| Path : /opt/ds_agent/ |
|
|
| Current File : //opt/ds_agent/Linux.init |
#!/bin/bash
#
# For RedHat-style chkconfig
#
# ds_filter Trend Micro Deep Security Drivers
#
# chkconfig: 2345 09 91
# description: Trend Micro Deep Security Drivers
#
#
# For SuSE-style chkconfig/insserv
#
### BEGIN INIT INFO
# Provides: ds_filter
# Required-Start: $null
# Required-Stop: $null
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Trend Micro Deep Security Drivers
# Description: Trend Micro Deep Security Drivers
# The ds_filter module is a set of kernel modules that implement
# the Trend Micro packet filter and stateful firewall.
### END INIT INFO
bindir="/opt/ds_agent"
drvdir="/opt/ds_agent"
confdir="/var/opt/ds_agent"
export LD_LIBRARY_PATH="/opt/ds_agent/lib"
dsfc="$bindir/dsfc"
conf="$confdir/config.bin"
module_im="dsa_filter"
module_im_preload_hook="dsa_filter_hook"
module_im_dev="dsa"
module_link="/lib/modules/$(/bin/uname -r)/kernel/net/${module_im}/"
blp_count_folder="/var/opt/ds_agent/filter/blp/"
blp_count_regex="fltblp_[0-9]+$"
# Source function library
INITD=`ps -p 1 -o comm=| tail -1`
if [ "$INITD" == "systemd" ]; then
# This is systemd (RHEL7 or newer)
action() {
echo $1
shift
$*
}
elif [ -r /etc/init.d/functions ]; then
# this is redhat
. /etc/init.d/functions
elif [ -r /etc/rc.status ]; then
# this is SuSE
. /etc/rc.status
action() {
echo -n $1
shift
$*
rc_status -v
}
elif [ -r /lib/lsb/init-functions ] ;then
# this is debian
rc_status() {
local ret=$?
[ "$ret" = 0 ] && echo [OK] || echo [ERROR]
return ${ret}
}
action() {
echo -n $1
shift
$*
rc_status
}
else
echo "Unsupported distribution."
exit 1
fi
clearArpCache() {
local ip
local flags
cat /proc/net/arp | grep -v ^IP | while read ip type flags hw mask device ; do
if [ "$(( $flags & 0x4))" = 0 ]; then
/sbin/arp -d "${ip}" >/dev/null 2>&1
fi
done
}
loadConfig() {
if test -r "$conf" ; then
echo -n "Loading existing configuration... "
$dsfc -l $conf
fi
}
getModuleDependenciesFromLsmodOutput() {
shift 3
echo $*
}
resetCompiler() {
### for decoupling dsc
if [ -L ${drvdir}/dsc-filter ] ; then rm -f ${drvdir}/dsc-filter ; fi
cp -f ${kernelVersionFull}/dsc ${drvdir}/dsc-filter
if [ -L ${drvdir}/wrs.tbf-filter ] ; then rm -f ${drvdir}/wrs.tbf-filter ; fi
cp -f ${kernelVersionFull}/wrs.tbf ${drvdir}/wrs.tbf-filter
rm -f /var/opt/ds_agent/filter/config.bin
if [ -f /var/opt/ds_agent/filter/preload.tbf ] ; then
cp -f ${drvdir}/wrs.tbf-filter /var/opt/ds_agent/filter/preload.tbf
fi
}
loadModule() {
# Params: moduleName
local moduleName=${1}
local moduleBinary="${drvdir}/${kernelVersionFull}/${moduleName}.ko"
# Reenforce selinux context in case being changed
if [ -x /usr/bin/chcon ]; then
/usr/bin/chcon -t modules_object_t "${moduleBinary}"
fi
cd ${drvdir}
if ( insmod ${insmodArgs} "${moduleBinary}" >/dev/null 2>&1) ; then
if moduleIsLoaded ${moduleName} ; then
mkdir -p ${module_link}
ln -s -f "${moduleBinary}" ${module_link}
action $"Loaded ${moduleName} module version ${loaded_version}" true
return 0
else
action $"${moduleName} is not supported on kernel ${kernelVersionFull}" false
return 1
fi
else
action $"${moduleName} is not supported on kernel ${kernelVersionFull}" false
return 1
fi
}
makeDevice() {
# Only necessary on older systems that don't have udevd or devfs
if pgrep -x udevd > /dev/null; then
return 0
fi
if mount | grep -q '\<devfs\>'; then
return 0
fi
local module=${1}
if [ -f /proc/driver/${module}/info ]; then
# first the main device
local DEVICE=$(cat /proc/driver/${module}/info | grep ^Device | cut -d : -f 2-)
local MAJOR=$(echo $DEVICE | cut -d : -f 1)
local MINOR=$(echo $DEVICE | cut -d : -f 2)
if [ -n "$MAJOR" -a -n "$MINOR" ] ; then
rm -f /dev/${module}
mknod -m 600 /dev/${module} c ${MAJOR} ${MINOR} 2>/dev/null
# label device file with SELinux file type 'misc_device_t'.
if [ -f /usr/bin/chcon ] ; then
/usr/bin/chcon -t misc_device_t /dev/${module}
fi
else
echo "Unable to determine device numbers for /dev/${modules}"
return 1
fi
# next the ssl device
local DEVICE=$(cat /proc/driver/${module}/info | grep ^SSL\ Device | cut -d : -f 2-)
local MAJOR=$(echo $DEVICE | cut -d : -f 1)
local MINOR=$(echo $DEVICE | cut -d : -f 2)
if [ -n "$MAJOR" -a -n "$MINOR" ] ; then
rm -f /dev/${module}_ssl /dev/ssl_${module}
mknod -m 600 /dev/${module}_ssl c ${MAJOR} ${MINOR} 2>/dev/null
# label device file with SELinux file type 'misc_device_t'.
if [ -f /usr/bin/chcon ] ; then
/usr/bin/chcon -t misc_device_t /dev/${module}_ssl
fi
# for backwards compatibility
ln -fs /dev/${module}_ssl /dev/ssl_${module}
else
echo "Unable to determine device numbers for /dev/${modules}_ssl"
return 1
fi
else
echo "Unable to create /dev entries for ${module}"
return 1
fi
}
setParameters() {
local module=${1}
sysdir=/sys/module/${module}/parameters/
p_limit=${sysdir}/async_queue_limit
p_release=${sysdir}/async_queue_release
test -f $p_limit && echo 100 > $p_limit
test -f $p_release && echo 1 > $p_release
true
# net-filter would copy the NIC bypass information from /etc/ds_filter.conf
DS_FILTER_CONF=/etc/ds_filter.conf
INTERFACE_BYPASS_PATTERN='INTERFACE_BYPASS_LIST='
if grep ^$INTERFACE_BYPASS_PATTERN $DS_FILTER_CONF >/dev/null 2>&1 ; then
grep ^$INTERFACE_BYPASS_PATTERN $DS_FILTER_CONF | awk -F= '{print $2}' > /proc/driver/dsa/ignore_device
fi
}
moduleIsLoaded() {
local module=${1}
(lsmod | tr -d '[]' | grep -m 1 "^${module}" > /dev/null) && return 0
return 1
}
pick1() {
eval 'echo $'"$pick_index"
}
pick() {
OLD_IFS=$IFS
local delimiter="$1"
shift
pick_index="$1"
shift
IFS=" -"$delimiter
pick1 $*
IFS=$OLD_IFS
unset pick_index
}
unloadModule() {
local module=${1}
local isRunning=0
local modInfo
# Get module dependency info, handling both 2.4 and 2.6 style output
modInfo=$(lsmod | tr -d '[]' | tr ',' ' ' 2>/dev/null | grep -m 1 "^${module}") && isRunning=1
if [ ${isRunning} -ne 0 ]; then
local dependencies=$(getModuleDependenciesFromLsmodOutput ${modInfo})
local dependentModule
for dependentModule in ${dependencies}; do
unloadModule ${dependentModule}
done
action $"Unloading ${module} module..." rmmod ${module} || return $?
rm -rf ${module_link}
rm -f /dev/${module}
fi
return 0
}
resetBLPFailureCount() {
local count=$(find "$blp_count_folder" -type f -regex "$blp_count_folder$blp_count_regex" -print 2>/dev/null | wc -l)
echo "dsa: Before reset, BLP failcount: $count" > /dev/kmsg
find "$blp_count_folder" -type f -regex "$blp_count_folder$blp_count_regex" -exec rm {} + 2>/dev/null
count=$(find "$blp_count_folder" -type f -regex "$blp_count_folder$blp_count_regex" -print 2>/dev/null | wc -l)
echo "dsa: After reset, BLP failcount: $count" > /dev/kmsg
}
########## Commands
start() {
if moduleIsLoaded ${module_im}; then
action $"${module_im} module already loaded" false
retval=${?}
else
loadModule ${module_im_preload_hook} || return ${?}
loadModule ${module_im} || return ${?}
resetCompiler
makeDevice ${module_im_dev}
setParameters ${module_im_preload_hook}
setParameters ${module_im}
retval=${?}
clearArpCache
loadConfig
fi
return ${retval}
}
stop() {
local module
[ -z $1 ] && /opt/ds_agent/ds_agent.init stopquiet
for module in ${module_im} ${module_im_preload_hook}; do
unloadModule ${module}
done
if ! moduleIsLoaded ${module_im}; then
resetBLPFailureCount
fi
retval=${?}
return ${retval}
}
stopmod() {
stop noappstop
}
restart() {
stop 0
start 0
}
modulestatus() {
local module
for module in ${module_im} ${module_im_preload_hook}; do
if moduleIsLoaded ${module}; then
echo "${module} is running. Driver loaded."
else
echo "${module} is stopped. Driver not loaded."
fi
done
}
######### Main entry point
kernelVersionFull=$(/bin/uname -r)
case "$1" in
start|stop|restart|stopmod)
$1
;;
status)
modulestatus
;;
condrestart)
echo "This function is removed in 10.1."
;;
info)
echo "This function is removed in 9.5."
;;
*)
echo $"Usage: $0 {start|stop|status|restart}"
exit 1
esac
exit 0
# vim: set et sw=4: