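#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# SMF method script for the labeld service: enables or disables
# Trusted Extensions and starts or stops the labeld daemon.
#
# Usage:  $0 { start | stop } [-R rootpath]
#
#   -R rootpath   operate on an alternate root (start method only,
#                 e.g. from jumpstart).  Changes that need a running
#                 system are queued in <rootpath>/var/svc/profile/upgrade
#                 and applied at the next boot of that root.
#
# Globals read:   SMF_FMRI and the SMF_EXIT_* codes from smf_include.sh
# Globals written: ROOT_PATH, PATH, NEW_TMPFILE (see new_tmpfile())
#
# All writes to system configuration files go through a temporary
# file created with mktemp(1) rather than a fixed "/tmp/<name>.$$"
# path: this script runs as root and a guessable name in a shared
# directory could be pre-created or symlinked by another user.

. /lib/svc/share/smf_include.sh

#
# Argument handling: "-R rootpath" may follow the method name.
# "-R /" is treated the same as no -R at all (ROOT_PATH stays empty).
#
ROOT_PATH=""
if [ $# -gt 1 ]; then
	if [ $# -ne 3 -o "$2" != "-R" ]; then
		echo "$0: invalid syntax"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	if [ "$3" != "/" ]; then
		ROOT_PATH=$3
	fi
fi
if [ -n "$ROOT_PATH" -a "$1" != "start" ]; then
	echo "$0: invalid syntax: -R allowed for start method only"
	exit $SMF_EXIT_ERR_CONFIG
fi
if [ -n "$ROOT_PATH" -a ! -d "$ROOT_PATH" ]; then
	echo "$0: invalid -R rootpath dir specified"
	exit $SMF_EXIT_ERR_CONFIG
fi

if smf_is_nonglobalzone; then
	echo "$0: not supported in a local zone"
	exit $SMF_EXIT_ERR_CONFIG
fi

#
# Create an unpredictable temporary file in /tmp and leave its name in
# NEW_TMPFILE.  The caller owns the file and must remove it.
# Exits the method with SMF_EXIT_ERR_FATAL if the file cannot be made
# (mktemp prints nothing on failure, so an empty name means failure
# regardless of how the shell propagates the status of an assignment).
#
new_tmpfile()
{
	NEW_TMPFILE=`/usr/bin/mktemp /tmp/labeld.XXXXXX`
	if [ -z "$NEW_TMPFILE" ]; then
		echo "$0: cannot create temporary file in /tmp"
		exit $SMF_EXIT_ERR_FATAL
	fi
}

#
# Rewrite the audio, usb, removable-media and hotpluggable device
# entries in $ROOT_PATH/etc/logindevperm, replacing the leading
# string $1 with $2 on each matching line.
#
# Arguments: $1 - prefix currently on the lines ("" or "#")
#            $2 - prefix to put there instead ("#" or "")
#
# do_logindev() calls this with ("" "#") to comment the entries out;
# the stop method calls it with ("#" "") to restore them.
# A missing logindevperm file is silently ignored.
#
rewrite_logindev()
{
	from="$1"
	to="$2"
	LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
	if [ ! -f "$LOGINDEVPERM" ]; then
		return
	fi
	new_tmpfile
	ldp_tmp=$NEW_TMPFILE
	for line in \
	    "/dev/sound/" \
	    "/dev/removable-media/" \
	    "/dev/hotpluggable/" \
	    "/dev/usb/\[0-9a-f\]" \
	    ; do
		# Match "<from><console> <mode> <device...>" and keep the
		# console and mode fields (\1) in front of the new prefix.
		# The mode field is one or more digits between runs of
		# blanks.  The file is copied back rather than moved so
		# the original's owner and mode are preserved; the copy
		# is skipped if sed failed, so a write error cannot leave
		# a truncated logindevperm behind.
		sed -e "s!^$from\([^# ]\{1,\}[ ]\{1,\}[0-9]\{1,\}[ ]\{1,\}\)$line!$to\1$line!" \
		    "$LOGINDEVPERM" > "$ldp_tmp" &&
		    cp "$ldp_tmp" "$LOGINDEVPERM"
	done
	rm -f "$ldp_tmp"
}

#
# Comment out the device entries in /etc/logindevperm so that device
# allocation, rather than logindevperm, controls them under
# Trusted Extensions.
#
do_logindev()
{
	rewrite_logindev "" "#"
}

#
# Queue the enabling of the services Trusted Extensions depends on in
# the upgrade profile; they are enabled at the next boot.
#
do_otherservices()
{
	# Setup dependent services
	cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\__ENABLE_OTHERS
	/usr/sbin/svcadm enable -s svc:/network/tnd:default
	/usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
	/usr/sbin/svcadm enable svc:/network/rpc/rstat:default
__ENABLE_OTHERS

}

#
# Run bsmconv so device allocation is enabled by default with
# Trusted Extensions, then start auditing: directly on the live
# system, or queued in the upgrade profile for an alternate root.
#
do_bsmconv()
{
	if [ "$ROOT_PATH" = "/" -o "$ROOT_PATH" = "" ]; then
		BSMDIR=""
	else
		BSMDIR=$ROOT_PATH
	fi
	echo "Running bsmconv ..."
	# bsmconv answers its confirmation prompt from stdin; it takes the
	# alternate root as its only argument, so the native case passes
	# no argument at all rather than an empty string.
	if [ "$BSMDIR" = "" ]; then
		echo `TEXTDOMAIN="SUNW_OST_OSCMD" gettext "y"` | \
		    /etc/security/bsmconv
		# Run auditd so auditing is enabled by default
		# with Trusted Extensions.
		echo "Starting auditd ..."
		/usr/sbin/audit -s
	else
		echo `TEXTDOMAIN="SUNW_OST_OSCMD" gettext "y"` | \
		    "$BSMDIR/etc/security/bsmconv" "$BSMDIR"
		cat >> "$BSMDIR/var/svc/profile/upgrade" <<\_ENABLE_AUDITD
	/usr/sbin/audit -s
_ENABLE_AUDITD
	fi
}

#
# For Trusted Extensions, make the nscd service transient in local
# zones.  The work is queued in the upgrade profile and runs inside
# each zone at boot (the heredoc is quoted: nothing expands here).
#
do_nscd()
{
cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\_DEL_LOCAL_NSCD
	if [ `/sbin/zonename` != "global" ]; then
		nscd="svc:/system/name-service-cache"
		duration=""
		if /bin/svcprop -q -c -p startd/duration $nscd ; then
			duration=`/bin/svcprop -c -p startd/duration $nscd`
		fi
		if [ "$duration" != "transient" ]; then
			/usr/sbin/svccfg -s $nscd addpg startd framework
			/usr/sbin/svccfg -s $nscd setprop \
			    startd/duration = astring: transient
			/usr/sbin/svccfg -s $nscd setprop stop/exec = :true
			/usr/sbin/svcadm refresh $nscd
		fi
	fi
_DEL_LOCAL_NSCD
}

#
# Rebuild the boot archive (for the alternate root when -R was given)
# so the /etc/system change takes effect at the next boot.  Skipped
# when the platform has no boot archive.
#
do_bootupd()
{
	if [ -f "$ROOT_PATH/platform/`/sbin/uname -m`/boot_archive" ]; then
		if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
			/sbin/bootadm update-archive
		else
			/sbin/bootadm update-archive -R "$ROOT_PATH"
		fi
	fi
}

#
# Write the pam.conf entries Trusted Extensions needs to $TX_ENTRIES,
# one "service type control module" entry per line.
#
setup_tx_changes(){
#
# No comments or blanks lines allowed in entries below
#
cat > "${TX_ENTRIES}" << EOF
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_unix_account.so.1
dtsession account requisite pam_roles.so.1
dtsession account required pam_unix_account.so.1
gdm account requisite pam_roles.so.1
gdm account required pam_unix_account.so.1
xscreensaver account requisite pam_roles.so.1
xscreensaver account required pam_unix_account.so.1
passwd account requisite pam_roles.so.1
passwd account required pam_unix_account.so.1
dtpasswd account requisite pam_roles.so.1
dtpasswd account required pam_unix_account.so.1
tsoljds-tstripe account requisite pam_roles.so.1
tsoljds-tstripe account required pam_unix_account.so.1
other account required pam_tsol_account.so.1
EOF
}

#
# Append the Trusted Extensions entries from setup_tx_changes() to
# $ROOT_PATH/etc/pam.conf, skipping any that are already present.
# Exits with SMF_EXIT_ERR_FATAL if pam.conf is missing or the scratch
# directory cannot be created; the scratch directory is removed on
# every exit path.
#
do_addpam()
{
	PAM_TMP=`/usr/bin/mktemp -d /tmp/pam_conf.XXXXXX`
	if [ -z "$PAM_TMP" ]; then
		echo "$0: cannot create temporary directory in /tmp"
		exit $SMF_EXIT_ERR_FATAL
	fi
	TX_ENTRIES=$PAM_TMP/sct
	PAM_NEW=$PAM_TMP/pamconf
	PAM_DEST=$ROOT_PATH/etc/pam.conf

	setup_tx_changes

	# verify that pam.conf file exists...
	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		rm -rf "$PAM_TMP"
		exit $SMF_EXIT_ERR_FATAL
	fi

	#
	# Update pam.conf to append Trusted Extensions entries if not
	# already present.  Candidate lines are collected in $PAM_NEW,
	# which only comes into existence if something is missing.
	#
	while read e1 e2 e3 e4 e5
	do
		if [ "$e1" = "other" ]; then
			# The 'other' entry is added unless this exact
			# service/type/control/module line exists.
			pattern="^[# ]*$e1[ ][ ]*$e2[ ][ ]*$e3[ ][ ]*$e4"
		else
			# Other entries are added unless the service
			# already has a stack of its own for this type.
			pattern="^[# ]*$e1[ ][ ]*$e2[ ]"
		fi
		grep "$pattern" "$PAM_DEST" >/dev/null 2>&1
		# grep exits 1 only when nothing matched; 2 means the
		# file could not be searched, and then nothing is added.
		if [ $? = 1 ] ; then
			printf '%s\t%s %s\t\t%s %s\n' \
			    "$e1" "$e2" "$e3" "$e4" "$e5" >> "$PAM_NEW"
		fi
	done < "${TX_ENTRIES}"
	# Append TX lines if any were not present already.
	if [ -f "$PAM_NEW" ] ; then
		echo "# Entries for Trusted Extensions" >> "$PAM_DEST"
		cat "$PAM_NEW" >> "$PAM_DEST"
		echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
		echo "$0: please examine/update any new entries"
	fi

	rm -rf "$PAM_TMP"
}

#
# Remove every pam_tsol_account line from $ROOT_PATH/etc/pam.conf.
# Exits with SMF_EXIT_ERR_FATAL if pam.conf is missing; does nothing
# (and creates no scratch file) when the module is not configured.
#
do_pamremove()
{
	PAM_DEST=$ROOT_PATH/etc/pam.conf

	# verify that pam.conf file exists...
	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		exit $SMF_EXIT_ERR_FATAL
	fi

	grep '^[a-z].*pam_tsol_account' "$PAM_DEST" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		echo "$0: pam_tsol_account module not present,"
		echo "$0: No changes were made to $PAM_DEST."
		return
	fi

	new_tmpfile
	pam_tmp=$NEW_TMPFILE
	grep -v pam_tsol_account "$PAM_DEST" > "$pam_tmp"
	echo "$0: $PAM_DEST tsol entries removed"
	# cp (not mv) keeps pam.conf's owner and mode.
	cp "$pam_tmp" "$PAM_DEST"
	rm -f "$pam_tmp"
}

#
# Configuration changes shared by the native and -R start paths:
# set sys_labeling in etc/system, queue dependent services, adjust
# logindevperm, run bsmconv, make nscd transient in zones, update
# pam.conf and rebuild the boot archive.
#
do_commonstart()
{
	ETC_SYSTEM=${ROOT_PATH}/etc/system
	echo "$0: Updating $ROOT_PATH/etc/system..."
	if [ ! -f "$ETC_SYSTEM" ]; then
		touch "$ETC_SYSTEM"
	fi

	# Set sys_labeling in etc/system: drop any existing setting,
	# then append ours.
	new_tmpfile
	sys_tmp=$NEW_TMPFILE
	grep -v "sys_labeling=" "$ETC_SYSTEM" > "$sys_tmp"
	# grep -v exits 1 when it filtered out every line (harmless here)
	# and 2 when it could not read the file; in the latter case the
	# temporary file is empty and must not replace etc/system.
	if [ $? -gt 1 ]; then
		echo "$0: ERROR: cannot read $ROOT_PATH/etc/system"
		rm -f "$sys_tmp"
		exit $SMF_EXIT_ERR_FATAL
	fi
	echo "set sys_labeling=1" >> "$sys_tmp"
	# cp (not mv) keeps etc/system's owner and mode; the mktemp file
	# is mode 0600 and must not become the live file.
	cp "$sys_tmp" "$ETC_SYSTEM"
	rm -f "$sys_tmp"
	grep "set sys_labeling=1" "$ETC_SYSTEM" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	# Setup dependent services
	do_otherservices

	do_logindev
	do_bsmconv
	do_nscd
	do_addpam

	do_bootupd
}

#
# Register a service tag for Trusted Extensions with stclient(1M)
# and remember its instance id in the labeld/svctag_inst SMF
# property.  A no-op when stclient is not installed or when the
# saved instance id still names an existing tag.
#
# Arguments: $1 - root directory to register against
#
do_servicetag_register()
{
	ROOTDIR=$1
	SOL_ARCH=`/sbin/uname -p`
	SOL_VERS=`/sbin/uname -r`
	TX_PROD_URN="urn:uuid:fc720df3-410f-11dc-9b8e-080020a9ed93"

	if [ ! -x /usr/bin/stclient ]; then
		return
	fi

	# if already registered then do nothing more here
	inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
	if [ -n "$inst" ]; then
		# this instance id was saved in a SMF property
		/usr/bin/stclient -g -i "$inst" -r "$ROOTDIR" >/dev/null 2>&1
		if [ $? = 0 ]; then
			# matching service tag found, so do nothing
			return
		else
			# no match for instance id saved in SMF property
			/usr/sbin/svccfg -s $SMF_FMRI delprop \
			    labeld/svctag_inst
			/usr/sbin/svcadm refresh $SMF_FMRI
		fi
	fi

	# fall through: no service tag, or does not match saved instance id

	# determine the urn of the parent (Solaris).  The value carries
	# its own "-F" flag and is deliberately left unquoted in the
	# stclient call so that an unknown release passes no -F at all.
	SOL_PROD_URN=""
	case "$SOL_VERS" in
	5.11)
		SOL_PROD_URN="-F urn:uuid:6df19e63-7ef5-11db-a4bd-080020a9ed93"
		;;
	5.10)
		SOL_PROD_URN="-F urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113"
		;;
	esac

	# add the service tag
	RC=`/usr/bin/stclient -a -p "Solaris Trusted Extensions" \
	    -e "$SOL_VERS" -t "$TX_PROD_URN" -P Solaris $SOL_PROD_URN \
	    -m Sun -A "$SOL_ARCH" -z global -S "$0" -r "$ROOTDIR"`
	if [ $? = 0 ]; then
		# save instance id in SMF property; stclient reports it
		# on a line of the form "...urn=<instance id>"
		inst=`echo "$RC" | grep -i urn|awk -F= '{print $2}'`
		/usr/sbin/svccfg -s $SMF_FMRI setprop \
		    labeld/svctag_inst = astring: "$inst"
		/usr/sbin/svcadm refresh $SMF_FMRI
	fi
}

#
# Delete the service tag recorded in labeld/svctag_inst (if any) and
# the property itself.  A no-op when stclient is not installed.
#
do_servicetag_delete()
{
	if [ ! -x /usr/bin/stclient ]; then
		return
	fi

	inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`

	if [ -n "$inst" ]; then
		# delete service tag
		/usr/bin/stclient -d -i "$inst"
		# delete saved instance id
		/usr/sbin/svccfg -s $SMF_FMRI delprop labeld/svctag_inst
		/usr/sbin/svcadm refresh $SMF_FMRI
	fi
}

#
# Start the labeld daemon.  If a labeld door exists, check for a
# labeld process and exit with SMF_EXIT_ERR_FATAL if the daemon is
# already running; otherwise remove the stale door and start it.
#
daemon_start()
{
	if [ -r /var/tsol/doors/labeld ]; then
		if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
			echo "$0: labeld is already running"
			exit $SMF_EXIT_ERR_FATAL
		fi
	fi
	/usr/bin/rm -f /var/tsol/doors/labeld
	/usr/lib/labeld
}

PATH=/usr/sbin:/usr/bin; export PATH

case "$1" in
'start')
	if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
		# native

		if [ -z "$SMF_FMRI" ]; then
			echo "$0: this script can only be invoked by smf(5)"
			exit $SMF_EXIT_ERR_NOSMF
		fi

		tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
		if [ "$tx_enabled" = "false" ]; then
			# A sign of trying temporary enablement...no-no
			echo "$0: Temporarily enabling Trusted Extensions is not allowed."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		# Already labeled: just make sure the tag and daemon exist.
		if smf_is_system_labeled; then
			do_servicetag_register /
			daemon_start
			exit $SMF_EXIT_OK
		fi

		# Make changes to enable Trusted Extensions
		grep "^set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
			echo "$0: Must remove zones before enabling Trusted Extensions."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		do_commonstart

		do_servicetag_register /

		# start daemon proccess so our service doesn't go into
		# maintenance state
		daemon_start

		echo "$0: Started. Must reboot and configure Trusted Extensions."
	else
		# Support jumpstart etc

		# Make changes to enable Trusted Extensions
		grep "^set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		# Setup dependent services
		cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\__TRUSTED_ENABLE
	/usr/sbin/svcadm enable -s svc:/system/labeld:default
__TRUSTED_ENABLE

		do_commonstart
		do_servicetag_register "$ROOT_PATH"
		echo "$0: Started. Must configure Trusted Extensions before booting."
	fi
	;;

'stop')
	tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
	if [ "$tx_enabled" = "true" ]; then
		# Service is still enabled: this is a restart, not a
		# disable, so only the daemon is stopped.
		/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
		exit $SMF_EXIT_OK
	fi

	if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
		echo "$0: Must remove zones before disabling Trusted Extensions."
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# Stop Trusted services.
	/usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
	/usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null

	# Uncomment audio, usb, removable-media, and hotpluggable device
	# entries in /etc/logindevperm.
	rewrite_logindev "#" ""

	# Remove sys_labeling from /etc/system (cp rather than mv so the
	# file keeps its owner and mode; see do_commonstart()).
	new_tmpfile
	sys_tmp=$NEW_TMPFILE
	grep -v "sys_labeling" "${ROOT_PATH}/etc/system" > "$sys_tmp"
	if [ $? -gt 1 ]; then
		echo "$0: ERROR: cannot read $ROOT_PATH/etc/system"
		rm -f "$sys_tmp"
		exit $SMF_EXIT_ERR_FATAL
	fi
	cp "$sys_tmp" "${ROOT_PATH}/etc/system"
	rm -f "$sys_tmp"
	grep "sys_labeling" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
	if [ $? -eq 0 ]; then
		echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	do_pamremove
	do_servicetag_delete

	do_bootupd

	/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
	echo "$0: Stopped. Will take effect at next boot."
	;;

*)
	echo "Usage: $0 { start | stop }"
	exit 1
	;;
esac

exit $SMF_EXIT_OK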