xref: /titanic_50/usr/src/cmd/tsol/labeld/svc-labeld (revision a856bf0569d60e1d5715fdbd2cfbf389c2a720d7)
1#!/sbin/sh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23# Use is subject to license terms.
24#
25#ident	"%Z%%M%	%I%	%E% SMI"
26
27. /lib/svc/share/smf_include.sh
28
29ROOT_PATH=""
30if [ $# -gt 1 ]; then
31	if [ $# -ne 3 -o "$2" != "-R" ]; then
32		echo "$0: invalid syntax"
33		exit $SMF_EXIT_ERR_CONFIG
34	fi
35	if [ "$3" != "/" ]; then
36		ROOT_PATH=$3
37	fi
38fi
39if [ -n "$ROOT_PATH" -a "$1" != "start" ]; then
40	echo "$0: invalid syntax: -R allowed for start method only"
41	exit $SMF_EXIT_ERR_CONFIG
42fi
43if [ -n "$ROOT_PATH" -a ! -d "$ROOT_PATH" ]; then
44	echo "$0: invalid -R rootpath dir specified"
45	exit $SMF_EXIT_ERR_CONFIG
46fi
47
48if smf_is_nonglobalzone; then
49	echo "$0: not supported in a local zone"
50	exit $SMF_EXIT_ERR_CONFIG
51fi
52
53do_logindev()
54{
55	# Comment out audio and usb device entries in /etc/logindevperm.
56	LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
57	if [ -f $LOGINDEVPERM ]; then
58		line="\/dev\/console	0600	\/dev\/sound\/\*"
59		sed -e "s/^$line/#$line/" $LOGINDEVPERM > /tmp/tmp.$$
60		cp /tmp/tmp.$$ $LOGINDEVPERM
61		line="\/dev\/console	0600	\/dev\/usb\/\[0-9a-f\]+\[.\]\[0-9a-f\]+\/\[0-9\]+\/\*"
62		sed -e "s/^$line/#$line/" $LOGINDEVPERM > /tmp/tmp.$$
63		cp /tmp/tmp.$$ $LOGINDEVPERM
64		rm -f /tmp/tmp.$$
65	fi
66}
67
68do_otherservices()
69{
70	# Setup dependent services
71	cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__ENABLE_OTHERS
72		/usr/sbin/svcadm enable -s svc:/network/tnd:default
73		/usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
74		/usr/sbin/svccfg -s svc:/application/x11/x11-server \
75		    setprop options/tcp_listen = true
76		/usr/sbin/svcadm enable svc:/network/rpc/rstat:default
77__ENABLE_OTHERS
78
79}
80
81do_bsmconv()
82{
83	# Run bsmconv so audit and device allocation is enabled by
84	# default with Trusted Extensions.
85	if [ "$ROOT_PATH" = "/" -o "$ROOT_PATH" = "" ]; then
86		BSMDIR=""
87	else
88		BSMDIR=$ROOT_PATH
89	fi
90	echo "Running bsmconv ..."
91	echo `TEXTDOMAIN="SUNW_OST_OSCMD" gettext "y"` | \
92	    $ROOT_PATH/etc/security/bsmconv $ROOT_PATH
93}
94
95do_nscd()
96{
97# For Trusted Extensions, make nscd service transient in local zones.
98cat >> $ROOT_PATH/var/svc/profile/upgrade <<\_DEL_LOCAL_NSCD
99	if [ `/sbin/zonename` != "global" ]; then
100		nscd="svc:/system/name-service-cache"
101		duration=""
102		if /bin/svcprop -q -c -p startd/duration $nscd ; then
103			duration=`/bin/svcprop -c -p startd/duration $nscd`
104		fi
105		if [ "$duration" != "transient" ]; then
106			/usr/sbin/svccfg -s $nscd addpg startd framework
107			/usr/sbin/svccfg -s $nscd setprop \
108			    startd/duration = astring: transient
109			/usr/sbin/svccfg -s $nscd setprop stop/exec = :true
110			/usr/sbin/svcadm refresh $nscd
111		fi
112	fi
113_DEL_LOCAL_NSCD
114}
115
116do_bootupd()
117{
118	if [ -f $ROOT_PATH/platform/`/sbin/uname -m`/boot_archive ]; then
119		if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
120			/sbin/bootadm update-archive
121		else
122			/sbin/bootadm update-archive -R $ROOT_PATH
123		fi
124	fi
125}
126
127setup_tx_changes(){
128#
129# No comments or blanks lines allowed in entries below
130#
131cat > ${TX_ENTRIES} << EOF
132dtlogin		account		requisite	pam_roles.so.1
133dtlogin		account		required	pam_unix_account.so.1
134dtsession	account		requisite	pam_roles.so.1
135dtsession	account		required	pam_unix_account.so.1
136gdm		account		requisite	pam_roles.so.1
137gdm		account		required	pam_unix_account.so.1
138xscreensaver	account		requisite	pam_roles.so.1
139xscreensaver	account		required	pam_unix_account.so.1
140passwd		account		requisite	pam_roles.so.1
141passwd		account		required	pam_unix_account.so.1
142dtpasswd	account		requisite	pam_roles.so.1
143dtpasswd	account		required	pam_unix_account.so.1
144other		account		required	pam_tsol_account.so.1
145EOF
146}
147
148do_addpam()
149{
150	PAM_TMP=/tmp/pam_conf.$$
151	TX_ENTRIES=$PAM_TMP/sct.$$
152	PAM_DEST=$ROOT_PATH/etc/pam.conf
153
154	mkdir $PAM_TMP  || exit $SMF_EXIT_ERR_FATAL
155	setup_tx_changes
156
157	# verify that pam.conf file exists...
158	if [ ! -f ${PAM_DEST} ]; then
159		echo "$0: ${PAM_DEST} not found; aborting"
160		exit $SMF_EXIT_ERR_FATAL
161	fi
162
163	#
164	# Update pam.conf to append Trusted Extensions entries if not
165	# already present.
166	#
167	rm -f /tmp/pamconf.$$
168	while read e1 e2 e3 e4 e5
169	do
170		# If this is the 'other' entry, add it unless it already
171		# exists.
172		if [ $e1 = "other" ]; then
173			grep \
174"^[# 	]*$e1[ 	][ 	]*$e2[ 	][ 	]*$e3[ 	][ 	]*$e4" \
175			    $PAM_DEST >/dev/null 2>&1
176			if [ $? = 1 ] ; then
177				# Doesn't exist, enter into pam.conf
178				echo "$e1\t$e2 $e3\t\t$e4 $e5" \
179				    >> /tmp/pamconf.$$
180			fi
181		else
182			# Add other entries unless they already have a
183			# stack of their own.
184			grep "^[# 	]*$e1[ 	][ 	]*$e2[ 	]" \
185			    $PAM_DEST >/dev/null 2>&1
186			if [ $? = 1 ] ; then
187				echo "$e1\t$e2 $e3\t\t$e4 $e5" \
188				    >> /tmp/pamconf.$$
189			fi
190		fi
191	done < ${TX_ENTRIES}
192	# Append TX lines if any were not present already.
193	if [ -f /tmp/pamconf.$$ ] ; then
194		echo "# Entries for Trusted Extensions" >> $PAM_DEST
195		cat /tmp/pamconf.$$ >> $PAM_DEST
196		echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
197		echo "$0: please examine/update any new entries"
198    		rm -f /tmp/pamconf.$$
199    	fi
200
201	rm -rf $PAM_TMP
202}
203
204do_pamremove()
205{
206	PAM_TMP=/tmp/pam_conf.$$
207	TX_ENTRIES=$PAM_TMP/sct.$$
208	PAM_DEST=$ROOT_PATH/etc/pam.conf
209	TMPFILE=$PAM_TMP/pam.conf
210
211	mkdir $PAM_TMP  || exit $SMF_EXIT_ERR_FATAL
212
213	# verify that pam.conf file exists...
214	if [ ! -f ${PAM_DEST} ]; then
215		echo "$0: ${PAM_DEST} not found; aborting"
216		exit $SMF_EXIT_ERR_FATAL
217	fi
218
219
220	grep '^[a-z].*pam_tsol_account' $PAM_DEST > /dev/null 2>&1
221	if [ $? -ne 0 ]; then
222		echo "$0: pam_tsol_account module not present,"
223		echo "$0: No changes were made to $PAM_DEST."
224		return
225	fi
226
227	grep -v pam_tsol_account $PAM_DEST > $TMPFILE
228	echo "$0: $PAM_DEST "tsol" entries removed"
229	cp $TMPFILE $PAM_DEST
230
231	rm -rf $PAM_TMP
232}
233
234do_commonstart()
235{
236	echo "$0: Updating $ROOT_PATH/etc/system..."
237	if [ ! -f ${ROOT_PATH}/etc/system ]; then
238		touch ${ROOT_PATH}/etc/system
239	fi
240
241	# Set sys_labeling in etc/system
242	grep -v "sys_labeling=" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
243	echo "set sys_labeling=1" >> /tmp/etc.system.$$
244	mv /tmp/etc.system.$$ ${ROOT_PATH}/etc/system
245	grep "set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
246	if [ $? -ne 0 ]; then
247    		echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
248		exit $SMF_EXIT_ERR_FATAL
249	fi
250
251	# Setup dependent services
252	do_otherservices
253
254	do_logindev
255	do_bsmconv
256	do_nscd
257	do_addpam
258
259	do_bootupd
260}
261
262
263daemon_start()
264{
265	# If a labeld door exists, check for a labeld process and exit
266	# if the daemon is already running.
267	if [ -r /var/tsol/doors/labeld ]; then
268		if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
269			echo "$0: labeld is already running"
270			exit $SMF_EXIT_ERR_FATAL
271		fi
272	fi
273	/usr/bin/rm -f /var/tsol/doors/labeld
274	/usr/lib/labeld
275}
276
277PATH=/usr/sbin:/usr/bin; export PATH
278
279case "$1" in
280'start')
281	if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
282		# native
283
284		if [ -z "$SMF_FMRI" ]; then
285			echo "$0: this script can only be invoked by smf(5)"
286			exit $SMF_EXIT_ERR_NOSMF
287		fi
288
289		tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
290		if [ "$tx_enabled" = "false" ]; then
291			# A sign of trying temporary enablement...no-no
292			echo "$0: Temporarily enabling Trusted Extensions is not allowed."
293			exit $SMF_EXIT_ERR_CONFIG
294		fi
295
296		if (smf_is_system_labeled); then
297			daemon_start
298			exit $SMF_EXIT_OK
299		fi
300
301		# Make changes to enable Trusted Extensions
302		grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
303		if [ $? -eq 0 ]; then
304			echo "$0: already enabled. Exiting."
305			exit $SMF_EXIT_OK
306		fi
307
308		if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
309			echo "$0: Must remove zones before enabling Trusted Extensions."
310			exit $SMF_EXIT_ERR_CONFIG
311		fi
312
313		do_commonstart
314
315		# start daemon proccess so our service doesn't go into
316		# maintenance state
317		daemon_start
318
319		echo "$0: Started.  Must reboot and configure Trusted Extensions."
320	else
321		# Support jumpstart etc
322
323		# Make changes to enable Trusted Extensions
324		grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
325		if [ $? -eq 0 ]; then
326			echo "$0: already enabled. Exiting."
327			exit $SMF_EXIT_OK
328		fi
329
330		# Setup dependent services
331		cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
332			/usr/sbin/svcadm enable -s svc:/system/labeld:default
333__TRUSTED_ENABLE
334
335		do_commonstart
336		echo "$0: Started.  Must configure Trusted Extensions before booting."
337	fi
338	;;
339
340'stop')
341	tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
342	if [ "$tx_enabled" = "true" ]; then
343		/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
344		exit $SMF_EXIT_OK
345	fi
346
347	if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
348		echo "$0: Must remove zones before disabling Trusted Extensions."
349		exit $SMF_EXIT_ERR_CONFIG
350	fi
351
352	# Stop Trusted services.
353	/usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
354	/usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null
355
356	# Uncomment audio and usb device entries in /etc/logindevperm.
357	LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
358	if [ -f $LOGINDEVPERM ]; then
359		line="\/dev\/console	0600	\/dev\/sound\/\*"
360		sed -e "s/^#$line/$line/" $LOGINDEVPERM > /tmp/tmp.$$
361		cp /tmp/tmp.$$ $LOGINDEVPERM
362		line="\/dev\/console	0600	\/dev\/usb\/\[0-9a-f\]+\[.\]\[0-9a-f\]+\/\[0-9\]+\/\*"
363		sed -e "s/^#$line/$line/" $LOGINDEVPERM > /tmp/tmp.$$
364		cp /tmp/tmp.$$ $LOGINDEVPERM
365		rm -f /tmp/tmp.$$
366	fi
367
368	# Remove sys_labeling from /etc/system
369	grep -v "sys_labeling" ${ROOT_PATH}/etc/system > /tmp/etc.system.$$
370	mv /tmp/etc.system.$$ ${ROOT_PATH}/etc/system
371	grep "sys_labeling" ${ROOT_PATH}/etc/system > /dev/null 2>&1
372	if [ $? -eq 0 ]; then
373    		echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
374		exit $SMF_EXIT_ERR_FATAL
375	fi
376
377	do_pamremove
378
379	do_bootupd
380
381	/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
382	echo "$0: Stopped.  Will take effect at next boot."
383	;;
384
385*)
386	echo "Usage: $0 { start | stop }"
387	exit 1
388	;;
389esac
390
391exit $SMF_EXIT_OK
392
393