xref: /titanic_50/usr/src/cmd/tsol/misc/txzonemgr.sh (revision 940d71d237794874e18a0eb72f6564821a823517)
1#!/bin/pfksh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23# Use is subject to license terms.
24#
25#ident	"%Z%%M%	%I%	%E% SMI"
26#
27
28# This script provides a simple GUI for managing labeled zones.
29# It takes no arguments, but provides contextual menus which
30# provide appropriate choices. It must be run in the global
31# zone as root.
32
33NSCD_PER_LABEL=0
34NSCD_INDICATOR="/var/tsol/doors/nscd_per_label"
35export NSCD_PER_LABEL
36export NSCD_INDICATOR
37if [ -f $NSCD_INDICATOR ] ; then
38	NSCD_PER_LABEL=1
39fi
40PATH=/usr/bin:/usr/sbin:/usr/lib export PATH
41title="Labeled Zone Manager"
42maxlabel=`chk_encodings -X 2>/dev/null`
43if [[ ! -n $maxlabel ]]; then
44	maxlabel=0x000a-08-f8
45fi
46zonename=""
47export zonename
48config=/tmp/zfg.$$ ;
49
50consoleCheck() {
51	zconsole=`pgrep -f "zlogin -C $zonename"`
52	if [ $? != 0 ]; then
53		console="Zone Console...\n"
54	fi
55}
56
57labelCheck() {
58	hexlabel=`/bin/grep "^$zonename:" \
59	    /etc/security/tsol/tnzonecfg|cut -d ":" -f2`;
60	if [ $hexlabel ] ; then
61		label=
62		curlabel=`hextoalabel $hexlabel`
63	else
64		label="Select Label...\n"
65		curlabel=...
66	fi
67}
68
69snapshotCheck() {
70	filesystem=`zfs list |grep zone/$zonename |cut -d " " -f1`
71	if [[ -n $filesystem ]]; then
72		snapshot="Create Snapshot\n"
73	fi
74}
75
76copyCheck() {
77	zonelist=""
78	for p in `zoneadm list -ip`; do
79		q=`echo $p|cut -d ":" -f2`
80		if [ $q != $zonename ]; then
81			zonelist="$zonelist $q"
82		fi
83	done
84	if [[ -n $zonelist ]]; then
85		copy="Copy...\n"; \
86		clone="Clone\n"; \
87	fi
88}
89
90relabelCheck() {
91	macstate=`zonecfg -z $zonename info|grep win_mac_write`
92	if [[ -n $macstate ]]; then
93		permitrelabel="Deny Relabeling\n"
94	else
95		permitrelabel="Permit Relabeling\n"
96	fi
97}
98
99selectLabel() {
100	labelList=""
101	for p in `lslabels -h $maxlabel`; do
102		hexlabel=`/bin/grep :$p: /etc/security/tsol/tnzonecfg`
103		if [ $? != 0 ]; then
104			newlabel=`hextoalabel $p`
105			labelList="$labelList $newlabel\n"
106		fi
107	done
108	alabel=$(echo $labelList|zenity --list \
109	    --title="$title" \
110	    --height=300 \
111	    --width=400 \
112	    --column="Available Sensitivity Labels")
113
114	if [[ -n $alabel ]]; then
115		newlabel=`atohexlabel "$alabel" 2>null`
116		if [[ -n $newlabel ]]; then
117			echo $zonename:$newlabel:0:: >> /etc/security/tsol/tnzonecfg
118		else
119			x=$(zenity --error \
120			    --title="$title" \
121			    --text="$alabel is not valid")
122		fi
123	fi
124}
125
126resolveXdisplay() {
127	export ZONE_PATH
128	export ZONE_ETC_DIR
129	export IPNODES
130	export LIST
131	ERRORLIST=""
132	export ERRORLIST
133	# if using nscd-per-label then we have to be sure the global zone's
134	# hostname resolves because it is used for DISPLAY in X
135	ghostname=`hostname`
136	export ghostname
137
138	if [[ -n "$1" ]] ; then
139		LIST=`zoneadm list -ip | grep ":$1:"`
140	else
141		LIST=`zoneadm list -ip | grep -v "global"`
142	fi
143
144	gipaddress=`getent hosts $ghostname|cut -f1`
145	for i in $LIST; do
146		ZONE_PATH=`echo "$i" |cut -d ":" -f4`
147		ZONE_ETC_DIR=$ZONE_PATH/root/etc
148		IPNODES=${ZONE_ETC_DIR}/inet/ipnodes
149
150		# Rather than toggle on and off with NSCD_PER_LABEL, put the
151		# information in there and a sysadmin can remove it if necessary
152		# $DISPLAY will not work in X without global hostname
153		ENTRY=`grep $ghostname $IPNODES`
154		case "$ENTRY" in
155			127.0.0.1* )
156				if [[ -z $ERRORLIST ]] ; then
157					ERRORLIST="$ghostname address 127.0.0.1 found in:\n"
158				fi
159				ERRORLIST="$ERRORLIST $IPNODES\n"
160				;;
161			"")
162				gipaddress=`getent hosts $ghostname|cut -f1`
163				echo "$gipaddress\t$ghostname" >>  $IPNODES
164				;;
165			*)
166				continue
167				;;
168
169		esac
170	done
171	if [[ -n "$ERRORLIST" ]] ; then
172		x=$(zenity --error \
173		    --title="$title" \
174		    --text="WARNING:\n\n\n$ERRORLIST\n\n")
175	fi
176}
177
178clone() {
179	image=`zfs list |grep snapshot|cut -d " " -f1| \
180	    zenity --list \
181		--title="$title" \
182	        --height=300 \
183		--column="ZFS Zone Snapshots"`
184	if [[ -n $image ]]; then
185		dataset=`zfs list |grep zone/$zonename |cut -d " " -f1`
186		if [[ -n $dataset ]]; then
187			/usr/sbin/zfs destroy zone/$zonename
188		fi
189		/usr/sbin/zfs clone $image zone/$zonename
190		/usr/sbin/zoneadm -z $zonename attach -F
191		if [ ! -f /var/ldap/ldap_client_file ]; then
192			if [ $NSCD_PER_LABEL = 0 ] ; then
193				sharePasswd
194			else
195				unsharePasswd
196				resolveXdisplay
197			fi
198		fi
199	fi
200}
201
202copy() {
203
204	image=`zenity --list \
205	    --title="$title: Copy From" \
206	    --height=300 \
207	    --column="Installed Zones" $zonelist`
208
209	/usr/bin/gnome-terminal \
210	    --title="$title: Copying $image to $zonename zone" \
211	    --command "zoneadm -z $zonename clone -m copy $image" \
212	    --disable-factory \
213	    --hide-menubar
214
215	if [ ! -f /var/ldap/ldap_client_file ]; then
216		if [ $NSCD_PER_LABEL = 0 ] ; then
217			sharePasswd
218		else
219			unsharePasswd
220			resolveXdisplay
221		fi
222	fi
223}
224
225initialize() {
226	hostname=`hostname`
227	hostname=$(zenity --entry \
228	    --title="$title" \
229	    --text="Enter Host Name: " \
230	    --entry-text $hostname)
231	if [ $? != 0 ]; then
232		exit 1
233	fi
234
235	ZONE_PATH=`zoneadm list -ip|grep ":${zonename}:"|cut -d ":" -f4`
236	if [ -z "$ZONE_PATH" ] ; then
237		x=$(zenity --error \
238		    --title="$title" \
239		    --text="$zonename is not an installed zone")
240		exit 1
241	fi
242	ZONE_ETC_DIR=$ZONE_PATH/root/etc
243	ipaddress=`getent hosts $hostname|cut -f1`
244	SYSIDCFG=${ZONE_ETC_DIR}/sysidcfg
245
246	if [ -f /var/ldap/ldap_client_file ]; then
247		ldapaddress=`ldapclient list | \
248		    /bin/grep "^NS_LDAP_SERVERS" | cut -d " " -f2`
249		echo "name_service=LDAP {" > ${SYSIDCFG}
250		domain=`domainname`
251		echo "domain_name=$domain" >> ${SYSIDCFG}
252		profName=`ldapclient list | \
253		    /bin/grep "^NS_LDAP_PROFILE" | cut -d " " -f2`
254		proxyPwd=`ldapclient list | \
255		    /bin/grep "^NS_LDAP_BINDPASSWD" | cut -d " " -f2`
256		proxyDN=`ldapclient list | \
257		    /bin/grep "^NS_LDAP_BINDDN" | cut -d " " -f 2`
258		if [ "$proxyDN" ]; then
259			echo "proxy_dn=\"$proxyDN\"" >> ${SYSIDCFG}
260			echo "proxy_password=\"$proxyPwd\"" >> ${SYSIDCFG}
261		fi
262		echo "profile=$profName" >> ${SYSIDCFG}
263		echo "profile_server=$ldapaddress }" >> ${SYSIDCFG}
264		cp /etc/nsswitch.conf $ZONE_ETC_DIR/nsswitch.ldap
265	else
266		echo "name_service=NONE" > ${SYSIDCFG}
267		if [ $NSCD_PER_LABEL = 0 ] ; then
268			sharePasswd
269		else
270			# had to put resolveXdisplay lower down for this case
271			unsharePasswd
272		fi
273	fi
274
275	echo "security_policy=NONE" >> ${SYSIDCFG}
276	locale=`locale|grep LANG | cut -d "=" -f2`
277	if [[ -z $locale ]]; then
278		locale="C"
279	fi
280	echo "system_locale=$locale" >> ${SYSIDCFG}
281	timezone=`/bin/grep "^TZ" /etc/TIMEZONE|cut -d "=" -f2`
282	echo "timezone=$timezone" >> ${SYSIDCFG}
283	echo "terminal=vt100" >> ${SYSIDCFG}
284	rootpwd=`/bin/grep "^root:" /etc/shadow|cut -d ":" -f2`
285	echo "root_password=$rootpwd" >> ${SYSIDCFG}
286	echo "network_interface=PRIMARY {" >> ${SYSIDCFG}
287	echo "protocol_ipv6=no" >> ${SYSIDCFG}
288	echo "hostname=$hostname" >> ${SYSIDCFG}
289	echo "ip_address=$ipaddress }" >> ${SYSIDCFG}
290	cp /etc/default/nfs ${ZONE_ETC_DIR}/default/nfs
291	touch ${ZONE_ETC_DIR}/.NFS4inst_state.domain
292	if [ $NSCD_PER_LABEL = 1 ] ; then
293		resolveXdisplay
294	fi
295}
296
297install() {
298	# if there is a zfs pool for zone
299	# create a new dataset for the zone
300	# This step is done automatically by zonecfg
301	# in Solaris Express 8/06 or newer
302
303	zp=`zpool list -H zone 2>/dev/null`
304	if [ $? = 0 ]; then
305		zfs create zone/$zonename
306		chmod 700 /zone/$zonename
307	fi
308
309	/usr/bin/gnome-terminal \
310	    --title="$title: Installing $zonename zone" \
311	    --command "zoneadm -z $zonename install" \
312	    --disable-factory \
313	    --hide-menubar
314
315	initialize
316}
317
318delete() {
319	# if there is an entry for this zone in tnzonecfg, remove it
320	# before deleting the zone.
321
322	tnzone=`egrep "^$zonename:" /etc/security/tsol/tnzonecfg 2>/dev/null`
323	if [ -n "${tnzone}" ]; then
324		sed -e "/^$tnzone:*/d" /etc/security/tsol/tnzonecfg > \
325		    /tmp/tnzonefg.$$ 2>/dev/null
326		mv /tmp/tnzonefg.$$ /etc/security/tsol/tnzonecfg
327	fi
328	zonecfg -z $zonename delete -F
329	zonename=
330}
331
332getNIC(){
333
334	nics=
335	for i in `ifconfig -a4|grep  "^[a-z].*:" |grep -v LOOPBACK`
336	do
337		echo $i |grep "^[a-z].*:" >/dev/null 2>&1
338		if [ $? -eq 1 ]; then
339			continue
340		fi
341		i=${i%:} # Remove colon after interface name
342		echo $i |grep ":" >/dev/null 2>&1
343		if [ $? -eq 0 ]; then
344			continue
345		fi
346		nics="$nics $i"
347	done
348
349	nic=$(zenity --list \
350	    --title="$title" \
351	    --column="Interface" \
352	    $nics)
353}
354
355getNetmask() {
356
357	cidr=
358	nm=$(zenity --entry \
359	    --title="$title" \
360	    --text="$ipaddr: Enter netmask: " \
361	    --entry-text 255.255.255.0)
362	if [ $? != 0 ]; then
363	       return;
364	fi
365
366	cidr=`perl -e 'use Socket; print unpack("%32b*",inet_aton($ARGV[0])), "\n";' $nm`
367}
368
369addNet() {
370	getNIC
371	if [[ -z $nic ]]; then
372		return;
373	fi
374	getIPaddr
375	if [[ -z $ipaddr ]]; then
376		return;
377	fi
378	getNetmask
379	if [[ -z $cidr ]]; then
380		return;
381	fi
382	zcfg="
383add net
384set address=${ipaddr}/${cidr}
385set physical=$nic
386end
387commit
388"
389	echo "$zcfg" > $config ;
390	zonecfg -z $zonename -f $config ;
391	rm $config
392}
393
394getAttrs() {
395	zone=global
396	type=ignore
397	for j in `ifconfig $nic`
398	do
399		case $j in
400			inet) type=$j;;
401			zone) type=$j;;
402			all-zones) zone=all-zones;;
403			flags*) flags=$j;;
404			*) case $type in
405				inet) ipaddr=$j ;;
406				zone) zone=$j ;;
407				*) continue ;;
408			   esac;\
409			   type=ignore;;
410		esac
411	done
412	if [ $ipaddr != 0.0.0.0 ]; then
413		template=`tninfo -h $ipaddr|grep Template| cut -d" " -f3`
414	else
415		template="..."
416		ipaddr="..."
417	fi
418}
419
420updateTnrhdb() {
421	tnctl -h ${ipaddr}:$template
422	x=`grep "^${ipaddr}[^0-9]" /etc/security/tsol/tnrhdb`
423	if [ $? = 0 ]; then
424		sed s/$x/${ipaddr}:$template/g /etc/security/tsol/tnrhdb \
425		    > /tmp/txnetmgr.$$
426		mv /tmp/txnetmgr.$$ /etc/security/tsol/tnrhdb
427	else
428		echo ${ipaddr}:$template >> /etc/security/tsol/tnrhdb
429	fi
430}
431
432getIPaddr() {
433        hostname=$(zenity --entry \
434            --title="$title" \
435            --text="$nic: Enter hostname: ")
436
437        if [ $? != 0 ]; then
438               return;
439	fi
440
441	ipaddr=`getent hosts $hostname|cut -f1`
442        if [[ -z $ipaddr ]]; then
443
444		ipaddr=$(zenity --entry \
445		    --title="$title" \
446		    --text="$nic: Enter IP address: " \
447		    --entry-text a.b.c.d)
448		if [ $? != 0 ]; then
449		       return;
450		fi
451	fi
452
453}
454
455addHost() {
456	# Update hosts and ipnodes
457        if [[ -z $ipaddr ]]; then
458               return;
459	fi
460	grep "^${ipaddr}[^0-9]" /etc/inet/hosts >/dev/null
461	if [ $? -eq 1 ]; then
462		echo "$ipaddr\t$hostname" >> /etc/inet/hosts
463	fi
464
465	grep "^${ipaddr}[^0-9]" /etc/inet/ipnodes >/dev/null
466	if [ $? -eq 1 ]; then
467		echo "$ipaddr\t$hostname" >> /etc/inet/ipnodes
468	fi
469
470	template=cipso
471	updateTnrhdb
472
473	ifconfig $nic $ipaddr netmask + broadcast +
474	echo $hostname > /etc/hostname.$nic
475}
476
477getTemplate() {
478	templates=$(cat /etc/security/tsol/tnrhtp|\
479	    grep "^[A-z]"|grep "type=cipso"|cut -f1 -d":")
480
481	while [ 1 -gt 0 ]; do
482		t_cmd=$(zenity --list \
483		    --title="$title" \
484		    --height=300 \
485		    --column="Network Templates" \
486		    $templates)
487
488		if [ $? != 0 ]; then
489		       break;
490		fi
491
492		t_label=$(tninfo -t $t_cmd | grep sl|zenity --list \
493		    --title="$title" \
494		    --height=300 \
495		    --width=450 \
496		    --column="Click OK to associate $t_cmd template with $ipaddr" )
497
498		if [ $? != 0 ]; then
499			continue
500		fi
501		template=$t_cmd
502		updateTnrhdb
503		break
504	done
505}
506
507createInterface() {
508	msg=`ifconfig $nic addif 0.0.0.0`
509	$(zenity --info \
510	    --title="$title" \
511	    --text="$msg" )
512}
513
514shareInterface() {
515	ifconfig $nic all-zones;\
516	if_file=/etc/hostname.$nic
517	sed q | sed -e "s/$/ all-zones/" < $if_file >/tmp/txnetmgr.$$
518	mv /tmp/txnetmgr.$$ $if_file
519}
520
521setMacPrivs() {
522	zcfg="
523set limitpriv=default,win_mac_read,win_mac_write,win_selection,win_dac_read,win_dac_write,file_downgrade_sl,file_upgrade_sl,sys_trans_label
524commit
525"
526	echo "$zcfg" > $config ;
527	zonecfg -z $zonename -f $config ;
528	rm $config
529}
530
531resetMacPrivs() {
532	zcfg="
533set limitpriv=default
534commit
535"
536	echo "$zcfg" > $config ;
537	zonecfg -z $zonename -f $config ;
538	rm $config
539}
540
541unsharePasswd() {
542	for i in `zoneadm list -i | grep -v global`; do
543		zonecfg -z $i remove fs dir=/etc/passwd 2>&1 | grep -v such
544		zonecfg -z $i remove fs dir=/etc/shadow 2>&1 | grep -v such
545	done
546}
547
548sharePasswd() {
549	if [ $NSCD_PER_LABEL -ne 0 ] ; then
550		return
551	fi
552	passwd=`zonecfg -z $zonename info|grep /etc/passwd`
553	if [[ $? -eq 1 ]]; then
554		zcfg="
555add fs
556set special=/etc/passwd
557set dir=/etc/passwd
558set type=lofs
559add options ro
560end
561add fs
562set special=/etc/shadow
563set dir=/etc/shadow
564set type=lofs
565add options ro
566end
567commit
568"
569		echo "$zcfg" > $config ;
570		zonecfg -z $zonename -f $config ;
571		rm $config
572	fi
573}
574
575# This routine is a toggle -- if we find it configured for global nscd,
576# change to nscd-per-label and vice-versa.
577#
578# The user was presented with only the choice to CHANGE the existing
579# configuration.
580
581manageNscd() {
582	if [ $NSCD_PER_LABEL -eq 0 ] ; then
583		# this MUST be a regular file for svc-nscd to detect
584		touch $NSCD_INDICATOR
585		NSCD_PER_LABEL=1
586		unsharePasswd
587		resolveXdisplay
588	else
589		export zonename
590		rm -f $NSCD_INDICATOR
591		NSCD_PER_LABEL=0
592		for i in `zoneadm list -i | grep -v global`; do
593			zonename=$i
594			sharePasswd
595		done
596		zonename=
597	fi
598}
599
600manageNets() {
601	while [ 1 -gt 0 ]; do
602		attrs=
603		for i in `ifconfig -au4|grep  "^[a-z].*:" |grep -v LOOPBACK`
604		do
605			echo $i |grep "^[a-z].*:" >/dev/null 2>&1
606			if [ $? -eq 1 ]; then
607				continue
608			fi
609			nic=${i%:} # Remove colon after interface name
610			getAttrs
611			attrs="$nic $zone $ipaddr $template Up $attrs"
612		done
613
614		for i in `ifconfig -ad4 |grep  "^[a-z].*:" |grep -v LOOPBACK`
615		do
616			echo $i |grep "^[a-z].*:" >/dev/null 2>&1
617			if [ $? -eq 1 ]; then
618				continue
619			fi
620			nic=${i%:} # Remove colon after interface name
621			getAttrs
622			attrs="$nic $zone $ipaddr $template Down $attrs"
623		done
624
625		nic=$(zenity --list \
626		    --title="$title" \
627		    --height=300 \
628		    --width=450 \
629		    --column="Interface" \
630		    --column="Zone Name" \
631		    --column="IP Address" \
632		    --column="Template" \
633		    --column="State" \
634		    $attrs)
635
636		if [[ -z $nic ]]; then
637			return
638		fi
639
640		getAttrs
641
642		# Clear list of commands
643
644		share=
645		setipaddr=
646		settemplate=
647		newlogical=
648		unplumb=
649		bringup=
650		bringdown=
651
652		# Check for physical interface
653
654		hascolon=`echo $nic |grep :`
655		if [ $? != 0 ]; then
656			newlogical="Create Logical Interface\n";
657		else
658			up=`echo $flags|grep "UP,"`
659			if [ $? != 0 ]; then
660				unplumb="Remove Logical Interface\n"
661				if [ $ipaddr != "..." ]; then
662					bringup="Bring Up\n"
663				fi
664			else
665				bringdown="Bring Down\n"
666			fi
667		fi
668
669		if [ $ipaddr = "..." ]; then
670			setipaddr="Set IP address...\n";
671		else
672			settemplate="View Templates...\n"
673			if [ $zone = global ]; then
674				share="Share\n"
675			fi
676		fi
677
678		command=$(echo ""\
679		    $share \
680		    $setipaddr \
681		    $settemplate \
682		    $newlogical \
683		    $unplumb \
684		    $bringup \
685		    $bringdown \
686		    | zenity --list \
687		    --title="$title" \
688		    --height=300 \
689		    --column "Interface: $nic" )
690
691		case $command in
692		    " Create Logical Interface")\
693			createInterface;;
694		    " Set IP address...")\
695			getIPaddr
696			addHost;;
697		    " Share")\
698			shareInterface;;
699		    " View Templates...")\
700			getTemplate;;
701		    " Remove Logical Interface")\
702			ifconfig $nic unplumb;\
703			rm -f /etc/hostname.$nic;;
704		    " Bring Up")\
705			ifconfig $nic up;;
706		    " Bring Down")\
707			ifconfig $nic down;;
708		    *) continue;;
709		esac
710	done
711}
712
713createLDAPclient() {
714	ldaptitle="$title: Create LDAP Client"
715	ldapdomain=$(zenity --entry \
716	    --width=400 \
717	    --title="$ldaptitle" \
718	    --text="Enter Domain Name: ")
719	ldapserver=$(zenity --entry \
720	    --width=400 \
721	    --title="$ldaptitle" \
722	    --text="Enter Hostname of LDAP Server: ")
723	ldapserveraddr=$(zenity --entry \
724	    --width=400 \
725	    --title="$ldaptitle" \
726	    --text="Enter IP adddress of LDAP Server $ldapserver: ")
727	ldappassword=""
728	while [[ -z ${ldappassword} || "x$ldappassword" != "x$ldappasswordconfirm" ]]; do
729	    ldappassword=$(zenity --entry \
730		--width=400 \
731		--title="$ldaptitle" \
732		--hide-text \
733		--text="Enter LDAP Proxy Password:")
734	    ldappasswordconfirm=$(zenity --entry \
735		--width=400 \
736		--title="$ldaptitle" \
737		--hide-text \
738		--text="Confirm LDAP Proxy Password:")
739	done
740	ldapprofile=$(zenity --entry \
741	    --width=400 \
742	    --title="$ldaptitle" \
743	    --text="Enter LDAP Profile Name: ")
744	whatnext=$(zenity --list \
745	    --width=400 \
746	    --height=250 \
747	    --title="$ldaptitle" \
748	    --text="Proceed to create LDAP Client?" \
749	    --column=Parameter --column=Value \
750	    "Domain Name" "$ldapdomain" \
751	    "Hostname" "$ldapserver" \
752	    "IP Address" "$ldapserveraddr" \
753	    "Password" "`echo "$ldappassword" | sed 's/./*/g'`" \
754	    "Profile" "$ldapprofile")
755	if [ $? != 0 ]; then
756		return
757	fi
758
759	/bin/grep "^${ldapserveraddr}[^0-9]" /etc/hosts > /dev/null
760	if [ $? -eq 1 ]; then
761		/bin/echo "$ldapserveraddr $ldapserver" >> /etc/hosts
762	fi
763
764	/bin/grep "${ldapserver}:" /etc/security/tsol/tnrhdb > /dev/null
765	if [ $? -eq 1 ]; then
766		/bin/echo "# ${ldapserver} - ldap server" \
767		    >> /etc/security/tsol/tnrhdb
768		/bin/echo "${ldapserveraddr}:cipso" \
769		    >> /etc/security/tsol/tnrhdb
770		/usr/sbin/tnctl -h "${ldapserveraddr}:cipso"
771	fi
772
773	proxyDN=`echo $ldapdomain|awk -F"." \
774	    "{ ORS = \"\" } { for (i = 1; i < NF; i++) print \"dc=\"\\\$i\",\" }{ print \"dc=\"\\\$NF }"`
775
776	zenity --info \
777	    --title="$ldaptitle" \
778	    --width=500 \
779	    --text="global zone will be LDAP client of $ldapserver"
780
781	ldapout=/tmp/ldapclient.$$
782
783	ldapclient init -a profileName="$ldapprofile" \
784	    -a domainName="$ldapdomain" \
785	    -a proxyDN"=cn=proxyagent,ou=profile,$proxyDN" \
786	    -a proxyPassword="$ldappassword" \
787	    "$ldapserveraddr" >$ldapout 2>&1
788
789	if [ $? -eq 0 ]; then
790	    ldapstatus=Success
791	else
792	    ldapstatus=Error
793	fi
794
795	zenity --text-info \
796	    --width=700 \
797	    --height=300 \
798	    --title="$ldaptitle: $ldapstatus" \
799	    --filename=$ldapout
800
801	rm -f $ldapout
802
803
804}
805
806# Loop for single-zone menu
807singleZone() {
808
809	while [ "${command}" != Exit ]; do
810		if [[ ! -n $zonename ]]; then
811			x=$(zenity --error \
812			    --title="$title" \
813			    --text="zonename \"$zonename\" is not valid")
814			return
815		fi
816		# Clear list of commands
817
818		console=
819		label=
820		start=
821		reboot=
822		stop=
823		clone=
824		copy=
825		install=
826		ready=
827		uninstall=
828		delete=
829		snapshot=
830		addnet=
831		deletenet=
832		permitrelabel=
833
834		zonestate=`zoneadm -z $zonename list -p | cut -d ":" -f 3`
835
836		consoleCheck;
837		labelCheck;
838		delay=0
839
840		case $zonestate in
841			running) ready="Ready\n"; \
842			       reboot="Reboot\n"; \
843			       stop="Halt\n"; \
844			;;
845			ready) start="Boot\n"; \
846			       stop="Halt\n" \
847			;;
848			installed)
849				if [[ -z $label ]]; then \
850					ready="Ready\n"; \
851					start="Boot\n"; \
852				fi; \
853				uninstall="Uninstall\n"; \
854				snapshotCheck; \
855				relabelCheck;
856				addnet="Add Network...\n"
857			;;
858			configured) install="Install...\n"; \
859				copyCheck; \
860				delete="Delete\n"; \
861				console=; \
862			;;
863			incomplete) delete="Delete\n"; \
864			;;
865			*)
866			;;
867		esac
868
869		command=$(echo ""\
870		    $console \
871		    $label \
872		    $start \
873		    $reboot \
874		    $stop \
875		    $clone \
876		    $copy \
877		    $install \
878		    $ready \
879		    $uninstall \
880		    $delete \
881		    $snapshot \
882		    $addnet \
883		    $deletenet \
884		    $permitrelabel \
885		    "Return to Main Menu" \
886		    | zenity --list \
887		    --title="$title" \
888		    --height=300 \
889		    --column "$zonename: $zonestate" )
890
891		case $command in
892		    " Zone Console...")
893			delay=2; \
894			/usr/bin/gnome-terminal \
895			    --title="Zone Terminal Console: $zonename" \
896			    --command "/usr/sbin/zlogin -C $zonename" &;;
897
898		    " Select Label...")
899			selectLabel;;
900
901		    " Ready")
902			zoneadm -z $zonename ready ;;
903
904		    " Boot")
905			zoneadm -z $zonename boot ;;
906
907		    " Halt")
908			zoneadm -z $zonename halt ;;
909
910		    " Reboot")
911			zoneadm -z $zonename reboot ;;
912
913		    " Install...")
914			install;;
915
916		    " Clone")
917			clone ;;
918
919		    " Copy...")
920			copy ;;
921
922		    " Uninstall")
923			zoneadm -z $zonename uninstall -F;;
924
925		    " Delete")
926			delete
927			return ;;
928
929		    " Create Snapshot")
930			zfs snapshot zone/${zonename}@snapshot;;
931
932		    " Add Network...")
933			addNet ;;
934
935		    " Permit Relabeling")
936			setMacPrivs ;;
937
938		    " Deny Relabeling")
939			resetMacPrivs ;;
940
941		    *)
942			zonename=
943			return ;;
944		esac
945		sleep $delay;
946	done
947}
948
949# Main loop for top-level window
950#
951# Always display vni0 since it is useful for cross-zone networking
952#
953ifconfig vni0 > /dev/null 2>&1
954if [ $? != 0 ]; then
955	ifconfig vni0 plumb >/dev/null 2>&1
956fi
957export NSCD_OPT
958while [ "${command}" != Exit ]; do
959	zonelist=""
960	for p in `zoneadm list -cp |grep -v global:`; do
961		zonename=`echo $p|cut -d : -f2`
962		state=`echo $p|cut -d : -f3`
963		labelCheck
964		zonelist="$zonelist$zonename\n$state\n$curlabel\n"
965	done
966
967	if [ $NSCD_PER_LABEL -eq 0 ]  ; then
968		NSCD_OPT="Configure per-zone name service"
969	else
970		NSCD_OPT="Unconfigure per-zone name service"
971	fi
972	zonelist=${zonelist}"Manage Network Interfaces...\n\n\n"
973	zonelist=${zonelist}"Create a new zone...\n\n\n"
974	zonelist=${zonelist}"${NSCD_OPT}"
975	zonelist=${zonelist}"\n\n\nCreate LDAP Client...\n\n\n"
976	zonelist=${zonelist}"Exit\n\n"
977
978	zonename=""
979	topcommand=$(echo $zonelist|zenity --list \
980	    --title="$title" \
981	    --height=300 \
982	    --width=500 \
983	    --column="Zone Name" \
984	    --column="Status" \
985	    --column="Sensitivity Label" \
986	    )
987
988	if [[ ! -n $topcommand ]]; then
989		command=Exit
990		exit
991	fi
992
993	if [ "$topcommand" = "$NSCD_OPT" ]; then
994		topcommand=
995		manageNscd
996		continue
997	elif [ "$topcommand" = "Manage Network Interfaces..." ]; then
998		topcommand=
999		manageNets
1000		continue
1001	elif [ "$topcommand" = "Exit" ]; then
1002		command=Exit
1003		exit
1004	elif [ "$topcommand" = "Create a new zone..." ]; then
1005		zonename=$(zenity --entry \
1006		    --title="$title" \
1007		    --entry-text="" \
1008		    --text="Enter Zone Name: ")
1009
1010		if [[ ! -n $zonename ]]; then
1011			continue
1012		fi
1013
1014		zcfg="
1015create -t SUNWtsoldef
1016set zonepath=/zone/$zonename
1017commit
1018"
1019		echo "$zcfg" > $config ;
1020		zonecfg -z $zonename -f $config ;
1021		rm $config
1022		# Now, go to the singleZone menu, using the global
1023		# variable zonename, and continue with zone creation
1024		singleZone
1025		continue
1026	elif [ "$topcommand" = "Create LDAP Client..." ]; then
1027		command=LDAPclient
1028		createLDAPclient
1029		continue
1030	fi
1031	# if the menu choice was a zonename, pop up zone menu
1032	zonename=$topcommand
1033	singleZone
1034done
1035