-
Notifications
You must be signed in to change notification settings - Fork 29
/
init
executable file
·269 lines (199 loc) · 7.98 KB
/
init
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
#!/bin/busybox ash
# Default variables
export PATH="/sbin:/bin"
# Bootstrap procedure (in /stage):
# mount /rwroot
# mount /boot
# mount /live (from squashfs in /boot)
# move /boot -> /live/mnt/boot
# bind /live -> /live/mnt/live
# move /rwroot -> /live/mnt/rwroot
# switch_root to /live
stage=/stage
sboot=${stage}/boot
slive=${stage}/live
srwroot=${stage}/rwroot
mboot=${slive}/mnt/boot
mlive=${slive}/mnt/live
mrwroot=${slive}/mnt/rwroot
rwrootsz=80%
# External scripts
. /etc/modules.fs
. /etc/init.scripts
# Mount virtual filesystems
mount -t proc proc /proc
echo 0 > /proc/sys/kernel/grsecurity/audit_mount
mount -t sysfs sysfs /sys
# Mount rwroot tmpfs directory
# overlayfs behavior wrt. noexec,nosuid,nodev:
# + [no]exec, [no]suid: lowerdir / upperdir options at mount-time
# + nodev: overlayfs mount option
# (however, nodev still affects bind mounts)
mount -t tmpfs -o mode=700,nosuid,nodev,noexec,size=${rwrootsz} tmpfs ${srwroot}
for dir in etc var home usr; do
mkdir -m 755 ${srwroot}/${dir}
mkdir -m 700 ${srwroot}/${dir}-work
done
mkdir -m 1777 ${srwroot}/tmp
# /etc and /home can be allowed to exec new/modified executables:
# mount -o bind ${srwroot}/etc ${srwroot}/etc
# mount -o remount,exec ${srwroot}/etc
# Mount devtmpfs filesystem (noexec: (#92921))
mount -t devtmpfs -o nosuid,noexec devtmpfs /dev
ln -s ../tmp /dev/shm
# Parse kernel options, with sensible defaults
for param in `cat /proc/cmdline`; do
eval param_${param%%[^a-z0-9_]*}=\"\${param#*=}\"
done
: ${param_cdroot:='/dev/sd* /dev/sr* /dev/vd* /dev/mmcblk*'}
: ${param_loop:=/liberte/boot/root-x86.sfs}
# Sets/validates param_cdroot_{type,flags}
set_cdroot_type
# Handle blacklisted modules
if [ -n "${param_blacklist}" ]; then
echo "${param_blacklist}" | tr , '\n' | sed 's/^/blacklist /' > /etc/modprobe.d/boot-blacklist.conf
cp -r /etc/modprobe.d ${srwroot}/etc/
fi
# Hotplugging is handled similarly in /sbin/hotplug (UEVENT_HELPER_PATH)
good_msg 'Loading modules'
# Specify required filesystem modules (no autoloading on mount)
force_load="${force_load_fs}"
oldmods=
newmods=" ${force_load} "
while [ "${oldmods}" != "${newmods}" ]; do
for modalias in ${newmods}; do
if ! echo "${oldmods}" | grep -q " ${modalias} "; then
modprobe -qb ${modalias}
fi
done
oldmods="${newmods}"
newmods=' '$(cat $(find /sys/devices -name modalias) | sort -u | tr '\n' ' ')
done
# Run debug shell if requested
rundebugshell
# No "udevadm settle", so just loop
good_msg "Looking for the media"
tested=' '
waitmsg=0
while :; do
if [ ${waitmsg} = 1 ]; then
warn_msg 'Waiting for the media ...'
waitmsg=0
# Incorrect USB hubs? (VMWare)
modprobe -b sd_mod
modprobe -b usb-storage
fi
for mediadev in ${param_cdroot}; do
# Check for a block device to mount
if [ -b "${mediadev}" ] && ! echo "${tested}" | grep -q " ${mediadev} "; then
tested="${tested}${mediadev} "
# Skip if disk has at least one partition (heuristic)
mediadevname=`basename ${mediadev}`
if ! ls /sys/block/${mediadevname}/${mediadevname}*/partition 1>/dev/null 2>&1; then
good_msg "Attempting to mount media: ${mediadev}"
# Unless the media is already in ro mode, write-protect it during mount
mediaro=`blockdev --getro ${mediadev} 2>/dev/null` || mediaro=1
[ ${mediaro} = 1 ] || blockdev --setro ${mediadev}
if mount -r -t ${param_cdroot_type} -o "${param_cdroot_flags}" ${mediadev} ${sboot} >/dev/null 2>&1; then
# Check for the recognition file
if [ -e ${sboot}"${param_loop}" ]; then
good_msg "Media found on ${mediadev}"
# Force 'toram' and readonly device mode on CD boot
real_cdroot_type=`grep " ${sboot} " /proc/mounts | cut -d' ' -f3`
[ "${real_cdroot_type}" != iso9660 ] || param_readonly=1 param_toram=1
[ ${mediaro} = 1 -o -n "${param_readonly}" ] || blockdev --setrw ${mediadev}
break 2
else
umount ${sboot}
fi
fi
[ ${mediaro} = 1 ] || blockdev --setrw ${mediadev}
waitmsg=1
fi
fi
done
sleep 0.5
done
test_success "find media to mount"
# Determine fs type and remount with specific flags
if [ ${had_cdroot_flags} = 0 -a "${real_cdroot_type}" != ${param_cdroot_type} ]; then
param_cdroot_type="${real_cdroot_type}" param_cdroot_flags=
set_cdroot_type
good_msg "Remounting ${mediadev} with ${param_cdroot_type}-specific flags"
umount ${sboot}
mount -r -t ${param_cdroot_type} -o "${param_cdroot_flags}" ${mediadev} ${sboot}
fi
# Unload unused filesystem modules
for modname in `echo "${force_load_fs}" | tr - _`; do
if [ "`cat /sys/module/${modname}/refcnt 2>/dev/null`" = 0 ]; then
modprobe -r ${modname}
fi
done
# Setup the loopback mounts
verifyroot() {
local imgdev="$1"
if [ -n "${param_cdroot_hash}" ]; then
good_msg 'Setting up DM-Verity for filesystem image'
# Load required modules (no module autoloading)
modprobe -b dm_verity
modprobe -b algif_hash
modprobe -b sha1_generic
[ "${param_cdroot_hash%:*}" -gt 0 -a "${param_cdroot_hash%:*}" != "${param_cdroot_hash}" ] 2>/dev/null
test_success 'parse DM-Verity hash descriptor'
sfsbytes=`blockdev --getsize64 ${imgdev}`
sfsoffset=$((sfsbytes - ${param_cdroot_hash%:*} * 4096))
hashdesc=`veritysetup dump --hash-offset=${sfsoffset} ${imgdev} | sed -n 's/^.*:[[:blank:]]*//; 3p; 5,7p' | tr '\n' :`
[ "${hashdesc}" = 1:4096:4096:sha256: ]
test_success 'verify DM-Verity superblock'
veritysetup create --hash-offset=${sfsoffset} rootfs ${imgdev} ${imgdev} "${param_cdroot_hash#*:}"
test_success 'setup DM-Verity mapping'
veritysetup status rootfs | grep -qs '^[[:blank:]]*status:[[:blank:]]*verified$'
test_success 'setup DM-Verity mapping with given root hash'
# Remove modules used only for veritysetup's crypto backend init
modprobe -r sha1_generic
modprobe -r algif_hash
rootdev=/dev/mapper/rootfs
else
warn_msg 'Skipping filesystem image verification'
fi
}
# Let 'notoram' override 'toram' enforcement for CDs
rootimg=${sboot}"${param_loop}"
if [ -n "${param_toram}" -a -z "${param_notoram}" ]; then
good_msg 'Copying filesystem image to RAM ...'
rootimgram=${srwroot}/cache/root.sfs
mkdir -m 700 ${srwroot}/cache
cp "${rootimg}" ${rootimgram} || rm ${rootimgram}
rootimg=${rootimgram}
fi
# Set up DM-Verity (sets rootdev=/dev/mapper/...)
rootdev=/dev/loop0
modprobe -b loop
losetup -r ${rootdev} "${rootimg}"
verifyroot ${rootdev}
# CONFIG_FEATURE_DEVFS must be disabled for BusyBox
good_msg 'Mounting SquashFS filesystem'
modprobe -b squashfs
mount -r -t squashfs -o ${fs_flags_squashfs} ${rootdev} ${slive}
test_success 'mount compressed filesystem'
# Move boot mountpoint under live
mount -o move ${sboot} ${mboot}
# Bind extra live mountpoint under live
mount -r -o bind ${slive} ${mlive}
# Move rwroot mountpoint under live
mount -o move ${srwroot} ${mrwroot}
# Run debug shell again if requested
rundebugshell
good_msg 'Booting (initramfs)'
# Disable hotplugging and time change logging (hwclock starts before sysctl)
echo > /proc/sys/kernel/hotplug
echo 0 > /proc/sys/kernel/grsecurity/timechange_logging
umount /sys || bad_msg 'Failed to unmount /sys'
umount /proc || bad_msg 'Failed to unmount /proc'
cd ${slive}
mount -o move /dev ${slive}/dev
exec env - ${param_tz:+TZ=:"${param_tz#:}"} ${TERM:+TERM="${TERM}"} switch_root -c /dev/console ${slive} /sbin/init
# If we get here, something bad has happened
echo 'A fatal error has probably occured since /sbin/init did not'
echo 'boot correctly. Trying to open a shell...'
exec sh