[2/3,V6] Disable shell access when lockdown is active

Message ID 454975258.78262.1471386450102.JavaMail.zimbra@raptorengineeringinc.com
State Superseded

Commit Message

Timothy Pearson Aug. 16, 2016, 10:27 p.m. UTC
This patch disables direct command line access when the /etc/pb-lockdown
file is present.

Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
---
 configure.ac        |  1 +
 ui/ncurses/nc-cui.c | 22 +++++++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

Comments

Timothy Pearson Aug. 16, 2016, 10:35 p.m. UTC | #1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/16/2016 05:27 PM, Timothy Pearson wrote:
> +AM_CONDITIONAL([WITH_SIGNED_BOOT], [test "x$with_signed_boot" = "xyes"])

This slipped through yet again.  Given the timezone and moderation
issues, and to prevent additional wasted time, I'm just resending this
patch as a V7 in isolation.

- -- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645 (direct line)
+1 (512) 690-0200 (switchboard)
https://www.raptorengineering.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJXs5U9AAoJEK+E3vEXDOFbQTkH/36sHI6u8L9d9D32kBnnelEo
Es5QgNvrCz7I69ylhmvDEVJIqagKXqyu8/fDvjgj9YrILmMpGbodTdG7901i24EV
x7zor3vsMqD/9tFiHwhhZJUMYL8kTRfzDKfJ02SkgFBgS7DzYH+tYAmpkjGdBp/g
BQCsbiiqwOmaI0R2jXnAqaDSURpS3NOF5E4fWDr8nFE6+07cHp7NPaG0RMfRUwMl
t6d8Qy4Hlw4xl0GWKz0z3juAWtJsG1YvdDhgM7K8S9XUukPEZzlREpVMwoTeVD8D
AUf7rmzqj2SRm8QJ1dziNSUdDI5+acZWqJooSnWKSyYMZZx2HY0ZTbwEoNh0bsU=
=PA7f
-----END PGP SIGNATURE-----

Patch

diff --git a/configure.ac b/configure.ac
index 36d3ddb..370511b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -178,6 +178,7 @@  AC_ARG_WITH(
 	[],
 	[with_signed_boot=yes]
 )
+AM_CONDITIONAL([WITH_SIGNED_BOOT], [test "x$with_signed_boot" = "xyes"])
 
 AM_CONDITIONAL(
 	[WITH_SIGNED_BOOT],
diff --git a/ui/ncurses/nc-cui.c b/ui/ncurses/nc-cui.c
index 09b63b0..c2f1c83 100644
--- a/ui/ncurses/nc-cui.c
+++ b/ui/ncurses/nc-cui.c
@@ -25,6 +25,7 @@ 
 #include <stdlib.h>
 #include <string.h>
 #include <sys/ioctl.h>
+#include <sys/reboot.h>
 
 #include "log/log.h"
 #include "pb-protocol/pb-protocol.h"
@@ -47,6 +48,14 @@  extern const struct help_text main_menu_help_text;
 
 static struct pmenu *main_menu_init(struct cui *cui);
 
+static bool lockdown_active(void)
+{
+	bool lockdown = false;
+	if (access(LOCKDOWN_FILE, F_OK) != -1)
+		lockdown = true;
+	return lockdown;
+}
+
 static void cui_start(void)
 {
 	initscr();			/* Initialize ncurses. */
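Review bot: lockdown_active() fails open, because `access(LOCKDOWN_FILE, F_OK) != -1` reports "not locked down" for every error and not only for a missing file, so a failure such as EACCES, ELOOP or EIO on that path silently restores shell access. For a security gate it is safer to treat only ENOENT as "absent", e.g. `return access(LOCKDOWN_FILE, F_OK) == 0 || errno != ENOENT;` (this needs <errno.h>, which is not visible in this patch). A short comment such as `/* True when LOCKDOWN_FILE exists; lockdown removes shell access from the UI. */` would also help, and LOCKDOWN_FILE is not defined in this patch, so it presumably comes from an earlier patch in the series. cui_start() continues outside the hunk.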
@@ -94,6 +103,13 @@  static void cui_atexit(void)
 	clear();
 	refresh();
 	endwin();
+
+	bool lockdown = lockdown_active();
+
+	while (lockdown) {
+		sync();
+		reboot(RB_AUTOBOOT);
+	}
 }
 
 /**
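Review bot: The lockdown loop added at the end of cui_atexit() never reports a failing reboot(), so it spins on sync() indefinitely with nothing in the log; consider logging before retrying, e.g. `pb_log("lockdown: reboot failed: %s\n", strerror(errno));`, followed by a short sleep. If this function is registered with atexit(), as its name suggests, it runs only on a normal exit(), so a UI process that is killed by a signal or aborts would skip it, and whatever supervises the UI should enforce the lockdown as well. The check here is also independent of the lockdown_active() call in main_menu_init, so the menu label and the exit behaviour can disagree; evaluating it once at startup and reusing the result avoids that. The function begins outside the hunk.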
@@ -826,6 +842,7 @@  static struct pmenu *main_menu_init(struct cui *cui)
 	struct pmenu_item *i;
 	struct pmenu *m;
 	int result;
+	bool lockdown = lockdown_active();
 
 	m = pmenu_init(cui, 7, cui_on_exit);
 	if (!m) {
@@ -869,7 +886,10 @@  static struct pmenu *main_menu_init(struct cui *cui)
 	i->on_execute = menu_add_url_execute;
 	pmenu_item_insert(m, i, 5);
 
-	i = pmenu_item_create(m, _("Exit to shell"));
+	if (lockdown)
+		i = pmenu_item_create(m, _("Reboot"));
+	else
+		i = pmenu_item_create(m, _("Exit to shell"));
 	i->on_execute = pmenu_exit_cb;
 	pmenu_item_insert(m, i, 6);