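#!/bin/sh -e
#
# This script will run in the initrd environment at boot and edit
# /conf/conf.d/cryptroot to set /lib/mandos/plugin-runner as keyscript
# when no other keyscript is set, before cryptsetup.
#
# It also reads the kernel command line for:
#   ip=...                 the sixth field (the device name) overrides
#                          DEVICE from the initramfs configuration
#   mandos=off             do nothing at all
#   mandos=connect[:ADDR]  bring networking up here and, if ADDR is
#                          given, pass --connect=ADDR to mandos-client
# and writes the resulting mandos-client options into
# /conf/conf.d/mandos/plugin-runner.conf.
#
# Security note: the kernel command line is trusted here.  Anything
# able to set it can disable Mandos (mandos=off) or point the client
# at an arbitrary address (mandos=connect:ADDR).
#
# Because of "sh -e", any failing command aborts the script; the
# "test" lines below rely on this for their "nothing to do" exits.
#
# This script should be installed as
# "/usr/share/initramfs-tools/scripts/init-premount/mandos" which will
# eventually be "/scripts/init-premount/mandos" in the initrd.img
# file.

PREREQ="udev"
prereqs()
{
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /scripts/functions

# Parse the kernel command line.  Word splitting of the unquoted
# command substitution is intentional: one iteration per parameter.
for param in $(cat /proc/cmdline); do
    case "$param" in
        ip=*) IPOPTS="${param#ip=}" ;;
        mandos=*)
            # Split the mandos= option list on commas (and whitespace)
            old_ifs="$IFS"
            IFS="$IFS,"
            for mpar in ${param#mandos=}; do
                IFS="$old_ifs"
                case "$mpar" in
                    off) exit 0 ;;
                    connect) connect="" ;;
                    connect:*) connect="${mpar#connect:}" ;;
                    *) log_warning_msg "$0: Bad option ${mpar}" ;;
                esac
            done
            unset mpar
            IFS="$old_ifs"
            unset old_ifs
            ;;
    esac
done
unset param

# Make /tmp in the initrd a world-writable sticky directory before
# any plugin runs.
chmod a=rwxt /tmp

# Nothing to do without a readable cryptroot file, and nothing we can
# do without a writable /conf/conf.d; "sh -e" turns a failure of
# either test into a (silent) exit.
test -r /conf/conf.d/cryptroot
test -w /conf/conf.d

# Get DEVICE from /conf/initramfs.conf and other files.
# NOTE: this sources every regular file in /conf/conf.d, including
# cryptroot itself (and, after an earlier run, cryptroot.mandos-old);
# given the documented "target=...,source=..." line format those read
# as plain variable assignments when executed as shell.
. /conf/initramfs.conf
for conf in /conf/conf.d/*; do
    [ -f "${conf}" ] && . "${conf}"
done
if [ -e /conf/param.conf ]; then
    . /conf/param.conf
fi

# Override DEVICE from sixth field of ip= kernel option, if passed
case "$IPOPTS" in
    *:*:*:*:*:*) # At least six fields
        # Remove the first five fields
        device="${IPOPTS#*:*:*:*:*:}"
        # Remove all fields except the first one
        DEVICE="${device%%:*}"
        ;;
esac

# Add device setting (if any) to plugin-runner.conf
if [ "${DEVICE+set}" = set ]; then
    # Did we get the device from an ip= option?
    if [ "${device+set}" = set ]; then
        # Let ip= option override local config; append it at the end.
        # The leading newline makes the option start on a line of its
        # own even if the file does not end with a newline.
        printf '\n%s\n' "--options-for=mandos-client:--interface=${DEVICE}" \
            >>/conf/conf.d/mandos/plugin-runner.conf
    else
        # Prepend device setting so any later options would override.
        # NOTE(review): sed's "1i" inserts nothing into an empty file
        # (there is no line 1 to insert before) -- confirm the
        # installed plugin-runner.conf is never empty.
        sed -i -e \
            '1i--options-for=mandos-client:--interface='"${DEVICE}" \
            /conf/conf.d/mandos/plugin-runner.conf
    fi
fi
unset device

# If we are connecting directly, run "configure_networking" (from
# /scripts/functions); it needs IPOPTS and DEVICE
if [ "${connect+set}" = set ]; then
    configure_networking
    if [ -n "$connect" ]; then
        printf '\n%s\n' "--options-for=mandos-client:--connect=${connect}" \
            >>/conf/conf.d/mandos/plugin-runner.conf
    fi
fi

# Do not replace cryptroot file unless we need to.
replace_cryptroot=no

# Our keyscript
mandos=/lib/mandos/plugin-runner

# Parse /conf/conf.d/cryptroot, one device per line.  Format:
# target=sda2_crypt,source=/dev/sda2,key=none,keyscript=/foo/bar/baz
# Every line is copied to a new file; ",keyscript=$mandos" is added
# to each line that has no keyscript option of its own.
exec 3>/conf/conf.d/cryptroot.mandos
# "-r" keeps backslashes literal; the "|| [ -n ... ]" clause still
# processes a final line that lacks a trailing newline.
while read -r options || [ -n "$options" ]; do
    # Copy blank lines through untouched instead of turning them into
    # a bogus "keyscript=..." entry.
    if [ -z "$options" ]; then
        printf '\n' >&3
        continue
    fi
    newopts=""
    # Reset per line: otherwise a keyscript found on an earlier line
    # would suppress adding ours to a later line that has none.
    keyscript=""
    # Split option line on commas
    old_ifs="$IFS"
    IFS="$IFS,"
    for opt in $options; do
        # Find the keyscript option, if any
        case "$opt" in
            keyscript=*)
                keyscript="${opt#keyscript=}"
                newopts="$newopts,$opt"
                ;;
            "") : ;;
            *)
                newopts="$newopts,$opt"
                ;;
        esac
    done
    IFS="$old_ifs"
    unset old_ifs
    # If there was no keyscript option, add one.
    if [ -z "$keyscript" ]; then
        replace_cryptroot=yes
        newopts="$newopts,keyscript=$mandos"
    fi
    newopts="${newopts#,}"
    # printf rather than echo: dash's echo interprets backslash
    # escapes and a leading "-n" in its argument.
    printf '%s\n' "$newopts" >&3
done < /conf/conf.d/cryptroot
exec 3>&-

# If we need to, replace the old cryptroot file with the new file;
# the original is kept as cryptroot.mandos-old.
if [ "$replace_cryptroot" = yes ]; then
    mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old
    mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot
else
    rm /conf/conf.d/cryptroot.mandos
fi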