1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
|
#!/bin/sh -e
#
# This script will run in the initrd environment at boot and edit
# /conf/conf.d/cryptroot to set /lib/mandos/plugin-runner as keyscript
# when no other keyscript is set, before cryptsetup.
#
# This script should be installed as
# "/usr/share/initramfs-tools/scripts/init-premount/mandos" which will
# eventually be "/scripts/init-premount/mandos" in the initrd.img
# file.
PREREQ="udev"
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
. /scripts/functions
for param in `cat /proc/cmdline`; do
case "$param" in
ip=*) IPOPTS="${param#ip=}" ;;
mandos=*)
# Split option line on commas
old_ifs="$IFS"
IFS="$IFS,"
for mpar in ${param#mandos=}; do
IFS="$old_ifs"
case "$mpar" in
off) exit 0 ;;
connect) connect="" ;;
connect:*) connect="${mpar#connect:}" ;;
*) log_warning_msg "$0: Bad option ${mpar}" ;;
esac
done
unset mpar
IFS="$old_ifs"
unset old_ifs
;;
esac
done
unset param
chmod a=rwxt /tmp
# Get DEVICE from /conf/initramfs.conf and other files
. /conf/initramfs.conf
for conf in /conf/conf.d/*; do
[ -f "${conf}" ] && . "${conf}"
done
if [ -e /conf/param.conf ]; then
. /conf/param.conf
fi
# Override DEVICE from sixth field of ip= kernel option, if passed
case "$IPOPTS" in
*:*:*:*:*:*) # At least six fields
# Remove the first five fields
device="${IPOPTS#*:*:*:*:*:}"
# Remove all fields except the first one
DEVICE="${device%%:*}"
;;
esac
# Add device setting (if any) to plugin-runner.conf
if [ "${DEVICE+set}" = set ]; then
# Did we get the device from an ip= option?
if [ "${device+set}" = set ]; then
# Let ip= option override local config; append:
cat <<-EOF >>/conf/conf.d/mandos/plugin-runner.conf
--options-for=mandos-client:--interface=${DEVICE}
EOF
else
# Prepend device setting so any later options would override:
sed -i -e \
'1i--options-for=mandos-client:--interface='"${DEVICE}" \
/conf/conf.d/mandos/plugin-runner.conf
fi
fi
unset device
# If we are connecting directly, run "configure_networking" (from
# /scripts/functions); it needs IPOPTS and DEVICE
if [ "${connect+set}" = set ]; then
set +e # Required by library functions
configure_networking
set -e
if [ -n "$connect" ]; then
cat <<-EOF >>/conf/conf.d/mandos/plugin-runner.conf
--options-for=mandos-client:--connect=${connect}
EOF
fi
fi
if [ -r /conf/conf.d/cryptroot ]; then
test -w /conf/conf.d
# Do not replace cryptroot file unless we need to.
replace_cryptroot=no
# Our keyscript
mandos=/lib/mandos/plugin-runner
test -x "$mandos"
# parse /conf/conf.d/cryptroot. Format:
# target=sda2_crypt,source=/dev/sda2,rootdev,key=none,keyscript=/foo/bar/baz
# Is the root device specially marked?
changeall=yes
while read -r options; do
case "$options" in
rootdev,*|*,rootdev,*|*,rootdev)
# If the root device is specially marked, don't change all
# lines in crypttab by default.
changeall=no
;;
esac
done < /conf/conf.d/cryptroot
exec 3>/conf/conf.d/cryptroot.mandos
while read -r options; do
newopts=""
keyscript=""
changethis="$changeall"
# Split option line on commas
old_ifs="$IFS"
IFS="$IFS,"
for opt in $options; do
# Find the keyscript option, if any
case "$opt" in
keyscript=*)
keyscript="${opt#keyscript=}"
newopts="$newopts,$opt"
;;
"") : ;;
# Always use Mandos on the root device, if marked
rootdev)
changethis=yes
newopts="$newopts,$opt"
;;
# Don't use Mandos on resume device, if marked
resumedev)
changethis=no
newopts="$newopts,$opt"
;;
*)
newopts="$newopts,$opt"
;;
esac
done
IFS="$old_ifs"
unset old_ifs
# If there was no keyscript option, add one.
if [ "$changethis" = yes ] && [ -z "$keyscript" ]; then
replace_cryptroot=yes
newopts="$newopts,keyscript=$mandos"
fi
newopts="${newopts#,}"
echo "$newopts" >&3
done < /conf/conf.d/cryptroot
exec 3>&-
# If we need to, replace the old cryptroot file with the new file.
if [ "$replace_cryptroot" = yes ]; then
mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old
mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot
else
rm -f /conf/conf.d/cryptroot.mandos
fi
elif [ -x /usr/bin/cryptroot-unlock ]; then
setsid /lib/mandos/mandos-to-cryptroot-unlock &
fi
|