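#!/usr/bin/bash
#
# reliant-unseal: make a Shufflecake volume writable, mount it under
# /run/shufflecake/<name> and register the qubes stored on it with dom0.
#
# Usage: reliant-unseal <name> [qube...]
#   <name>    dm-mapper name of the volume (/dev/mapper/<name>)
#   [qube...] optional allowlist; when given, only these qubes are registered
#
# Must run as root. Refuses to run when /run/shufflecake is absent
# (unsafe/maintenance mode).
#
# TODO: check status, report if other volumes are already unsealed
set -euo pipefail

# Colour escapes stored as literal bytes so they can be printed with '%s'.
RED=$'\e[31;1m'
# shellcheck disable=SC2034  # not used yet; kept alongside RED for symmetry
GREEN=$'\e[32;1m'
ENDCOLOR=$'\e[0m'

# Unprivileged account that runs the qvm-* tools.
readonly qubes_user=user

# Qubes named on the command line after <name>; empty means "all".
declare -a allowed_qubes=()

#######################################
# Print a message to stderr and exit non-zero.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Conservative allowlist for qube names. Directory names read from the
# mounted volume are interpolated into commands, so anything outside
# letters, digits, '_' and '-' is rejected rather than passed on.
# Arguments: $1 - candidate name
# Returns:   0 if acceptable, 1 otherwise
#######################################
is_valid_qube_name() {
  [[ "$1" =~ ^[A-Za-z][A-Za-z0-9_-]*$ ]]
}

#######################################
# Decide whether a qube should be registered.
# Globals:   allowed_qubes (read)
# Arguments: $1 - qube name
# Returns:   0 when no allowlist was given or the name is on it, 1 otherwise
#######################################
is_allowed() {
  local qube=$1 candidate
  if (( ${#allowed_qubes[@]} == 0 )); then
    return 0
  fi
  for candidate in "${allowed_qubes[@]}"; do
    if [[ "$candidate" == "$qube" ]]; then
      return 0
    fi
  done
  return 1
}

#######################################
# Run a command as the unprivileged user via su. Every argument is %q-quoted
# before it reaches the login shell that su starts, so qube names and rule
# tokens arrive verbatim and cannot be interpreted as shell syntax.
# stdin is detached so callers inside 'while read' loops keep their input.
# NOTE(review): %q output assumes the user's login shell is bash — confirm.
# Globals:   qubes_user (read)
# Arguments: command and its arguments
# Returns:   exit status of the command
#######################################
as_user() {
  su "$qubes_user" -c "$(printf '%q ' "$@")" </dev/null
}

#######################################
# Replace a qube's firewall with the rules listed one per line in a file,
# then append a final drop rule. Each line is split into whitespace-separated
# words and each word becomes one argument to 'qvm-firewall add'.
# Arguments: $1 - qube name (already validated)
#            $2 - path to the firewall.rules file
#######################################
apply_firewall_rules() {
  local qube=$1 rules=$2
  local -a rule
  as_user qvm-firewall "$qube" reset
  as_user qvm-firewall "$qube" del --rule-no 0
  # The '||' clause keeps a final line that lacks a trailing newline.
  while read -r -a rule || (( ${#rule[@]} > 0 )); do
    (( ${#rule[@]} > 0 )) || continue   # blank line: nothing to add
    as_user qvm-firewall "$qube" add "${rule[@]}"
  done < "$rules"
  as_user qvm-firewall "$qube" add action=drop
}

#######################################
# Register one qube found on the volume: create its dom0 directory, refresh
# its app menus and, after interactive approval, load its firewall rules.
# Arguments: $1 - path to the qube's directory on the mounted volume
#######################################
register_qube() {
  local appvm=$1
  local qube=${appvm##*/}

  if ! is_valid_qube_name "$qube"; then
    printf 'Skipping %s: not a valid qube name.\n' "$qube" >&2
    return 0
  fi
  # Only unseal explicitly requested qubes when an allowlist was given.
  is_allowed "$qube" || return 0

  # Directory link: make sure the dom0 appvm directory exists.
  local directory="/var/lib/qubes/appvms/$qube"
  if [[ ! -d "$directory" ]]; then
    install -d -o root -g qubes -m 0750 "$directory"
  fi

  # App menus: best effort, a qube that fails to start is not fatal here.
  as_user qvm-start "$qube" &>/dev/null || true
  as_user qvm-sync-appmenus "$qube" &>/dev/null || true
  as_user qvm-shutdown "$qube" &>/dev/null || true

  # Firewall rules: shown in full and applied only on explicit approval.
  local rules="$appvm/firewall.rules"
  [[ -f "$rules" ]] || return 0
  printf 'Found firewall.rules. Approve?\n'
  cat -- "$rules"
  read -r -n 1 -p "[Y/N]: " || die "No answer read; aborting."
  echo
  if [[ ! $REPLY =~ ^[Yy]$ ]]; then
    printf 'Skipped.\n'
    return 0
  fi
  printf 'Approved.\n'
  apply_firewall_rules "$qube" "$rules"
}

#######################################
# Entry point.
# Globals:   allowed_qubes (written), RED, ENDCOLOR (read)
# Arguments: see usage in the file header
#######################################
main() {
  (( $# >= 1 )) || die "Expected at least 1 argument."
  [[ "$EUID" -eq 0 ]] || die "Must be superuser."
  [[ -d /run/shufflecake ]] \
    || die "Running in unsafe/maintenance mode, reliant-unseal not available."

  local name=$1
  # The name is used as a path component twice; refuse anything that could
  # point outside /dev/mapper or /run/shufflecake.
  case "$name" in
    '' | */* | . | ..) die "Invalid volume name: $name" ;;
  esac
  local device="/dev/mapper/$name"
  local mnt="/run/shufflecake/$name"
  [[ -b "$device" ]] || die "No such block device: $device"

  # Refuse to stack a second mount on a volume that is already unsealed.
  if mountpoint -q "$mnt"; then
    die "$mnt is already mounted; the volume appears to be unsealed."
  fi

  printf 'Unsealing device... '
  blockdev --setrw "$device"
  printf 'Done.\n'

  printf 'Unsealing mountpoint... '
  mkdir -p -- "$mnt"
  # NOTE(review): consider adding nosuid,nodev if nothing on the volume
  # needs them — confirm against the volume's contents.
  if ! mount -o rw,noatime,nodiratime "$device" "$mnt"; then
    rmdir -- "$mnt"
    die "mount failed for $device"
  fi
  printf 'Done.\n'

  # Remaining arguments, if any, restrict which qubes get registered.
  allowed_qubes=("${@:2}")

  printf 'Creating links... \n'
  local appvm
  for appvm in "$mnt/appvms/"*; do
    # An unmatched glob expands to the literal pattern; skip it instead of
    # creating a directory literally named '*'. Non-directories are skipped too.
    [[ -d "$appvm" ]] || continue
    register_qube "$appvm"
  done
  printf 'Done.\n'

  printf '%sUnsealed.%s See reliant-status for more information.\n' \
    "$RED" "$ENDCOLOR"
}

main "$@"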