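#!/bin/sh -e
#
# This script will run in the initrd environment at boot and edit
# /conf/conf.d/cryptroot to set /lib/mandos/plugin-runner as keyscript
# when no other keyscript is set, before cryptsetup.
#
# This script should be installed as
# "/usr/share/initramfs-tools/scripts/init-premount/mandos" which will
# eventually be "/scripts/init-premount/mandos" in the initrd.img
# file.

# "-e" is set here as well as in the shebang line so that it is not
# lost if the script is ever run as "sh <script>" instead of being
# executed directly.  Later steps rely on a failed command aborting
# the script before /conf/conf.d/cryptroot is rewritten.
set -e

# Initramfs pre-requisites: "udev" must have run before this script.
PREREQ="udev"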
# Print this script's initramfs pre-requisites (see PREREQ above), one
# line on stdout; initramfs-tools calls the script with "prereqs" to
# get this.
prereqs() {
    echo "${PREREQ}"
}
# When called with "prereqs", answer and stop here without touching
# anything.
if [ "${1-}" = prereqs ]; then
    prereqs
    exit 0
fi
# Initramfs helper functions; this script uses log_warning_msg and
# configure_networking from here.
. /scripts/functions
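# Parse the kernel command line.  Everything here comes from the boot
# loader configuration and is treated as trusted: whoever controls it
# can switch this script off ("mandos=off") or decide where the client
# connects ("mandos=connect:..." is passed on as --connect= below).
# That is the boot loader's trust boundary, not something this script
# can enforce.  Word splitting of the command line is intended.
for param in $(cat /proc/cmdline); do
    case "$param" in
        ip=*) IPOPTS="${param#ip=}" ;;
        mandos=*)
            # Split option value on commas (in addition to whitespace)
            old_ifs="$IFS"
            IFS="$IFS,"
            for mpar in ${param#mandos=}; do
                # The list is already split; restore IFS before the
                # body so nothing else is affected.
                IFS="$old_ifs"
                case "$mpar" in
                    off) exit 0 ;;
                    connect) connect="" ;;
                    connect:*) connect="${mpar#connect:}" ;;
                    *) log_warning_msg "$0: Bad option ${mpar}" ;;
                esac
            done
            unset mpar
            IFS="$old_ifs"
            unset old_ifs
            ;;
    esac
done
unset param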
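# Make /tmp in the initrd usable by everyone: world-writable with the
# sticky bit set.
chmod a=rwxt /tmp || exit 1

# Refuse to go on unless the cryptroot file can be read and its
# directory written.  "-e" would abort on these anyway; the explicit
# exit makes that not depend on how the script was invoked.
test -r /conf/conf.d/cryptroot || exit 1
test -w /conf/conf.d || exit 1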
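# Get DEVICE from /conf/initramfs.conf and other files.  Note that
# every regular file in /conf/conf.d/ is sourced as shell code, so any
# of them can also redefine variables already set from the kernel
# command line above (IPOPTS, connect).
. /conf/initramfs.conf
for conf in /conf/conf.d/*; do
    if [ -f "$conf" ]; then
        . "$conf"
    fi
done
if [ -e /conf/param.conf ]; then
    . /conf/param.conf
fi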
# Override DEVICE from the sixth colon-separated field of the ip=
# kernel option, if one was passed.
case "$IPOPTS" in
    *:*:*:*:*:*)
        # At least six fields.  Drop the first five, then keep only the
        # first of what remains.  "device" stays set afterwards as the
        # marker (used below) that DEVICE came from the command line.
        device=${IPOPTS#*:*:*:*:*:}
        DEVICE=${device%%:*}
        ;;
esac
# Add the device setting (if any) to plugin-runner.conf.  "device" is
# only set when DEVICE was taken from the ip= kernel option above.
case "${DEVICE+D}${device+d}" in
    Dd)
        # Device came from ip=: let it override the local config by
        # appending, since later lines in the file take precedence.
        cat <<EOF >>/conf/conf.d/mandos/plugin-runner.conf

--options-for=mandos-client:--interface=${DEVICE}
EOF
        ;;
    D)
        # Device came from the initramfs config: prepend it so any
        # later option in the file can still override it.
        # NOTE: DEVICE is spliced into the sed script text itself; it
        # is assumed to be a plain interface name.  Both sources of it
        # (initramfs config, boot loader) are trusted here.
        sed -i -e \
            '1i--options-for=mandos-client:--interface='"${DEVICE}" \
            /conf/conf.d/mandos/plugin-runner.conf
        ;;
esac
unset device
# If we are connecting directly, run "configure_networking" (from
# /scripts/functions); it needs IPOPTS and DEVICE.  "connect" is set,
# possibly to the empty string, by the mandos=connect[:...] kernel
# option handled above.
if [ "${connect+set}" = set ]; then
    configure_networking
    case "$connect" in
        ?*)
            # A non-empty value is handed to mandos-client as --connect=
            cat <<EOF >>/conf/conf.d/mandos/plugin-runner.conf

--options-for=mandos-client:--connect=${connect}
EOF
            ;;
    esac
fi
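# Do not replace cryptroot file unless we need to.
replace_cryptroot=no

# Our keyscript
mandos=/lib/mandos/plugin-runner

# Rewrite one line of /conf/conf.d/cryptroot and print the result.
# Format of a line:
# target=sda2_crypt,source=/dev/sda2,key=none,keyscript=/foo/bar/baz
# Every option is kept as-is (empty fields from ",," are dropped);
# "keyscript=$mandos" is appended only when the line carries no
# keyscript option at all, and replace_cryptroot is then set to yes.
# Arguments: $1 - one cryptroot line
# Outputs:   the rewritten line on stdout
add_keyscript() {
    newopts=""
    # Reset per line: a keyscript seen on an earlier line must not
    # suppress adding ours to a later line that lacks one.
    keyscript=""
    # Split option line on commas
    old_ifs="$IFS"
    IFS="$IFS,"
    for opt in $1; do
        # Find the keyscript option, if any
        case "$opt" in
            keyscript=*)
                keyscript="${opt#keyscript=}"
                newopts="$newopts,$opt"
                ;;
            "") : ;;
            *)
                newopts="$newopts,$opt"
                ;;
        esac
    done
    IFS="$old_ifs"
    unset old_ifs
    # If there was no keyscript option, add one.
    if [ -z "$keyscript" ]; then
        replace_cryptroot=yes
        newopts="$newopts,keyscript=$mandos"
    fi
    echo "${newopts#,}"
}

# Write the rewritten file next to the original; it is moved into
# place (or removed) below.
exec 3>/conf/conf.d/cryptroot.mandos
while read -r options; do
    add_keyscript "$options" >&3
done < /conf/conf.d/cryptroot
exec 3>&-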
# Replace the old cryptroot file with the new one only when a keyscript
# was actually added; the original is kept as cryptroot.mandos-old.
# The two mv calls are not one atomic step: cryptroot is briefly absent
# between them.
case "$replace_cryptroot" in
    yes)
        mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old
        mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot
        ;;
    *)
        rm /conf/conf.d/cryptroot.mandos
        ;;
esac