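#!/bin/sh -e
#
# This script will run in the initrd environment at boot and edit
# /conf/conf.d/cryptroot to set /lib/mandos/plugin-runner as keyscript
# when no other keyscript is set, before cryptsetup.
#
# This script should be installed as
# "/usr/share/initramfs-tools/scripts/init-premount/mandos" which will
# eventually be "/scripts/init-premount/mandos" in the initrd.img
# file.

# Abort on any unhandled error.  The "-e" on the shebang line only
# takes effect when the kernel executes this file directly; it is lost
# if the script is started as "sh <script>", so request it explicitly
# as well.  The rest of the script relies on it (it toggles "set +e"
# around library calls that may fail).
set -e

# Hooks that must have run before this one; printed by prereqs() for
# initramfs-tools' ordering.
PREREQ="udev"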
#######################################
# Answer initramfs-tools' "prereqs" query.
# Globals:   PREREQ (read)
# Outputs:   the value of PREREQ on stdout
# Returns:   the exit status of echo
#######################################
prereqs() {
    echo "${PREREQ}"
}
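# initramfs-tools first calls every hook with "prereqs" to learn the
# ordering constraints; answer that and stop.
case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac

. /scripts/functions

# Parse the kernel command line.  The unquoted expansion is deliberate
# (the words must be split on whitespace), but pathname expansion is
# turned off while it happens so that a parameter containing "*", "?"
# or "[" is taken literally instead of being matched against the
# current directory.
set -f
for param in $(cat /proc/cmdline); do
    case "$param" in
        ip=*) IPOPTS="${param#ip=}" ;;
        mandos=*)
            # Split option line on commas
            old_ifs="$IFS"
            IFS="$IFS,"
            for mpar in ${param#mandos=}; do
                # Restore IFS before the first body runs; the splitting
                # of the list above has already happened.
                IFS="$old_ifs"
                case "$mpar" in
                    off) exit 0 ;;
                    connect) connect="" ;;
                    connect:*) connect="${mpar#connect:}" ;;
                    *) log_warning_msg "$0: Bad option ${mpar}" ;;
                esac
            done
            unset mpar
            IFS="$old_ifs"
            unset old_ifs
            ;;
    esac
done
set +f
unset param

# Fix permissions of /tmp in the initrd: world-writable with the
# sticky bit.
chmod a=rwxt /tmp

# Get DEVICE from /conf/initramfs.conf and other files
. /conf/initramfs.conf
for conf in /conf/conf.d/*; do
    [ -f "${conf}" ] && . "${conf}"
done
if [ -e /conf/param.conf ]; then
    . /conf/param.conf
fi

# Override DEVICE from sixth colon-separated field of the ip= kernel
# option, if passed
case "$IPOPTS" in
    *:*:*:*:*:*) # At least six fields
        # Remove the first five fields
        device="${IPOPTS#*:*:*:*:*:}"
        # Remove all fields except the first one
        DEVICE="${device%%:*}"
        ;;
esac

# Add device setting (if any) to plugin-runner.conf
if [ "${DEVICE+set}" = set ]; then
    # Did we get the device from an ip= option?
    if [ "${device+set}" = set ]; then
        # Let ip= option override local config; append an empty line
        # followed by the option.  DEVICE is a printf argument, never
        # part of the format string.
        printf '\n--options-for=mandos-client:--interface=%s\n' \
            "${DEVICE}" >>/conf/conf.d/mandos/plugin-runner.conf
    else
        # Prepend device setting so any later options would override:
        sed -i -e \
            '1i--options-for=mandos-client:--interface='"${DEVICE}" \
            /conf/conf.d/mandos/plugin-runner.conf
    fi
fi
unset device

# If we are connecting directly, run "configure_networking" (from
# /scripts/functions); it needs IPOPTS and DEVICE
if [ "${connect+set}" = set ]; then
    set +e # Required by library functions
    configure_networking
    set -e
    if [ -n "$connect" ]; then
        # Same layout as the --interface entry above: empty line, then
        # the option.
        printf '\n--options-for=mandos-client:--connect=%s\n' \
            "${connect}" >>/conf/conf.d/mandos/plugin-runner.conf
    fi
fi

if [ -r /conf/conf.d/cryptroot ]; then
    # Abort (via -e) if the new cryptroot file cannot be created here.
    test -w /conf/conf.d

    # Do not replace cryptroot file unless we need to.
    replace_cryptroot=no

    # Our keyscript; abort if it is not executable in the initrd.
    mandos=/lib/mandos/plugin-runner
    test -x "$mandos"

    # parse /conf/conf.d/cryptroot. Format:
    # target=sda2_crypt,source=/dev/sda2,rootdev,key=none,keyscript=/foo/bar/baz
    # Is the root device specially marked?
    changeall=yes
    # The "|| [ -n ... ]" also handles a last line without a trailing
    # newline, which "read" alone would drop.
    while read -r options || [ -n "$options" ]; do
        case "$options" in
            rootdev,*|*,rootdev,*|*,rootdev)
                # If the root device is specially marked, don't change all
                # lines in crypttab by default.
                changeall=no
                ;;
        esac
    done < /conf/conf.d/cryptroot

    exec 3>/conf/conf.d/cryptroot.mandos
    while read -r options || [ -n "$options" ]; do
        newopts=""
        keyscript=""
        changethis="$changeall"
        # Split option line on commas.  Pathname expansion is off while
        # the unquoted list is split, so a field containing a glob
        # character is copied through unchanged.
        old_ifs="$IFS"
        IFS="$IFS,"
        set -f
        for opt in $options; do
            # Find the keyscript option, if any
            case "$opt" in
                keyscript=*)
                    keyscript="${opt#keyscript=}"
                    newopts="$newopts,$opt"
                    ;;
                "") : ;;
                # Always use Mandos on the root device, if marked
                rootdev)
                    changethis=yes
                    newopts="$newopts,$opt"
                    ;;
                # Don't use Mandos on resume device, if marked
                resumedev)
                    changethis=no
                    newopts="$newopts,$opt"
                    ;;
                *)
                    newopts="$newopts,$opt"
                    ;;
            esac
        done
        set +f
        IFS="$old_ifs"
        unset old_ifs
        # If there was no keyscript option, add one.
        if [ "$changethis" = yes ] && [ -z "$keyscript" ]; then
            replace_cryptroot=yes
            newopts="$newopts,keyscript=$mandos"
        fi
        newopts="${newopts#,}"
        # printf rather than echo: the initrd's /bin/sh may interpret
        # backslash escapes in echo arguments, which would alter a
        # cryptroot line containing a backslash.
        printf '%s\n' "$newopts" >&3
    done < /conf/conf.d/cryptroot
    exec 3>&-

    # If we need to, replace the old cryptroot file with the new file.
    if [ "$replace_cryptroot" = yes ]; then
        mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old
        mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot
    else
        rm -f /conf/conf.d/cryptroot.mandos
    fi
elif [ -x /usr/bin/cryptroot-unlock ]; then
    # Use setsid if available
    if command -v setsid >/dev/null 2>&1; then
        setsid /lib/mandos/mandos-to-cryptroot-unlock &
    else
        /lib/mandos/mandos-to-cryptroot-unlock &
    fi
fi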