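#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
#
# SMF method for the Trusted Extensions label daemon (labeld).
#
#   start [-R rootpath]  enable Trusted Extensions: set sys_labeling in
#                        etc/system, add the TX pam.conf stack, comment
#                        out removable/audio/usb entries in logindevperm,
#                        queue dependent services, register a service
#                        tag and (native only) start labeld.  With -R
#                        the edits go under an alternate root (jumpstart)
#                        and nothing is started.
#   stop                 undo those edits and stop labeld.
#
# Review notes (security):
#   - This method runs as root.  Every scratch file is created with
#     mktemp(1) (O_EXCL, mode 0600) rather than the fixed names
#     /tmp/tmp.$$, /tmp/pamconf.$$, /tmp/etc.system.$$ and the mkdir'd
#     /tmp/pam_conf.$$ used before: $$ is guessable, so a local user could
#     plant a symlink at that name and have the root-owned write land on an
#     arbitrary file (CWE-377/CWE-59), or pre-create the directory so that
#     "mkdir || exit" drove the service into maintenance.
#   - Scratch files are removed on every return path (the old
#     do_pamremove leaked its directory when pam_tsol_account was absent).
#   - Written for /sbin/sh: backticks, no "local", no "read -r", no $(...).
#

. /lib/svc/share/smf_include.sh

# pam.conf and logindevperm fields are blank-separated (tabs in the
# shipped files).  Build a "space or tab" bracket expression once so every
# pattern below matches both, and so the tab cannot be lost to an editor
# that rewrites whitespace.  The previous logindevperm pattern contained an
# unclosed bracket expression ("[ }\{1,\}[0-9]"), which this replaces.
TAB=`/usr/bin/printf '\t'`
WS="[ $TAB]"

ROOT_PATH=""
if [ $# -gt 1 ]; then
	if [ $# -ne 3 -o "$2" != "-R" ]; then
		echo "$0: invalid syntax"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	if [ "$3" != "/" ]; then
		ROOT_PATH=$3
	fi
fi
if [ -n "$ROOT_PATH" -a "$1" != "start" ]; then
	echo "$0: invalid syntax: -R allowed for start method only"
	exit $SMF_EXIT_ERR_CONFIG
fi
if [ -n "$ROOT_PATH" -a ! -d "$ROOT_PATH" ]; then
	echo "$0: invalid -R rootpath dir specified"
	exit $SMF_EXIT_ERR_CONFIG
fi

if smf_is_nonglobalzone; then
	echo "$0: not supported in a local zone"
	exit $SMF_EXIT_ERR_CONFIG
fi

#
# rewrite_logindev FROM TO
#	Rewrite $ROOT_PATH/etc/logindevperm, replacing a leading FROM with TO
#	on the audio, usb, removable-media and hotpluggable entries.
#	FROM="" TO="#" comments them out; FROM="#" TO="" restores them.
#	Each entry is "<console> <mode> <device-pattern> ..."; the first two
#	fields and their separators are captured as \1 and re-emitted.
#	The file is copied back only when sed succeeded, so a failing sed
#	cannot truncate the live file.  Exits FATAL if no scratch file can
#	be created.
#
rewrite_logindev()
{
	from="$1"
	to="$2"
	LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
	if [ ! -f "$LOGINDEVPERM" ]; then
		return
	fi
	tmp=`/usr/bin/mktemp /tmp/logindevperm.XXXXXX` || \
	    exit $SMF_EXIT_ERR_FATAL
	for line in \
	    "/dev/sound/" \
	    "/dev/removable-media/" \
	    "/dev/hotpluggable/" \
	    "/dev/usb/\[0-9a-f\]" \
	    ; do
		sed -e "s!^$from\([^# $TAB]\{1,\}${WS}\{1,\}[0-9]\{1,\}${WS}\{1,\}\)$line!$to\1$line!" \
		    "$LOGINDEVPERM" > "$tmp" && cp "$tmp" "$LOGINDEVPERM"
	done
	rm -f "$tmp"
}

# Comment out the device entries that must not be handed to console users
# under Trusted Extensions (device allocation takes over).
do_logindev()
{
	rewrite_logindev "" "#"
}

# Queue the dependent services in the upgrade profile; they are enabled on
# the next boot.  The heredoc delimiter is escaped, so nothing expands here.
do_otherservices()
{
	cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\__ENABLE_OTHERS
	/usr/sbin/svcadm enable -s svc:/network/tnd:default
	/usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
	/usr/sbin/svcadm enable svc:/network/rpc/rstat:default
__ENABLE_OTHERS

}

#
# do_audit_devalloc
#	Auditing and device allocation are mandatory with TX.  Native
#	(no -R): enable them now.  Alternate root: queue them for next boot.
#
do_audit_devalloc()
{
	if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
		/usr/sbin/svcadm enable -s svc:/system/device/allocate:default
		echo "Starting auditd ..."
		/usr/sbin/audit -s
	else
		cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\_ENABLE_AUDITD
	/usr/sbin/audit -s
	/usr/sbin/svcadm enable -s svc:/system/device/allocate:default
_ENABLE_AUDITD
	fi
}

#
# do_nscd
#	Queue a snippet that, when run inside a non-global zone, makes the
#	name-service-cache service transient.  The snippet is literal (escaped
#	delimiter) and runs later from the upgrade profile, not here.
#
do_nscd()
{
	cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\_DEL_LOCAL_NSCD
	if [ `/sbin/zonename` != "global" ]; then
		nscd="svc:/system/name-service-cache"
		duration=""
		if /bin/svcprop -q -c -p startd/duration $nscd ; then
			duration=`/bin/svcprop -c -p startd/duration $nscd`
		fi
		if [ "$duration" != "transient" ]; then
			/usr/sbin/svccfg -s $nscd addpg startd framework
			/usr/sbin/svccfg -s $nscd setprop \
			    startd/duration = astring: transient
			/usr/sbin/svccfg -s $nscd setprop stop/exec = :true
			/usr/sbin/svcadm refresh $nscd
		fi
	fi
_DEL_LOCAL_NSCD
}

# Refresh the boot archive (under $ROOT_PATH when given) so the etc/system
# change is picked up at the next boot.  Skipped if no archive exists.
do_bootupd()
{
	if [ -f "$ROOT_PATH/platform/`/sbin/uname -m`/boot_archive" ]; then
		if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
			/sbin/bootadm update-archive
		else
			/sbin/bootadm update-archive -R "$ROOT_PATH"
		fi
	fi
}

#
# setup_tx_changes
#	Write the pam.conf lines TX needs into ${TX_ENTRIES} (set by the
#	caller).  One entry per line, five blank-separated fields; no
#	comments or blank lines, since do_addpam reads them with "read".
#
setup_tx_changes(){
cat > "${TX_ENTRIES}" << EOF
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_unix_account.so.1
dtsession account requisite pam_roles.so.1
dtsession account required pam_unix_account.so.1
gdm account requisite pam_roles.so.1
gdm account required pam_unix_account.so.1
xscreensaver account requisite pam_roles.so.1
xscreensaver account required pam_unix_account.so.1
passwd account requisite pam_roles.so.1
passwd account required pam_unix_account.so.1
dtpasswd account requisite pam_roles.so.1
dtpasswd account required pam_unix_account.so.1
tsoljds-tstripe account requisite pam_roles.so.1
tsoljds-tstripe account required pam_unix_account.so.1
other account required pam_tsol_account.so.1
EOF
}

#
# do_addpam
#	Append the TX entries to $ROOT_PATH/etc/pam.conf that are not already
#	there.  The "other" line is added unless that exact module line
#	exists; any other service is added only if it has no account stack
#	of its own yet.  A commented-out line ("^[# ]*") counts as present,
#	so an administrator's deliberate removal is respected.  grep exit 2
#	(read error) is treated like "present" and the entry is skipped, as
#	before.  Exits FATAL if pam.conf is missing or no scratch dir can be
#	made.
#
do_addpam()
{
	PAM_DEST=$ROOT_PATH/etc/pam.conf
	PAM_TMP=`/usr/bin/mktemp -d /tmp/pam_conf.XXXXXX` || \
	    exit $SMF_EXIT_ERR_FATAL
	TX_ENTRIES=$PAM_TMP/sct
	PAM_NEW=$PAM_TMP/pamconf

	setup_tx_changes

	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		rm -rf "$PAM_TMP"
		exit $SMF_EXIT_ERR_FATAL
	fi

	# No "read -r" under /sbin/sh; the entries contain no backslashes.
	while read e1 e2 e3 e4 e5
	do
		if [ "$e1" = "other" ]; then
			pat="^[# $TAB]*$e1${WS}${WS}*$e2${WS}${WS}*$e3${WS}${WS}*$e4"
		else
			pat="^[# $TAB]*$e1${WS}${WS}*$e2${WS}"
		fi
		grep "$pat" "$PAM_DEST" > /dev/null 2>&1
		if [ $? = 1 ]; then
			# Not present: "svc<TAB>type module<TAB><TAB>path flags",
			# the same layout the Bourne-shell echo produced.
			/usr/bin/printf '%s\t%s %s\t\t%s %s\n' \
			    "$e1" "$e2" "$e3" "$e4" "$e5" >> "$PAM_NEW"
		fi
	done < "${TX_ENTRIES}"

	if [ -f "$PAM_NEW" ]; then
		echo "# Entries for Trusted Extensions" >> "$PAM_DEST"
		cat "$PAM_NEW" >> "$PAM_DEST"
		echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
		echo "$0: please examine/update any new entries"
	fi

	rm -rf "$PAM_TMP"
}

#
# do_pamremove
#	Strip every pam_tsol_account line from $ROOT_PATH/etc/pam.conf.
#	Nothing is changed when no active (uncommented) pam_tsol_account
#	entry exists.  The scratch directory is removed on every path.
#
do_pamremove()
{
	PAM_DEST=$ROOT_PATH/etc/pam.conf

	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		exit $SMF_EXIT_ERR_FATAL
	fi

	grep '^[a-z].*pam_tsol_account' "$PAM_DEST" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		echo "$0: pam_tsol_account module not present,"
		echo "$0: No changes were made to $PAM_DEST."
		return
	fi

	PAM_TMP=`/usr/bin/mktemp -d /tmp/pam_conf.XXXXXX` || \
	    exit $SMF_EXIT_ERR_FATAL
	TMPFILE=$PAM_TMP/pam.conf

	# cp onto the existing file keeps pam.conf's owner and mode.
	grep -v pam_tsol_account "$PAM_DEST" > "$TMPFILE" && \
	    cp "$TMPFILE" "$PAM_DEST" && \
	    echo "$0: $PAM_DEST tsol entries removed"

	rm -rf "$PAM_TMP"
}

#
# rewrite_etc_system PATTERN [LINE]
#	Rewrite $ROOT_PATH/etc/system without the lines matching PATTERN
#	(a grep BRE), appending LINE when it is non-empty, and rename the
#	result into place.  mktemp creates the scratch file 0600; it is
#	chmod'ed to 0644, which is what the old umask-created scratch file
#	carried into /etc/system under the usual 022 umask.  Exits FATAL if
#	no scratch file can be created.
#
rewrite_etc_system()
{
	sysfile=${ROOT_PATH}/etc/system
	tmp=`/usr/bin/mktemp /tmp/etc.system.XXXXXX` || \
	    exit $SMF_EXIT_ERR_FATAL
	grep -v "$1" "$sysfile" > "$tmp"
	if [ -n "$2" ]; then
		echo "$2" >> "$tmp"
	fi
	chmod 644 "$tmp"
	mv "$tmp" "$sysfile"
}

#
# do_commonstart
#	The enable steps shared by the native and -R paths: set
#	sys_labeling=1 in etc/system (verified afterwards), then the
#	service, logindevperm, audit, nscd, pam.conf and boot-archive steps.
#
do_commonstart()
{
	echo "$0: Updating $ROOT_PATH/etc/system..."
	if [ ! -f "${ROOT_PATH}/etc/system" ]; then
		touch "${ROOT_PATH}/etc/system"
	fi

	rewrite_etc_system "sys_labeling=" "set sys_labeling=1"
	grep "set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	do_otherservices

	do_logindev
	do_audit_devalloc
	do_nscd
	do_addpam

	do_bootupd
}

#
# do_servicetag_register ROOTDIR
#	Register a "Solaris Trusted Extensions" service tag under ROOTDIR
#	and remember its instance id in the labeld/svctag_inst property.
#	A saved id that stclient still knows is left alone; a stale one is
#	dropped and a new tag added.  No-op when stclient is not installed.
#
do_servicetag_register()
{
	ROOTDIR=$1
	SOL_ARCH=`/sbin/uname -p`
	SOL_VERS=`/sbin/uname -r`
	TX_PROD_URN="urn:uuid:fc720df3-410f-11dc-9b8e-080020a9ed93"

	if [ ! -x /usr/bin/stclient ]; then
		return
	fi

	inst=`/usr/bin/svcprop -p labeld/svctag_inst "$SMF_FMRI" 2>/dev/null`
	if [ -n "$inst" ]; then
		if /usr/bin/stclient -g -i "$inst" -r "$ROOTDIR" >/dev/null 2>&1
		then
			# matching service tag found, nothing to do
			return
		fi
		# saved instance id no longer matches a tag: forget it
		/usr/sbin/svccfg -s "$SMF_FMRI" delprop labeld/svctag_inst
		/usr/sbin/svcadm refresh "$SMF_FMRI"
	fi

	# parent (Solaris) product urn; deliberately left empty for other
	# releases and passed unquoted below because it carries its own "-F"
	SOL_PROD_URN=""
	case $SOL_VERS in
	5.11)
		SOL_PROD_URN="-F urn:uuid:6df19e63-7ef5-11db-a4bd-080020a9ed93"
		;;
	5.10)
		SOL_PROD_URN="-F urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113"
		;;
	esac

	RC=`/usr/bin/stclient -a -p "Solaris Trusted Extensions" \
	    -e "$SOL_VERS" -t "$TX_PROD_URN" -P Solaris $SOL_PROD_URN \
	    -m Sun -A "$SOL_ARCH" -z global -S "$0" -r "$ROOTDIR"`
	if [ $? = 0 ]; then
		inst=`echo "$RC" | grep -i urn | awk -F= '{print $2}'`
		/usr/sbin/svccfg -s "$SMF_FMRI" setprop \
		    labeld/svctag_inst = astring: "$inst"
		/usr/sbin/svcadm refresh "$SMF_FMRI"
	fi
}

# Delete the service tag recorded in labeld/svctag_inst (if any) and the
# property itself.  No-op when stclient is not installed.
do_servicetag_delete()
{
	if [ ! -x /usr/bin/stclient ]; then
		return
	fi

	inst=`/usr/bin/svcprop -p labeld/svctag_inst "$SMF_FMRI" 2>/dev/null`

	if [ -n "$inst" ]; then
		/usr/bin/stclient -d -i "$inst"
		/usr/sbin/svccfg -s "$SMF_FMRI" delprop labeld/svctag_inst
		/usr/sbin/svcadm refresh "$SMF_FMRI"
	fi
}

#
# daemon_start
#	Start /usr/lib/labeld.  If its door already exists and a root-owned
#	labeld parented by init is running, refuse (FATAL) rather than start
#	a second copy; otherwise remove the stale door first.
#
daemon_start()
{
	if [ -r /var/tsol/doors/labeld ]; then
		if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
			echo "$0: labeld is already running"
			exit $SMF_EXIT_ERR_FATAL
		fi
	fi
	/usr/bin/rm -f /var/tsol/doors/labeld
	/usr/lib/labeld
}

PATH=/usr/sbin:/usr/bin; export PATH

case "$1" in
'start')
	if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
		# native: must run under smf(7)

		if [ -z "$SMF_FMRI" ]; then
			echo "$0: this script can only be invoked by smf(7)"
			exit $SMF_EXIT_ERR_NOSMF
		fi

		# general/enabled=false while starting means "svcadm enable -t";
		# a temporary enable of TX is refused.
		tx_enabled=`/usr/bin/svcprop -c -p general/enabled "$SMF_FMRI"`
		if [ "$tx_enabled" = "false" ]; then
			echo "$0: Temporarily enabling Trusted Extensions is not allowed."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		# already labeled: only the daemon (and tag) are needed
		if (smf_is_system_labeled); then
			do_servicetag_register /
			daemon_start
			exit $SMF_EXIT_OK
		fi

		grep "^set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
			echo "$0: Must remove zones before enabling Trusted Extensions."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		do_commonstart

		do_servicetag_register /

		# start the daemon so the service does not fall into maintenance
		daemon_start

		echo "$0: Started. Must reboot and configure Trusted Extensions."
	else
		# alternate root (jumpstart etc.): edit files, start nothing

		grep "^set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\__TRUSTED_ENABLE
	/usr/sbin/svcadm enable -s svc:/system/labeld:default
__TRUSTED_ENABLE

		do_commonstart
		do_servicetag_register "$ROOT_PATH"
		echo "$0: Started. Must configure Trusted Extensions before booting."
	fi
	;;

'stop')
	# general/enabled still true means a restart, not a disable:
	# just stop the daemon and keep the configuration.
	tx_enabled=`/usr/bin/svcprop -c -p general/enabled "$SMF_FMRI"`
	if [ "$tx_enabled" = "true" ]; then
		/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
		exit $SMF_EXIT_OK
	fi

	if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
		echo "$0: Must remove zones before disabling Trusted Extensions."
		exit $SMF_EXIT_ERR_CONFIG
	fi

	/usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
	/usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null

	# restore the device entries commented out by do_logindev
	rewrite_logindev "#" ""

	# drop every sys_labeling line (the stop pattern is intentionally
	# broader than the start one) and verify none survived
	rewrite_etc_system "sys_labeling" ""
	grep "sys_labeling" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
	if [ $? -eq 0 ]; then
		echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	do_pamremove
	do_servicetag_delete

	do_bootupd

	/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
	echo "$0: Stopped. Will take effect at next boot."
	;;

*)
	echo "Usage: $0 { start | stop }"
	exit 1
	;;
esac

exit $SMF_EXIT_OK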