#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
26. /lib/svc/share/smf_include.sh
ROOT_PATH=""
# An optional "-R <rootpath>" pair may follow the method name to operate
# on an alternate root; "/" means the running system and is ignored.
if [ $# -gt 1 ]; then
	if [ $# -ne 3 ] || [ "$2" != "-R" ]; then
		echo "$0: invalid syntax"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	case "$3" in
	/)	;;
	*)	ROOT_PATH=$3 ;;
	esac
fi
# An alternate root is only accepted for the start method and must be
# an existing directory.
if [ -n "$ROOT_PATH" ]; then
	if [ "$1" != "start" ]; then
		echo "$0: invalid syntax: -R allowed for start method only"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	if [ ! -d "$ROOT_PATH" ]; then
		echo "$0: invalid -R rootpath dir specified"
		exit $SMF_EXIT_ERR_CONFIG
	fi
fi

# Trusted Extensions is configured from the global zone only.
if smf_is_nonglobalzone; then
	echo "$0: not supported in a local zone"
	exit $SMF_EXIT_ERR_CONFIG
fi
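rewrite_logindev()
{
	from="$1"
	to="$2"
	# Comment out audio, usb, removable-media, and hotpluggable device
	# entries in /etc/logindevperm ($from="" $to="#"), or restore them
	# ($from="#" $to="").
	LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
	if [ ! -f "$LOGINDEVPERM" ]; then
		return
	fi
	# The scratch copy is created by mktemp(1) instead of at the
	# predictable name /tmp/tmp.$$: this runs as root and ">" follows a
	# symlink, so a name anyone can pre-create in world-writable /tmp
	# would let the rewritten file land somewhere else.
	LOGINDEVTMP=`mktemp /tmp/logindevperm.XXXXXX` || return
	for line in \
		"/dev/sound/" \
		"/dev/removable-media/" \
		"/dev/hotpluggable/" \
		"/dev/usb/\[0-9a-f\]" \
			; do
		# An entry is "<console> <mode> <device-pattern> ...".  \1
		# captures the console and mode fields (non-blank run,
		# blanks, digits, blanks) so only the leading "$from" text
		# in front of them is exchanged for "$to".  The second
		# bracket expression used to read "[ <tab>}" -- a typo that
		# happened to still match -- and is now the intended
		# "[ <tab>]".
		sed -e "s!^$from\([^# 	]\{1,\}[ 	]\{1,\}[0-9]\{1,\}[ 	]\{1,\}\)$line!$to\1$line!" \
		    "$LOGINDEVPERM" > "$LOGINDEVTMP"
		# cp back (not mv) so the target keeps its owner and mode.
		cp "$LOGINDEVTMP" "$LOGINDEVPERM"
	done
	rm -f "$LOGINDEVTMP"
}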
# Comment out the audio, usb, removable-media and hotpluggable entries in
# logindevperm; the stop method undoes this with rewrite_logindev "#" "".
do_logindev() {
	rewrite_logindev "" "#"
}
do_otherservices()
{
	# Setup dependent services: queue the svcadm commands in the SMF
	# upgrade profile of the target root (tnd and tsol-zones are
	# enabled synchronously, rstat is not).
	UPGRADE_PROFILE=$ROOT_PATH/var/svc/profile/upgrade
	cat >> "$UPGRADE_PROFILE" <<'__ENABLE_OTHERS'
		/usr/sbin/svcadm enable -s svc:/network/tnd:default
		/usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
		/usr/sbin/svcadm enable svc:/network/rpc/rstat:default
__ENABLE_OTHERS
}
do_bsmconv()
{
	# Run bsmconv so device allocation is enabled by
	# default with Trusted Extensions.  BSMDIR is empty for the
	# running system and the alternate root otherwise.
	case "$ROOT_PATH" in
	""|/)	BSMDIR="" ;;
	*)	BSMDIR=$ROOT_PATH ;;
	esac
	echo "Running bsmconv ..."
	# The localized "y" is fed to the target root's bsmconv on stdin,
	# and the root path is passed as its argument.
	echo `TEXTDOMAIN="SUNW_OST_OSCMD" gettext "y"` | \
	    $ROOT_PATH/etc/security/bsmconv $ROOT_PATH
	# Run auditd so auditing is enabled by default with Trusted
	# Extensions: queued in the upgrade profile for an alternate root,
	# started right away on the running system.
	if [ -n "$BSMDIR" ]; then
		cat >> $ROOT_PATH/var/svc/profile/upgrade <<'_ENABLE_AUDITD'
			/usr/sbin/audit -s
_ENABLE_AUDITD
	else
		echo "Starting auditd ..."
		/usr/sbin/audit -s
	fi
}
do_nscd()
{
	# For Trusted Extensions, make nscd service transient in local zones.
	# The snippet below is appended verbatim to the SMF upgrade profile
	# of the target root; the quoted delimiter keeps $nscd and the
	# backticks from being expanded here.
	cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<'_DEL_LOCAL_NSCD'
	if [ `/sbin/zonename` != "global" ]; then
		nscd="svc:/system/name-service-cache"
		duration=""
		if /bin/svcprop -q -c -p startd/duration $nscd ; then
			duration=`/bin/svcprop -c -p startd/duration $nscd`
		fi
		if [ "$duration" != "transient" ]; then
			/usr/sbin/svccfg -s $nscd addpg startd framework
			/usr/sbin/svccfg -s $nscd setprop \
			    startd/duration = astring: transient
			/usr/sbin/svccfg -s $nscd setprop stop/exec = :true
			/usr/sbin/svcadm refresh $nscd
		fi
	fi
_DEL_LOCAL_NSCD
}
do_bootupd()
{
	# Rebuild the boot archive of the target root, if it has one;
	# bootadm is pointed at the alternate root with -R when needed.
	BOOT_ARCHIVE=$ROOT_PATH/platform/`/sbin/uname -m`/boot_archive
	if [ ! -f "$BOOT_ARCHIVE" ]; then
		return
	fi
	case "$ROOT_PATH" in
	""|/)	/sbin/bootadm update-archive ;;
	*)	/sbin/bootadm update-archive -R $ROOT_PATH ;;
	esac
}
setup_tx_changes()
{
	#
	# Write the Trusted Extensions pam.conf additions to ${TX_ENTRIES}
	# (set by the caller).  do_addpam reads the file line by line as
	# whitespace-separated fields, so no comments or blank lines are
	# allowed in the entries below.
	#
	cat > "${TX_ENTRIES}" <<'EOF'
dtlogin		account		requisite	pam_roles.so.1
dtlogin		account		required	pam_unix_account.so.1
dtsession	account		requisite	pam_roles.so.1
dtsession	account		required	pam_unix_account.so.1
gdm		account		requisite	pam_roles.so.1
gdm		account		required	pam_unix_account.so.1
xscreensaver	account		requisite	pam_roles.so.1
xscreensaver	account		required	pam_unix_account.so.1
passwd		account		requisite	pam_roles.so.1
passwd		account		required	pam_unix_account.so.1
dtpasswd	account		requisite	pam_roles.so.1
dtpasswd	account		required	pam_unix_account.so.1
tsoljds-tstripe	account		requisite	pam_roles.so.1
tsoljds-tstripe	account		required	pam_unix_account.so.1
other		account		required	pam_tsol_account.so.1
EOF
}
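do_addpam()
{
	PAM_TMP=/tmp/pam_conf.$$
	TX_ENTRIES=$PAM_TMP/sct.$$
	PAM_DEST=$ROOT_PATH/etc/pam.conf
	# The entries to be appended are collected inside PAM_TMP, a
	# directory this function creates itself (mkdir fails rather than
	# following anything pre-created at that name), instead of at the
	# predictable /tmp/pamconf.$$, where ">>" would follow a symlink
	# planted in world-writable /tmp and append as root elsewhere.
	PAM_NEW=$PAM_TMP/pamconf.$$

	# verify that pam.conf file exists... (checked before any scratch
	# space is created, so aborting here leaves nothing behind)
	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		exit $SMF_EXIT_ERR_FATAL
	fi

	mkdir "$PAM_TMP"  || exit $SMF_EXIT_ERR_FATAL
	setup_tx_changes

	#
	# Update pam.conf to append Trusted Extensions entries if not
	# already present.
	#
	while read e1 e2 e3 e4 e5
	do
		if [ "$e1" = "other" ]; then
			# The 'other' entry is added unless this exact
			# service/type/control/module line already exists
			# (commented out or not).
			pattern="^[# 	]*$e1[ 	][ 	]*$e2[ 	][ 	]*$e3[ 	][ 	]*$e4"
		else
			# Other entries are added unless the service already
			# has a stack of its own for that module type.
			pattern="^[# 	]*$e1[ 	][ 	]*$e2[ 	]"
		fi
		grep "$pattern" "$PAM_DEST" >/dev/null 2>&1
		# Only a definite "no match" (status 1) adds the entry; a
		# grep error (status 2) deliberately leaves pam.conf alone.
		if [ $? -eq 1 ]; then
			# printf, not echo: "\t" in an echo argument is a tab
			# in some shells and two literal characters in others.
			printf '%s\t%s %s\t\t%s %s\n' "$e1" "$e2" "$e3" "$e4" "$e5" \
			    >> "$PAM_NEW"
		fi
	done < "${TX_ENTRIES}"

	# Append TX lines if any were not present already.
	if [ -f "$PAM_NEW" ] ; then
		echo "# Entries for Trusted Extensions" >> "$PAM_DEST"
		cat "$PAM_NEW" >> "$PAM_DEST"
		echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
		echo "$0: please examine/update any new entries"
	fi

	rm -rf "$PAM_TMP"
}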
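do_pamremove()
{
	PAM_TMP=/tmp/pam_conf.$$
	PAM_DEST=$ROOT_PATH/etc/pam.conf
	TMPFILE=$PAM_TMP/pam.conf

	# verify that pam.conf file exists...
	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		exit $SMF_EXIT_ERR_FATAL
	fi

	# Only active (uncommented) pam_tsol_account entries count as
	# "present".
	grep '^[a-z].*pam_tsol_account' "$PAM_DEST" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		echo "$0: pam_tsol_account module not present,"
		echo "$0: No changes were made to $PAM_DEST."
		return
	fi

	# The scratch directory is created only once there is work to do,
	# so the early returns above no longer leave /tmp/pam_conf.$$
	# behind (the original created it first and never removed it on
	# those paths).
	mkdir "$PAM_TMP"  || exit $SMF_EXIT_ERR_FATAL

	# Drop every line mentioning pam_tsol_account (commented ones too)
	# and copy the result back over pam.conf, keeping its owner/mode.
	grep -v pam_tsol_account "$PAM_DEST" > "$TMPFILE"
	echo "$0: $PAM_DEST tsol entries removed"
	cp "$TMPFILE" "$PAM_DEST"

	rm -rf "$PAM_TMP"
}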
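do_commonstart()
{
	# Shared "start" work for the native and -R cases: force
	# "set sys_labeling=1" into etc/system of the target root, then run
	# the other setup steps (upgrade-profile entries, logindevperm,
	# bsmconv, nscd, pam.conf, boot archive).
	echo "$0: Updating $ROOT_PATH/etc/system..."
	if [ ! -f "${ROOT_PATH}/etc/system" ]; then
		touch "${ROOT_PATH}/etc/system"
	fi

	# Set sys_labeling in etc/system: drop any existing sys_labeling=
	# line and append the enabling one.  The rewritten copy is staged
	# in a mktemp(1) file instead of at the predictable name
	# /tmp/etc.system.$$: this runs as root, ">" follows a symlink
	# planted in world-writable /tmp, and mv would have renamed such a
	# symlink into place as etc/system.  It is copied back so the
	# target keeps its owner and mode.
	SYSTMP=`mktemp /tmp/etc.system.XXXXXX` || exit $SMF_EXIT_ERR_FATAL
	grep -v "sys_labeling=" "${ROOT_PATH}/etc/system" > "$SYSTMP"
	echo "set sys_labeling=1" >> "$SYSTMP"
	cp "$SYSTMP" "${ROOT_PATH}/etc/system"
	rm -f "$SYSTMP"
	grep "set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	# Setup dependent services
	do_otherservices

	do_logindev
	do_bsmconv
	do_nscd
	do_addpam

	do_bootupd
}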
do_servicetag_register()
{
	# Register a "Solaris Trusted Extensions" service tag for the root
	# given as $1 and remember the tag's instance id in the
	# labeld/svctag_inst SMF property so later starts can find it.
	# Nothing is done when the service tag client is not installed.
	if [ ! -x /usr/bin/stclient ]; then
		return
	fi

	ROOTDIR=$1
	SOL_ARCH=`/sbin/uname -p`
	SOL_VERS=`/sbin/uname -r`
	TX_PROD_URN="urn:uuid:fc720df3-410f-11dc-9b8e-080020a9ed93"

	# if already registered then do nothing more here
	inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
	if [ -n "$inst" ]; then
		# An instance id was saved in a SMF property earlier; if the
		# matching service tag is still there, we are done.
		if /usr/bin/stclient -g -i $inst -r $ROOTDIR >/dev/null 2>&1; then
			return
		fi
		# Stale id: drop the property and fall through to register
		# a fresh tag.
		/usr/sbin/svccfg -s $SMF_FMRI delprop \
		    labeld/svctag_inst
		/usr/sbin/svcadm refresh $SMF_FMRI
	fi

	# Product URN of the parent (Solaris) release, passed to stclient
	# as "-F <urn>"; empty (and deliberately unquoted below) when the
	# release is not one we know.
	case $SOL_VERS in
	5.11)	SOL_PROD_URN="-F urn:uuid:6df19e63-7ef5-11db-a4bd-080020a9ed93" ;;
	5.10)	SOL_PROD_URN="-F urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113" ;;
	*)	SOL_PROD_URN="" ;;
	esac

	# add the service tag
	RC=`/usr/bin/stclient -a -p "Solaris Trusted Extensions"	\
	    -e $SOL_VERS -t $TX_PROD_URN -P Solaris $SOL_PROD_URN	\
	    -m Sun -A $SOL_ARCH -z global -S $0 -r $ROOTDIR`
	if [ $? -ne 0 ]; then
		return
	fi
	# save instance id in SMF property: it is the value after "=" on
	# the "urn" line of stclient's output
	inst=`echo "$RC" | grep -i urn|awk -F=  '{print $2}'`
	/usr/sbin/svccfg -s $SMF_FMRI setprop \
	    labeld/svctag_inst = astring: "$inst"
	/usr/sbin/svcadm refresh $SMF_FMRI
}
do_servicetag_delete()
{
	# Remove the service tag recorded by do_servicetag_register and
	# forget its instance id (labeld/svctag_inst).  Nothing to do when
	# the service tag client is not installed or no id was saved.
	if [ ! -x /usr/bin/stclient ]; then
		return
	fi

	inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
	if [ -z "$inst" ]; then
		return
	fi

	# delete service tag
	/usr/bin/stclient -d -i $inst
	# delete saved instance id
	/usr/sbin/svccfg -s $SMF_FMRI delprop labeld/svctag_inst
	/usr/sbin/svcadm refresh $SMF_FMRI
}
daemon_start()
{
	# If a labeld door exists, check for a labeld process and exit
	# if the daemon is already running.
	if [ -r /var/tsol/doors/labeld ] &&
	    /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
		echo "$0: labeld is already running"
		exit $SMF_EXIT_ERR_FATAL
	fi
	# No live daemon: clear any stale door and start labeld.
	/usr/bin/rm -f /var/tsol/doors/labeld
	/usr/lib/labeld
}
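PATH=/usr/sbin:/usr/bin; export PATH

#
# Method dispatch.  "start" enables Trusted Extensions on the running
# system (or, with -R, prepares an alternate root) and starts labeld;
# "stop" reverts the configuration changes.  ROOT_PATH was validated
# above.
#
case "$1" in
'start')
	if [ -z "$ROOT_PATH" ] || [ "$ROOT_PATH" = "/" ]; then
		# native

		if [ -z "$SMF_FMRI" ]; then
			echo "$0: this script can only be invoked by smf(5)"
			exit $SMF_EXIT_ERR_NOSMF
		fi

		tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
		if [ "$tx_enabled" = "false" ]; then
			# A sign of trying temporary enablement...no-no
			echo "$0: Temporarily enabling Trusted Extensions is not allowed."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		if (smf_is_system_labeled); then
			# Already labeled: just make sure the service tag is
			# registered and the daemon is running.
			do_servicetag_register /
			daemon_start
			exit $SMF_EXIT_OK
		fi

		# Make changes to enable Trusted Extensions
		grep "^set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
			echo "$0: Must remove zones before enabling Trusted Extensions."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		do_commonstart

		do_servicetag_register /

		# start daemon process so our service doesn't go into
		# maintenance state
		daemon_start

		echo "$0: Started.  Must reboot and configure Trusted Extensions."
	else
		# Support jumpstart etc

		# Make changes to enable Trusted Extensions
		grep "^set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		# Setup dependent services
		cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\__TRUSTED_ENABLE
			/usr/sbin/svcadm enable -s svc:/system/labeld:default
__TRUSTED_ENABLE

		do_commonstart
		do_servicetag_register "$ROOT_PATH"
		echo "$0: Started.  Must configure Trusted Extensions before booting."
	fi
	;;

'stop')
	tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
	if [ "$tx_enabled" = "true" ]; then
		# general/enabled is still true: only the daemon is stopped
		# and the configuration is left in place.
		/usr/bin/pkill -x -u 0 -P 1 -z "`smf_zonename`" labeld
		exit $SMF_EXIT_OK
	fi

	if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
		echo "$0: Must remove zones before disabling Trusted Extensions."
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# Stop Trusted services.
	/usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
	/usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null

	# Uncomment audio, usb, removable-media, and hotpluggable device
	# entries in /etc/logindevperm.
	rewrite_logindev "#" ""

	# Remove sys_labeling from /etc/system.  The filtered copy is
	# staged in a mktemp(1) file instead of at the predictable name
	# /tmp/etc.system.$$: this runs as root, ">" follows a symlink
	# planted in world-writable /tmp, and mv would have renamed such a
	# symlink into place as /etc/system.  It is copied back so
	# /etc/system keeps its owner and mode.
	SYSTMP=`mktemp /tmp/etc.system.XXXXXX` || exit $SMF_EXIT_ERR_FATAL
	grep -v "sys_labeling" "${ROOT_PATH}/etc/system" > "$SYSTMP"
	cp "$SYSTMP" "${ROOT_PATH}/etc/system"
	rm -f "$SYSTMP"
	grep "sys_labeling" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
	if [ $? -eq 0 ]; then
		echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	do_pamremove
	do_servicetag_delete

	do_bootupd

	/usr/bin/pkill -x -u 0 -P 1 -z "`smf_zonename`" labeld
	echo "$0: Stopped.  Will take effect at next boot."
	;;

*)
	echo "Usage: $0 { start | stop }"
	exit 1
	;;
esac

exit $SMF_EXIT_OK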