i.devpolicy revision b127ac411761a3d8d642d9342d9cac2785e1faaa
#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# NOTE: When a change is made to the source file for
# /etc/security/device_policy a corresponding change must be made to
# this class-action script.
#
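# Merge the packaged device policy file into the installed one.
#
# Standard input supplies one "src dest" pair per line: src is the
# packaged copy and dest the installed file (per the header note,
# /etc/security/device_policy).  The entries handled here carry
# read_priv_set/write_priv_set tokens, so a truncated or half-merged dest
# changes which privileges guard those devices.  For that reason dest is
# only rewritten while a backup copy exists.
#
# NOTE(review): every bracket expression below holds a single space as
# shown on this page.  If the installed file separates fields with tabs,
# none of these patterns match; confirm against the repository copy
# whether the original expression was space plus tab.
#
# NOTE(review): the scratch file "$dest.$$" has a predictable name in the
# same directory as dest.  This is only safe while that directory is
# writable by the installing user alone.
while read src dest
do
	# Fresh install: nothing to merge, take the packaged file as is.
	if [ ! -f "$dest" ] ; then
		cp "$src" "$dest"
		continue
	fi

	# changes
	#
	# Blank out read_priv_set=sys_config on md:admin lines and drop the
	# entries that match the exact forms listed.  All of those drivers
	# except sad:admin also appear in $additions below, so an entry is
	# copied back from src when src has one.
	if cp "$dest" "$dest.$$" ; then
		if sed \
		    -e '/md:admin/s/read_priv_set=sys_config/ /' \
		    -e '/^icmp[ ]*read_priv_set=net_rawaccess[ ]*write_priv_set=net_rawaccess$/d' \
		    -e '/^icmp6[ ]*read_priv_set=net_rawaccess[ ]*write_priv_set=net_rawaccess$/d' \
		    -e '/^keysock[ ]*read_priv_set=sys_net_config[ ]*write_priv_set=sys_net_config$/d' \
		    -e '/^ipsecah[ ]*read_priv_set=sys_net_config[ ]*write_priv_set=sys_net_config$/d' \
		    -e '/^ipsecesp[ ]*read_priv_set=sys_net_config[ ]*write_priv_set=sys_net_config$/d' \
		    -e '/^spdsock[ ]*read_priv_set=sys_net_config[ ]*write_priv_set=sys_net_config$/d' \
		    -e '/^ipf[ ]*read_priv_set=sys_net_config[ ]*write_priv_set=sys_net_config$/d' \
		    -e '/^sad:admin[ ]*read_priv_set=sys_config[ ]*write_priv_set=sys_config$/d' \
		    "$dest.$$" > "$dest"
		then
			:
		else
			# The redirection has already truncated dest; put the
			# previous policy back rather than leave a partial file.
			cp "$dest.$$" "$dest"
		fi
		rm -f "$dest.$$"
	fi

	# potential additions
	additions="aggr bge dnet keysock ibd icmp icmp6 ipnet ipsecah ipsecesp openeepr random spdsock vni ipf pfil scsi_vhci"

	for dev in $additions
	do
		# Copy the entry across only when src has one and dest does
		# not, so an entry already present in dest is never replaced.
		if grep "^$dev[ ]" "$src" > /dev/null 2>&1 ; then
			if grep "^$dev[ ]" "$dest" > /dev/null 2>&1 ; then
				:
			else
				grep "^$dev[ ]" "$src" >> "$dest"
			fi
		fi
	done

	# potential deletions
	deletions="elx dld dld:ctl aggr:ctl vnic:ctl le"

	for dev in $deletions
	do
		# Remove the entry from dest when dest has one and src does not.
		if grep "^$dev[ ]" "$dest" > /dev/null 2>&1 ; then
			# Anchored like every other lookup in this script.  The
			# unanchored form also matched any src line that merely
			# contained "$dev " (for example a name ending in "le"),
			# which left the stale entry in place.
			if grep "^$dev[ ]" "$src" > /dev/null 2>&1 ; then
				:
			else
				# grep -v exits non-zero when it selects no lines,
				# so its status cannot signal failure here; only
				# the backup copy is checked.
				if cp "$dest" "$dest.$$" ; then
					grep -v "^$dev[ ]" "$dest.$$" > "$dest"
					rm -f "$dest.$$"
				fi
			fi
		fi
	done
done

# NOTE(review): the script reports success even when a copy or rewrite
# above failed.  Confirm whether the packaging tool should see a non-zero
# status in that case.
exit 0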