xref: /titanic_50/usr/src/cmd/tsol/misc/txzonemgr.sh (revision 084b846f399794cc75a24d93183771f82a9fb59a)
1#!/bin/ksh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23#
24#
25
26# This script provides a simple GUI for managing labeled zones.
27# It provides contextual menus which provide appropriate choices.
28# It must be run in the global zone as root.
29
30# These arguments are accepted, and will result in non-interactive
31# (text-only) mode:
32#
33#	txzonemgr [-c | -d[f]]
34#
35#	-c	create default zones
36#	-d	destroy all zones; prompts for confirmation unless
37#		the -f flag is also specified
38#	-f	force
39#
40
41# DISP - use GUI (otherwise use non-interactive mode)
42DISP=1
43# CREATEDEF - make default zones (non-interactive)
44CREATEDEF=0
45# DESTROYZONES - tear down all zones (non-interactive)
46DESTROYZONES=0
47# FORCE - force
48FORCE=0
49
50NSCD_PER_LABEL=0
51NSCD_INDICATOR=/var/tsol/doors/nscd_per_label
52if [ -f $NSCD_INDICATOR ] ; then
53	NSCD_PER_LABEL=1
54fi
55
56myname=$(basename $0)
57
58TXTMP=/tmp/txzonemgr
59TNRHTP=/etc/security/tsol/tnrhtp
60TNRHDB=/etc/security/tsol/tnrhdb
61TNZONECFG=/etc/security/tsol/tnzonecfg
62PUBZONE=public
63INTZONE=internal
64
65PATH=/usr/bin:/usr/sbin:/usr/lib export PATH
66title="Labeled Zone Manager 2.1"
67
68msg_defzones=$(gettext "Create default zones using default settings?")
69msg_confirmkill=$(gettext "OK to destroy all zones?")
70msg_continue=$(gettext "(exit to resume $(basename $0) when ready)")
71msg_getlabel=$(gettext "Select a label for the")
72msg_getremote=$(gettext "Select a remote host or network from the list below:")
73msg_getnet=$(gettext "Select a network configuration for the")
74msg_getzone=$(gettext "Select a zone from the list below:
75(select global for zone creation and shared settings)")
76msg_getcmd=$(gettext "Select a command from the list below:")
77msg_inuse=$(gettext "That label is already assigned\nto the")
78msg_getmin=$(gettext "Select the minimum network label for the")
79msg_getmax=$(gettext "Select the maximum network label for the")
80msg_badip=$(gettext " is not a valid IP address")
81
82
83process_options()
84{
85	typeset opt optlist
86
87	optlist='cdf'
88
89	while getopts ":$optlist" opt
90	do
91		case $opt in
92		c)	CREATEDEF=1
93			DISP=0
94			;;
95		d)	DESTROYZONES=1
96			DISP=0
97			;;
98		f)	FORCE=1
99			;;
100		*)	gettext "invalid option -$OPTARG\n"
101			usage
102			return 2
103			;;
104		esac
105	done
106
107	if [ $CREATEDEF -eq 1 -a $DESTROYZONES -eq 1 ] ; then
108		gettext "cannot combine options -c and -d\n"
109		usage
110		return 2
111	fi
112	if [ $CREATEDEF -eq 1 -a $FORCE -eq 1 ] ; then
113		gettext "option -f not allowed with -c\n"
114		usage
115		return 2
116	fi
117	if [ $FORCE -eq 1 -a $CREATEDEF -eq 0 -a $DESTROYZONES -eq 0 ] ; then
118		gettext "option -f specified without any other options\n"
119		usage
120		return 2
121	fi
122
123	shift $((OPTIND - 1))
124	if [ "x$1" != "x" ] ; then
125		usage
126		return 2
127	fi
128
129	return 0
130}
131
132usage() {
133	gettext "usage: $myname [-c | -d[f]]\n"
134}
135
136consoleCheck() {
137	if [ $zonename != global ] ; then
138		zconsole=$(pgrep -f "zlogin -C $zonename")
139		if [ $? != 0 ] ; then
140			console="Zone Console...\n"
141		fi
142	fi
143}
144
145labelCheck() {
146	hexlabel=$(grep "^$zonename:" $TNZONECFG|cut -d : -f2);
147	if [[ $hexlabel ]] ; then
148		label=
149		if [ $zonename = global ] ; then
150			template="admin_low"
151			addcipsohost="Add Multilevel Access to Remote Host...\n"
152			removecipsohost="Remove Multilevel Access to Remote Host...\n"
153			setmlps="Configure Multilevel Ports...\n"
154		else
155			template=${zonename}_unlab
156			addcipsohost=
157			removecipsohost=
158			setmlps=
159
160			net=$(zonecfg -z $zonename info net)
161			if [[ -n $net ]] ; then
162				setmlps="Configure Multilevel Ports...\n"
163			elif [ $zonestate = configured ] ; then
164				addnet="Configure Network Interfaces...\n"
165			fi
166		fi
167		addremotehost="Add Single-level Access to Remote Host...\n"
168		remotes=$(grep -v "^#" $TNRHDB|grep $template)
169		if [ $? = 0 ] ; then
170			removeremotehost="Remove Single-level Access to Remote Host...\n"
171		else
172			removeremotehost=
173		fi
174	else
175		label="Select Label...\n"
176		addremotehost=
177		removeremotehost=
178		addcipsohost=
179		removecipsohost=
180		setmlps=
181	fi
182}
183
184cloneCheck() {
185	set -A zonelist
186	integer clone_cnt=0
187	for p in $(zoneadm list -ip) ; do
188		z=$(echo "$p"|cut -d : -f2)
189		s=$(echo "$p"|cut -d : -f3)
190		if [ $z = $zonename ] ; then
191			continue
192		elif [ $s = "installed" ] ; then
193			zonelist[clone_cnt]=$z
194			clone_cnt+=1
195		fi
196	done
197	if [ $clone_cnt -gt 0 ] ; then
198		clone="Clone...\n"; \
199	fi
200}
201
202relabelCheck() {
203	macstate=$(zonecfg -z $zonename info|grep win_mac_write)
204	if [[ -n $macstate ]] ; then
205		permitrelabel="Deny Relabeling\n"
206	else
207		permitrelabel="Permit Relabeling\n"
208	fi
209}
210
211autobootCheck() {
212	bootmode=$(zonecfg -z $zonename info autoboot)
213	if [[ $bootmode == 'autoboot: true' ]] ; then
214		autoboot="Set Manual Booting\n"
215	else
216		autoboot="Set Automatic Booting\n"
217	fi
218}
219
220newZone() {
221		if [[ ! -n $zonename ]] ; then
222			zonename=$(zenity --entry \
223			    --title="$title" \
224			    --width=330 \
225			    --entry-text="" \
226			    --text="Enter Zone Name: ")
227
228			if [[ ! -n $zonename ]] ; then
229				zonename=global
230				return
231			fi
232		fi
233		zonecfg -z $zonename "create -t SUNWtsoldef;\
234		     set zonepath=/zone/$zonename"
235}
236
237removeZoneBEs() {
238	delopt=$*
239
240	zfs list -H $ZDSET/$zonename 1>/dev/null 2>&1
241	if [ $? = 0 ] ; then
242		for zbe in $(zfs list -rHo name $ZDSET/$zonename|grep ROOT/zbe) ; do
243			zfs destroy $delopt $zbe
244		done
245	fi
246}
247
248updateTemplate () {
249	if [ $hostType = cipso ] ; then
250		template=${zonename}_cipso
251		deflabel=
252	else
253		template=${zonename}_unlab
254		deflabel="def_label=${hexlabel};"
255	fi
256
257	tnzone=$(grep "^${template}:" $TNRHTP 2>/dev/null)
258	if [ $? -eq 0 ] ; then
259		sed -e "/^${template}/d" $TNRHTP > $TXTMP/tnrhtp.$$ 2>/dev/null
260		mv $TXTMP/tnrhtp.$$ $TNRHTP
261	fi
262	print "${template}:host_type=${hostType};doi=1;min_sl=${minlabel};max_sl=${maxlabel};$deflabel" >> $TNRHTP
263	tnctl -t $template
264}
265
266setTNdata () {
267	tnzline="$zonename:${hexlabel}:0::"
268	grep "^$tnzline" $TNZONECFG 1>/dev/null 2>&1
269	if [ $? -eq 1 ] ; then
270		print "$tnzline" >> $TNZONECFG
271	fi
272
273	#
274	# Add matching entries in tnrhtp if necessary
275	#
276	minlabel=admin_low
277	maxlabel=admin_high
278	hostType=cipso
279	updateTemplate
280
281	hostType=unlabeled
282	updateTemplate
283}
284
285selectLabel() {
286	hexlabel=$(tgnome-selectlabel \
287		--title="$title" \
288		--text="$msg_getlabel $zonename zone:" \
289		--min="${DEFAULTLABEL}"  \
290		--default="${DEFAULTLABEL}"  \
291		--max=$(chk_encodings -X) \
292		--accredcheck=yes \
293		--mode=sensitivity \
294		--format=internal)
295	if [ $? = 0 ] ; then
296		x=$(grep -i :{$hexlabel}: $TNZONECFG)
297		if [ $? = 0 ] ; then
298			z=$(print $x|cut -d : -f1)
299			x=$(zenity --error \
300			    --title="$title" \
301			    --text="$msg_inuse $z zone.")
302		else
303			setTNdata
304		fi
305	fi
306}
307
308getLabelRange() {
309	deflabel=$(hextoalabel $hexlabel)
310	minlabel=$(tgnome-selectlabel \
311		--title="$title" \
312		--text="$msg_getmin $zonename zone:" \
313		--min="${DEFAULTLABEL}"  \
314		--max="$deflabel" \
315		--default="$hexlabel" \
316		--accredcheck=no \
317		--mode=sensitivity \
318		--format=internal)
319	[ $? != 0 ] && return
320
321	maxlabel=$(tgnome-selectlabel \
322		--title="$title" \
323		--text="$msg_getmax $zonename zone:" \
324		--min="$deflabel"  \
325		--max=$(chk_encodings -X) \
326		--default="$hexlabel" \
327		--accredcheck=no \
328		--mode=sensitivity \
329		--format=internal)
330	[ $? != 0 ] && return
331
332	hostType=cipso
333	updateTemplate
334}
335
336
337encryptionValues() {
338	echo $(zfs get 2>&1 | grep encryption | sed -e s/^.*YES// -e s/\|//g)
339}
340
341getPassphrase() {
342	pass1=$(zenity --entry --title="$title" --text="Enter passphrase:" \
343	    --width=330 --hide-text)
344	pass2=$(zenity --entry --title="$title" --text="Re-enter passphrase:" \
345	    --width=330 --hide-text)
346	if [[ "$pass1" != "$pass2" ]]; then
347		zenity --error --title="$title" \
348			--text="Passphrases do not match"
349		return ""
350	fi
351	file=$(mktemp)
352	echo "$pass1" > $file
353	echo "$file"
354}
355
356createZDSET() {
357	options=$1
358	pool=${2%%/*}
359
360	# First check if ZFS encrytption support is available
361	pversion=$(zpool list -H -o version $pool)
362	cversion=$(zpool upgrade -v | grep Crypto | awk '{ print $1 }')
363	if (( cversion == 0 || pversion < cversion )); then
364		zfs create $options $ZDSET
365		return
366	fi
367
368	encryption=$(zenity --list --title="$title" --height=320 \
369		--text="Select cipher for encryption of all labels:" \
370		--column="encryption" $(encryptionValues))
371
372	if [[ $? != 0 || $encryption == "off" ]]; then
373		zfs create $options $ZDSET
374		return
375	fi
376
377	format=$(zenity --list --title="$title" \
378		--text "Select encryption key source:" \
379		--column="Key format and location" \
380		"Passphrase" "Generate Key in file")
381	[ $? != 0 ] && exit
382
383	if [[ $format == "Passphrase" ]]; then
384		file=$(getPassphrase)
385		if [[ $file == "" ]]; then
386			exit
387		fi
388		keysource="passphrase,file://$file"
389		removefile=1;
390	elif [[ $format == "Generate Key in file" ]]; then
391		file=$(zenity --file-selection \
392			--title="$title: Location of key file" \
393			--save --confirm-overwrite)
394		[ $? != 0 ] && exit
395		if [[ $encryption == "on" ]]; then
396			keylen=128
397		else
398			t=${encryption#aes-} && keylen=${t%%-*}
399		fi
400		pktool genkey keystore=file keytype=aes \
401		    keylen=$keylen outkey=$file
402		keysource="raw,file:///$file"
403	fi
404
405	options="$options -o encryption=$encryption -o keysource=$keysource"
406	zfs create $options $ZDSET
407	if (( removefile == 1 )); then
408		zfs set keysource=passphrase,prompt $ZDSET
409		rm $file
410	fi
411}
412
413
414initialize() {
415	zonepath=$(zoneadm -z $zonename list -p|cut -d : -f4)
416	ZONE_ETC_DIR=$zonepath/root/etc
417	SYSIDCFG=${ZONE_ETC_DIR}/sysidcfg
418
419	if [ -f /var/ldap/ldap_client_file ] ; then
420		ldapaddress=$(ldapclient list | \
421		    grep "^NS_LDAP_SERVERS" | cut -d " " -f2)
422		print "name_service=LDAP {" > ${SYSIDCFG}
423		domain=$(domainname)
424		print "domain_name=$domain" >> ${SYSIDCFG}
425		profName=$(ldapclient list | \
426		    grep "^NS_LDAP_PROFILE" | cut -d " " -f2)
427		proxyPwd=$(ldapclient list | \
428		    grep "^NS_LDAP_BINDPASSWD" | cut -d " " -f2)
429		proxyDN=$(ldapclient list | \
430		    grep "^NS_LDAP_BINDDN" | cut -d " " -f 2)
431		if [ "$proxyDN" ] ; then
432			print "proxy_dn=\"$proxyDN\"" >> ${SYSIDCFG}
433			print "proxy_password=\"$proxyPwd\"" >> ${SYSIDCFG}
434		fi
435		print "profile=$profName" >> ${SYSIDCFG}
436		print "profile_server=$ldapaddress }" >> ${SYSIDCFG}
437		cp /etc/nsswitch.conf $ZONE_ETC_DIR/nsswitch.ldap
438	else
439		print "name_service=NONE" > ${SYSIDCFG}
440		if [ $NSCD_PER_LABEL = 0 ] ; then
441			sharePasswd
442		else
443			unsharePasswd
444		fi
445	fi
446
447	print "security_policy=NONE" >> ${SYSIDCFG}
448	locale=$(locale|grep LANG | cut -d "=" -f2)
449	if [[ -z $locale ]] ; then
450		locale="C"
451	fi
452	print "system_locale=$locale" >> ${SYSIDCFG}
453	timezone=$(grep "^TZ" /etc/TIMEZONE|cut -d "=" -f2)
454	print "timezone=$timezone" >> ${SYSIDCFG}
455	print "terminal=vt100" >> ${SYSIDCFG}
456	rootpwd=$(grep "^root:" /etc/shadow|cut -d : -f2)
457	#print "root_password=$rootpwd" >> ${SYSIDCFG}
458	print "nfs4_domain=dynamic" >> ${SYSIDCFG}
459	print "network_interface=PRIMARY {" >> ${SYSIDCFG}
460
461	net=$(zonecfg -z $zonename info net)
462	ipType=$(zonecfg -z $zonename info ip-type|cut -d" " -f2)
463	if [ $ipType = exclusive ] ; then
464		hostname=$(zenity --entry \
465		    --title="$title" \
466		    --width=330 \
467		    --text="${zonename}0: Enter Hostname or dhcp: ")
468		[ $? != 0 ] && return
469
470		if [ $hostname = dhcp ] ; then
471			print "dhcp" >> ${SYSIDCFG}
472		else
473			print "hostname=$hostname" >> ${SYSIDCFG}
474			ipaddr=$(getent hosts $hostname|cut -f1)
475			if [ $? != 0 ] ; then
476				ipaddr=$(zenity --entry \
477				    --title="$title" \
478				    --text="$nic: Enter IP address: " \
479				    --entry-text a.b.c.d)
480				[ $? != 0 ] && return
481
482				validateIPaddr
483				if [[ -z $ipaddr ]] ; then
484					return
485				fi
486			fi
487			print "ip_address=$ipaddr" >> ${SYSIDCFG}
488			getNetmask
489			print "netmask=$nm" >> ${SYSIDCFG}
490			print "default_route=none" >> ${SYSIDCFG}
491			template=${zonename}_cipso
492			cidr=32
493			updateTnrhdb
494		fi
495	elif [[ -n $net ]] ; then
496		hostname=$(hostname)
497		hostname=$(zenity --entry \
498		    --title="$title" \
499		    --width=330 \
500		    --text="Enter Hostname: " \
501		    --entry-text $hostname)
502		[ $? != 0 ] && return
503
504		print "hostname=$hostname" >> ${SYSIDCFG}
505		ipaddr=$(getent hosts $hostname|cut -f1)
506		if [ $? = 0 ] ; then
507			print "ip_address=$ipaddr" >> ${SYSIDCFG}
508		fi
509	else
510		getAllZoneNICs
511		for i in ${aznics[*]} ; do
512			ipaddr=$(ifconfig $i|grep inet|cut -d " " -f2)
513		done
514		print "hostname=$(hostname)" >> ${SYSIDCFG}
515		print "ip_address=$ipaddr" >> ${SYSIDCFG}
516	fi
517
518	print "protocol_ipv6=no }" >> ${SYSIDCFG}
519	cp /etc/default/nfs ${ZONE_ETC_DIR}/default/nfs
520	touch ${ZONE_ETC_DIR}/.NFS4inst_state.domain
521}
522
523clone() {
524	image=$1
525	if [[ -z $image ]] ; then
526		msg_clone=$(gettext "Clone the $zonename zone using a
527snapshot of one of the following halted zones:")
528		image=$(zenity --list \
529		    --title="$title" \
530		    --text="$msg_clone" \
531		    --height=300 \
532		    --width=330 \
533		    --column="Installed Zones" ${zonelist[*]})
534	fi
535
536	if [[ -n $image ]] ; then
537		removeZoneBEs
538		zoneadm -z $zonename clone $image
539
540		if [ ! -f /var/ldap/ldap_client_file ] ; then
541			if [ $NSCD_PER_LABEL = 0 ] ; then
542				sharePasswd
543			else
544				unsharePasswd
545			fi
546		fi
547		ipType=$(zonecfg -z $zonename info ip-type|cut -d" " -f2)
548		if [ $ipType = exclusive ] ; then
549			zoneadm -z $zonename ready
550			zonepath=$(zoneadm -z $zonename list -p|cut -d : -f4)
551			sys-unconfig -R $zonepath/root 2>/dev/null
552			initialize
553			zoneadm -z $zonename halt
554		fi
555	fi
556}
557
558install() {
559	removeZoneBEs
560	if [ $DISP -eq 0 ] ; then
561		gettext "installing zone $zonename ...\n"
562		zoneadm -z $zonename install
563	else
564		# sleep is needed here to avoid occasional timing
565		# problem with gnome-terminal display...
566		sleep 2
567		gnome-terminal \
568		    --title="$title: Installing $zonename zone" \
569		    --command "zoneadm -z $zonename install" \
570		    --disable-factory \
571		    --hide-menubar
572	fi
573
574	zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
575	if [ $zonestate != installed ] ; then
576		gettext "error installing zone $zonename.\n"
577		return 1
578	fi
579
580	zoneadm -z $zonename ready
581	zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
582	if [ $zonestate != ready ] ; then
583		gettext "error making zone $zonename ready.\n"
584		return 1
585	fi
586
587	initialize
588	zoneadm -z $zonename halt
589}
590
591delete() {
592	delopt=$*
593
594	# if there is an entry for this zone in tnzonecfg, remove it
595	# before deleting the zone.
596
597	tnzone=$(grep "^$zonename:" $TNZONECFG 2>/dev/null)
598	if [ -n "${tnzone}" ] ; then
599		sed -e "/^$zonename:/d" $TNZONECFG > \
600		    $TXTMP/tnzonefg.$$ 2>/dev/null
601		mv $TXTMP/tnzonefg.$$ $TNZONECFG
602	fi
603
604	for tnzone in $(grep ":${zonename}_unlab" $TNRHDB 2>/dev/null) ; do
605		tnctl -dh "$tnzone"
606		sed -e "/:${zonename}_unlab/d" $TNRHDB > \
607		    $TXTMP/tnrhdb.$$ 2>/dev/null
608		mv $TXTMP/tnrhdb.$$ $TNRHDB
609	done
610
611	for tnzone in $(grep "^${zonename}_unlab:" $TNRHTP 2>/dev/null) ; do
612		tnctl -dt ${zonename}_unlab
613		sed -e "/^${zonename}_unlab:/d" $TNRHTP > \
614		    $TXTMP/tnrhtp.$$ 2>/dev/null
615		mv $TXTMP/tnrhtp.$$ $TNRHTP
616	done
617
618	for tnzone in $(grep ":${zonename}_cipso" $TNRHDB 2>/dev/null) ; do
619		tnctl -dh "$tnzone"
620		sed -e "/:${zonename}_cipso/d" $TNRHDB > \
621		    $TXTMP/tnrhdb.$$ 2>/dev/null
622		mv $TXTMP/tnrhdb.$$ $TNRHDB
623	done
624
625	for tnzone in $(grep "^${zonename}_cipso:" $TNRHTP 2>/dev/null) ; do
626		tnctl -dt ${zonename}_cipso
627		sed -e "/^${zonename}_cipso:/d" $TNRHTP > \
628		    $TXTMP/tnrhtp.$$ 2>/dev/null
629		mv $TXTMP/tnrhtp.$$ $TNRHTP
630	done
631
632	zonecfg -z $zonename delete -F
633
634	removeZoneBEs $delopt
635	for snap in $(zfs list -Ho name -t snapshot|grep "\@${zonename}_snap") ; do
636		zfs destroy -R $snap
637	done
638}
639
640validateIPaddr () {
641	OLDIFS=$IFS
642	IFS=.
643	integer octet_cnt=0
644	integer dummy
645	set -A octets $ipaddr
646	IFS=$OLDIFS
647	if [ ${#octets[*]} == 4 ] ; then
648		while (( octet_cnt < ${#octets[*]} )); do
649			dummy=${octets[octet_cnt]}
650			if [ $dummy = ${octets[octet_cnt]} ] ; then
651				if (( dummy >= 0 && \
652				    dummy < 256 )) ; then
653					octet_cnt+=1
654					continue
655				fi
656			fi
657			x=$(zenity --error \
658			    --title="$title" \
659			    --text="$ipaddr $msg_badip")
660			ipaddr=
661			return
662		done
663	else
664		x=$(zenity --error \
665		    --title="$title" \
666		    --text="$ipaddr $msg_badip")
667		ipaddr=
668	fi
669}
670
671getAllZoneNICs(){
672	integer count=0
673	for i in $(ifconfig -a4|grep  "^[a-z].*:")
674	do
675		print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
676		[ $? -eq 1 ] && continue
677
678		i=${i%:} # Remove colon after interface name
679		for j in $(ifconfig $i)
680		do
681			case $j in
682				all-zones)
683					aznics[count]=$i
684					count+=1
685					;;
686			esac
687		done
688        done
689}
690
691getNetmask() {
692	cidr=
693	nm=$(zenity --entry \
694	    --title="$title" \
695	    --width=330 \
696	    --text="$ipaddr: Enter netmask: " \
697	    --entry-text 255.255.255.0)
698	[ $? != 0 ] && return;
699
700	cidr=$(perl -e 'use Socket; print unpack("%32b*",inet_aton($ARGV[0])), "\n";' $nm)
701}
702
703addNet() {
704	getIPaddr
705	if [[ -z $ipaddr ]] ; then
706		return;
707	fi
708	getNetmask
709	if [[ -z $cidr ]] ; then
710		return;
711	fi
712	zonecfg -z $zonename "add net; \
713	    set address=${ipaddr}/${cidr}; \
714	    set physical=$nic; \
715	    end"
716	template=${zonename}_cipso
717	cidr=32
718	updateTnrhdb
719}
720
721getAttrs() {
722	zone=global
723	type=ignore
724	for j in $(ifconfig $nic)
725	do
726		case $j in
727			inet) type=$j;;
728			zone) type=$j;;
729			all-zones) zone=all-zones;;
730			flags*) flags=$j;;
731			*) case $type in
732				inet) ipaddr=$j ;;
733				zone) zone=$j ;;
734				*) continue ;;
735			   esac;
736			   type=ignore;;
737		esac
738	done
739	if [[ $flags == ~(E).UP, ]] ; then
740		updown=Up
741	else
742		updown=Down
743	fi
744	if [[ $nic == ~(E).: ]] ; then
745		linktype=logical
746	else
747		vnic=$(dladm show-vnic -po link $nic 2>/dev/null)
748		if [[ -n $vnic ]] ; then
749			linktype=virtual
750		else
751			linktype=physical
752		fi
753	fi
754	if [ $ipaddr != 0.0.0.0 ] ; then
755		x=$(grep "^${ipaddr}[^0-9]" $TNRHDB)
756		if [ $? = 1 ] ; then
757			template=cipso
758			cidr=32
759			updateTnrhdb
760		else
761			template=$(print "$x"|cut -d : -f2)
762		fi
763	else
764		template="..."
765		ipaddr="..."
766	fi
767}
768deleteTnrhdbEntry() {
769	remote=$(grep "^${ipaddr}[^0-9]" $TNRHDB)
770	if [ $? = 0 ] ; then
771		ip=$(print $remote|cut -d "/" -f1)
772			if [[ $remote == ~(E)./ ]] ; then
773				pr=$(print $remote|cut -d "/" -f2)
774				remote="$ip\\/$pr"
775			fi
776		sed -e "/^${remote}/d" $TNRHDB > /tmp/tnrhdb.$$ 2>/dev/null
777		mv /tmp/tnrhdb.$$ $TNRHDB
778	fi
779}
780
781updateTnrhdb() {
782	deleteTnrhdbEntry
783	if [[ -n $cidr ]] ; then
784		print "${ipaddr}/$cidr:$template" >> $TNRHDB
785		tnctl -h ${ipaddr}/$cidr:$template
786	else
787		print "${ipaddr}:$template" >> $TNRHDB
788		tnctl -h ${ipaddr}:$template
789	fi
790}
791
792getIPaddr() {
793        hostname=$(zenity --entry \
794            --title="$title" \
795	    --width=330 \
796            --text="$nic: Enter Hostname: ")
797
798        [ $? != 0 ] && return
799
800	ipaddr=$(getent hosts $hostname|cut -f1)
801        if [[ -z $ipaddr ]] ; then
802		ipaddr=$(zenity --entry \
803		    --title="$title" \
804		    --text="$nic: Enter IP address: " \
805		    --entry-text a.b.c.d)
806		[ $? != 0 ] && return
807		validateIPaddr
808	fi
809
810}
811
812addHost() {
813	# Update hosts
814        if [[ -z $ipaddr ]] ; then
815               return;
816	fi
817	grep "^${ipaddr}[^0-9]" /etc/inet/hosts >/dev/null
818	if [ $? -eq 1 ] ; then
819		print "$ipaddr\t$hostname" >> /etc/inet/hosts
820	fi
821
822	template=cipso
823	cidr=32
824	updateTnrhdb
825
826	ifconfig $nic $ipaddr netmask + broadcast +
827	#
828	# TODO: better integration with nwam
829	# TODO: get/set netmask for IP address
830	#
831	print $hostname > /etc/hostname.$nic
832}
833
834createInterface() {
835	msg=$(ifconfig $nic addif 0.0.0.0)
836	$(zenity --info \
837	    --title="$title" \
838	    --text="$msg" )
839	nic=$(print "$msg"|cut -d" " -f5)
840
841}
842
843createVNIC() {
844	if [ $zonename != global ] ; then
845		vnicname=${zonename}0
846	else
847		vnicname=$(zenity --entry \
848		    --title="$title" \
849		    --width=330 \
850		    --entry-text="" \
851		    --text="Enter VNIC Name: ")
852
853		if [[ ! -n $vnicname ]] ; then
854			return
855		fi
856	fi
857	x=$(dladm show-vnic|grep "^$vnicname " )
858	if [[ ! -n $x ]] ; then
859		dladm create-vnic -l $nic $vnicname
860	fi
861	if [ $zonename = global ] ; then
862		ifconfig $vnicname plumb
863	else
864		zonecfg -z $zonename "add net; \
865		    set physical=$vnicname; \
866		    end"
867	fi
868	nic=$vnicname
869}
870
871shareInterface() {
872	#
873	# TODO: better integration with nwam
874	#
875	ifconfig $nic all-zones;\
876	if_file=/etc/hostname.$nic
877	sed q | sed -e "s/$/ all-zones/" < $if_file >$TXTMP/txnetmgr.$$
878	mv $TXTMP/txnetmgr.$$ $if_file
879}
880
881addTnrhdb() {
882	ipaddr=$(zenity --entry \
883	    --title="$title" \
884	    --width=330 \
885	    --text="Zone:$zonename. Enter IP address of remote host or network: " \
886	    --entry-text a.b.c.d)
887	[ $? != 0 ] && return
888	validateIPaddr
889	if [[ -z $ipaddr ]] ; then
890		return;
891	fi
892	if [ ${octets[3]} = 0 ] ; then
893		nic="$ipaddr"
894		getNetmask
895		if [[ -z $cidr ]] ; then
896			return;
897		fi
898	else
899		cidr=32
900	fi
901	print "${ipaddr}/$cidr:$template" > $TXTMP/tnrhdb_new.$$
902	x=$(tnchkdb -h $TXTMP/tnrhdb_new.$$ 2>$TXTMP/syntax_error.$$)
903	if [ $? = 0 ] ; then
904		updateTnrhdb
905	else
906		syntax=$(cat $TXTMP/syntax_error.$$)
907		x=$(zenity --error \
908		    --title="$title" \
909		    --text="$syntax")
910	fi
911	rm $TXTMP/tnrhdb_new.$$
912	rm $TXTMP/syntax_error.$$
913}
914
915removeTnrhdb() {
916	while (( 1 )) do
917		remotes=$(grep "^[^#][0-9.]" $TNRHDB|grep ":$template"|cut -d : -f1-2|tr : " ")
918		if [ $template = cipso ] ; then
919			templateHeading="from All Zones":
920		else
921			templateHeading="from this Zone":
922		fi
923		if [[ -n $remotes ]] ; then
924			ipaddr=$(zenity --list \
925			    --title="$title" \
926			    --text="$msg_getremote" \
927			    --height=250 \
928			    --width=300 \
929			    --column="Remove Access to:" \
930			    --column="$templateHeading" \
931			    $remotes)
932
933			if [[ -n $ipaddr ]] ; then
934				deleteTnrhdbEntry
935				tnctl -dh ${ip}:$template
936			else
937				return
938			fi
939		else
940			return
941		fi
942	done
943}
944
945setMLPs() {
946	tnzone=$(grep "^$zonename:" $TNZONECFG 2>/dev/null)
947	zoneMLPs=:$(print "$tnzone"|cut -d : -f4)
948	sharedMLPs=:$(print "$tnzone"|cut -d : -f5)
949	attrs="Private Interfaces$zoneMLPs\nShared Interfaces$sharedMLPs"
950	ports=$(print "$attrs"|zenity --list \
951	    --title="$title" \
952	    --height=200 \
953	    --width=450 \
954	    --text="Zone: $zonename\nClick once to select, twice to edit.\nShift-click to select both rows." \
955	    --column="Multilevel Ports (example: 80-81/tcp;111/udp;)" \
956	    --editable \
957	    --multiple
958	    )
959
960	if [[ -z $ports ]] ; then
961		return
962	fi
963
964	# getopts needs another a blank and another dash
965	ports=--$(print "$ports"|sed 's/ //g'|sed 's/|/ --/g'|sed 's/Interfaces:/ :/g')
966
967	OPTIND=1
968	while getopts "z:(Private)s:(Shared)" opt $ports ; do
969		case $opt in
970			z) zoneMLPs=$OPTARG ;;
971			s) sharedMLPs=$OPTARG ;;
972		esac
973	done
974
975	sed -e "/^$zonename:*/d" $TNZONECFG > $TXTMP/tnzonecfg.$$ 2>/dev/null
976	tnzone=$(print "$tnzone"|cut -d : -f1-3)
977	echo "${tnzone}${zoneMLPs}${sharedMLPs}" >> $TXTMP/tnzonecfg.$$
978
979	x=$(tnchkdb -z $TXTMP/tnzonecfg.$$ 2>$TXTMP/syntax_error.$$)
980
981	if [ $? = 0 ] ; then
982		mv $TXTMP/tnzonecfg.$$ $TNZONECFG
983		zenity --info \
984		    --title="$title" \
985		    --text="Multilevel ports for the $zonename zone\nwill be interpreted on next reboot."
986		if [ $zonename != global ] ; then
987			getLabelRange
988		fi
989	else
990		syntax=$(cat $TXTMP/syntax_error.$$)
991		x=$(zenity --error \
992		    --title="$title" \
993		    --text="$syntax")
994		rm $TXTMP/tnzonecfg.$$
995	fi
996	rm $TXTMP/syntax_error.$$
997}
998
999unsharePasswd() {
1000	for i in $(zoneadm list -i | grep -v global) ; do
1001		zonecfg -z $i remove fs dir=/etc/passwd 2>&1 | grep -v such
1002		zonecfg -z $i remove fs dir=/etc/shadow 2>&1 | grep -v such
1003	done
1004}
1005
1006sharePasswd() {
1007	if [ $NSCD_PER_LABEL -ne 0 ] ; then
1008		return
1009	fi
1010	passwd=$(zonecfg -z $zonename info|grep /etc/passwd)
1011	if [ $? -eq 1 ] ; then
1012		zonecfg -z $zonename "add fs; \
1013		    set special=/etc/passwd; \
1014		    set dir=/etc/passwd; \
1015		    set type=lofs; \
1016		    add options ro; \
1017		    end; \
1018		    add fs; \
1019		    set special=/etc/shadow; \
1020		    set dir=/etc/shadow; \
1021		    set type=lofs; \
1022		    add options ro; \
1023		    end"
1024	fi
1025}
1026
1027# This routine is a toggle -- if we find it configured for global nscd,
1028# change to nscd-per-label and vice-versa.
1029#
1030# The user was presented with only the choice to CHANGE the existing
1031# configuration.
1032
1033manageNscd() {
1034	if [ $NSCD_PER_LABEL -eq 0 ] ; then
1035		# this MUST be a regular file for svc-nscd to detect
1036		touch $NSCD_INDICATOR
1037		NSCD_OPT="Unconfigure per-zone name service"
1038		NSCD_PER_LABEL=1
1039		unsharePasswd
1040	else
1041		rm -f $NSCD_INDICATOR
1042		NSCD_OPT="Configure per-zone name service"
1043		NSCD_PER_LABEL=0
1044		for i in $(zoneadm list -i | grep -v global) ; do
1045			zonename=$i
1046			sharePasswd
1047		done
1048		zonename=global
1049	fi
1050}
1051
1052manageZoneNets () {
1053	ncmds[0]="Only use all-zones interfaces"
1054	ncmds[1]="Add a logical interface"
1055	ncmds[2]="Add a virtual interface (VNIC)"
1056
1057	stacks[0]="Shared Stack"
1058	stacks[1]="Exclusive Stack"
1059
1060	getAllZoneNICs
1061	netOps[0]="1\n${ncmds[0]}\nShared Stack\n${aznics[*]}"
1062
1063	integer nic_cnt=0
1064	integer netOp_cnt=2
1065
1066	set -A nics $(dladm show-phys|grep -v LINK|cut -f1 -d " ")
1067
1068	while (( nic_cnt < ${#nics[*]} )); do
1069		netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[1]}\n${stacks[0]}\n${nics[nic_cnt]}"
1070		netOp_cnt+=1
1071		netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[2]}\n${stacks[1]}\n${nics[nic_cnt]}"
1072		netOp_cnt+=1
1073		nic_cnt+=1
1074	done
1075
1076	netOp=$(print "${netOps[*]}"|zenity --list \
1077	    --title="$title" \
1078	    --text="$msg_getnet $zonename zone:" \
1079	    --height=300 \
1080	    --width=500 \
1081	    --column="#" \
1082	    --column="Network Configuration " \
1083	    --column="IP Type" \
1084	    --column="Available Interfaces" \
1085	    --hide-column=1
1086	)
1087
1088	# User picked cancel or no selection
1089	if [[ -z $netOp ]] ; then
1090		return
1091	fi
1092
1093	# All-zones is the default, so just return
1094	if [ $netOp = 1 ] ; then
1095		return
1096	fi
1097
1098	cmd=$(print "${netOps[$netOp - 1]}"|tr '\n' ';' |cut -d';' -f 3)
1099	nic=$(print "${netOps[$netOp - 1]}"|tr '\n' ';' |cut -d';' -f 5)
1100	case $cmd in
1101	    ${ncmds[1]} )
1102		addNet;
1103		;;
1104	    ${ncmds[2]} )
1105		zonecfg -z $zonename set ip-type=exclusive
1106		createVNIC
1107		;;
1108	esac
1109}
1110
1111manageInterface () {
1112	while (( 1 )) do
1113		getAttrs
1114
1115		# Clear list of commands
1116
1117		share=
1118		setipaddr=
1119		newlogical=
1120		newvnic=
1121		unplumb=
1122		bringup=
1123		bringdown=
1124
1125		if [ $updown = Down ] ; then
1126			bringup="Bring Up\n"
1127		else
1128			bringdown="Bring Down\n"
1129		fi
1130
1131		case $linktype in
1132		physical )
1133			newlogical="Create Logical Interface...\n";
1134			newvnic="Create Virtual Interface (VNIC)...\n";
1135			;;
1136		logical )
1137			unplumb="Remove Logical Interface\n"
1138			;;
1139		virtual )
1140			newlogical="Create Logical Interface...\n";
1141			unplumb="Remove Virtual Interface\n" ;
1142			;;
1143		esac
1144
1145		if [ $ipaddr = "..." ] ; then
1146			setipaddr="Set IP address...\n"
1147		elif [ $zone != all-zones ] ; then
1148			share="Share with Shared-IP Zones\n"
1149		fi
1150
1151		command=$(print ""\
1152		    $share \
1153		    $setipaddr \
1154		    $newlogical \
1155		    $newvnic \
1156		    $unplumb \
1157		    $bringup \
1158		    $bringdown \
1159		    | zenity --list \
1160		    --title="$title" \
1161		    --text="Select a command from the list below:" \
1162		    --height=300 \
1163		    --column "Interface: $nic" )
1164
1165		case $command in
1166		    " Create Logical Interface...")
1167			createInterface;;
1168		    " Create Virtual Interface (VNIC)...")
1169			createVNIC ;;
1170		    " Set IP address...")
1171			getIPaddr
1172			addHost;;
1173		    " Share with Shared-IP Zones")
1174			shareInterface;;
1175		    " Remove Logical Interface")
1176			ifconfig $nic unplumb
1177			rm -f /etc/hostname.$nic
1178			return;;
1179		    " Remove Virtual Interface")
1180			ifconfig $nic unplumb
1181			dladm delete-vnic $nic
1182			rm -f /etc/hostname.$nic
1183			return;;
1184		    " Bring Up")
1185			ifconfig $nic up;;
1186		    " Bring Down")
1187			ifconfig $nic down;;
1188		    *) return;;
1189		esac
1190	done
1191}
1192
1193sharePrimaryNic() {
1194	set -A ip $(getent hosts $(cat /etc/nodename))
1195	for i in $(ifconfig -au4|grep  "^[a-z].*:" |grep -v LOOPBACK)
1196	do
1197		print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
1198		[ $? -eq 1 ] && continue
1199
1200		nic=${i%:} # Remove colon after interface name
1201		getAttrs
1202		if [ ${ip[0]} = $ipaddr ]; then
1203			shareInterface
1204			break
1205		fi
1206	done
1207}
1208
1209manageNets() {
1210	while (( 1 )) do
1211		attrs=
1212		for i in $(ifconfig -a4|grep  "^[a-z].*:" |grep -v LOOPBACK)
1213		do
1214			print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
1215			[ $? -eq 1 ] && continue
1216
1217			nic=${i%:} # Remove colon after interface name
1218			getAttrs
1219			attrs="$nic $linktype $zone $ipaddr $template $updown $attrs"
1220		done
1221
1222		nic=$(zenity --list \
1223		    --title="$title" \
1224		    --text="Select an interface from the list below:" \
1225		    --height=300 \
1226		    --width=500 \
1227		    --column="Interface" \
1228		    --column="Type" \
1229		    --column="Zone Name" \
1230		    --column="IP Address" \
1231		    --column="Template" \
1232		    --column="State" \
1233		    $attrs)
1234
1235		if [[ -z $nic ]] ; then
1236			return
1237		fi
1238		manageInterface
1239	done
1240}
1241
1242createLDAPclient() {
1243	ldaptitle="$title: Create LDAP Client"
1244	ldapdomain=$(zenity --entry \
1245	    --width=400 \
1246	    --title="$ldaptitle" \
1247	    --text="Enter Domain Name: ")
1248	if [[ -n $ldapdomain ]] ; then
1249	ldapserver=$(zenity --entry \
1250	    --width=400 \
1251	    --title="$ldaptitle" \
1252	    --text="Enter Hostname of LDAP Server: ")
1253	else
1254		return
1255	fi
1256	if [[ -n $ldapserver ]] ; then
1257	ldapserveraddr=$(zenity --entry \
1258	    --width=400 \
1259	    --title="$ldaptitle" \
1260	    --text="Enter IP adddress of LDAP Server $ldapserver: ")
1261	else
1262		return
1263	fi
1264	ldappassword=""
1265	while [[ -z ${ldappassword} || "x$ldappassword" != "x$ldappasswordconfirm" ]] ; do
1266	    ldappassword=$(zenity --entry \
1267		--width=400 \
1268		--title="$ldaptitle" \
1269		--hide-text \
1270		--text="Enter LDAP Proxy Password:")
1271	    ldappasswordconfirm=$(zenity --entry \
1272		--width=400 \
1273		--title="$ldaptitle" \
1274		--hide-text \
1275		--text="Confirm LDAP Proxy Password:")
1276	done
1277	ldapprofile=$(zenity --entry \
1278	    --width=400 \
1279	    --title="$ldaptitle" \
1280	    --text="Enter LDAP Profile Name: ")
1281	whatnext=$(zenity --list \
1282	    --width=400 \
1283	    --height=250 \
1284	    --title="$ldaptitle" \
1285	    --text="Proceed to create LDAP Client?" \
1286	    --column=Parameter --column=Value \
1287	    "Domain Name" "$ldapdomain" \
1288	    "Hostname" "$ldapserver" \
1289	    "IP Address" "$ldapserveraddr" \
1290	    "Password" "$(print "$ldappassword" | sed 's/./*/g')" \
1291	    "Profile" "$ldapprofile")
1292	[ $? != 0 ] && return
1293
1294	grep "^${ldapserveraddr}[^0-9]" /etc/hosts > /dev/null
1295	if [ $? -eq 1 ] ; then
1296		print "$ldapserveraddr $ldapserver" >> /etc/hosts
1297	fi
1298
1299	grep "${ldapserver}:" $TNRHDB > /dev/null
1300	if [ $? -eq 1 ] ; then
1301		print "# ${ldapserver} - ldap server" \
1302		    >> $TNRHDB
1303		print "${ldapserveraddr}:cipso" \
1304		    >> $TNRHDB
1305		tnctl -h "${ldapserveraddr}:cipso"
1306	fi
1307
1308	proxyDN=$(print $ldapdomain|awk -F"." \
1309	    "{ ORS = \"\" } { for (i = 1; i < NF; i++) print \"dc=\"\\\$i\",\" }{ print \"dc=\"\\\$NF }")
1310
1311	zenity --info \
1312	    --title="$ldaptitle" \
1313	    --width=500 \
1314	    --text="global zone will be LDAP client of $ldapserver"
1315
1316	ldapout=$TXTMP/ldapclient.$$
1317
1318	ldapclient init -a profileName="$ldapprofile" \
1319	    -a domainName="$ldapdomain" \
1320	    -a proxyDN"=cn=proxyagent,ou=profile,$proxyDN" \
1321	    -a proxyPassword="$ldappassword" \
1322	    "$ldapserveraddr" >$ldapout 2>&1
1323
1324	if [ $? -eq 0 ] ; then
1325	    ldapstatus=Success
1326	else
1327	    ldapstatus=Error
1328	fi
1329
1330	zenity --text-info \
1331	    --width=700 \
1332	    --height=300 \
1333	    --title="$ldaptitle: $ldapstatus" \
1334	    --filename=$ldapout
1335
1336	rm -f $ldapout
1337
1338
1339}
1340
1341tearDownZones() {
1342	if [ $DISP -eq 0 ] ; then
1343		if [ $FORCE -eq 0 ] ; then
1344			gettext "OK to destroy all zones [y|N]? "
1345			read ans
1346			printf "%s\n" "$ans" \
1347			    | /usr/xpg4/bin/grep -Eq "$(locale yesexpr)"
1348			if [ $? -ne 0 ] ; then
1349				gettext "canceled.\n"
1350				return 1
1351			fi
1352		fi
1353		gettext "destroying all zones ...\n"
1354	else
1355		killall=$(zenity --question \
1356		    --title="$title" \
1357		    --width=330 \
1358		    --text="$msg_confirmkill")
1359		if [[ $? != 0 ]]; then
1360			return
1361		fi
1362	fi
1363
1364	for p in $(zoneadm list -cp|grep -v global:) ; do
1365		zonename=$(echo "$p"|cut -d : -f2)
1366		if [ $DISP -eq 0 ] ; then
1367			gettext "destroying zone $zonename ...\n"
1368		fi
1369		zoneadm -z $zonename halt 1>/dev/null 2>&1
1370		zoneadm -z $zonename uninstall -F 1>/dev/null 2>&1
1371		delete -rRf
1372	done
1373	zonename=global
1374}
1375
1376createDefaultZones() {
1377	# If GUI display is not used, skip the dialog
1378	if [ $DISP -eq 0 ] ; then
1379		createDefaultPublic
1380		if [ $? -ne 0 ] ; then
1381			return 1
1382		fi
1383		createDefaultInternal
1384		return
1385	fi
1386
1387	msg_choose1=$(gettext "Choose one:")
1388	defpub=$(gettext "$PUBZONE zone only")
1389	defboth=$(gettext "$PUBZONE and $INTZONE zones")
1390	defskip=$(gettext "Main Menu...")
1391	command=$(echo ""\
1392	    "$defpub\n" \
1393	    "$defboth\n" \
1394	    "$defskip\n" \
1395	    | zenity --list \
1396	    --title="$title" \
1397	    --text="$msg_defzones" \
1398	    --column="$msg_choose1" \
1399	    --height=400 \
1400	    --width=330 )
1401
1402	case $command in
1403	    " $defpub")
1404		createDefaultPublic ;;
1405
1406	    " $defboth")
1407		createDefaultPublic
1408		if [ $? -ne 0 ] ; then
1409			return 1
1410		fi
1411		createDefaultInternal ;;
1412
1413	    *)
1414		return;;
1415	esac
1416}
1417
1418createDefaultPublic() {
1419	zonename=$PUBZONE
1420	if [ $DISP -eq 0 ] ; then
1421		gettext "creating default $zonename zone ...\n"
1422	fi
1423	newZone
1424	zone_cnt+=1
1425	hexlabel=$DEFAULTLABEL
1426	setTNdata
1427	sharePrimaryNic
1428
1429	install
1430	if [ $? -ne 0 ] ; then
1431		return 1
1432	fi
1433
1434	if [ $DISP -eq 0 ] ; then
1435		gettext "booting zone $zonename ...\n"
1436		zoneadm -z $zonename boot
1437	else
1438		zoneadm -z $zonename boot &
1439		gnome-terminal \
1440		    --disable-factory \
1441		    --title="Zone Console: $zonename $msg_continue" \
1442		    --command "zlogin -C $zonename"
1443	fi
1444}
1445
1446createDefaultInternal() {
1447	zoneadm -z $PUBZONE halt
1448
1449	zonename=snapshot
1450	newZone
1451	zone_cnt+=1
1452	zonecfg -z $zonename set autoboot=false
1453
1454	clone $PUBZONE
1455	zoneadm -z $PUBZONE boot &
1456
1457	zonename=$INTZONE
1458	if [ $DISP -eq 0 ] ; then
1459		gettext "creating default $zonename zone ...\n"
1460	fi
1461	newZone
1462	zone_cnt+=1
1463
1464	hexlabel=$INTLABEL
1465	x=$(grep -i :{$hexlabel}: $TNZONECFG)
1466	if [ $? = 0 ] ; then
1467		z=$(print $x|cut -d : -f1)
1468		echo "$msg_inuse $z zone."
1469	else
1470		setTNdata
1471	fi
1472
1473	clone snapshot
1474	if [ $DISP -eq 0 ] ; then
1475		gettext "booting zone $zonename ...\n"
1476	else
1477		gnome-terminal \
1478		    --title="Zone Console: $zonename" \
1479		    --command "zlogin -C $zonename" &
1480	fi
1481	zoneadm -z $zonename boot &
1482}
1483
1484selectZone() {
1485	set -A zonelist "global\nrunning\nADMIN_HIGH"
1486	integer zone_cnt=1
1487
1488	for p in $(zoneadm list -cp|grep -v global:) ; do
1489		zone_cnt+=1
1490	done
1491	if [ $zone_cnt == 1 ] ; then
1492		createDefaultZones
1493	fi
1494	if [ $zone_cnt == 1 ] ; then
1495		zonename=global
1496		singleZone
1497		return
1498	fi
1499
1500	zone_cnt=1
1501	for p in $(zoneadm list -cp|grep -v global:) ; do
1502		zonename=$(echo "$p"|cut -d : -f2)
1503		state=$(echo "$p"|cut -d : -f3)
1504		hexlabel=$(grep "^$zonename:" $TNZONECFG|cut -d : -f2)
1505		if [[ $hexlabel ]] ; then
1506			curlabel=$(hextoalabel $hexlabel)
1507		else
1508			curlabel=...
1509		fi
1510		zonelist[zone_cnt]="\n$zonename\n$state\n$curlabel"
1511		zone_cnt+=1
1512	done
1513	zonename=$(print "${zonelist[*]}"|zenity --list \
1514	    --title="$title" \
1515	    --text="$msg_getzone" \
1516	    --height=300 \
1517	    --width=500 \
1518	    --column="Zone Name" \
1519	    --column="Status" \
1520	    --column="Sensitivity Label" \
1521	)
1522
1523	# if the menu choice was a zonename, pop up zone menu
1524	if [[ -n $zonename ]] ; then
1525		singleZone
1526	else
1527		exit
1528	fi
1529}
1530
1531# Loop for single-zone menu
1532singleZone() {
1533
1534	while (( 1 )) do
1535		# Clear list of commands
1536
1537		console=
1538		label=
1539		start=
1540		reboot=
1541		stop=
1542		clone=
1543		install=
1544		ready=
1545		uninstall=
1546		autoboot=
1547		delete=
1548		deletenet=
1549		permitrelabel=
1550
1551		if [ $zone_cnt -gt 1 ] ; then
1552			killZones="Destroy all zones...\n"
1553			xit="Select another zone..."
1554		else
1555			killZones=
1556			xit="Exit"
1557		fi
1558		if [ $zonename = global ] ; then
1559			ldapClient="Create LDAP Client...\n"
1560			nscdOpt="$NSCD_OPT\n"
1561			createZone="Create a new zone...\n"
1562			addnet="Configure Network Interfaces...\n"
1563		else
1564			ldapClient=
1565			nscdOpt=
1566			createZone=
1567			addnet=
1568			killZones=
1569		fi
1570
1571		zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
1572
1573		consoleCheck;
1574		labelCheck;
1575		delay=0
1576
1577		if [ $zonename != global ] ; then
1578			case $zonestate in
1579				running)
1580					ready="Ready\n"
1581					reboot="Reboot\n"
1582					stop="Halt\n"
1583					;;
1584				ready)
1585					start="Boot\n"
1586					stop="Halt\n"
1587					;;
1588				installed)
1589					if [[ -z $label ]] ; then
1590						ready="Ready\n"
1591						start="Boot\n"
1592					fi
1593					uninstall="Uninstall\n"
1594					relabelCheck
1595					autobootCheck
1596					;;
1597				configured)
1598					install="Install...\n"
1599					cloneCheck
1600					delete="Delete\n"
1601					console=
1602					;;
1603				incomplete)
1604					uninstall="Uninstall\n"
1605					;;
1606				*)
1607				;;
1608			esac
1609		fi
1610
1611		command=$(echo ""\
1612		    $createZone \
1613		    $console \
1614		    $label \
1615		    $start \
1616		    $reboot \
1617		    $stop \
1618		    $clone \
1619		    $install \
1620		    $ready \
1621		    $uninstall \
1622		    $delete \
1623		    $addnet \
1624		    $deletenet \
1625		    $addremotehost \
1626		    $addcipsohost \
1627		    $removeremotehost \
1628		    $removecipsohost \
1629		    $setmlps \
1630		    $permitrelabel \
1631		    $autoboot \
1632		    $ldapClient \
1633		    $nscdOpt \
1634		    $killZones \
1635		    $xit \
1636		    | zenity --list \
1637		    --title="$title" \
1638		    --text="$msg_getcmd" \
1639		    --height=400 \
1640		    --width=330 \
1641		    --column "Zone: $zonename   Status: $zonestate" )
1642
1643		case $command in
1644		    " Create a new zone...")
1645			zonename=
1646			newZone ;;
1647
1648		    " Zone Console...")
1649			delay=2
1650			gnome-terminal \
1651			    --title="Zone Console: $zonename" \
1652			    --command "zlogin -C $zonename" & ;;
1653
1654		    " Select Label...")
1655			selectLabel;;
1656
1657		    " Ready")
1658			zoneadm -z $zonename ready ;;
1659
1660		    " Boot")
1661			zoneadm -z $zonename boot ;;
1662
1663		    " Halt")
1664			zoneadm -z $zonename halt ;;
1665
1666		    " Reboot")
1667			zoneadm -z $zonename reboot ;;
1668
1669		    " Install...")
1670			install;;
1671
1672		    " Clone...")
1673			clone ;;
1674
1675		    " Uninstall")
1676			zoneadm -z $zonename uninstall -F;;
1677
1678		    " Delete")
1679			delete
1680			return ;;
1681
1682		    " Configure Network Interfaces...")
1683			if [ $zonename = global ] ; then
1684				manageNets
1685			else
1686				manageZoneNets
1687			fi;;
1688
1689		    " Add Single-level Access to Remote Host...")
1690			addTnrhdb ;;
1691
1692		    " Add Multilevel Access to Remote Host...")
1693			template=cipso
1694			addTnrhdb ;;
1695
1696		    " Remove Single-level Access to Remote Host...")
1697			removeTnrhdb ;;
1698
1699		    " Remove Multilevel Access to Remote Host...")
1700			template=cipso
1701			removeTnrhdb ;;
1702
1703		    " Configure Multilevel Ports...")
1704			setMLPs;;
1705
1706		    " Permit Relabeling")
1707			zonecfg -z $zonename set limitpriv=default,\
1708win_mac_read,win_mac_write,win_selection,win_dac_read,win_dac_write,\
1709file_downgrade_sl,file_upgrade_sl,sys_trans_label ;;
1710
1711		    " Deny Relabeling")
1712			zonecfg -z $zonename set limitpriv=default ;;
1713
1714		    " Set Automatic Booting")
1715			zonecfg -z $zonename set autoboot=true ;;
1716
1717		    " Set Manual Booting")
1718			zonecfg -z $zonename set autoboot=false ;;
1719
1720		    " Create LDAP Client...")
1721			createLDAPclient ;;
1722
1723		    " Configure per-zone name service")
1724			manageNscd ;;
1725
1726		    " Unconfigure per-zone name service")
1727			manageNscd ;;
1728
1729		    " Destroy all zones...")
1730			tearDownZones
1731			return ;;
1732
1733		    *)
1734			if [ $zone_cnt == 1 ] ; then
1735				exit
1736			else
1737				return
1738			fi;;
1739		esac
1740		sleep $delay;
1741	done
1742}
1743
1744# Main loop for top-level window
1745#
1746
1747/usr/bin/plabel $$ 1>/dev/null 2>&1
1748if [ $? != 0 ] ; then
1749	gettext "$0 : Trusted Extensions must be enabled.\n"
1750	exit 1
1751fi
1752
1753myzone=$(/sbin/zonename)
1754if [ $myzone != "global" ] ; then
1755	gettext "$0 : must be in global zone to run.\n"
1756	exit 1
1757fi
1758
1759
1760process_options "$@" || exit
1761
1762mkdir $TXTMP 2>/dev/null
1763deflabel=$(chk_encodings -a|grep "Default User Sensitivity"|\
1764   sed 's/= /=/'|sed 's/"/'''/g|cut -d"=" -f2)
1765DEFAULTLABEL=$(atohexlabel ${deflabel})
1766intlabel=$(chk_encodings -a|grep "Default User Clearance"|\
1767   sed 's/= /=/'|sed 's/"/'''/g|cut -d"=" -f2)
1768INTLABEL=$(atohexlabel -c "${intlabel}")
1769
1770# are there any zfs pools?
1771ZDSET=none
1772zpool iostat 1>/dev/null 2>&1
1773if [ $? = 0 ] ; then
1774	# is there a zfs pool named "zone"?
1775	zpool list -H zone 1>/dev/null 2>&1
1776	if [ $? = 0 ] ; then
1777		# yes
1778		ZDSET=zone
1779	else
1780		# no, but is there a root pool?
1781		rootfs=$(df -n / | awk '{print $3}')
1782		if [ $rootfs = "zfs" ] ; then
1783			# yes, use it
1784			ZDSET=$(zfs list -Ho name / | cut -d/ -f 1)/zones
1785			zfs list -H $ZDSET 1>/dev/null 2>&1
1786			if [ $? = 1 ] ; then
1787				createZDSET "-o mountpoint=/zone" $ZDSET
1788			fi
1789		fi
1790	fi
1791fi
1792
1793if [ $DISP -eq 0 ] ; then
1794	gettext "non-interactive mode ...\n"
1795
1796	if [ $DESTROYZONES -eq 1 ] ; then
1797		tearDownZones
1798	fi
1799
1800	if [ $CREATEDEF -eq 1 ] ; then
1801		if [[ $(zoneadm list -c) == global ]] ; then
1802			createDefaultZones
1803		else
1804			gettext "cannot create default zones because there are existing zones.\n"
1805		fi
1806	fi
1807
1808	exit
1809fi
1810
1811if [ $NSCD_PER_LABEL -eq 0 ] ; then
1812	NSCD_OPT="Configure per-zone name service"
1813else
1814	NSCD_OPT="Unconfigure per-zone name service"
1815fi
1816
1817
1818while (( 1 )) do
1819	selectZone
1820done
1821