1 #!/bin/ksh
   2 #
   3 # CDDL HEADER START
   4 #
   5 # The contents of this file are subject to the terms of the
   6 # Common Development and Distribution License (the "License").
   7 # You may not use this file except in compliance with the License.
   8 #
   9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  10 # or http://www.opensolaris.org/os/licensing.
  11 # See the License for the specific language governing permissions
  12 # and limitations under the License.
  13 #
  14 # When distributing Covered Code, include this CDDL HEADER in each
  15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  16 # If applicable, add the following below this CDDL HEADER, with the
  17 # fields enclosed by brackets "[]" replaced with your own identifying
  18 # information: Portions Copyright [yyyy] [name of copyright owner]
  19 #
  20 # CDDL HEADER END
  21 #
  22 # Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  23 # Copyright 2014 Garrett D'Amore
  24 #
  25 #
  26 
  27 # This script provides a simple GUI for managing labeled zones.
  28 # It provides contextual menus which provide appropriate choices.
  29 # It must be run in the global zone as root.
  30 
  31 # These arguments are accepted, and will result in non-interactive
  32 # (text-only) mode:
  33 #
  34 #       txzonemgr [-c | -d[f]]
  35 #
  36 #       -c      create default zones
  37 #       -d      destroy all zones; prompts for confirmation unless
  38 #               the -f flag is also specified
  39 #       -f      force
  40 #
  41 
  42 # DISP - use GUI (otherwise use non-interactive mode)
  43 DISP=1
  44 # CREATEDEF - make default zones (non-interactive)
  45 CREATEDEF=0
  46 # DESTROYZONES - tear down all zones (non-interactive)
  47 DESTROYZONES=0
  48 # FORCE - force
  49 FORCE=0
  50 
  51 NSCD_PER_LABEL=0
  52 NSCD_INDICATOR=/var/tsol/doors/nscd_per_label
  53 if [ -f $NSCD_INDICATOR ] ; then
  54         NSCD_PER_LABEL=1
  55 fi
  56 
  57 myname=$(basename $0)
  58 
  59 TXTMP=/tmp/txzonemgr
  60 TNRHTP=/etc/security/tsol/tnrhtp
  61 TNRHDB=/etc/security/tsol/tnrhdb
  62 TNZONECFG=/etc/security/tsol/tnzonecfg
  63 PUBZONE=public
  64 INTZONE=internal
  65 
  66 PATH=/usr/bin:/usr/sbin:/usr/lib export PATH
  67 title="Labeled Zone Manager 2.1"
  68 
  69 msg_defzones=$(gettext "Create default zones using default settings?")
  70 msg_confirmkill=$(gettext "OK to destroy all zones?")
  71 msg_continue=$(gettext "(exit to resume $(basename $0) when ready)")
  72 msg_getlabel=$(gettext "Select a label for the")
  73 msg_getremote=$(gettext "Select a remote host or network from the list below:")
  74 msg_getnet=$(gettext "Select a network configuration for the")
  75 msg_getzone=$(gettext "Select a zone from the list below:
  76 (select global for zone creation and shared settings)")
  77 msg_getcmd=$(gettext "Select a command from the list below:")
  78 msg_inuse=$(gettext "That label is already assigned\nto the")
  79 msg_getmin=$(gettext "Select the minimum network label for the")
  80 msg_getmax=$(gettext "Select the maximum network label for the")
  81 msg_badip=$(gettext " is not a valid IP address")
  82 
  83 
  84 process_options()
  85 {
  86         typeset opt optlist
  87 
  88         optlist='cdf'
  89 
  90         while getopts ":$optlist" opt
  91         do
  92                 case $opt in
  93                 c)      CREATEDEF=1
  94                         DISP=0
  95                         ;;
  96                 d)      DESTROYZONES=1
  97                         DISP=0
  98                         ;;
  99                 f)      FORCE=1
 100                         ;;
 101                 *)      gettext "invalid option -$OPTARG\n"
 102                         usage
 103                         return 2
 104                         ;;
 105                 esac
 106         done
 107 
 108         if [ $CREATEDEF -eq 1 -a $DESTROYZONES -eq 1 ] ; then
 109                 gettext "cannot combine options -c and -d\n"
 110                 usage
 111                 return 2
 112         fi
 113         if [ $CREATEDEF -eq 1 -a $FORCE -eq 1 ] ; then
 114                 gettext "option -f not allowed with -c\n"
 115                 usage
 116                 return 2
 117         fi
 118         if [ $FORCE -eq 1 -a $CREATEDEF -eq 0 -a $DESTROYZONES -eq 0 ] ; then
 119                 gettext "option -f specified without any other options\n"
 120                 usage
 121                 return 2
 122         fi
 123 
 124         shift $((OPTIND - 1))
 125         if [ "x$1" != "x" ] ; then
 126                 usage
 127                 return 2
 128         fi
 129 
 130         return 0
 131 }
 132 
 133 usage() {
 134         gettext "usage: $myname [-c | -d[f]]\n"
 135 }
 136 
 137 consoleCheck() {
 138         if [ $zonename != global ] ; then
 139                 zconsole=$(pgrep -f "zlogin -C $zonename")
 140                 if [ $? != 0 ] ; then
 141                         console="Zone Console...\n"
 142                 fi
 143         fi
 144 }
 145 
 146 labelCheck() {
 147         hexlabel=$(grep "^$zonename:" $TNZONECFG|cut -d : -f2);
 148         if [[ $hexlabel ]] ; then
 149                 label=
 150                 if [ $zonename = global ] ; then
 151                         template="admin_low"
 152                         addcipsohost="Add Multilevel Access to Remote Host...\n"
 153                         removecipsohost="Remove Multilevel Access to Remote Host...\n"
 154                         setmlps="Configure Multilevel Ports...\n"
 155                 else
 156                         template=${zonename}_unlab
 157                         addcipsohost=
 158                         removecipsohost=
 159                         setmlps=
 160 
 161                         net=$(zonecfg -z $zonename info net)
 162                         if [[ -n $net ]] ; then
 163                                 setmlps="Configure Multilevel Ports...\n"
 164                         elif [ $zonestate = configured ] ; then
 165                                 addnet="Configure Network Interfaces...\n"
 166                         fi
 167                 fi
 168                 addremotehost="Add Single-level Access to Remote Host...\n"
 169                 remotes=$(grep -v "^#" $TNRHDB|grep $template)
 170                 if [ $? = 0 ] ; then
 171                         removeremotehost="Remove Single-level Access to Remote Host...\n"
 172                 else
 173                         removeremotehost=
 174                 fi
 175         else
 176                 label="Select Label...\n"
 177                 addremotehost=
 178                 removeremotehost=
 179                 addcipsohost=
 180                 removecipsohost=
 181                 setmlps=
 182         fi
 183 }
 184 
 185 cloneCheck() {
 186         set -A zonelist
 187         integer clone_cnt=0
 188         for p in $(zoneadm list -ip) ; do
 189                 z=$(echo "$p"|cut -d : -f2)
 190                 s=$(echo "$p"|cut -d : -f3)
 191                 if [ $z = $zonename ] ; then
 192                         continue
 193                 elif [ $s = "installed" ] ; then
 194                         zonelist[clone_cnt]=$z
 195                         clone_cnt+=1
 196                 fi
 197         done
 198         if [ $clone_cnt -gt 0 ] ; then
 199                 clone="Clone...\n"; \
 200         fi
 201 }
 202 
 203 relabelCheck() {
 204         macstate=$(zonecfg -z $zonename info|grep win_mac_write)
 205         if [[ -n $macstate ]] ; then
 206                 permitrelabel="Deny Relabeling\n"
 207         else
 208                 permitrelabel="Permit Relabeling\n"
 209         fi
 210 }
 211 
 212 autobootCheck() {
 213         bootmode=$(zonecfg -z $zonename info autoboot)
 214         if [[ $bootmode == 'autoboot: true' ]] ; then
 215                 autoboot="Set Manual Booting\n"
 216         else
 217                 autoboot="Set Automatic Booting\n"
 218         fi
 219 }
 220 
 221 newZone() { 
 222                 if [[ ! -n $zonename ]] ; then
 223                         zonename=$(zenity --entry \
 224                             --title="$title" \
 225                             --width=330 \
 226                             --entry-text="" \
 227                             --text="Enter Zone Name: ")
 228 
 229                         if [[ ! -n $zonename ]] ; then
 230                                 zonename=global
 231                                 return
 232                         fi
 233                 fi
 234                 zonecfg -z $zonename "create -t SUNWtsoldef;\
 235                      set zonepath=/zone/$zonename"
 236 }
 237 
 238 removeZoneBEs() {
 239         delopt=$*
 240 
 241         zfs list -H $ZDSET/$zonename 1>/dev/null 2>&1
 242         if [ $? = 0 ] ; then
 243                 for zbe in $(zfs list -rHo name $ZDSET/$zonename|grep ROOT/zbe) ; do
 244                         zfs destroy $delopt $zbe
 245                 done
 246         fi
 247 }
 248 
 249 updateTemplate () {
 250         if [ $hostType = cipso ] ; then
 251                 template=${zonename}_cipso
 252                 deflabel=
 253         else
 254                 template=${zonename}_unlab
 255                 deflabel="def_label=${hexlabel};"
 256         fi
 257 
 258         tnzone=$(grep "^${template}:" $TNRHTP 2>/dev/null)
 259         if [ $? -eq 0 ] ; then
 260                 sed -e "/^${template}/d" $TNRHTP > $TXTMP/tnrhtp.$$ 2>/dev/null
 261                 mv $TXTMP/tnrhtp.$$ $TNRHTP
 262         fi
 263         print "${template}:host_type=${hostType};doi=1;min_sl=${minlabel};max_sl=${maxlabel};$deflabel" >> $TNRHTP
 264         tnctl -t $template
 265 }
 266                 
 267 setTNdata () {
 268         tnzline="$zonename:${hexlabel}:0::"
 269         grep "^$tnzline" $TNZONECFG 1>/dev/null 2>&1
 270         if [ $? -eq 1 ] ; then
 271                 print "$tnzline" >> $TNZONECFG
 272         fi
 273 
 274         #
 275         # Add matching entries in tnrhtp if necessary
 276         #
 277         minlabel=admin_low
 278         maxlabel=admin_high
 279         hostType=cipso
 280         updateTemplate
 281 
 282         hostType=unlabeled
 283         updateTemplate
 284 }
 285 
 286 selectLabel() {
 287         hexlabel=$(tgnome-selectlabel \
 288                 --title="$title" \
 289                 --text="$msg_getlabel $zonename zone:" \
 290                 --min="${DEFAULTLABEL}"  \
 291                 --default="${DEFAULTLABEL}"  \
 292                 --max=$(chk_encodings -X) \
 293                 --accredcheck=yes \
 294                 --mode=sensitivity \
 295                 --format=internal)
 296         if [ $? = 0 ] ; then
 297                 x=$(grep -i :{$hexlabel}: $TNZONECFG)
 298                 if [ $? = 0 ] ; then
 299                         z=$(print $x|cut -d : -f1)
 300                         x=$(zenity --error \
 301                             --title="$title" \
 302                             --text="$msg_inuse $z zone.")
 303                 else
 304                         setTNdata
 305                 fi
 306         fi      
 307 }
 308 
 309 getLabelRange() {
 310         deflabel=$(hextoalabel $hexlabel)
 311         minlabel=$(tgnome-selectlabel \
 312                 --title="$title" \
 313                 --text="$msg_getmin $zonename zone:" \
 314                 --min="${DEFAULTLABEL}"  \
 315                 --max="$deflabel" \
 316                 --default="$hexlabel" \
 317                 --accredcheck=no \
 318                 --mode=sensitivity \
 319                 --format=internal)
 320         [ $? != 0 ] && return
 321         
 322         maxlabel=$(tgnome-selectlabel \
 323                 --title="$title" \
 324                 --text="$msg_getmax $zonename zone:" \
 325                 --min="$deflabel"  \
 326                 --max=$(chk_encodings -X) \
 327                 --default="$hexlabel" \
 328                 --accredcheck=no \
 329                 --mode=sensitivity \
 330                 --format=internal)
 331         [ $? != 0 ] && return
 332 
 333         hostType=cipso
 334         updateTemplate
 335 }
 336 
 337 
 338 encryptionValues() {
 339         echo $(zfs get 2>&1 | grep encryption | sed -e s/^.*YES// -e s/\|//g)
 340 }
 341 
 342 getPassphrase() {
 343         pass1=$(zenity --entry --title="$title" --text="Enter passphrase:" \
 344             --width=330 --hide-text)
 345         pass2=$(zenity --entry --title="$title" --text="Re-enter passphrase:" \
 346             --width=330 --hide-text)
 347         if [[ "$pass1" != "$pass2" ]]; then
 348                 zenity --error --title="$title" \
 349                         --text="Passphrases do not match"
 350                 return ""
 351         fi
 352         file=$(mktemp)
 353         echo "$pass1" > $file
 354         echo "$file"
 355 }
 356 
 357 createZDSET() {
 358         options=$1
 359         pool=${2%%/*}
 360 
 361         # First check if ZFS encrytption support is available
 362         pversion=$(zpool list -H -o version $pool)
 363         cversion=$(zpool upgrade -v | grep Crypto | awk '{ print $1 }')
 364         if (( cversion == 0 || pversion < cversion )); then
 365                 zfs create $options $ZDSET
 366                 return
 367         fi
 368 
 369         encryption=$(zenity --list --title="$title" --height=320 \
 370                 --text="Select cipher for encryption of all labels:" \
 371                 --column="encryption" $(encryptionValues))
 372 
 373         if [[ $? != 0 || $encryption == "off" ]]; then
 374                 zfs create $options $ZDSET
 375                 return
 376         fi
 377 
 378         format=$(zenity --list --title="$title" \
 379                 --text "Select encryption key source:" \
 380                 --column="Key format and location" \
 381                 "Passphrase" "Generate Key in file")
 382         [ $? != 0 ] && exit 
 383 
 384         if [[ $format == "Passphrase" ]]; then
 385                 file=$(getPassphrase)
 386                 if [[ $file == "" ]]; then
 387                         exit
 388                 fi
 389                 keysource="passphrase,file://$file"
 390                 removefile=1;
 391         elif [[ $format == "Generate Key in file" ]]; then
 392                 file=$(zenity --file-selection \
 393                         --title="$title: Location of key file" \
 394                         --save --confirm-overwrite)
 395                 [ $? != 0 ] && exit 
 396                 if [[ $encryption == "on" ]]; then
 397                         keylen=128
 398                 else
 399                         t=${encryption#aes-} && keylen=${t%%-*}
 400                 fi
 401                 pktool genkey keystore=file keytype=aes \
 402                     keylen=$keylen outkey=$file
 403                 keysource="raw,file:///$file"
 404         fi
 405 
 406         options="$options -o encryption=$encryption -o keysource=$keysource"
 407         zfs create $options $ZDSET
 408         if (( removefile == 1 )); then
 409                 zfs set keysource=passphrase,prompt $ZDSET
 410                 rm $file
 411         fi
 412 }
 413 
 414 
 415 initialize() {
 416         zonepath=$(zoneadm -z $zonename list -p|cut -d : -f4)
 417         ZONE_ETC_DIR=$zonepath/root/etc
 418         SYSIDCFG=${ZONE_ETC_DIR}/sysidcfg
 419 
 420         if [ -f /var/ldap/ldap_client_file ] ; then
 421                 ldapaddress=$(ldapclient list | \
 422                     grep "^NS_LDAP_SERVERS" | cut -d " " -f2)
 423                 print "name_service=LDAP {" > ${SYSIDCFG}
 424                 domain=$(domainname)
 425                 print "domain_name=$domain" >> ${SYSIDCFG}
 426                 profName=$(ldapclient list | \
 427                     grep "^NS_LDAP_PROFILE" | cut -d " " -f2)
 428                 proxyPwd=$(ldapclient list | \
 429                     grep "^NS_LDAP_BINDPASSWD" | cut -d " " -f2)
 430                 proxyDN=$(ldapclient list | \
 431                     grep "^NS_LDAP_BINDDN" | cut -d " " -f 2)
 432                 if [ "$proxyDN" ] ; then
 433                         print "proxy_dn=\"$proxyDN\"" >> ${SYSIDCFG}
 434                         print "proxy_password=\"$proxyPwd\"" >> ${SYSIDCFG}
 435                 fi
 436                 print "profile=$profName" >> ${SYSIDCFG}
 437                 print "profile_server=$ldapaddress }" >> ${SYSIDCFG}
 438                 cp /etc/nsswitch.conf $ZONE_ETC_DIR/nsswitch.ldap
 439         else
 440                 print "name_service=NONE" > ${SYSIDCFG}
 441                 fi
 442         print "security_policy=NONE" >> ${SYSIDCFG}
 443         locale=$(locale|grep LANG | cut -d "=" -f2)
 444         if [[ -z $locale ]] ; then
 445                 locale="C"
 446         fi
 447         print "system_locale=$locale" >> ${SYSIDCFG}
 448         timezone=$(grep "^TZ" /etc/default/init|cut -d "=" -f2)
 449         print "timezone=$timezone" >> ${SYSIDCFG}
 450         print "terminal=vt100" >> ${SYSIDCFG}
 451         rootpwd=$(grep "^root:" /etc/shadow|cut -d : -f2)
 452  
 453 #       There are two problems with setting the root password:
 454 #               The zone's shadow file may be read-only
 455 #               The password contains unparsable characters
 456 #       so the following line is commented out until this is resolved.
 457 
 458         #print "root_password=$rootpwd" >> ${SYSIDCFG}
 459         print "nfs4_domain=dynamic" >> ${SYSIDCFG}
 460         print "network_interface=PRIMARY {" >> ${SYSIDCFG}
 461 
 462         net=$(zonecfg -z $zonename info net)
 463         ipType=$(zonecfg -z $zonename info ip-type|cut -d" " -f2)
 464         if [ $ipType = exclusive ] ; then
 465                 hostname=$(zenity --entry \
 466                     --title="$title" \
 467                     --width=330 \
 468                     --text="${zonename}0: Enter Hostname or dhcp: ")
 469                 [ $? != 0 ] && return
 470 
 471                 if [ $hostname = dhcp ] ; then
 472                         print "dhcp" >> ${SYSIDCFG}
 473                 else
 474                         print "hostname=$hostname" >> ${SYSIDCFG}
 475                         ipaddr=$(getent hosts $hostname|cut -f1)
 476                         if [ $? != 0 ] ; then
 477                                 ipaddr=$(zenity --entry \
 478                                     --title="$title" \
 479                                     --text="$nic: Enter IP address: " \
 480                                     --entry-text a.b.c.d)
 481                                 [ $? != 0 ] && return
 482                                 
 483                                 validateIPaddr
 484                                 if [[ -z $ipaddr ]] ; then
 485                                         return
 486                                 fi
 487                         fi
 488                         print "ip_address=$ipaddr" >> ${SYSIDCFG}
 489                         getNetmask
 490                         print "netmask=$nm" >> ${SYSIDCFG}
 491                         print "default_route=none" >> ${SYSIDCFG}
 492                         template=${zonename}_cipso
 493                         cidr=32
 494                         updateTnrhdb
 495                 fi
 496         elif [[ -n $net ]] ; then
 497                 hostname=$(hostname)
 498                 hostname=$(zenity --entry \
 499                     --title="$title" \
 500                     --width=330 \
 501                     --text="Enter Hostname: " \
 502                     --entry-text $hostname)
 503                 [ $? != 0 ] && return
 504                 
 505                 print "hostname=$hostname" >> ${SYSIDCFG}
 506                 ipaddr=$(getent hosts $hostname|cut -f1)
 507                 if [ $? = 0 ] ; then
 508                         print "ip_address=$ipaddr" >> ${SYSIDCFG}
 509                 fi
 510         else
 511                 getAllZoneNICs
 512                 for i in ${aznics[*]} ; do
 513                         ipaddr=$(ifconfig $i|grep inet|cut -d " " -f2)
 514                 done
 515                 print "hostname=$(hostname)" >> ${SYSIDCFG}
 516                 print "ip_address=$ipaddr" >> ${SYSIDCFG}
 517         fi
 518                 
 519         print "protocol_ipv6=no }" >> ${SYSIDCFG}
 520         cp /etc/default/nfs ${ZONE_ETC_DIR}/default/nfs
 521         touch ${ZONE_ETC_DIR}/.NFS4inst_state.domain
 522 }
 523 
 524 clone() {
 525         image=$1
 526         if [[ -z $image ]] ; then
 527                 msg_clone=$(gettext "Clone the $zonename zone using a
 528 snapshot of one of the following halted zones:")
 529                 image=$(zenity --list \
 530                     --title="$title" \
 531                     --text="$msg_clone" \
 532                     --height=300 \
 533                     --width=330 \
 534                     --column="Installed Zones" ${zonelist[*]})
 535         fi
 536 
 537         if [[ -n $image ]] ; then
 538                 removeZoneBEs
 539                 zoneadm -z $zonename clone $image
 540 
 541                 if [ $NSCD_PER_LABEL = 0 ] ; then
 542                         sharePasswd $zonename
 543                 else
 544                         unsharePasswd $zonename
 545                 fi
 546 
 547                 ipType=$(zonecfg -z $zonename info ip-type|cut -d" " -f2)
 548                 if [ $ipType = exclusive ] ; then
 549                         zoneadm -z $zonename ready
 550                         zonepath=$(zoneadm -z $zonename list -p|cut -d : -f4)
 551                         sys-unconfig -R $zonepath/root 2>/dev/null
 552                         initialize
 553                         zoneadm -z $zonename halt
 554                 fi
 555         fi
 556 }
 557 
 558 install() {
 559         removeZoneBEs
 560         if [ $DISP -eq 0 ] ; then
 561                 gettext "installing zone $zonename ...\n"
 562                 zoneadm -z $zonename install
 563         else
 564                 # sleep is needed here to avoid occasional timing
 565                 # problem with gnome-terminal display...
 566                 sleep 2
 567                 gnome-terminal \
 568                     --title="$title: Installing $zonename zone" \
 569                     --command "zoneadm -z $zonename install" \
 570                     --disable-factory \
 571                     --hide-menubar
 572         fi
 573 
 574         zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
 575         if [ $zonestate != installed ] ; then
 576                 gettext "error installing zone $zonename.\n"
 577                 return 1
 578         fi
 579 
 580         if [ $NSCD_PER_LABEL = 0 ] ; then
 581                 sharePasswd $zonename
 582         else
 583                 unsharePasswd $zonename
 584         fi
 585 
 586         zoneadm -z $zonename ready
 587         zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
 588         if [ $zonestate != ready ] ; then
 589                 gettext "error making zone $zonename ready.\n"
 590                 return 1
 591         fi
 592 
 593         initialize
 594         zoneadm -z $zonename halt
 595 }
 596 
 597 delete() {
 598         delopt=$*
 599 
 600         # if there is an entry for this zone in tnzonecfg, remove it
 601         # before deleting the zone.
 602 
 603         tnzone=$(grep "^$zonename:" $TNZONECFG 2>/dev/null)
 604         if [ -n "${tnzone}" ] ; then
 605                 sed -e "/^$zonename:/d" $TNZONECFG > \
 606                     $TXTMP/tnzonefg.$$ 2>/dev/null
 607                 mv $TXTMP/tnzonefg.$$ $TNZONECFG
 608         fi
 609 
 610         for tnzone in $(grep ":${zonename}_unlab" $TNRHDB 2>/dev/null) ; do
 611                 tnctl -dh "$tnzone"
 612                 sed -e "/:${zonename}_unlab/d" $TNRHDB > \
 613                     $TXTMP/tnrhdb.$$ 2>/dev/null
 614                 mv $TXTMP/tnrhdb.$$ $TNRHDB
 615         done
 616 
 617         for tnzone in $(grep "^${zonename}_unlab:" $TNRHTP 2>/dev/null) ; do
 618                 tnctl -dt ${zonename}_unlab
 619                 sed -e "/^${zonename}_unlab:/d" $TNRHTP > \
 620                     $TXTMP/tnrhtp.$$ 2>/dev/null
 621                 mv $TXTMP/tnrhtp.$$ $TNRHTP
 622         done
 623 
 624         for tnzone in $(grep ":${zonename}_cipso" $TNRHDB 2>/dev/null) ; do
 625                 tnctl -dh "$tnzone"
 626                 sed -e "/:${zonename}_cipso/d" $TNRHDB > \
 627                     $TXTMP/tnrhdb.$$ 2>/dev/null
 628                 mv $TXTMP/tnrhdb.$$ $TNRHDB
 629         done
 630 
 631         for tnzone in $(grep "^${zonename}_cipso:" $TNRHTP 2>/dev/null) ; do
 632                 tnctl -dt ${zonename}_cipso
 633                 sed -e "/^${zonename}_cipso:/d" $TNRHTP > \
 634                     $TXTMP/tnrhtp.$$ 2>/dev/null
 635                 mv $TXTMP/tnrhtp.$$ $TNRHTP
 636         done
 637 
 638         zonecfg -z $zonename delete -F
 639 
 640         removeZoneBEs $delopt
 641         for snap in $(zfs list -Ho name -t snapshot|grep "\@${zonename}_snap") ; do
 642                 zfs destroy -R $snap
 643         done
 644 }
 645 
 646 validateIPaddr () {
 647         OLDIFS=$IFS
 648         IFS=.
 649         integer octet_cnt=0
 650         integer dummy
 651         set -A octets $ipaddr
 652         IFS=$OLDIFS
 653         if [ ${#octets[*]} == 4 ] ; then
 654                 while (( octet_cnt < ${#octets[*]} )); do
 655                         dummy=${octets[octet_cnt]}
 656                         if [ $dummy = ${octets[octet_cnt]} ] ; then
 657                                 if (( dummy >= 0 && \
 658                                     dummy < 256 )) ; then
 659                                         octet_cnt+=1
 660                                         continue
 661                                 fi
 662                         else
 663                         x=$(zenity --error \
 664                             --title="$title" \
 665                             --text="$ipaddr $msg_badip")
 666                         ipaddr=
 667                         return
 668                         fi
 669                 done
 670         else
 671                 x=$(zenity --error \
 672                     --title="$title" \
 673                     --text="$ipaddr $msg_badip")
 674                 ipaddr=
 675         fi
 676 }
 677 
 678 getAllZoneNICs(){
 679         integer count=0
 680         for i in $(ifconfig -a4|grep  "^[a-z].*:")
 681         do
 682                 print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
 683                 [ $? -eq 1 ] && continue
 684                 
 685                 i=${i%:} # Remove colon after interface name
 686                 for j in $(ifconfig $i)
 687                 do
 688                         case $j in
 689                                 all-zones)
 690                                         aznics[count]=$i
 691                                         count+=1
 692                                         ;;
 693                         esac
 694                 done
 695         done
 696 }
 697 
 698 getNetmask() {
 699         cidr=
 700         nm=$(zenity --entry \
 701             --title="$title" \
 702             --width=330 \
 703             --text="$ipaddr: Enter netmask: " \
 704             --entry-text 255.255.255.0)
 705         [ $? != 0 ] && return;
 706 
 707         cidr=$(perl -e 'use Socket; print unpack("%32b*",inet_aton($ARGV[0])), "\n";' $nm)
 708 }
 709 
 710 addNet() {
 711         getIPaddr
 712         if [[ -z $ipaddr ]] ; then
 713                 return;
 714         fi
 715         getNetmask
 716         if [[ -z $cidr ]] ; then
 717                 return;
 718         fi
 719         zonecfg -z $zonename "add net; \
 720             set address=${ipaddr}/${cidr}; \
 721             set physical=$nic; \
 722             end"
 723         template=${zonename}_cipso
 724         cidr=32
 725         updateTnrhdb
 726 }
 727 
 728 getAttrs() {
 729         zone=global
 730         type=ignore
 731         for j in $(ifconfig $nic)
 732         do
 733                 case $j in
 734                         inet) type=$j;;
 735                         zone) type=$j;;
 736                         all-zones) zone=all-zones;;
 737                         flags*) flags=$j;;
 738                         *) case $type in
 739                                 inet) ipaddr=$j ;;
 740                                 zone) zone=$j ;;
 741                                 *) continue ;;
 742                            esac;
 743                            type=ignore;;
 744                 esac
 745         done
 746         if [[ $flags == ~(E).UP, ]] ; then
 747                 updown=Up
 748         else
 749                 updown=Down
 750         fi
 751         if [[ $nic == ~(E).: ]] ; then
 752                 linktype=logical
 753         else
 754                 vnic=$(dladm show-vnic -po link $nic 2>/dev/null)
 755                 if [[ -n $vnic ]] ; then
 756                         linktype=virtual
 757                 else
 758                         linktype=physical
 759                 fi
 760         fi
 761         if [ $ipaddr != 0.0.0.0 ] ; then
 762                 x=$(grep "^${ipaddr}[^0-9]" $TNRHDB)
 763                 if [ $? = 1 ] ; then
 764                         template=cipso
 765                         cidr=32
 766                         updateTnrhdb
 767                 else
 768                         template=$(print "$x"|cut -d : -f2)
 769                 fi
 770         else
 771                 template="..."
 772                 ipaddr="..."
 773         fi
 774 }
 775 deleteTnrhdbEntry() {
 776         remote=$(grep "^${ipaddr}[^0-9]" $TNRHDB)
 777         if [ $? = 0 ] ; then
 778                 ip=$(print $remote|cut -d "/" -f1)
 779                         if [[ $remote == ~(E)./ ]] ; then
 780                                 pr=$(print $remote|cut -d "/" -f2)
 781                                 remote="$ip\\/$pr"
 782                         fi
 783                 sed -e "/^${remote}/d" $TNRHDB > /tmp/tnrhdb.$$ 2>/dev/null
 784                 mv /tmp/tnrhdb.$$ $TNRHDB
 785         fi
 786 }
 787 
 788 updateTnrhdb() {
 789         deleteTnrhdbEntry
 790         if [[ -n $cidr ]] ; then
 791                 print "${ipaddr}/$cidr:$template" >> $TNRHDB
 792                 tnctl -h ${ipaddr}/$cidr:$template
 793         else
 794                 print "${ipaddr}:$template" >> $TNRHDB
 795                 tnctl -h ${ipaddr}:$template
 796         fi
 797 }
 798 
 799 getIPaddr() {
 800         hostname=$(zenity --entry \
 801             --title="$title" \
 802             --width=330 \
 803             --text="$nic: Enter Hostname: ")
 804 
 805         [ $? != 0 ] && return
 806 
 807         ipaddr=$(getent hosts $hostname|cut -f1)
 808         if [[ -z $ipaddr ]] ; then
 809                 ipaddr=$(zenity --entry \
 810                     --title="$title" \
 811                     --text="$nic: Enter IP address: " \
 812                     --entry-text a.b.c.d)
 813                 [ $? != 0 ] && return
 814                 validateIPaddr
 815         fi
 816 
 817 }
 818 
 819 addHost() {
 820         # Update hosts
 821         if [[ -z $ipaddr ]] ; then
 822                return;
 823         fi
 824         grep "^${ipaddr}[^0-9]" /etc/inet/hosts >/dev/null
 825         if [ $? -eq 1 ] ; then
 826                 print "$ipaddr\t$hostname" >> /etc/inet/hosts
 827         fi
 828 
 829         template=cipso
 830         cidr=32
 831         updateTnrhdb
 832 
 833         ifconfig $nic $ipaddr netmask + broadcast +
 834         #
 835         # TODO: better integration with nwam
 836         # TODO: get/set netmask for IP address
 837         #
 838         print $hostname > /etc/hostname.$nic
 839 }
 840 
 841 createInterface() {
 842         msg=$(ifconfig $nic addif 0.0.0.0)
 843         $(zenity --info \
 844             --title="$title" \
 845             --text="$msg" )
 846         nic=$(print "$msg"|cut -d" " -f5)
 847 
 848 }
 849                     
 850 createVNIC() {
 851         if [ $zonename != global ] ; then
 852                 vnicname=${zonename}0
 853         else
 854                 vnicname=$(zenity --entry \
 855                     --title="$title" \
 856                     --width=330 \
 857                     --entry-text="" \
 858                     --text="Enter VNIC Name: ")
 859 
 860                 if [[ ! -n $vnicname ]] ; then
 861                         return
 862                 fi
 863         fi
 864         x=$(dladm show-vnic|grep "^$vnicname " )
 865         if [[ ! -n $x ]] ; then
 866                 dladm create-vnic -l $nic $vnicname
 867         fi
 868         if [ $zonename = global ] ; then
 869                 ifconfig $vnicname plumb
 870         else
 871                 zonecfg -z $zonename "add net; \
 872                     set physical=$vnicname; \
 873                     end"
 874         fi
 875         nic=$vnicname
 876 }
 877 
 878 shareInterface() {
 879         #
 880         # TODO: better integration with nwam
 881         #
 882         ifconfig $nic all-zones;\
 883         if_file=/etc/hostname.$nic
 884         sed q | sed -e "s/$/ all-zones/" < $if_file >$TXTMP/txnetmgr.$$
 885         mv $TXTMP/txnetmgr.$$ $if_file
 886 }
 887 
 888 unshareInterface() {
 889         #
 890         # TODO: better integration with nwam
 891         #
 892         ifconfig $nic -zone;\
 893         if_file=/etc/hostname.$nic
 894         sed q | sed -e "s/all-zones/ /" < $if_file >$TXTMP/txnetmgr.$$
 895         mv $TXTMP/txnetmgr.$$ $if_file
 896 }
 897 
 898 addTnrhdb() {
 899         ipaddr=$(zenity --entry \
 900             --title="$title" \
 901             --width=330 \
 902             --text="Zone:$zonename. Enter IP address of remote host or network: " \
 903             --entry-text a.b.c.d)
 904         [ $? != 0 ] && return
 905         validateIPaddr
 906         if [[ -z $ipaddr ]] ; then
 907                 return;
 908         fi
 909         if [ ${octets[3]} = 0 ] ; then
 910                 nic="$ipaddr"
 911                 getNetmask
 912                 if [[ -z $cidr ]] ; then
 913                         return;
 914                 fi
 915         else
 916                 cidr=32
 917         fi
 918         print "${ipaddr}/$cidr:$template" > $TXTMP/tnrhdb_new.$$
 919         x=$(tnchkdb -h $TXTMP/tnrhdb_new.$$ 2>$TXTMP/syntax_error.$$)
 920         if [ $? = 0 ] ; then
 921                 updateTnrhdb
 922         else
 923                 syntax=$(cat $TXTMP/syntax_error.$$)
 924                 x=$(zenity --error \
 925                     --title="$title" \
 926                     --text="$syntax")
 927         fi
 928         rm $TXTMP/tnrhdb_new.$$
 929         rm $TXTMP/syntax_error.$$
 930 }
 931 
 932 removeTnrhdb() {
 933         while (( 1 )) do
 934                 remotes=$(grep "^[^#][0-9.]" $TNRHDB|grep ":$template"|cut -d : -f1-2|tr : " ")
 935                 if [ $template = cipso ] ; then
 936                         templateHeading="from All Zones":
 937                 else
 938                         templateHeading="from this Zone":
 939                 fi
 940                 if [[ -n $remotes ]] ; then
 941                         ipaddr=$(zenity --list \
 942                             --title="$title" \
 943                             --text="$msg_getremote" \
 944                             --height=250 \
 945                             --width=300 \
 946                             --column="Remove Access to:" \
 947                             --column="$templateHeading" \
 948                             $remotes)
 949 
 950                         if [[ -n $ipaddr ]] ; then
 951                                 deleteTnrhdbEntry
 952                                 tnctl -dh ${ip}:$template
 953                         else
 954                                 return
 955                         fi
 956                 else
 957                         return
 958                 fi
 959         done
 960 }
 961 
 962 setMLPs() {
 963         tnzone=$(grep "^$zonename:" $TNZONECFG 2>/dev/null)
 964         zoneMLPs=:$(print "$tnzone"|cut -d : -f4)
 965         sharedMLPs=:$(print "$tnzone"|cut -d : -f5)
 966         attrs="Private Interfaces$zoneMLPs\nShared Interfaces$sharedMLPs"
 967         ports=$(print "$attrs"|zenity --list \
 968             --title="$title" \
 969             --height=200 \
 970             --width=450 \
 971             --text="Zone: $zonename\nClick once to select, twice to edit.\nShift-click to select both rows." \
 972             --column="Multilevel Ports (example: 80-81/tcp;111/udp;)" \
 973             --editable \
 974             --multiple
 975             )
 976 
 977         if [[ -z $ports ]] ; then
 978                 return
 979         fi
 980 
 981         # getopts needs another a blank and another dash
 982         ports=--$(print "$ports"|sed 's/ //g'|sed 's/|/ --/g'|sed 's/Interfaces:/ :/g')
 983 
 984         OPTIND=1
 985         while getopts "z:(Private)s:(Shared)" opt $ports ; do
 986                 case $opt in
 987                         z) zoneMLPs=$OPTARG ;;
 988                         s) sharedMLPs=$OPTARG ;;
 989                 esac
 990         done
 991 
 992         sed -e "/^$zonename:*/d" $TNZONECFG > $TXTMP/tnzonecfg.$$ 2>/dev/null
 993         tnzone=$(print "$tnzone"|cut -d : -f1-3)
 994         echo "${tnzone}${zoneMLPs}${sharedMLPs}" >> $TXTMP/tnzonecfg.$$
 995 
 996         x=$(tnchkdb -z $TXTMP/tnzonecfg.$$ 2>$TXTMP/syntax_error.$$)
 997 
 998         if [ $? = 0 ] ; then
 999                 mv $TXTMP/tnzonecfg.$$ $TNZONECFG
1000                 zenity --info \
1001                     --title="$title" \
1002                     --text="Multilevel ports for the $zonename zone\nwill be interpreted on next reboot."
1003                 if [ $zonename != global ] ; then
1004                         getLabelRange
1005                 fi
1006         else
1007                 syntax=$(cat $TXTMP/syntax_error.$$)
1008                 x=$(zenity --error \
1009                     --title="$title" \
1010                     --text="$syntax")
1011                 rm $TXTMP/tnzonecfg.$$
1012         fi
1013         rm $TXTMP/syntax_error.$$
1014 }
1015 
1016 enableAuthentication() {
1017         integer file_cnt=0
1018 
1019         zonepath=$(zoneadm -z $1 list -p|cut -d : -f4)
1020         ZONE_ETC_DIR=$zonepath/root/etc
1021 
1022         # If the zone's shadow file was previously read-only
1023         # there may be no root password entry for this zone.
1024         # If so, replace the root password entry with the global zone's.
1025 
1026         entry=$(grep ^root:: $ZONE_ETC_DIR/shadow)
1027         if [ $? -eq 0 ] ; then
1028                 grep ^root: /etc/shadow > $TXTMP/shadow.$$
1029                 sed -e "/^root::/d" $ZONE_ETC_DIR/shadow >> \
1030                     $TXTMP/shadow.$$ 2>/dev/null
1031                 mv $TXTMP/shadow.$$ $ZONE_ETC_DIR/shadow
1032                 chmod 400 $ZONE_ETC_DIR/shadow
1033         fi
1034 
1035         if [ $LOGNAME = "root" ]; then
1036                 return
1037         fi
1038 
1039         file[0]="passwd"
1040         file[1]="shadow"
1041         file[2]="user_attr"
1042         #
1043         # Add the user who assumed the root role to each installed zone
1044         #
1045         while (( file_cnt < ${#file[*]} )); do
1046                 exists=$(grep "^${LOGNAME}:" \
1047                     $ZONE_ETC_DIR/${file[file_cnt]} >/dev/null)
1048                 if [ $? -ne 0 ] ; then
1049                         entry=$(grep "^${LOGNAME}:" \
1050                             /etc/${file[file_cnt]})
1051                         if [ $? -eq 0 ] ; then
1052                                 print "$entry" >> \
1053                                     $ZONE_ETC_DIR/${file[file_cnt]}
1054                         fi
1055                 fi
1056                 file_cnt+=1
1057         done
1058         chmod 400 $ZONE_ETC_DIR/shadow
1059 }
1060 
1061 unsharePasswd() {
1062         zonecfg -z $1 remove fs dir=/etc/passwd >/dev/null 2>&1 | grep -v such
1063         zonecfg -z $1 remove fs dir=/etc/shadow >/dev/null 2>&1 | grep -v such
1064         zoneadm -z $1 ready >/dev/null 2>&1
1065         if [ $? -eq 0 ] ; then
1066                 enableAuthentication $1
1067                 zoneadm -z $1 halt >/dev/null 2>&1
1068         else
1069                 echo Skipping $1
1070         fi
1071 }
1072 
1073 sharePasswd() {
1074         passwd=$(zonecfg -z $1 info|grep /etc/passwd)
1075         if [ $? -eq 1 ] ; then
1076                 zonecfg -z $1 "add fs; \
1077                     set special=/etc/passwd; \
1078                     set dir=/etc/passwd; \
1079                     set type=lofs; \
1080                     add options ro; \
1081                     end; \
1082                     add fs; \
1083                     set special=/etc/shadow; \
1084                     set dir=/etc/shadow; \
1085                     set type=lofs; \
1086                     add options ro; \
1087                     end"
1088         fi
1089         zoneadm -z $1 halt >/dev/null 2>&1
1090 }
1091 
1092 # This routine is a toggle -- if we find it configured for global nscd,
1093 # change to nscd-per-label and vice-versa.
1094 #
1095 # The user was presented with only the choice to CHANGE the existing
1096 # configuration.
1097 
1098 manageNscd() {
1099         if [ $NSCD_PER_LABEL -eq 0 ] ; then
1100                 # this MUST be a regular file for svc-nscd to detect
1101                 touch $NSCD_INDICATOR
1102                 NSCD_OPT="Unconfigure per-zone name service"
1103                 NSCD_PER_LABEL=1
1104                 for i in $(zoneadm list -i | grep -v global) ; do
1105                         zoneadm -z $i halt >/dev/null 2>&1
1106                         unsharePasswd $i
1107                 done
1108         else
1109                 rm -f $NSCD_INDICATOR
1110                 NSCD_OPT="Configure per-zone name service"
1111                 NSCD_PER_LABEL=0
1112                 for i in $(zoneadm list -i | grep -v global) ; do
1113                         zoneadm -z $i halt >/dev/null 2>&1
1114                         sharePasswd $i
1115                 done
1116         fi
1117 }
1118 
1119 manageZoneNets () {
1120         ncmds[0]="Only use all-zones interfaces"
1121         ncmds[1]="Add a logical interface"
1122         ncmds[2]="Add a virtual interface (VNIC)"
1123 
1124         stacks[0]="Shared Stack"
1125         stacks[1]="Exclusive Stack"
1126 
1127         getAllZoneNICs
1128         netOps[0]="1\n${ncmds[0]}\nShared Stack\n${aznics[*]}"
1129 
1130         integer nic_cnt=0
1131         integer netOp_cnt=2
1132 
1133         set -A nics $(dladm show-phys|grep -v LINK|cut -f1 -d " ")
1134 
1135         while (( nic_cnt < ${#nics[*]} )); do
1136                 netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[1]}\n${stacks[0]}\n${nics[nic_cnt]}"
1137                 netOp_cnt+=1
1138                 netOps[netOp_cnt - 1]="\n$netOp_cnt\n${ncmds[2]}\n${stacks[1]}\n${nics[nic_cnt]}"
1139                 netOp_cnt+=1
1140                 nic_cnt+=1
1141         done
1142 
1143         netOp=$(print "${netOps[*]}"|zenity --list \
1144             --title="$title" \
1145             --text="$msg_getnet $zonename zone:" \
1146             --height=300 \
1147             --width=500 \
1148             --column="#" \
1149             --column="Network Configuration " \
1150             --column="IP Type" \
1151             --column="Available Interfaces" \
1152             --hide-column=1
1153         )
1154         
1155         # User picked cancel or no selection
1156         if [[ -z $netOp ]] ; then
1157                 return
1158         fi
1159 
1160         # All-zones is the default, so just return
1161         if [ $netOp = 1 ] ; then
1162                 return
1163         fi
1164 
1165         cmd=$(print "${netOps[$netOp - 1]}"|tr '\n' ';' |cut -d';' -f 3)
1166         nic=$(print "${netOps[$netOp - 1]}"|tr '\n' ';' |cut -d';' -f 5) 
1167         case $cmd in
1168             ${ncmds[1]} )
1169                 addNet;
1170                 ;;      
1171             ${ncmds[2]} )
1172                 zonecfg -z $zonename set ip-type=exclusive
1173                 createVNIC
1174                 ;;
1175         esac
1176 }
1177 
1178 manageInterface () {
1179         while (( 1 )) do
1180                 getAttrs
1181 
1182                 # Clear list of commands
1183 
1184                 share=
1185                 setipaddr=
1186                 newlogical=
1187                 newvnic=
1188                 unplumb=
1189                 bringup=
1190                 bringdown=
1191 
1192                 if [ $updown = Down ] ; then
1193                         bringup="Bring Up\n"
1194                 else
1195                         bringdown="Bring Down\n"
1196                 fi
1197 
1198                 case $linktype in
1199                 physical )
1200                         newlogical="Create Logical Interface...\n";
1201                         newvnic="Create Virtual Interface (VNIC)...\n";
1202                         ;;
1203                 logical )
1204                         unplumb="Remove Logical Interface\n"
1205                         ;;
1206                 virtual )
1207                         newlogical="Create Logical Interface...\n";
1208                         unplumb="Remove Virtual Interface\n" ;
1209                         ;;
1210                 esac
1211 
1212                 if [ $ipaddr = "..." ] ; then
1213                         setipaddr="Set IP address...\n"
1214                 elif [ $zone != all-zones ] ; then
1215                         share="Share with Shared-IP Zones\n"
1216                 else 
1217                         share="Remove from Shared-IP Zones\n"
1218                 fi
1219 
1220                 command=$(print ""\
1221                     $share \
1222                     $setipaddr \
1223                     $newlogical \
1224                     $newvnic \
1225                     $unplumb \
1226                     $bringup \
1227                     $bringdown \
1228                     | zenity --list \
1229                     --title="$title" \
1230                     --text="Select a command from the list below:" \
1231                     --height=300 \
1232                     --column "Interface: $nic" )
1233 
1234                 case $command in
1235                     " Create Logical Interface...")
1236                         createInterface;;
1237                     " Create Virtual Interface (VNIC)...")
1238                         createVNIC ;;   
1239                     " Set IP address...")
1240                         getIPaddr
1241                         addHost;;
1242                     " Share with Shared-IP Zones")
1243                         shareInterface;;
1244                     " Remove from Shared-IP Zones")
1245                         unshareInterface;;
1246                     " Remove Logical Interface")
1247                         ifconfig $nic unplumb
1248                         rm -f /etc/hostname.$nic
1249                         return;;
1250                     " Remove Virtual Interface")
1251                         ifconfig $nic unplumb
1252                         dladm delete-vnic $nic
1253                         rm -f /etc/hostname.$nic
1254                         return;;
1255                     " Bring Up")
1256                         ifconfig $nic up;;
1257                     " Bring Down")
1258                         ifconfig $nic down;;
1259                     *) return;;
1260                 esac
1261         done
1262 }
1263 
1264 sharePrimaryNic() {
1265         set -A ip $(getent hosts $(cat /etc/nodename))
1266         for i in $(ifconfig -au4|grep  "^[a-z].*:" |grep -v LOOPBACK)
1267         do
1268                 print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
1269                 [ $? -eq 1 ] && continue
1270                 
1271                 nic=${i%:} # Remove colon after interface name
1272                 getAttrs
1273                 if [ ${ip[0]} = $ipaddr ]; then
1274                         shareInterface
1275                         break
1276                 fi
1277         done
1278 }
1279 
1280 manageNets() {
1281         while (( 1 )) do
1282                 attrs=
1283                 for i in $(ifconfig -a4|grep  "^[a-z].*:" |grep -v LOOPBACK)
1284                 do
1285                         print "$i" |grep "^[a-z].*:" >/dev/null 2>&1
1286                         [ $? -eq 1 ] && continue
1287                         
1288                         nic=${i%:} # Remove colon after interface name
1289                         getAttrs
1290                         attrs="$nic $linktype $zone $ipaddr $template $updown $attrs"
1291                 done
1292 
1293                 nic=$(zenity --list \
1294                     --title="$title" \
1295                     --text="Select an interface from the list below:" \
1296                     --height=300 \
1297                     --width=500 \
1298                     --column="Interface" \
1299                     --column="Type" \
1300                     --column="Zone Name" \
1301                     --column="IP Address" \
1302                     --column="Template" \
1303                     --column="State" \
1304                     $attrs)
1305 
1306                 if [[ -z $nic ]] ; then
1307                         return
1308                 fi
1309                 manageInterface
1310         done
1311 }
1312 
1313 createLDAPclient() {
1314         ldaptitle="$title: Create LDAP Client"
1315         ldapdomain=$(zenity --entry \
1316             --width=400 \
1317             --title="$ldaptitle" \
1318             --text="Enter Domain Name: ")
1319         if [[ -n $ldapdomain ]] ; then
1320         ldapserver=$(zenity --entry \
1321             --width=400 \
1322             --title="$ldaptitle" \
1323             --text="Enter Hostname of LDAP Server: ")
1324         else
1325                 return
1326         fi
1327         if [[ -n $ldapserver ]] ; then
1328         ldapserveraddr=$(zenity --entry \
1329             --width=400 \
1330             --title="$ldaptitle" \
1331             --text="Enter IP adddress of LDAP Server $ldapserver: ")
1332         else
1333                 return
1334         fi
1335         ldappassword=""
1336         while [[ -z ${ldappassword} || "x$ldappassword" != "x$ldappasswordconfirm" ]] ; do
1337             ldappassword=$(zenity --entry \
1338                 --width=400 \
1339                 --title="$ldaptitle" \
1340                 --hide-text \
1341                 --text="Enter LDAP Proxy Password:")
1342             ldappasswordconfirm=$(zenity --entry \
1343                 --width=400 \
1344                 --title="$ldaptitle" \
1345                 --hide-text \
1346                 --text="Confirm LDAP Proxy Password:")
1347         done
1348         ldapprofile=$(zenity --entry \
1349             --width=400 \
1350             --title="$ldaptitle" \
1351             --text="Enter LDAP Profile Name: ")
1352         whatnext=$(zenity --list \
1353             --width=400 \
1354             --height=250 \
1355             --title="$ldaptitle" \
1356             --text="Proceed to create LDAP Client?" \
1357             --column=Parameter --column=Value \
1358             "Domain Name" "$ldapdomain" \
1359             "Hostname" "$ldapserver" \
1360             "IP Address" "$ldapserveraddr" \
1361             "Password" "$(print "$ldappassword" | sed 's/./*/g')" \
1362             "Profile" "$ldapprofile")
1363         [ $? != 0 ] && return
1364 
1365         grep "^${ldapserveraddr}[^0-9]" /etc/hosts > /dev/null
1366         if [ $? -eq 1 ] ; then
1367                 print "$ldapserveraddr $ldapserver" >> /etc/hosts
1368         fi
1369 
1370         grep "${ldapserver}:" $TNRHDB > /dev/null
1371         if [ $? -eq 1 ] ; then
1372                 print "# ${ldapserver} - ldap server" \
1373                     >> $TNRHDB
1374                 print "${ldapserveraddr}:cipso" \
1375                     >> $TNRHDB
1376                 tnctl -h "${ldapserveraddr}:cipso"
1377         fi
1378 
1379         proxyDN=$(print $ldapdomain|awk -F"." \
1380             "{ ORS = \"\" } { for (i = 1; i < NF; i++) print \"dc=\"\\\$i\",\" }{ print \"dc=\"\\\$NF }")
1381 
1382         zenity --info \
1383             --title="$ldaptitle" \
1384             --width=500 \
1385             --text="global zone will be LDAP client of $ldapserver"
1386 
1387         ldapout=$TXTMP/ldapclient.$$
1388 
1389         ldapclient init -a profileName="$ldapprofile" \
1390             -a domainName="$ldapdomain" \
1391             -a proxyDN"=cn=proxyagent,ou=profile,$proxyDN" \
1392             -a proxyPassword="$ldappassword" \
1393             "$ldapserveraddr" >$ldapout 2>&1
1394 
1395         if [ $? -eq 0 ] ; then
1396             ldapstatus=Success
1397         else
1398             ldapstatus=Error
1399         fi
1400 
1401         zenity --text-info \
1402             --width=700 \
1403             --height=300 \
1404             --title="$ldaptitle: $ldapstatus" \
1405             --filename=$ldapout
1406 
1407         rm -f $ldapout
1408 
1409 
1410 }
1411 
1412 tearDownZones() {
1413         if [ $DISP -eq 0 ] ; then
1414                 if [ $FORCE -eq 0 ] ; then
1415                         gettext "OK to destroy all zones [y|N]? "
1416                         read ans
1417                         printf "%s\n" "$ans" \
1418                             | /usr/bin/grep -Eq "$(locale yesexpr)"
1419                         if [ $? -ne 0 ] ; then
1420                                 gettext "canceled.\n"
1421                                 return 1
1422                         fi
1423                 fi
1424                 gettext "destroying all zones ...\n"
1425         else
1426                 killall=$(zenity --question \
1427                     --title="$title" \
1428                     --width=330 \
1429                     --text="$msg_confirmkill")
1430                 if [[ $? != 0 ]]; then
1431                         return
1432                 fi
1433         fi
1434 
1435         for p in $(zoneadm list -cp|grep -v global:) ; do
1436                 zonename=$(echo "$p"|cut -d : -f2)
1437                 if [ $DISP -eq 0 ] ; then
1438                         gettext "destroying zone $zonename ...\n"
1439                 fi
1440                 zoneadm -z $zonename halt 1>/dev/null 2>&1
1441                 zoneadm -z $zonename uninstall -F 1>/dev/null 2>&1
1442                 delete -rRf
1443         done
1444         zonename=global
1445 }
1446 
1447 createDefaultZones() {
1448         # If GUI display is not used, skip the dialog
1449         if [ $DISP -eq 0 ] ; then
1450                 createDefaultPublic
1451                 if [ $? -ne 0 ] ; then
1452                         return 1
1453                 fi
1454                 createDefaultInternal
1455                 return
1456         fi
1457 
1458         msg_choose1=$(gettext "Choose one:")
1459         defpub=$(gettext "$PUBZONE zone only")
1460         defboth=$(gettext "$PUBZONE and $INTZONE zones")
1461         defskip=$(gettext "Main Menu...")
1462         command=$(echo ""\
1463             "$defpub\n" \
1464             "$defboth\n" \
1465             "$defskip\n" \
1466             | zenity --list \
1467             --title="$title" \
1468             --text="$msg_defzones" \
1469             --column="$msg_choose1" \
1470             --height=400 \
1471             --width=330 )
1472 
1473         case $command in
1474             " $defpub")
1475                 createDefaultPublic ;;
1476 
1477             " $defboth")
1478                 createDefaultPublic
1479                 if [ $? -ne 0 ] ; then
1480                         return 1
1481                 fi
1482                 createDefaultInternal ;;
1483 
1484             *)
1485                 return;;
1486         esac
1487 }
1488 
1489 createDefaultPublic() {
1490         zonename=$PUBZONE
1491         if [ $DISP -eq 0 ] ; then
1492                 gettext "creating default $zonename zone ...\n"
1493         fi
1494         newZone 
1495         zone_cnt+=1 
1496         hexlabel=$DEFAULTLABEL
1497         setTNdata
1498         sharePrimaryNic
1499 
1500         install
1501         if [ $? -ne 0 ] ; then
1502                 return 1
1503         fi
1504 
1505         if [ $DISP -eq 0 ] ; then
1506                 gettext "booting zone $zonename ...\n"
1507                 zoneadm -z $zonename boot
1508         else
1509                 zoneadm -z $zonename boot &
1510                 gnome-terminal \
1511                     --disable-factory \
1512                     --title="Zone Console: $zonename $msg_continue" \
1513                     --command "zlogin -C $zonename"
1514         fi
1515 }
1516 
1517 createDefaultInternal() {
1518         zoneadm -z $PUBZONE halt
1519 
1520         zonename=snapshot
1521         newZone 
1522         zone_cnt+=1 
1523         zonecfg -z $zonename set autoboot=false
1524 
1525         clone $PUBZONE
1526         zoneadm -z $PUBZONE boot &
1527 
1528         zonename=$INTZONE
1529         if [ $DISP -eq 0 ] ; then
1530                 gettext "creating default $zonename zone ...\n"
1531         fi
1532         newZone 
1533         zone_cnt+=1 
1534 
1535         hexlabel=$INTLABEL
1536         x=$(grep -i :{$hexlabel}: $TNZONECFG)
1537         if [ $? = 0 ] ; then
1538                 z=$(print $x|cut -d : -f1)
1539                 echo "$msg_inuse $z zone."
1540         else
1541                 setTNdata
1542         fi
1543 
1544         clone snapshot
1545         if [ $DISP -eq 0 ] ; then
1546                 gettext "booting zone $zonename ...\n"
1547         else
1548                 gnome-terminal \
1549                     --title="Zone Console: $zonename" \
1550                     --command "zlogin -C $zonename" &
1551         fi
1552         zoneadm -z $zonename boot &
1553 }
1554 
1555 selectZone() {
1556         set -A zonelist "global\nrunning\nADMIN_HIGH"
1557         integer zone_cnt=1
1558 
1559         for p in $(zoneadm list -cp|grep -v global:) ; do
1560                 zone_cnt+=1
1561         done
1562         if [ $zone_cnt == 1 ] ; then
1563                 createDefaultZones
1564         fi
1565         if [ $zone_cnt == 1 ] ; then
1566                 zonename=global
1567                 singleZone
1568                 return
1569         fi
1570 
1571         zone_cnt=1
1572         for p in $(zoneadm list -cp|grep -v global:) ; do
1573                 zonename=$(echo "$p"|cut -d : -f2)
1574                 state=$(echo "$p"|cut -d : -f3)
1575                 hexlabel=$(grep "^$zonename:" $TNZONECFG|cut -d : -f2)
1576                 if [[ $hexlabel ]] ; then
1577                         curlabel=$(hextoalabel $hexlabel)
1578                 else
1579                         curlabel=...
1580                 fi
1581                 zonelist[zone_cnt]="\n$zonename\n$state\n$curlabel"
1582                 zone_cnt+=1
1583         done
1584         zonename=$(print "${zonelist[*]}"|zenity --list \
1585             --title="$title" \
1586             --text="$msg_getzone" \
1587             --height=300 \
1588             --width=500 \
1589             --column="Zone Name" \
1590             --column="Status" \
1591             --column="Sensitivity Label" \
1592         )
1593 
1594         # if the menu choice was a zonename, pop up zone menu
1595         if [[ -n $zonename ]] ; then
1596                 singleZone
1597         else
1598                 exit
1599         fi
1600 }
1601 
1602 # Loop for single-zone menu
1603 singleZone() {
1604 
1605         while (( 1 )) do
1606                 # Clear list of commands
1607 
1608                 console=
1609                 label=
1610                 start=
1611                 reboot=
1612                 stop=
1613                 clone=
1614                 install=
1615                 ready=
1616                 uninstall=
1617                 autoboot=
1618                 delete=
1619                 deletenet=
1620                 permitrelabel=
1621 
1622                 if [ $zone_cnt -gt 1 ] ; then
1623                         killZones="Destroy all zones...\n"
1624                         xit="Select another zone..."
1625                 else
1626                         killZones=
1627                         xit="Exit"
1628                 fi
1629                 if [ $zonename = global ] ; then
1630                         ldapClient="Create LDAP Client...\n"
1631                         nscdOpt="$NSCD_OPT\n"
1632                         createZone="Create a new zone...\n"
1633                         addnet="Configure Network Interfaces...\n"
1634                 else
1635                         ldapClient=
1636                         nscdOpt=
1637                         createZone=
1638                         addnet=
1639                         killZones=
1640                 fi
1641 
1642                 zonestate=$(zoneadm -z $zonename list -p | cut -d : -f 3)
1643 
1644                 consoleCheck;
1645                 labelCheck;
1646                 delay=0
1647 
1648                 if [ $zonename != global ] ; then
1649                         case $zonestate in
1650                                 running)
1651                                         ready="Ready\n"
1652                                         reboot="Reboot\n"
1653                                         stop="Halt\n"
1654                                         ;;
1655                                 ready)
1656                                         start="Boot\n"
1657                                         stop="Halt\n"
1658                                         ;;
1659                                 installed)
1660                                         if [[ -z $label ]] ; then
1661                                                 ready="Ready\n"
1662                                                 start="Boot\n"
1663                                         fi
1664                                         uninstall="Uninstall\n"
1665                                         relabelCheck
1666                                         autobootCheck
1667                                         ;;
1668                                 configured) 
1669                                         install="Install...\n"
1670                                         cloneCheck
1671                                         delete="Delete\n"
1672                                         console=
1673                                         ;;
1674                                 incomplete)
1675                                         uninstall="Uninstall\n"
1676                                         ;;
1677                                 *)
1678                                 ;;
1679                         esac
1680                 fi
1681 
1682                 command=$(echo ""\
1683                     $createZone \
1684                     $console \
1685                     $label \
1686                     $start \
1687                     $reboot \
1688                     $stop \
1689                     $clone \
1690                     $install \
1691                     $ready \
1692                     $uninstall \
1693                     $delete \
1694                     $addnet \
1695                     $deletenet \
1696                     $addremotehost \
1697                     $addcipsohost \
1698                     $removeremotehost \
1699                     $removecipsohost \
1700                     $setmlps \
1701                     $permitrelabel \
1702                     $autoboot \
1703                     $ldapClient \
1704                     $nscdOpt \
1705                     $killZones \
1706                     $xit \
1707                     | zenity --list \
1708                     --title="$title" \
1709                     --text="$msg_getcmd" \
1710                     --height=400 \
1711                     --width=330 \
1712                     --column "Zone: $zonename   Status: $zonestate" )
1713 
1714                 case $command in
1715                     " Create a new zone...")
1716                         zonename=
1717                         newZone ;;
1718 
1719                     " Zone Console...")
1720                         delay=2
1721                         gnome-terminal \
1722                             --title="Zone Console: $zonename" \
1723                             --command "zlogin -C $zonename" & ;;
1724 
1725                     " Select Label...")
1726                         selectLabel;;
1727 
1728                     " Ready")
1729                         zoneadm -z $zonename ready ;;
1730 
1731                     " Boot")
1732                         zoneadm -z $zonename boot ;;
1733 
1734                     " Halt")
1735                         zoneadm -z $zonename halt ;;
1736 
1737                     " Reboot")
1738                         zoneadm -z $zonename reboot ;;
1739 
1740                     " Install...")
1741                         install;;
1742 
1743                     " Clone...")
1744                         clone ;;
1745 
1746                     " Uninstall")
1747                         zoneadm -z $zonename uninstall -F;;
1748 
1749                     " Delete")
1750                         delete
1751                         return ;;
1752 
1753                     " Configure Network Interfaces...")
1754                         if [ $zonename = global ] ; then
1755                                 manageNets
1756                         else
1757                                 manageZoneNets
1758                         fi;;    
1759 
1760                     " Add Single-level Access to Remote Host...")
1761                         addTnrhdb ;;
1762 
1763                     " Add Multilevel Access to Remote Host...")
1764                         template=cipso
1765                         addTnrhdb ;;
1766 
1767                     " Remove Single-level Access to Remote Host...")
1768                         removeTnrhdb ;;
1769 
1770                     " Remove Multilevel Access to Remote Host...")
1771                         template=cipso
1772                         removeTnrhdb ;;
1773 
1774                     " Configure Multilevel Ports...")
1775                         setMLPs;;
1776 
1777                     " Permit Relabeling")
1778                         zonecfg -z $zonename set limitpriv=default,\
1779 win_mac_read,win_mac_write,win_selection,win_dac_read,win_dac_write,\
1780 file_downgrade_sl,file_upgrade_sl,sys_trans_label ;;
1781 
1782                     " Deny Relabeling")
1783                         zonecfg -z $zonename set limitpriv=default ;;
1784 
1785                     " Set Automatic Booting")
1786                         zonecfg -z $zonename set autoboot=true ;;
1787 
1788                     " Set Manual Booting")
1789                         zonecfg -z $zonename set autoboot=false ;;
1790 
1791                     " Create LDAP Client...")
1792                         createLDAPclient ;;
1793 
1794                     " Configure per-zone name service")
1795                         manageNscd ;;
1796 
1797                     " Unconfigure per-zone name service")
1798                         manageNscd ;;
1799 
1800                     " Destroy all zones...")
1801                         tearDownZones
1802                         return ;;
1803 
1804                     *)
1805                         if [ $zone_cnt == 1 ] ; then
1806                                 exit
1807                         else
1808                                 return
1809                         fi;;
1810                 esac
1811                 sleep $delay;
1812         done
1813 }
1814 
1815 # Main loop for top-level window
1816 #
1817 
1818 /usr/bin/plabel $$ 1>/dev/null 2>&1
1819 if [ $? != 0 ] ; then
1820         gettext "$0 : Trusted Extensions must be enabled.\n"
1821         exit 1
1822 fi
1823 
1824 myzone=$(/sbin/zonename)
1825 if [ $myzone != "global" ] ; then
1826         gettext "$0 : must be in global zone to run.\n"
1827         exit 1
1828 fi
1829 
1830 
1831 process_options "$@" || exit
1832 
1833 mkdir $TXTMP 2>/dev/null
1834 deflabel=$(chk_encodings -a|grep "Default User Sensitivity"|\
1835    sed 's/= /=/'|sed 's/"/'''/g|cut -d"=" -f2)
1836 DEFAULTLABEL=$(atohexlabel ${deflabel})
1837 intlabel=$(chk_encodings -a|grep "Default User Clearance"|\
1838    sed 's/= /=/'|sed 's/"/'''/g|cut -d"=" -f2)
1839 INTLABEL=$(atohexlabel -c "${intlabel}")
1840 
1841 # are there any zfs pools?
1842 ZDSET=none
1843 zpool iostat 1>/dev/null 2>&1
1844 if [ $? = 0 ] ; then
1845         # is there a zfs pool named "zone"?
1846         zpool list -H zone 1>/dev/null 2>&1
1847         if [ $? = 0 ] ; then
1848                 # yes
1849                 ZDSET=zone
1850         else
1851                 # no, but is there a root pool?
1852                 rootfs=$(df -n / | awk '{print $3}')
1853                 if [ $rootfs = "zfs" ] ; then
1854                         # yes, use it
1855                         ZDSET=$(zfs list -Ho name / | cut -d/ -f 1)/zones
1856                         zfs list -H $ZDSET 1>/dev/null 2>&1
1857                         if [ $? = 1 ] ; then
1858                                 createZDSET "-o mountpoint=/zone" $ZDSET
1859                         fi
1860                 fi
1861         fi
1862 fi
1863 
1864 if [ $DISP -eq 0 ] ; then
1865         gettext "non-interactive mode ...\n"
1866 
1867         if [ $DESTROYZONES -eq 1 ] ; then
1868                 tearDownZones
1869         fi
1870 
1871         if [ $CREATEDEF -eq 1 ] ; then
1872                 if [[ $(zoneadm list -c) == global ]] ; then
1873                         createDefaultZones
1874                 else
1875                         gettext "cannot create default zones because there are existing zones.\n"
1876                 fi
1877         fi
1878 
1879         exit
1880 fi
1881 
1882 if [ $NSCD_PER_LABEL -eq 0 ] ; then
1883         NSCD_OPT="Configure per-zone name service"
1884 else
1885         NSCD_OPT="Unconfigure per-zone name service"
1886 fi
1887 
1888 
1889 while (( 1 )) do
1890         selectZone
1891 done