1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
#!/bin/sh -e
#
# This script will run in the initrd environment at boot and edit
# /conf/conf.d/cryptroot to set /lib/mandos/plugin-runner as keyscript
# when no other keyscript is set, before cryptsetup.
#
# This script should be installed as
# "/usr/share/initramfs-tools/scripts/init-premount/mandos" which will
# eventually be "/scripts/init-premount/mandos" in the initrd.img
# file.
PREREQ="udev"
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
. /scripts/functions
for param in `cat /proc/cmdline`; do
case "$param" in
ip=*) IPOPTS="${param#ip=}" ;;
mandos=*)
# Split option line on commas
old_ifs="$IFS"
IFS="$IFS,"
for mpar in ${param#mandos=}; do
IFS="$old_ifs"
case "$mpar" in
off) exit 0 ;;
connect) connect="" ;;
connect:*) connect="${mpar#connect:}" ;;
*) log_warning_msg "$0: Bad option ${mpar}" ;;
esac
done
unset mpar
IFS="$old_ifs"
unset old_ifs
;;
esac
done
unset param
chmod a=rwxt /tmp
test -r /conf/conf.d/cryptroot
test -w /conf/conf.d
# Get DEVICE from /conf/initramfs.conf and other files
. /conf/initramfs.conf
for conf in /conf/conf.d/*; do
[ -f ${conf} ] && . ${conf}
done
if [ -e /conf/param.conf ]; then
. /conf/param.conf
fi
# Override DEVICE from sixth field of ip= kernel option, if passed
case "$IPOPTS" in
*:*:*:*:*:*) # At least six fields
# Remove the first five fields
device="${IPOPTS#*:*:*:*:*:}"
# Remove all fields except the first one
DEVICE="${device%%:*}"
;;
esac
# Add device setting (if any) to plugin-runner.conf
if [ "${DEVICE+set}" = set ]; then
# Did we get the device from an ip= option?
if [ "${device+set}" = set ]; then
# Let ip= option override local config; append:
cat <<-EOF >>/conf/conf.d/mandos/plugin-runner.conf
--options-for=mandos-client:--interface=${DEVICE}
EOF
else
# Prepend device setting so any later options would override:
sed -i -e \
'1i--options-for=mandos-client:--interface='"${DEVICE}" \
/conf/conf.d/mandos/plugin-runner.conf
fi
fi
unset device
# If we are connecting directly, run "configure_networking" (from
# /scripts/functions); it needs IPOPTS and DEVICE
if [ "${connect+set}" = set ]; then
configure_networking
if [ -n "$connect" ]; then
cat <<-EOF >>/conf/conf.d/mandos/plugin-runner.conf
--options-for=mandos-client:--connect=${connect}
EOF
fi
fi
# Do not replace cryptroot file unless we need to.
replace_cryptroot=no
# Our keyscript
mandos=/lib/mandos/plugin-runner
test -x "$mandos"
# parse /conf/conf.d/cryptroot. Format:
# target=sda2_crypt,source=/dev/sda2,key=none,keyscript=/foo/bar/baz
exec 3>/conf/conf.d/cryptroot.mandos
while read options; do
newopts=""
# Split option line on commas
old_ifs="$IFS"
IFS="$IFS,"
for opt in $options; do
# Find the keyscript option, if any
case "$opt" in
keyscript=*)
keyscript="${opt#keyscript=}"
newopts="$newopts,$opt"
;;
"") : ;;
*)
newopts="$newopts,$opt"
;;
esac
done
IFS="$old_ifs"
unset old_ifs
# If there was no keyscript option, add one.
if [ -z "$keyscript" ]; then
replace_cryptroot=yes
newopts="$newopts,keyscript=$mandos"
fi
newopts="${newopts#,}"
echo "$newopts" >&3
done < /conf/conf.d/cryptroot
exec 3>&-
# If we need to, replace the old cryptroot file with the new file.
if [ "$replace_cryptroot" = yes ]; then
mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old
mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot
else
rm /conf/conf.d/cryptroot.mandos
fi
|