/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to dracut-module/module-setup.sh

  • Committer: Teddy Hogeborn
  • Date: 2019-07-27 10:11:45 UTC
  • Revision ID: teddy@recompile.se-20190727101145-jnpbpf8220gldbcd
Add dracut(8) support

Add support for the dracut(8) system for generating initramfs image
files; dracut is an alternative to the "initramfs-tools" package.

* .bzrignore (dracut-module/password-agent): Ignore new binary file.
* dracut-module: New directory for the dracut module.
* INSTALL (Prerequisites/Libraries/Mandos Client): Add dracut as an
                                                   alternative to
                                                   initramfs-tools,
                                                   and also add GLib.
* Makefile (DRACUTMODULE, GLIB_CFLAGS, GLIB_LIBS): New.
  (CPROGS): Add "dracut-module/password-agent".
  (DOCS): Add "dracut-module/password-agent.8mandos".
  (dracut-module/password-agent.8mandos): New.
  (dracut-module/password-agent.8mandos.xhtml): - '' -
  (dracut-module/password-agent): - '' -
  (check): Add command to run tests of password-agent(8mandos).
  (install-client-nokey): Also install the dracut module directory,
                          its files, and the password-agent(8mandos)
                          manual page.
  (install-client): To update the initramfs image file, run
                    update-initramfs or dracut depending on what is
                    installed.
  (uninstall-client): - '' - and also uninstall the the files in the
                      dracut module directory, that directory itself,
                      and the password-agent(8mandos) manual page.
* debian/control (Build-Depends): Add "libglib2.0-dev (>=2.40)".
  (Package: mandos-client/Depends): Add "dracut (>= 044+241-3)" as an
                                    alternative dependency to
                                    initramfs-tools.
  (Package: mandos-client/Conflicts): New; set to
                                      "dracut-config-generic".
  (debian/mandos-client.README.Debian): Document alternative commands
                                        to update the initramfs image
                                        for when dracut is used.
* debian/mandos-client.postinst (update_initramfs): Use alternative
                                                    commands to update
                                                    the initramfs
                                                    image for when
                                                    dracut is used.
* debian/tests/control (password-agent, password-agent-suid): Add two
                                                              new tests.
* dracut-module/ask-password-mandos.path: New.
* dracut-module/ask-password-mandos.service: - '' -
* dracut-module/cmdline-mandos.sh: - '' -
* dracut-module/module-setup.sh: - '' -
* dracut-module/password-agent.c: - '' -
* dracut-module/password-agent.xml: - '' -
* initramfs-unpack: Use the dracut "skipcpio" command, if available.
                    Also be more flexible and try hard to detect where
                    compressed data starts.
* plugins.d/mandos-client.xml (SECURITY): Be more precise that the
                                          mandos-client binary might
                                          not always be setuid, but
                                          that the program assumes
                                          that it has been started
                                          that way.
* plugins.d/password-prompt.c: Add new "--prompt" option.
  (conflict_detection): First try to detect the new PID file of
                        plymouth.
  (main): Define and use new "prompt" variable.
* plugins.d/password-prompt.xml (SYNOPSIS): Show new --prompt option.
  (DESCRIPTION): Describe new behavior of looking for plymouth PID
                 file.
  (OPTIONS): Document new "--prompt" option.
  (ENVIRONMENT): Clarify that the CRYPTTAB_SOURCE and CRYPTTAB_NAME
                 environment variables are not used if the --prompt
                 option is used.  Remove unnecessarily specific
                 details about where the CRYPTTAB_SOURCE and
                 CRYPTTAB_NAME comes from, since this can now be
                 either initramfs-tools or dracut.
  (SEE ALSO): Remove superfluous crypttab(5) reference, and add commas
              to separate the other references.
* plugins.d/plymouth.c: Add new "--prompt" and "--debug" options.
  (debug): New global flag.
  (fprintf_plus): New function, used for debug output.
  (exec_and_wait): Add extra "const" to "argv" argument.
  (main): Define and use new "prompt" variable.  Add debug output.
  (main/options, main/parse_opt): New; used to parse options.
* plugins.d/plymouth.xml (SYNOPSIS): Show new options.
  (OPTIONS): Document new options.
  (ENVIRONMENT): Clarify that the cryptsource and crypttarget
                 environment variables are not used if the --prompt
                 option is used.  Remove unnecessarily specific
                 details about where the cryptsource and crypttarget
                 comes from, since this can now be either
                 initramfs-tools or dracut.
  (EXAMPLE): Add an example using an option.
  (SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/splashy.xml (ENVIRONMENT): Clarify that the cryptsource
                                       and crypttarget environment
                                       variables are not used if the
                                       --prompt option is used.
                                       Remove unnecessarily specific
                                       details about where the
                                       cryptsource and crypttarget
                                       comes from, since this can now
                                       be either initramfs-tools or
                                       dracut.
  (SEE ALSO): Remove superfluous crypttab(5) reference.
* plugins.d/usplash.xml (ENVIRONMENT): Clarify that the cryptsource
                                       and crypttarget environment
                                       variables are not used if the
                                       --prompt option is used.
                                       Remove unnecessarily specific
                                       details about where the
                                       cryptsource and crypttarget
                                       comes from, since this can now
                                       be either initramfs-tools or
                                       dracut.
  (SEE ALSO): Remove superfluous crypttab(5) reference.

Show diffs side-by-side

added added

removed removed

Lines of Context:
 
1
#!/bin/sh
 
2
#
 
3
# This file should be present in the root file system directory
 
4
# /usr/lib/dracut/modules.d/90mandos.  When dracut creates the
 
5
# initramfs image, dracut will source this file and run the shell
 
6
# functions defined in this file: "install", "check", "depends",
 
7
# "cmdline", and "installkernel".
 
8
 
9
# Despite the above #!/bin/sh line and the executable flag, this file
 
10
# is not executed; this file is sourced by dracut when creating the
 
11
# initramfs image file.
 
12
 
 
13
mandos_libdir(){
 
14
    for dir in /usr/lib \
 
15
        "/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \
 
16
        "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/local/lib; do
 
17
        if [ -d "$dir"/mandos ]; then
 
18
            echo "$dir"/mandos
 
19
            return
 
20
        fi
 
21
    done
 
22
    # Mandos not found
 
23
    return 1
 
24
}
 
25
 
 
26
mandos_keydir(){
 
27
    for dir in /etc/keys/mandos /etc/mandos/keys; do
 
28
        if [ -d "$dir" ]; then
 
29
            echo "$dir"
 
30
            return
 
31
        fi
 
32
    done
 
33
    # Mandos key directory not found
 
34
    return 1
 
35
}
 
36
 
 
37
check(){
 
38
    if [ "${hostonly:-no}" = "no" ]; then
 
39
        dwarning "Mandos: Dracut not in hostonly mode"
 
40
        return 1
 
41
    fi
 
42
 
 
43
    local libdir=`mandos_libdir`
 
44
    if [ -z "$libdir" ]; then
 
45
        dwarning "Mandos lib directory not found"
 
46
        return 1
 
47
    fi
 
48
 
 
49
    local keydir=`mandos_keydir`
 
50
    if [ -z "$keydir" ]; then
 
51
        dwarning "Mandos key directory not found"
 
52
        return 1
 
53
    fi
 
54
}
 
55
 
 
56
install(){
 
57
    chmod go+w,+t "$initdir"/tmp
 
58
    local libdir=`mandos_libdir`
 
59
    local keydir=`mandos_keydir`
 
60
    set `{ getent passwd _mandos \
 
61
        || getent passwd nobody \
 
62
        || echo ::65534:65534:::; } \
 
63
        | cut --delimiter=: --fields=3,4 --only-delimited \
 
64
        --output-delimiter=" "`
 
65
    local mandos_user="$1"
 
66
    local mandos_group="$2"
 
67
    inst "${libdir}" /lib/mandos
 
68
    if dracut_module_included "systemd"; then
 
69
        plugindir=/lib/mandos
 
70
        inst "${libdir}/plugins.d/mandos-client" \
 
71
             "${plugindir}/mandos-client"
 
72
        chmod u-s "${initdir}/${plugindir}/mandos-client"
 
73
        inst "${moddir}/ask-password-mandos.service" \
 
74
             "${systemdsystemunitdir}/ask-password-mandos.service"
 
75
        if [ ${mandos_user} != 65534 ]; then
 
76
            sed --in-place \
 
77
                --expression="s,^ExecStart=/lib/mandos/password-agent ,&--user=${mandos_user} ," \
 
78
                "${initdir}/${systemdsystemunitdir}/ask-password-mandos.service"
 
79
        fi
 
80
        if [ ${mandos_group} != 65534 ]; then
 
81
            sed --in-place \
 
82
                --expression="s,^ExecStart=/lib/mandos/password-agent ,&--group=${mandos_group} ," \
 
83
                "${initdir}/${systemdsystemunitdir}/ask-password-mandos.service"
 
84
        fi
 
85
    else
 
86
        inst_hook cmdline 20 "$moddir"/cmdline-mandos.sh
 
87
        plugindir=/lib/mandos/plugins.d
 
88
        inst "${libdir}/plugin-runner" /lib/mandos/plugin-runner
 
89
        inst /etc/mandos/plugin-runner.conf
 
90
        sed --in-place \
 
91
            --expression='1i--options-for=mandos-client:--pubkey=/etc/mandos/keys/pubkey.txt,--seckey=/etc/mandos/keys/seckey.txt,--tls-pubkey=/etc/mandos/keys/tls-pubkey.pem,--tls-privkey=/etc/mandos/keys/tls-privkey.pem' \
 
92
            "${initdir}/etc/mandos/plugin-runner.conf"
 
93
        if [ ${mandos_user} != 65534 ]; then
 
94
            sed --in-place --expression="1i--userid=${mandos_user}" \
 
95
                "${initdir}/etc/mandos/plugin-runner.conf"
 
96
        fi
 
97
        if [ ${mandos_group} != 65534 ]; then
 
98
            sed --in-place \
 
99
                --expression="1i--groupid=${mandos_group}" \
 
100
                "${initdir}/etc/mandos/plugin-runner.conf"
 
101
        fi
 
102
        inst "${libdir}/plugins.d" "$plugindir"
 
103
        chown ${mandos_user}:${mandos_group} "${initdir}/${plugindir}"
 
104
        # Copy the packaged plugins
 
105
        for file in "$libdir"/plugins.d/*; do
 
106
            base="`basename \"$file\"`"
 
107
            # Is this plugin overridden?
 
108
            if [ -e "/etc/mandos/plugins.d/$base" ]; then
 
109
                continue
 
110
            fi
 
111
            case "$base" in
 
112
                *~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
 
113
                    : ;;
 
114
                "*") dwarning "Mandos client plugin directory is empty." >&2 ;;
 
115
                askpass-fifo) : ;; # Ignore packaged for dracut
 
116
                *) inst "${file}" "${plugindir}/${base}" ;;
 
117
            esac
 
118
        done
 
119
        # Copy any user-supplied plugins
 
120
        for file in /etc/mandos/plugins.d/*; do
 
121
            base="`basename \"$file\"`"
 
122
            case "$base" in
 
123
                *~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
 
124
                    : ;;
 
125
                "*") : ;;
 
126
                *) inst "$file" "${plugindir}/${base}" ;;
 
127
            esac
 
128
        done
 
129
        # Copy any user-supplied plugin helpers
 
130
        for file in /etc/mandos/plugin-helpers/*; do
 
131
            base="`basename \"$file\"`"
 
132
            case "$base" in
 
133
                *~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
 
134
                    : ;;
 
135
                "*") : ;;
 
136
                *) inst "$file" "/lib/mandos/plugin-helpers/$base";;
 
137
            esac
 
138
        done
 
139
    fi
 
140
    # Copy network hooks
 
141
    for hook in /etc/mandos/network-hooks.d/*; do
 
142
        basename=`basename "$hook"`
 
143
        case "$basename" in
 
144
            "*") continue ;;
 
145
            *[!A-Za-z0-9_.-]*) continue ;;
 
146
            *) test -d "$hook" || inst "$hook" "/lib/mandos/network-hooks.d/$basename" ;;
 
147
        esac
 
148
        if [ -x "$hook" ]; then
 
149
            # Copy any files needed by the network hook
 
150
            MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=files \
 
151
                VERBOSITY=0 "$hook" files | while read file target; do
 
152
                if [ ! -e "${file}" ]; then
 
153
                    dwarning "WARNING: file ${file} not found, requested by Mandos network hook '${basename}'" >&2
 
154
                fi
 
155
                if [ -z "${target}" ]; then
 
156
                    inst "$file"
 
157
                else
 
158
                    inst "$file" "$target"
 
159
                fi
 
160
            done
 
161
        fi
 
162
    done
 
163
    # Copy the packaged plugin helpers
 
164
    for file in "$libdir"/plugin-helpers/*; do
 
165
        base="`basename \"$file\"`"
 
166
        # Is this plugin overridden?
 
167
        if [ -e "/etc/mandos/plugin-helpers/$base" ]; then
 
168
            continue
 
169
        fi
 
170
        case "$base" in
 
171
            *~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
 
172
                : ;;
 
173
            "*") : ;;
 
174
            *) inst "$file" "/lib/mandos/plugin-helpers/$base";;
 
175
        esac
 
176
    done
 
177
    local gpg=/usr/bin/gpg
 
178
    if [ -e /usr/bin/gpgconf ]; then
 
179
        inst /usr/bin/gpgconf
 
180
        gpg="`/usr/bin/gpgconf|sed --quiet --expression='s/^gpg:[^:]*://p'`"
 
181
        gpgagent="`/usr/bin/gpgconf|sed --quiet --expression='s/^gpg-agent:[^:]*://p'`"
 
182
        # Newer versions of GnuPG 2 requires the gpg-agent binary
 
183
        if [ -e "$gpgagent" ]; then
 
184
            inst "$gpgagent"
 
185
        fi
 
186
    fi
 
187
    inst "$gpg"
 
188
    if dracut_module_included "systemd"; then
 
189
        inst "${moddir}/password-agent" /lib/mandos/password-agent
 
190
        inst "${moddir}/ask-password-mandos.path" \
 
191
             "${systemdsystemunitdir}/ask-password-mandos.path"
 
192
        ln_r "${systemdsystemunitdir}/ask-password-mandos.path" \
 
193
             "${systemdsystemunitdir}/sysinit.target.wants/ask-password-mandos.path"
 
194
    fi
 
195
    # Key files
 
196
    for file in "$keydir"/*; do
 
197
        if [ -d "$file" ]; then
 
198
            continue
 
199
        fi
 
200
        case "$file" in
 
201
            *~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
 
202
                : ;;
 
203
            "*") : ;;
 
204
            *)
 
205
                inst "$file" "/etc/mandos/keys/`basename \"$file\"`"
 
206
                chown ${mandos_user}:${mandos_group} \
 
207
                      "${initdir}/etc/mandos/keys/`basename \"$file\"`"
 
208
                if [ `basename "$file"` = dhparams.pem ]; then
 
209
                    # Use Diffie-Hellman parameters file
 
210
                    if dracut_module_included "systemd"; then
 
211
                        sed --in-place \
 
212
                            --expression='/^ExecStart/s/$/ --dh-params=\/etc\/mandos\/keys\/dhparams.pem/' \
 
213
                            "${initdir}/${systemdsystemunitdir}/ask-password-mandos.service"
 
214
                    else
 
215
                        sed --in-place \
 
216
                            --expression="1i--options-for=mandos-client:--dh-params=/etc/mandos/keys/dhparams.pem" \
 
217
                            "${initdir}/etc/mandos/plugin-runner.conf"
 
218
                    fi
 
219
                fi
 
220
                ;;
 
221
        esac
 
222
    done
 
223
}
 
224
 
 
225
installkernel(){
 
226
    instmods =drivers/net
 
227
    hostonly='' instmods ipv6
 
228
    # Copy any kernel modules needed by network hooks
 
229
    for hook in /etc/mandos/network-hooks.d/*; do
 
230
        basename=`basename "$hook"`
 
231
        case "$basename" in
 
232
            "*") continue ;;
 
233
            *[!A-Za-z0-9_.-]*) continue ;;
 
234
        esac
 
235
        if [ -x "$hook" ]; then
 
236
            # Copy and load any modules needed by the network hook
 
237
            MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=modules \
 
238
                VERBOSITY=0 "$hook" modules | while read module; do
 
239
                if [ -z "${target}" ]; then
 
240
                    instmods "$module"
 
241
                fi
 
242
            done
 
243
        fi
 
244
    done
 
245
}
 
246
 
 
247
depends(){
 
248
    echo crypt
 
249
}
 
250
 
 
251
cmdline(){
 
252
    :
 
253
}