From: xf0r3m Date: Sun, 6 Jul 2025 16:18:31 +0000 (+0200) Subject: Przekazanie do testów obsługi LVM w immudex-crypt oraz immudex-padlock. X-Git-Url: https://gitweb.morketsmerke.org/?a=commitdiff_plain;ds=inline;p=X200.git Przekazanie do testów obsługi LVM w immudex-crypt oraz immudex-padlock.
---
diff --git a/base.sh b/base.sh
index 0054736..43c60ff 100644
--- a/base.sh
+++ b/base.sh
@@ -112,7 +112,7 @@ cp -vv ~/immudex/tools/bin/immudex-morketsmerke /usr/local/bin;
 cp -vv ~/X200/immudex-motd2 /usr/local/bin/immudex-motd2;
 cp -vv ~/X200/immudex-run /usr/local/bin/immudex-run;
 cp -vv ~/X200/immudex-nextcloud /usr/local/bin/immudex-nextcloud;
-cp -vv ~/immudex/tools/bin/immudex-padlock /usr/local/bin;
+cp -vv ~/X200/immudex-padlock /usr/local/bin;
 cp -vv ~/immudex/tools/bin/immudex-pl /usr/local/bin;
 wget https://ftp.morketsmerke.org/librewolf/immudex-secured-firefox -O /usr/local/bin/immudex-secured-firefox;
 cp -vv ~/immudex/tools/bin/immudex-shoutcasts /usr/local/bin;
@@ -123,13 +123,13 @@ install_packages fzf jq ueberzug;
 git clone https://github.com/pystardust/ytfzf /tmp/ytfzf;
 (cd /tmp/ytfzf && make install doc)
-cp -vv ~/immudex/tools/bin/library.sh /usr/local/bin;
+cp -vv ~/X200/library.sh /usr/local/bin;
 cp -vv ~/immudex/tools/bin/idle-clic /usr/local/bin;
 cp -vv ~/immudex/tools/bin/sync.sh /usr/local/bin;
 chmod +x /usr/local/bin/*;
 cp -vv ~/immudex/tools/sbin/immudex-create-media /usr/local/sbin;
-cp -vv ~/immudex/tools/sbin/immudex-crypt /usr/local/sbin;
+cp -vv ~/X200/immudex-crypt /usr/local/sbin;
 cp -vv ~/immudex/tools/sbin/immudex-hostname /usr/local/sbin;
 cp -vv ~/immudex/tools/sbin/immudex-install /usr/local/sbin;
 cp -vv ~/immudex/tools/sbin/immudex-upgrade /usr/local/sbin;
diff --git a/immudex-crypt b/immudex-crypt
new file mode 100755
index 0000000..ed8c76a
--- /dev/null
+++ b/immudex-crypt
@@ -0,0 +1,227 @@
+#!/bin/bash
+
+function help() {
+
+ echo "immudex-crypt - script used for listing, open and close crypt_LUKS ppartitions";
+ echo "@ 2024 morketsmerke.org";
+ echo "Superuser (root) privileges are required.";
+ echo "Options:";
+ echo " list - displaing list of opened and available crypt_LUKS devices";
+ echo " create - formatting device for crypt_LUKS";
+ echo " open - opening crypt_LUKS device, after this device is ready to mount";
+ echo " close - unmount and closing crypt_LUKS devices";
+ echo "Using:";
+ echo "# immudex-crypt list";
+ echo "# immudex-crypt create ";
+ echo "# immudex-crypt open ";
+ echo "# immudex-crypt close immudex-crypt[0-9] | ic[0-9] | [0-9]";
+ echo "LVM prep:";
+ echo "It's possible to mount EXT4 LV with your data, behind LUKS. For now";
+ echo "only open function works, so you need prepare whole LVM structure on";
+ echo "your disk or partition even with file system instalation. If there is";
+ echo "only one EXT4 LV it will be mounted automaticly, but if there is more";
+ echo "than one, you will be asked to choose which one shoud be mounted.";
+ echo "LVM behind LUKS, can be used for swap. 
Turning on swap partition is up";
+ echo "to you, but close function check is there any swap partition in use";
+ echo "and turn off swap before deactivating volume group and close LUKS.";
+}
+
+function list() {
+
+ mapperDeviceList=$(ls /dev/mapper | grep 'immudex-*' | awk '{printf $1" "}');
+
+ echo "==============================================================";
+ echo -e "Opened devices:";
+ echo "==============================================================";
+ echo -e "Device:\t\tMapper name:\t\tMount point:";
+
+ if [ "$mapperDeviceList" ]; then
+ for dmDevice in $mapperDeviceList; do
+ if cryptsetup status /dev/mapper/${dmDevice} > /dev/null 2>&1; then
+ mountPoint=$(df --output=source,target /dev/mapper/${dmDevice} | tail -n 1 | awk '{printf $2}');
+ device=$(sudo cryptsetup status /dev/mapper/${dmDevice} | grep "device" | awk '{printf $2}');
+ if [ "$mountPoint" ] && [ "$mountPoint" != "/dev" ]; then
+ echo -e "$device\t /dev/mapper/${dmDevice}\t$mountPoint";
+ else
+ if $(sudo blkid | grep "${dmDevice}" | grep -q "LVM2_member"); then
+ echo -e "$device\t /dev/mapper/${dmDevice}\tNot mounted (LVM2_member)";
+ else
+ echo -e "$device\t /dev/mapper/${dmDevice}\tNot mounted";
+ fi
+ fi
+ fi
+ done
+ else
+ echo -e "No opened crypt devices was found";
+ fi
+ echo "==============================================================";
+
+ luksDevicesList=$(sudo blkid | grep 'LUKS' | cut -d ":" -f 1 | awk '{printf $1" "}');
+
+ echo "==============================================================";
+ echo -e "crypt_LUKS devices:";
+ echo "==============================================================";
+ echo -e "Device:\t\t\tSize:";
+
+ if [ "$luksDevicesList" ]; then
+ for lDevice in $luksDevicesList; do
+ lDeviceSize=$(lsblk | grep "$(basename $lDevice)" | awk '{printf $4}');
+ echo -e "$lDevice\t\t$lDeviceSize";
+ done
+ else
+ echo "No crypt device was found";
+ fi
+ echo "==============================================================";
+}
+
+function open() {
+
+ if [ $# -lt 1 ]; then help; exit 1;
+ else
+ index=$(ls --hide=control /dev/mapper | grep "immudex-crypt" | grep -o "[0-9]*$"| tail -1);
+ if [ "$index" ]; then
+ index=$((index + 1));
+ else
+ index=0;
+ fi
+ cryptsetup open $1 immudex-crypt${index};
+ mkdir -p /media/${USER}/immudex-crypt${index};
+ # Różnica w reprezentacji czasu modyfikacji miedzy Debian testing a stable i oldstable
+ #dmDevice=$(ls -l /dev/mapper/immudex-crypt${index} | awk '{printf $10}' | cut -d "/" -f 2);
+ lastField=$(ls -l /dev/mapper/immudex-crypt${index} | grep -o ' ' | wc -l);
+ dmDevice=$(ls -al /dev/mapper/immudex-crypt${index} | cut -d " " -f ${lastField}- | cut -d "/" -f2);
+ if ! $(sudo file -s /dev/${dmDevice} | grep -q 'ext4'); then
+ if $(sudo file -s /dev/${dmDevice} | grep -q 'LVM'); then
+ lvm_member=0;
+ else
+ echo "Could not determine filesystem of unlocked device.";
+ echo -n "Format this device to ext4? (y/n): "
+ read format;
+ if [ "$format" = "y" ]; then
+ mkfs.ext4 /dev/mapper/immudex-crypt${index};
+ else
+ echo "Refuse to mount.";
+ cryptsetup close immudex-crypt${index};
+ exit 1;
+ fi
+ fi
+ fi
+ if [ "$lvm_member" ]; then
+ luksDeviceName="immudex-crypt${index}";
+ vgName=$(sudo pvs | grep "$luksDeviceName" | awk '{printf $2}');
+ extLVS=$(sudo blkid | grep "$(echo "$vgName" | sed 's,-,--,g')" | grep 'ext4' | sed 's/://g' | awk '{printf $1" "}');
+ if [ $(echo $extLVS | wc -w) -gt 0 ]; then
+ if [ $(echo $extLVS | wc -w) -gt 1 ]; then
+ select extLV in $extLVS; do
+ break;
+ done
+ mount $extLV /media/${USER}/immudex-crypt${index};
+ else
+ mount $extLVS /media/${USER}/immudex-crypt${index};
+ fi
+ else
+ echo "Refuse to mount.";
+ cryptsetup close immudex-crypt${index};
+ exit 1;
+ fi
+ else
+ mount /dev/mapper/immudex-crypt${index} /media/${USER}/immudex-crypt${index};
+ fi
+ if [ ! 
-e /ic${index} ]; then
+ ln -s /media/${USER}/immudex-crypt${index} /ic${index};
+ fi
+ fi
+
+}
+
+function close() {
+
+ if [ $# -lt 1 ]; then help; exit 1;
+ else
+ if [ $1 -ge 0 ] 2> /dev/null; then
+ cryptfsName="immudex-crypt${1}";
+ elif echo $1 | grep -q 'ic'; then
+ cryptfsName="immudex-crypt$(echo $1 | grep -o '[0-9]')";
+ else
+ cryptfsName=$1;
+ fi
+ if cryptsetup status /dev/mapper/${cryptfsName} > /dev/null 2>&1; then
+ mountPoint=$(df --output=source,target /media/${USER}/${cryptfsName} | tail -1 | awk '{printf $2}');
+ if [ "$mountPoint" ] && [ "$mountPoint" != "/dev" ]; then
+ umount -R $mountPoint;
+ if $(sudo blkid | grep "$cryptfsName" | grep -q 'LVM2_member'); then
+ vgName=$(sudo pvs | grep "$cryptfsName" | awk '{printf $2}' | sed 's/-/--/g');
+ swapFile=$(cat /proc/swaps | sed -n 2p | awk '{printf $1}');
+ if [ "$swapFile" ]; then
+ if $(ls -l /dev/mapper | grep "$(basename $swapFile)" | grep -q "$vgName"); then
+ sudo swapoff $swapFile;
+ fi
+ fi
+ sudo vgchange -a n;
+ fi
+ cryptsetup close ${cryptfsName};
+ else
+ if $(sudo blkid | grep "${cryptfsName}" | grep -q 'LVM2_member'); then
+ sudo vgchange -a n;
+ fi
+ cryptsetup close ${cryptfsName};
+ fi
+ else
+ echo "Given devices isn't opened crypt device or it was closed before";
+ fi
+ fi
+}
+
+function create() {
+ if [ $# -lt 1 ]; then help; exit 1;
+ else
+ cryptsetup -y -v luksFormat $1;
+ fi
+}
+
+function set_ownership(){
+ if [ $# -lt 1 ]; then help; exit 1;
+ else
+ mountPoint=$(list | grep "$USER" | grep "$1" | awk '{printf $3}')
+ owner=$(stat -c %u $mountPoint);
+ if [ $owner -eq $RUID ]; then
+ if id $USER | grep -q $RUID; then
+ echo "User $USER is already owner of $mountPoint";
+ fi
+ else
+ chown ${USER}:${USER} $mountPoint;
+ fi
+ fi
+}
+
+if [ "$1" ]; then
+
+ if [ $UID -ne 0 ]; then
+ echo "Permission denied!";
+ help;
+ exit 1;
+ fi
+
+ #immudex-crypt RUID is EUID of sudo, which spawning immudex-crypt
+ export RUID=$(grep '^Uid:' /proc/$(pidof -s sudo)/status | awk 
'{printf $2}');
+ export USER=$(grep "$RUID" /etc/passwd | cut -d ":" -f1);
+
+ case $1 in
+ "list") list;;
+ "open") if [ "$2" ]; then open $2;
+ else help; exit 1;
+ fi;;
+ "close") if [ "$2" ]; then close $2;
+ else help; exit 1;
+ fi;;
+ "create") if [ "$2" ]; then
+ create $2;
+ open $2;
+ set_ownership $2;
+ else help; exit 1;
+ fi;;
+ *) help;;
+ esac
+else
+ help; exit 1;
+fi
diff --git a/immudex-padlock b/immudex-padlock
new file mode 100755
index 0000000..902ce97
--- /dev/null
+++ b/immudex-padlock
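Review bot: In close(), the mount point comes from `df --output=source,target /media/${USER}/${cryptfsName}`, and for a directory that exists but has nothing mounted on it (open() runs `mkdir -p` before any mount, so a failed or refused mount leaves the device open with an empty directory) df reports the filesystem that contains the directory, so `umount -R $mountPoint` is aimed at the parent mount — `/` on a default layout — while running as root; the `!= "/dev"` guard only covers the device-node case used in list(). Resolving the target from the mapper device instead avoids this: `mountPoint=$(findmnt -n -o TARGET "/dev/mapper/${cryptfsName}")`, with an empty result meaning "not mounted". Both branches of close() also run `sudo vgchange -a n` with no VG name, which asks LVM to deactivate every volume group on the host rather than the one on this LUKS device; the name from `pvs` (captured before the `s/-/--/g` rewrite used for dm-name matching) should be passed as `sudo vgchange -a n "$vg"`. At the bottom, RUID is read from `/proc/$(pidof -s sudo)/status`, which is an arbitrary sudo process rather than the one that launched this script when several are running, and `grep "$RUID" /etc/passwd` is a substring match (uid 100 also matches 1000); sudo already exports the invoker, so `RUID=${SUDO_UID:-$UID}; USER=$(getent passwd "$RUID" | cut -d: -f1)` is both correct and shorter. The prompt in open() offers `mkfs.ext4` for anything `file -s` does not label ext4 or LVM, which includes populated filesystems of other types, so checking `blkid -o value -s TYPE` and refusing to format when it is non-empty would keep a mis-typed `y` from destroying data.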
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+source /usr/local/bin/library.sh;
+
+launcher="/home/${USER}/.config/xfce4/panel/launcher-14/16844255236.desktop";
+
+function main_unlock() {
+ sudo /usr/local/sbin/immudex-crypt open $1;
+ index=$(basename $(sudo /usr/local/sbin/immudex-crypt list | grep "$1" | head -1 | awk '{printf $2}' | grep -o '[0-9]'));
+ #sudo mkdir -p /media/${USER}/$devName;
+ #sudo mount /dev/mapper/$devName /media/${USER}/$devName;
+
+ xfce4-terminal --default-working-directory=/ic${index};
+ sed -i 's/padlock-icon/changes-allow/' ${launcher};
+ #sudo rm /usr/share/icons/padlock-icon.png;
+ #sudo ln -s /usr/share/icons/changes-allow.png /usr/share/icons/padlock-icon.png;
+
+}
+
+function unlock() {
+
+ cryptParts=$(sudo blkid | grep 'LUKS' | sed 's/://g' | awk '{printf $1" "}');
+ if [ "$cryptParts" ]; then
+ if [ $(echo $cryptParts | wc -w) -gt 1 ]; then
+ select cryptPart in $cryptParts; do
+ main_unlock $cryptPart;
+ break;
+ done
+ else
+ main_unlock $cryptParts;
+ fi
+ else
+ echo -e "\e[31mThere is no LUKS partition to open.\e[0m";
+ sleep 3;
+ fi
+}
+
+function lock() {
+
+ mapperDeviceList=$(ls /dev/mapper | grep 'immudex-*' | awk '{printf $1" "}');
+
+ if [ "$mapperDeviceList" ]; then
+ for dmDevice in $mapperDeviceList; do
+ if sudo cryptsetup status /dev/mapper/${dmDevice} > /dev/null 2>&1; then
+ mountPoint=$(df --output=source,target /media/${USER}/${dmDevice} | tail -n 1 | awk '{printf $2}');
+ if [ "$mountPoint" ]; then
+ if $(sudo lsof $mountPoint > /dev/null 2>&1); then
+ notify-send "Padlock" "The /dev/mapper/${dmDevice} cannot be unmount, because there are opened file or running proceses." --icon=dialog-error;
+ else
+ sudo umount $mountPoint;
+ if [ $? -ne 0 ]; then
+ notify-send "Padlock" "The /dev/mapper/${dmDevice} cannot be unmount, because there are other filesystem is mounted in." 
--icon=dialog-error;
+ else
+ deactivate_lvm_w_swap $dmDevice;
+ sudo cryptsetup close /dev/mapper/${dmDevice};
+ fi
+ fi
+ else
+ deactivate_lvm_w_swap $dmDevice;
+ sudo cryptsetup close /dev/mapper/${dmDevice};
+ fi
+ fi
+ done
+ fi
+ if ! $(df -h | grep -q '/dev/mapper'); then
+ sed -i 's/changes-allow/padlock-icon/' ${launcher};
+ #sudo rm /usr/share/icons/padlock-icon.png;
+ #sudo ln -s /usr/share/icons/changes-prevent.png /usr/share/icons/padlock-icon.png;
+ fi
+}
+
+mapperDeviceList=$(ls /dev/mapper | grep 'immudex-*' | awk '{printf $1" "}');
+
+if [ "$mapperDeviceList" ]; then lock;
+else unlock;
+fi
diff --git a/library.sh b/library.sh
new file mode 100755
index 0000000..01d711b
--- /dev/null
+++ b/library.sh
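Review bot: lock() takes the mount point from `df --output=source,target /media/${USER}/${dmDevice}`, so for a mapper device that is open but not mounted (immudex-crypt open creates that directory before any mount succeeds) df returns the filesystem holding the directory and `sudo umount $mountPoint` is aimed at its parent mount, typically `/`; unlike immudex-crypt's close() there is not even a `"/dev"` exclusion here. Asking the kernel which target the device is actually mounted on avoids this: `mountPoint=$(findmnt -n -o TARGET "/dev/mapper/${dmDevice}")`, after which the existing `[ "$mountPoint" ]` test really does mean "mounted". In main_unlock(), `grep -o '[0-9]'` emits one digit per line, so the tenth device (immudex-crypt10) yields `1` and `0` and the terminal is opened in the wrong `/icN`; `grep -o '[0-9]*$'` keeps the whole index. The `if $(sudo lsof ...)` and `if ! $(df -h | grep -q ...)` forms execute the command's output as a command and only behave because that output is suppressed; the plain form `if sudo lsof "$mountPoint" >/dev/null 2>&1; then` is the idiom and does not depend on the redirection.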
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+function get_debian_branch() {
+ if grep -q 'trixie' /etc/os-release; then
+ echo "testing";
+ elif grep -q 'bookworm' /etc/os-release; then
+ echo "stable";
+ else
+ echo "oldstable";
+ fi
+}
+
+function get_machine_arch() {
+ arch=$(uname -m);
+ if [ "$arch" = "i686" ]; then
+ echo "32";
+ else
+ echo "64";
+ fi
+}
+
+function check_distro_commit() {
+ versionFile="/run/live/medium/live/version";
+ if [ -f $versionFile ]; then
+ localVersion=$(cat $versionFile);
+ if [ -d /tmp/immudex ]; then
+ $(cd /tmp/immudex && git pull -q);
+ else
+ git clone -q https://github.com/xf0r3m/immudex /tmp/immudex;
+ fi
+ latestVersion=$(cd /tmp/immudex && git log --pretty=oneline | head -1 | cut -d " " -f 1);
+ if [ "$1" ] && [ "$1" == "--print" ]; then
+ echo "$(cd /tmp/immudex && git log ${localVersion}..${latestVersion})";
+ fi
+ if [ "$localVersion" = "$latestVersion" ]; then
+ return 0;
+ else
+ return 1;
+ fi
+ else
+ return 255;
+ fi
+}
+
+function ascii_colors() {
+
+ BLUE="\e[1;94m";
+ RED="\e[1;91m";
+ CYAN="\e[1;96m";
+ ENDCOLOR="\e[0m";
+
+ echo -e "${BLUE} _ ${RED} _ ${CYAN} ${ENDCOLOR}";
+ echo -e "${BLUE}(_)_ __ ___ _ __ ___ _ _ ${RED} __| | ___${CYAN}__ __${ENDCOLOR}";
+ echo -e "${BLUE}| | '_ \` _ \| '_ \` _ \| | | |${RED}/ _\` |/ _ \\\\${CYAN} \/ /${ENDCOLOR}";
+ echo -e "${BLUE}| | | | | | | | | | | | |_| |${RED} (_| | __/${CYAN}> < ${ENDCOLOR}";
+ echo -e "${BLUE}|_|_| |_| |_|_| |_| |_|\__,_|${RED}\__,_|\___/${CYAN}_/\_\\";
+ echo -e "${ENDCOLOR}";
+
+}
+
+function deactivate_lvm_w_swap() {
+ if $(sudo blkid | grep "$1" | grep -q 'LVM2_member'); then
+ vgName=$(sudo pvs | grep "$1" | awk '{printf $2}' | sed 's/-/--/g');
+ swapFile=$(cat /proc/swaps | sed -n 2p | awk '{printf $1}');
+ if [ "$swapFile" ]; then
+ if $(ls -l /dev/mapper | grep "$(basename $swapFile)" | grep -q "$vgName"); then
+ sudo swapoff $swapFile;
+ fi
+ fi
+ sudo vgchange -a n;
+ fi
+}
+
+function deactivate_lvm() {
+ if $(sudo blkid | grep "$1" | grep -q 
'LVM2_member'); then
+ sudo vgchange -a n;
+ fi
+}
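Review bot: check_distro_commit() clones into the fixed, shared path `/tmp/immudex` and on later runs does `git pull` inside whatever is already there, so any local user can pre-create that directory — pointing at their own remote, or carrying hooks that run on pull where git's safe.directory ownership check does not refuse the repo — and steer what `latestVersion` and the printed log report to the caller; a per-user location such as `${XDG_CACHE_HOME:-$HOME/.cache}/immudex`, or a `mktemp -d` directory, removes the shared-directory race. The pull is written as `$(cd /tmp/immudex && git pull -q);`, which runs git's output as a command and is harmless only because of `-q`; it should read `(cd /tmp/immudex && git pull -q);`. deactivate_lvm_w_swap() and deactivate_lvm() both end with `sudo vgchange -a n` and no VG name, which asks LVM to deactivate every volume group on the machine rather than the one on the LUKS device; the name is already read from `pvs` in the first function (capture it before the `s/-/--/g` rewrite and pass it as `sudo vgchange -a n "$vg"`), and the second could compute it the same way. The swap check also reads only the second line of /proc/swaps, so with more than one active swap device the LV-backed one can be skipped and the deactivation then fails with that LV still in use.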