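#!/bin/sh -e
#
# This script will run in the initrd environment at boot and edit
# /conf/conf.d/cryptroot to set /lib/mandos/plugin-runner as keyscript
# when no other keyscript is set, before cryptsetup.
#
# This script should be installed as
# "/usr/share/initramfs-tools/scripts/init-premount/mandos" which will
# eventually be "/scripts/init-premount/mandos" in the initrd.img
# file.

# The "-e" on the shebang line only takes effect when this file is
# executed directly; it is silently lost if the script is ever run as
# "sh <file>".  Set errexit explicitly as well, because the script
# depends on it: the bare "test -w"/"test -x" guards and the
# "set +e" / "set -e" pair around configure_networking below assume
# that a failing command aborts the boot-time edit.
set -e

# Initramfs scripts that must run before this one (see prereqs()).
PREREQ="udev"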
# Print the list of initramfs scripts that must run before this one.
# initramfs-tools invokes "<script> prereqs" to obtain it (see the
# case statement below); the value comes from the PREREQ variable.
prereqs()
{
    printf '%s\n' "$PREREQ"
}
# When initramfs-tools asks for our prerequisites ("prereqs" as the
# only argument), answer and stop: nothing below must run in that mode.
case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac
# Helper functions from initramfs-tools (log_warning_msg,
# configure_networking, ...).
. /scripts/functions

# Scan the kernel command line for the options this script honours:
#   ip=...      saved verbatim in IPOPTS (its sixth field may name the
#               network device, handled further down)
#   mandos=...  comma-separated list of: off, connect, connect:<addr>
# Word-splitting the command line on whitespace is intentional here.
# NOTE: whoever controls the kernel command line controls the boot, so
# these values are treated as trusted and are not sanitised beyond the
# option matching below.
for param in $(cat /proc/cmdline); do
    case "$param" in
        ip=*)
            IPOPTS="${param#ip=}"
            ;;
        mandos=*)
            # Split the mandos= value on commas (in addition to the
            # usual whitespace); restore IFS as soon as the split is done
            old_ifs="$IFS"
            IFS="$IFS,"
            for mpar in ${param#mandos=}; do
                IFS="$old_ifs"
                case "$mpar" in
                    off)
                        # Mandos disabled for this boot
                        exit 0
                        ;;
                    connect)
                        connect=""
                        ;;
                    connect:*)
                        connect="${mpar#connect:}"
                        ;;
                    *)
                        log_warning_msg "$0: Bad option ${mpar}"
                        ;;
                esac
            done
            IFS="$old_ifs"
            unset mpar old_ifs
            ;;
    esac
done
unset param

# /tmp in the initrd must be a world-writable sticky directory
chmod a=rwxt /tmp
# Get DEVICE from /conf/initramfs.conf and other files
. /conf/initramfs.conf
for conf in /conf/conf.d/*; do
    [ -f "${conf}" ] && . "${conf}"
done
if [ -e /conf/param.conf ]; then
    . /conf/param.conf
fi

# Override DEVICE from sixth field of ip= kernel option, if passed.
# Only an ip= value with at least six colon-separated fields carries a
# device name; "device" stays unset otherwise, which is tested below.
case "$IPOPTS" in
    *:*:*:*:*:*)
        # Strip the first five fields, then everything after the sixth
        device="${IPOPTS#*:*:*:*:*:}"
        DEVICE="${device%%:*}"
        ;;
esac

# Add device setting (if any) to plugin-runner.conf.  DEVICE comes
# from the kernel command line or from the local initramfs config and
# is written into the file as-is; it is assumed not to contain newlines
# or other characters that could break the config or the sed script.
if [ "${DEVICE+set}" = set ]; then
    if [ "${device+set}" = set ]; then
        # The device came from ip=; let it override the local config by
        # appending it (later options win), preceded by a blank line.
        printf '\n%s\n' \
            "--options-for=mandos-client:--interface=${DEVICE}" \
            >>/conf/conf.d/mandos/plugin-runner.conf
    else
        # Prepend the device setting so any later options override it.
        # NOTE: "1i" inserts nothing into an empty file; the config file
        # is presumably installed with content by the initramfs hook.
        sed -i -e \
            "1i--options-for=mandos-client:--interface=${DEVICE}" \
            /conf/conf.d/mandos/plugin-runner.conf
    fi
fi
unset device

# If we are connecting directly ("mandos=connect[:ADDR]" was given),
# bring the network up now with "configure_networking" (from
# /scripts/functions); it reads IPOPTS and DEVICE.
if [ "${connect+set}" = set ]; then
    # The library function is not errexit-clean; any failure is
    # deliberately ignored rather than aborting the boot here.
    set +e # Required by library functions
    configure_networking
    set -e
    # A bare "connect" leaves the address to the client; only an
    # explicit address is passed on, preceded by a blank line.
    if [ -n "$connect" ]; then
        printf '\n%s\n' \
            "--options-for=mandos-client:--connect=${connect}" \
            >>/conf/conf.d/mandos/plugin-runner.conf
    fi
fi

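if [ -r /conf/conf.d/cryptroot ]; then
    # Under "-e" these two tests abort the script if we cannot write the
    # replacement file or our keyscript is not present in the initrd.
    test -w /conf/conf.d

    # Our keyscript
    mandos=/lib/mandos/plugin-runner
    test -x "$mandos"

    # Do not replace cryptroot file unless we need to.
    replace_cryptroot=no

    # Parse /conf/conf.d/cryptroot.  Format, one device per line:
    # target=sda2_crypt,source=/dev/sda2,rootdev,key=none,keyscript=/foo/bar/baz
    #
    # First pass: if any line is marked "rootdev", only marked lines get
    # our keyscript by default; otherwise every line does.
    # The "|| [ -n ... ]" also processes a final line that lacks a
    # trailing newline, which a plain "read" would silently drop.
    changeall=yes
    while read -r options || [ -n "$options" ]; do
        case "$options" in
            rootdev,*|*,rootdev,*|*,rootdev)
                changeall=no
                ;;
        esac
    done < /conf/conf.d/cryptroot

    # Second pass: copy every line to cryptroot.mandos, appending
    # "keyscript=$mandos" to the lines that have no keyscript yet.
    exec 3>/conf/conf.d/cryptroot.mandos
    while read -r options || [ -n "$options" ]; do
        newopts=""
        keyscript=""
        changethis="$changeall"
        # Split option line on commas
        old_ifs="$IFS"
        IFS="$IFS,"
        for opt in $options; do
            case "$opt" in
                keyscript=*)
                    # An existing keyscript is always kept
                    keyscript="${opt#keyscript=}"
                    newopts="$newopts,$opt"
                    ;;
                "")
                    # Empty field (e.g. from ",,") - drop it
                    :
                    ;;
                rootdev)
                    # Always use Mandos on the root device, if marked
                    changethis=yes
                    newopts="$newopts,$opt"
                    ;;
                resumedev)
                    # Don't use Mandos on resume device, if marked
                    changethis=no
                    newopts="$newopts,$opt"
                    ;;
                *)
                    newopts="$newopts,$opt"
                    ;;
            esac
        done
        IFS="$old_ifs"
        unset old_ifs
        # If there was no keyscript option, add one.
        if [ "$changethis" = yes ] && [ -z "$keyscript" ]; then
            replace_cryptroot=yes
            newopts="$newopts,keyscript=$mandos"
        fi
        newopts="${newopts#,}"
        echo "$newopts" >&3
    done < /conf/conf.d/cryptroot
    exec 3>&-

    # If we need to, replace the old cryptroot file with the new file.
    # Keep a copy of the original first and then rename the new file
    # over the old one, so that /conf/conf.d/cryptroot never goes
    # missing if the second step fails (two renames left a window
    # with no cryptroot file at all).
    if [ "$replace_cryptroot" = yes ]; then
        cp /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old
        mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot
    else
        rm -f /conf/conf.d/cryptroot.mandos
    fi
elif [ -x /usr/bin/cryptroot-unlock ]; then
    # Newer cryptsetup: there is no cryptroot file to edit.  Start the
    # helper in the background instead (its name suggests it bridges
    # Mandos to cryptroot-unlock; see that program for details).
    # Use setsid if available, so the helper is detached from this script
    if command -v setsid >/dev/null 2>&1; then
        setsid /lib/mandos/mandos-to-cryptroot-unlock &
    else
        /lib/mandos/mandos-to-cryptroot-unlock &
    fi
fi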