#!/bin/sh
# Version stamp reported at startup (the functions file carries its own,
# script_version_functions) and the initramfs hook prerequisite list, which
# is empty because this script depends on no other hook.
script_version='06032024-0247'
PREREQ=''
# Print the hook prerequisite list (PREREQ) on stdout, one line.  This is the
# reply to the "prereqs" query the initramfs framework sends as $1.
prereqs() {
  printf '%s\n' "${PREREQ}"
}
# Answer the framework's "prereqs" query and stop right there; any other (or
# no) argument falls through to the real work below.  The "x" prefix keeps
# test(1) from misreading an odd first argument as an operator.
if [ "x$1" = "xprereqs" ]; then
  prereqs
  exit 0
fi

# Shared helpers used below (dialog_skip_or_do, debug_pause) and
# script_version_functions come from this sourced file.
. /scripts/lukskeychainfunctions
# Offer to scrub the unused RAM with sdmem, then leave the script.  The scrub
# is there so that material freed when the keychain container was closed does
# not linger in free pages; sdmem overwrites only memory it can allocate, so
# anything the kernel itself still holds is out of its reach.  Without
# /usr/bin/sdmem the step is skipped after a short pause.
# Never returns.  The exit status is whatever the last command returned
# (sdmem, debug_pause, or 0 when the user cancelled the wipe).
ask_for_memory_wipe_and_exit() {
  if [ ! -e /usr/bin/sdmem ]; then
    echo "The program sdmem for wiping the free RAM is not installed, we skip this step."
    debug_pause 5
    exit
  fi
  # dialog_skip_or_do (10 s timeout) returns non-zero when the user did NOT
  # cancel, i.e. when the wipe should go ahead.
  if ! dialog_skip_or_do 10 "If you don't cancel it the memory wipe will be performed (it may take time)..."; then
    echo "Sync..."
    sync
    echo "Dropping caches with 'echo 3 > /proc/sys/vm/drop_caches'..."
    echo 3 > /proc/sys/vm/drop_caches
    echo "Sync..."
    sync
    echo "Cleaning the unused RAM with sdmem (in a 'fast' mode by writing zeroes, but it may take time)..."
    # Both -l flags select sdmem's fastest (fewest passes) mode.
    /usr/bin/sdmem -l -l
  fi
  exit
}
# Announce the run with both version stamps (script_version_functions is set
# by the sourced functions file).
printf '%s\n' "Starting lukskeychainclose script... (version ${script_version}, functions version ${script_version_functions})"
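# Hold the boot while a keychain is still mounted or open and ask the operator
# what to do.  Prompts until one of:
#   - the exact phrase "security risk" is typed: the boot goes on through
#     ask_for_memory_wipe_and_exit (which exits, so this never returns);
#   - an empty line (also what read yields at EOF): a shell is started on the
#     console -- the plain initramfs /bin/sh, running with this script's
#     privileges and with nothing here restricting it -- and when that shell
#     exits the function returns so the caller can retry the unmount/close
#     sequence.
# Any other input is reported and the prompt is repeated.
# The answer is read with -r so a backslash typed by the operator is kept as
# typed instead of being consumed as an escape; without it an answer could
# be mangled and fail to match although it looked right on the console.
user_interaction() {
  while :; do
    echo "Press Enter to drop to the shell or type 'security risk'"
    echo "and press Enter to leave it and continue."
    read -r this_answer
    case "${this_answer}" in
      "security risk")
        echo "Continuing with the boot..."
        ask_for_memory_wipe_and_exit
        ;;
      "")
        echo "After exiting from the shell, another automatic attempt to"
        echo "unmount and close the keychains will be made."
        echo "Example commands:"
        echo " umount /mykeys"
        echo " cryptsetup close keychaintmp"
        if [ -r /usr/bin/mcedit ]; then
          echo "Dropping to shell... (Type 'exit' and press Enter to exit. Programs 'mc' and 'mcedit' are available.)"
        else
          echo "Dropping to shell... (Type 'exit' and press Enter to exit.)"
        fi
        /bin/sh
        return
        ;;
      *)
        echo "Unexpected user input."
        ;;
    esac
  done
}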
debug_pause 5

# One-time snapshot of what sits on /mykeys before any unmount attempt:
#   mounted_devices_full_list   - every device node mounted at /mykeys (more
#                                 than one if it was mounted repeatedly)
#   mounted_devices_mapper_list - the subset under /dev/mapper, i.e. the
#                                 containers this script has to close
# Both are deliberately taken outside the retry loop below and never
# modified afterwards: later iterations must still know which containers
# were involved once they are no longer mounted, and the values are kept
# for possible use in future versions of the script.
mounted_devices_full_list=$(awk '$2 == "/mykeys" {print $1}' /proc/mounts)
mounted_devices_mapper_list=$(echo "${mounted_devices_full_list}" | awk '/^\/dev\/mapper\//')
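# Unmount whatever is mounted below /mntpoints.  An unmatched glob stays the
# literal string "/mntpoints/*", so each entry is checked for existence before
# being handed to umount instead of producing a spurious error.
unmount_mntpoints() {
  echo "Unmounting all filesystems from /mntpoints/* (if any)..."
  for this_mountpoint in /mntpoints/*; do
    [ -e "${this_mountpoint}" ] || continue
    umount "${this_mountpoint}"
  done
}

# Main retry loop.  The boot is only allowed to continue (through
# ask_for_memory_wipe_and_exit, which exits) once nothing is mounted on
# /mykeys and every /dev/mapper container that was mounted there is closed,
# so the keychain is not left reachable to the booted system.  Otherwise the
# remaining state is reported, the operator gets a shell via
# user_interaction, and the whole sequence is retried when it returns.
while :; do
  # Unattended attempt first.  Unmounting by device node fails under busybox
  # ("Invalid argument"), so the mount point is unmounted once per device
  # found there: stacked mounts on /mykeys come off one per call.  The lists
  # are intentionally unquoted so they split into one word per device.
  for this_device in $mounted_devices_full_list; do
    echo "Trying to unmount ${this_device}..."
    umount /mykeys
  done
  for this_device in $mounted_devices_mapper_list; do
    echo "Trying to close ${this_device}..."
    cryptsetup close "${this_device##*/}"
  done
  unmount_mntpoints

  # Re-read /proc/mounts.  Normally a single device, but a user mistake can
  # leave several mounted on the same mount point (one per line).
  mounted_devices=$(awk '$2 == "/mykeys" {print $1}' /proc/mounts)
  # Containers from the original list whose /dev/mapper node still exists
  # were not closed.  Joined with single spaces and no leading space, so a
  # lone device really has no whitespace and the singular message below
  # applies to it (a leading separator used to force the plural wording).
  list_of_not_closed_mapper_devices=""
  for this_device in $mounted_devices_mapper_list; do
    if [ -e "${this_device}" ]; then
      list_of_not_closed_mapper_devices="${list_of_not_closed_mapper_devices:+${list_of_not_closed_mapper_devices} }${this_device}"
    fi
  done

  if [ -z "${list_of_not_closed_mapper_devices}${mounted_devices}" ]; then
    echo "Looks like we have all filesystems unmounted from /mykeys and all encrypted containers"
    echo "with filesystems previously mounted at /mykeys closed. So we continue booting."
    unmount_mntpoints
    debug_pause 5
    ask_for_memory_wipe_and_exit
  else
    # Something is still mounted or open: describe it before handing over to
    # the operator.  Whitespace (space or newline) inside a list means more
    # than one entry.
    if [ -n "${mounted_devices}" ]; then
      case "${mounted_devices}" in
        *[[:space:]]*)
          echo "This is the list of devices mounted on /mykeys:"
          echo "${mounted_devices}"
          echo "Please unmount them manually."
          ;;
        *)
          echo "This is a device mounted on /mykeys:"
          echo "${mounted_devices}"
          echo "Please unmount it manually."
          ;;
      esac
    fi
    if [ -n "${list_of_not_closed_mapper_devices}" ]; then
      case "${list_of_not_closed_mapper_devices}" in
        *[[:space:]]*)
          echo "This is the list of devices containing filesystems mounted on /mykeys:"
          echo "${list_of_not_closed_mapper_devices}"
          echo "Please close them manually."
          ;;
        *)
          echo "This is the device containing a filesystem mounted on /mykeys:"
          echo "${list_of_not_closed_mapper_devices}"
          echo "Please close it manually."
          ;;
      esac
      if [ -n "${mounted_devices}" ]; then
        echo "Alternatively, you can only unmount its filesystem and exit the shell."
        echo "After you exit from the shell, an automatic retry to close the device(s) will be made."
      fi
    fi
    unmount_mntpoints
    user_interaction
  fi
done

# Not normally reached: the loop above has no exit of its own and only ends
# through ask_for_memory_wipe_and_exit.  Kept as a safety net.
ask_for_memory_wipe_and_exit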