| Server IP : 127.0.0.2 / Your IP : 3.16.56.30 Web Server : Apache/2.4.18 (Ubuntu) System : User : www-data ( ) PHP Version : 7.0.33-0ubuntu0.16.04.16 Disable Function : disk_free_space,disk_total_space,diskfreespace,dl,exec,fpaththru,getmyuid,getmypid,highlight_file,ignore_user_abord,leak,listen,link,opcache_get_configuration,opcache_get_status,passthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,php_uname,phpinfo,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix,_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,pclose,popen,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,shell_exec,source,show_source,system,virtual MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON Directory : /usr/share/initramfs-tools/hooks/ |
Upload File : |
#!/bin/sh
PREREQ=""
prereqs()
{
echo "$PREREQ"
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
get_fs_devices() {
local device mount type options dump pass
local wantmount="$1"
if [ ! -r /etc/fstab ]; then
return 1
fi
grep -s '^[^#]' /etc/fstab | \
while read device mount type options dump pass; do
if [ "$mount" = "$wantmount" ]; then
local devices
if [ "$type" = "btrfs" ]; then
for dev in $(btrfs filesystem show $(canonical_device "$device" --no-simplify) 2>/dev/null | sed -r -e 's/.*devid .+ path (.+)/\1/;tx;d;:x') ; do
devices="$devices $(canonical_device "$dev")"
done
else
devices=$(canonical_device "$device") || return 0
fi
echo "$devices"
return
fi
done
}
get_resume_devices() {
local device opt count dupe candidates devices derived
candidates=""
# First, get a list of potential resume devices
# uswsusp
if [ -e /etc/uswsusp.conf ]; then
device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/uswsusp.conf)
if [ -n "$device" ]; then
candidates="$candidates $device"
fi
fi
# uswsusp - again...
if [ -e /etc/suspend.conf ]; then
device=$(sed -rn 's/^resume device[[:space:]]*[:=][[:space:]]*// p' /etc/suspend.conf)
if [ -n "$device" ]; then
candidates="$candidates $device"
fi
fi
# regular swsusp
for opt in $(cat /proc/cmdline); do
case $opt in
resume=*)
device="${opt#resume=}"
candidates="$candidates $device"
;;
esac
done
# initramfs-tools
if [ -e /etc/initramfs-tools/conf.d/resume ]; then
device=$(sed -rn 's/^RESUME[[:space:]]*=[[:space:]]*// p' /etc/initramfs-tools/conf.d/resume)
if [ -n "$device" ]; then
candidates="$candidates $device"
fi
fi
# Now check the sanity of all candidates
devices=""
count=0
for device in $candidates; do
# Remove quotes around device candidate
device=$(echo $device | sed -e 's/^"\(.*\)"[[:space:]]*$/\1/' -e "s/^'\(.*\)'[[:space:]]*$/\1/")
# Weed out clever defaults
if [ "$device" = "<path_to_resume_device_file>" ]; then
continue
fi
# Detect devices required by decrypt_derived
derived=$(get_derived_device "$device")
if [ -n "$derived" ]; then
devices="$devices $derived"
fi
device=$(canonical_device "$device") || return 0
# Weed out duplicates
dupe=0
for opt in $devices; do
if [ "$device" = "$opt" ]; then
dupe=1
fi
done
if [ $dupe -eq 1 ]; then
continue
fi
# This device seems ok
devices="$devices $device"
count=$(( $count + 1 ))
done
if [ $count -gt 1 ]; then
echo "cryptsetup: WARNING: found more than one resume device candidate:" >&2
for device in $devices; do
echo " $device" >&2
done
fi
if [ $count -gt 0 ]; then
echo $devices
fi
return 0
}
get_initramfs_devices() {
local device opt count dupe target source key options candidates devices derived
candidates="$(grep -s '^[^#]' /etc/crypttab | \
while read target source key options; do
if echo $options | grep -q "\binitramfs\b"; then
echo " /dev/mapper/$target"
fi
done;)"
devices=""
count=0
for device in $candidates; do
# Detect devices required by decrypt_derived
derived=$(get_derived_device "$device")
if [ -n "$derived" ]; then
devices="$devices $derived"
fi
device=$(canonical_device "$device") || return 0
# Weed out duplicates
dupe=0
for opt in $devices; do
if [ "$device" = "$opt" ]; then
dupe=1
fi
done
if [ $dupe -eq 1 ]; then
continue
fi
# This device seems ok
devices="$devices $device"
count=$(( $count + 1 ))
done
if [ $count -gt 0 ]; then
echo $devices
fi
return 0
}
get_derived_device() {
# Detect device required by decrypt_derived
local device derived
device="$1"
derived="$(grep "^${device#/dev/mapper/}\b.*decrypt_derived" /etc/crypttab 2>/dev/null | awk '{print $3}')"
if [ -n "$derived" ]; then
if grep -q "^$derived\b" /etc/crypttab; then
derived=$(canonical_device "/dev/mapper/$derived") || return 0
if ! echo "$rootdevs" | grep -q "\b$derived\b"; then
echo "$derived"
fi
else
echo "cryptsetup: WARNING: decrypt_derived device $derived not found in crypttab" >&2
fi
fi
}
node_is_in_crypttab() {
local node
node="$1"
grep -q "^$node\b" /etc/crypttab
return $?
}
get_lvm_deps() {
local node deps maj min depnode
node="$1"
if [ -z $node ]; then
echo "cryptsetup: WARNING: get_lvm_deps - invalid arguments" >&2
return 1
fi
if ! deps=$(vgs --noheadings -o pv_name $(dmsetup --noheadings splitname $node | cut -d':' -f1) 2>/dev/null); then
# $node is not a LVM node, stopping here
return 0
fi
# We should now have a list physical volumes for the VG
for dep in $deps; do
depnode=$(dmsetup info -c --noheadings -o name "$dep" 2>/dev/null)
if [ -z "$depnode" ]; then
continue
fi
if [ "$(dmsetup table "$depnode" 2>/dev/null | cut -d' ' -f3)" != "crypt" ]; then
get_lvm_deps "$depnode"
continue
fi
echo "$depnode"
done
return 0
}
get_device_opts() {
local target source link extraopts rootopts opt
target="$1"
extraopts="$2"
KEYSCRIPT=""
CRYPTHEADER=""
OPTIONS=""
if [ -z "$target" ]; then
echo "cryptsetup: WARNING: get_device_opts - invalid arguments" >&2
return 1
fi
opt=$( grep "^$target\b" /etc/crypttab | head -1 | sed 's/[[:space:]]\+/ /g' )
source=$( echo $opt | cut -d " " -f2 )
key=$( echo $opt | cut -d " " -f3 )
rootopts=$( echo $opt | cut -d " " -f4- )
if [ -z "$opt" ] || [ -z "$source" ] || [ -z "$key" ] || [ -z "$rootopts" ]; then
echo "cryptsetup: WARNING: invalid line in /etc/crypttab for $target - $opt" >&2
return 1
fi
# Sanity checks for $source
if [ -h "$source" ]; then
link=$(readlink -nqe "$source")
if [ -z "$link" ]; then
echo "cryptsetup: WARNING: $source is a dangling symlink" >&2
return 1
fi
if [ "$link" != "${link#/dev/mapper/}" ]; then
echo "cryptsetup: NOTE: using $link instead of $source for $target" >&2
source="$link"
fi
fi
# Sanity checks for $key
if [ "$key" = "/dev/random" ] || [ "$key" = "/dev/urandom" ]; then
echo "cryptsetup: WARNING: target $target has a random key, skipped" >&2
return 1
fi
if [ -n "$extraopts" ]; then
rootopts="$extraopts,$rootopts"
fi
# We have all the basic options, let's go trough them
OPTIONS="target=$target,source=$source,key=$key"
local IFS=", "
unset HASH_FOUND
unset LUKS_FOUND
for opt in $rootopts; do
case $opt in
cipher=*)
OPTIONS="$OPTIONS,$opt"
;;
size=*)
OPTIONS="$OPTIONS,$opt"
;;
hash=*)
OPTIONS="$OPTIONS,$opt"
HASH_FOUND=1
;;
tries=*)
OPTIONS="$OPTIONS,$opt"
;;
discard)
OPTIONS="$OPTIONS,$opt"
;;
luks)
LUKS_FOUND=1
;;
header=*)
opt="${opt#header=}"
if [ ! -e "$opt" ]; then
echo "cryptsetup: WARNING: target $target has an invalid header, skipped" >&2
return 1
fi
CRYPTHEADER="$opt"
OPTIONS="$OPTIONS,header=$CRYPTHEADER"
;;
tcrypt)
OPTIONS="$OPTIONS,$opt"
;;
keyscript=*)
opt="${opt#keyscript=}"
if [ ! -x "/lib/cryptsetup/scripts/$opt" ] && [ ! -x "$opt" ]; then
echo "cryptsetup: WARNING: target $target has an invalid keyscript, skipped" >&2
return 1
fi
KEYSCRIPT="$opt"
OPTIONS="$OPTIONS,keyscript=/lib/cryptsetup/scripts/$(basename "$opt")"
;;
lvm=*)
OPTIONS="$OPTIONS,$opt"
;;
rootdev)
OPTIONS="$OPTIONS,$opt"
;;
*)
# Presumably a non-supported option
;;
esac
done
# Warn for missing hash option, unless we have a LUKS partition
if [ -z "$HASH_FOUND" ] && [ -z "$LUKS_FOUND" ]; then
echo "WARNING: Option hash missing in crypttab for target $target, assuming ripemd160." >&2
echo " If this is wrong, this initramfs image will not boot." >&2
echo " Please read /usr/share/doc/cryptsetup/README.initramfs.gz and add" >&2
echo " the correct hash option to your /etc/crypttab." >&2
fi
# Warn that header only applies to a LUKS partition currently
if [ -n "$CRYPTHEADER" ] && [ -z "$LUKS_FOUND" ]; then
echo "WARNING: Option LUKS missing in crypttab for target $target." >&2
echo " Headers are only supported for LUKS devices." >&2
fi
# If keyscript is set, the "key" is just an argument to the script
if [ "$key" != "none" ] && [ -z "$KEYSCRIPT" ]; then
echo "cryptsetup: WARNING: target $target uses a key file, skipped" >&2
return 1
fi
}
get_device_modules() {
local node value cipher blockcipher ivhash
node="$1"
# Check the ciphers used by the active root mapping
value=$(dmsetup table "$node" | cut -d " " -f4)
cipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f1)
blockcipher=$(echo "$value" | cut -d ":" -f1 | cut -d "-" -f2)
ivhash=$(echo "$value" | cut -d ":" -s -f2)
if [ -n "$cipher" ]; then
echo "$cipher"
else
return 1
fi
if [ -n "$blockcipher" ] && [ "$blockcipher" != "plain" ]; then
echo "$blockcipher"
fi
if [ -n "$ivhash" ] && [ "$ivhash" != "plain" ]; then
echo "$ivhash"
fi
return 0
}
canonical_device() {
local dev altdev original
dev="$1"
opt="$2"
altdev="${dev#LABEL=}"
if [ "$altdev" != "$dev" ]; then
dev="/dev/disk/by-label/$altdev"
fi
altdev="${dev#UUID=}"
if [ "$altdev" != "$dev" ]; then
dev="/dev/disk/by-uuid/$altdev"
fi
original="$dev"
if [ -h "$dev" ]; then
dev=$(readlink -e "$dev")
fi
if [ "$opt" = "--no-simplify" ]; then
echo "$dev"
return 0
fi
if [ "x${dev%/dev/dm-*}" = "x" ]; then
# try to detect corresponding symlink in /dev/mapper/
for dmdev in /dev/mapper/*; do
if [ "$(readlink -e "$dmdev")" = "$dev" ]; then
dev="$dmdev"
fi
done
fi
altdev="${dev#/dev/mapper/}"
if [ "$altdev" != "$dev" ]; then
echo "$altdev"
return 0
elif [ "x${original%/dev/disk/by-*/*}" = "x" ]; then
# support crypttab UUID/LABEL entries
# this is a /dev/disk/by-*/ path so return just the 'basename'
echo "${original##/dev/disk/by-*/}"
return 0
fi
echo "cryptsetup: WARNING: failed to detect canonical device of $original" >&2
return 1
}
add_device() {
local node nodes opts lastopts i count
nodes="$1"
opts="" # Applied to all nodes
lastopts="" # Applied to last node
if [ -z "$nodes" ]; then
return 0
fi
# Flag root device
if echo "$rootdevs" | grep -q "\b$nodes\b"; then
if [ -z "$opts" ]; then
opts="rootdev"
else
opts="$opts,rootdev"
fi
fi
# Check that it is a node under /dev/mapper/
# nodes=$(canonical_device "$nodes") || return 0
# Can we find this node in crypttab
if ! node_is_in_crypttab "$nodes"; then
# dm node but not in crypttab, is it a lvm device backed by dm-crypt nodes?
lvmnodes=$(get_lvm_deps "$nodes") || return 1
# not backed by any dm-crypt nodes; stop here
if [ -z "$lvmnodes" ]; then
return 0
fi
# It is a lvm device!
if [ -z "$opts" ]; then
opts="lvm=$nodes"
else
opts="$opts,lvm=$nodes"
fi
nodes="$lvmnodes"
fi
# Prepare to setup each node
count=$(echo "$nodes" | wc -w)
i=1
for node in $nodes; do
# Prepare the additional options
if [ $i -eq $count ]; then
if [ -z "$opts" ]; then
opts="$lastopts"
elif [ -n "$lastopts" ]; then
opts="$opts,$lastopts"
fi
fi
# Get crypttab root options
if ! get_device_opts "$node" "$opts"; then
continue
fi
echo "$OPTIONS" >>"$DESTDIR/conf/conf.d/cryptroot"
# If we have a keyscript, make sure it is included
if [ -n "$KEYSCRIPT" ]; then
if [ ! -d "$DESTDIR/lib/cryptsetup/scripts" ]; then
mkdir -p "$DESTDIR/lib/cryptsetup/scripts"
fi
if [ -e "/lib/cryptsetup/scripts/$KEYSCRIPT" ]; then
copy_exec "/lib/cryptsetup/scripts/$KEYSCRIPT" /lib/cryptsetup/scripts >&2
elif [ -e "$KEYSCRIPT" ]; then
copy_exec "$KEYSCRIPT" /lib/cryptsetup/scripts >&2
elif KSTYPE="$(type "$KEYSCRIPT" 2>&1)"; then
if [ -x "${KSTYPE#"$KEYSCRIPT" is }" ]; then
copy_exec "${KSTYPE#"$KEYSCRIPT" is }" /lib/cryptsetup/scripts >&2
fi
else
echo "cryptsetup: WARNING: failed to find keyscript $KEYSCRIPT" >&2
continue
fi
fi
# If we have a LUKS header, make sure it is included
# TODO: make it configurable to include the LUKS header into initramfs
# disabled for now due to security reasons
if [ -n "$CRYPTHEADER" ]; then
if [ ! -d "$DESTDIR/conf/conf.d/cryptheader" ]; then
mkdir -p "$DESTDIR/conf/conf.d/cryptheader"
fi
#if [ -e "$CONFDIR/conf.d/cryptheader/$CRYPTHEADER" ]; then
# copy_exec "$CONFDIR/conf.d/cryptheader/$CRYPTHEADER" /conf/conf.d/cryptheader >&2
#elif [ -e "$CRYPTHEADER" ]; then
# copy_exec "$CRYPTHEADER" /conf/conf.d/cryptheader >&2
#else
# echo "cryptsetup: WARNING: failed to find LUKS header $CRYPTHEADER" >&2
# continue
#fi
fi
# Calculate needed modules
modules=$(get_device_modules $node | sort | uniq)
if [ -z "$modules" ]; then
echo "cryptsetup: WARNING: failed to determine cipher modules to load for $node" >&2
continue
fi
echo dm_mod
echo dm_crypt
echo "$modules"
# Load hardware aes module
if cpu_has_aesni; then
echo aesni
fi
i=$(( $i + 1 ))
done
return 0
}
cpu_has_aesni() {
return $(grep -q "^flags\s*:\s*.*aes" /proc/cpuinfo)
}
add_crypto_modules() {
local mod file altmod found genericfound
mod="$1"
found=""
genericfound=""
if [ -z "$mod" ]; then
return 1
fi
# We have several potential sources of modules (in order of preference):
#
# a) /lib/modules/$VERSION/kernel/arch/$ARCH/crypto/$mod-$specific.ko
# b) /lib/modules/$VERSION/kernel/crypto/$mod_generic.ko
# c) /lib/modules/$VERSION/kernel/crypto/$mod.ko
#
# and (currently ignored):
#
# d) /lib/modules/$VERSION/kernel/drivers/crypto/$specific-$mod.ko
for file in $(find "$MODULESDIR/kernel/arch/" -name "$mod-*.ko" 2>/dev/null); do
altmod="${file##*/}"
altmod="${altmod%.ko}"
manual_add_modules "$altmod"
found="yes"
done
for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}_generic.ko" 2>/dev/null); do
altmod="${file##*/}"
altmod="${altmod%.ko}"
manual_add_modules "$altmod"
found="yes"
genericfound="yes"
done
if [ -z "$genericfound" ]; then
for file in $(find "$MODULESDIR/kernel/crypto/" -name "${mod}.ko" 2>/dev/null); do
altmod="${file##*/}"
altmod="${altmod%.ko}"
manual_add_modules "$altmod"
found="yes"
done
fi
if [ -z "$found" ]; then
return 1
fi
return 0
}
#
# Begin real processing
#
setup="no"
rootdevs=""
usrdevs=""
resumedevs=""
# Include cryptsetup modules, regardless of _this_ machine
# configuration
if [ -n "$CRYPTSETUP" ] && [ "$CRYPTSETUP" != "n" ]; then
setup="yes"
fi
# Find the root and resume device(s)
if [ -r /etc/crypttab ]; then
rootdevs=$(get_fs_devices /)
if [ -z "$rootdevs" ]; then
echo "cryptsetup: WARNING: could not determine root device from /etc/fstab" >&2
fi
usrdevs=$(get_fs_devices /usr)
resumedevs=$(get_resume_devices)
initramfsdevs=$(get_initramfs_devices)
fi
# Load the config opts and modules for each device
for dev in $rootdevs $usrdevs $resumedevs $initramfsdevs; do
if ! modules=$(add_device "$dev"); then
echo "cryptsetup: FAILURE: could not determine configuration for $dev" >&2
continue
fi
if [ -n "$modules" ]; then
setup="yes"
fi
if [ "$setup" = "no" ]; then
continue
fi
if [ "$MODULES" = "most" ]; then
archcrypto="$(find "$MODULESDIR/kernel/arch" -type d -name "crypto" 2>/dev/null)"
if [ -n "$archcrypto" ]; then
copy_modules_dir "${archcrypto##*${MODULESDIR}/}"
fi
copy_modules_dir "kernel/crypto"
else
for mod in $modules; do
add_crypto_modules $mod
done
fi
done
# With large initramfs, we always add a basic subset of modules
if [ "$MODULES" != "dep" ] && [ "$setup" = "yes" ]; then
for mod in aes cbc chainiv cryptomgr krng sha256 xts; do
add_crypto_modules $mod
done
fi
# See if we need to add the basic components
if [ "$setup" = "yes" ]; then
for mod in dm_mod dm_crypt; do
manual_add_modules $mod
done
copy_exec /sbin/cryptsetup
copy_exec /sbin/dmsetup
copy_exec /lib/cryptsetup/askpass
# We need sed. Either via busybox or as standalone binary.
if [ "$BUSYBOX" = "n" ] || [ ! -e ${BUSYBOXDIR}/busybox ]; then
copy_exec /bin/sed
fi
fi
exit 0