xref: /illumos-gate/usr/src/cmd/tsol/misc/txzonemgr.sh (revision b8767451d156f585534afac0bf22721810d0dc63)
1#!/bin/ksh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23# Copyright 2014 Garrett D'Amore
24#
25#
26
27# This script provides a simple GUI for managing labeled zones.
28# It provides contextual menus which provide appropriate choices.
29# It must be run in the global zone as root.
30
31# These arguments are accepted, and will result in non-interactive
32# (text-only) mode:
33#
34#	txzonemgr [-c | -d[f]]
35#
36#	-c	create default zones
37#	-d	destroy all zones; prompts for confirmation unless
38#		the -f flag is also specified
39#	-f	force
40#
41
42# DISP - use GUI (otherwise use non-interactive mode)
43DISP=1
44# CREATEDEF - make default zones (non-interactive)
45CREATEDEF=0
46# DESTROYZONES - tear down all zones (non-interactive)
47DESTROYZONES=0
48# FORCE - force
49FORCE=0
50
51NSCD_PER_LABEL=0
52NSCD_INDICATOR=/var/tsol/doors/nscd_per_label
53if [ -f $NSCD_INDICATOR ] ; then
54	NSCD_PER_LABEL=1
55fi
56
57myname=$(basename $0)
58
59TXTMP=/tmp/txzonemgr
60TNRHTP=/etc/security/tsol/tnrhtp
61TNRHDB=/etc/security/tsol/tnrhdb
62TNZONECFG=/etc/security/tsol/tnzonecfg
63PUBZONE=public
64INTZONE=internal
65
66PATH=/usr/bin:/usr/sbin:/usr/lib export PATH
67title="Labeled Zone Manager 2.1"
68
69msg_defzones=$(gettext "Create default zones using default settings?")
70msg_confirmkill=$(gettext "OK to destroy all zones?")
71msg_continue=$(gettext "(exit to resume $(basename $0) when ready)")
72msg_getlabel=$(gettext "Select a label for the")
73msg_getremote=$(gettext "Select a remote host or network from the list below:")
74msg_getnet=$(gettext "Select a network configuration for the")
75msg_getzone=$(gettext "Select a zone from the list below:
76(select global for zone creation and shared settings)")
77msg_getcmd=$(gettext "Select a command from the list below:")
78msg_inuse=$(gettext "That label is already assigned\nto the")
79msg_getmin=$(gettext "Select the minimum network label for the")
80msg_getmax=$(gettext "Select the maximum network label for the")
81msg_badip=$(gettext " is not a valid IP address")
82
83
84process_options()
85{
86	typeset opt optlist
87
88	optlist='cdf'
89
90	while getopts ":$optlist" opt
91	do
92		case $opt in
93		c)	CREATEDEF=1
94			DISP=0
95			;;
96		d)	DESTROYZONES=1
97			DISP=0
98			;;
99		f)	FORCE=1
100			;;
101		*)	gettext "invalid option -$OPTARG\n"
102			usage
103			return 2
104			;;
105		esac
106	done
107
108	if [ $CREATEDEF -eq 1 -a $DESTROYZONES -eq 1 ] ; then
109		gettext "cannot combine options -c and -d\n"
110		usage
111		return 2
112	fi
113	if [ $CREATEDEF -eq 1 -a $FORCE -eq 1 ] ; then
114		gettext "option -f not allowed with -c\n"
115		usage
116		return 2
117	fi
118	if [ $FORCE -eq 1 -a $CREATEDEF -eq 0 -a $DESTROYZONES -eq 0 ] ; then
119		gettext "option -f specified without any other options\n"
120		usage
121		return 2
122	fi
123
124	shift $((OPTIND - 1))
125	if [ "x$1" != "x" ] ; then
126		usage
127		return 2
128	fi
129
130	return 0
131}
132
133usage() {
134	gettext "usage: $myname [-c | -d[f]]\n"
135}
136
137consoleCheck() {
138	if [ $zonename != global ] ; then
139		zconsole=$(pgrep -f "zlogin -C $zonename")
140		if [ $? != 0 ] ; then
141			console="Zone Console...\n"
142		fi
143	fi
144}
145
146labelCheck() {
147	hexlabel=$(grep "^$zonename:" $TNZONECFG|cut -d : -f2);
148	if [[ $hexlabel ]] ; then
149		label=
150		if [ $zonename = global ] ; then
151			template="admin_low"
152			addcipsohost="Add Multilevel Access to Remote Host...\n"
153			removecipsohost="Remove Multilevel Access to Remote Host...\n"
154			setmlps="Configure Multilevel Ports...\n"
155		else
156			template=${zonename}_unlab
157			addcipsohost=
158			removecipsohost=
159			setmlps=
160
161			net=$(zonecfg -z $zonename info net)
162			if [[ -n $net ]] ; then
163				setmlps="Configure Multilevel Ports...\n"
164			elif [ $zonestate = configured ] ; then
165				addnet="Configure Network Interfaces...\n"
166			fi
167		fi
168		addremotehost="Add Single-level Access to Remote Host...\n"
169		remotes=$(grep -v "^#" $TNRHDB|grep $template)
170		if [ $? = 0 ] ; then
171			removeremotehost="Remove Single-level Access to Remote Host...\n"
172		else
173			removeremotehost=
174		fi
175	else
176		label="Select Label...\n"
177		addremotehost=
178		removeremotehost=
179		addcipsohost=
180		removecipsohost=
181		setmlps=
182	fi
183}
184
185cloneCheck() {
186	set -A zonelist
187	integer clone_cnt=0
188	for p in $(zoneadm list -ip) ; do
189		z=$(echo "$p"|cut -d : -f2)
190		s=$(echo "$p"|cut -d : -f3)
191		if [ $z = $zonename ] ; then
192			continue
193		elif [ $s = "installed" ] ; then
194			zonelist[clone_cnt]=$z
195			clone_cnt+=1
196		fi
197	done
198	if [ $clone_cnt -gt 0 ] ; then
199		clone="Clone...\n"; \
200	fi
201}
202
203relabelCheck() {
204	macstate=$(zonecfg -z $zonename info|grep win_mac_write)
205	if [[ -n $macstate ]] ; then
206		permitrelabel="Deny Relabeling\n"
207	else
208		permitrelabel="Permit Relabeling\n"
209	fi
210}
211
212autobootCheck() {
213	bootmode=$(zonecfg -z $zonename info autoboot)
214	if [[ $bootmode == 'autoboot: true' ]] ; then
215		autoboot="Set Manual Booting\n"
216	else
217		autoboot="Set Automatic Booting\n"
218	fi
219}
220
221newZone() {
222		if [[ ! -n $zonename ]] ; then
223			zonename=$(zenity --entry \
224			    --title="$title" \
225			    --width=330 \
226			    --entry-text="" \
227			    --text="Enter Zone Name: ")
228
229			if [[ ! -n $zonename ]] ; then
230				zonename=global
231				return
232			fi
233		fi
234		zonecfg -z $zonename "create -t SUNWtsoldef;\
235		     set zonepath=/zone/$zonename"
236}
237
238removeZoneBEs() {
239	delopt=$*
240
241	zfs list -H $ZDSET/$zonename 1>/dev/null 2>&1
242	if [ $? = 0 ] ; then
243		for zbe in $(zfs list -rHo name $ZDSET/$zonename|grep ROOT/zbe) ; do
244			zfs destroy $delopt $zbe
245		done
246	fi
247}
248
249updateTemplate () {
250	if [ $hostType = cipso ] ; then
251		template=${zonename}_cipso
252		deflabel=
253	else
254		template=${zonename}_unlab
255		deflabel="def_label=${hexlabel};"
256	fi
257
258	tnzone=$(grep "^${template}:" $TNRHTP 2>/dev/null)
259	if [ $? -eq 0 ] ; then
260		sed -e "/^${template}/d" $TNRHTP > $TXTMP/tnrhtp.$$ 2>/dev/null
261		mv $TXTMP/tnrhtp.$$ $TNRHTP
262	fi
263	print "${template}:host_type=${hostType};doi=1;min_sl=${minlabel};max_sl=${maxlabel};$deflabel" >> $TNRHTP
264	tnctl -t $template
265}
266
267setTNdata () {
268	tnzline="$zonename:${hexlabel}:0::"
269	grep "^$tnzline" $TNZONECFG 1>/dev/null 2>&1
270	if [ $? -eq 1 ] ; then
271		print "$tnzline" >> $TNZONECFG
272	fi
273
274	#
275	# Add matching entries in tnrhtp if necessary
276	#
277	minlabel=admin_low
278	maxlabel=admin_high
279	hostType=cipso
280	updateTemplate
281
282	hostType=unlabeled
283	updateTemplate
284}
285
286selectLabel() {
287	hexlabel=$(tgnome-selectlabel \
288		--title="$title" \
289		--text="$msg_getlabel $zonename zone:" \
290		--min="${DEFAULTLABEL}"  \
291		--default="${DEFAULTLABEL}"  \
292		--max=$(chk_encodings -X) \
293		--accredcheck=yes \
294		--mode=sensitivity \
295		--format=internal)
296	if [ $? = 0 ] ; then
297		x=$(grep -i :{$hexlabel}: $TNZONECFG)
298		if [ $? = 0 ] ; then
299			z=$(print $x|cut -d : -f1)
300			x=$(zenity --error \
301			    --title="$title" \
302			    --text="$msg_inuse $z zone.")
303		else
304			setTNdata
305		fi
306	fi
307}
308
309getLabelRange() {
310	deflabel=$(hextoalabel $hexlabel)
311	minlabel=$(tgnome-selectlabel \
312		--title="$title" \
313		--text="$msg_getmin $zonename zone:" \
314		--min="${DEFAULTLABEL}"  \
315		--max="$deflabel" \
316		--default="$hexlabel" \
317		--accredcheck=no \
318		--mode=sensitivity \
319		--format=internal)
320	[ $? != 0 ] && return
321
322	maxlabel=$(tgnome-selectlabel \
323		--title="$title" \
324		--text="$msg_getmax $zonename zone:" \
325		--min="$deflabel"  \
326		--max=$(chk_encodings -X) \
327		--default="$hexlabel" \
328		--accredcheck=no \
329		--mode=sensitivity \
330		--format=internal)
331	[ $? != 0 ] && return
332
333	hostType=cipso
334	updateTemplate
335}
336
337
338encryptionValues() {
339	echo $(zfs get 2>&1 | grep encryption | sed -e s/^.*YES// -e s/\|//g)
340}
341
342getPassphrase() {
343	pass1=$(zenity --entry --title="$title" --text="Enter passphrase:" \
344	    --width=330 --hide-text)
345	pass2=$(zenity --entry --title="$title" --text="Re-enter passphrase:" \
346	    --width=330 --hide-text)
347	if [[ "$pass1" != "$pass2" ]]; then
348		zenity --error --title="$title" \
349			--text="Passphrases do not match"
350		return ""
351	fi
352	file=$(mktemp)
353	echo "$pass1" > $file
354	echo "$file"
355}
356
357createZDSET() {
358	options=$1
359	pool=${2%%/*}
360
361	# First check if ZFS encrytption support is available
362	pversion=$(zpool list -H -o version $pool)
363	cversion=$(zpool upgrade -v | grep Crypto | awk '{ print $1 }')
364	if (( cversion == 0 || pversion < cversion )); then
365		zfs create $options $ZDSET
366		return
367	fi
368
369	encryption=$(zenity --list --title="$title" --height=320 \
370		--text="Select cipher for encryption of all labels:" \
371		--column="encryption" $(encryptionValues))
372
373	if [[ $? != 0 || $encryption == "off" ]]; then
374		zfs create $options $ZDSET
375		return
376	fi
377
378	format=$(zenity --list --title="$title" \
379		--text "Select encryption key source:" \
380		--column="Key format and location" \
381		"Passphrase" "Generate Key in file")
382	[ $? != 0 ] && exit
383
384	if [[ $format == "Passphrase" ]]; then
385		file=$(getPassphrase)
386		if [[ $file == "" ]]; then
387			exit
388		fi
389		keysource="passphrase,file://$file"
390		removefile=1;
391	elif [[ $format == "Generate Key in file" ]]; then
392		file=$(zenity --file-selection \
393			--title="$title: Location of key file" \
394			--save --confirm-overwrite)
395		[ $? != 0 ] && exit
396		if [[ $encryption == "on" ]]; then
397			keylen=128
398		else
399			t=${encryption#aes-} && keylen=${t%%-*}
400		fi
401		pktool genkey keystore=file keytype=aes \
402		    keylen=$keylen outkey=$file
403		keysource="raw,file:///$file"
404	fi
405
406	options="$options -o encryption=$encryption -o keysource=$keysource"
407	zfs create $options $ZDSET
408	if (( removefile == 1 )); then
409		zfs set keysource=passphrase,prompt $ZDSET
410		rm $file
411	fi
412}
413
414
415initialize() {
416	zonepath=$(zoneadm -z $zonename list -p|cut -d : -f4)
417	ZONE_ETC_DIR=$zonepath/root/etc
418	SYSIDCFG=${ZONE_ETC_DIR}/sysidcfg
419
420	if [ -f /var/ldap/ldap_client_file ] ; then
421		ldapaddress=$(ldapclient list | \
422		    grep "^NS_LDAP_SERVERS" | cut -d " " -f2)
423		print "name_service=LDAP {" > ${SYSIDCFG}
424		domain=$(domainname)
425		print "domain_name=$domain" >> ${SYSIDCFG}
426		profName=$(ldapclient list | \
427		    grep "^NS_LDAP_PROFILE" | cut -d " " -f2)
428		proxyPwd=$(ldapclient list | \
429		    grep "^NS_LDAP_BINDPASSWD" | cut -d " " -f2)
430		proxyDN=$(ldapclient list | \
431		    grep "^NS_LDAP_BINDDN" | cut -d " " -f 2)
432		if [ "$proxyDN" ] ; then
433			print "proxy_dn=\"$proxyDN\"" >> ${SYSIDCFG}
434			print "proxy_password=\"$proxyPwd\"" >> ${SYSIDCFG}
435		fi
436		print "profile=$profName" >> ${SYSIDCFG}
437		print "profile_server=$ldapaddress }" >> ${SYSIDCFG}
438		cp /etc/nsswitch.conf $ZONE_ETC_DIR/nsswitch.ldap
439	else
440		print "name_service=NONE" > ${SYSIDCFG}
441		fi
442	print "security_policy=NONE" >> ${SYSIDCFG}
443	locale=$(locale|grep LANG | cut -d "=" -f2)
444	if [[ -z $locale ]] ; then
445		locale="C"
446	fi
447	print "system_locale=$locale" >> ${SYSIDCFG}
448	timezone=$(grep "^TZ" /etc/default/init|cut -d "=" -f2)
449	print "timezone=$timezone" >> ${SYSIDCFG}
450	print "terminal=vt100" >> ${SYSIDCFG}
451	rootpwd=$(grep "^root:" /etc/shadow|cut -d : -f2)
452
453#	There are two problems with setting the root password:
454#		The zone's shadow file may be read-only
455#		The password contains unparsable characters
456#	so the following line is commented out until this is resolved.
457
458	#print "root_password=$rootpwd" >> ${SYSIDCFG}
459	print "nfs4_domain=dynamic" >> ${SYSIDCFG}
460	print "network_interface=PRIMARY {" >> ${SYSIDCFG}
461
462	net=$(zonecfg -z $zonename info net)
463	ipType=$(zonecfg -z $zonename info ip-type|cut -d" " -f2)
464	if [ $ipType = exclusive ] ; then
465		hostname=$(zenity --entry \
466		    --title="$title" \
467		    --width=330 \
468		    --text="${zonename}0: Enter Hostname or dhcp: ")
469		[ $? != 0 ] && return
470
471		if [ $hostname = dhcp ] ; then
472			print "dhcp" >> ${SYSIDCFG}
473		else
474			print "hostname=$hostname" >> ${SYSIDCFG}
475			ipaddr=$(getent hosts $hostname|cut -f1)
476			if [ $? != 0 ] ; then
477				ipaddr=$(zenity --entry \
478				    --title="$title" \
479				    --text="$nic: Enter IP address: " \
480				    --entry-text a.b.c.d)
481				[ $? != 0 ] && return
482
483				validateIPaddr
484				if [[ -z $ipaddr ]] ; then
485					return
486				fi
487			fi
488			print "ip_address=$ipaddr" >> ${SYSIDCFG}
489			getNetmask
490			print "netmask=$nm" >> ${SYSIDCFG}
491			print "default_route=none" >> ${SYSIDCFG}
492			template=${zonename}_cipso
493			cidr=32
494			updateTnrhdb
495		fi
496	elif [[ -n $net ]] ; then
497		hostname=$(hostname)
498		hostname=$(zenity --entry \
499		    --title="$title" \
500		    --width=330 \
501		    --text="Enter Hostname: " \
502		    --entry-text $hostname)
503		[ $? != 0 ] && return
504
505		print "hostname=$hostname" >> ${SYSIDCFG}
506		ipaddr=$(getent hosts $hostname|cut -f1)
507		if [ $? = 0 ] ; then
508			print "ip_address=$ipaddr" >> ${SYSIDCFG}
509		fi
510	else
511		getAllZoneNICs
512		for i in ${aznics[*]} ; do
513			ipaddr=$(ifconfig $i|grep inet|cut -d " " -f2)
514		done
515		print "hostname=$(hostname)" >> ${SYSIDCFG}
516		print "ip_address=$ipaddr" >> ${SYSIDCFG}
517	fi
518
519	print "protocol_ipv6=no }" >> ${SYSIDCFG}
520	cp /etc/default/nfs ${ZONE_ETC_DIR}/default/nfs
521	touch ${ZONE_ETC_DIR}/.NFS4inst_state.domain
522}
523
524clone() {
525	image=$1
526	if [[ -z $image ]] ; then
527		msg_clone=$(gettext "Clone the $zonename zone using a
528snapshot of one of the following halted zones:")
529		image=$(zenity --list \
530		    --title="$title" \
531		    --text="$msg_clone" \
532		    --height=300 \
533		    --width=330 \
534		    --column="Installed Zones" ${zonelist[*]})
535	fi
536
537	if [[ -n $image ]] ; then
538		removeZoneBEs
539		zoneadm -z $zonename clone $image
540
541		if [ $NSCD_PER_LABEL = 0 ] ; then
542			sharePasswd $zonename
543		else
544			unsharePasswd $zonename
545		fi
546
547		ipType=$(zonecfg -z $zonename info ip-type|cut -d" " -f2)
548		if [ $ipType = exclusive ] ; then
549			zoneadm -z $zonename ready
550			zonepath=$(zoneadm -z $zonename list -p|cut -d : -f4)
551			sys-unconfig -R $zonepath/root 2>/dev/null
552			initialize
553			zoneadm -z $zonename halt
554		fi
555	fi
556}
557
558install() {
559	removeZoneBEs
560	if [ $DISP -eq 0 ] ; then
561		gettext "installing zone $zonename ...\n"
562		zoneadm -z $zonename install
563	else
564		# sleep is needed here to avoid occasional timing
565		# problem with gnome-terminal display...
566		sleep 2
567		gnome-terminal \
568		    --title="$title: Installing $zonename zone" \
569		    --command "zoneadm -z $zonename install" \
570		    --disable-factory \
571		    --hide-menubar
572	fi
573
574	zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
575	if [ $zonestate != installed ] ; then
576		gettext "error installing zone $zonename.\n"
577		return 1
578	fi
579
580	if [ $NSCD_PER_LABEL = 0 ] ; then
581		sharePasswd $zonename
582	else
583		unsharePasswd $zonename
584	fi
585
586	zoneadm -z $zonename ready
587	zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
588	if [ $zonestate != ready ] ; then
589		gettext "error making zone $zonename ready.\n"
590		return 1
591	fi
592
593	initialize
594	zoneadm -z $zonename halt
595}
596
597delete() {
598	delopt=$*
599
600	# if there is an entry for this zone in tnzonecfg, remove it
601	# before deleting the zone.
602
603	tnzone=$(grep "^$zonename:" $TNZONECFG 2>/dev/null)
604	if [ -n "${tnzone}" ] ; then
605		sed -e "/^$zonename:/d" $TNZONECFG > \
606		    $TXTMP/tnzonefg.$$ 2>/dev/null
607		mv $TXTMP/tnzonefg.$$ $TNZONECFG
608	fi
609
610	for tnzone in $(grep ":${zonename}_unlab" $TNRHDB 2>/dev/null) ; do
611		tnctl -dh "$tnzone"
612		sed -e "/:${zonename}_unlab/d" $TNRHDB > \
613		    $TXTMP/tnrhdb.$$ 2>/dev/null
614		mv $TXTMP/tnrhdb.$$ $TNRHDB
615	done
616
617	for tnzone in $(grep "^${zonename}_unlab:" $TNRHTP 2>/dev/null) ; do
618		tnctl -dt ${zonename}_unlab
619		sed -e "/^${zonename}_unlab:/d" $TNRHTP > \
620		    $TXTMP/tnrhtp.$$ 2>/dev/null
621		mv $TXTMP/tnrhtp.$$ $TNRHTP
622	done
623
624	for tnzone in $(grep ":${zonename}_cipso" $TNRHDB 2>/dev/null) ; do
625		tnctl -dh "$tnzone"
626		sed -e "/:${zonename}_cipso/d" $TNRHDB > \
627		    $TXTMP/tnrhdb.$$ 2>/dev/null
628		mv $TXTMP/tnrhdb.$$ $TNRHDB
629	done
630
631	for tnzone in $(grep "^${zonename}_cipso:" $TNRHTP 2>/dev/null) ; do
632		tnctl -dt ${zonename}_cipso
633		sed -e "/^${zonename}_cipso:/d" $TNRHTP > \
634		    $TXTMP/tnrhtp.$$ 2>/dev/null
635		mv $TXTMP/tnrhtp.$$ $TNRHTP
636	done
637
638	zonecfg -z $zonename delete -F
639
640	removeZoneBEs $delopt
641	for snap in $(zfs list -Ho name -t snapshot|grep "\@${zonename}_snap") ; do
642		zfs destroy -R $snap
643	done
644}
645
646validateIPaddr () {
647	OLDIFS=$IFS
648	IFS=.
649	integer octet_cnt=0
650	integer dummy
651	set -A octets $ipaddr
652	IFS=$OLDIFS
653	if [ ${#octets[*]} == 4 ] ; then
654		while (( octet_cnt < ${#octets[*]} )); do
655			dummy=${octets[octet_cnt]}
656			if [ $dummy = ${octets[octet_cnt]} ] ; then
657				if (( dummy >= 0 && \
658				    dummy < 256 )) ; then
659					octet_cnt+=1
660					continue
661				fi
662			else
663			x=$(zenity --error \
664			    --title="$title" \
665			    --text="$ipaddr $msg_badip")
666			ipaddr=
667			return
668			fi
669		done
670	else
671		x=$(zenity --error \
672		    --title="$title" \
673		    --text="$ipaddr $msg_badip")
674		ipaddr=
675	fi
676}
677
678getAllZoneNICs(){
679	integer count=0
680	for i in $(ifconfig -a4|grep  "^[a-z].*:")
681	do
682		print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
683		[ $? -eq 1 ] && continue
684
685		i=${i%:} # Remove colon after interface name
686		for j in $(ifconfig $i)
687		do
688			case $j in
689				all-zones)
690					aznics[count]=$i
691					count+=1
692					;;
693			esac
694		done
695        done
696}
697
698getNetmask() {
699	cidr=
700	nm=$(zenity --entry \
701	    --title="$title" \
702	    --width=330 \
703	    --text="$ipaddr: Enter netmask: " \
704	    --entry-text 255.255.255.0)
705	[ $? != 0 ] && return;
706
707	cidr=$(perl -e 'use Socket; print unpack("%32b*",inet_aton($ARGV[0])), "\n";' $nm)
708}
709
710addNet() {
711	getIPaddr
712	if [[ -z $ipaddr ]] ; then
713		return;
714	fi
715	getNetmask
716	if [[ -z $cidr ]] ; then
717		return;
718	fi
719	zonecfg -z $zonename "add net; \
720	    set address=${ipaddr}/${cidr}; \
721	    set physical=$nic; \
722	    end"
723	template=${zonename}_cipso
724	cidr=32
725	updateTnrhdb
726}
727
728getAttrs() {
729	zone=global
730	type=ignore
731	for j in $(ifconfig $nic)
732	do
733		case $j in
734			inet) type=$j;;
735			zone) type=$j;;
736			all-zones) zone=all-zones;;
737			flags*) flags=$j;;
738			*) case $type in
739				inet) ipaddr=$j ;;
740				zone) zone=$j ;;
741				*) continue ;;
742			   esac;
743			   type=ignore;;
744		esac
745	done
746	if [[ $flags == ~(E).UP, ]] ; then
747		updown=Up
748	else
749		updown=Down
750	fi
751	if [[ $nic == ~(E).: ]] ; then
752		linktype=logical
753	else
754		vnic=$(dladm show-vnic -po link $nic 2>/dev/null)
755		if [[ -n $vnic ]] ; then
756			linktype=virtual
757		else
758			linktype=physical
759		fi
760	fi
761	if [ $ipaddr != 0.0.0.0 ] ; then
762		x=$(grep "^${ipaddr}[^0-9]" $TNRHDB)
763		if [ $? = 1 ] ; then
764			template=cipso
765			cidr=32
766			updateTnrhdb
767		else
768			template=$(print "$x"|cut -d : -f2)
769		fi
770	else
771		template="..."
772		ipaddr="..."
773	fi
774}
775deleteTnrhdbEntry() {
776	remote=$(grep "^${ipaddr}[^0-9]" $TNRHDB)
777	if [ $? = 0 ] ; then
778		ip=$(print $remote|cut -d "/" -f1)
779			if [[ $remote == ~(E)./ ]] ; then
780				pr=$(print $remote|cut -d "/" -f2)
781				remote="$ip\\/$pr"
782			fi
783		sed -e "/^${remote}/d" $TNRHDB > /tmp/tnrhdb.$$ 2>/dev/null
784		mv /tmp/tnrhdb.$$ $TNRHDB
785	fi
786}
787
788updateTnrhdb() {
789	deleteTnrhdbEntry
790	if [[ -n $cidr ]] ; then
791		print "${ipaddr}/$cidr:$template" >> $TNRHDB
792		tnctl -h ${ipaddr}/$cidr:$template
793	else
794		print "${ipaddr}:$template" >> $TNRHDB
795		tnctl -h ${ipaddr}:$template
796	fi
797}
798
799getIPaddr() {
800        hostname=$(zenity --entry \
801            --title="$title" \
802	    --width=330 \
803            --text="$nic: Enter Hostname: ")
804
805        [ $? != 0 ] && return
806
807	ipaddr=$(getent hosts $hostname|cut -f1)
808        if [[ -z $ipaddr ]] ; then
809		ipaddr=$(zenity --entry \
810		    --title="$title" \
811		    --text="$nic: Enter IP address: " \
812		    --entry-text a.b.c.d)
813		[ $? != 0 ] && return
814		validateIPaddr
815	fi
816
817}
818
819addHost() {
820	# Update hosts
821        if [[ -z $ipaddr ]] ; then
822               return;
823	fi
824	grep "^${ipaddr}[^0-9]" /etc/inet/hosts >/dev/null
825	if [ $? -eq 1 ] ; then
826		print "$ipaddr\t$hostname" >> /etc/inet/hosts
827	fi
828
829	template=cipso
830	cidr=32
831	updateTnrhdb
832
833	ifconfig $nic $ipaddr netmask + broadcast +
834	#
835	# TODO: better integration with nwam
836	# TODO: get/set netmask for IP address
837	#
838	print $hostname > /etc/hostname.$nic
839}
840
841createInterface() {
842	msg=$(ifconfig $nic addif 0.0.0.0)
843	$(zenity --info \
844	    --title="$title" \
845	    --text="$msg" )
846	nic=$(print "$msg"|cut -d" " -f5)
847
848}
849
850createVNIC() {
851	if [ $zonename != global ] ; then
852		vnicname=${zonename}0
853	else
854		vnicname=$(zenity --entry \
855		    --title="$title" \
856		    --width=330 \
857		    --entry-text="" \
858		    --text="Enter VNIC Name: ")
859
860		if [[ ! -n $vnicname ]] ; then
861			return
862		fi
863	fi
864	x=$(dladm show-vnic|grep "^$vnicname " )
865	if [[ ! -n $x ]] ; then
866		dladm create-vnic -l $nic $vnicname
867	fi
868	if [ $zonename = global ] ; then
869		ifconfig $vnicname plumb
870	else
871		zonecfg -z $zonename "add net; \
872		    set physical=$vnicname; \
873		    end"
874	fi
875	nic=$vnicname
876}
877
878shareInterface() {
879	#
880	# TODO: better integration with nwam
881	#
882	ifconfig $nic all-zones;\
883	if_file=/etc/hostname.$nic
884	sed q | sed -e "s/$/ all-zones/" < $if_file >$TXTMP/txnetmgr.$$
885	mv $TXTMP/txnetmgr.$$ $if_file
886}
887
888unshareInterface() {
889	#
890	# TODO: better integration with nwam
891	#
892	ifconfig $nic -zone;\
893	if_file=/etc/hostname.$nic
894	sed q | sed -e "s/all-zones/ /" < $if_file >$TXTMP/txnetmgr.$$
895	mv $TXTMP/txnetmgr.$$ $if_file
896}
897
898addTnrhdb() {
899	ipaddr=$(zenity --entry \
900	    --title="$title" \
901	    --width=330 \
902	    --text="Zone:$zonename. Enter IP address of remote host or network: " \
903	    --entry-text a.b.c.d)
904	[ $? != 0 ] && return
905	validateIPaddr
906	if [[ -z $ipaddr ]] ; then
907		return;
908	fi
909	if [ ${octets[3]} = 0 ] ; then
910		nic="$ipaddr"
911		getNetmask
912		if [[ -z $cidr ]] ; then
913			return;
914		fi
915	else
916		cidr=32
917	fi
918	print "${ipaddr}/$cidr:$template" > $TXTMP/tnrhdb_new.$$
919	x=$(tnchkdb -h $TXTMP/tnrhdb_new.$$ 2>$TXTMP/syntax_error.$$)
920	if [ $? = 0 ] ; then
921		updateTnrhdb
922	else
923		syntax=$(cat $TXTMP/syntax_error.$$)
924		x=$(zenity --error \
925		    --title="$title" \
926		    --text="$syntax")
927	fi
928	rm $TXTMP/tnrhdb_new.$$
929	rm $TXTMP/syntax_error.$$
930}
931
932removeTnrhdb() {
933	while (( 1 )) do
934		remotes=$(grep "^[^#][0-9.]" $TNRHDB|grep ":$template"|cut -d : -f1-2|tr : " ")
935		if [ $template = cipso ] ; then
936			templateHeading="from All Zones":
937		else
938			templateHeading="from this Zone":
939		fi
940		if [[ -n $remotes ]] ; then
941			ipaddr=$(zenity --list \
942			    --title="$title" \
943			    --text="$msg_getremote" \
944			    --height=250 \
945			    --width=300 \
946			    --column="Remove Access to:" \
947			    --column="$templateHeading" \
948			    $remotes)
949
950			if [[ -n $ipaddr ]] ; then
951				deleteTnrhdbEntry
952				tnctl -dh ${ip}:$template
953			else
954				return
955			fi
956		else
957			return
958		fi
959	done
960}
961
962setMLPs() {
963	tnzone=$(grep "^$zonename:" $TNZONECFG 2>/dev/null)
964	zoneMLPs=:$(print "$tnzone"|cut -d : -f4)
965	sharedMLPs=:$(print "$tnzone"|cut -d : -f5)
966	attrs="Private Interfaces$zoneMLPs\nShared Interfaces$sharedMLPs"
967	ports=$(print "$attrs"|zenity --list \
968	    --title="$title" \
969	    --height=200 \
970	    --width=450 \
971	    --text="Zone: $zonename\nClick once to select, twice to edit.\nShift-click to select both rows." \
972	    --column="Multilevel Ports (example: 80-81/tcp;111/udp;)" \
973	    --editable \
974	    --multiple
975	    )
976
977	if [[ -z $ports ]] ; then
978		return
979	fi
980
981	# getopts needs another a blank and another dash
982	ports=--$(print "$ports"|sed 's/ //g'|sed 's/|/ --/g'|sed 's/Interfaces:/ :/g')
983
984	OPTIND=1
985	while getopts "z:(Private)s:(Shared)" opt $ports ; do
986		case $opt in
987			z) zoneMLPs=$OPTARG ;;
988			s) sharedMLPs=$OPTARG ;;
989		esac
990	done
991
992	sed -e "/^$zonename:*/d" $TNZONECFG > $TXTMP/tnzonecfg.$$ 2>/dev/null
993	tnzone=$(print "$tnzone"|cut -d : -f1-3)
994	echo "${tnzone}${zoneMLPs}${sharedMLPs}" >> $TXTMP/tnzonecfg.$$
995
996	x=$(tnchkdb -z $TXTMP/tnzonecfg.$$ 2>$TXTMP/syntax_error.$$)
997
998	if [ $? = 0 ] ; then
999		mv $TXTMP/tnzonecfg.$$ $TNZONECFG
1000		zenity --info \
1001		    --title="$title" \
1002		    --text="Multilevel ports for the $zonename zone\nwill be interpreted on next reboot."
1003		if [ $zonename != global ] ; then
1004			getLabelRange
1005		fi
1006	else
1007		syntax=$(cat $TXTMP/syntax_error.$$)
1008		x=$(zenity --error \
1009		    --title="$title" \
1010		    --text="$syntax")
1011		rm $TXTMP/tnzonecfg.$$
1012	fi
1013	rm $TXTMP/syntax_error.$$
1014}
1015
1016enableAuthentication() {
1017	integer file_cnt=0
1018
1019	zonepath=$(zoneadm -z $1 list -p|cut -d : -f4)
1020	ZONE_ETC_DIR=$zonepath/root/etc
1021
1022	# If the zone's shadow file was previously read-only
1023	# there may be no root password entry for this zone.
1024	# If so, replace the root password entry with the global zone's.
1025
1026	entry=$(grep ^root:: $ZONE_ETC_DIR/shadow)
1027	if [ $? -eq 0 ] ; then
1028		grep ^root: /etc/shadow > $TXTMP/shadow.$$
1029		sed -e "/^root::/d" $ZONE_ETC_DIR/shadow >> \
1030		    $TXTMP/shadow.$$ 2>/dev/null
1031		mv $TXTMP/shadow.$$ $ZONE_ETC_DIR/shadow
1032		chmod 400 $ZONE_ETC_DIR/shadow
1033	fi
1034
1035	if [ $LOGNAME = "root" ]; then
1036		return
1037	fi
1038
1039	file[0]="passwd"
1040	file[1]="shadow"
1041	file[2]="user_attr"
1042	#
1043	# Add the user who assumed the root role to each installed zone
1044	#
1045	while (( file_cnt < ${#file[*]} )); do
1046		exists=$(grep "^${LOGNAME}:" \
1047		    $ZONE_ETC_DIR/${file[file_cnt]} >/dev/null)
1048		if [ $? -ne 0 ] ; then
1049			entry=$(grep "^${LOGNAME}:" \
1050			    /etc/${file[file_cnt]})
1051			if [ $? -eq 0 ] ; then
1052				print "$entry" >> \
1053				    $ZONE_ETC_DIR/${file[file_cnt]}
1054			fi
1055		fi
1056		file_cnt+=1
1057	done
1058	chmod 400 $ZONE_ETC_DIR/shadow
1059}
1060
1061unsharePasswd() {
1062	zonecfg -z $1 remove fs dir=/etc/passwd >/dev/null 2>&1 | grep -v such
1063	zonecfg -z $1 remove fs dir=/etc/shadow >/dev/null 2>&1 | grep -v such
1064	zoneadm -z $1 ready >/dev/null 2>&1
1065	if [ $? -eq 0 ] ; then
1066		enableAuthentication $1
1067		zoneadm -z $1 halt >/dev/null 2>&1
1068	else
1069		echo Skipping $1
1070	fi
1071}
1072
1073sharePasswd() {
1074	passwd=$(zonecfg -z $1 info|grep /etc/passwd)
1075	if [ $? -eq 1 ] ; then
1076		zonecfg -z $1 "add fs; \
1077		    set special=/etc/passwd; \
1078		    set dir=/etc/passwd; \
1079		    set type=lofs; \
1080		    add options ro; \
1081		    end; \
1082		    add fs; \
1083		    set special=/etc/shadow; \
1084		    set dir=/etc/shadow; \
1085		    set type=lofs; \
1086		    add options ro; \
1087		    end"
1088	fi
1089	zoneadm -z $1 halt >/dev/null 2>&1
1090}
1091
1092# This routine is a toggle -- if we find it configured for global nscd,
1093# change to nscd-per-label and vice-versa.
1094#
1095# The user was presented with only the choice to CHANGE the existing
1096# configuration.
1097
1098manageNscd() {
1099	if [ $NSCD_PER_LABEL -eq 0 ] ; then
1100		# this MUST be a regular file for svc-nscd to detect
1101		touch $NSCD_INDICATOR
1102		NSCD_OPT="Unconfigure per-zone name service"
1103		NSCD_PER_LABEL=1
1104		for i in $(zoneadm list -i | grep -v global) ; do
1105			zoneadm -z $i halt >/dev/null 2>&1
1106			unsharePasswd $i
1107		done
1108	else
1109		rm -f $NSCD_INDICATOR
1110		NSCD_OPT="Configure per-zone name service"
1111		NSCD_PER_LABEL=0
1112		for i in $(zoneadm list -i | grep -v global) ; do
1113			zoneadm -z $i halt >/dev/null 2>&1
1114			sharePasswd $i
1115		done
1116	fi
1117}
1118
1119manageZoneNets () {
1120	ncmds[0]="Only use all-zones interfaces"
1121	ncmds[1]="Add a logical interface"
1122	ncmds[2]="Add a virtual interface (VNIC)"
1123
1124	stacks[0]="Shared Stack"
1125	stacks[1]="Exclusive Stack"
1126
1127	getAllZoneNICs
1128	netOps[0]="1\n${ncmds[0]}\nShared Stack\n${aznics[*]}"
1129
1130	integer nic_cnt=0
1131	integer netOp_cnt=2
1132
1133	set -A nics $(dladm show-phys|grep -v LINK|cut -f1 -d " ")
1134
1135	while (( nic_cnt < ${#nics[*]} )); do
1136		netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[1]}\n${stacks[0]}\n${nics[nic_cnt]}"
1137		netOp_cnt+=1
1138		netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[2]}\n${stacks[1]}\n${nics[nic_cnt]}"
1139		netOp_cnt+=1
1140		nic_cnt+=1
1141	done
1142
1143	netOp=$(print "${netOps[*]}"|zenity --list \
1144	    --title="$title" \
1145	    --text="$msg_getnet $zonename zone:" \
1146	    --height=300 \
1147	    --width=500 \
1148	    --column="#" \
1149	    --column="Network Configuration " \
1150	    --column="IP Type" \
1151	    --column="Available Interfaces" \
1152	    --hide-column=1
1153	)
1154
1155	# User picked cancel or no selection
1156	if [[ -z $netOp ]] ; then
1157		return
1158	fi
1159
1160	# All-zones is the default, so just return
1161	if [ $netOp = 1 ] ; then
1162		return
1163	fi
1164
1165	cmd=$(print "${netOps[$netOp - 1]}"|tr '\n' ';' |cut -d';' -f 3)
1166	nic=$(print "${netOps[$netOp - 1]}"|tr '\n' ';' |cut -d';' -f 5)
1167	case $cmd in
1168	    ${ncmds[1]} )
1169		addNet;
1170		;;
1171	    ${ncmds[2]} )
1172		zonecfg -z $zonename set ip-type=exclusive
1173		createVNIC
1174		;;
1175	esac
1176}
1177
1178manageInterface () {
1179	while (( 1 )) do
1180		getAttrs
1181
1182		# Clear list of commands
1183
1184		share=
1185		setipaddr=
1186		newlogical=
1187		newvnic=
1188		unplumb=
1189		bringup=
1190		bringdown=
1191
1192		if [ $updown = Down ] ; then
1193			bringup="Bring Up\n"
1194		else
1195			bringdown="Bring Down\n"
1196		fi
1197
1198		case $linktype in
1199		physical )
1200			newlogical="Create Logical Interface...\n";
1201			newvnic="Create Virtual Interface (VNIC)...\n";
1202			;;
1203		logical )
1204			unplumb="Remove Logical Interface\n"
1205			;;
1206		virtual )
1207			newlogical="Create Logical Interface...\n";
1208			unplumb="Remove Virtual Interface\n" ;
1209			;;
1210		esac
1211
1212		if [ $ipaddr = "..." ] ; then
1213			setipaddr="Set IP address...\n"
1214		elif [ $zone != all-zones ] ; then
1215			share="Share with Shared-IP Zones\n"
1216		else
1217			share="Remove from Shared-IP Zones\n"
1218		fi
1219
1220		command=$(print ""\
1221		    $share \
1222		    $setipaddr \
1223		    $newlogical \
1224		    $newvnic \
1225		    $unplumb \
1226		    $bringup \
1227		    $bringdown \
1228		    | zenity --list \
1229		    --title="$title" \
1230		    --text="Select a command from the list below:" \
1231		    --height=300 \
1232		    --column "Interface: $nic" )
1233
1234		case $command in
1235		    " Create Logical Interface...")
1236			createInterface;;
1237		    " Create Virtual Interface (VNIC)...")
1238			createVNIC ;;
1239		    " Set IP address...")
1240			getIPaddr
1241			addHost;;
1242		    " Share with Shared-IP Zones")
1243			shareInterface;;
1244		    " Remove from Shared-IP Zones")
1245			unshareInterface;;
1246		    " Remove Logical Interface")
1247			ifconfig $nic unplumb
1248			rm -f /etc/hostname.$nic
1249			return;;
1250		    " Remove Virtual Interface")
1251			ifconfig $nic unplumb
1252			dladm delete-vnic $nic
1253			rm -f /etc/hostname.$nic
1254			return;;
1255		    " Bring Up")
1256			ifconfig $nic up;;
1257		    " Bring Down")
1258			ifconfig $nic down;;
1259		    *) return;;
1260		esac
1261	done
1262}
1263
1264sharePrimaryNic() {
1265	set -A ip $(getent hosts $(cat /etc/nodename))
1266	for i in $(ifconfig -au4|grep  "^[a-z].*:" |grep -v LOOPBACK)
1267	do
1268		print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
1269		[ $? -eq 1 ] && continue
1270
1271		nic=${i%:} # Remove colon after interface name
1272		getAttrs
1273		if [ ${ip[0]} = $ipaddr ]; then
1274			shareInterface
1275			break
1276		fi
1277	done
1278}
1279
1280manageNets() {
1281	while (( 1 )) do
1282		attrs=
1283		for i in $(ifconfig -a4|grep  "^[a-z].*:" |grep -v LOOPBACK)
1284		do
1285			print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
1286			[ $? -eq 1 ] && continue
1287
1288			nic=${i%:} # Remove colon after interface name
1289			getAttrs
1290			attrs="$nic $linktype $zone $ipaddr $template $updown $attrs"
1291		done
1292
1293		nic=$(zenity --list \
1294		    --title="$title" \
1295		    --text="Select an interface from the list below:" \
1296		    --height=300 \
1297		    --width=500 \
1298		    --column="Interface" \
1299		    --column="Type" \
1300		    --column="Zone Name" \
1301		    --column="IP Address" \
1302		    --column="Template" \
1303		    --column="State" \
1304		    $attrs)
1305
1306		if [[ -z $nic ]] ; then
1307			return
1308		fi
1309		manageInterface
1310	done
1311}
1312
1313createLDAPclient() {
1314	ldaptitle="$title: Create LDAP Client"
1315	ldapdomain=$(zenity --entry \
1316	    --width=400 \
1317	    --title="$ldaptitle" \
1318	    --text="Enter Domain Name: ")
1319	if [[ -n $ldapdomain ]] ; then
1320	ldapserver=$(zenity --entry \
1321	    --width=400 \
1322	    --title="$ldaptitle" \
1323	    --text="Enter Hostname of LDAP Server: ")
1324	else
1325		return
1326	fi
1327	if [[ -n $ldapserver ]] ; then
1328	ldapserveraddr=$(zenity --entry \
1329	    --width=400 \
1330	    --title="$ldaptitle" \
1331	    --text="Enter IP adddress of LDAP Server $ldapserver: ")
1332	else
1333		return
1334	fi
1335	ldappassword=""
1336	while [[ -z ${ldappassword} || "x$ldappassword" != "x$ldappasswordconfirm" ]] ; do
1337	    ldappassword=$(zenity --entry \
1338		--width=400 \
1339		--title="$ldaptitle" \
1340		--hide-text \
1341		--text="Enter LDAP Proxy Password:")
1342	    ldappasswordconfirm=$(zenity --entry \
1343		--width=400 \
1344		--title="$ldaptitle" \
1345		--hide-text \
1346		--text="Confirm LDAP Proxy Password:")
1347	done
1348	ldapprofile=$(zenity --entry \
1349	    --width=400 \
1350	    --title="$ldaptitle" \
1351	    --text="Enter LDAP Profile Name: ")
1352	whatnext=$(zenity --list \
1353	    --width=400 \
1354	    --height=250 \
1355	    --title="$ldaptitle" \
1356	    --text="Proceed to create LDAP Client?" \
1357	    --column=Parameter --column=Value \
1358	    "Domain Name" "$ldapdomain" \
1359	    "Hostname" "$ldapserver" \
1360	    "IP Address" "$ldapserveraddr" \
1361	    "Password" "$(print "$ldappassword" | sed 's/./*/g')" \
1362	    "Profile" "$ldapprofile")
1363	[ $? != 0 ] && return
1364
1365	grep "^${ldapserveraddr}[^0-9]" /etc/hosts > /dev/null
1366	if [ $? -eq 1 ] ; then
1367		print "$ldapserveraddr $ldapserver" >> /etc/hosts
1368	fi
1369
1370	grep "${ldapserver}:" $TNRHDB > /dev/null
1371	if [ $? -eq 1 ] ; then
1372		print "# ${ldapserver} - ldap server" \
1373		    >> $TNRHDB
1374		print "${ldapserveraddr}:cipso" \
1375		    >> $TNRHDB
1376		tnctl -h "${ldapserveraddr}:cipso"
1377	fi
1378
1379	proxyDN=$(print $ldapdomain|awk -F"." \
1380	    "{ ORS = \"\" } { for (i = 1; i < NF; i++) print \"dc=\"\\\$i\",\" }{ print \"dc=\"\\\$NF }")
1381
1382	zenity --info \
1383	    --title="$ldaptitle" \
1384	    --width=500 \
1385	    --text="global zone will be LDAP client of $ldapserver"
1386
1387	ldapout=$TXTMP/ldapclient.$$
1388
1389	ldapclient init -a profileName="$ldapprofile" \
1390	    -a domainName="$ldapdomain" \
1391	    -a proxyDN"=cn=proxyagent,ou=profile,$proxyDN" \
1392	    -a proxyPassword="$ldappassword" \
1393	    "$ldapserveraddr" >$ldapout 2>&1
1394
1395	if [ $? -eq 0 ] ; then
1396	    ldapstatus=Success
1397	else
1398	    ldapstatus=Error
1399	fi
1400
1401	zenity --text-info \
1402	    --width=700 \
1403	    --height=300 \
1404	    --title="$ldaptitle: $ldapstatus" \
1405	    --filename=$ldapout
1406
1407	rm -f $ldapout
1408
1409
1410}
1411
1412tearDownZones() {
1413	if [ $DISP -eq 0 ] ; then
1414		if [ $FORCE -eq 0 ] ; then
1415			gettext "OK to destroy all zones [y|N]? "
1416			read ans
1417			printf "%s\n" "$ans" \
1418			    | /usr/bin/grep -Eq "$(locale yesexpr)"
1419			if [ $? -ne 0 ] ; then
1420				gettext "canceled.\n"
1421				return 1
1422			fi
1423		fi
1424		gettext "destroying all zones ...\n"
1425	else
1426		killall=$(zenity --question \
1427		    --title="$title" \
1428		    --width=330 \
1429		    --text="$msg_confirmkill")
1430		if [[ $? != 0 ]]; then
1431			return
1432		fi
1433	fi
1434
1435	for p in $(zoneadm list -cp|grep -v global:) ; do
1436		zonename=$(echo "$p"|cut -d : -f2)
1437		if [ $DISP -eq 0 ] ; then
1438			gettext "destroying zone $zonename ...\n"
1439		fi
1440		zoneadm -z $zonename halt 1>/dev/null 2>&1
1441		zoneadm -z $zonename uninstall -F 1>/dev/null 2>&1
1442		delete -rRf
1443	done
1444	zonename=global
1445}
1446
1447createDefaultZones() {
1448	# If GUI display is not used, skip the dialog
1449	if [ $DISP -eq 0 ] ; then
1450		createDefaultPublic
1451		if [ $? -ne 0 ] ; then
1452			return 1
1453		fi
1454		createDefaultInternal
1455		return
1456	fi
1457
1458	msg_choose1=$(gettext "Choose one:")
1459	defpub=$(gettext "$PUBZONE zone only")
1460	defboth=$(gettext "$PUBZONE and $INTZONE zones")
1461	defskip=$(gettext "Main Menu...")
1462	command=$(echo ""\
1463	    "$defpub\n" \
1464	    "$defboth\n" \
1465	    "$defskip\n" \
1466	    | zenity --list \
1467	    --title="$title" \
1468	    --text="$msg_defzones" \
1469	    --column="$msg_choose1" \
1470	    --height=400 \
1471	    --width=330 )
1472
1473	case $command in
1474	    " $defpub")
1475		createDefaultPublic ;;
1476
1477	    " $defboth")
1478		createDefaultPublic
1479		if [ $? -ne 0 ] ; then
1480			return 1
1481		fi
1482		createDefaultInternal ;;
1483
1484	    *)
1485		return;;
1486	esac
1487}
1488
1489createDefaultPublic() {
1490	zonename=$PUBZONE
1491	if [ $DISP -eq 0 ] ; then
1492		gettext "creating default $zonename zone ...\n"
1493	fi
1494	newZone
1495	zone_cnt+=1
1496	hexlabel=$DEFAULTLABEL
1497	setTNdata
1498	sharePrimaryNic
1499
1500	install
1501	if [ $? -ne 0 ] ; then
1502		return 1
1503	fi
1504
1505	if [ $DISP -eq 0 ] ; then
1506		gettext "booting zone $zonename ...\n"
1507		zoneadm -z $zonename boot
1508	else
1509		zoneadm -z $zonename boot &
1510		gnome-terminal \
1511		    --disable-factory \
1512		    --title="Zone Console: $zonename $msg_continue" \
1513		    --command "zlogin -C $zonename"
1514	fi
1515}
1516
1517createDefaultInternal() {
1518	zoneadm -z $PUBZONE halt
1519
1520	zonename=snapshot
1521	newZone
1522	zone_cnt+=1
1523	zonecfg -z $zonename set autoboot=false
1524
1525	clone $PUBZONE
1526	zoneadm -z $PUBZONE boot &
1527
1528	zonename=$INTZONE
1529	if [ $DISP -eq 0 ] ; then
1530		gettext "creating default $zonename zone ...\n"
1531	fi
1532	newZone
1533	zone_cnt+=1
1534
1535	hexlabel=$INTLABEL
1536	x=$(grep -i :{$hexlabel}: $TNZONECFG)
1537	if [ $? = 0 ] ; then
1538		z=$(print $x|cut -d : -f1)
1539		echo "$msg_inuse $z zone."
1540	else
1541		setTNdata
1542	fi
1543
1544	clone snapshot
1545	if [ $DISP -eq 0 ] ; then
1546		gettext "booting zone $zonename ...\n"
1547	else
1548		gnome-terminal \
1549		    --title="Zone Console: $zonename" \
1550		    --command "zlogin -C $zonename" &
1551	fi
1552	zoneadm -z $zonename boot &
1553}
1554
1555selectZone() {
1556	set -A zonelist "global\nrunning\nADMIN_HIGH"
1557	integer zone_cnt=1
1558
1559	for p in $(zoneadm list -cp|grep -v global:) ; do
1560		zone_cnt+=1
1561	done
1562	if [ $zone_cnt == 1 ] ; then
1563		createDefaultZones
1564	fi
1565	if [ $zone_cnt == 1 ] ; then
1566		zonename=global
1567		singleZone
1568		return
1569	fi
1570
1571	zone_cnt=1
1572	for p in $(zoneadm list -cp|grep -v global:) ; do
1573		zonename=$(echo "$p"|cut -d : -f2)
1574		state=$(echo "$p"|cut -d : -f3)
1575		hexlabel=$(grep "^$zonename:" $TNZONECFG|cut -d : -f2)
1576		if [[ $hexlabel ]] ; then
1577			curlabel=$(hextoalabel $hexlabel)
1578		else
1579			curlabel=...
1580		fi
1581		zonelist[zone_cnt]="\n$zonename\n$state\n$curlabel"
1582		zone_cnt+=1
1583	done
1584	zonename=$(print "${zonelist[*]}"|zenity --list \
1585	    --title="$title" \
1586	    --text="$msg_getzone" \
1587	    --height=300 \
1588	    --width=500 \
1589	    --column="Zone Name" \
1590	    --column="Status" \
1591	    --column="Sensitivity Label" \
1592	)
1593
1594	# if the menu choice was a zonename, pop up zone menu
1595	if [[ -n $zonename ]] ; then
1596		singleZone
1597	else
1598		exit
1599	fi
1600}
1601
1602# Loop for single-zone menu
1603singleZone() {
1604
1605	while (( 1 )) do
1606		# Clear list of commands
1607
1608		console=
1609		label=
1610		start=
1611		reboot=
1612		stop=
1613		clone=
1614		install=
1615		ready=
1616		uninstall=
1617		autoboot=
1618		delete=
1619		deletenet=
1620		permitrelabel=
1621
1622		if [ $zone_cnt -gt 1 ] ; then
1623			killZones="Destroy all zones...\n"
1624			xit="Select another zone..."
1625		else
1626			killZones=
1627			xit="Exit"
1628		fi
1629		if [ $zonename = global ] ; then
1630			ldapClient="Create LDAP Client...\n"
1631			nscdOpt="$NSCD_OPT\n"
1632			createZone="Create a new zone...\n"
1633			addnet="Configure Network Interfaces...\n"
1634		else
1635			ldapClient=
1636			nscdOpt=
1637			createZone=
1638			addnet=
1639			killZones=
1640		fi
1641
1642		zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
1643
1644		consoleCheck;
1645		labelCheck;
1646		delay=0
1647
1648		if [ $zonename != global ] ; then
1649			case $zonestate in
1650				running)
1651					ready="Ready\n"
1652					reboot="Reboot\n"
1653					stop="Halt\n"
1654					;;
1655				ready)
1656					start="Boot\n"
1657					stop="Halt\n"
1658					;;
1659				installed)
1660					if [[ -z $label ]] ; then
1661						ready="Ready\n"
1662						start="Boot\n"
1663					fi
1664					uninstall="Uninstall\n"
1665					relabelCheck
1666					autobootCheck
1667					;;
1668				configured)
1669					install="Install...\n"
1670					cloneCheck
1671					delete="Delete\n"
1672					console=
1673					;;
1674				incomplete)
1675					uninstall="Uninstall\n"
1676					;;
1677				*)
1678				;;
1679			esac
1680		fi
1681
1682		command=$(echo ""\
1683		    $createZone \
1684		    $console \
1685		    $label \
1686		    $start \
1687		    $reboot \
1688		    $stop \
1689		    $clone \
1690		    $install \
1691		    $ready \
1692		    $uninstall \
1693		    $delete \
1694		    $addnet \
1695		    $deletenet \
1696		    $addremotehost \
1697		    $addcipsohost \
1698		    $removeremotehost \
1699		    $removecipsohost \
1700		    $setmlps \
1701		    $permitrelabel \
1702		    $autoboot \
1703		    $ldapClient \
1704		    $nscdOpt \
1705		    $killZones \
1706		    $xit \
1707		    | zenity --list \
1708		    --title="$title" \
1709		    --text="$msg_getcmd" \
1710		    --height=400 \
1711		    --width=330 \
1712		    --column "Zone: $zonename   Status: $zonestate" )
1713
1714		case $command in
1715		    " Create a new zone...")
1716			zonename=
1717			newZone ;;
1718
1719		    " Zone Console...")
1720			delay=2
1721			gnome-terminal \
1722			    --title="Zone Console: $zonename" \
1723			    --command "zlogin -C $zonename" & ;;
1724
1725		    " Select Label...")
1726			selectLabel;;
1727
1728		    " Ready")
1729			zoneadm -z $zonename ready ;;
1730
1731		    " Boot")
1732			zoneadm -z $zonename boot ;;
1733
1734		    " Halt")
1735			zoneadm -z $zonename halt ;;
1736
1737		    " Reboot")
1738			zoneadm -z $zonename reboot ;;
1739
1740		    " Install...")
1741			install;;
1742
1743		    " Clone...")
1744			clone ;;
1745
1746		    " Uninstall")
1747			zoneadm -z $zonename uninstall -F;;
1748
1749		    " Delete")
1750			delete
1751			return ;;
1752
1753		    " Configure Network Interfaces...")
1754			if [ $zonename = global ] ; then
1755				manageNets
1756			else
1757				manageZoneNets
1758			fi;;
1759
1760		    " Add Single-level Access to Remote Host...")
1761			addTnrhdb ;;
1762
1763		    " Add Multilevel Access to Remote Host...")
1764			template=cipso
1765			addTnrhdb ;;
1766
1767		    " Remove Single-level Access to Remote Host...")
1768			removeTnrhdb ;;
1769
1770		    " Remove Multilevel Access to Remote Host...")
1771			template=cipso
1772			removeTnrhdb ;;
1773
1774		    " Configure Multilevel Ports...")
1775			setMLPs;;
1776
1777		    " Permit Relabeling")
1778			zonecfg -z $zonename set limitpriv=default,\
1779win_mac_read,win_mac_write,win_selection,win_dac_read,win_dac_write,\
1780file_downgrade_sl,file_upgrade_sl,sys_trans_label ;;
1781
1782		    " Deny Relabeling")
1783			zonecfg -z $zonename set limitpriv=default ;;
1784
1785		    " Set Automatic Booting")
1786			zonecfg -z $zonename set autoboot=true ;;
1787
1788		    " Set Manual Booting")
1789			zonecfg -z $zonename set autoboot=false ;;
1790
1791		    " Create LDAP Client...")
1792			createLDAPclient ;;
1793
1794		    " Configure per-zone name service")
1795			manageNscd ;;
1796
1797		    " Unconfigure per-zone name service")
1798			manageNscd ;;
1799
1800		    " Destroy all zones...")
1801			tearDownZones
1802			return ;;
1803
1804		    *)
1805			if [ $zone_cnt == 1 ] ; then
1806				exit
1807			else
1808				return
1809			fi;;
1810		esac
1811		sleep $delay;
1812	done
1813}
1814
1815# Main loop for top-level window
1816#
1817
1818/usr/bin/plabel $$ 1>/dev/null 2>&1
1819if [ $? != 0 ] ; then
1820	gettext "$0 : Trusted Extensions must be enabled.\n"
1821	exit 1
1822fi
1823
1824myzone=$(/sbin/zonename)
1825if [ $myzone != "global" ] ; then
1826	gettext "$0 : must be in global zone to run.\n"
1827	exit 1
1828fi
1829
1830
1831process_options "$@" || exit
1832
1833mkdir $TXTMP 2>/dev/null
1834deflabel=$(chk_encodings -a|grep "Default User Sensitivity"|\
1835   sed 's/= /=/'|sed 's/"/'''/g|cut -d"=" -f2)
1836DEFAULTLABEL=$(atohexlabel ${deflabel})
1837intlabel=$(chk_encodings -a|grep "Default User Clearance"|\
1838   sed 's/= /=/'|sed 's/"/'''/g|cut -d"=" -f2)
1839INTLABEL=$(atohexlabel -c "${intlabel}")
1840
1841# are there any zfs pools?
1842ZDSET=none
1843zpool iostat 1>/dev/null 2>&1
1844if [ $? = 0 ] ; then
1845	# is there a zfs pool named "zone"?
1846	zpool list -H zone 1>/dev/null 2>&1
1847	if [ $? = 0 ] ; then
1848		# yes
1849		ZDSET=zone
1850	else
1851		# no, but is there a root pool?
1852		rootfs=$(df -n / | awk '{print $3}')
1853		if [ $rootfs = "zfs" ] ; then
1854			# yes, use it
1855			ZDSET=$(zfs list -Ho name / | cut -d/ -f 1)/zones
1856			zfs list -H $ZDSET 1>/dev/null 2>&1
1857			if [ $? = 1 ] ; then
1858				createZDSET "-o mountpoint=/zone" $ZDSET
1859			fi
1860		fi
1861	fi
1862fi
1863
1864if [ $DISP -eq 0 ] ; then
1865	gettext "non-interactive mode ...\n"
1866
1867	if [ $DESTROYZONES -eq 1 ] ; then
1868		tearDownZones
1869	fi
1870
1871	if [ $CREATEDEF -eq 1 ] ; then
1872		if [[ $(zoneadm list -c) == global ]] ; then
1873			createDefaultZones
1874		else
1875			gettext "cannot create default zones because there are existing zones.\n"
1876		fi
1877	fi
1878
1879	exit
1880fi
1881
1882if [ $NSCD_PER_LABEL -eq 0 ] ; then
1883	NSCD_OPT="Configure per-zone name service"
1884else
1885	NSCD_OPT="Unconfigure per-zone name service"
1886fi
1887
1888
1889while (( 1 )) do
1890	selectZone
1891done
1892