Use azw binary in launch daemon

This commit is contained in:
T. R. Bernstein
2024-07-01 21:52:15 +02:00
committed by T. R. Bernstein
parent ce8e527e9c
commit dd14a7922e
3 changed files with 39 additions and 40 deletions

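--- a/bin/azw-ensure-single-fv-user
+++ b/bin/azw-ensure-single-fv-user
@@ -0,0 +1,36 @@
+#!/usr/bin/env zsh
+# vi: set ft=zsh tw=80 ts=2
+function main {
+local username="\$1"
+function doesFilevaultUserExist() {
+dscl . -list /Users | grep \${username} >&! /dev/null
+}
+function isFilevaultUserEnabled() {
+fdesetup list | grep \${username} &> /dev/null
+}
+function isFilevaultEnabled() {
+fdesetup status | grep On &> /dev/null
+}
+function allowOnlyFilevaultUserToUnlock() {
+local fdeuser
+for fdeuser in \${(f)"\$(fdesetup list | cut -d',' -f1)"}; do
+[[ \${fdeuser} != \${username} ]] && fdesetup remove -user "\${fdeuser}"
+done
+return 0
+}
+[[ \$(id -un) == 'root' ] || { lop -- -e 'This script needs to be run by root. Aborting.'; return }
+isFilevaultEnabled || { lop -- -e 'FileVault is disabled. Aborting.'; return }
+doesFilevaultUserExist && isFilevaultUserEnabled && allowOnlyFilevaultUserToUnlock
+}
+if [[ "${ZSH_EVAL_CONTEXT}" == toplevel || "${ZSH_EVAL_CONTEXT}" == cmdarg ]]; then
+_DIR="${0:A:h}"
+autoload -w zshlib
+main "$@"
+fi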
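Review bot: The backslash escapes carried over from the old heredoc are now literal in this standalone script: in zsh `local username="\$1"` assigns the two-character string `$1`, and `grep \${username}` / `\${(f)"\$(fdesetup list ...)"}` / `[[ \${fdeuser} != \${username} ]]` all operate on the literal text `${username}` instead of the argument, so `main` never acts on the user it was given. The root check `[[ \$(id -un) == 'root' ]` also closes `[[` with a single `]`, so the file will not parse at all. Beyond the escaping, the existence and enablement checks are unanchored substring/regex matches on `dscl` and `fdesetup list` output, and because allowOnlyFilevaultUserToUnlock then removes every FileVault user whose name differs, a name that merely contains the configured one can satisfy both guards; `grep -qx --` with a quoted argument, and quoting `"${username}"` in the `!=` comparison so it is not treated as a pattern, make the match exact. The rewritten lines are below; the script-level `if`/`autoload` wrapper is unchanged.
```shell
function main {
  local username="$1"
  function doesFilevaultUserExist() {
    dscl . -list /Users | grep -qx -- "${username}"
  }
  function isFilevaultUserEnabled() {
    fdesetup list | cut -d',' -f1 | grep -qx -- "${username}"
  }
  # … unchanged: isFilevaultEnabled …
  function allowOnlyFilevaultUserToUnlock() {
    local fdeuser
    for fdeuser in ${(f)"$(fdesetup list | cut -d',' -f1)"}; do
      [[ ${fdeuser} != "${username}" ]] && fdesetup remove -user "${fdeuser}"
    done
    return 0
  }
  [[ $(id -un) == 'root' ]] || { lop -- -e 'This script needs to be run by root. Aborting.'; return }
  # … unchanged: isFilevaultEnabled guard and final doesFilevaultUserExist && … call …
}
```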


@@ -11,7 +11,7 @@ function createLaunchDaemon() {
<string>${serviceName}</string> <string>${serviceName}</string>
<key>ProgramArguments</key> <key>ProgramArguments</key>
<array> <array>
<string>azw</string> <string>/usr/local/bin/azw</string>
<string>update-zsh-libraries</string> <string>update-zsh-libraries</string>
</array> </array>
<key>StartCalendarInterval</key> <key>StartCalendarInterval</key>
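Review bot: The daemon now executes `/usr/local/bin/azw` by absolute path, which is right for launchd's minimal environment, but nothing in this commit establishes who owns that file: the removed createEnsurerBinary in the third file section did `chown root:wheel` and `chmod ug=rx,o=r` on the executable a root LaunchDaemon runs, and the replacement plists here and in the third section's second hunk rely on whatever ownership and mode `/usr/local/bin/azw` (and the `zshlib` it autoloads) happen to have. An install-time check that the binary is owned by root and not group- or other-writable, failing the install otherwise, would restore the guarantee the old code gave. The enclosing createLaunchDaemon heredoc starts and ends outside this hunk.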


@@ -5,42 +5,6 @@ function getDefaultFilevaultUsername() {
print 'azwdevice' print 'azwdevice'
} }
function createEnsurerBinary() {
[[ -x $binaryPath ]] && return
cat > $binaryPath <<- BINARY
#!/usr/bin/env zsh
function {
local username="\$1"
function doesFilevaultUserExist() {
dscl . -list /Users | grep \${username} >&! /dev/null
}
function isFilevaultUserEnabled() {
fdesetup list | grep \${username} &> /dev/null
}
function isFilevaultEnabled() {
fdesetup status | grep On &> /dev/null
}
function allowOnlyFilevaultUserToUnlock() {
local fdeuser
for fdeuser in \${(f)"\$(fdesetup list | cut -d',' -f1)"}; do
[[ \${fdeuser} != \${username} ]] && fdesetup remove -user "\${fdeuser}"
done
return 0
}
[[ \$(id -un) == 'root' ] || return
isFilevaultEnabled || return
doesFilevaultUserExist && isFilevaultUserEnabled && allowOnlyFilevaultUserToUnlock
}
BINARY
chown root:wheel $binaryPath
chmod ug=rx,o=r $binaryPath
}
function createLaunchDaemon() { function createLaunchDaemon() {
cat > ${launchDaemonPath} <<- LDAEMON cat > ${launchDaemonPath} <<- LDAEMON
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
@@ -51,7 +15,8 @@ function createLaunchDaemon() {
<string>${serviceName}</string> <string>${serviceName}</string>
<key>ProgramArguments</key> <key>ProgramArguments</key>
<array> <array>
<string>${binaryPath}</string> <string>/usr/local/bin/azw</string>
<string>ensure-single-fv-user</string>
<string>${filevault_username}</string> <string>${filevault_username}</string>
</array> </array>
<key>OnDemand</key> <key>OnDemand</key>
@@ -79,8 +44,6 @@ function createLaunchdService() {
function configure_system() { function configure_system() {
lop -y h1 -- -i 'Allow only Filevault user to unlock disk' lop -y h1 -- -i 'Allow only Filevault user to unlock disk'
local binaryPath='/usr/local/bin/ensure-single-filevault-user'
indicateActivity -- 'Create ensurer binary' createEnsurerBinary
createLaunchdService createLaunchdService
} }
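Review bot: The literal `<string>/usr/local/bin/azw</string>` written in the second hunk duplicates the same path the other plist in this commit now carries, so a relocation of azw means editing two heredocs; a single shared value such as `local azwBinary='/usr/local/bin/azw'` interpolated as `<string>${azwBinary}</string>` in both would keep them in step. The third hunk drops `local binaryPath` from configure_system; if `binaryPath` is still read anywhere outside these hunks (createLaunchdService is not visible here), that reference now resolves to an unset global and is worth a grep before merging. The `${filevault_username}` passed to the new `ensure-single-fv-user` subcommand is interpolated into the XML unescaped; the default `azwdevice` from getDefaultFilevaultUsername is harmless, but a comment such as `# filevault_username is embedded in XML unescaped; keep it free of XML-special characters` on the heredoc would record that assumption.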