/mandos/trunk

To get this branch, use:
bzr branch /loggerhead/mandos/trunk
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
#!/bin/sh -e
# 
# This script will run in the initrd environment at boot and edit
# /conf/conf.d/cryptroot to set /lib/mandos/plugin-runner as keyscript
# when no other keyscript is set, before cryptsetup.
# 

# This script should be installed as
# "/usr/share/initramfs-tools/scripts/init-premount/mandos" which will
# eventually be "/scripts/init-premount/mandos" in the initrd.img
# file.

PREREQ="udev"
prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac

. /scripts/functions

for param in `cat /proc/cmdline`; do
    case "$param" in
        ip=*) IPOPTS="${param#ip=}" ;;
        mandos=*)
            # Split option line on commas
            old_ifs="$IFS"
            IFS="$IFS,"
            for mpar in ${param#mandos=}; do
                IFS="$old_ifs"
                case "$mpar" in
                    off) exit 0 ;;
		    connect) connect="" ;;
                    connect:*) connect="${mpar#connect:}" ;;
                    *) log_warning_msg "$0: Bad option ${mpar}" ;;
                esac
            done
	    unset mpar
            IFS="$old_ifs"
            unset old_ifs
            ;;
    esac
done
unset param

chmod a=rwxt /tmp

# Get DEVICE from /conf/initramfs.conf and other files
. /conf/initramfs.conf
for conf in /conf/conf.d/*; do
    [ -f "${conf}" ] && . "${conf}"
done
if [ -e /conf/param.conf ]; then
    . /conf/param.conf
fi

# Override DEVICE from sixth field of ip= kernel option, if passed
case "$IPOPTS" in
    *:*:*:*:*:*)		# At least six fields
        # Remove the first five fields
	device="${IPOPTS#*:*:*:*:*:}"
        # Remove all fields except the first one
	DEVICE="${device%%:*}"
	;;
esac

# Add device setting (if any) to plugin-runner.conf
if [ "${DEVICE+set}" = set ]; then
    # Did we get the device from an ip= option?
    if [ "${device+set}" = set ]; then
	# Let ip= option override local config; append:
	cat <<-EOF >>/conf/conf.d/mandos/plugin-runner.conf
	
	--options-for=mandos-client:--interface=${DEVICE}
EOF
    else
        # Prepend device setting so any later options would override:
	sed -i -e \
	    '1i--options-for=mandos-client:--interface='"${DEVICE}" \
	    /conf/conf.d/mandos/plugin-runner.conf
    fi
fi
unset device

# If we are connecting directly, run "configure_networking" (from
# /scripts/functions); it needs IPOPTS and DEVICE
if [ "${connect+set}" = set ]; then
    set +e			# Required by library functions
    configure_networking
    set -e
    if [ -n "$connect" ]; then
	cat <<-EOF >>/conf/conf.d/mandos/plugin-runner.conf
	
	--options-for=mandos-client:--connect=${connect}
EOF
    fi
fi

if [ -r /conf/conf.d/cryptroot ]; then
    test -w /conf/conf.d

    # Do not replace cryptroot file unless we need to.
    replace_cryptroot=no

    # Our keyscript
    mandos=/lib/mandos/plugin-runner
    test -x "$mandos"

    # parse /conf/conf.d/cryptroot.  Format:
    # target=sda2_crypt,source=/dev/sda2,rootdev,key=none,keyscript=/foo/bar/baz
    # Is the root device specially marked?
    changeall=yes
    while read -r options; do
	case "$options" in
	    rootdev,*|*,rootdev,*|*,rootdev)
		# If the root device is specially marked, don't change all
		# lines in crypttab by default.
		changeall=no
		;;
	esac
    done < /conf/conf.d/cryptroot

    exec 3>/conf/conf.d/cryptroot.mandos
    while read -r options; do
	newopts=""
	keyscript=""
	changethis="$changeall"
	# Split option line on commas
	old_ifs="$IFS"
	IFS="$IFS,"
	for opt in $options; do
	    # Find the keyscript option, if any
	    case "$opt" in
		keyscript=*)
		    keyscript="${opt#keyscript=}"
		    newopts="$newopts,$opt"
		    ;;
		"") : ;;
		# Always use Mandos on the root device, if marked
		rootdev)
		    changethis=yes
		    newopts="$newopts,$opt"
		    ;;
		# Don't use Mandos on resume device, if marked
		resumedev)
		    changethis=no
		    newopts="$newopts,$opt"
		    ;;
		*)
		    newopts="$newopts,$opt"
		    ;;
	    esac
	done
	IFS="$old_ifs"
	unset old_ifs
	# If there was no keyscript option, add one.
	if [ "$changethis" = yes ] && [ -z "$keyscript" ]; then
	    replace_cryptroot=yes
	    newopts="$newopts,keyscript=$mandos"
	fi
	newopts="${newopts#,}"
	echo "$newopts" >&3
    done < /conf/conf.d/cryptroot
    exec 3>&-

    # If we need to, replace the old cryptroot file with the new file.
    if [ "$replace_cryptroot" = yes ]; then
	mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old
	mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot
    else
	rm -f /conf/conf.d/cryptroot.mandos
    fi
elif [ -x /usr/bin/cryptroot-unlock ]; then
    setsid /lib/mandos/mandos-to-cryptroot-unlock &
fi