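#!/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident	"%Z%%M%	%I%	%E% SMI"
#
# SMF method script for the Trusted Extensions label daemon (labeld).
#
# Usage:
#	<script> start [-R rootpath]
#	<script> stop
#
# "start" on the live root must be invoked by smf(5) with the service
# enabled persistently.  If the system is already labeled it just starts
# labeld; otherwise it performs the one-time conversion that enables
# Trusted Extensions (set sys_labeling in etc/system, rebuild the boot
# archive, queue the dependent services in the upgrade profile, comment
# out the audio/usb entries in etc/logindevperm, run bsmconv, make nscd
# transient for local zones) and then starts labeld.  "-R rootpath"
# performs the same conversion on an alternate root (jumpstart etc.)
# without starting anything.
#
# "stop" kills labeld if the service is still enabled; otherwise it
# reverses the conversion so that the next boot is unlabeled.
#
# Environment: SMF_FMRI and the SMF_EXIT_* codes come from
# smf_include.sh.  This script runs as root and only edits files under a
# root-owned etc/, so its scratch files are created beside the target
# file with mktemp(1) rather than under predictable names in /tmp.
#

. /lib/svc/share/smf_include.sh

#
# Parse the optional "-R rootpath" that may follow the method name.
# ROOT_PATH stays empty for the live root; an explicit "/" is folded
# into "" so that every later test only has to look for the empty string.
#
ROOT_PATH=""
if [ $# -gt 1 ]; then
	if [ $# -ne 3 -o "$2" != "-R" ]; then
		echo "$0: invalid syntax"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	if [ "$3" != "/" ]; then
		ROOT_PATH=$3
	fi
fi
if [ -n "$ROOT_PATH" -a "$1" != "start" ]; then
	echo "$0: invalid syntax: -R allowed for start method only"
	exit $SMF_EXIT_ERR_CONFIG
fi
if [ -n "$ROOT_PATH" -a ! -d "$ROOT_PATH" ]; then
	echo "$0: invalid -R rootpath dir specified"
	exit $SMF_EXIT_ERR_CONFIG
fi

if smf_is_nonglobalzone; then
	echo "$0: not supported in a local zone"
	exit $SMF_EXIT_ERR_CONFIG
fi

#
# safe_tmp FILE
#
# Print the name of a newly created scratch file in the same directory as
# FILE.  mktemp(1) chooses an unpredictable name, so a local user cannot
# pre-create or symlink the file the way they could with a fixed
# /tmp/tmp.$$ name, and keeping it beside FILE avoids the world-writable
# /tmp altogether.  Returns non-zero if the file cannot be created.
#
safe_tmp()
{
	mktemp "$1.XXXXXX"
}

#
# do_logindev [uncomment]
#
# Comment out (default) or, when called with "uncomment", restore the
# audio and usb device entries in etc/logindevperm.  The two patterns are
# the literal text of those entries as shipped in logindevperm, escaped
# for sed's BRE: the "[0-9a-f]+" is part of the file's own line, not a
# regular expression here.
# NOTE(review): the field separators in the patterns have to match the
# shipped file byte for byte (tabs vs. spaces) - confirm against
# etc/logindevperm before relying on this.
# Returns 0 if the file does not exist or was rewritten; 1 if no scratch
# file could be created (the file is then left untouched).
#
do_logindev()
{
	LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
	[ -f "$LOGINDEVPERM" ] || return 0

	ldtmp=`safe_tmp "$LOGINDEVPERM"` || return 1
	for line in "\/dev\/console 0600 \/dev\/sound\/\*" \
	    "\/dev\/console 0600 \/dev\/usb\/\[0-9a-f\]+\[.\]\[0-9a-f\]+\/\[0-9\]+\/\*"
	do
		if [ "$1" = "uncomment" ]; then
			sedexpr="s/^#$line/$line/"
		else
			sedexpr="s/^$line/#$line/"
		fi
		# Copy the result back with cp so logindevperm keeps its
		# mode and owner; only replace it when sed succeeded.
		sed -e "$sedexpr" "$LOGINDEVPERM" > "$ldtmp" && \
		    cp "$ldtmp" "$LOGINDEVPERM"
	done
	rm -f "$ldtmp"
}

#
# Queue the services Trusted Extensions depends on in the upgrade
# profile, which is executed once at the next boot: the trusted network
# daemon, tsol-zones and rstat.  The quoted here-document delimiter
# keeps the text literal; it is appended verbatim.
# NOTE(review): this also sets options/tcp_listen on the X server, which
# appears to turn on its TCP listener and so widens the host's network
# exposure; confirm it is still required before enabling on an exposed
# host.
#
do_otherservices()
{
	cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\__ENABLE_OTHERS
	/usr/sbin/svcadm enable -s svc:/network/tnd:default
	/usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
	/usr/sbin/svccfg -s svc:/application/x11/x11-server \
		setprop options/tcp_listen = true
	/usr/sbin/svcadm enable svc:/network/rpc/rstat:default
__ENABLE_OTHERS
}

#
# Run bsmconv so audit and device allocation are enabled by default with
# Trusted Extensions.  bsmconv asks for confirmation, so the localized
# "y" is fed to it on stdin.  On the live root bsmconv gets no argument;
# for an alternate root it gets the root path.  (An earlier version
# computed an unused BSMDIR for this; it always equalled ROOT_PATH.)
#
do_bsmconv()
{
	echo "Running bsmconv ..."
	if [ -z "$ROOT_PATH" ]; then
		echo `TEXTDOMAIN="SUNW_OST_OSCMD" gettext "y"` | \
		    /etc/security/bsmconv
	else
		echo `TEXTDOMAIN="SUNW_OST_OSCMD" gettext "y"` | \
		    "$ROOT_PATH/etc/security/bsmconv" "$ROOT_PATH"
	fi
}

#
# For Trusted Extensions, make the nscd service transient in local zones.
# The change is queued in the upgrade profile and runs at next boot in
# each zone; the here-document is literal (quoted delimiter) so the
# $nscd/$duration references are expanded then, not now.
#
do_nscd()
{
	cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\_DEL_LOCAL_NSCD
	if [ `/sbin/zonename` != "global" ]; then
		nscd="svc:/system/name-service-cache"
		duration=""
		if /bin/svcprop -q -c -p startd/duration $nscd ; then
			duration=`/bin/svcprop -c -p startd/duration $nscd`
		fi
		if [ "$duration" != "transient" ]; then
			/usr/sbin/svccfg -s $nscd addpg startd framework
			/usr/sbin/svccfg -s $nscd setprop \
				startd/duration = astring: transient
			/usr/sbin/svccfg -s $nscd setprop stop/exec = :true
			/usr/sbin/svcadm refresh $nscd
		fi
	fi
_DEL_LOCAL_NSCD
}

#
# Rebuild the boot archive (live root or -R root) so the etc/system
# change takes effect at the next boot.  Skipped on platforms that have
# no boot_archive.
#
do_bootupd()
{
	if [ -f "$ROOT_PATH/platform/`/sbin/uname -m`/boot_archive" ]; then
		if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
			/sbin/bootadm update-archive
		else
			/sbin/bootadm update-archive -R "$ROOT_PATH"
		fi
	fi
}

#
# The conversion steps shared by the live-root and -R start paths:
# set sys_labeling in etc/system, then run the helpers above.
# Exits with SMF_EXIT_ERR_FATAL if etc/system cannot be updated.
#
do_commonstart()
{
	system=${ROOT_PATH}/etc/system

	echo "$0: Updating $system..."
	if [ ! -f "$system" ]; then
		touch "$system"
	fi

	# Drop any existing sys_labeling line, append ours and copy the
	# result back over etc/system so it keeps its mode and owner.
	# grep -v legitimately exits 1 when nothing is left, so its status
	# is not checked; the anchored grep below verifies the result.
	systmp=`safe_tmp "$system"` || exit $SMF_EXIT_ERR_FATAL
	grep -v "sys_labeling=" "$system" > "$systmp"
	echo "set sys_labeling=1" >> "$systmp"
	cp "$systmp" "$system"
	rm -f "$systmp"
	grep "^set sys_labeling=1" "$system" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		echo "$0: ERROR: cannot set sys_labeling in $system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	do_bootupd

	# Setup dependent services
	do_otherservices

	do_logindev
	do_bsmconv
	do_nscd
}

#
# Start labeld.  If its door already exists and a labeld owned by root
# with init as parent is running, refuse rather than start a second
# copy; otherwise remove any stale door and exec the daemon.
#
daemon_start()
{
	if [ -r /var/tsol/doors/labeld ]; then
		if /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
			echo "$0: labeld is already running"
			exit $SMF_EXIT_ERR_FATAL
		fi
	fi
	/usr/bin/rm -f /var/tsol/doors/labeld
	/usr/lib/labeld
}

PATH=/usr/sbin:/usr/bin; export PATH

case "$1" in
'start')
	if [ -z "$ROOT_PATH" -o "$ROOT_PATH" = "/" ]; then
		# native

		if [ -z "$SMF_FMRI" ]; then
			echo "$0: this script can only be invoked by smf(5)"
			exit $SMF_EXIT_ERR_NOSMF
		fi

		# general/enabled is false while the service is only
		# temporarily enabled; the conversion below is permanent,
		# so refuse in that case.
		tx_enabled=`/usr/bin/svcprop -c -p general/enabled "$SMF_FMRI"`
		if [ "$tx_enabled" = "false" ]; then
			# A sign of trying temporary enablement...no-no
			echo "$0: Temporarily enabling Trusted Extensions is not allowed."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		if (smf_is_system_labeled); then
			daemon_start
			exit $SMF_EXIT_OK
		fi

		# Make changes to enable Trusted Extensions
		grep "^set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
			echo "$0: Must remove zones before enabling Trusted Extensions."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		do_commonstart

		# start daemon process so our service doesn't go into
		# maintenance state
		daemon_start

		echo "$0: Started. Must reboot and configure Trusted Extensions."
	else
		# Support jumpstart etc

		# Make changes to enable Trusted Extensions
		grep "^set sys_labeling=1" "${ROOT_PATH}/etc/system" > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		# Setup dependent services: labeld itself is enabled at the
		# alternate root's next boot via the upgrade profile.
		cat >> "$ROOT_PATH/var/svc/profile/upgrade" <<\__TRUSTED_ENABLE
	/usr/sbin/svcadm enable -s svc:/system/labeld:default
__TRUSTED_ENABLE

		do_commonstart
		echo "$0: Started. Must configure Trusted Extensions before booting."
	fi
	;;

'stop')
	# While the service is still enabled a stop is just a restart or
	# shutdown: kill labeld and keep the system labeled.
	tx_enabled=`/usr/bin/svcprop -c -p general/enabled "$SMF_FMRI"`
	if [ "$tx_enabled" = "true" ]; then
		/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
		exit $SMF_EXIT_OK
	fi

	if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
		echo "$0: Must remove zones before disabling Trusted Extensions."
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# Stop Trusted services.
	/usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
	/usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null

	# Uncomment audio and usb device entries in /etc/logindevperm.
	do_logindev uncomment

	# Remove sys_labeling from etc/system, copying the filtered
	# result back so the file keeps its mode and owner.
	system=${ROOT_PATH}/etc/system
	systmp=`safe_tmp "$system"` || exit $SMF_EXIT_ERR_FATAL
	grep -v "sys_labeling" "$system" > "$systmp"
	cp "$systmp" "$system"
	rm -f "$systmp"
	grep "sys_labeling" "$system" > /dev/null 2>&1
	if [ $? -eq 0 ]; then
		echo "$0: ERROR: cannot remove sys_labeling in $system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	do_bootupd

	/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
	echo "$0: Stopped. Will take effect at next boot."
	;;

*)
	echo "Usage: $0 { start | stop }"
	exit 1
	;;
esac

exit $SMF_EXIT_OK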