#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
#

. /lib/svc/share/smf_include.sh

#
# SMF method script for labeld (Trusted Extensions).
#
#	$0 start|stop [-R rootpath]
#
# ROOT_PATH holds the alternate root given with -R; it stays empty for the
# live root (no -R, or -R /).  -R is accepted for the start method only.
#
ROOT_PATH=""
if [ $# -gt 1 ]; then
	# The only extra arguments allowed are "-R <rootpath>".
	if [ $# -ne 3 ] || [ "$2" != "-R" ]; then
		echo "$0: invalid syntax"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	# "/" is the live root, which this script expresses as an empty path.
	if [ "$3" != "/" ]; then
		ROOT_PATH=$3
	fi
fi

if [ -n "$ROOT_PATH" ] && [ "$1" != "start" ]; then
	echo "$0: invalid syntax: -R allowed for start method only"
	exit $SMF_EXIT_ERR_CONFIG
fi

if [ -n "$ROOT_PATH" ] && [ ! -d "$ROOT_PATH" ]; then
	echo "$0: invalid -R rootpath dir specified"
	exit $SMF_EXIT_ERR_CONFIG
fi

# Trusted Extensions is enabled and disabled from the global zone only.
if smf_is_nonglobalzone; then
	echo "$0: not supported in a local zone"
	exit $SMF_EXIT_ERR_CONFIG
fi
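#
# rewrite_logindev FROM TO
#
# Rewrite the audio, usb, removable-media and hotpluggable device entries of
# $ROOT_PATH/etc/logindevperm, replacing a leading FROM with TO on each of
# them.  Called as ("" "#") to comment the entries out when Trusted
# Extensions is enabled and as ("#" "") to restore them on disable.
# Does nothing when the file does not exist.  Returns non-zero only when no
# scratch file could be created.
#
rewrite_logindev()
{
	from="$1"
	to="$2"
	LOGINDEVPERM="$ROOT_PATH/etc/logindevperm"
	if [ ! -f "$LOGINDEVPERM" ]; then
		return 0
	fi

	# The scratch copy gets an unpredictable name: this method runs with
	# privilege, and a fixed /tmp/tmp.<pid> could be pre-created (or
	# symlinked) by any local user before we write to it.
	tmpfile=`mktemp /tmp/logindevperm.XXXXXX` || return 1
	for line in \
	    "/dev/sound/" \
	    "/dev/removable-media/" \
	    "/dev/hotpluggable/" \
	    "/dev/usb/\[0-9a-f\]" \
	    ; do
		# An entry is "<console> <mode> <device>"; the fields are
		# blank-separated (tabs in the shipped file), hence [[:blank:]].
		# \1 keeps the console and mode fields so that only the
		# leading marker (FROM -> TO) changes.
		sed -e "s!^$from\([^# ]\{1,\}[[:blank:]]\{1,\}[0-9]\{1,\}[[:blank:]]\{1,\}\)$line!$to\1$line!" \
		    "$LOGINDEVPERM" > "$tmpfile"
		# cp rather than mv: the file keeps its owner and mode.
		cp "$tmpfile" "$LOGINDEVPERM"
	done
	rm -f "$tmpfile"
}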
#
# Comment out the logindevperm device entries that Trusted Extensions takes
# over (see rewrite_logindev).
#
do_logindev()
{
	rewrite_logindev '' '#'
}
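#
# Queue the enabling of the services Trusted Extensions depends on in the
# upgrade profile of the target root, so they come up at the next boot.
# The first two use "svcadm -s", which waits for the instance to come online.
#
do_otherservices()
{
	# Setup dependent services (the quoted delimiter appends the text
	# verbatim, nothing is expanded here).
	cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\__ENABLE_OTHERS
/usr/sbin/svcadm enable -s svc:/network/tnd:default
/usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
/usr/sbin/svcadm enable svc:/network/rpc/rstat:default
__ENABLE_OTHERS
}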
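#
# Ensure auditing and device allocation are enabled by default with
# Trusted Extensions.  On the live root this is done right away; for an
# alternate root the same commands are queued in its upgrade profile and
# run at that root's next boot.
#
do_audit_devalloc()
{
	if [ -z "$ROOT_PATH" ] || [ "$ROOT_PATH" = "/" ]; then
		/usr/sbin/svcadm enable -s svc:/system/device/allocate:default
		echo "Starting auditd ..."
		/usr/sbin/audit -s
	else
		cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\_ENABLE_AUDITD
/usr/sbin/audit -s
/usr/sbin/svcadm enable -s svc:/system/device/allocate:default
_ENABLE_AUDITD
	fi
}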
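#
# Queue, in the upgrade profile of the target root, a fragment that makes
# the nscd service transient in non-global zones.  The fragment runs at the
# next boot of that root; it is appended verbatim (quoted delimiter), so
# the backquotes and $nscd below are evaluated then, not now.
#
do_nscd()
{
	# For Trusted Extensions, make nscd service transient in local zones.
	cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\_DEL_LOCAL_NSCD
if [ `/sbin/zonename` != "global" ]; then
	nscd="svc:/system/name-service-cache"
	duration=""
	if /bin/svcprop -q -c -p startd/duration $nscd ; then
		duration=`/bin/svcprop -c -p startd/duration $nscd`
	fi
	if [ "$duration" != "transient" ]; then
		/usr/sbin/svccfg -s $nscd addpg startd framework
		/usr/sbin/svccfg -s $nscd setprop \
		    startd/duration = astring: transient
		/usr/sbin/svccfg -s $nscd setprop stop/exec = :true
		/usr/sbin/svcadm refresh $nscd
	fi
fi
_DEL_LOCAL_NSCD
}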
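#
# Rebuild the boot archive of the target root, if that root has one, so the
# /etc/system change made by this method is picked up at the next boot.
#
do_bootupd()
{
	arch=`/sbin/uname -m`
	if [ ! -f "$ROOT_PATH/platform/$arch/boot_archive" ]; then
		return 0
	fi
	if [ -z "$ROOT_PATH" ] || [ "$ROOT_PATH" = "/" ]; then
		/sbin/bootadm update-archive
	else
		/sbin/bootadm update-archive -R "$ROOT_PATH"
	fi
}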
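#
# Write the PAM stack lines Trusted Extensions needs to the file named by
# TX_ENTRIES (set by the caller).  One entry per line, fields separated by
# single spaces, because do_addpam reads them back with "read".
#
setup_tx_changes(){
	# No comments or blanks lines allowed in entries below
	cat > "${TX_ENTRIES}" << EOF
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_unix_account.so.1
dtsession account requisite pam_roles.so.1
dtsession account required pam_unix_account.so.1
gdm account requisite pam_roles.so.1
gdm account required pam_unix_account.so.1
xscreensaver account requisite pam_roles.so.1
xscreensaver account required pam_unix_account.so.1
passwd account requisite pam_roles.so.1
passwd account required pam_unix_account.so.1
dtpasswd account requisite pam_roles.so.1
dtpasswd account required pam_unix_account.so.1
tsoljds-tstripe account requisite pam_roles.so.1
tsoljds-tstripe account required pam_unix_account.so.1
other account required pam_tsol_account.so.1
EOF
}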
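#
# Append the Trusted Extensions PAM entries (see setup_tx_changes) to
# $ROOT_PATH/etc/pam.conf, skipping every entry that is already present.
# Exits the method with SMF_EXIT_ERR_FATAL when pam.conf is missing or no
# scratch directory can be created.
#
do_addpam()
{
	# All scratch files live in a mktemp(1) directory: this method runs
	# with privilege, and a fixed /tmp/<name>.<pid> could be pre-created
	# or symlinked by any local user before we write to it.
	PAM_TMP=`mktemp -d /tmp/pam_conf.XXXXXX` || exit $SMF_EXIT_ERR_FATAL
	TX_ENTRIES=$PAM_TMP/sct.$$
	PAM_DEST=$ROOT_PATH/etc/pam.conf
	PAM_NEW=$PAM_TMP/pamconf

	setup_tx_changes

	# verify that pam.conf file exists...
	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		rm -rf "$PAM_TMP"
		exit $SMF_EXIT_ERR_FATAL
	fi

	# Update pam.conf to append Trusted Extensions entries if not
	# already present.
	while read -r e1 e2 e3 e4 e5
	do
		if [ "$e1" = "other" ]; then
			# The 'other' entry is added unless exactly this stack
			# line (service, type, control flag, module) exists,
			# commented out or not.
			grep "^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4" \
			    "$PAM_DEST" >/dev/null 2>&1
			found=$?
		else
			# Any other service is added unless it already has a
			# stack of its own for this module type.
			grep "^[# ]*$e1[ ][ ]*$e2[ ]" \
			    "$PAM_DEST" >/dev/null 2>&1
			found=$?
		fi
		# Only a clean "no match" (status 1) adds the entry; a grep
		# failure (status 2) leaves pam.conf alone.
		if [ "$found" = 1 ]; then
			# printf so the tab layout does not depend on the
			# shell's echo(1) escape handling.
			printf '%s\t%s %s\t\t%s %s\n' "$e1" "$e2" "$e3" "$e4" "$e5" \
			    >> "$PAM_NEW"
		fi
	done < "${TX_ENTRIES}"

	# Append TX lines if any were not present already.
	if [ -f "$PAM_NEW" ]; then
		echo "# Entries for Trusted Extensions" >> "$PAM_DEST"
		cat "$PAM_NEW" >> "$PAM_DEST"
		echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
		echo "$0: please examine/update any new entries"
	fi

	rm -rf "$PAM_TMP"
}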
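#
# Remove every pam_tsol_account line from $ROOT_PATH/etc/pam.conf.  Nothing
# is changed when no active (uncommented) entry uses the module.  Exits the
# method with SMF_EXIT_ERR_FATAL when pam.conf is missing or no scratch
# directory can be created.
#
do_pamremove()
{
	# Scratch space in a mktemp(1) directory rather than a fixed
	# /tmp/<name>.<pid>, which another local user could pre-create.
	PAM_TMP=`mktemp -d /tmp/pam_conf.XXXXXX` || exit $SMF_EXIT_ERR_FATAL
	PAM_DEST=$ROOT_PATH/etc/pam.conf
	TMPFILE=$PAM_TMP/pam.conf

	# verify that pam.conf file exists...
	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		rm -rf "$PAM_TMP"
		exit $SMF_EXIT_ERR_FATAL
	fi

	if ! grep '^[a-z].*pam_tsol_account' "$PAM_DEST" > /dev/null 2>&1; then
		echo "$0: pam_tsol_account module not present,"
		echo "$0: No changes were made to $PAM_DEST."
		rm -rf "$PAM_TMP"
		return 0
	fi

	# Drop every line naming the module (commented ones included) and
	# copy the result back so pam.conf keeps its owner and mode.
	grep -v pam_tsol_account "$PAM_DEST" > "$TMPFILE"
	echo "$0: $PAM_DEST tsol entries removed"
	cp "$TMPFILE" "$PAM_DEST"

	rm -rf "$PAM_TMP"
}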
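#
# Steps shared by the live-root and alternate-root start paths: turn on
# sys_labeling in $ROOT_PATH/etc/system, then queue or apply the dependent
# service, logindevperm, audit, nscd and pam.conf changes and refresh the
# boot archive.  Exits the method with SMF_EXIT_ERR_FATAL when /etc/system
# cannot be updated.
#
do_commonstart()
{
	echo "$0: Updating $ROOT_PATH/etc/system..."
	if [ ! -f "${ROOT_PATH}/etc/system" ]; then
		touch "${ROOT_PATH}/etc/system"
	fi

	# Set sys_labeling in etc/system.  The new contents are built in a
	# mktemp(1) file -- a fixed /tmp/etc.system.<pid> could be
	# pre-created or symlinked by another local user, and this method
	# runs with privilege -- and copied back so the file keeps its owner
	# and mode.
	tmpfile=`mktemp /tmp/etc.system.XXXXXX` || exit $SMF_EXIT_ERR_FATAL
	grep -v "sys_labeling=" "${ROOT_PATH}/etc/system" > "$tmpfile"
	echo "set sys_labeling=1" >> "$tmpfile"
	cp "$tmpfile" "${ROOT_PATH}/etc/system"
	rm -f "$tmpfile"
	if ! grep "set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1; then
		echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	# Setup dependent services
	do_otherservices

	do_logindev
	do_audit_devalloc
	do_nscd
	do_addpam

	do_bootupd
}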
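#
# do_servicetag_register ROOTDIR
#
# Register the Trusted Extensions service tag for ROOTDIR with stclient and
# save the instance id in the labeld/svctag_inst property of this service.
# A no-op when stclient is not installed or when a tag matching the saved
# instance id already exists; a stale saved id is dropped first.
#
do_servicetag_register()
{
	ROOTDIR=$1
	SOL_ARCH=`/sbin/uname -p`
	SOL_VERS=`/sbin/uname -r`
	TX_PROD_URN="urn:uuid:fc720df3-410f-11dc-9b8e-080020a9ed93"

	if [ ! -x /usr/bin/stclient ]; then
		return 0
	fi

	# if already registered then do nothing more here
	inst=`/usr/bin/svcprop -p labeld/svctag_inst "$SMF_FMRI" 2>/dev/null`
	if [ -n "$inst" ]; then
		# this instance id was saved in a SMF property
		if /usr/bin/stclient -g -i "$inst" -r "$ROOTDIR" >/dev/null 2>&1; then
			# matching service tag found, so do nothing
			return 0
		fi
		# no match for instance id saved in SMF property
		/usr/sbin/svccfg -s "$SMF_FMRI" delprop labeld/svctag_inst
		/usr/sbin/svcadm refresh "$SMF_FMRI"
	fi

	# fall through: no service tag, or does not match saved instance id

	# determine the urn of the parent (Solaris)
	SOL_PROD_URN=""
	case "$SOL_VERS" in
	5.11)
		SOL_PROD_URN="-F urn:uuid:6df19e63-7ef5-11db-a4bd-080020a9ed93"
		;;
	5.10)
		SOL_PROD_URN="-F urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113"
		;;
	esac

	# add the service tag.  SOL_PROD_URN is unquoted on purpose: it must
	# split into the "-F" option plus its argument, or expand to nothing.
	RC=`/usr/bin/stclient -a -p "Solaris Trusted Extensions" \
	    -e "$SOL_VERS" -t "$TX_PROD_URN" -P Solaris $SOL_PROD_URN \
	    -m Sun -A "$SOL_ARCH" -z global -S "$0" -r "$ROOTDIR"`
	if [ $? = 0 ]; then
		# save instance id in SMF property: the value after "=" on
		# the line of stclient's output that mentions the urn.
		inst=`echo "$RC" | grep -i urn | awk -F= '{print $2}'`
		/usr/sbin/svccfg -s "$SMF_FMRI" setprop \
		    labeld/svctag_inst = astring: "$inst"
		/usr/sbin/svcadm refresh "$SMF_FMRI"
	fi
}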
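#
# Delete the service tag whose instance id is saved in labeld/svctag_inst,
# then drop that property.  A no-op when stclient is not installed or no
# instance id was saved.
#
do_servicetag_delete()
{
	if [ ! -x /usr/bin/stclient ]; then
		return 0
	fi

	inst=`/usr/bin/svcprop -p labeld/svctag_inst "$SMF_FMRI" 2>/dev/null`
	if [ -n "$inst" ]; then
		# delete service tag
		/usr/bin/stclient -d -i "$inst"
		# delete saved instance id
		/usr/sbin/svccfg -s "$SMF_FMRI" delprop labeld/svctag_inst
		/usr/sbin/svcadm refresh "$SMF_FMRI"
	fi
}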
#
# Start /usr/lib/labeld.  When the labeld door is present and a root-owned
# labeld child of init is running, the daemon is considered up and the
# method fails rather than starting a second copy; otherwise any leftover
# door is removed before the new daemon is started.
#
daemon_start()
{
	if [ -r /var/tsol/doors/labeld ] &&
	    /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
		echo "$0: labeld is already running"
		exit $SMF_EXIT_ERR_FATAL
	fi
	/usr/bin/rm -f /var/tsol/doors/labeld
	/usr/lib/labeld
}
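PATH=/usr/sbin:/usr/bin; export PATH

#
# Method dispatch.  "start" on the live root refuses to run outside smf and
# refuses a temporary enable, starts the daemon when the system is already
# labeled, and otherwise enables Trusted Extensions (requires that no
# non-global zones exist).  "start" with -R prepares an alternate root for
# its next boot.  "stop" only kills the daemon on a restart; on a real
# disable it also undoes the system changes.
#
case "$1" in
'start')
	if [ -z "$ROOT_PATH" ] || [ "$ROOT_PATH" = "/" ]; then
		# native

		if [ -z "$SMF_FMRI" ]; then
			echo "$0: this script can only be invoked by smf(5)"
			exit $SMF_EXIT_ERR_NOSMF
		fi

		tx_enabled=`/usr/bin/svcprop -c -p general/enabled "$SMF_FMRI"`
		if [ "$tx_enabled" = "false" ]; then
			# A sign of trying temporary enablement...no-no
			echo "$0: Temporarily enabling Trusted Extensions is not allowed."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		if (smf_is_system_labeled); then
			do_servicetag_register /
			daemon_start
			exit $SMF_EXIT_OK
		fi

		# Make changes to enable Trusted Extensions
		if grep "^set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
			echo "$0: Must remove zones before enabling Trusted Extensions."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		do_commonstart

		do_servicetag_register /

		# start daemon process so our service doesn't go into
		# maintenance state
		daemon_start

		echo "$0: Started. Must reboot and configure Trusted Extensions."
	else
		# Support jumpstart etc

		# Make changes to enable Trusted Extensions
		if grep "^set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		# Setup dependent services
		cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\__TRUSTED_ENABLE
/usr/sbin/svcadm enable -s svc:/system/labeld:default
__TRUSTED_ENABLE

		do_commonstart
		do_servicetag_register "$ROOT_PATH"
		echo "$0: Started. Must configure Trusted Extensions before booting."
	fi
	;;

'stop')
	# general/enabled is still true on a plain restart; only a real
	# disable (false) tears Trusted Extensions down below.
	tx_enabled=`/usr/bin/svcprop -c -p general/enabled "$SMF_FMRI"`
	if [ "$tx_enabled" = "true" ]; then
		/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
		exit $SMF_EXIT_OK
	fi

	if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
		echo "$0: Must remove zones before disabling Trusted Extensions."
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# Stop Trusted services.
	/usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
	/usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null

	# Uncomment audio, usb, removable-media, and hotpluggable device
	# entries in /etc/logindevperm.
	rewrite_logindev "#" ""

	# Remove sys_labeling from /etc/system.  The new contents go through
	# a mktemp(1) file -- a fixed /tmp/etc.system.<pid> could be
	# pre-created or symlinked by another local user while this runs
	# with privilege -- and are copied back so the file keeps its owner
	# and mode.
	tmpfile=`mktemp /tmp/etc.system.XXXXXX` || exit $SMF_EXIT_ERR_FATAL
	grep -v "sys_labeling" "${ROOT_PATH}/etc/system" > "$tmpfile"
	cp "$tmpfile" "${ROOT_PATH}/etc/system"
	rm -f "$tmpfile"
	if grep "sys_labeling" "${ROOT_PATH}/etc/system" > /dev/null 2>&1; then
		echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	do_pamremove
	do_servicetag_delete

	do_bootupd

	/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
	echo "$0: Stopped. Will take effect at next boot."
	;;

*)
	echo "Usage: $0 { start | stop }"
	exit 1
	;;
esac

exit $SMF_EXIT_OK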