fix(crypt): shellcheck for modules.d/90crypt

modules.d/90crypt/crypt-cleanup.sh

@@ -7,7 +7,7 @@ if ! getarg rd.luks.uuid -d rd_LUKS_UUID > /dev/null 2>&1 && getargbool 1 rd.luk
     while true; do
         local do_break="y"
         for i in /dev/mapper/luks-*; do
-            cryptsetup luksClose $i > /dev/null 2>&1 && do_break=n
+            cryptsetup luksClose "$i" > /dev/null 2>&1 && do_break=n
         done
         [ "$do_break" = "y" ] && break
     done

modules.d/90crypt/crypt-lib.sh

@@ -8,11 +8,11 @@ crypttab_contains() {
     local dev="$2"
     local l d rest
     if [ -f /etc/crypttab ]; then
-        while read l d rest || [ -n "$l" ]; do
+        while read -r l d rest || [ -n "$l" ]; do
             strstr "${l##luks-}" "${luks##luks-}" && return 0
             strstr "$d" "${luks##luks-}" && return 0
             if [ -n "$dev" ]; then
-                for _dev in $(devnames $d); do
+                for _dev in $(devnames "$d"); do
                     [ "$dev" -ef "$_dev" ] && return 0
                 done
             fi
@@ -21,7 +21,7 @@ crypttab_contains() {
                 _line=$(sed -n "\,^$d .*$,{p}" /etc/block_uuid.map)
                 [ -z "$_line" ] && continue
                 # get second column with uuid
-                _uuid="$(echo $_line | sed 's,^.* \(.*$\),\1,')"
+                _uuid="$(echo "$_line" | sed 's,^.* \(.*$\),\1,')"
                 strstr "$_uuid" "${luks##luks-}" && return 0
             fi
         done < /etc/crypttab
@@ -49,9 +49,6 @@ crypttab_contains() {
 #   Turn off input echo before tty command is executed and turn on after.
 #   It's useful when password is read from stdin.
 ask_for_password() {
-    local cmd
-    local prompt
-    local tries=3
     local ply_cmd
     local ply_prompt
     local ply_tries=3
@@ -111,7 +108,7 @@ ask_for_password() {
         # Prompt for password with plymouth, if installed and running.
         if type plymouth > /dev/null 2>&1 && plymouth --ping 2> /dev/null; then
             plymouth ask-for-password \
-                --prompt "$ply_prompt" --number-of-tries=$ply_tries \
+                --prompt "$ply_prompt" --number-of-tries="$ply_tries" \
                 --command="$ply_cmd"
             ret=$?
         else
@@ -121,16 +118,16 @@ ask_for_password() {
             fi
 
             local i=1
-            while [ $i -le $tty_tries ]; do
+            while [ $i -le "$tty_tries" ]; do
                 [ -n "$tty_prompt" ] \
-                    && printf "$tty_prompt [$i/$tty_tries]:" >&2
+                    && printf "%s" "$tty_prompt [$i/$tty_tries]:" >&2
                 eval "$tty_cmd" && ret=0 && break
                 ret=$?
                 i=$((i + 1))
                 [ -n "$tty_prompt" ] && printf '\n' >&2
             done
 
-            [ "$tty_echo_off" = yes ] && stty $stty_orig
+            [ "$tty_echo_off" = yes ] && stty "$stty_orig"
         fi
     } 9> /.console_lock
 
@@ -148,14 +145,14 @@ test_dev() {
     local dev="$2"
     local f="$3"
     local ret=1
-    local mount_point=$(mkuniqdir /mnt testdev)
-    local path
+    local mount_point
 
+    mount_point=$(mkuniqdir /mnt testdev)
     [ -n "$dev" -a -n "$*" ] || return 1
     [ -d "$mount_point" ] || die 'Mount point does not exist!'
 
     if mount -r "$dev" "$mount_point" > /dev/null 2>&1; then
-        test $test_op "${mount_point}/${f}"
+        test "$test_op" "${mount_point}/${f}"
         ret=$?
         umount "$mount_point"
     fi
@@ -212,8 +209,7 @@ getkey() {
     [ -z "$keys_file" -o -z "$for_dev" ] && die 'getkey: wrong usage!'
     [ -f "$keys_file" ] || return 1
 
-    local IFS=:
-    while read luks_dev key_dev key_path || [ -n "$luks_dev" ]; do
+    while IFS=: read -r luks_dev key_dev key_path _ || [ -n "$luks_dev" ]; do
         if match_dev "$luks_dev" "$for_dev"; then
             echo "${key_dev}:${key_path}"
             return 0
@@ -241,7 +237,8 @@ readkey() {
         # This creates a unique single mountpoint for *, or several for explicitly
         # given LUKS devices. It accomplishes unlocking multiple LUKS devices with
         # a single password entry.
-        local mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')"
+        local mntp
+        mntp="/mnt/$(str_replace "keydev-$keydev-$keypath" '/' '-')"
 
         if [ ! -d "$mntp" ]; then
             mkdir -p "$mntp"
@@ -262,7 +259,7 @@ readkey() {
             if [ -f /lib/dracut-crypt-loop-lib.sh ]; then
                 . /lib/dracut-crypt-loop-lib.sh
                 loop_decrypt "$mntp" "$keypath" "$keydev" "$device"
-                printf "%s\n" "umount \"$mntp\"; rmdir \"$mntp\";" > ${hookdir}/cleanup/"crypt-loop-cleanup-99-${mntp##*/}".sh
+                printf "%s\n" "umount \"$mntp\"; rmdir \"$mntp\";" > "${hookdir}/cleanup/crypt-loop-cleanup-99-${mntp##*/}".sh
                 return 0
             else
                 die "No loop file support to decrypt '$keypath' on '$keydev'."

modules.d/90crypt/cryptroot-ask.sh

@@ -4,7 +4,7 @@ PATH=/usr/sbin:/usr/bin:/sbin:/bin
 NEWROOT=${NEWROOT:-"/sysroot"}
 
 # do not ask, if we already have root
-[ -f $NEWROOT/proc ] && exit 0
+[ -f "$NEWROOT"/proc ] && exit 0
 
 . /lib/dracut-lib.sh
 
@@ -28,7 +28,7 @@ numtries=${4:-10}
 
 # TODO: improve to support what cmdline does
 if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; then
-    while read name dev luksfile luksoptions || [ -n "$name" ]; do
+    while read -r name dev luksfile luksoptions || [ -n "$name" ]; do
         # ignore blank lines and comments
         if [ -z "$name" -o "${name#\#}" != "$name" ]; then
             continue
@@ -57,8 +57,8 @@ if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; t
 
         # path used in crypttab
         else
-            cdev=$(readlink -f $dev)
-            mdev=$(readlink -f $device)
+            cdev=$(readlink -f "$dev")
+            mdev=$(readlink -f "$device")
             if [ "$cdev" = "$mdev" ]; then
                 luksname="$name"
                 break
@@ -69,11 +69,11 @@ if [ -f /etc/crypttab ] && getargbool 1 rd.luks.crypttab -d -n rd_NO_CRYPTTAB; t
 fi
 
 # check if destination already exists
-[ -b /dev/mapper/$luksname ] && exit 0
+[ -b /dev/mapper/"$luksname" ] && exit 0
 
 # we already asked for this device
 asked_file=/tmp/cryptroot-asked-$luksname
-[ -f $asked_file ] && exit 0
+[ -f "$asked_file" ] && exit 0
 
 # load dm_crypt if it is not already loaded
 [ -d /sys/module/dm_crypt ] || modprobe dm_crypt
@@ -88,6 +88,7 @@ info "luksOpen $device $luksname $luksfile $luksoptions"
 
 OLD_IFS="$IFS"
 IFS=,
+# shellcheck disable=SC2086
 set -- $luksoptions
 IFS="$OLD_IFS"
 
@@ -138,33 +139,33 @@ ask_passphrase=1
 
 if [ -n "$luksfile" -a "$luksfile" != "none" -a -e "$luksfile" ]; then
     if readkey "$luksfile" / "$device" \
-        | cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname"; then
+        | cryptsetup -d - "$cryptsetupopts" luksOpen "$device" "$luksname"; then
         ask_passphrase=0
     fi
 elif [ "$is_keysource" -ne 0 ]; then
     info "Asking for passphrase because $device is a keysource."
 else
     while [ -n "$(getarg rd.luks.key)" ]; do
-        if tmp=$(getkey /tmp/luks.keys $device); then
+        if tmp=$(getkey /tmp/luks.keys "$device"); then
             keydev="${tmp%%:*}"
             keypath="${tmp#*:}"
         else
-            if [ $numtries -eq 0 ]; then
+            if [ "$numtries" -eq 0 ]; then
                 warn "No key found for $device.  Fallback to passphrase mode."
                 break
             fi
             sleep 1
             info "No key found for $device.  Will try $numtries time(s) more later."
             initqueue --unique --onetime --settled \
-                --name cryptroot-ask-$luksname \
-                $(command -v cryptroot-ask) "$device" "$luksname" "$is_keysource" "$((numtries - 1))"
+                --name cryptroot-ask-"$luksname" \
+                "$(command -v cryptroot-ask)" "$device" "$luksname" "$is_keysource" "$((numtries - 1))"
             exit 0
         fi
         unset tmp
 
         info "Using '$keypath' on '$keydev'"
         readkey "$keypath" "$keydev" "$device" \
-            | cryptsetup -d - $cryptsetupopts luksOpen "$device" "$luksname" \
+            | cryptsetup -d - "$cryptsetupopts" luksOpen "$device" "$luksname" \
             && ask_passphrase=0
         unset keypath keydev
         break
@@ -184,7 +185,7 @@ if [ $ask_passphrase -ne 0 ]; then
     unset _timeout
 fi
 
-if [ "$is_keysource" -ne 0 -a ${luksname##luks-} != "$luksname" ]; then
+if [ "$is_keysource" -ne 0 -a "${luksname##luks-}" != "$luksname" ]; then
     luks_close="$(command -v cryptsetup) close"
     {
         printf -- '[ -e /dev/mapper/%s ] && ' "$luksname"
@@ -196,7 +197,7 @@ fi
 unset device luksname luksfile
 
 # mark device as asked
->> $asked_file
+: >> "$asked_file"
 
 need_shutdown
 udevsettle

modules.d/90crypt/module-setup.sh

@@ -2,9 +2,9 @@
 
 # called by dracut
 check() {
-    local _rootdev
+    local fs
     # if cryptsetup is not installed, then we cannot support encrypted devices.
-    require_any_binary $systemdutildir/systemd-cryptsetup cryptsetup || return 1
+    require_any_binary "$systemdutildir"/systemd-cryptsetup cryptsetup || return 1
 
     [[ $hostonly ]] || [[ $mount_needs ]] && {
         for fs in "${host_fs_types[@]}"; do
@@ -33,20 +33,18 @@ installkernel() {
     [[ $hostonly ]] || [[ $mount_needs ]] && {
         # dmsetup returns s.th. like
         # cryptvol: 0 2064384 crypt aes-xts-plain64 :64:logon:cryptsetup:....
-        dmsetup table | while read name _ _ is_crypt cipher _; do
-            [[ $is_crypt != "crypt" ]] && continue
+        dmsetup table | while read -r name _ _ is_crypt cipher _; do
+            [[ $is_crypt == "crypt" ]] || continue
             # get the device name
-            name=/dev/$(dmsetup info -c --noheadings -o blkdevname ${name%:})
-            # check if the device exists as a key in our host_fs_types
+            name=/dev/$(dmsetup info -c --noheadings -o blkdevname "${name%:}")
+            # check if the device exists as a key in our host_fs_types (even with null string)
+            # shellcheck disable=SC2030  # this is a shellcheck bug
             if [[ ${host_fs_types[$name]+_} ]]; then
                 # split the cipher aes-xts-plain64 in pieces
-                _OLD_IFS=$IFS
-                IFS='-:'
-                set -- $cipher
-                IFS=$_OLD_IFS
+                IFS='-:' read -ra mods <<< "$cipher"
                 # try to load the cipher part with "crypto-" prepended
                 # in non-hostonly mode
-                hostonly= instmods $(for k in "$@"; do echo "crypto-$k"; done)
+                hostonly='' instmods "${mods[@]/#/crypto-}" "crypto-$cipher"
             fi
         done
     }
@@ -60,9 +58,9 @@ cmdline() {
         [[ ${host_fs_types[$dev]} != "crypto_LUKS" ]] && continue
 
         UUID=$(
-            blkid -u crypto -o export $dev \
-                | while read line || [ -n "$line" ]; do
-                    [[ ${line#UUID} == $line ]] && continue
+            blkid -u crypto -o export "$dev" \
+                | while read -r line || [ -n "$line" ]; do
+                    [[ ${line#UUID} == "$line" ]] && continue
                     printf "%s" "${line#UUID=}"
                     break
                 done
@@ -76,7 +74,8 @@ cmdline() {
 install() {
 
     if [[ $hostonly_cmdline == "yes" ]]; then
-        local _cryptconf=$(cmdline)
+        local _cryptconf
+        _cryptconf=$(cmdline)
         [[ $_cryptconf ]] && printf "%s\n" "$_cryptconf" >> "${initdir}/etc/cmdline.d/90crypt.conf"
     fi
 
@@ -91,7 +90,7 @@ install() {
 
     if [[ $hostonly ]] && [[ -f $dracutsysrootdir/etc/crypttab ]]; then
         # filter /etc/crypttab for the devices we need
-        while read _mapper _dev _luksfile _luksoptions || [ -n "$_mapper" ]; do
+        while read -r _mapper _dev _luksfile _luksoptions || [ -n "$_mapper" ]; do
             [[ $_mapper == \#* ]] && continue
             [[ $_dev ]] || continue
 
@@ -104,12 +103,13 @@ install() {
             [[ $_dev == ID=* ]] \
                 && _dev="/dev/disk/by-id/${_dev#ID=}"
 
-            echo "$_dev $(blkid $_dev -s UUID -o value)" >> "${initdir}/etc/block_uuid.map"
+            echo "$_dev $(blkid "$_dev" -s UUID -o value)" >> "${initdir}/etc/block_uuid.map"
 
             # loop through the options to check for the force option
             luksoptions=${_luksoptions}
             OLD_IFS="${IFS}"
             IFS=,
+            # shellcheck disable=SC2086
             set -- ${luksoptions}
             IFS="${OLD_IFS}"
 
@@ -147,14 +147,14 @@ install() {
         # the cryptsetup targets are already pulled in by 00systemd, but not
         # the enablement symlinks
         inst_multiple -o \
-            $systemdutildir/system-generators/systemd-cryptsetup-generator \
-            $systemdutildir/systemd-cryptsetup \
-            $systemdsystemunitdir/systemd-ask-password-console.path \
-            $systemdsystemunitdir/systemd-ask-password-console.service \
-            $systemdsystemunitdir/cryptsetup.target \
-            $systemdsystemunitdir/sysinit.target.wants/cryptsetup.target \
-            $systemdsystemunitdir/remote-cryptsetup.target \
-            $systemdsystemunitdir/initrd-root-device.target.wants/remote-cryptsetup.target \
+            "$systemdutildir"/system-generators/systemd-cryptsetup-generator \
+            "$systemdutildir"/systemd-cryptsetup \
+            "$systemdsystemunitdir"/systemd-ask-password-console.path \
+            "$systemdsystemunitdir"/systemd-ask-password-console.service \
+            "$systemdsystemunitdir"/cryptsetup.target \
+            "$systemdsystemunitdir"/sysinit.target.wants/cryptsetup.target \
+            "$systemdsystemunitdir"/remote-cryptsetup.target \
+            "$systemdsystemunitdir"/initrd-root-device.target.wants/remote-cryptsetup.target \
             systemd-ask-password systemd-tty-ask-password-agent
     fi