|
|
catch (...)
|
|
{
|
|
UserId origDeviceOwner = path.GetOwner();
|
|
// Register before chown so service-side success followed by
|
|
// an IPC failure can still be restored.
|
|
changedDeviceOwners.push_back (MacOSXFormatterDeviceOwnerRestore (path, origDeviceOwner));
|
|
Core->SetFileOwner (path, UserId (getuid()));
|
|
}
|
|
}
|
|
}
|
|
|
|
inline void RestoreMacOSXFormatterDeviceOwners (const MacOSXFormatterDeviceOwnerRestoreList &changedDeviceOwners)
|
|
{
|
|
foreach (const MacOSXFormatterDeviceOwnerRestore &restore, changedDeviceOwners)
|
|
{
|
|
try
|
|
{
|
|
Core->SetFileOwner (restore.Path, restore.Owner);
|
|
}
|
|
catch (...) { }
|
|
}
|
|
}
|
|
}
|
|
#endif // TC_MACOSX
|
|
|
|
#endif // VC_HEADER_Main_MacOSXFormatterDevice
|