kyle/arca
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix privileged mount for unlocked-but-not-mounted devices

Browse Source 
When a device was unlocked via arca's cryptsetup path (FIDO2/TPM2) but
not yet mounted, the mount command tried the udisks2 path which failed
with "Not authorized". Now detects arca-managed mappings by checking
/dev/mapper/arca-* and uses privileged mount automatically.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-24 09:36:40 -07:00
parent 9c59e78e38
commit aadc01383b
1 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
cmd/mount.go
View File

@@ -3,11 +3,13 @@ package cmd
import (
"fmt"
"os"
"strings"
"git.wntrmute.dev/kyle/arca/internal/config"
"git.wntrmute.dev/kyle/arca/internal/cryptsetup"
"git.wntrmute.dev/kyle/arca/internal/udisks"
"git.wntrmute.dev/kyle/arca/internal/unlock"
"git.wntrmute.dev/kyle/arca/internal/verbose"
"github.com/spf13/cobra"
"golang.org/x/term"
)
@@ -57,7 +59,18 @@ func runMount(cmd *cobra.Command, args []string) error {
fmt.Println(existing)
return nil
}
// Unlocked but not mounted — just mount it.
// Unlocked but not mounted — mount it. If the mapper name
// indicates arca opened it via cryptsetup (privileged path),
// use privileged mount since udisks2 won't authorize it.
if isPrivilegedMapping(dev) {
verbose.Printf("detected arca-managed mapping, using privileged mount")
mnt, err := cryptsetup.Mount(cleartext.DevicePath, mp)
if err != nil {
return fmt.Errorf("mounting: %w", err)
}
fmt.Println(mnt)
return nil
}
return doMount(client, cleartext, mp)
}
@@ -105,6 +118,14 @@ func doMount(client *udisks.Client, cleartext *udisks.BlockDevice, mp string) er
return nil
}
// isPrivilegedMapping checks if a LUKS device was opened via arca's
// cryptsetup path by checking if the expected mapper name exists.
func isPrivilegedMapping(dev *udisks.BlockDevice) bool {
expected := cryptsetup.MapperName(dev.DevicePath)
_, err := os.Stat("/dev/mapper/" + expected)
return err == nil && strings.HasPrefix(expected, "arca-")
}
func readPassphrase() (string, error) {
fmt.Fprint(os.Stderr, "Passphrase: ")
pass, err := term.ReadPassword(int(os.Stdin.Fd()))