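#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident	"%Z%%M%	%I%	%E% SMI"

#
# SMF method script for the Trusted Extensions label daemon (labeld).
#
# Invoked as:  <method> start [-R rootpath]
#              <method> stop
#
# "start" enables Trusted Extensions on the running system, or on an
# alternate root given with -R (the jumpstart case): it sets sys_labeling
# in etc/system, comments out the removable-device entries in
# etc/logindevperm, runs bsmconv, appends Trusted Extensions entries to
# etc/pam.conf, queues dependent services in var/svc/profile/upgrade,
# rebuilds the boot archive and then starts labeld.  "stop" undoes the
# etc/system, logindevperm and pam.conf changes, disables the dependent
# services and kills labeld; the bsmconv and nscd changes are left in place.
#
# The SMF_EXIT_* codes and the smf_* helpers come from smf_include.sh.
# The script is written for /sbin/sh (Bourne): no local, [[ ]] or $( ).
#

. /lib/svc/share/smf_include.sh

# Fix PATH before anything below runs, so sed/grep/cp/mktemp resolve to
# the system copies regardless of the inherited environment.
PATH=/usr/sbin:/usr/bin; export PATH

#
# Argument handling.  Only "start" accepts -R rootpath; the root must
# exist and "/" is treated the same as no -R at all.
#
ROOT_PATH=""
if [ $# -gt 1 ]; then
	if [ $# -ne 3 ] || [ "$2" != "-R" ]; then
		echo "$0: invalid syntax"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	if [ "$3" != "/" ]; then
		ROOT_PATH="$3"
	fi
fi
if [ -n "$ROOT_PATH" ] && [ "$1" != "start" ]; then
	echo "$0: invalid syntax: -R allowed for start method only"
	exit $SMF_EXIT_ERR_CONFIG
fi
if [ -n "$ROOT_PATH" ] && [ ! -d "$ROOT_PATH" ]; then
	echo "$0: invalid -R rootpath dir specified"
	exit $SMF_EXIT_ERR_CONFIG
fi

if smf_is_nonglobalzone; then
	echo "$0: not supported in a local zone"
	exit $SMF_EXIT_ERR_CONFIG
fi

#
# Private scratch directory shared by the helpers below.
#
# This script runs as root and rewrites /etc/system, /etc/logindevperm and
# /etc/pam.conf through scratch copies.  Scratch files named /tmp/<x>.$$
# and created with a plain ">" redirection are predictable and follow
# symlinks, so a local user who pre-creates the name controls where root
# writes; a mktemp -d directory (mode 0700, unpredictable name) removes
# that exposure.  The directory is created on first use and removed by
# the exit trap on every exit path, including the exit $SMF_EXIT_ERR_*
# calls inside the helpers.
#
TX_TMPDIR=""

need_tmpdir()
{
	if [ -n "$TX_TMPDIR" ]; then
		return
	fi
	TX_TMPDIR=`mktemp -d /tmp/labeld.XXXXXX`
	if [ -z "$TX_TMPDIR" ] || [ ! -d "$TX_TMPDIR" ]; then
		echo "$0: cannot create scratch directory in /tmp"
		exit $SMF_EXIT_ERR_FATAL
	fi
	trap '[ -n "$TX_TMPDIR" ] && rm -rf "$TX_TMPDIR"' 0
}

#
# rewrite_logindev FROM TO
#
# Rewrite the audio, usb, removable-media and hotpluggable entries of
# $ROOT_PATH/etc/logindevperm, replacing the prefix FROM with TO at the
# start of each matching line.  Called as ("" "#") to comment the entries
# out and ("#" "") to restore them.  Does nothing if the file is absent.
# The file is updated with cp so it keeps its owner and mode, and only
# after sed succeeded, so a sed failure cannot leave it truncated.
#
rewrite_logindev()
{
	from="$1"
	to="$2"
	LOGINDEVPERM="$ROOT_PATH/etc/logindevperm"
	if [ ! -f "$LOGINDEVPERM" ]; then
		return
	fi
	need_tmpdir
	for line in \
	    "/dev/console 0600 /dev/sound/" \
	    "/dev/console 0400 /dev/removable-media/" \
	    "/dev/console 0400 /dev/hotpluggable/" \
	    "/dev/console 0600 /dev/usb/\[0-9a-f\]" \
	; do
		sed -e "s!^$from$line!$to$line!" "$LOGINDEVPERM" \
		    > "$TX_TMPDIR/logindevperm" || return
		cp "$TX_TMPDIR/logindevperm" "$LOGINDEVPERM" || return
	done
}

# Comment out the removable-device entries in /etc/logindevperm.
do_logindev()
{
	rewrite_logindev "" "#"
}

#
# Queue the services Trusted Extensions depends on for enabling at the
# next boot by appending to the upgrade profile script.  The delimiter is
# quoted, so the text is written verbatim.
#
do_otherservices()
{
	cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\__ENABLE_OTHERS
	/usr/sbin/svcadm enable -s svc:/network/tnd:default
	/usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
	/usr/sbin/svccfg -s svc:/application/x11/x11-server \
	    setprop options/tcp_listen = true
	/usr/sbin/svcadm enable svc:/network/rpc/rstat:default
__ENABLE_OTHERS

}

#
# Run bsmconv so audit and device allocation are enabled by default with
# Trusted Extensions.  The localized "y" is fed on stdin so bsmconv does
# not wait for an interactive confirmation.
#
do_bsmconv()
{
	echo "Running bsmconv ..."
	echo `TEXTDOMAIN="SUNW_OST_OSCMD" gettext "y"` | \
	    "$ROOT_PATH/etc/security/bsmconv" "$ROOT_PATH"
}

#
# For Trusted Extensions, make the nscd service transient in local zones.
# The commands are appended to the upgrade profile and run at next boot;
# the quoted delimiter keeps $nscd and $duration unexpanded here.
#
do_nscd()
{
	cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\_DEL_LOCAL_NSCD
	if [ `/sbin/zonename` != "global" ]; then
		nscd="svc:/system/name-service-cache"
		duration=""
		if /bin/svcprop -q -c -p startd/duration $nscd ; then
			duration=`/bin/svcprop -c -p startd/duration $nscd`
		fi
		if [ "$duration" != "transient" ]; then
			/usr/sbin/svccfg -s $nscd addpg startd framework
			/usr/sbin/svccfg -s $nscd setprop \
			    startd/duration = astring: transient
			/usr/sbin/svccfg -s $nscd setprop stop/exec = :true
			/usr/sbin/svcadm refresh $nscd
		fi
	fi
_DEL_LOCAL_NSCD
}

#
# Rebuild the boot archive, if this platform has one, so the etc/system
# change takes effect at the next boot.
#
do_bootupd()
{
	if [ -f "$ROOT_PATH/platform/`/sbin/uname -m`/boot_archive" ]; then
		if [ -z "$ROOT_PATH" ] || [ "$ROOT_PATH" = "/" ]; then
			/sbin/bootadm update-archive
		else
			/sbin/bootadm update-archive -R "$ROOT_PATH"
		fi
	fi
}

#
# Write the pam.conf entries Trusted Extensions needs to $TX_ENTRIES, one
# "service type control module" entry per line, as read by do_addpam.
#
setup_tx_changes()
{
#
# No comments or blanks lines allowed in entries below
#
cat > "${TX_ENTRIES}" << EOF
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_unix_account.so.1
dtsession account requisite pam_roles.so.1
dtsession account required pam_unix_account.so.1
gdm account requisite pam_roles.so.1
gdm account required pam_unix_account.so.1
xscreensaver account requisite pam_roles.so.1
xscreensaver account required pam_unix_account.so.1
passwd account requisite pam_roles.so.1
passwd account required pam_unix_account.so.1
dtpasswd account requisite pam_roles.so.1
dtpasswd account required pam_unix_account.so.1
other account required pam_tsol_account.so.1
EOF
}

#
# Append the Trusted Extensions entries to $ROOT_PATH/etc/pam.conf unless
# they are already present.  Exits with SMF_EXIT_ERR_FATAL if pam.conf
# does not exist.
#
do_addpam()
{
	PAM_DEST="$ROOT_PATH/etc/pam.conf"

	need_tmpdir
	TX_ENTRIES="$TX_TMPDIR/sct"
	PAM_NEW="$TX_TMPDIR/pamconf"
	setup_tx_changes

	# verify that pam.conf file exists...
	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		exit $SMF_EXIT_ERR_FATAL
	fi

	#
	# Collect in $PAM_NEW the entries that pam.conf lacks; it is only
	# created if at least one entry is missing.
	#
	rm -f "$PAM_NEW"
	while read e1 e2 e3 e4 e5
	do
		if [ "$e1" = "other" ]; then
			# The 'other' entry is added unless the same
			# (possibly commented) entry already exists.
			pattern="^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4"
		else
			# Other services are added unless they already
			# have a stack of their own for this module type.
			pattern="^[# ]*$e1[ ][ ]*$e2[ ]"
		fi
		grep "$pattern" "$PAM_DEST" >/dev/null 2>&1
		# Only exit status 1 (no match) adds the entry; 0 (present)
		# and 2 (grep error) both leave pam.conf unchanged.
		if [ $? = 1 ]; then
			# printf rather than echo: \t handling in echo is
			# shell-dependent, printf always emits the tabs.
			printf "%s\t%s %s\t\t%s %s\n" \
			    "$e1" "$e2" "$e3" "$e4" "$e5" >> "$PAM_NEW"
		fi
	done < "${TX_ENTRIES}"

	# Append TX lines if any were not present already.
	if [ -f "$PAM_NEW" ]; then
		echo "# Entries for Trusted Extensions" >> "$PAM_DEST"
		cat "$PAM_NEW" >> "$PAM_DEST"
		echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
		echo "$0: please examine/update any new entries"
	fi
}

#
# Remove every pam_tsol_account line from $ROOT_PATH/etc/pam.conf.  Only
# an active (uncommented) pam_tsol_account entry counts as "present"; if
# there is none the file is left alone.  Exits with SMF_EXIT_ERR_FATAL if
# pam.conf does not exist.
#
do_pamremove()
{
	PAM_DEST="$ROOT_PATH/etc/pam.conf"

	# verify that pam.conf file exists...
	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		exit $SMF_EXIT_ERR_FATAL
	fi

	grep '^[a-z].*pam_tsol_account' "$PAM_DEST" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		echo "$0: pam_tsol_account module not present,"
		echo "$0: No changes were made to $PAM_DEST."
		return
	fi

	need_tmpdir
	PAM_NEW="$TX_TMPDIR/pam.conf"
	# cp into the existing file keeps pam.conf's owner and mode.
	grep -v pam_tsol_account "$PAM_DEST" > "$PAM_NEW"
	echo "$0: $PAM_DEST tsol entries removed"
	cp "$PAM_NEW" "$PAM_DEST"
}

#
# Changes shared by the native and the -R (jumpstart) start paths.
# Exits with SMF_EXIT_ERR_FATAL if sys_labeling cannot be set.
#
do_commonstart()
{
	ETC_SYSTEM="${ROOT_PATH}/etc/system"

	echo "$0: Updating $ROOT_PATH/etc/system..."
	if [ ! -f "$ETC_SYSTEM" ]; then
		touch "$ETC_SYSTEM"
	fi

	# Set sys_labeling in etc/system, dropping any earlier setting.
	need_tmpdir
	grep -v "sys_labeling=" "$ETC_SYSTEM" > "$TX_TMPDIR/etc.system"
	echo "set sys_labeling=1" >> "$TX_TMPDIR/etc.system"
	# cp into the existing file keeps /etc/system's owner and mode.
	cp "$TX_TMPDIR/etc.system" "$ETC_SYSTEM"
	grep "set sys_labeling=1" "$ETC_SYSTEM" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	# Setup dependent services
	do_otherservices

	do_logindev
	do_bsmconv
	do_nscd
	do_addpam

	do_bootupd
}

#
# Start labeld.  If a labeld door exists and a labeld process is already
# running, exit with SMF_EXIT_ERR_FATAL; otherwise remove the stale door
# and start the daemon.
#
daemon_start()
{
	if [ -r /var/tsol/doors/labeld ]; then
		if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
			echo "$0: labeld is already running"
			exit $SMF_EXIT_ERR_FATAL
		fi
	fi
	/usr/bin/rm -f /var/tsol/doors/labeld
	/usr/lib/labeld
}

case "$1" in
'start')
	if [ -z "$ROOT_PATH" ] || [ "$ROOT_PATH" = "/" ]; then
		# native

		if [ -z "$SMF_FMRI" ]; then
			echo "$0: this script can only be invoked by smf(5)"
			exit $SMF_EXIT_ERR_NOSMF
		fi

		tx_enabled=`/usr/bin/svcprop -c -p general/enabled "$SMF_FMRI"`
		if [ "$tx_enabled" = "false" ]; then
			# A sign of trying temporary enablement...no-no
			echo "$0: Temporarily enabling Trusted Extensions is not allowed."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		if (smf_is_system_labeled); then
			daemon_start
			exit $SMF_EXIT_OK
		fi

		# Make changes to enable Trusted Extensions
		grep "^set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
			echo "$0: Must remove zones before enabling Trusted Extensions."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		do_commonstart

		# start daemon process so our service doesn't go into
		# maintenance state
		daemon_start

		echo "$0: Started. Must reboot and configure Trusted Extensions."
	else
		# Support jumpstart etc

		# Make changes to enable Trusted Extensions
		grep "^set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		# Setup dependent services
		cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\__TRUSTED_ENABLE
	/usr/sbin/svcadm enable -s svc:/system/labeld:default
__TRUSTED_ENABLE

		do_commonstart
		echo "$0: Started. Must configure Trusted Extensions before booting."
	fi
	;;

'stop')
	# NOTE(review): unlike "start", no SMF_FMRI check here; an empty
	# SMF_FMRI makes svcprop fail and tx_enabled empty, so a manual
	# "stop" proceeds to disable Trusted Extensions.
	tx_enabled=`/usr/bin/svcprop -c -p general/enabled "$SMF_FMRI"`
	if [ "$tx_enabled" = "true" ]; then
		/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
		exit $SMF_EXIT_OK
	fi

	if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
		echo "$0: Must remove zones before disabling Trusted Extensions."
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# Stop Trusted services.
	/usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
	/usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null

	# Uncomment audio, usb, removable-media, and hotpluggable device
	# entries in /etc/logindevperm.
	rewrite_logindev "#" ""

	# Remove sys_labeling from /etc/system
	need_tmpdir
	grep -v "sys_labeling" "${ROOT_PATH}/etc/system" > "$TX_TMPDIR/etc.system"
	# cp into the existing file keeps /etc/system's owner and mode.
	cp "$TX_TMPDIR/etc.system" "${ROOT_PATH}/etc/system"
	grep "sys_labeling" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
	if [ $? -eq 0 ]; then
		echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	do_pamremove

	do_bootupd

	/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
	echo "$0: Stopped. Will take effect at next boot."
	;;

*)
	echo "Usage: $0 { start | stop }"
	exit 1
	;;
esac

exit $SMF_EXIT_OK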