#!/usr/bin/bash
# reliant-unseal: makes a /dev/mapper volume writable, mounts it under
# /run/shufflecake and prepares the qubes stored on it.
# Arguments: $1  - volume name (entry under /dev/mapper)
#            $2… - optional list of qubes to restrict the run to
#TODO: check status, report if other volumes are already unsealed
set -euo pipefail

# ANSI colour sequences; they are expanded later by `echo -e`.
RED='\e[31;1m'
GREEN='\e[32;1m'
ENDCOLOR='\e[0m'

# The volume name is mandatory.
if (( $# < 1 )); then
  echo "Expected at least 1 argument."
  exit 1
fi

# Everything below (blockdev, mount, install, su) is run as root.
if (( EUID != 0 )); then
  echo "Must be superuser."
  exit 1
fi

# A missing /run/shufflecake is treated as unsafe/maintenance mode, in which
# unsealing is refused outright.
if [[ ! -d /run/shufflecake ]]; then
  echo "Running in unsafe/maintenance mode, reliant-unseal not available."
  exit 1
fi
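# Volume name from the command line. It becomes a path component of both the
# device node and the mountpoint while running as root, so a value such as
# "../x" must not be allowed to point outside /dev/mapper or /run/shufflecake.
name=$1
case "$name" in
  '' | . | .. | */*)
    echo "Invalid volume name." >&2
    exit 1
    ;;
esac
device="/dev/mapper/$name"

# Refuse to flip the read-only flag on, or mount, anything that is not an
# existing block device.
if [[ ! -b "$device" ]]; then
  printf 'Not a block device: %q\n' "$device" >&2
  exit 1
fi

echo -n "Unsealing device... "
blockdev --setrw "$device"
echo "Done."

echo -n "Unsealing mountpoint... "
mount_dir="/run/shufflecake/$name"
# mkdir (without -p) fails when the directory already exists; with the
# script's `set -e` that stops a second unseal of the same volume.
mkdir "$mount_dir"
# NOTE(review): the volume only appears to hold qube data; consider adding
# nosuid,nodev to the mount options — confirm nothing on it relies on them.
if ! mount -o rw,noatime,nodiratime "$device" "$mount_dir"; then
  # Do not leave an empty mountpoint behind, or the next run's mkdir fails.
  rmdir "$mount_dir" || true
  echo "Mount failed." >&2
  exit 1
fi
echo "Done."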
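# Optional qube filter: every argument after the volume name. Held as an
# array so names are compared verbatim, without word splitting or globbing.
allowed_qubes=("${@:2}")

# Directory names and rule lines read from the volume are spliced into
# `su user -c "…"` command strings below, i.e. they are re-parsed by a shell.
# Both are therefore checked against allow-lists that contain no shell
# metacharacters before they are used.
# Qube names: a letter followed by letters, digits, '_' or '-', 31 chars max.
qube_name_re='^[A-Za-z][A-Za-z0-9_-]{0,30}$'
# Rule lines: key=value tokens separated by spaces (addresses, ports, names).
# Quoted values, e.g. a comment= containing quotes, are rejected by design.
rule_re='^[A-Za-z0-9=.:/,_ -]+$'

echo "Creating links... "
for appvm in "/run/shufflecake/$name/appvms/"*; do
  # An unmatched glob is left as the literal pattern; skip it.
  [[ -e "$appvm" ]] || continue
  qube="${appvm##*/}"

  if [[ ! "$qube" =~ $qube_name_re ]]; then
    # %q keeps control characters in a hostile name off the terminal.
    printf 'Skipping entry with invalid qube name: %q\n' "$qube" >&2
    continue
  fi

  # Filter if user provided a list of qubes
  if (( ${#allowed_qubes[@]} > 0 )); then
    allowed=0
    for allowed_qube in "${allowed_qubes[@]}"; do
      if [[ "$qube" == "$allowed_qube" ]]; then
        allowed=1
        break
      fi
    done

    # Only unseal explicitly requested qubes
    if (( allowed != 1 )); then
      continue
    fi
  fi

  # Directory link
  directory="/var/lib/qubes/appvms/$qube"
  if [[ ! -d "$directory" ]]; then
    install -d -o root -g qubes -m 0750 "$directory"
  fi

  # App menus: best effort, failures and output are deliberately ignored.
  su user -c "qvm-start $qube" &>/dev/null || true
  su user -c "qvm-sync-appmenus $qube" &>/dev/null || true
  su user -c "qvm-shutdown $qube" &>/dev/null || true

  # Firewall rules
  rules_file="$appvm/firewall.rules"
  if [[ -f "$rules_file" ]]; then
    # Read the file once: the lines shown for approval are exactly the lines
    # applied afterwards, even if the file changes in between.
    mapfile -t raw_rules < "$rules_file"
    rules=()
    rules_ok=1
    for ((i = 0; i < ${#raw_rules[@]}; i++)); do
      rule=${raw_rules[i]}
      # Blank lines carry no rule.
      if [[ -z "${rule// /}" ]]; then
        continue
      fi
      if [[ ! "$rule" =~ $rule_re ]]; then
        printf 'Rejected firewall.rules for %s: line %d has unexpected characters.\n' \
          "$qube" "$((i + 1))" >&2
        rules_ok=0
        break
      fi
      rules+=("$rule")
    done
    # Validate everything before touching the firewall, so a bad file never
    # leaves the qube with a half-applied rule set.
    if (( rules_ok != 1 )); then
      continue
    fi

    echo "Found firewall.rules. Approve?"
    for ((i = 0; i < ${#rules[@]}; i++)); do
      printf '%s\n' "${rules[i]}"
    done
    read -p "[Y/N]: " -n 1 -r
    echo
    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
      echo "Skipped."
      continue
    fi

    echo "Approved."
    # NOTE(review): if one of the calls below fails, `set -e` aborts with the
    # rule set partially applied — confirm which state that leaves the qube in.
    su user -c "qvm-firewall $qube reset"
    su user -c "qvm-firewall $qube del --rule-no 0"
    for ((i = 0; i < ${#rules[@]}; i++)); do
      su user -c "qvm-firewall $qube add ${rules[i]}"
    done
    # Explicit final drop after the approved rules.
    su user -c "qvm-firewall $qube add action=drop"
  fi
done
echo "Done."

echo -e "${RED}Unsealed.${ENDCOLOR} See reliant-status for more information."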