#!/bin/sh -e
#
# This script will run in the initrd environment at boot and edit
# /conf/conf.d/cryptroot to set /lib/mandos/plugin-runner as the keyscript
# when no other keyscript is set, before cryptsetup.
#

# This script should be installed as
# "/usr/share/initramfs-tools/scripts/init-premount/mandos", which will
# eventually be "/scripts/init-premount/mandos" in the initrd.img
# file.

# Scripts that must run before this one (reported through prereqs below)
PREREQ="udev"

# Print the space-separated list of scripts this one depends on.
prereqs() {
  printf '%s\n' "$PREREQ"
}

# initramfs-tools runs each boot script with "prereqs" to query its
# dependencies; answer that and stop before doing any real work.
if [ "${1-}" = prereqs ]; then
  prereqs
  exit 0
fi

# Helper functions shared by initramfs-tools scripts (log_warning_msg,
# configure_networking, ...)
. /scripts/functions

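#######################################
# Parse one word of the kernel command line.
# Only "ip=..." and "mandos=..." words are acted on; anything else is
# ignored.  "mandos=" carries a comma-separated option list:
#   off          - leave cryptroot alone; exits the whole script
#   connect      - connect directly (networking is configured below)
#   connect:ADDR - as above, and pass ADDR as --connect= to mandos-client
# Globals:   IPOPTS (set from ip=); connect (set, possibly empty, from
#            mandos=connect[:ADDR]); old_ifs, mpar (scratch)
# Arguments: $1 - one whitespace-separated word from /proc/cmdline
# Outputs:   log_warning_msg for an unknown mandos= option
#######################################
mandos_parse_param() {
  case "$1" in
    ip=*) IPOPTS="${1#ip=}" ;;
    mandos=*)
      # Split the option list on commas.  The loop's word list is expanded
      # once, so IFS can be restored at the top of the body for the
      # commands inside it.
      old_ifs="$IFS"
      IFS="$IFS,"
      for mpar in ${1#mandos=}; do
        IFS="$old_ifs"
        case "$mpar" in
          off) exit 0 ;;
          connect) connect="" ;;
          connect:*) connect="${mpar#connect:}" ;;
          *) log_warning_msg "$0: Bad option ${mpar}" ;;
        esac
      done
      IFS="$old_ifs"
      unset old_ifs mpar
      ;;
  esac
}

# The command line is deliberately left unquoted so it is split into
# words; globbing is switched off meanwhile so a word containing "*" or
# "?" is not expanded against the initrd's file system.
set -f
for param in $(cat /proc/cmdline); do
  mandos_parse_param "$param"
done
set +f
unset param
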
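# /tmp inside the initrd: world-writable with the sticky bit
chmod a=rwxt /tmp

# Fail early, and say why, if the cryptroot file cannot be read or its
# directory cannot be written: the rewrite further down needs both.
# (A bare "test" under "sh -e" aborts here without any message.)
if ! [ -r /conf/conf.d/cryptroot ]; then
  log_failure_msg "$0: cannot read /conf/conf.d/cryptroot"
  exit 1
fi
if ! [ -w /conf/conf.d ]; then
  log_failure_msg "$0: cannot write to /conf/conf.d"
  exit 1
fi
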
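# Get DEVICE from /conf/initramfs.conf and other files.  These are
# sourced as shell fragments.  Every regular file under /conf/conf.d is
# included, which also covers /conf/conf.d/cryptroot; its
# "target=...,source=...,..." lines are expected to be plain single-word
# assignments and therefore harmless.
. /conf/initramfs.conf
for conf in /conf/conf.d/*; do
  # Quoted: a name containing whitespace would otherwise be split
  [ -f "$conf" ] && . "$conf"
done
if [ -e /conf/param.conf ]; then
  . /conf/param.conf
fi
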
# Override DEVICE from the sixth field of the ip= kernel option, if one
# was passed.  "device" is only set on that path; later code uses it to
# tell an ip=-supplied device apart from one read from the config files.
case "$IPOPTS" in
  *:*:*:*:*:*)
    # Drop the first five fields, then keep just the next one
    device=${IPOPTS#*:*:*:*:*:}
    DEVICE=${device%%:*}
    ;;
esac

# Add device setting (if any) to plugin-runner.conf
if [ "${DEVICE+set}" = set ]; then
  if [ "${device+set}" = set ]; then
    # DEVICE came from the ip= option: append it, so it overrides whatever
    # the local config file already says.
    printf '\n--options-for=mandos-client:--interface=%s\n' "$DEVICE" \
      >>/conf/conf.d/mandos/plugin-runner.conf
  else
    # DEVICE came from the config files: insert it as the first line, so
    # any later option in the file still wins.  The "1i" text runs to the
    # end of the sed script line; DEVICE is a value from the sourced config
    # files, and a backslash or newline in it would be interpreted by sed.
    sed -i -e \
      '1i--options-for=mandos-client:--interface='"${DEVICE}" \
      /conf/conf.d/mandos/plugin-runner.conf
  fi
fi
unset device

# If we are connecting directly, run "configure_networking" (from
# /scripts/functions); it needs IPOPTS and DEVICE.  "connect" is set
# (possibly to the empty string) only when mandos=connect or
# mandos=connect:ADDR was given on the kernel command line.
if [ "${connect+set}" = set ]; then
  configure_networking
  # A non-empty value is the address to connect to; hand it to the client
  if [ -n "$connect" ]; then
    printf '\n--options-for=mandos-client:--connect=%s\n' "$connect" \
      >>/conf/conf.d/mandos/plugin-runner.conf
  fi
fi

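# Do not replace cryptroot file unless we need to.
replace_cryptroot=no

# Our keyscript
mandos=/lib/mandos/plugin-runner

#######################################
# Copy a cryptroot file, giving every entry a keyscript.  Line format:
# target=sda2_crypt,source=/dev/sda2,key=none,keyscript=/foo/bar/baz
# Entries that already name a keyscript are copied unchanged; all others
# get ",keyscript=$mandos" appended.
# Globals:   mandos (read); replace_cryptroot (set to "yes" when at least
#            one entry was changed); options, newopts, opt, keyscript
#            (scratch)
# Arguments: $1 - cryptroot file to read
#            $2 - file to write the rewritten entries to
# Returns:   non-zero if either file cannot be opened
#######################################
mandos_add_keyscript() {
  # -r: a backslash in a path stays literal instead of being interpreted
  while read -r options; do
    newopts=""
    # Reset per entry: a keyscript= seen on an earlier line must not be
    # mistaken for one on this line.
    keyscript=""
    # Split option line on commas
    old_ifs="$IFS"
    IFS="$IFS,"
    for opt in $options; do
      # Find the keyscript option, if any
      case "$opt" in
        keyscript=*)
          keyscript="${opt#keyscript=}"
          newopts="$newopts,$opt"
          ;;
        "") : ;;   # empty field from a doubled comma
        *)
          newopts="$newopts,$opt"
          ;;
      esac
    done
    IFS="$old_ifs"
    unset old_ifs
    # If there was no keyscript option, add one.
    if [ -z "$keyscript" ]; then
      replace_cryptroot=yes
      newopts="$newopts,keyscript=$mandos"
    fi
    # printf, not echo: dash's echo would expand backslash escapes
    printf '%s\n' "${newopts#,}"
  done < "$1" > "$2"
}

mandos_add_keyscript /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos

# If we need to, replace the old cryptroot file with the new file.
if [ "$replace_cryptroot" = yes ]; then
  mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old
  mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot
else
  rm /conf/conf.d/cryptroot.mandos
fi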