live-persist 14.6 KB
Newer Older
1 2
#!/bin/bash

3 4
error ()
{
5
	echo "error: ${*}" >&2
6 7 8
	exit 1
}

anonym's avatar
anonym committed
9 10
warning ()
{
11
	echo "warning: ${*}" >&2
anonym's avatar
anonym committed
12 13
}

14
# import Cmdline_old()
15 16
. /lib/live/boot/9990-cmdline-old \
	|| error 'Could not source /lib/live/boot/9990-cmdline-old'
17

18
# Set variable names needed by get_custom_mounts(),
19 20
# and now initialized by live-boot in a file that we certainly
# don't want to source.
21
export persistence_list="persistence.conf"
22
export old_persistence_list="nonexistent"
23 24

# This will import the following functions and variables used below:
25
#   activate_custom_mounts()
26 27
#   get_custom_mounts()
#   open_luks_device()
28
#   probe_for_gpt_name()
29 30 31
#   removable_dev()
#   removable_usb_dev()
#   storage_devices()
32
#   where_is_mounted()
33
#   $custom_overlay_label
34 35
. /lib/live/boot/9990-misc-helpers.sh \
	|| error 'Could not source /lib/live/boot/9990-misc-helpers.sh'
36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71

usage ()
{
	local cmd=${0##*/}
	echo "Usage: ${cmd} [OPTION]... list [LABEL]...
List (on stdout) all GPT partitions with names among LABEL(s) that are
compatible with live-boot's overlay persistence, and that are adhering to
live-boot's persistence filters (e.g. persistent-media). If no LABEL is given
the default in live-boot is used ('${custom_overlay_label}').
   or: ${cmd} [OPTION]... activate VOLUME...
Activates persistence on the given VOLUME(s). Successes and failures are
written to stdout. There are no checks for whether the given volumes adhere
to live-boot's options.

Kernel command-line options are parsed just like in live-boot and have the same
effect (see live-boot(7) for more information)

Arguments to options must be passed using an equality sign. LISTs are coma
separated. Most options correspond to the persistent-* options of live-boot,
and will override the corresponging options parsed from the kernel command-line.

General options:
  --help                display this help and exit
  --log-file=FILE       log the bash execution trace to FILE

Options affecting the 'list' action:
  --encryption=LIST     override 'persistent-encryption'
  --media=VALUE         override 'persistent-media'

Options affecting the 'activate' action:
  --read-only           enable 'persistent-read-only'
  --read-write          disable 'persistent-read-only'
  --union=VALUE         override 'union'
"
}

72 73 74 75
escape() {
	printf "%s\n" "${2}" | sed --regexp-extended "s/[${1}]/\\\&/g"
}

kytv's avatar
kytv committed
76
escape_dots() {
77
	escape . "${@}"
78 79
}

anonym's avatar
anonym committed
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95
add_persistence_preset()
{
	local PRESET="${1}"
	local PRESET_SOURCE="${2}"
	local CONFIG="${3}"
	if [ "${PERSISTENCE_READONLY}" = true ]
	then
		warning "We are trying to add a persistence preset while" \
		        "persistence is in read-only mode"
	else
		echo "${PRESET}	source=${PRESET_SOURCE}" \
		    >> "${CONFIG}" || error "Failed to make ${PRESET}: $?"
		warning "Successfully made ${PRESET} persistent"
	fi
}

96 97 98 99
remove_persistence_preset()
{
	local PRESET="${1}"
	local CONFIG="${2}"
anonym's avatar
anonym committed
100 101 102 103 104
	# The intent here is to simply remove the line starting with
	# $PRESET, but since it is a path, and sed uses / as delimiter
	# for patterns we can use together with d, we have to escape /
	# (and . as usual).
	sed -i "/^$(escape './' "${PRESET}")\s/d" "${CONFIG}"
105 106
}

anonym's avatar
anonym committed
107 108 109 110 111 112 113 114
is_preset_enabled() {
	local PRESET="${1}"
	local PRESET_SOURCE="${2}"
	local CONFIG="${3}"
	grep --extended-regexp --line-regex --quiet --no-messages \
	     -e "$(escape_dots ${PRESET})\s+source=${PRESET_SOURCE}" "$CONFIG"
}

115 116
migrate_persistence_preset()
{
anonym's avatar
anonym committed
117 118 119 120
	local OLD="${1}"
	local OLD_SOURCE="${2}"
	local NEW="${3}"
	local NEW_SOURCE="${4}"
121
	local CONFIG="${5}"
anonym's avatar
anonym committed
122 123
	if   is_preset_enabled "${OLD}" "${OLD_SOURCE}" "${CONFIG}" && \
	   ! is_preset_enabled "${NEW}" "${NEW_SOURCE}" "${CONFIG}"
124
	then
anonym's avatar
anonym committed
125 126
		warning "Need to make ${NEW} persistent"
		add_persistence_preset "${NEW}" "${NEW_SOURCE}" \
anonym's avatar
anonym committed
127
		                       "${CONFIG}"
128 129 130
	fi
}

131 132 133
# We override live-boot's logging facilities to get more useful error messages
log_warning_msg ()
{
134
	warning "${@}"
135 136 137 138 139
}

# We override live-boot's panic() since it does a lot of crazy stuff
panic ()
{
140
	error "${@}"
141 142 143 144 145 146 147
}

list_gpt_volumes ()
{
	local labels=${@}

	local whitelistdev=""
148
	case "${PERSISTENCE_MEDIA}" in
149 150
		removable)
			whitelistdev="$(removable_dev)"
151
			[ -z "${whitelistdev}" ] && return
152 153 154
			;;
		removable-usb)
			whitelistdev="$(removable_usb_dev)"
155
			[ -z "${whitelistdev}" ] && return
156 157
			;;
		*)
158 159 160 161 162 163 164 165 166
			if grep -qs -w -E '(live-media|bootfrom)=removable-usb' /proc/cmdline ; then
				whitelistdev="$(removable_usb_dev)"
				[ -z "${whitelistdev}" ] && return
			elif grep -qs -w -E '(live-media|bootfrom)=removable' /proc/cmdline ; then
				whitelistdev="$(removable_dev)"
				[ -z "${whitelistdev}" ] && return
			else
				whitelistdev=""
			fi
167 168 169
			;;
	esac

170
	for dev in $(storage_devices "" "${whitelistdev}")
171
	do
172
		if ( is_luks_partition ${dev} >/dev/null 2>&1 && \
173
		     echo ${PERSISTENCE_ENCRYPTION} | grep -qve "\<luks\>" ) || \
174

175
		   ( ! is_luks_partition ${dev} >/dev/null 2>&1 && \
176
		     echo ${PERSISTENCE_ENCRYPTION} | grep -qve "\<none\>" )
177 178 179
		then
			continue
		fi
180
		local result="$(probe_for_gpt_name "${labels}" ${dev})"
181 182 183 184 185 186 187 188 189
		if [ -n "${result}" ]
		then
			echo ${result#*=}
		fi
	done

	exit 0
}

190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216
mountpoint_has_correct_access_rights ()
{
	local mountpoint="$1"
	local expected_user=root
	local expected_group=root
	local expected_perms=775
	local expected_acl="user::rwx
user:tails-persistence-setup:rwx
group::rwx
mask::rwx
other::r-x"

	if [ $(stat -c %U "$mountpoint") != "$expected_user" ]
	then
		warning "'$mountpoint' is not owned by the '$expected_user' user"
		return 1
	fi
	if [ $(stat -c %G "$mountpoint") != "$expected_group" ]
	then
		warning "'$mountpoint' is not owned by the '$expected_group' group"
		return 2
	fi
	if [ $(stat -c %a "$mountpoint") != "$expected_perms" ]
	then
		warning "'$mountpoint' permissions are not $expected_perms"
		return 4
	fi
Tails developers's avatar
Tails developers committed
217
	if [ "$(getfacl --omit-header --skip-base "$mountpoint" 2>/dev/null | grep -v '^\s*$')" \
218 219 220 221 222 223 224 225
	      != "$expected_acl" ]
	then
		warning "'$mountpoint' has incorrect ACL"
		return 8
	fi
	return 0
}

226 227 228
persistence_conf_file_has_correct_access_rights ()
{
	local conf="$1"
229
	local expected_perms="$2"
230 231
	local expected_user=tails-persistence-setup
	local expected_group=tails-persistence-setup
232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248
	local expected_acl=""

	if [ $(stat -c %U "$conf") != "$expected_user" ]
	then
		warning "'$conf' is not owned by the '$expected_user' user"
		return 1
	fi
	if [ $(stat -c %G "$conf") != "$expected_group" ]
	then
		warning "'$conf' is not owned by the '$expected_group' group"
		return 2
	fi
	if [ $(stat -c %a "$conf") != "$expected_perms" ]
	then
		warning "'$conf' permissions are not $expected_perms"
		return 4
	fi
Tails developers's avatar
Tails developers committed
249
	if [ "$(getfacl --omit-header --skip-base "$conf" 2>/dev/null | grep -v '^\s*$')" \
250 251 252 253 254 255 256 257
	      != "$expected_acl" ]
	then
		warning "'$conf' has incorrect ACL"
		return 8
	fi
	return 0
}

258 259 260
disable_and_create_empty_persistence_conf_file ()
{
	local conf="$1"
261
	local mode="$2"
262
	local dest="${conf}.insecure_disabled"
263

264 265 266 267 268
	if [ -z "$mode" ]
	then
		mode=0600
	fi

269 270 271 272 273 274 275
	if [ -s "$conf" ]
	then
		mv "$conf" "$dest" || error "Failed to disable '$conf': $?"
	else
		rm "$conf" || error "Failed to delete '$conf': $?"
	fi

276
	create_empty_persistence_conf_file "$conf" "$mode"
277 278 279 280 281
}

create_empty_persistence_conf_file ()
{
	local conf="$1"
282
	local mode="$2"
283

284
	install --owner tails-persistence-setup \
285
		--group tails-persistence-setup --mode "$mode" \
286 287 288 289
		/dev/null "$conf" \
		|| error "Failed to create empty '$conf': $?"
}

290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331
activate_volumes ()
{
	local volumes=${@}
	local ret=0
	local open_volumes=""
	local successes=""
	local failures=""

	# required by open_luks_device()
	exec 6>&1

	for vol in ${volumes}
	do
		if [ ! -b "${vol}" ]
		then
			warning "${vol} is not a block device"
			failures="${failures} ${vol}"
			ret=1
			continue
		fi
		if [ -n "$(what_is_mounted_on ${dev})" ]
		then
			warning "${vol} is already mounted"
			failures="${failures} ${vol}"
			ret=1
			continue
		fi
		local luks_vol=""
		if /sbin/cryptsetup isLuks ${vol} >/dev/null 2>&1 
		then
			if luks_vol=$(open_luks_device "${vol}")
			then
				open_volumes="${open_volumes} ${luks_vol}"
			else
				failures="${failures} ${vol}"
			fi
		else
			open_volumes="${open_volumes} ${vol}"
		fi
	done

	custom_mounts="$(mktemp /tmp/custom_mounts-XXXXXX.list)"
332
	get_custom_mounts ${custom_mounts} ${open_volumes}
333 334
	# ... and now the persistent volumes should be mounted.

335
	# Enable the acl mount option on all persistent filesystems.
336
	for mountpoint in $(ls -d /live/persistence/*_unlocked || true)
337 338 339 340
	do
		mount -o remount,acl "$mountpoint"
	done

341
	# Detect if we have incorrect ownership, permissions and ACL.
342
	ACCESS_RIGHTS_ARE_CORRECT=true
343
	for mountpoint in $(ls -d /live/persistence/*_unlocked || true)
344 345 346
	do
		if ! mountpoint_has_correct_access_rights "$mountpoint"
		then
347
			ACCESS_RIGHTS_ARE_CORRECT=false
348 349 350
			break
		fi
	done
Tails developers's avatar
TODO++  
Tails developers committed
351

anonym's avatar
anonym committed
352
	# Create live-additional-software.conf if there is none
353 354 355 356
	for mountpoint in $(ls -d /live/persistence/*_unlocked || true)
	do
		if test ! -f "$mountpoint/live-additional-software.conf"
		then
357
			create_empty_persistence_conf_file "$mountpoint/live-additional-software.conf" "0644"
358 359 360
		fi
	done

361 362 363 364
	# Disable all persistence configuration files if the mountpoint
	# has wrong access rights.
	if [ "$ACCESS_RIGHTS_ARE_CORRECT" != true ]
	then
365
		for f in $(ls /live/persistence/*_unlocked/persistence.conf || true)
366 367 368 369
		do
			warning "Disabling '$f': persistent volume has unsafe access rights"
			disable_and_create_empty_persistence_conf_file "$f"
		done
370 371 372 373 374
		for f in $(ls /live/persistence/*_unlocked/live-additional-software.conf || true)
		do
			warning "Disabling '$f': persistent volume has unsafe access rights"
			disable_and_create_empty_persistence_conf_file "$f" "644"
		done
375
	fi
376

377 378
	# Regardless of the mountpoint access rights, disable persistence
	# configuration files with wrong access rights.
379
	for f in $(ls /live/persistence/*_unlocked/persistence.conf || true)
380
	do
381
		if ! persistence_conf_file_has_correct_access_rights "$f" "600"
382 383 384 385 386
		then
			warning "Disabling '$f', that has unsafe access rights"
			disable_and_create_empty_persistence_conf_file "$f"
		fi
	done
387 388
	for f in $(ls /live/persistence/*_unlocked/live-additional-software.conf || true)
	do
389
		if persistence_conf_file_has_correct_access_rights "$f" "600"
Alan's avatar
Alan committed
390
		then
391 392
			chmod 0644 "$f"
		fi
393
		if ! persistence_conf_file_has_correct_access_rights "$f" "644"
394 395
		then
			warning "Disabling '$f', that has unsafe access rights"
396
			disable_and_create_empty_persistence_conf_file "$f" "644"
397 398
		fi
	done
399

400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427
	# Fix permissions on persistent directories that were created
	# with unsafe permissions.
	for persistent_fs in $(ls -d /live/persistence/*_unlocked || true)
	do
		[ -d "$persistent_fs" ] || continue
		for child in $(ls "$persistent_fs" || true)
		do
			subdir="$persistent_fs/$child"
			[ -d "$subdir" ] || continue
			# Note: we chmod even custom persistent directories.
			# This may break things by changing otherwise correct
			# permissions copied from the directory that was made
			# persistent, so we only do that if the persistent directory
			# is owned by amnesia:amnesia, and thus unlikely to be
			# a system directory. This e.g. avoids setting wrong
			# permissions on the APT, CUPS and NetworkManager
			# persistent directories.
			[ $(stat -c '%U' "$subdir") = 'amnesia' ] || continue
			[ $(stat -c '%G' "$subdir") = 'amnesia' ] || continue
			if [ "$PERSISTENCE_READONLY" = true ]
			then
				warning "Permissions of '$subdir' may need to be fixed, but read only was selected; please retry in read-write mode"
			else
				chmod go= "$subdir"
			fi
		done
	done

428
	# Load the new persistence.conf.
429
	custom_mounts="$(mktemp /tmp/custom_mounts-XXXXXX.list)"
430
	get_custom_mounts ${custom_mounts} ${open_volumes}
431

432 433
	if [ -s "${custom_mounts}" ]
	then
434 435 436 437
		OLD_UMASK="$(umask)"
		# Have activate_custom_mounts create new directories
		# with safe permissions (#7443)
		umask 0077
438
		activate_custom_mounts ${custom_mounts} &> /dev/null
439
		umask "$OLD_UMASK"
440 441 442
	fi
	rm -f ${custom_mounts} 2> /dev/null

443 444 445 446 447 448 449 450
	# Get rid of any Enigmail configuredVersion that we previously used
	# to set in a way that would persistently override the value maintained
	# by Enigmail itself (#12680, #15693). We stopped writing this pref
	# there a long time ago but recently instructed users to reintroduce
	# this problem as a workaround (#15692).
	tb_profile="$(dirname "${conf}")/thunderbird/profile.default"
	rm -f "${tb_profile}/preferences/0000tails.js"

451 452
	for vol in ${open_volumes}
	do
453
		if grep -qe "^${vol}\>" /proc/mounts
454
		then
455 456
			successes="${successes} ${vol}"
		else
457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481
			failures="${failures} ${vol}"
			ret=1
		fi
	done

	if [ -n "${successes}" ]
	then
		echo "Successes:"
		for vol in ${successes}
		do
			echo "  - ${vol}"
		done
	fi

	if [ -n "${failures}" ]
	then
		echo "Failures:"
		for vol in ${failures}
		do
			echo "  - ${vol}"
		done
	fi
	exit ${ret}
}

482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501
close_volumes ()
{
	local volumes=${@}
	local custom_mounts="$(mktemp /tmp/custom_mounts-XXXXXX.list)"
	get_custom_mounts ${custom_mounts} ${volumes}
	while read device source dest options # < ${custom_mounts}
	do
		if [ "${options}" != linkfiles ]
		then
			umount ${dest} 2> /dev/null
		fi
	done < ${custom_mounts}
	rm -f ${custom_mounts} 2> /dev/null
	for vol in ${volumes}
	do
		local backing=$(where_is_mounted ${vol})
		umount ${backing}
	done
}

502 503 504 505 506 507 508 509
main ()
{
	# tracing get's activated by Arguments() if "debug" is in /proc/cmdline
	# which may be something we don't want to flood stderr
	exec 3<>"/dev/null"
	BASH_XTRACEFD="3"

	# parse the kernel cmdline for live-boot's configuration as defaults
510
	Cmdline_old
511 512 513 514 515

	# note that this is not enough for disabling tracing. we need to do the
	# $BASH_XTRACEFD stuff above to avoid tracing until this point.
	set +x

516
	export PERSISTENCE="true"
517
	export NOPERSISTENCE=""
518 519 520 521 522 523 524 525

	# Should be set empty since live-boot already changed root for us
	export rootmnt=""

	while echo "${1}" | grep -qe "^--[^ ]\+\>"
	do
		case "${1}" in
			--encryption=*)
526
				export PERSISTENCE_ENCRYPTION="${1#*=}"
527 528 529 530 531 532 533 534 535 536 537 538
				;;
			--help)
				usage
				exit 0
				;;
			--log-file=*)
				local log_file="${1#*=}"
				[ -e "${log_file}" ] && rm -f "${log_file}"
				exec 3<>"${log_file}"
				set -x
				;;
			--media=*)
539
				export PERSISTENCE_MEDIA="${1#*=}"
540 541
				;;
			--read-only)
542
				export PERSISTENCE_READONLY="true"
543 544
				;;
			--read-write)
545
				export PERSISTENCE_READONLY=""
546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568
				;;
			--union=*)
				export UNIONTYPE="${1#*=}"
				;;
			*)
				error "unrecognized option: ${1}"
				;;
		esac
		shift
	done

	local action="${1}"
	shift
	case "${action}" in
		list)
			local labels=${@}
			if ! echo ${labels} | grep -qe "[^[:space:]]"
			then
				# use default from live-helpers
				labels=${custom_overlay_label}
			fi
			list_gpt_volumes ${labels}
			;;
569
		activate|close)
570
			if ! echo "${@}" | grep -qe "[^[:space:]]"
571 572 573
			then
				error "you must specify at least one volume"
			fi
574
			${action}_volumes "${@}"
575 576 577 578 579 580 581 582 583 584
			;;
		"")
			error "no action specified"
			;;
		*)
			error "unrecognized action: ${action}"
			;;
	esac
}

585
main "${@}"