1#!/bin/ksh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23# Use is subject to license terms.
24#
25#
26
27# This script provides a simple GUI for managing labeled zones.
28# It takes no arguments, but provides contextual menus which
29# provide appropriate choices. It must be run in the global
30# zone as root.
31
# Name-service mode: NSCD_PER_LABEL is 1 when the nscd-per-label
# indicator file exists, 0 otherwise (manageNscd toggles it).
NSCD_PER_LABEL=0
NSCD_INDICATOR="/var/tsol/doors/nscd_per_label"
export NSCD_PER_LABEL NSCD_INDICATOR
[[ -f $NSCD_INDICATOR ]] && NSCD_PER_LABEL=1
export PATH=/usr/bin:/usr/sbin:/usr/lib
title="Labeled Zone Manager"
# Highest label of the installed encodings; fall back to a fixed default
# when chk_encodings cannot report one.
maxlabel=$(chk_encodings -X 2>/dev/null)
[[ -z $maxlabel ]] && maxlabel=0x000a-08-f8
zonename=""
export zonename
# Scratch file for zonecfg command batches. NOTE(review): the name is
# predictable and the file is written by root; the helpers that use it
# would be safer with a mktemp-created file.
config=/tmp/zfg.$$
48
# Offer the "Zone Console..." menu entry unless a "zlogin -C" console
# for $zonename is already running.
# Globals: zonename (read); console (written when no console is found);
#          zconsole (pids of a running console, if any)
consoleCheck() {
	zconsole=$(pgrep -f "zlogin -C $zonename") || \
	    console="Zone Console...\n"
}
55
# Look up $zonename's hex label in tnzonecfg. A labeled zone gets its
# human-readable label in curlabel; an unlabeled one gets the
# "Select Label..." menu entry and a "..." placeholder.
# Globals: zonename (read); hexlabel, label, curlabel (written)
labelCheck() {
	hexlabel=$(/bin/grep "^$zonename:" \
	    /etc/security/tsol/tnzonecfg | cut -d ":" -f2)
	if [[ -z $hexlabel ]]; then
		label="Select Label...\n"
		curlabel=...
	else
		label=
		curlabel=$(hextoalabel "$hexlabel")
	fi
}
67
# Build the list of zones other than $zonename that could serve as a
# copy/clone source, and enable the Copy/Clone menu entries if any.
# Globals: zonename (read); zonelist, copy, clone (written)
copyCheck() {
	zonelist=""
	for p in $(zoneadm list -ip); do
		# second colon-separated field of "id:name:state:path:..."
		q=${p#*:}
		q=${q%%:*}
		[[ $q != "$zonename" ]] && zonelist="$zonelist $q"
	done
	if [[ -n $zonelist ]]; then
		copy="Copy...\n"
		clone="Clone\n"
	fi
}
81
# Decide which relabeling toggle to offer: a zone whose limitpriv
# already contains win_mac_write gets "Deny", any other gets "Permit".
# Globals: zonename (read); macstate, permitrelabel (written)
relabelCheck() {
	macstate=$(zonecfg -z "$zonename" info | grep win_mac_write)
	if [[ -z $macstate ]]; then
		permitrelabel="Permit Relabeling\n"
	else
		permitrelabel="Deny Relabeling\n"
	fi
}
90
# Let the administrator pick a sensitivity label for $zonename among
# the labels (up to $maxlabel) that no zone already uses, and record
# the choice in tnzonecfg. Shows an error dialog when the chosen label
# cannot be converted back to hex.
# Globals: zonename, maxlabel, title (read)
selectLabel() {
	labelList=""
	for p in $(lslabels -h $maxlabel); do
		# grep fails when no tnzonecfg entry carries this hex label,
		# i.e. the label is still free.
		hexlabel=$(/bin/grep ":$p:" /etc/security/tsol/tnzonecfg) || {
			newlabel=$(hextoalabel "$p")
			labelList="$labelList $newlabel\n"
		}
	done
	# echo expands the "\n" separators into one list row per label.
	alabel=$(echo $labelList | zenity --list \
	    --title="$title" \
	    --height=300 \
	    --width=400 \
	    --column="Available Sensitivity Labels")
	[[ -z $alabel ]] && return

	newlabel=$(atohexlabel "$alabel" 2>/dev/null)
	if [[ -z $newlabel ]]; then
		x=$(zenity --error \
		    --title="$title" \
		    --text="$alabel is not valid")
		return
	fi
	echo $zonename:$newlabel:0:: >> /etc/security/tsol/tnzonecfg
}
117
# Make the global zone's hostname resolvable inside labeled zones.
# With nscd-per-label each zone resolves names on its own, and X
# clients need the global hostname because it is used in DISPLAY.
# Arguments: $1 - optional zone name; default is every non-global zone
# Globals: title (read); ZONE_PATH, ZONE_ETC_DIR, IPNODES, LIST,
#          ERRORLIST, ghostname, gipaddress (written)
# Side effects: appends "<ip>\t<ghostname>" to a zone's ipnodes when
#          the name is missing; pops up a warning for zones that map
#          the name to 127.0.0.1.
resolveXdisplay() {
	export ZONE_PATH ZONE_ETC_DIR IPNODES LIST ERRORLIST ghostname
	ERRORLIST=""
	ghostname=$(hostname)

	if [[ -n "$1" ]]; then
		LIST=$(zoneadm list -ip | grep ":$1:")
	else
		LIST=$(zoneadm list -ip | grep -v "global")
	fi

	gipaddress=$(getent hosts "$ghostname" | cut -f1)
	for i in $LIST; do
		ZONE_PATH=$(echo "$i" | cut -d ":" -f4)
		ZONE_ETC_DIR=$ZONE_PATH/root/etc
		IPNODES=${ZONE_ETC_DIR}/inet/ipnodes

		# The entry is written regardless of NSCD_PER_LABEL; a
		# sysadmin can remove it if it is not wanted.
		ENTRY=$(grep "$ghostname" "$IPNODES")
		case "$ENTRY" in
		127.0.0.1*)
			# A loopback mapping breaks DISPLAY; collect it for
			# the warning dialog instead of rewriting the file.
			[[ -z $ERRORLIST ]] && \
			    ERRORLIST="$ghostname address 127.0.0.1 found in:\n"
			ERRORLIST="$ERRORLIST $IPNODES\n"
			;;
		"")
			gipaddress=$(getent hosts "$ghostname" | cut -f1)
			echo "$gipaddress\t$ghostname" >>  $IPNODES
			;;
		esac
	done
	if [[ -n "$ERRORLIST" ]]; then
		x=$(zenity --error \
		    --title="$title" \
		    --text="WARNING:\n\n\n$ERRORLIST\n\n")
	fi
}
169
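# Clone an installed zone's dataset into $zonename (source chosen from
# $zonelist, as set by copyCheck), then run first-boot configuration.
# Returns without changes when the selection is cancelled.
# Globals: zonename, zonelist, ZDSET, NSCD_PER_LABEL, title (read)
clone() {
	image=$(zenity --list \
	    --title="$title: Clone From" \
	    --height=300 \
	    --column="Installed Zones" $zonelist)
	[[ -z $image ]] && return

	# Drop a stale dataset for this zone before cloning. Test the exact
	# dataset name rather than grepping "zfs list", which also matched
	# any dataset whose name merely contains $ZDSET/$zonename.
	# ${zonename:?} aborts instead of running "zfs destroy -r $ZDSET/".
	if [[ $ZDSET != none ]] && \
	    zfs list -H "$ZDSET/${zonename:?}" >/dev/null 2>&1; then
		/usr/sbin/zfs destroy -r "$ZDSET/$zonename"
	fi
	/usr/sbin/zoneadm -z "$zonename" clone "$image"
	/usr/sbin/zoneadm -z "$zonename" ready

	# Without LDAP the zone needs either the shared passwd files
	# (global nscd) or its own name resolution (nscd-per-label).
	if [[ ! -f /var/ldap/ldap_client_file ]]; then
		if [[ $NSCD_PER_LABEL -eq 0 ]]; then
			sharePasswd
		else
			unsharePasswd
			resolveXdisplay
		fi
	fi
	initialize
	/usr/sbin/zoneadm -z "$zonename" halt
}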
195
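# Populate $zonename by copying an installed zone (source chosen from
# $zonelist) in a visible terminal, then set up passwd sharing or
# per-label name resolution as for clone().
# Globals: zonename, zonelist, NSCD_PER_LABEL, title (read)
copy() {
	image=$(zenity --list \
	    --title="$title: Copy From" \
	    --height=300 \
	    --column="Installed Zones" $zonelist)
	# Cancelled or empty selection: nothing to copy. clone() has the
	# same guard; without it zoneadm was run with an empty source zone.
	[[ -z $image ]] && return

	/usr/bin/gnome-terminal \
	    --title="$title: Copying $image to $zonename zone" \
	    --command "zoneadm -z $zonename clone -m copy $image" \
	    --disable-factory \
	    --hide-menubar

	if [[ ! -f /var/ldap/ldap_client_file ]]; then
		if [[ $NSCD_PER_LABEL -eq 0 ]]; then
			sharePasswd
		else
			unsharePasswd
			resolveXdisplay
		fi
	fi
}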
218
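# Write a sysidcfg for the freshly installed or cloned $zonename so its
# first boot configures itself without prompting, copy the NFS defaults
# in, and (nscd-per-label only) make the global hostname resolvable in
# the zone. Exits the script when the hostname prompt is cancelled or
# the zone has no zonepath.
# Globals: zonename, title, NSCD_PER_LABEL (read);
#          hostname, ipaddress, ZONE_PATH, ZONE_ETC_DIR, SYSIDCFG (written)
initialize() {
	hostname=$(hostname)
	hostname=$(zenity --entry \
	    --title="$title" \
	    --text="Enter Host Name: " \
	    --entry-text "$hostname")
	if [[ $? -ne 0 ]]; then
		exit 1
	fi

	ZONE_PATH=$(zoneadm list -ip | grep ":${zonename}:" | cut -d ":" -f4)
	if [[ -z "$ZONE_PATH" ]]; then
		x=$(zenity --error \
		    --title="$title" \
		    --text="$zonename is not an installed zone")
		exit 1
	fi
	ZONE_ETC_DIR=$ZONE_PATH/root/etc
	ipaddress=$(getent hosts "$hostname" | cut -f1)
	SYSIDCFG=${ZONE_ETC_DIR}/sysidcfg

	if [[ -f /var/ldap/ldap_client_file ]]; then
		# The global zone is an LDAP client: replicate its settings.
		# The proxy bind password lands in sysidcfg in clear text and
		# the file is created under the zone root with this shell's
		# umask. NOTE(review): confirm sysidcfg ends up root-only.
		ldapaddress=$(ldapclient list | \
		    /bin/grep "^NS_LDAP_SERVERS" | cut -d " " -f2)
		echo "name_service=LDAP {" > ${SYSIDCFG}
		domain=$(domainname)
		echo "domain_name=$domain" >> ${SYSIDCFG}
		profName=$(ldapclient list | \
		    /bin/grep "^NS_LDAP_PROFILE" | cut -d " " -f2)
		proxyPwd=$(ldapclient list | \
		    /bin/grep "^NS_LDAP_BINDPASSWD" | cut -d " " -f2)
		proxyDN=$(ldapclient list | \
		    /bin/grep "^NS_LDAP_BINDDN" | cut -d " " -f 2)
		if [[ -n "$proxyDN" ]]; then
			echo "proxy_dn=\"$proxyDN\"" >> ${SYSIDCFG}
			echo "proxy_password=\"$proxyPwd\"" >> ${SYSIDCFG}
		fi
		echo "profile=$profName" >> ${SYSIDCFG}
		echo "profile_server=$ldapaddress }" >> ${SYSIDCFG}
		cp /etc/nsswitch.conf $ZONE_ETC_DIR/nsswitch.ldap
	else
		echo "name_service=NONE" > ${SYSIDCFG}
		if [[ $NSCD_PER_LABEL -eq 0 ]]; then
			sharePasswd
		else
			# resolveXdisplay has to run after sysidcfg is written
			# for this case; see the end of this function.
			unsharePasswd
		fi
	fi

	echo "security_policy=NONE" >> ${SYSIDCFG}
	locale=$(locale | grep LANG | cut -d "=" -f2)
	[[ -z $locale ]] && locale="C"
	echo "system_locale=$locale" >> ${SYSIDCFG}
	timezone=$(/bin/grep "^TZ" /etc/TIMEZONE | cut -d "=" -f2)
	echo "timezone=$timezone" >> ${SYSIDCFG}
	echo "terminal=vt100" >> ${SYSIDCFG}
	# root_password is intentionally absent from sysidcfg (a commented
	# out line once wrote it). Nothing here needs /etc/shadow, so the
	# old read of the root hash into an unused variable was dropped.
	echo "nfs4_domain=dynamic" >> ${SYSIDCFG}
	echo "network_interface=PRIMARY {" >> ${SYSIDCFG}
	echo "protocol_ipv6=no" >> ${SYSIDCFG}
	echo "hostname=$hostname" >> ${SYSIDCFG}
	echo "ip_address=$ipaddress }" >> ${SYSIDCFG}
	cp /etc/default/nfs ${ZONE_ETC_DIR}/default/nfs
	touch ${ZONE_ETC_DIR}/.NFS4inst_state.domain
	# Tell sysidtool the zone is configured.
	rm -f ${ZONE_ETC_DIR}/.UNCONFIGURED
	if [[ $NSCD_PER_LABEL -eq 1 ]]; then
		resolveXdisplay
	fi
}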
292
# Install $zonename: give it its own dataset when a zone pool exists
# (zonecfg does this itself on Solaris Express 8/06 or newer), run the
# install in a terminal so progress is visible, then configure it.
# Globals: zonename, ZDSET, title (read)
install() {
	if [[ $ZDSET != none ]]; then
		zfs create -o mountpoint=/zone/$zonename "$ZDSET/$zonename"
		chmod 700 "/zone/$zonename"
	fi

	/usr/bin/gnome-terminal \
	    --title="$title: Installing $zonename zone" \
	    --command "zoneadm -z $zonename install" \
	    --disable-factory \
	    --hide-menubar

	zoneadm -z "$zonename" ready
	initialize
	zoneadm -z "$zonename" halt
}
315
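# Delete $zonename's configuration and dataset, removing its tnzonecfg
# entry first so a later zone of the same name does not inherit the
# stale label. Clears zonename afterwards.
# Globals: zonename, ZDSET (read); zonename (cleared)
delete() {
	tnzone=$(egrep "^$zonename:" /etc/security/tsol/tnzonecfg 2>/dev/null)
	if [[ -n "${tnzone}" ]]; then
		# Private temp file instead of the predictable /tmp/tnzonefg.$$;
		# the edited copy is written back in place so tnzonecfg keeps
		# its owner and mode, and only after sed succeeded (the old
		# code mv'ed whatever sed left behind, even an empty file).
		tmpcfg=$(mktemp /tmp/tnzonecfg.XXXXXX) || return
		# Anchor on the zone name; the old pattern reused the whole
		# matched line as a regular expression.
		if sed -e "/^${zonename}:/d" /etc/security/tsol/tnzonecfg \
		    > "$tmpcfg" 2>/dev/null; then
			cat "$tmpcfg" > /etc/security/tsol/tnzonecfg
		fi
		rm -f "$tmpcfg"
	fi
	zonecfg -z "$zonename" delete -F
	# Exact dataset lookup; grepping "zfs list" also matched datasets
	# whose names merely contain $ZDSET/$zonename.
	if [[ $ZDSET != none ]] && \
	    zfs list -H "$ZDSET/${zonename:?}" >/dev/null 2>&1; then
		/usr/sbin/zfs destroy "$ZDSET/$zonename"
	fi
	zonename=
}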
333
# Let the administrator pick a physical IPv4 interface. ifconfig -a4
# prints "name:" at the start of each interface block; words with a
# second colon are logical interfaces (name:N) and are skipped, as is
# the loopback.
# Globals: title (read); nics, nic (written; nic empty on cancel)
getNIC() {
	nics=
	for i in $(ifconfig -a4 | grep "^[a-z].*:" | grep -v LOOPBACK)
	do
		case $i in
		*:*:*) continue ;;		# logical interface, e.g. "e1000g0:1:"
		[a-z]*:) ;;			# "name:" - keep it
		*) continue ;;			# any other ifconfig word
		esac
		nics="$nics ${i%:}"		# drop the trailing colon
	done

	nic=$(zenity --list \
	    --title="$title" \
	    --column="Interface" \
	    $nics)
}
356
# Ask for a dotted-quad netmask for $ipaddr and convert it to a prefix
# length (the number of 1 bits) in cidr. cidr stays empty on cancel.
# Globals: ipaddr, title (read); nm, cidr (written)
getNetmask() {
	cidr=
	nm=$(zenity --entry \
	    --title="$title" \
	    --text="$ipaddr: Enter netmask: " \
	    --entry-text 255.255.255.0)
	[[ $? -ne 0 ]] && return

	cidr=$(perl -e 'use Socket; print unpack("%32b*",inet_aton($ARGV[0])), "\n";' "$nm")
}
370
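# Add a network resource (interface + address/prefix) to $zonename's
# configuration, prompting for each piece; any cancelled prompt aborts.
# Globals: zonename (read); nic, ipaddr, cidr (set by the helpers)
addNet() {
	getNIC
	[[ -z $nic ]] && return
	getIPaddr
	[[ -z $ipaddr ]] && return
	getNetmask
	[[ -z $cidr ]] && return

	# The batch is read by zonecfg as root, so use a private temp file
	# rather than the predictable shared /tmp/zfg.$$.
	zcfgfile=$(mktemp /tmp/zfg.XXXXXX) || return
	cat > "$zcfgfile" <<-EOF
	add net
	set address=${ipaddr}/${cidr}
	set physical=$nic
	end
	commit
	EOF
	zonecfg -z "$zonename" -f "$zcfgfile"
	rm -f "$zcfgfile"
}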
395
# Parse "ifconfig $nic" word by word and record the interface's
# attributes in globals for the network menu: the word after "inet"
# is the address, the word after "zone" is the owning zone,
# "all-zones" marks a shared interface, and the "flags..." word is
# kept for manageNets' UP check.
# Globals: nic (read); zone, type, ipaddr, flags, template (written)
# Note: ipaddr is not reset first, so an interface with no inet word
# leaves the previous value in place.
getAttrs() {
	zone=global
	type=ignore
	for j in `ifconfig $nic`
	do
		case $j in
			inet) type=$j;;
			zone) type=$j;;
			all-zones) zone=all-zones;;
			flags*) flags=$j;;
			*) case $type in
				inet) ipaddr=$j ;;
				zone) zone=$j ;;
				*) continue ;;
			   esac;\
			   type=ignore;;
		esac
	done
	# 0.0.0.0 is an unconfigured interface: show "..." placeholders
	# instead of asking tninfo; otherwise take the third field of
	# tninfo's "Template" line (assumed to be the template name).
	if [ $ipaddr != 0.0.0.0 ]; then
		template=`tninfo -h $ipaddr|grep Template| cut -d" " -f3`
	else
		template="..."
		ipaddr="..."
	fi
}
421
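# Bind $ipaddr to $template: load it into the kernel with tnctl and
# make it persistent in tnrhdb (replacing an existing entry for the
# address, or appending a new one).
# Globals: ipaddr, template (read)
updateTnrhdb() {
	tnctl -h "${ipaddr}:$template"
	x=$(grep "^${ipaddr}[^0-9]" /etc/security/tsol/tnrhdb)
	if [[ $? -eq 0 ]]; then
		# Private temp file (the old /tmp/txnetmgr.$$ was predictable);
		# '|' as the sed delimiter because an entry may carry a
		# /prefix; the match is anchored so only this host's line is
		# rewritten, and tnrhdb is only touched when sed succeeded.
		# Writing back in place keeps tnrhdb's owner and mode.
		tmpdb=$(mktemp /tmp/txnetmgr.XXXXXX) || return
		if sed "s|^$x\$|${ipaddr}:$template|" \
		    /etc/security/tsol/tnrhdb > "$tmpdb"; then
			cat "$tmpdb" > /etc/security/tsol/tnrhdb
		fi
		rm -f "$tmpdb"
	else
		echo "${ipaddr}:$template" >> /etc/security/tsol/tnrhdb
	fi
}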
433
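# Ask for a hostname for $nic and resolve it; when it does not resolve,
# ask for the IP address directly. Leaves ipaddr empty when a prompt is
# cancelled so addNet/addHost can bail out.
# Globals: nic, title (read); hostname, ipaddr (written)
getIPaddr() {
	# Start from no address: the old code kept whatever getAttrs had
	# left in ipaddr ("..." or a real address) when the user cancelled,
	# and addHost then wrote that into the hosts files.
	ipaddr=
	hostname=$(zenity --entry \
	    --title="$title" \
	    --text="$nic: Enter hostname: ")
	if [[ $? -ne 0 ]]; then
		return
	fi

	# An empty name must not reach getent: "getent hosts" with no key
	# enumerates the whole database into ipaddr.
	if [[ -n $hostname ]]; then
		ipaddr=$(getent hosts "$hostname" | cut -f1)
	fi
	if [[ -z $ipaddr ]]; then
		ipaddr=$(zenity --entry \
		    --title="$title" \
		    --text="$nic: Enter IP address: " \
		    --entry-text a.b.c.d)
		if [[ $? -ne 0 ]]; then
			ipaddr=
			return
		fi
	fi
}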
456
# Record $hostname/$ipaddr in hosts and ipnodes (if not already there),
# give the address the cipso template, and configure $nic with it,
# persistently via /etc/hostname.<nic>.
# Globals: ipaddr, hostname, nic (read); template (written)
addHost() {
	[[ -z $ipaddr ]] && return

	# Update hosts and ipnodes; grep status 1 means "no entry yet"
	# (an unreadable file gives 2 and is left alone).
	for hostdb in /etc/inet/hosts /etc/inet/ipnodes; do
		grep "^${ipaddr}[^0-9]" $hostdb >/dev/null
		if [[ $? -eq 1 ]]; then
			echo "$ipaddr\t$hostname" >> $hostdb
		fi
	done

	template=cipso
	updateTnrhdb

	ifconfig $nic $ipaddr netmask + broadcast +
	echo $hostname > /etc/hostname.$nic
}
478
# Offer the cipso templates from tnrhtp; after the administrator picks
# one and confirms its label list, bind it to $ipaddr. Cancelling the
# template list leaves tnrhdb untouched.
# Globals: ipaddr, title (read); templates, t_cmd, t_label, template (written)
getTemplate() {
	templates=$(grep "^[A-z]" /etc/security/tsol/tnrhtp | \
	    grep "type=cipso" | cut -f1 -d":")

	while :; do
		t_cmd=$(zenity --list \
		    --title="$title" \
		    --height=300 \
		    --column="Network Templates" \
		    $templates)
		[[ $? -ne 0 ]] && break

		# Show the template's labels; OK confirms the association.
		t_label=$(tninfo -t "$t_cmd" | grep sl | zenity --list \
		    --title="$title" \
		    --height=300 \
		    --width=450 \
		    --column="Click OK to associate $t_cmd template with $ipaddr" )
		[[ $? -ne 0 ]] && continue

		template=$t_cmd
		updateTnrhdb
		break
	done
}
508
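# Add an unconfigured (0.0.0.0) logical interface on $nic and show
# ifconfig's output in a dialog.
# Globals: nic, title (read); msg (written)
createInterface() {
	# Capture stderr too, so a failure is reported instead of an empty
	# dialog.
	msg=$(ifconfig "$nic" addif 0.0.0.0 2>&1)
	# Call zenity directly; the old "$(zenity ...)" form executed
	# zenity's (normally empty) stdout as a command.
	zenity --info \
	    --title="$title" \
	    --text="$msg"
}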
515
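# Share $nic with all zones, now and persistently: append " all-zones"
# to the hostname line in /etc/hostname.<nic>.
# Globals: nic (read); if_file (written)
shareInterface() {
	ifconfig "$nic" all-zones
	if_file=/etc/hostname.$nic
	# Keep only the first line of the file, suffixed. The old pipeline
	# ("sed q | sed ... < $if_file") ran "sed q" on the script's stdin
	# and suffixed every line of the file instead. The result goes
	# through a private temp file (not /tmp/txnetmgr.$$) and is written
	# back in place so the file keeps its owner and mode.
	tmpif=$(mktemp /tmp/txnetmgr.XXXXXX) || return
	if sed -e 's/$/ all-zones/' -e q "$if_file" > "$tmpif"; then
		cat "$tmpif" > "$if_file"
	fi
	rm -f "$tmpif"
}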
522
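# Grant $zonename the window/file relabeling privileges ("Permit
# Relabeling" menu entry) by setting its limitpriv.
# Globals: zonename (read)
setMacPrivs() {
	# Private temp file for the zonecfg batch instead of the
	# predictable shared /tmp/zfg.$$ (zonecfg reads it as root).
	zcfgfile=$(mktemp /tmp/zfg.XXXXXX) || return
	cat > "$zcfgfile" <<-EOF
	set limitpriv=default,win_mac_read,win_mac_write,win_selection,win_dac_read,win_dac_write,file_downgrade_sl,file_upgrade_sl,sys_trans_label
	commit
	EOF
	zonecfg -z "$zonename" -f "$zcfgfile"
	rm -f "$zcfgfile"
}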
532
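# Revoke the relabeling privileges again ("Deny Relabeling" menu
# entry) by resetting $zonename's limitpriv to the default set.
# Globals: zonename (read)
resetMacPrivs() {
	# Private temp file for the zonecfg batch instead of the
	# predictable shared /tmp/zfg.$$ (zonecfg reads it as root).
	zcfgfile=$(mktemp /tmp/zfg.XXXXXX) || return
	cat > "$zcfgfile" <<-EOF
	set limitpriv=default
	commit
	EOF
	zonecfg -z "$zonename" -f "$zcfgfile"
	rm -f "$zcfgfile"
}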
542
# Remove the lofs mounts of the global passwd and shadow files from
# every non-global zone; "No such ..." complaints from zones that never
# had them are filtered out.
unsharePasswd() {
	for z in $(zoneadm list -i | grep -v global); do
		for f in /etc/passwd /etc/shadow; do
			zonecfg -z "$z" remove fs dir="$f" 2>&1 | grep -v such
		done
	done
}
549
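# Mount the global zone's passwd and shadow files read-only into
# $zonename, unless it already has the mounts. Does nothing when
# nscd-per-label is configured (each zone then resolves users itself).
# Globals: zonename, NSCD_PER_LABEL (read)
sharePasswd() {
	if [[ $NSCD_PER_LABEL -ne 0 ]]; then
		return
	fi
	# grep status 1: no fs entry mentions /etc/passwd yet.
	passwd=$(zonecfg -z "$zonename" info | grep /etc/passwd)
	if [[ $? -eq 1 ]]; then
		# Private temp file for the zonecfg batch instead of the
		# predictable shared /tmp/zfg.$$ (zonecfg reads it as root).
		zcfgfile=$(mktemp /tmp/zfg.XXXXXX) || return
		cat > "$zcfgfile" <<-EOF
		add fs
		set special=/etc/passwd
		set dir=/etc/passwd
		set type=lofs
		add options ro
		end
		add fs
		set special=/etc/shadow
		set dir=/etc/shadow
		set type=lofs
		add options ro
		end
		commit
		EOF
		zonecfg -z "$zonename" -f "$zcfgfile"
		rm -f "$zcfgfile"
	fi
}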
576
577# This routine is a toggle -- if we find it configured for global nscd,
578# change to nscd-per-label and vice-versa.
579#
580# The user was presented with only the choice to CHANGE the existing
581# configuration.
582
# Toggle between a global nscd and nscd-per-label: create or remove the
# indicator file, flip NSCD_PER_LABEL, and share or unshare the passwd
# files in every non-global zone accordingly.
# Globals: NSCD_PER_LABEL, NSCD_INDICATOR, zonename (read/written)
manageNscd() {
	if [[ $NSCD_PER_LABEL -ne 0 ]]; then
		# Back to a global nscd: every zone gets the shared files.
		export zonename
		rm -f "$NSCD_INDICATOR"
		NSCD_PER_LABEL=0
		for z in $(zoneadm list -i | grep -v global); do
			zonename=$z
			sharePasswd
		done
		zonename=
	else
		# this MUST be a regular file for svc-nscd to detect
		touch "$NSCD_INDICATOR"
		NSCD_PER_LABEL=1
		unsharePasswd
		resolveXdisplay
	fi
}
601
# Network-interface menu: list every IPv4 interface (up, then down)
# with its zone, address and template, let the administrator pick one,
# then offer only the actions that apply to it. Loops until the
# interface list is cancelled.
# Globals: title (read); nic, zone, ipaddr, template, flags, attrs,
#          command and the per-action menu strings (written)
manageNets() {
	while [ 1 -gt 0 ]; do
		attrs=
		# Interfaces that are up (ifconfig -au4): one "name:" word
		# per interface block; the loopback is left out.
		for i in `ifconfig -au4|grep  "^[a-z].*:" |grep -v LOOPBACK`
		do
			echo $i |grep "^[a-z].*:" >/dev/null 2>&1
			if [ $? -eq 1 ]; then
				continue
			fi
			nic=${i%:} # Remove colon after interface name
			getAttrs
			attrs="$nic $zone $ipaddr $template Up $attrs"
		done

		# Same again for interfaces that are down (ifconfig -ad4).
		for i in `ifconfig -ad4 |grep  "^[a-z].*:" |grep -v LOOPBACK`
		do
			echo $i |grep "^[a-z].*:" >/dev/null 2>&1
			if [ $? -eq 1 ]; then
				continue
			fi
			nic=${i%:} # Remove colon after interface name
			getAttrs
			attrs="$nic $zone $ipaddr $template Down $attrs"
		done

		# Five words per interface, matching the five columns.
		nic=$(zenity --list \
		    --title="$title" \
		    --height=300 \
		    --width=450 \
		    --column="Interface" \
		    --column="Zone Name" \
		    --column="IP Address" \
		    --column="Template" \
		    --column="State" \
		    $attrs)

		if [[ -z $nic ]]; then
			return
		fi

		# Re-read the chosen interface's zone, ipaddr, template and
		# flags for the checks below.
		getAttrs

		# Clear list of commands

		share=
		setipaddr=
		settemplate=
		newlogical=
		unplumb=
		bringup=
		bringdown=

		# Check for physical interface
		# A physical interface (no ':' in its name) can only get a
		# new logical interface; a logical one can be removed and,
		# depending on the UP flag recorded by getAttrs, brought up
		# (once it has an address) or down.

		hascolon=`echo $nic |grep :`
		if [ $? != 0 ]; then
			newlogical="Create Logical Interface\n";
		else
			up=`echo $flags|grep "UP,"`
			if [ $? != 0 ]; then
				unplumb="Remove Logical Interface\n"
				if [ $ipaddr != "..." ]; then
					bringup="Bring Up\n"
				fi
			else
				bringdown="Bring Down\n"
			fi
		fi

		# "..." is getAttrs' placeholder for "no address yet".
		if [ $ipaddr = "..." ]; then
			setipaddr="Set IP address...\n";
		else
			settemplate="View Templates...\n"
			if [ $zone = global ]; then
				share="Share\n"
			fi
		fi

		# echo joins its arguments with spaces and expands the "\n"
		# at the end of each action, so every menu row starts with a
		# space -- hence the leading space in the case labels below.
		command=$(echo ""\
		    $share \
		    $setipaddr \
		    $settemplate \
		    $newlogical \
		    $unplumb \
		    $bringup \
		    $bringdown \
		    | zenity --list \
		    --title="$title" \
		    --height=300 \
		    --column "Interface: $nic" )

		case $command in
		    " Create Logical Interface")\
			createInterface;;
		    " Set IP address...")\
			getIPaddr
			addHost;;
		    " Share")\
			shareInterface;;
		    " View Templates...")\
			getTemplate;;
		    " Remove Logical Interface")\
			ifconfig $nic unplumb;\
			rm -f /etc/hostname.$nic;;
		    " Bring Up")\
			ifconfig $nic up;;
		    " Bring Down")\
			ifconfig $nic down;;
		    *) continue;;
		esac
	done
}
714
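# Walk the administrator through making the global zone an LDAP client:
# prompt for domain, server, proxy credentials and profile, register
# the server in /etc/hosts and tnrhdb, run "ldapclient init" and show
# its output. Returns without changes when a prompt is cancelled.
# Globals: title (read)
createLDAPclient() {
	ldaptitle="$title: Create LDAP Client"
	ldapdomain=$(zenity --entry \
	    --width=400 \
	    --title="$ldaptitle" \
	    --text="Enter Domain Name: ")
	ldapserver=$(zenity --entry \
	    --width=400 \
	    --title="$ldaptitle" \
	    --text="Enter Hostname of LDAP Server: ")
	ldapserveraddr=$(zenity --entry \
	    --width=400 \
	    --title="$ldapt<br>itle" \
	    --text="Enter IP adddress of LDAP Server $ldapserver: ")
	# Ask for the proxy password twice until both entries match.
	# Cancelling either prompt abandons the operation; the old loop
	# could only be left by entering two matching passwords.
	ldappassword=""
	ldappasswordconfirm=
	while [[ -z ${ldappassword} || "x$ldappassword" != "x$ldappasswordconfirm" ]]; do
		ldappassword=$(zenity --entry \
		    --width=400 \
		    --title="$ldaptitle" \
		    --hide-text \
		    --text="Enter LDAP Proxy Password:")
		[[ $? -ne 0 ]] && return
		ldappasswordconfirm=$(zenity --entry \
		    --width=400 \
		    --title="$ldaptitle" \
		    --hide-text \
		    --text="Confirm LDAP Proxy Password:")
		[[ $? -ne 0 ]] && return
	done
	ldapprofile=$(zenity --entry \
	    --width=400 \
	    --title="$ldaptitle" \
	    --text="Enter LDAP Profile Name: ")
	# Summary for confirmation; the password is shown masked.
	whatnext=$(zenity --list \
	    --width=400 \
	    --height=250 \
	    --title="$ldaptitle" \
	    --text="Proceed to create LDAP Client?" \
	    --column=Parameter --column=Value \
	    "Domain Name" "$ldapdomain" \
	    "Hostname" "$ldapserver" \
	    "IP Address" "$ldapserveraddr" \
	    "Password" "$(printf '%s\n' "$ldappassword" | sed 's/./*/g')" \
	    "Profile" "$ldapprofile")
	if [[ $? -ne 0 ]]; then
		return
	fi

	# Make the server resolvable (grep status 1: no entry yet).
	/bin/grep "^${ldapserveraddr}[^0-9]" /etc/hosts > /dev/null
	if [[ $? -eq 1 ]]; then
		/bin/echo "$ldapserveraddr $ldapserver" >> /etc/hosts
	fi

	# tnrhdb stores the server by address, so test for the address.
	# The old check looked for "<hostname>:", which this function never
	# writes, and so appended a duplicate entry on every run.
	/bin/grep "^${ldapserveraddr}[^0-9]" /etc/security/tsol/tnrhdb > /dev/null
	if [[ $? -eq 1 ]]; then
		/bin/echo "# ${ldapserver} - ldap server" \
		    >> /etc/security/tsol/tnrhdb
		/bin/echo "${ldapserveraddr}:cipso" \
		    >> /etc/security/tsol/tnrhdb
		/usr/sbin/tnctl -h "${ldapserveraddr}:cipso"
	fi

	# Base DN from the domain: a.b.c -> dc=a,dc=b,dc=c
	proxyDN=$(echo "$ldapdomain" | awk -F. \
	    '{ ORS = "" } { for (i = 1; i < NF; i++) print "dc=" $i "," } { print "dc=" $NF }')

	zenity --info \
	    --title="$ldaptitle" \
	    --width=500 \
	    --text="global zone will be LDAP client of $ldapserver"

	# Private temp file for ldapclient's output (the old
	# /tmp/ldapclient.$$ was predictable); it is shown, then removed.
	ldapout=$(mktemp /tmp/ldapclient.XXXXXX) || return

	# NOTE(review): the proxy password is passed on ldapclient's command
	# line (-a proxyPassword=) and is visible to other users via ps
	# while it runs; confirm this ldapclient has no file/stdin form.
	ldapclient init -a profileName="$ldapprofile" \
	    -a domainName="$ldapdomain" \
	    -a proxyDN="cn=proxyagent,ou=profile,$proxyDN" \
	    -a proxyPassword="$ldappassword" \
	    "$ldapserveraddr" > "$ldapout" 2>&1

	if [[ $? -eq 0 ]]; then
		ldapstatus=Success
	else
		ldapstatus=Error
	fi

	zenity --text-info \
	    --width=700 \
	    --height=300 \
	    --title="$ldaptitle: $ldapstatus" \
	    --filename="$ldapout"

	rm -f "$ldapout"
}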
807
808# Loop for single-zone menu
# Per-zone menu: show the actions that apply to $zonename in its
# current state (from "zoneadm list"), run the chosen one and repeat.
# Returns when the zone is deleted, the dialog is cancelled, "Return to
# Main Menu" is chosen, or zonename is empty.
# Globals: zonename, title (read); zonestate, command, delay and the
#          per-action menu strings (written)
singleZone() {

	while [ "${command}" != Exit ]; do
		if [[ ! -n $zonename ]]; then
			x=$(zenity --error \
			    --title="$title" \
			    --text="zonename \"$zonename\" is not valid")
			return
		fi
		# Clear list of commands

		console=
		label=
		start=
		reboot=
		stop=
		clone=
		copy=
		install=
		ready=
		uninstall=
		delete=
		addnet=
		deletenet=
		permitrelabel=

		# third field of "id:name:state:..." is the zone state
		zonestate=`zoneadm -z $zonename list -p | cut -d ":" -f 3`

		consoleCheck;
		labelCheck;
		delay=0

		# Enable the actions that make sense in this state. An
		# installed zone can only be readied/booted once it has a
		# label (label is empty when labelCheck found one).
		case $zonestate in
			running) ready="Ready\n"; \
			       reboot="Reboot\n"; \
			       stop="Halt\n"; \
			;;
			ready) start="Boot\n"; \
			       stop="Halt\n" \
			;;
			installed)
				if [[ -z $label ]]; then \
					ready="Ready\n"; \
					start="Boot\n"; \
				fi; \
				uninstall="Uninstall\n"; \
				relabelCheck;
				addnet="Add Network...\n"
			;;
			configured) install="Install...\n"; \
				copyCheck; \
				delete="Delete\n"; \
				console=; \
			;;
			incomplete) delete="Delete\n"; \
			;;
			*)
			;;
		esac

		# echo joins its arguments with spaces and expands the "\n"
		# at the end of each action, so every menu row starts with a
		# space -- hence the leading space in the case labels below.
		command=$(echo ""\
		    $console \
		    $label \
		    $start \
		    $reboot \
		    $stop \
		    $clone \
		    $copy \
		    $install \
		    $ready \
		    $uninstall \
		    $delete \
		    $addnet \
		    $deletenet \
		    $permitrelabel \
		    "Return to Main Menu" \
		    | zenity --list \
		    --title="$title" \
		    --height=300 \
		    --column "$zonename: $zonestate" )

		case $command in
		    " Zone Console...")
			# console runs in the background; delay gives it time
			# to start before the menu is redrawn
			delay=2; \
			/usr/bin/gnome-terminal \
			    --title="Zone Terminal Console: $zonename" \
			    --command "/usr/sbin/zlogin -C $zonename" &;;

		    " Select Label...")
			selectLabel;;

		    " Ready")
			zoneadm -z $zonename ready ;;

		    " Boot")
			zoneadm -z $zonename boot ;;

		    " Halt")
			zoneadm -z $zonename halt ;;

		    " Reboot")
			zoneadm -z $zonename reboot ;;

		    " Install...")
			install;;

		    " Clone")
			clone ;;

		    " Copy...")
			copy ;;

		    " Uninstall")
			zoneadm -z $zonename uninstall -F;;

		    " Delete")
			delete
			return ;;

		    " Add Network...")
			addNet ;;

		    " Permit Relabeling")
			setMacPrivs ;;

		    " Deny Relabeling")
			resetMacPrivs ;;

		    *)
			# "Return to Main Menu" or a cancelled dialog
			zonename=
			return ;;
		esac
		sleep $delay;
	done
}
944
945# Main loop for top-level window
946#
947
948
ZDSET=none
# Choose the dataset under which zone filesystems live: a pool named
# "zone" if one exists, otherwise <rootpool>/zones on a ZFS root
# (created on demand), otherwise none.
if zpool iostat 1>/dev/null 2>&1; then
	if zpool list -H zone 1>/dev/null 2>&1; then
		ZDSET=zone
	else
		rootfs=$(df -n / | awk '{print $3}')
		if [[ $rootfs = zfs ]]; then
			ZDSET=$(zfs list -Ho name / | cut -d/ -f 1)/zones
			zfs list -H "$ZDSET" 1>/dev/null 2>&1
			[[ $? -eq 1 ]] && zfs create -o mountpoint=/zone "$ZDSET"
		fi
	fi
fi
971
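export NSCD_OPT
# Top-level menu: one row per non-global zone (name, state, label)
# followed by the global actions. Selecting a zone opens singleZone;
# the loop ends on Exit or when the dialog is cancelled.
while [[ "${command}" != Exit ]]; do
	zonelist=""
	for p in $(zoneadm list -cp | grep -v global:); do
		zonename=$(echo $p | cut -d : -f2)
		state=$(echo $p | cut -d : -f3)
		labelCheck
		zonelist="$zonelist$zonename\n$state\n$curlabel\n"
	done

	if [[ $NSCD_PER_LABEL -eq 0 ]]; then
		NSCD_OPT="Configure per-zone name service"
	else
		NSCD_OPT="Unconfigure per-zone name service"
	fi
	# Three cells per row; the global actions pad with empty cells.
	zonelist=${zonelist}"Manage Network Interfaces...\n\n\n"
	zonelist=${zonelist}"Create a new zone...\n\n\n"
	zonelist=${zonelist}"${NSCD_OPT}"
	zonelist=${zonelist}"\n\n\nCreate LDAP Client...\n\n\n"
	zonelist=${zonelist}"Exit\n\n"

	zonename=""
	topcommand=$(echo $zonelist | zenity --list \
	    --title="$title" \
	    --height=300 \
	    --width=500 \
	    --column="Zone Name" \
	    --column="Status" \
	    --column="Sensitivity Label" \
	    )

	if [[ -z $topcommand ]]; then
		command=Exit
		exit
	fi

	case "$topcommand" in
	"$NSCD_OPT")
		topcommand=
		manageNscd
		;;
	"Manage Network Interfaces...")
		topcommand=
		manageNets
		;;
	"Exit")
		command=Exit
		exit
		;;
	"Create a new zone...")
		zonename=$(zenity --entry \
		    --title="$title" \
		    --entry-text="" \
		    --text="Enter Zone Name: ")
		[[ -z $zonename ]] && continue
		# Zone names are limited to alphanumerics, '_', '-' and '.'
		# (zonecfg(1M)); reject anything else here instead of feeding
		# it into the zonecfg batch and the zonepath below.
		case $zonename in
		*[!A-Za-z0-9_.-]*)
			x=$(zenity --error \
			    --title="$title" \
			    --text="zonename \"$zonename\" is not valid")
			continue
			;;
		esac
		# Private temp file for the zonecfg batch instead of the
		# predictable shared /tmp/zfg.$$ (zonecfg reads it as root).
		zcfgfile=$(mktemp /tmp/zfg.XXXXXX) || continue
		cat > "$zcfgfile" <<-EOF
		create -t SUNWtsoldef
		set zonepath=/zone/$zonename
		commit
		EOF
		zonecfg -z "$zonename" -f "$zcfgfile"
		rm -f "$zcfgfile"
		# Now, go to the singleZone menu, using the global
		# variable zonename, and continue with zone creation
		singleZone
		;;
	"Create LDAP Client...")
		command=LDAPclient
		createLDAPclient
		;;
	*)
		# if the menu choice was a zonename, pop up zone menu
		zonename=$topcommand
		singleZone
		;;
	esac
done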
1050