xref: /titanic_44/usr/src/cmd/tsol/misc/txzonemgr.sh (revision 56b2bdd1f04d465cfe4a95b88ae5cba5884154e4)
1#!/bin/ksh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23#
24#
25
26# This script provides a simple GUI for managing labeled zones.
27# It provides contextual menus which provide appropriate choices.
28# It must be run in the global zone as root.
29
30# These arguments are accepted, and will result in non-interactive
31# (text-only) mode:
32#
33#	txzonemgr [-c | -d[f]]
34#
35#	-c	create default zones
36#	-d	destroy all zones; prompts for confirmation unless
37#		the -f flag is also specified
38#	-f	force
39#
40
41# DISP - use GUI (otherwise use non-interactive mode)
42DISP=1
43# CREATEDEF - make default zones (non-interactive)
44CREATEDEF=0
45# DESTROYZONES - tear down all zones (non-interactive)
46DESTROYZONES=0
47# FORCE - force
48FORCE=0
49
50NSCD_PER_LABEL=0
51NSCD_INDICATOR=/var/tsol/doors/nscd_per_label
52if [ -f $NSCD_INDICATOR ] ; then
53	NSCD_PER_LABEL=1
54fi
55
56myname=$(basename $0)
57
58TXTMP=/tmp/txzonemgr
59TNRHTP=/etc/security/tsol/tnrhtp
60TNRHDB=/etc/security/tsol/tnrhdb
61TNZONECFG=/etc/security/tsol/tnzonecfg
62PUBZONE=public
63INTZONE=internal
64
65PATH=/usr/bin:/usr/sbin:/usr/lib export PATH
66title="Labeled Zone Manager 2.1"
67
68msg_defzones=$(gettext "Create default zones using default settings?")
69msg_confirmkill=$(gettext "OK to destroy all zones?")
70msg_continue=$(gettext "(exit to resume $(basename $0) when ready)")
71msg_getlabel=$(gettext "Select a label for the")
72msg_getremote=$(gettext "Select a remote host or network from the list below:")
73msg_getnet=$(gettext "Select a network configuration for the")
74msg_getzone=$(gettext "Select a zone from the list below:
75(select global for zone creation and shared settings)")
76msg_getcmd=$(gettext "Select a command from the list below:")
77msg_inuse=$(gettext "That label is already assigned\nto the")
78msg_getmin=$(gettext "Select the minimum network label for the")
79msg_getmax=$(gettext "Select the maximum network label for the")
80msg_badip=$(gettext " is not a valid IP address")
81
82
83process_options()
84{
85	typeset opt optlist
86
87	optlist='cdf'
88
89	while getopts ":$optlist" opt
90	do
91		case $opt in
92		c)	CREATEDEF=1
93			DISP=0
94			;;
95		d)	DESTROYZONES=1
96			DISP=0
97			;;
98		f)	FORCE=1
99			;;
100		*)	gettext "invalid option -$OPTARG\n"
101			usage
102			return 2
103			;;
104		esac
105	done
106
107	if [ $CREATEDEF -eq 1 -a $DESTROYZONES -eq 1 ] ; then
108		gettext "cannot combine options -c and -d\n"
109		usage
110		return 2
111	fi
112	if [ $CREATEDEF -eq 1 -a $FORCE -eq 1 ] ; then
113		gettext "option -f not allowed with -c\n"
114		usage
115		return 2
116	fi
117	if [ $FORCE -eq 1 -a $CREATEDEF -eq 0 -a $DESTROYZONES -eq 0 ] ; then
118		gettext "option -f specified without any other options\n"
119		usage
120		return 2
121	fi
122
123	shift $((OPTIND - 1))
124	if [ "x$1" != "x" ] ; then
125		usage
126		return 2
127	fi
128
129	return 0
130}
131
132usage() {
133	gettext "usage: $myname [-c | -d[f]]\n"
134}
135
136consoleCheck() {
137	if [ $zonename != global ] ; then
138		zconsole=$(pgrep -f "zlogin -C $zonename")
139		if [ $? != 0 ] ; then
140			console="Zone Console...\n"
141		fi
142	fi
143}
144
145labelCheck() {
146	hexlabel=$(grep "^$zonename:" $TNZONECFG|cut -d : -f2);
147	if [[ $hexlabel ]] ; then
148		label=
149		if [ $zonename = global ] ; then
150			template="admin_low"
151			addcipsohost="Add Multilevel Access to Remote Host...\n"
152			removecipsohost="Remove Multilevel Access to Remote Host...\n"
153			setmlps="Configure Multilevel Ports...\n"
154		else
155			template=${zonename}_unlab
156			addcipsohost=
157			removecipsohost=
158			setmlps=
159
160			net=$(zonecfg -z $zonename info net)
161			if [[ -n $net ]] ; then
162				setmlps="Configure Multilevel Ports...\n"
163			elif [ $zonestate = configured ] ; then
164				addnet="Configure Network Interfaces...\n"
165			fi
166		fi
167		addremotehost="Add Single-level Access to Remote Host...\n"
168		remotes=$(grep -v "^#" $TNRHDB|grep $template)
169		if [ $? = 0 ] ; then
170			removeremotehost="Remove Single-level Access to Remote Host...\n"
171		else
172			removeremotehost=
173		fi
174	else
175		label="Select Label...\n"
176		addremotehost=
177		removeremotehost=
178		addcipsohost=
179		removecipsohost=
180		setmlps=
181	fi
182}
183
184cloneCheck() {
185	set -A zonelist
186	integer clone_cnt=0
187	for p in $(zoneadm list -ip) ; do
188		z=$(echo "$p"|cut -d : -f2)
189		s=$(echo "$p"|cut -d : -f3)
190		if [ $z = $zonename ] ; then
191			continue
192		elif [ $s = "installed" ] ; then
193			zonelist[clone_cnt]=$z
194			clone_cnt+=1
195		fi
196	done
197	if [ $clone_cnt -gt 0 ] ; then
198		clone="Clone...\n"; \
199	fi
200}
201
202relabelCheck() {
203	macstate=$(zonecfg -z $zonename info|grep win_mac_write)
204	if [[ -n $macstate ]] ; then
205		permitrelabel="Deny Relabeling\n"
206	else
207		permitrelabel="Permit Relabeling\n"
208	fi
209}
210
211autobootCheck() {
212	bootmode=$(zonecfg -z $zonename info autoboot)
213	if [[ $bootmode == 'autoboot: true' ]] ; then
214		autoboot="Set Manual Booting\n"
215	else
216		autoboot="Set Automatic Booting\n"
217	fi
218}
219
220newZone() {
221		if [[ ! -n $zonename ]] ; then
222			zonename=$(zenity --entry \
223			    --title="$title" \
224			    --width=330 \
225			    --entry-text="" \
226			    --text="Enter Zone Name: ")
227
228			if [[ ! -n $zonename ]] ; then
229				zonename=global
230				return
231			fi
232		fi
233		zonecfg -z $zonename "create -t SUNWtsoldef;\
234		     set zonepath=/zone/$zonename"
235}
236
237removeZoneBEs() {
238	delopt=$*
239
240	zfs list -H $ZDSET/$zonename 1>/dev/null 2>&1
241	if [ $? = 0 ] ; then
242		for zbe in $(zfs list -rHo name $ZDSET/$zonename|grep ROOT/zbe) ; do
243			zfs destroy $delopt $zbe
244		done
245	fi
246}
247
248updateTemplate () {
249	if [ $hostType = cipso ] ; then
250		template=${zonename}_cipso
251		deflabel=
252	else
253		template=${zonename}_unlab
254		deflabel="def_label=${hexlabel};"
255	fi
256
257	tnzone=$(grep "^${template}:" $TNRHTP 2>/dev/null)
258	if [ $? -eq 0 ] ; then
259		sed -e "/^${template}/d" $TNRHTP > $TXTMP/tnrhtp.$$ 2>/dev/null
260		mv $TXTMP/tnrhtp.$$ $TNRHTP
261	fi
262	print "${template}:host_type=${hostType};doi=1;min_sl=${minlabel};max_sl=${maxlabel};$deflabel" >> $TNRHTP
263	tnctl -t $template
264}
265
266setTNdata () {
267	tnzline="$zonename:${hexlabel}:0::"
268	grep "^$tnzline" $TNZONECFG 1>/dev/null 2>&1
269	if [ $? -eq 1 ] ; then
270		print "$tnzline" >> $TNZONECFG
271	fi
272
273	#
274	# Add matching entries in tnrhtp if necessary
275	#
276	minlabel=admin_low
277	maxlabel=admin_high
278	hostType=cipso
279	updateTemplate
280
281	hostType=unlabeled
282	updateTemplate
283}
284
285selectLabel() {
286	hexlabel=$(tgnome-selectlabel \
287		--title="$title" \
288		--text="$msg_getlabel $zonename zone:" \
289		--min="${DEFAULTLABEL}"  \
290		--default="${DEFAULTLABEL}"  \
291		--max=$(chk_encodings -X) \
292		--accredcheck=yes \
293		--mode=sensitivity \
294		--format=internal)
295	if [ $? = 0 ] ; then
296		x=$(grep -i :{$hexlabel}: $TNZONECFG)
297		if [ $? = 0 ] ; then
298			z=$(print $x|cut -d : -f1)
299			x=$(zenity --error \
300			    --title="$title" \
301			    --text="$msg_inuse $z zone.")
302		else
303			setTNdata
304		fi
305	fi
306}
307
308getLabelRange() {
309	deflabel=$(hextoalabel $hexlabel)
310	minlabel=$(tgnome-selectlabel \
311		--title="$title" \
312		--text="$msg_getmin $zonename zone:" \
313		--min="${DEFAULTLABEL}"  \
314		--max="$deflabel" \
315		--default="$hexlabel" \
316		--accredcheck=no \
317		--mode=sensitivity \
318		--format=internal)
319	[ $? != 0 ] && return
320
321	maxlabel=$(tgnome-selectlabel \
322		--title="$title" \
323		--text="$msg_getmax $zonename zone:" \
324		--min="$deflabel"  \
325		--max=$(chk_encodings -X) \
326		--default="$hexlabel" \
327		--accredcheck=no \
328		--mode=sensitivity \
329		--format=internal)
330	[ $? != 0 ] && return
331
332	hostType=cipso
333	updateTemplate
334}
335
336
337encryptionValues() {
338	echo $(zfs get 2>&1 | grep encryption | sed -e s/^.*YES// -e s/\|//g)
339}
340
341getPassphrase() {
342	pass1=$(zenity --entry --title="$title" --text="Enter passphrase:" \
343	    --width=330 --hide-text)
344	pass2=$(zenity --entry --title="$title" --text="Re-enter passphrase:" \
345	    --width=330 --hide-text)
346	if [[ "$pass1" != "$pass2" ]]; then
347		zenity --error --title="$title" \
348			--text="Passphrases do not match"
349		return ""
350	fi
351	file=$(mktemp)
352	echo "$pass1" > $file
353	echo "$file"
354}
355
356createZDSET() {
357	options=$1
358	pool=${2%%/*}
359
360	# First check if ZFS encrytption support is available
361	pversion=$(zpool list -H -o version $pool)
362	cversion=$(zpool upgrade -v | grep Crypto | awk '{ print $1 }')
363	if (( cversion == 0 || pversion < cversion )); then
364		zfs create $options $ZDSET
365		return
366	fi
367
368	encryption=$(zenity --list --title="$title" --height=320 \
369		--text="Select cipher for encryption of all labels:" \
370		--column="encryption" $(encryptionValues))
371
372	if [[ $? != 0 || $encryption == "off" ]]; then
373		zfs create $options $ZDSET
374		return
375	fi
376
377	format=$(zenity --list --title="$title" \
378		--text "Select encryption key source:" \
379		--column="Key format and location" \
380		"Passphrase" "Generate Key in file")
381	[ $? != 0 ] && exit
382
383	if [[ $format == "Passphrase" ]]; then
384		file=$(getPassphrase)
385		if [[ $file == "" ]]; then
386			exit
387		fi
388		keysource="passphrase,file://$file"
389		removefile=1;
390	elif [[ $format == "Generate Key in file" ]]; then
391		file=$(zenity --file-selection \
392			--title="$title: Location of key file" \
393			--save --confirm-overwrite)
394		[ $? != 0 ] && exit
395		if [[ $encryption == "on" ]]; then
396			keylen=128
397		else
398			t=${encryption#aes-} && keylen=${t%%-*}
399		fi
400		pktool genkey keystore=file keytype=aes \
401		    keylen=$keylen outkey=$file
402		keysource="raw,file:///$file"
403	fi
404
405	options="$options -o encryption=$encryption -o keysource=$keysource"
406	zfs create $options $ZDSET
407	if (( removefile == 1 )); then
408		zfs set keysource=passphrase,prompt $ZDSET
409		rm $file
410	fi
411}
412
413
414initialize() {
415	zonepath=$(zoneadm -z $zonename list -p|cut -d : -f4)
416	ZONE_ETC_DIR=$zonepath/root/etc
417	SYSIDCFG=${ZONE_ETC_DIR}/sysidcfg
418
419	if [ -f /var/ldap/ldap_client_file ] ; then
420		ldapaddress=$(ldapclient list | \
421		    grep "^NS_LDAP_SERVERS" | cut -d " " -f2)
422		print "name_service=LDAP {" > ${SYSIDCFG}
423		domain=$(domainname)
424		print "domain_name=$domain" >> ${SYSIDCFG}
425		profName=$(ldapclient list | \
426		    grep "^NS_LDAP_PROFILE" | cut -d " " -f2)
427		proxyPwd=$(ldapclient list | \
428		    grep "^NS_LDAP_BINDPASSWD" | cut -d " " -f2)
429		proxyDN=$(ldapclient list | \
430		    grep "^NS_LDAP_BINDDN" | cut -d " " -f 2)
431		if [ "$proxyDN" ] ; then
432			print "proxy_dn=\"$proxyDN\"" >> ${SYSIDCFG}
433			print "proxy_password=\"$proxyPwd\"" >> ${SYSIDCFG}
434		fi
435		print "profile=$profName" >> ${SYSIDCFG}
436		print "profile_server=$ldapaddress }" >> ${SYSIDCFG}
437		cp /etc/nsswitch.conf $ZONE_ETC_DIR/nsswitch.ldap
438	else
439		print "name_service=NONE" > ${SYSIDCFG}
440		fi
441	print "security_policy=NONE" >> ${SYSIDCFG}
442	locale=$(locale|grep LANG | cut -d "=" -f2)
443	if [[ -z $locale ]] ; then
444		locale="C"
445	fi
446	print "system_locale=$locale" >> ${SYSIDCFG}
447	timezone=$(grep "^TZ" /etc/TIMEZONE|cut -d "=" -f2)
448	print "timezone=$timezone" >> ${SYSIDCFG}
449	print "terminal=vt100" >> ${SYSIDCFG}
450	rootpwd=$(grep "^root:" /etc/shadow|cut -d : -f2)
451
452#	There are two problems with setting the root password:
453#		The zone's shadow file may be read-only
454#		The password contains unparsable characters
455#	so the following line is commented out until this is resolved.
456
457	#print "root_password=$rootpwd" >> ${SYSIDCFG}
458	print "nfs4_domain=dynamic" >> ${SYSIDCFG}
459	print "network_interface=PRIMARY {" >> ${SYSIDCFG}
460
461	net=$(zonecfg -z $zonename info net)
462	ipType=$(zonecfg -z $zonename info ip-type|cut -d" " -f2)
463	if [ $ipType = exclusive ] ; then
464		hostname=$(zenity --entry \
465		    --title="$title" \
466		    --width=330 \
467		    --text="${zonename}0: Enter Hostname or dhcp: ")
468		[ $? != 0 ] && return
469
470		if [ $hostname = dhcp ] ; then
471			print "dhcp" >> ${SYSIDCFG}
472		else
473			print "hostname=$hostname" >> ${SYSIDCFG}
474			ipaddr=$(getent hosts $hostname|cut -f1)
475			if [ $? != 0 ] ; then
476				ipaddr=$(zenity --entry \
477				    --title="$title" \
478				    --text="$nic: Enter IP address: " \
479				    --entry-text a.b.c.d)
480				[ $? != 0 ] && return
481
482				validateIPaddr
483				if [[ -z $ipaddr ]] ; then
484					return
485				fi
486			fi
487			print "ip_address=$ipaddr" >> ${SYSIDCFG}
488			getNetmask
489			print "netmask=$nm" >> ${SYSIDCFG}
490			print "default_route=none" >> ${SYSIDCFG}
491			template=${zonename}_cipso
492			cidr=32
493			updateTnrhdb
494		fi
495	elif [[ -n $net ]] ; then
496		hostname=$(hostname)
497		hostname=$(zenity --entry \
498		    --title="$title" \
499		    --width=330 \
500		    --text="Enter Hostname: " \
501		    --entry-text $hostname)
502		[ $? != 0 ] && return
503
504		print "hostname=$hostname" >> ${SYSIDCFG}
505		ipaddr=$(getent hosts $hostname|cut -f1)
506		if [ $? = 0 ] ; then
507			print "ip_address=$ipaddr" >> ${SYSIDCFG}
508		fi
509	else
510		getAllZoneNICs
511		for i in ${aznics[*]} ; do
512			ipaddr=$(ifconfig $i|grep inet|cut -d " " -f2)
513		done
514		print "hostname=$(hostname)" >> ${SYSIDCFG}
515		print "ip_address=$ipaddr" >> ${SYSIDCFG}
516	fi
517
518	print "protocol_ipv6=no }" >> ${SYSIDCFG}
519	cp /etc/default/nfs ${ZONE_ETC_DIR}/default/nfs
520	touch ${ZONE_ETC_DIR}/.NFS4inst_state.domain
521}
522
523clone() {
524	image=$1
525	if [[ -z $image ]] ; then
526		msg_clone=$(gettext "Clone the $zonename zone using a
527snapshot of one of the following halted zones:")
528		image=$(zenity --list \
529		    --title="$title" \
530		    --text="$msg_clone" \
531		    --height=300 \
532		    --width=330 \
533		    --column="Installed Zones" ${zonelist[*]})
534	fi
535
536	if [[ -n $image ]] ; then
537		removeZoneBEs
538		zoneadm -z $zonename clone $image
539
540		if [ $NSCD_PER_LABEL = 0 ] ; then
541			sharePasswd $zonename
542		else
543			unsharePasswd $zonename
544		fi
545
546		ipType=$(zonecfg -z $zonename info ip-type|cut -d" " -f2)
547		if [ $ipType = exclusive ] ; then
548			zoneadm -z $zonename ready
549			zonepath=$(zoneadm -z $zonename list -p|cut -d : -f4)
550			sys-unconfig -R $zonepath/root 2>/dev/null
551			initialize
552			zoneadm -z $zonename halt
553		fi
554	fi
555}
556
557install() {
558	removeZoneBEs
559	if [ $DISP -eq 0 ] ; then
560		gettext "installing zone $zonename ...\n"
561		zoneadm -z $zonename install
562	else
563		# sleep is needed here to avoid occasional timing
564		# problem with gnome-terminal display...
565		sleep 2
566		gnome-terminal \
567		    --title="$title: Installing $zonename zone" \
568		    --command "zoneadm -z $zonename install" \
569		    --disable-factory \
570		    --hide-menubar
571	fi
572
573	zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
574	if [ $zonestate != installed ] ; then
575		gettext "error installing zone $zonename.\n"
576		return 1
577	fi
578
579	if [ $NSCD_PER_LABEL = 0 ] ; then
580		sharePasswd $zonename
581	else
582		unsharePasswd $zonename
583	fi
584
585	zoneadm -z $zonename ready
586	zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
587	if [ $zonestate != ready ] ; then
588		gettext "error making zone $zonename ready.\n"
589		return 1
590	fi
591
592	initialize
593	zoneadm -z $zonename halt
594}
595
596delete() {
597	delopt=$*
598
599	# if there is an entry for this zone in tnzonecfg, remove it
600	# before deleting the zone.
601
602	tnzone=$(grep "^$zonename:" $TNZONECFG 2>/dev/null)
603	if [ -n "${tnzone}" ] ; then
604		sed -e "/^$zonename:/d" $TNZONECFG > \
605		    $TXTMP/tnzonefg.$$ 2>/dev/null
606		mv $TXTMP/tnzonefg.$$ $TNZONECFG
607	fi
608
609	for tnzone in $(grep ":${zonename}_unlab" $TNRHDB 2>/dev/null) ; do
610		tnctl -dh "$tnzone"
611		sed -e "/:${zonename}_unlab/d" $TNRHDB > \
612		    $TXTMP/tnrhdb.$$ 2>/dev/null
613		mv $TXTMP/tnrhdb.$$ $TNRHDB
614	done
615
616	for tnzone in $(grep "^${zonename}_unlab:" $TNRHTP 2>/dev/null) ; do
617		tnctl -dt ${zonename}_unlab
618		sed -e "/^${zonename}_unlab:/d" $TNRHTP > \
619		    $TXTMP/tnrhtp.$$ 2>/dev/null
620		mv $TXTMP/tnrhtp.$$ $TNRHTP
621	done
622
623	for tnzone in $(grep ":${zonename}_cipso" $TNRHDB 2>/dev/null) ; do
624		tnctl -dh "$tnzone"
625		sed -e "/:${zonename}_cipso/d" $TNRHDB > \
626		    $TXTMP/tnrhdb.$$ 2>/dev/null
627		mv $TXTMP/tnrhdb.$$ $TNRHDB
628	done
629
630	for tnzone in $(grep "^${zonename}_cipso:" $TNRHTP 2>/dev/null) ; do
631		tnctl -dt ${zonename}_cipso
632		sed -e "/^${zonename}_cipso:/d" $TNRHTP > \
633		    $TXTMP/tnrhtp.$$ 2>/dev/null
634		mv $TXTMP/tnrhtp.$$ $TNRHTP
635	done
636
637	zonecfg -z $zonename delete -F
638
639	removeZoneBEs $delopt
640	for snap in $(zfs list -Ho name -t snapshot|grep "\@${zonename}_snap") ; do
641		zfs destroy -R $snap
642	done
643}
644
645validateIPaddr () {
646	OLDIFS=$IFS
647	IFS=.
648	integer octet_cnt=0
649	integer dummy
650	set -A octets $ipaddr
651	IFS=$OLDIFS
652	if [ ${#octets[*]} == 4 ] ; then
653		while (( octet_cnt < ${#octets[*]} )); do
654			dummy=${octets[octet_cnt]}
655			if [ $dummy = ${octets[octet_cnt]} ] ; then
656				if (( dummy >= 0 && \
657				    dummy < 256 )) ; then
658					octet_cnt+=1
659					continue
660				fi
661			else
662			x=$(zenity --error \
663			    --title="$title" \
664			    --text="$ipaddr $msg_badip")
665			ipaddr=
666			return
667			fi
668		done
669	else
670		x=$(zenity --error \
671		    --title="$title" \
672		    --text="$ipaddr $msg_badip")
673		ipaddr=
674	fi
675}
676
677getAllZoneNICs(){
678	integer count=0
679	for i in $(ifconfig -a4|grep  "^[a-z].*:")
680	do
681		print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
682		[ $? -eq 1 ] && continue
683
684		i=${i%:} # Remove colon after interface name
685		for j in $(ifconfig $i)
686		do
687			case $j in
688				all-zones)
689					aznics[count]=$i
690					count+=1
691					;;
692			esac
693		done
694        done
695}
696
697getNetmask() {
698	cidr=
699	nm=$(zenity --entry \
700	    --title="$title" \
701	    --width=330 \
702	    --text="$ipaddr: Enter netmask: " \
703	    --entry-text 255.255.255.0)
704	[ $? != 0 ] && return;
705
706	cidr=$(perl -e 'use Socket; print unpack("%32b*",inet_aton($ARGV[0])), "\n";' $nm)
707}
708
709addNet() {
710	getIPaddr
711	if [[ -z $ipaddr ]] ; then
712		return;
713	fi
714	getNetmask
715	if [[ -z $cidr ]] ; then
716		return;
717	fi
718	zonecfg -z $zonename "add net; \
719	    set address=${ipaddr}/${cidr}; \
720	    set physical=$nic; \
721	    end"
722	template=${zonename}_cipso
723	cidr=32
724	updateTnrhdb
725}
726
727getAttrs() {
728	zone=global
729	type=ignore
730	for j in $(ifconfig $nic)
731	do
732		case $j in
733			inet) type=$j;;
734			zone) type=$j;;
735			all-zones) zone=all-zones;;
736			flags*) flags=$j;;
737			*) case $type in
738				inet) ipaddr=$j ;;
739				zone) zone=$j ;;
740				*) continue ;;
741			   esac;
742			   type=ignore;;
743		esac
744	done
745	if [[ $flags == ~(E).UP, ]] ; then
746		updown=Up
747	else
748		updown=Down
749	fi
750	if [[ $nic == ~(E).: ]] ; then
751		linktype=logical
752	else
753		vnic=$(dladm show-vnic -po link $nic 2>/dev/null)
754		if [[ -n $vnic ]] ; then
755			linktype=virtual
756		else
757			linktype=physical
758		fi
759	fi
760	if [ $ipaddr != 0.0.0.0 ] ; then
761		x=$(grep "^${ipaddr}[^0-9]" $TNRHDB)
762		if [ $? = 1 ] ; then
763			template=cipso
764			cidr=32
765			updateTnrhdb
766		else
767			template=$(print "$x"|cut -d : -f2)
768		fi
769	else
770		template="..."
771		ipaddr="..."
772	fi
773}
774deleteTnrhdbEntry() {
775	remote=$(grep "^${ipaddr}[^0-9]" $TNRHDB)
776	if [ $? = 0 ] ; then
777		ip=$(print $remote|cut -d "/" -f1)
778			if [[ $remote == ~(E)./ ]] ; then
779				pr=$(print $remote|cut -d "/" -f2)
780				remote="$ip\\/$pr"
781			fi
782		sed -e "/^${remote}/d" $TNRHDB > /tmp/tnrhdb.$$ 2>/dev/null
783		mv /tmp/tnrhdb.$$ $TNRHDB
784	fi
785}
786
787updateTnrhdb() {
788	deleteTnrhdbEntry
789	if [[ -n $cidr ]] ; then
790		print "${ipaddr}/$cidr:$template" >> $TNRHDB
791		tnctl -h ${ipaddr}/$cidr:$template
792	else
793		print "${ipaddr}:$template" >> $TNRHDB
794		tnctl -h ${ipaddr}:$template
795	fi
796}
797
798getIPaddr() {
799        hostname=$(zenity --entry \
800            --title="$title" \
801	    --width=330 \
802            --text="$nic: Enter Hostname: ")
803
804        [ $? != 0 ] && return
805
806	ipaddr=$(getent hosts $hostname|cut -f1)
807        if [[ -z $ipaddr ]] ; then
808		ipaddr=$(zenity --entry \
809		    --title="$title" \
810		    --text="$nic: Enter IP address: " \
811		    --entry-text a.b.c.d)
812		[ $? != 0 ] && return
813		validateIPaddr
814	fi
815
816}
817
818addHost() {
819	# Update hosts
820        if [[ -z $ipaddr ]] ; then
821               return;
822	fi
823	grep "^${ipaddr}[^0-9]" /etc/inet/hosts >/dev/null
824	if [ $? -eq 1 ] ; then
825		print "$ipaddr\t$hostname" >> /etc/inet/hosts
826	fi
827
828	template=cipso
829	cidr=32
830	updateTnrhdb
831
832	ifconfig $nic $ipaddr netmask + broadcast +
833	#
834	# TODO: better integration with nwam
835	# TODO: get/set netmask for IP address
836	#
837	print $hostname > /etc/hostname.$nic
838}
839
840createInterface() {
841	msg=$(ifconfig $nic addif 0.0.0.0)
842	$(zenity --info \
843	    --title="$title" \
844	    --text="$msg" )
845	nic=$(print "$msg"|cut -d" " -f5)
846
847}
848
849createVNIC() {
850	if [ $zonename != global ] ; then
851		vnicname=${zonename}0
852	else
853		vnicname=$(zenity --entry \
854		    --title="$title" \
855		    --width=330 \
856		    --entry-text="" \
857		    --text="Enter VNIC Name: ")
858
859		if [[ ! -n $vnicname ]] ; then
860			return
861		fi
862	fi
863	x=$(dladm show-vnic|grep "^$vnicname " )
864	if [[ ! -n $x ]] ; then
865		dladm create-vnic -l $nic $vnicname
866	fi
867	if [ $zonename = global ] ; then
868		ifconfig $vnicname plumb
869	else
870		zonecfg -z $zonename "add net; \
871		    set physical=$vnicname; \
872		    end"
873	fi
874	nic=$vnicname
875}
876
877shareInterface() {
878	#
879	# TODO: better integration with nwam
880	#
881	ifconfig $nic all-zones;\
882	if_file=/etc/hostname.$nic
883	sed q | sed -e "s/$/ all-zones/" < $if_file >$TXTMP/txnetmgr.$$
884	mv $TXTMP/txnetmgr.$$ $if_file
885}
886
887unshareInterface() {
888	#
889	# TODO: better integration with nwam
890	#
891	ifconfig $nic -zone;\
892	if_file=/etc/hostname.$nic
893	sed q | sed -e "s/all-zones/ /" < $if_file >$TXTMP/txnetmgr.$$
894	mv $TXTMP/txnetmgr.$$ $if_file
895}
896
897addTnrhdb() {
898	ipaddr=$(zenity --entry \
899	    --title="$title" \
900	    --width=330 \
901	    --text="Zone:$zonename. Enter IP address of remote host or network: " \
902	    --entry-text a.b.c.d)
903	[ $? != 0 ] && return
904	validateIPaddr
905	if [[ -z $ipaddr ]] ; then
906		return;
907	fi
908	if [ ${octets[3]} = 0 ] ; then
909		nic="$ipaddr"
910		getNetmask
911		if [[ -z $cidr ]] ; then
912			return;
913		fi
914	else
915		cidr=32
916	fi
917	print "${ipaddr}/$cidr:$template" > $TXTMP/tnrhdb_new.$$
918	x=$(tnchkdb -h $TXTMP/tnrhdb_new.$$ 2>$TXTMP/syntax_error.$$)
919	if [ $? = 0 ] ; then
920		updateTnrhdb
921	else
922		syntax=$(cat $TXTMP/syntax_error.$$)
923		x=$(zenity --error \
924		    --title="$title" \
925		    --text="$syntax")
926	fi
927	rm $TXTMP/tnrhdb_new.$$
928	rm $TXTMP/syntax_error.$$
929}
930
931removeTnrhdb() {
932	while (( 1 )) do
933		remotes=$(grep "^[^#][0-9.]" $TNRHDB|grep ":$template"|cut -d : -f1-2|tr : " ")
934		if [ $template = cipso ] ; then
935			templateHeading="from All Zones":
936		else
937			templateHeading="from this Zone":
938		fi
939		if [[ -n $remotes ]] ; then
940			ipaddr=$(zenity --list \
941			    --title="$title" \
942			    --text="$msg_getremote" \
943			    --height=250 \
944			    --width=300 \
945			    --column="Remove Access to:" \
946			    --column="$templateHeading" \
947			    $remotes)
948
949			if [[ -n $ipaddr ]] ; then
950				deleteTnrhdbEntry
951				tnctl -dh ${ip}:$template
952			else
953				return
954			fi
955		else
956			return
957		fi
958	done
959}
960
961setMLPs() {
962	tnzone=$(grep "^$zonename:" $TNZONECFG 2>/dev/null)
963	zoneMLPs=:$(print "$tnzone"|cut -d : -f4)
964	sharedMLPs=:$(print "$tnzone"|cut -d : -f5)
965	attrs="Private Interfaces$zoneMLPs\nShared Interfaces$sharedMLPs"
966	ports=$(print "$attrs"|zenity --list \
967	    --title="$title" \
968	    --height=200 \
969	    --width=450 \
970	    --text="Zone: $zonename\nClick once to select, twice to edit.\nShift-click to select both rows." \
971	    --column="Multilevel Ports (example: 80-81/tcp;111/udp;)" \
972	    --editable \
973	    --multiple
974	    )
975
976	if [[ -z $ports ]] ; then
977		return
978	fi
979
980	# getopts needs another a blank and another dash
981	ports=--$(print "$ports"|sed 's/ //g'|sed 's/|/ --/g'|sed 's/Interfaces:/ :/g')
982
983	OPTIND=1
984	while getopts "z:(Private)s:(Shared)" opt $ports ; do
985		case $opt in
986			z) zoneMLPs=$OPTARG ;;
987			s) sharedMLPs=$OPTARG ;;
988		esac
989	done
990
991	sed -e "/^$zonename:*/d" $TNZONECFG > $TXTMP/tnzonecfg.$$ 2>/dev/null
992	tnzone=$(print "$tnzone"|cut -d : -f1-3)
993	echo "${tnzone}${zoneMLPs}${sharedMLPs}" >> $TXTMP/tnzonecfg.$$
994
995	x=$(tnchkdb -z $TXTMP/tnzonecfg.$$ 2>$TXTMP/syntax_error.$$)
996
997	if [ $? = 0 ] ; then
998		mv $TXTMP/tnzonecfg.$$ $TNZONECFG
999		zenity --info \
1000		    --title="$title" \
1001		    --text="Multilevel ports for the $zonename zone\nwill be interpreted on next reboot."
1002		if [ $zonename != global ] ; then
1003			getLabelRange
1004		fi
1005	else
1006		syntax=$(cat $TXTMP/syntax_error.$$)
1007		x=$(zenity --error \
1008		    --title="$title" \
1009		    --text="$syntax")
1010		rm $TXTMP/tnzonecfg.$$
1011	fi
1012	rm $TXTMP/syntax_error.$$
1013}
1014
1015enableAuthentication() {
1016	integer file_cnt=0
1017
1018	zonepath=$(zoneadm -z $1 list -p|cut -d : -f4)
1019	ZONE_ETC_DIR=$zonepath/root/etc
1020
1021	# If the zone's shadow file was previously read-only
1022	# there may be no root password entry for this zone.
1023	# If so, replace the root password entry with the global zone's.
1024
1025	entry=$(grep ^root:: $ZONE_ETC_DIR/shadow)
1026	if [ $? -eq 0 ] ; then
1027		grep ^root: /etc/shadow > $TXTMP/shadow.$$
1028		sed -e "/^root::/d" $ZONE_ETC_DIR/shadow >> \
1029		    $TXTMP/shadow.$$ 2>/dev/null
1030		mv $TXTMP/shadow.$$ $ZONE_ETC_DIR/shadow
1031		chmod 400 $ZONE_ETC_DIR/shadow
1032	fi
1033
1034	if [ $LOGNAME = "root" ]; then
1035		return
1036	fi
1037
1038	file[0]="passwd"
1039	file[1]="shadow"
1040	file[2]="user_attr"
1041	#
1042	# Add the user who assumed the root role to each installed zone
1043	#
1044	while (( file_cnt < ${#file[*]} )); do
1045		exists=$(grep "^${LOGNAME}:" \
1046		    $ZONE_ETC_DIR/${file[file_cnt]} >/dev/null)
1047		if [ $? -ne 0 ] ; then
1048			entry=$(grep "^${LOGNAME}:" \
1049			    /etc/${file[file_cnt]})
1050			if [ $? -eq 0 ] ; then
1051				print "$entry" >> \
1052				    $ZONE_ETC_DIR/${file[file_cnt]}
1053			fi
1054		fi
1055		file_cnt+=1
1056	done
1057	chmod 400 $ZONE_ETC_DIR/shadow
1058}
1059
1060unsharePasswd() {
1061	zonecfg -z $1 remove fs dir=/etc/passwd >/dev/null 2>&1 | grep -v such
1062	zonecfg -z $1 remove fs dir=/etc/shadow >/dev/null 2>&1 | grep -v such
1063	zoneadm -z $1 ready >/dev/null 2>&1
1064	if [ $? -eq 0 ] ; then
1065		enableAuthentication $1
1066		zoneadm -z $1 halt >/dev/null 2>&1
1067	else
1068		echo Skipping $1
1069	fi
1070}
1071
1072sharePasswd() {
1073	passwd=$(zonecfg -z $1 info|grep /etc/passwd)
1074	if [ $? -eq 1 ] ; then
1075		zonecfg -z $1 "add fs; \
1076		    set special=/etc/passwd; \
1077		    set dir=/etc/passwd; \
1078		    set type=lofs; \
1079		    add options ro; \
1080		    end; \
1081		    add fs; \
1082		    set special=/etc/shadow; \
1083		    set dir=/etc/shadow; \
1084		    set type=lofs; \
1085		    add options ro; \
1086		    end"
1087	fi
1088	zoneadm -z $1 halt >/dev/null 2>&1
1089}
1090
1091# This routine is a toggle -- if we find it configured for global nscd,
1092# change to nscd-per-label and vice-versa.
1093#
1094# The user was presented with only the choice to CHANGE the existing
1095# configuration.
1096
1097manageNscd() {
1098	if [ $NSCD_PER_LABEL -eq 0 ] ; then
1099		# this MUST be a regular file for svc-nscd to detect
1100		touch $NSCD_INDICATOR
1101		NSCD_OPT="Unconfigure per-zone name service"
1102		NSCD_PER_LABEL=1
1103		for i in $(zoneadm list -i | grep -v global) ; do
1104			zoneadm -z $i halt >/dev/null 2>&1
1105			unsharePasswd $i
1106		done
1107	else
1108		rm -f $NSCD_INDICATOR
1109		NSCD_OPT="Configure per-zone name service"
1110		NSCD_PER_LABEL=0
1111		for i in $(zoneadm list -i | grep -v global) ; do
1112			zoneadm -z $i halt >/dev/null 2>&1
1113			sharePasswd $i
1114		done
1115	fi
1116}
1117
1118manageZoneNets () {
1119	ncmds[0]="Only use all-zones interfaces"
1120	ncmds[1]="Add a logical interface"
1121	ncmds[2]="Add a virtual interface (VNIC)"
1122
1123	stacks[0]="Shared Stack"
1124	stacks[1]="Exclusive Stack"
1125
1126	getAllZoneNICs
1127	netOps[0]="1\n${ncmds[0]}\nShared Stack\n${aznics[*]}"
1128
1129	integer nic_cnt=0
1130	integer netOp_cnt=2
1131
1132	set -A nics $(dladm show-phys|grep -v LINK|cut -f1 -d " ")
1133
1134	while (( nic_cnt < ${#nics[*]} )); do
1135		netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[1]}\n${stacks[0]}\n${nics[nic_cnt]}"
1136		netOp_cnt+=1
1137		netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[2]}\n${stacks[1]}\n${nics[nic_cnt]}"
1138		netOp_cnt+=1
1139		nic_cnt+=1
1140	done
1141
1142	netOp=$(print "${netOps[*]}"|zenity --list \
1143	    --title="$title" \
1144	    --text="$msg_getnet $zonename zone:" \
1145	    --height=300 \
1146	    --width=500 \
1147	    --column="#" \
1148	    --column="Network Configuration " \
1149	    --column="IP Type" \
1150	    --column="Available Interfaces" \
1151	    --hide-column=1
1152	)
1153
1154	# User picked cancel or no selection
1155	if [[ -z $netOp ]] ; then
1156		return
1157	fi
1158
1159	# All-zones is the default, so just return
1160	if [ $netOp = 1 ] ; then
1161		return
1162	fi
1163
1164	cmd=$(print "${netOps[$netOp - 1]}"|tr '\n' ';' |cut -d';' -f 3)
1165	nic=$(print "${netOps[$netOp - 1]}"|tr '\n' ';' |cut -d';' -f 5)
1166	case $cmd in
1167	    ${ncmds[1]} )
1168		addNet;
1169		;;
1170	    ${ncmds[2]} )
1171		zonecfg -z $zonename set ip-type=exclusive
1172		createVNIC
1173		;;
1174	esac
1175}
1176
1177manageInterface () {
1178	while (( 1 )) do
1179		getAttrs
1180
1181		# Clear list of commands
1182
1183		share=
1184		setipaddr=
1185		newlogical=
1186		newvnic=
1187		unplumb=
1188		bringup=
1189		bringdown=
1190
1191		if [ $updown = Down ] ; then
1192			bringup="Bring Up\n"
1193		else
1194			bringdown="Bring Down\n"
1195		fi
1196
1197		case $linktype in
1198		physical )
1199			newlogical="Create Logical Interface...\n";
1200			newvnic="Create Virtual Interface (VNIC)...\n";
1201			;;
1202		logical )
1203			unplumb="Remove Logical Interface\n"
1204			;;
1205		virtual )
1206			newlogical="Create Logical Interface...\n";
1207			unplumb="Remove Virtual Interface\n" ;
1208			;;
1209		esac
1210
1211		if [ $ipaddr = "..." ] ; then
1212			setipaddr="Set IP address...\n"
1213		elif [ $zone != all-zones ] ; then
1214			share="Share with Shared-IP Zones\n"
1215		else
1216			share="Remove from Shared-IP Zones\n"
1217		fi
1218
1219		command=$(print ""\
1220		    $share \
1221		    $setipaddr \
1222		    $newlogical \
1223		    $newvnic \
1224		    $unplumb \
1225		    $bringup \
1226		    $bringdown \
1227		    | zenity --list \
1228		    --title="$title" \
1229		    --text="Select a command from the list below:" \
1230		    --height=300 \
1231		    --column "Interface: $nic" )
1232
1233		case $command in
1234		    " Create Logical Interface...")
1235			createInterface;;
1236		    " Create Virtual Interface (VNIC)...")
1237			createVNIC ;;
1238		    " Set IP address...")
1239			getIPaddr
1240			addHost;;
1241		    " Share with Shared-IP Zones")
1242			shareInterface;;
1243		    " Remove from Shared-IP Zones")
1244			unshareInterface;;
1245		    " Remove Logical Interface")
1246			ifconfig $nic unplumb
1247			rm -f /etc/hostname.$nic
1248			return;;
1249		    " Remove Virtual Interface")
1250			ifconfig $nic unplumb
1251			dladm delete-vnic $nic
1252			rm -f /etc/hostname.$nic
1253			return;;
1254		    " Bring Up")
1255			ifconfig $nic up;;
1256		    " Bring Down")
1257			ifconfig $nic down;;
1258		    *) return;;
1259		esac
1260	done
1261}
1262
1263sharePrimaryNic() {
1264	set -A ip $(getent hosts $(cat /etc/nodename))
1265	for i in $(ifconfig -au4|grep  "^[a-z].*:" |grep -v LOOPBACK)
1266	do
1267		print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
1268		[ $? -eq 1 ] && continue
1269
1270		nic=${i%:} # Remove colon after interface name
1271		getAttrs
1272		if [ ${ip[0]} = $ipaddr ]; then
1273			shareInterface
1274			break
1275		fi
1276	done
1277}
1278
1279manageNets() {
1280	while (( 1 )) do
1281		attrs=
1282		for i in $(ifconfig -a4|grep  "^[a-z].*:" |grep -v LOOPBACK)
1283		do
1284			print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
1285			[ $? -eq 1 ] && continue
1286
1287			nic=${i%:} # Remove colon after interface name
1288			getAttrs
1289			attrs="$nic $linktype $zone $ipaddr $template $updown $attrs"
1290		done
1291
1292		nic=$(zenity --list \
1293		    --title="$title" \
1294		    --text="Select an interface from the list below:" \
1295		    --height=300 \
1296		    --width=500 \
1297		    --column="Interface" \
1298		    --column="Type" \
1299		    --column="Zone Name" \
1300		    --column="IP Address" \
1301		    --column="Template" \
1302		    --column="State" \
1303		    $attrs)
1304
1305		if [[ -z $nic ]] ; then
1306			return
1307		fi
1308		manageInterface
1309	done
1310}
1311
1312createLDAPclient() {
1313	ldaptitle="$title: Create LDAP Client"
1314	ldapdomain=$(zenity --entry \
1315	    --width=400 \
1316	    --title="$ldaptitle" \
1317	    --text="Enter Domain Name: ")
1318	if [[ -n $ldapdomain ]] ; then
1319	ldapserver=$(zenity --entry \
1320	    --width=400 \
1321	    --title="$ldaptitle" \
1322	    --text="Enter Hostname of LDAP Server: ")
1323	else
1324		return
1325	fi
1326	if [[ -n $ldapserver ]] ; then
1327	ldapserveraddr=$(zenity --entry \
1328	    --width=400 \
1329	    --title="$ldaptitle" \
1330	    --text="Enter IP adddress of LDAP Server $ldapserver: ")
1331	else
1332		return
1333	fi
1334	ldappassword=""
1335	while [[ -z ${ldappassword} || "x$ldappassword" != "x$ldappasswordconfirm" ]] ; do
1336	    ldappassword=$(zenity --entry \
1337		--width=400 \
1338		--title="$ldaptitle" \
1339		--hide-text \
1340		--text="Enter LDAP Proxy Password:")
1341	    ldappasswordconfirm=$(zenity --entry \
1342		--width=400 \
1343		--title="$ldaptitle" \
1344		--hide-text \
1345		--text="Confirm LDAP Proxy Password:")
1346	done
1347	ldapprofile=$(zenity --entry \
1348	    --width=400 \
1349	    --title="$ldaptitle" \
1350	    --text="Enter LDAP Profile Name: ")
1351	whatnext=$(zenity --list \
1352	    --width=400 \
1353	    --height=250 \
1354	    --title="$ldaptitle" \
1355	    --text="Proceed to create LDAP Client?" \
1356	    --column=Parameter --column=Value \
1357	    "Domain Name" "$ldapdomain" \
1358	    "Hostname" "$ldapserver" \
1359	    "IP Address" "$ldapserveraddr" \
1360	    "Password" "$(print "$ldappassword" | sed 's/./*/g')" \
1361	    "Profile" "$ldapprofile")
1362	[ $? != 0 ] && return
1363
1364	grep "^${ldapserveraddr}[^0-9]" /etc/hosts > /dev/null
1365	if [ $? -eq 1 ] ; then
1366		print "$ldapserveraddr $ldapserver" >> /etc/hosts
1367	fi
1368
1369	grep "${ldapserver}:" $TNRHDB > /dev/null
1370	if [ $? -eq 1 ] ; then
1371		print "# ${ldapserver} - ldap server" \
1372		    >> $TNRHDB
1373		print "${ldapserveraddr}:cipso" \
1374		    >> $TNRHDB
1375		tnctl -h "${ldapserveraddr}:cipso"
1376	fi
1377
1378	proxyDN=$(print $ldapdomain|awk -F"." \
1379	    "{ ORS = \"\" } { for (i = 1; i < NF; i++) print \"dc=\"\\\$i\",\" }{ print \"dc=\"\\\$NF }")
1380
1381	zenity --info \
1382	    --title="$ldaptitle" \
1383	    --width=500 \
1384	    --text="global zone will be LDAP client of $ldapserver"
1385
1386	ldapout=$TXTMP/ldapclient.$$
1387
1388	ldapclient init -a profileName="$ldapprofile" \
1389	    -a domainName="$ldapdomain" \
1390	    -a proxyDN"=cn=proxyagent,ou=profile,$proxyDN" \
1391	    -a proxyPassword="$ldappassword" \
1392	    "$ldapserveraddr" >$ldapout 2>&1
1393
1394	if [ $? -eq 0 ] ; then
1395	    ldapstatus=Success
1396	else
1397	    ldapstatus=Error
1398	fi
1399
1400	zenity --text-info \
1401	    --width=700 \
1402	    --height=300 \
1403	    --title="$ldaptitle: $ldapstatus" \
1404	    --filename=$ldapout
1405
1406	rm -f $ldapout
1407
1408
1409}
1410
1411tearDownZones() {
1412	if [ $DISP -eq 0 ] ; then
1413		if [ $FORCE -eq 0 ] ; then
1414			gettext "OK to destroy all zones [y|N]? "
1415			read ans
1416			printf "%s\n" "$ans" \
1417			    | /usr/xpg4/bin/grep -Eq "$(locale yesexpr)"
1418			if [ $? -ne 0 ] ; then
1419				gettext "canceled.\n"
1420				return 1
1421			fi
1422		fi
1423		gettext "destroying all zones ...\n"
1424	else
1425		killall=$(zenity --question \
1426		    --title="$title" \
1427		    --width=330 \
1428		    --text="$msg_confirmkill")
1429		if [[ $? != 0 ]]; then
1430			return
1431		fi
1432	fi
1433
1434	for p in $(zoneadm list -cp|grep -v global:) ; do
1435		zonename=$(echo "$p"|cut -d : -f2)
1436		if [ $DISP -eq 0 ] ; then
1437			gettext "destroying zone $zonename ...\n"
1438		fi
1439		zoneadm -z $zonename halt 1>/dev/null 2>&1
1440		zoneadm -z $zonename uninstall -F 1>/dev/null 2>&1
1441		delete -rRf
1442	done
1443	zonename=global
1444}
1445
1446createDefaultZones() {
1447	# If GUI display is not used, skip the dialog
1448	if [ $DISP -eq 0 ] ; then
1449		createDefaultPublic
1450		if [ $? -ne 0 ] ; then
1451			return 1
1452		fi
1453		createDefaultInternal
1454		return
1455	fi
1456
1457	msg_choose1=$(gettext "Choose one:")
1458	defpub=$(gettext "$PUBZONE zone only")
1459	defboth=$(gettext "$PUBZONE and $INTZONE zones")
1460	defskip=$(gettext "Main Menu...")
1461	command=$(echo ""\
1462	    "$defpub\n" \
1463	    "$defboth\n" \
1464	    "$defskip\n" \
1465	    | zenity --list \
1466	    --title="$title" \
1467	    --text="$msg_defzones" \
1468	    --column="$msg_choose1" \
1469	    --height=400 \
1470	    --width=330 )
1471
1472	case $command in
1473	    " $defpub")
1474		createDefaultPublic ;;
1475
1476	    " $defboth")
1477		createDefaultPublic
1478		if [ $? -ne 0 ] ; then
1479			return 1
1480		fi
1481		createDefaultInternal ;;
1482
1483	    *)
1484		return;;
1485	esac
1486}
1487
1488createDefaultPublic() {
1489	zonename=$PUBZONE
1490	if [ $DISP -eq 0 ] ; then
1491		gettext "creating default $zonename zone ...\n"
1492	fi
1493	newZone
1494	zone_cnt+=1
1495	hexlabel=$DEFAULTLABEL
1496	setTNdata
1497	sharePrimaryNic
1498
1499	install
1500	if [ $? -ne 0 ] ; then
1501		return 1
1502	fi
1503
1504	if [ $DISP -eq 0 ] ; then
1505		gettext "booting zone $zonename ...\n"
1506		zoneadm -z $zonename boot
1507	else
1508		zoneadm -z $zonename boot &
1509		gnome-terminal \
1510		    --disable-factory \
1511		    --title="Zone Console: $zonename $msg_continue" \
1512		    --command "zlogin -C $zonename"
1513	fi
1514}
1515
1516createDefaultInternal() {
1517	zoneadm -z $PUBZONE halt
1518
1519	zonename=snapshot
1520	newZone
1521	zone_cnt+=1
1522	zonecfg -z $zonename set autoboot=false
1523
1524	clone $PUBZONE
1525	zoneadm -z $PUBZONE boot &
1526
1527	zonename=$INTZONE
1528	if [ $DISP -eq 0 ] ; then
1529		gettext "creating default $zonename zone ...\n"
1530	fi
1531	newZone
1532	zone_cnt+=1
1533
1534	hexlabel=$INTLABEL
1535	x=$(grep -i :{$hexlabel}: $TNZONECFG)
1536	if [ $? = 0 ] ; then
1537		z=$(print $x|cut -d : -f1)
1538		echo "$msg_inuse $z zone."
1539	else
1540		setTNdata
1541	fi
1542
1543	clone snapshot
1544	if [ $DISP -eq 0 ] ; then
1545		gettext "booting zone $zonename ...\n"
1546	else
1547		gnome-terminal \
1548		    --title="Zone Console: $zonename" \
1549		    --command "zlogin -C $zonename" &
1550	fi
1551	zoneadm -z $zonename boot &
1552}
1553
1554selectZone() {
1555	set -A zonelist "global\nrunning\nADMIN_HIGH"
1556	integer zone_cnt=1
1557
1558	for p in $(zoneadm list -cp|grep -v global:) ; do
1559		zone_cnt+=1
1560	done
1561	if [ $zone_cnt == 1 ] ; then
1562		createDefaultZones
1563	fi
1564	if [ $zone_cnt == 1 ] ; then
1565		zonename=global
1566		singleZone
1567		return
1568	fi
1569
1570	zone_cnt=1
1571	for p in $(zoneadm list -cp|grep -v global:) ; do
1572		zonename=$(echo "$p"|cut -d : -f2)
1573		state=$(echo "$p"|cut -d : -f3)
1574		hexlabel=$(grep "^$zonename:" $TNZONECFG|cut -d : -f2)
1575		if [[ $hexlabel ]] ; then
1576			curlabel=$(hextoalabel $hexlabel)
1577		else
1578			curlabel=...
1579		fi
1580		zonelist[zone_cnt]="\n$zonename\n$state\n$curlabel"
1581		zone_cnt+=1
1582	done
1583	zonename=$(print "${zonelist[*]}"|zenity --list \
1584	    --title="$title" \
1585	    --text="$msg_getzone" \
1586	    --height=300 \
1587	    --width=500 \
1588	    --column="Zone Name" \
1589	    --column="Status" \
1590	    --column="Sensitivity Label" \
1591	)
1592
1593	# if the menu choice was a zonename, pop up zone menu
1594	if [[ -n $zonename ]] ; then
1595		singleZone
1596	else
1597		exit
1598	fi
1599}
1600
1601# Loop for single-zone menu
1602singleZone() {
1603
1604	while (( 1 )) do
1605		# Clear list of commands
1606
1607		console=
1608		label=
1609		start=
1610		reboot=
1611		stop=
1612		clone=
1613		install=
1614		ready=
1615		uninstall=
1616		autoboot=
1617		delete=
1618		deletenet=
1619		permitrelabel=
1620
1621		if [ $zone_cnt -gt 1 ] ; then
1622			killZones="Destroy all zones...\n"
1623			xit="Select another zone..."
1624		else
1625			killZones=
1626			xit="Exit"
1627		fi
1628		if [ $zonename = global ] ; then
1629			ldapClient="Create LDAP Client...\n"
1630			nscdOpt="$NSCD_OPT\n"
1631			createZone="Create a new zone...\n"
1632			addnet="Configure Network Interfaces...\n"
1633		else
1634			ldapClient=
1635			nscdOpt=
1636			createZone=
1637			addnet=
1638			killZones=
1639		fi
1640
1641		zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
1642
1643		consoleCheck;
1644		labelCheck;
1645		delay=0
1646
1647		if [ $zonename != global ] ; then
1648			case $zonestate in
1649				running)
1650					ready="Ready\n"
1651					reboot="Reboot\n"
1652					stop="Halt\n"
1653					;;
1654				ready)
1655					start="Boot\n"
1656					stop="Halt\n"
1657					;;
1658				installed)
1659					if [[ -z $label ]] ; then
1660						ready="Ready\n"
1661						start="Boot\n"
1662					fi
1663					uninstall="Uninstall\n"
1664					relabelCheck
1665					autobootCheck
1666					;;
1667				configured)
1668					install="Install...\n"
1669					cloneCheck
1670					delete="Delete\n"
1671					console=
1672					;;
1673				incomplete)
1674					uninstall="Uninstall\n"
1675					;;
1676				*)
1677				;;
1678			esac
1679		fi
1680
1681		command=$(echo ""\
1682		    $createZone \
1683		    $console \
1684		    $label \
1685		    $start \
1686		    $reboot \
1687		    $stop \
1688		    $clone \
1689		    $install \
1690		    $ready \
1691		    $uninstall \
1692		    $delete \
1693		    $addnet \
1694		    $deletenet \
1695		    $addremotehost \
1696		    $addcipsohost \
1697		    $removeremotehost \
1698		    $removecipsohost \
1699		    $setmlps \
1700		    $permitrelabel \
1701		    $autoboot \
1702		    $ldapClient \
1703		    $nscdOpt \
1704		    $killZones \
1705		    $xit \
1706		    | zenity --list \
1707		    --title="$title" \
1708		    --text="$msg_getcmd" \
1709		    --height=400 \
1710		    --width=330 \
1711		    --column "Zone: $zonename   Status: $zonestate" )
1712
1713		case $command in
1714		    " Create a new zone...")
1715			zonename=
1716			newZone ;;
1717
1718		    " Zone Console...")
1719			delay=2
1720			gnome-terminal \
1721			    --title="Zone Console: $zonename" \
1722			    --command "zlogin -C $zonename" & ;;
1723
1724		    " Select Label...")
1725			selectLabel;;
1726
1727		    " Ready")
1728			zoneadm -z $zonename ready ;;
1729
1730		    " Boot")
1731			zoneadm -z $zonename boot ;;
1732
1733		    " Halt")
1734			zoneadm -z $zonename halt ;;
1735
1736		    " Reboot")
1737			zoneadm -z $zonename reboot ;;
1738
1739		    " Install...")
1740			install;;
1741
1742		    " Clone...")
1743			clone ;;
1744
1745		    " Uninstall")
1746			zoneadm -z $zonename uninstall -F;;
1747
1748		    " Delete")
1749			delete
1750			return ;;
1751
1752		    " Configure Network Interfaces...")
1753			if [ $zonename = global ] ; then
1754				manageNets
1755			else
1756				manageZoneNets
1757			fi;;
1758
1759		    " Add Single-level Access to Remote Host...")
1760			addTnrhdb ;;
1761
1762		    " Add Multilevel Access to Remote Host...")
1763			template=cipso
1764			addTnrhdb ;;
1765
1766		    " Remove Single-level Access to Remote Host...")
1767			removeTnrhdb ;;
1768
1769		    " Remove Multilevel Access to Remote Host...")
1770			template=cipso
1771			removeTnrhdb ;;
1772
1773		    " Configure Multilevel Ports...")
1774			setMLPs;;
1775
1776		    " Permit Relabeling")
1777			zonecfg -z $zonename set limitpriv=default,\
1778win_mac_read,win_mac_write,win_selection,win_dac_read,win_dac_write,\
1779file_downgrade_sl,file_upgrade_sl,sys_trans_label ;;
1780
1781		    " Deny Relabeling")
1782			zonecfg -z $zonename set limitpriv=default ;;
1783
1784		    " Set Automatic Booting")
1785			zonecfg -z $zonename set autoboot=true ;;
1786
1787		    " Set Manual Booting")
1788			zonecfg -z $zonename set autoboot=false ;;
1789
1790		    " Create LDAP Client...")
1791			createLDAPclient ;;
1792
1793		    " Configure per-zone name service")
1794			manageNscd ;;
1795
1796		    " Unconfigure per-zone name service")
1797			manageNscd ;;
1798
1799		    " Destroy all zones...")
1800			tearDownZones
1801			return ;;
1802
1803		    *)
1804			if [ $zone_cnt == 1 ] ; then
1805				exit
1806			else
1807				return
1808			fi;;
1809		esac
1810		sleep $delay;
1811	done
1812}
1813
1814# Main loop for top-level window
1815#
1816
1817/usr/bin/plabel $$ 1>/dev/null 2>&1
1818if [ $? != 0 ] ; then
1819	gettext "$0 : Trusted Extensions must be enabled.\n"
1820	exit 1
1821fi
1822
1823myzone=$(/sbin/zonename)
1824if [ $myzone != "global" ] ; then
1825	gettext "$0 : must be in global zone to run.\n"
1826	exit 1
1827fi
1828
1829
1830process_options "$@" || exit
1831
1832mkdir $TXTMP 2>/dev/null
1833deflabel=$(chk_encodings -a|grep "Default User Sensitivity"|\
1834   sed 's/= /=/'|sed 's/"/'''/g|cut -d"=" -f2)
1835DEFAULTLABEL=$(atohexlabel ${deflabel})
1836intlabel=$(chk_encodings -a|grep "Default User Clearance"|\
1837   sed 's/= /=/'|sed 's/"/'''/g|cut -d"=" -f2)
1838INTLABEL=$(atohexlabel -c "${intlabel}")
1839
1840# are there any zfs pools?
1841ZDSET=none
1842zpool iostat 1>/dev/null 2>&1
1843if [ $? = 0 ] ; then
1844	# is there a zfs pool named "zone"?
1845	zpool list -H zone 1>/dev/null 2>&1
1846	if [ $? = 0 ] ; then
1847		# yes
1848		ZDSET=zone
1849	else
1850		# no, but is there a root pool?
1851		rootfs=$(df -n / | awk '{print $3}')
1852		if [ $rootfs = "zfs" ] ; then
1853			# yes, use it
1854			ZDSET=$(zfs list -Ho name / | cut -d/ -f 1)/zones
1855			zfs list -H $ZDSET 1>/dev/null 2>&1
1856			if [ $? = 1 ] ; then
1857				createZDSET "-o mountpoint=/zone" $ZDSET
1858			fi
1859		fi
1860	fi
1861fi
1862
1863if [ $DISP -eq 0 ] ; then
1864	gettext "non-interactive mode ...\n"
1865
1866	if [ $DESTROYZONES -eq 1 ] ; then
1867		tearDownZones
1868	fi
1869
1870	if [ $CREATEDEF -eq 1 ] ; then
1871		if [[ $(zoneadm list -c) == global ]] ; then
1872			createDefaultZones
1873		else
1874			gettext "cannot create default zones because there are existing zones.\n"
1875		fi
1876	fi
1877
1878	exit
1879fi
1880
1881if [ $NSCD_PER_LABEL -eq 0 ] ; then
1882	NSCD_OPT="Configure per-zone name service"
1883else
1884	NSCD_OPT="Unconfigure per-zone name service"
1885fi
1886
1887
1888while (( 1 )) do
1889	selectZone
1890done
1891