1#!/sbin/sh
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23#
24
25. /lib/svc/share/smf_include.sh
26
ROOT_PATH=""
# Optional "-R rootpath" after the method name points this script at an
# alternate root (e.g. an install image) instead of the running system.
# A root of "/" means the running system and leaves ROOT_PATH empty, which
# is what the rest of the script tests for.
case $# in
0|1)
	;;
3)
	if [ "$2" != "-R" ]; then
		echo "$0: invalid syntax"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	[ "$3" = "/" ] || ROOT_PATH=$3
	;;
*)
	echo "$0: invalid syntax"
	exit $SMF_EXIT_ERR_CONFIG
	;;
esac
# An alternate root is only meaningful when enabling; "stop" always
# operates on the live system.
if [ -n "$ROOT_PATH" ] && [ "$1" != "start" ]; then
	echo "$0: invalid syntax: -R allowed for start method only"
	exit $SMF_EXIT_ERR_CONFIG
fi
if [ -n "$ROOT_PATH" ] && [ ! -d "$ROOT_PATH" ]; then
	echo "$0: invalid -R rootpath dir specified"
	exit $SMF_EXIT_ERR_CONFIG
fi

# Trusted Extensions is enabled/disabled from the global zone only.
if smf_is_nonglobalzone; then
	echo "$0: not supported in a local zone"
	exit $SMF_EXIT_ERR_CONFIG
fi
50
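rewrite_logindev()
{
	# Prefix (or un-prefix) the audio, removable-media, hotpluggable and
	# usb device entries of ${ROOT_PATH}/etc/logindevperm with a comment
	# marker.
	#
	# $1  text each entry currently starts with ("" when enabling
	#     Trusted Extensions, "#" when disabling it)
	# $2  text to put in its place ("#" to comment out, "" to restore)
	#
	# Only lines shaped "<console-dev> <mode> <device...>" are rewritten;
	# the first two fields are carried over through the \1 back-reference.
	# Does nothing when the file does not exist.
	from="$1"
	to="$2"
	LOGINDEVPERM=$ROOT_PATH/etc/logindevperm
	if [ ! -f "$LOGINDEVPERM" ]; then
		return
	fi
	# The scratch copy gets a mktemp-generated name rather than the
	# former predictable /tmp/tmp.$$: this runs as root and must not
	# write through a name that another user could have pre-created.
	scratch=`mktemp /tmp/logindevperm.XXXXXX` || return 1
	for line in \
		"/dev/sound/" \
		"/dev/removable-media/" \
		"/dev/hotpluggable/" \
		"/dev/usb/\[0-9a-f\]" \
			; do
		# Fields are blank (space/tab) separated.  The previous
		# expression spelled the first separator "[ \t}" -- a typo
		# for "[ \t]" that happened to still match the usual entries;
		# [[:blank:]] is used here so no invisible tab is relied on.
		sed -e "s!^$from\([^#[:blank:]]\{1,\}[[:blank:]]\{1,\}[0-9]\{1,\}[[:blank:]]\{1,\}\)$line!$to\1$line!" \
		    "$LOGINDEVPERM" > "$scratch" || break
		# cp (not mv) keeps the owner and mode of the real file.
		cp "$scratch" "$LOGINDEVPERM"
	done
	rm -f "$scratch"
}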
73
do_logindev()
{
	# Comment out the console-user device entries (audio, removable
	# media, hotpluggable, usb) in logindevperm.  The "stop" method
	# reverses this by calling rewrite_logindev "#" "".
	marker="#"
	rewrite_logindev "" "$marker"
}
78
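do_otherservices()
{
	# Queue enablement of the services Trusted Extensions depends on.
	# The commands are appended to the SMF upgrade profile script under
	# $ROOT_PATH (presumably executed by SMF on the next boot of that
	# root); nothing is enabled directly here.
	#
	# Returns 1 after a diagnostic if the profile script cannot be
	# appended to -- a silent failure here would leave tnd and
	# tsol-zones disabled after the reboot.
	upgrade=$ROOT_PATH/var/svc/profile/upgrade
	cat >> "$upgrade" <<\__ENABLE_OTHERS
		/usr/sbin/svcadm enable -s svc:/network/tnd:default
		/usr/sbin/svcadm enable -s svc:/system/tsol-zones:default
		/usr/sbin/svcadm enable svc:/network/rpc/rstat:default
__ENABLE_OTHERS
	if [ $? -ne 0 ]; then
		echo "$0: cannot append to $upgrade" >&2
		return 1
	fi
	# NOTE(review): rstat is an RPC network service and is enabled here
	# unconditionally; confirm it is still required before relying on
	# this script for a hardened install.
}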
89
do_audit_devalloc()
{
	# Trusted Extensions wants auditing and device allocation switched on
	# by default.  On the running system do it right away; for an
	# alternate root queue the same two commands in that root's SMF
	# upgrade profile script instead.
	case "$ROOT_PATH" in
	""|/)
		/usr/sbin/svcadm enable -s svc:/system/device/allocate:default
		echo "Starting auditd ..."
		/usr/sbin/audit -s
		;;
	*)
		cat >> $ROOT_PATH/var/svc/profile/upgrade <<\_ENABLE_AUDITD
			/usr/sbin/audit -s
			/usr/sbin/svcadm enable -s svc:/system/device/allocate:default
_ENABLE_AUDITD
		;;
	esac
}
105
do_nscd()
{
	# Queue a one-time fix-up for non-global zones: make the local-zone
	# name-service-cache service "transient" (startd/duration) with
	# stop/exec set to :true.  The snippet is written verbatim into the
	# SMF upgrade profile script (quoted delimiter, nothing is expanded
	# here) and decides for itself at run time, via zonename, whether
	# it applies.
	upgrade=$ROOT_PATH/var/svc/profile/upgrade
	cat >> "$upgrade" <<'_DEL_LOCAL_NSCD'
	if [ `/sbin/zonename` != "global" ]; then
		nscd="svc:/system/name-service-cache"
		duration=""
		if /bin/svcprop -q -c -p startd/duration $nscd ; then
			duration=`/bin/svcprop -c -p startd/duration $nscd`
		fi
		if [ "$duration" != "transient" ]; then
			/usr/sbin/svccfg -s $nscd addpg startd framework
			/usr/sbin/svccfg -s $nscd setprop \
			    startd/duration = astring: transient
			/usr/sbin/svccfg -s $nscd setprop stop/exec = :true
			/usr/sbin/svcadm refresh $nscd
		fi
	fi
_DEL_LOCAL_NSCD
}
126
do_bootupd()
{
	# Rebuild the boot archive so the etc/system change made by this
	# script is seen at the next boot.  Skipped when the platform has no
	# boot archive; an alternate root is handed to bootadm with -R.
	archive=$ROOT_PATH/platform/`/sbin/uname -m`/boot_archive
	[ -f "$archive" ] || return 0
	case "$ROOT_PATH" in
	""|/)
		/sbin/bootadm update-archive
		;;
	*)
		/sbin/bootadm update-archive -R $ROOT_PATH
		;;
	esac
}
137
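setup_tx_changes(){
	#
	# Write the PAM "account" entries Trusted Extensions needs to the
	# file named by ${TX_ENTRIES} (set by the caller).  Each line is
	# "service type control module": every listed service gets a
	# requisite pam_roles.so.1 entry followed by a required
	# pam_unix_account.so.1 entry, and "other" gets a required
	# pam_tsol_account.so.1 entry.
	# No comments or blank lines allowed in the entries below: do_addpam
	# reads each line into five fields (the fifth, module options, is
	# empty for all of these).
	#
	cat > "${TX_ENTRIES}" << 'EOF'
dtlogin		account		requisite	pam_roles.so.1
dtlogin		account		required	pam_unix_account.so.1
dtsession	account		requisite	pam_roles.so.1
dtsession	account		required	pam_unix_account.so.1
gdm		account		requisite	pam_roles.so.1
gdm		account		required	pam_unix_account.so.1
xscreensaver	account		requisite	pam_roles.so.1
xscreensaver	account		required	pam_unix_account.so.1
passwd		account		requisite	pam_roles.so.1
passwd		account		required	pam_unix_account.so.1
dtpasswd	account		requisite	pam_roles.so.1
dtpasswd	account		required	pam_unix_account.so.1
tsoljds-tstripe	account		requisite	pam_roles.so.1
tsoljds-tstripe	account		required	pam_unix_account.so.1
other		account		required	pam_tsol_account.so.1
EOF
}

do_addpam()
{
	# Append the Trusted Extensions PAM entries to ${ROOT_PATH}/etc/pam.conf
	# unless they are already there.  A service/type pair that already has
	# a stack of its own (a commented-out one counts) is left alone, and
	# the "other account" pam_tsol_account entry is added only when no
	# matching line exists.  Exits with $SMF_EXIT_ERR_FATAL if the scratch
	# directory cannot be created or pam.conf is missing.
	PAM_TMP=/tmp/pam_conf.$$
	TX_ENTRIES=$PAM_TMP/sct.$$
	PAM_DEST=$ROOT_PATH/etc/pam.conf
	# New entries are collected inside the private scratch directory
	# (mkdir fails instead of following a pre-existing entry) rather
	# than at the former predictable /tmp/pamconf.$$ path, which root
	# appended to in place.
	PAM_NEW=$PAM_TMP/pamconf

	mkdir $PAM_TMP  || exit $SMF_EXIT_ERR_FATAL
	setup_tx_changes

	# verify that pam.conf file exists...
	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		rm -rf $PAM_TMP
		exit $SMF_EXIT_ERR_FATAL
	fi

	#
	# Update pam.conf to append Trusted Extensions entries if not
	# already present.
	#
	while read e1 e2 e3 e4 e5
	do
		if [ "$e1" = "other" ]; then
			# Catch-all entry: add it unless the same
			# service/type/control/module line already exists.
			grep \
			    "^[#[:blank:]]*$e1[[:blank:]][[:blank:]]*$e2[[:blank:]][[:blank:]]*$e3[[:blank:]][[:blank:]]*$e4" \
			    "$PAM_DEST" >/dev/null 2>&1
		else
			# Service entry: skip services that already have a
			# stack of their own for this type.
			grep "^[#[:blank:]]*$e1[[:blank:]][[:blank:]]*$e2[[:blank:]]" \
			    "$PAM_DEST" >/dev/null 2>&1
		fi
		if [ $? = 1 ] ; then
			# grep 1 == no match; 2 (read error) is deliberately
			# treated as "present" so a bad read never duplicates.
			# printf rather than echo: echo's handling of \t is
			# shell-specific, printf's is not.
			printf '%s\t%s %s\t\t%s %s\n' "$e1" "$e2" "$e3" "$e4" "$e5" \
			    >> "$PAM_NEW"
		fi
	done < "${TX_ENTRIES}"
	# Append TX lines if any were not present already.
	if [ -f "$PAM_NEW" ] ; then
		echo "# Entries for Trusted Extensions" >> "$PAM_DEST"
		cat "$PAM_NEW" >> "$PAM_DEST"
		echo "$0: updating $PAM_DEST entries for Trusted Extensions;"
		echo "$0: please examine/update any new entries"
	fi

	rm -rf $PAM_TMP
}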
216
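do_pamremove()
{
	# Strip the pam_tsol_account lines from ${ROOT_PATH}/etc/pam.conf
	# when Trusted Extensions is disabled.  Only lines naming
	# pam_tsol_account are removed: the per-service pam_roles /
	# pam_unix_account entries and the "# Entries for Trusted Extensions"
	# comment added by do_addpam stay behind.
	# Exits with $SMF_EXIT_ERR_FATAL if the scratch directory cannot be
	# created or pam.conf is missing.
	PAM_TMP=/tmp/pam_conf.$$
	PAM_DEST=$ROOT_PATH/etc/pam.conf
	TMPFILE=$PAM_TMP/pam.conf

	# mkdir fails if the name already exists, so the scratch file below
	# is never written through a path someone else planted.
	mkdir $PAM_TMP  || exit $SMF_EXIT_ERR_FATAL

	# verify that pam.conf file exists...
	if [ ! -f "${PAM_DEST}" ]; then
		echo "$0: ${PAM_DEST} not found; aborting"
		rm -rf $PAM_TMP
		exit $SMF_EXIT_ERR_FATAL
	fi

	# Only an uncommented entry counts as "present".
	grep '^[a-z].*pam_tsol_account' "$PAM_DEST" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
		echo "$0: pam_tsol_account module not present,"
		echo "$0: No changes were made to $PAM_DEST."
		# The scratch directory used to leak on this path.
		rm -rf $PAM_TMP
		return
	fi

	# grep -v exits 1 when no line is left, so its status is not an
	# error here; cp onto the existing file keeps its owner and mode.
	grep -v pam_tsol_account "$PAM_DEST" > "$TMPFILE"
	cp "$TMPFILE" "$PAM_DEST" || {
		echo "$0: cannot update $PAM_DEST" >&2
		rm -rf $PAM_TMP
		return 1
	}
	echo "$0: $PAM_DEST tsol entries removed"

	rm -rf $PAM_TMP
}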
246
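do_commonstart()
{
	# Enabling steps shared by the running-system and alternate-root
	# cases: force "set sys_labeling=1" into etc/system, then queue or
	# enable the dependent services, adjust logindevperm, auditing and
	# device allocation, nscd and pam.conf, and rebuild the boot archive.
	# Exits with $SMF_EXIT_ERR_FATAL if etc/system cannot be updated.
	system=${ROOT_PATH}/etc/system
	echo "$0: Updating $system..."
	if [ ! -f "$system" ]; then
		touch "$system"
	fi

	# Rewrite etc/system with any existing sys_labeling= line dropped
	# and a fresh "set sys_labeling=1" appended.  The scratch copy is
	# made with mktemp beside the target instead of at the predictable
	# /tmp/etc.system.$$: this runs as root, and writing through (and
	# then mv'ing) a name in a world-writable directory that another
	# user may have planted, e.g. as a symlink, is not safe.  cp onto the
	# existing file keeps its owner and mode, unlike mv of the 0600
	# mktemp file.
	scratch=`mktemp "${system}.XXXXXX"` || exit $SMF_EXIT_ERR_FATAL
	grep -v "sys_labeling=" "$system" > "$scratch"
	echo "set sys_labeling=1" >> "$scratch"
	cp "$scratch" "$system"
	rm -f "$scratch"
	grep "set sys_labeling=1" "$system" > /dev/null 2>&1
	if [ $? -ne 0 ]; then
    		echo "$0: ERROR: cannot set sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	# Setup dependent services
	do_otherservices

	do_logindev
	do_audit_devalloc
	do_nscd
	do_addpam

	do_bootupd
}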
274
do_servicetag_register()
{
	# Register (or re-register) the "Solaris Trusted Extensions" service
	# tag with stclient and remember the instance id it reports in the
	# labeld/svctag_inst property of this service.  Nothing is done when
	# stclient is not installed, or when the saved instance id still
	# resolves to a tag.
	#
	# $1  root directory handed to stclient -r
	ROOTDIR=$1
	SOL_ARCH=`/sbin/uname -p`
	SOL_VERS=`/sbin/uname -r`
	TX_PROD_URN="urn:uuid:fc720df3-410f-11dc-9b8e-080020a9ed93"

	[ -x /usr/bin/stclient ] || return 0

	# A saved instance id that still resolves means we are registered;
	# a stale one is dropped from SMF before registering again.
	inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
	if [ -n "$inst" ]; then
		if /usr/bin/stclient -g -i $inst -r $ROOTDIR >/dev/null 2>&1; then
			return
		fi
		/usr/sbin/svccfg -s $SMF_FMRI delprop \
		    labeld/svctag_inst
		/usr/sbin/svcadm refresh $SMF_FMRI
	fi

	# Parent (Solaris) product URN, keyed on the kernel release;
	# unknown releases get no parent.
	case $SOL_VERS in
	5.11)	SOL_PROD_URN="-F urn:uuid:6df19e63-7ef5-11db-a4bd-080020a9ed93" ;;
	5.10)	SOL_PROD_URN="-F urn:uuid:5005588c-36f3-11d6-9cec-fc96f718e113" ;;
	*)	SOL_PROD_URN="" ;;
	esac

	# Add the tag; stclient's output carries the new instance urn.
	# $SOL_PROD_URN is intentionally unquoted (flag plus value).
	RC=`/usr/bin/stclient -a -p "Solaris Trusted Extensions"	\
	    -e $SOL_VERS -t $TX_PROD_URN -P Solaris $SOL_PROD_URN	\
	    -m Sun -A $SOL_ARCH -z global -S $0 -r $ROOTDIR`
	[ $? = 0 ] || return 0
	inst=`echo "$RC" | grep -i urn|awk -F=  '{print $2}'`
	/usr/sbin/svccfg -s $SMF_FMRI setprop \
	    labeld/svctag_inst = astring: "$inst"
	/usr/sbin/svcadm refresh $SMF_FMRI
}
328
do_servicetag_delete()
{
	# Undo do_servicetag_register: delete the service tag whose instance
	# id is saved in labeld/svctag_inst, then drop that property.
	# No-op when stclient is not installed or nothing was saved.
	[ -x /usr/bin/stclient ] || return 0
	inst=`/usr/bin/svcprop -p labeld/svctag_inst $SMF_FMRI 2>/dev/null`
	[ -n "$inst" ] || return 0
	/usr/bin/stclient -d -i $inst
	/usr/sbin/svccfg -s $SMF_FMRI delprop labeld/svctag_inst
	/usr/sbin/svcadm refresh $SMF_FMRI
}
345
346
daemon_start()
{
	# Start /usr/lib/labeld unless a labeld running as uid 0 with init
	# (pid 1) as parent already exists, in which case the service fails.
	# The door file only decides whether that check is made; a leftover
	# door is removed before the daemon is launched.
	if [ -r /var/tsol/doors/labeld ] &&
	    /usr/bin/pgrep -x -u 0 -P 1 labeld >/dev/null 2>&1; then
		echo "$0: labeld is already running"
		exit $SMF_EXIT_ERR_FATAL
	fi
	/usr/bin/rm -f /var/tsol/doors/labeld
	/usr/lib/labeld
}
360
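# Fixed PATH for everything that follows; this runs as root under SMF.
PATH=/usr/sbin:/usr/bin; export PATH

case "$1" in
'start')
	if [ -z "$ROOT_PATH" ] || [ "$ROOT_PATH" = "/" ]; then
		# native: the running system

		if [ -z "$SMF_FMRI" ]; then
			echo "$0: this script can only be invoked by smf(7)"
			exit $SMF_EXIT_ERR_NOSMF
		fi

		# Trusted Extensions must be enabled persistently.  A start
		# while general/enabled is still false is a sign of a
		# temporary enablement, which is refused.
		tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
		if [ "$tx_enabled" = "false" ]; then
			echo "$0: Temporarily enabling Trusted Extensions is not allowed."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		# Kernel is already labeled: only the service tag and the
		# daemon need attention.
		if (smf_is_system_labeled); then
			do_servicetag_register /
			daemon_start
			exit $SMF_EXIT_OK
		fi

		# Make changes to enable Trusted Extensions
		grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		# Refuse while anything but the global zone is configured.
		if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
			echo "$0: Must remove zones before enabling Trusted Extensions."
			exit $SMF_EXIT_ERR_CONFIG
		fi

		do_commonstart

		do_servicetag_register /

		# start daemon process so our service doesn't go into
		# maintenance state
		daemon_start

		echo "$0: Started.  Must reboot and configure Trusted Extensions."
	else
		# Support jumpstart etc: -R rootpath.  Nothing is started;
		# the image is prepared and labeld itself is queued for
		# enablement in that root's upgrade profile script.

		# Make changes to enable Trusted Extensions
		grep "^set sys_labeling=1" ${ROOT_PATH}/etc/system > /dev/null 2>&1
		if [ $? -eq 0 ]; then
			echo "$0: already enabled. Exiting."
			exit $SMF_EXIT_OK
		fi

		# Setup dependent services
		cat >> $ROOT_PATH/var/svc/profile/upgrade <<\__TRUSTED_ENABLE
			/usr/sbin/svcadm enable -s svc:/system/labeld:default
__TRUSTED_ENABLE

		do_commonstart
		do_servicetag_register $ROOT_PATH
		echo "$0: Started.  Must configure Trusted Extensions before booting."
	fi
	;;

'stop')
	# A stop while the service is still persistently enabled is a
	# restart/refresh rather than a disable: only the daemon is stopped
	# and the Trusted Extensions configuration stays.  Only
	# general/enabled is consulted, so a temporary disable presumably
	# takes this path as well.
	tx_enabled=`/usr/bin/svcprop -c -p general/enabled $SMF_FMRI`
	if [ "$tx_enabled" = "true" ]; then
		/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
		exit $SMF_EXIT_OK
	fi

	if [ "`/usr/sbin/zoneadm list -c`" != "global" ]; then
		echo "$0: Must remove zones before disabling Trusted Extensions."
		exit $SMF_EXIT_ERR_CONFIG
	fi

	# Stop Trusted services.
	/usr/sbin/svcadm disable svc:/system/tsol-zones:default 2>/dev/null
	/usr/sbin/svcadm disable svc:/network/tnd:default 2>/dev/null

	# Uncomment audio, usb, removable-media, and hotpluggable device
	# entries in /etc/logindevperm.
	rewrite_logindev "#" ""

	# Remove sys_labeling from /etc/system.  As in do_commonstart the
	# scratch copy is made with mktemp beside the target rather than at
	# the predictable /tmp/etc.system.$$ (root writing through, and then
	# mv'ing, a name another user may have planted in /tmp), and copied
	# back so the file keeps its owner and mode.
	system=${ROOT_PATH}/etc/system
	scratch=`mktemp "${system}.XXXXXX"` || exit $SMF_EXIT_ERR_FATAL
	grep -v "sys_labeling" "$system" > "$scratch"
	cp "$scratch" "$system"
	rm -f "$scratch"
	grep "sys_labeling" "$system" > /dev/null 2>&1
	if [ $? -eq 0 ]; then
    		echo "$0: ERROR: cannot remove sys_labeling in $ROOT_PATH/etc/system"
		exit $SMF_EXIT_ERR_FATAL
	fi

	# Note: do_pamremove only drops the pam_tsol_account lines; the other
	# entries added on enable remain in pam.conf.
	do_pamremove
	do_servicetag_delete

	do_bootupd

	/usr/bin/pkill -x -u 0 -P 1 -z `smf_zonename` labeld
	echo "$0: Stopped.  Will take effect at next boot."
	;;

*)
	echo "Usage: $0 { start | stop }"
	exit 1
	;;
esac

exit $SMF_EXIT_OK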
473
474
475