#!/bin/sh
# This script will be run by 'mkinitramfs' when it creates the image.
# Its job is to decide which files to install, then install them into
# the staging area, where the initramfs is being created. This
# happens when a new 'linux-image' package is installed, or when the
# administrator runs 'update-initramfs' by hand to update an initramfs
# image.
# The environment contains at least:
#
# DESTDIR -- The staging directory where the image is being built.
# initramfs hook(s) that must run before this one.
PREREQ=cryptroot
# Print the hook list in $PREREQ; initramfs-tools asks for it by
# invoking the script with "prereqs".
prereqs()
{
	printf '%s\n' "$PREREQ"
}
# The "prereqs" invocation only asks for the hook list; answer it and
# stop, so that the real work below runs only on the plain invocation.
case "$1" in
	prereqs)
		prereqs
		exit 0
		;;
esac
. /usr/share/initramfs-tools/hook-functions

# Locate the Mandos installation: /usr is preferred over /usr/local,
# and the hook exits 1 when neither has a lib/mandos directory.
prefix=
for candidate in /usr /usr/local; do
	if [ -d "$candidate/lib/mandos" ]; then
		prefix=$candidate
		break
	fi
done
if [ -z "$prefix" ]; then
	# Mandos not found
	exit 1
fi

# The Mandos network client uses the network
auto_add_modules net
# The Mandos network client uses IPv6
force_load ipv6
# These are directories inside the initrd
CONFDIR=/conf/conf.d/mandos
MANDOSDIR=/lib/mandos
PLUGINDIR=$MANDOSDIR/plugins.d

# Make directories; one call creates both (and ${MANDOSDIR} on the
# way to ${PLUGINDIR}).
mkdir --parents "${DESTDIR}${CONFDIR}" "${DESTDIR}${PLUGINDIR}"

# Copy the Mandos plugin runner.
# NOTE(review): the destination here carries the ${DESTDIR} prefix,
# while the plugin copies further down pass ${PLUGINDIR} without it;
# presumably only one of the two conventions matches copy_exec's
# target argument — check against hook-functions.
copy_exec "$prefix"/lib/mandos/plugin-runner "${DESTDIR}${MANDOSDIR}"
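# Copy the plugins
# Copy the packaged plugins. A plugin of the same name under
# /etc/mandos/plugins.d takes precedence and is installed by the
# user-plugin loop instead; editor backup/auto-save files and dpkg
# leftovers are never installed.
for file in "$prefix"/lib/mandos/plugins.d/*; do
	# An unmatched glob leaves the literal pattern behind; skip it
	# instead of handing a nonexistent path to copy_exec.
	[ -e "$file" ] || continue
	base=$(basename "$file")
	# Is this plugin overridden?
	if [ -e "/etc/mandos/plugins.d/$base" ]; then
		continue
	fi
	case "$base" in
		*~|.*|\#*\#|*.dpkg-old|*.dpkg-new|*.dpkg-divert) : ;;
		*) copy_exec "$file" "${PLUGINDIR}" ;;
	esac
done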
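# Copy any user-supplied plugins. The same backup/leftover names are
# excluded as for the packaged plugins, including editor auto-save
# files ("#name#"), so both loops apply one filter.
for file in /etc/mandos/plugins.d/*; do
	# An unmatched glob (no directory, or an empty one) leaves the
	# literal pattern behind; skip it.
	[ -e "$file" ] || continue
	base=$(basename "$file")
	case "$base" in
		*~|.*|\#*\#|*.dpkg-old|*.dpkg-new|*.dpkg-divert) : ;;
		*) copy_exec "$file" "${PLUGINDIR}" ;;
	esac
done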
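# GPGME needs /usr/bin/gpg: when libgpgme has already been pulled into
# the image but gpg itself has not, add it. The library glob is
# tested with -e rather than by parsing ls output; an unmatched glob
# expands to the literal pattern, which -e rejects.
# NOTE(review): only ${DESTDIR}/usr/lib is probed; a libgpgme placed
# in a multiarch library directory would not be noticed — confirm
# against the target distribution's library layout.
if ! [ -e "${DESTDIR}/usr/bin/gpg" ]; then
	for lib in "${DESTDIR}"/usr/lib/libgpgme.so*; do
		if [ -e "$lib" ]; then
			copy_exec /usr/bin/gpg
			break
		fi
	done
fi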
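# Key files: everything directly under /etc/mandos (subdirectories are
# skipped) goes into the initrd's config directory. --archive keeps
# ownership and mode, so the secret key material keeps the permissions
# it has on the host, and the image as a whole becomes as sensitive
# as those keys.
for file in /etc/mandos/*; do
	# Skip subdirectories.
	if [ -d "$file" ]; then
		continue
	fi
	# Skip the literal pattern left by an unmatched glob (an empty
	# /etc/mandos); a symlink, even a dangling one, is still copied
	# as before.
	if ! [ -e "$file" ] && ! [ -L "$file" ]; then
		continue
	fi
	cp --archive --sparse=always "$file" "${DESTDIR}${CONFDIR}"
done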
# Create key ring files: import the secret key just copied into the
# image into a fresh GnuPG home inside the image, then hand the secret
# keyring to "nobody" (the unprivileged user the client runs as).
# NOTE(review): gpg's exit status is not checked; if the import fails,
# the chown also fails and the image is built without a usable
# keyring while mkinitramfs is not told — confirm whether the hook
# should exit non-zero here. The keyring file name also assumes the
# gpg on the build host stores secret keys in secring.gpg.
keyring_home="${DESTDIR}${CONFDIR}"
gpg --batch --quiet --no-tty --armor \
	--no-options --no-default-keyring --no-random-seed-file \
	--no-permission-warning --enable-dsa2 \
	--homedir "$keyring_home" --trust-model always \
	--import-options import-minimal \
	--import "$keyring_home/seckey.txt"
chown nobody "$keyring_home/secring.gpg"
# /lib/mandos/plugin-runner will drop privileges, but needs access to
# its plugin directory and its config file. However, since almost all
# files in initrd have been created with umask 027, this opening of
# permissions is needed.
#
# (The umask is not really intended to affect the files inside the
# initrd; it is intended to affect the initrd.img file itself, since
# it now contains secret key files. There is, however, no other way
# to set the permission of the initrd.img file without a race
# condition. This umask is set by "initramfs-tools-hook-conf",
# installed as "/usr/share/initramfs-tools/conf-hooks.d/mandos".)
#
# Walk from each directory up to the root of the image, adding read
# and search for everyone. Capital X only adds execute on directories
# and files that already have an execute bit; the modes of the files
# inside these directories (the key material) are not touched here.
for full in "${PLUGINDIR}" "${CONFDIR}"; do
	while [ "$full" != "/" ]; do
		chmod a+rX "${DESTDIR}$full"
		# dirname, not ${full%/*}: the latter turns "/lib" into ""
		# and the loop would never reach "/".
		full=$(dirname "$full")
	done
done
# Reset some other things to sane permissions which we have
# inadvertently affected with our umask setting. As above, a+rX adds
# no execute bit to regular files that lacked one.
chmod a+rX "${DESTDIR}/" "${DESTDIR}/bin" "${DESTDIR}/etc" \
	"${DESTDIR}/keyscripts" "${DESTDIR}/sbin" "${DESTDIR}/scripts" \
	"${DESTDIR}/usr" "${DESTDIR}/usr/bin"
# /lib also holds ${MANDOSDIR} and the plugins, so these two trees are
# opened recursively.
chmod --recursive a+rX "${DESTDIR}/lib" "${DESTDIR}/usr/lib"