/mandos/trunk : revision 906

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to initramfs-tools-script

Committer: Teddy Hogeborn
Date: 2017-08-20 14:41:20 UTC
Revision ID: teddy@recompile.se-20170820144120-ee0hsyhvo1geg8ms

Handle multiple lines better in cryptroot file.

* initramfs-tools-script: Avoid running plugin-runner more than once
  if the root file system device is specially marked in the cryptroot
  file.  Also never run plugin-runner for a resume (usually swap)
  device.

files added:
initramfs-tools-hook-conf

files removed:
debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

initramfs-tools-script

chmod a=rwxt /tmp

test -r /conf/conf.d/cryptroot

test -w /conf/conf.d

# Get DEVICE from /conf/initramfs.conf and other files

. /conf/initramfs.conf

for conf in /conf/conf.d/*; do

102

105

103

106

104

107

105

if [ -r /conf/conf.d/cryptroot ]; then

106

test -w /conf/conf.d

107

108

# Do not replace cryptroot file unless we need to.

109

replace_cryptroot=no

110

111

# Our keyscript

112

mandos=/lib/mandos/plugin-runner

113

test -x "$mandos"

114

115

# parse /conf/conf.d/cryptroot. Format:

116

# target=sda2_crypt,source=/dev/sda2,rootdev,key=none,keyscript=/foo/bar/baz

117

# Is the root device specially marked?

118

changeall=yes

119

while read -r options; do

120

case "$options" in

121

rootdev,*|*,rootdev,*|*,rootdev)

122

# If the root device is specially marked, don't change all

123

# lines in crypttab by default.

124

changeall=no

108

# Do not replace cryptroot file unless we need to.

109

replace_cryptroot=no

110

111

# Our keyscript

112

mandos=/lib/mandos/plugin-runner

113

test -x "$mandos"

114

115

# parse /conf/conf.d/cryptroot. Format:

116

# target=sda2_crypt,source=/dev/sda2,rootdev,key=none,keyscript=/foo/bar/baz

117

# Is the root device specially marked?

118

changeall=yes

119

while read -r options; do

120

case "$options" in

121

rootdev,*|*,rootdev,*|*,rootdev)

122

# If the root device is specially marked, don't change all

123

# lines in crypttab by default.

124

changeall=no

125

;;

126

esac

127

done < /conf/conf.d/cryptroot

128

129

exec 3>/conf/conf.d/cryptroot.mandos

130

while read -r options; do

131

newopts=""

132

keyscript=""

133

changethis="$changeall"

134

# Split option line on commas

135

old_ifs="$IFS"

136

IFS="$IFS,"

137

for opt in $options; do

138

# Find the keyscript option, if any

139

case "$opt" in

140

keyscript=*)

141

keyscript="${opt#keyscript=}"

142

newopts="$newopts,$opt"

143

;;

144

"") : ;;

145

# Always use Mandos on the root device, if marked

146

rootdev)

147

changethis=yes

148

newopts="$newopts,$opt"

149

;;

150

# Don't use Mandos on resume device, if marked

151

resumedev)

152

changethis=no

153

newopts="$newopts,$opt"

154

;;

155

156

newopts="$newopts,$opt"

125

157

;;

126

158

esac

127

done < /conf/conf.d/cryptroot

128

129

exec 3>/conf/conf.d/cryptroot.mandos

130

while read -r options; do

131

newopts=""

132

keyscript=""

133

changethis="$changeall"

134

# Split option line on commas

135

old_ifs="$IFS"

136

IFS="$IFS,"

137

for opt in $options; do

138

# Find the keyscript option, if any

139

case "$opt" in

140

keyscript=*)

141

keyscript="${opt#keyscript=}"

142

newopts="$newopts,$opt"

143

;;

144

"") : ;;

145

# Always use Mandos on the root device, if marked

146

rootdev)

147

changethis=yes

148

newopts="$newopts,$opt"

149

;;

150

# Don't use Mandos on resume device, if marked

151

resumedev)

152

changethis=no

153

newopts="$newopts,$opt"

154

;;

155

156

newopts="$newopts,$opt"

157

;;

158

esac

159

done

160

IFS="$old_ifs"

161

unset old_ifs

162

# If there was no keyscript option, add one.

163

if [ "$changethis" = yes ] && [ -z "$keyscript" ]; then

164

replace_cryptroot=yes

165

newopts="$newopts,keyscript=$mandos"

166

167

newopts="${newopts#,}"

168

echo "$newopts" >&3

169

done < /conf/conf.d/cryptroot

170

exec 3>&-

171

172

# If we need to, replace the old cryptroot file with the new file.

173

if [ "$replace_cryptroot" = yes ]; then

174

mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old

175

mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot

176

else

177

rm -f /conf/conf.d/cryptroot.mandos

178

179

elif [ -x /usr/bin/cryptroot-unlock ]; then

180

# Use setsid if available

181

if command -v setsid >/dev/null 2>&1; then

182

setsid /lib/mandos/mandos-to-cryptroot-unlock &

183

else

184

/lib/mandos/mandos-to-cryptroot-unlock &

185

159

done

160

IFS="$old_ifs"

161

unset old_ifs

162

# If there was no keyscript option, add one.

163

if [ "$changethis" = yes ] && [ -z "$keyscript" ]; then

164

replace_cryptroot=yes

165

newopts="$newopts,keyscript=$mandos"

166

167

newopts="${newopts#,}"

168

echo "$newopts" >&3

169

done < /conf/conf.d/cryptroot

170

exec 3>&-

171

172

# If we need to, replace the old cryptroot file with the new file.

173

if [ "$replace_cryptroot" = yes ]; then

174

mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old

175

mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot

176

else

177

rm /conf/conf.d/cryptroot.mandos

186

178

Older »