diff options
| author | John Klug <john.klug@multitech.com> | 2025-05-21 21:16:03 +0000 |
|---|---|---|
| committer | John Klug <john.klug@multitech.com> | 2025-05-21 21:16:03 +0000 |
| commit | c3b91d44d29b23384f59a0debad906f0de063a18 (patch) | |
| tree | 6f1f46f7ca08bcbfb3b64b0afae4e1cafaf4513e /usr/libexec | |
| parent | de5d5585f1db309b4faf4167b6e7965748649bb6 (diff) | |
| download | commissioning-c3b91d44d29b23384f59a0debad906f0de063a18.tar.gz commissioning-c3b91d44d29b23384f59a0debad906f0de063a18.tar.bz2 commissioning-c3b91d44d29b23384f59a0debad906f0de063a18.zip | |
Remove the possibility of commissioning from Cellular for security purposes
Diffstat (limited to 'usr/libexec')
| -rwxr-xr-x | usr/libexec/commission/commission | 2 | ||||
| -rwxr-xr-x | usr/libexec/commission/nfoff.sh | 5 | ||||
| -rwxr-xr-x | usr/libexec/commission/nfon.sh | 6 | ||||
| -rwxr-xr-x | usr/libexec/commission/off.sh | 1 |
4 files changed, 14 insertions, 0 deletions
diff --git a/usr/libexec/commission/commission b/usr/libexec/commission/commission index b2120ea..8691984 100755 --- a/usr/libexec/commission/commission +++ b/usr/libexec/commission/commission @@ -19,6 +19,8 @@ fi PASSWORDS=$(passwd -Sa | egrep '^[^[:space:]]+[[:space:]]P[[:space:]]' | wc -l) if (($PASSWORDS == 0)) ; then + # Block wwan0 from commissioning + /usr/libexec/commission/nfon.sh # No password, so indicate commissioning mode # php-fpm-commision will be turned on as well rm -f "/run/mt-commission" diff --git a/usr/libexec/commission/nfoff.sh b/usr/libexec/commission/nfoff.sh new file mode 100755 index 0000000..54e7cd3 --- /dev/null +++ b/usr/libexec/commission/nfoff.sh @@ -0,0 +1,5 @@ +#!/bin/bash +for handle in $(nft -a list table inet filter | grep iifname | sed -E 's/.*#[[:space:]]*handle[[:space:]]*//') ; do + echo "Enable wwan0: nft delete rule inet filter input handle ${handle}" + nft delete rule inet filter input handle ${handle} +done diff --git a/usr/libexec/commission/nfon.sh b/usr/libexec/commission/nfon.sh new file mode 100755 index 0000000..92d3cb2 --- /dev/null +++ b/usr/libexec/commission/nfon.sh @@ -0,0 +1,6 @@ +#!/bin/bash +nft add table inet filter +nft add chain inet filter input { type filter hook input priority 0 \; } +nft add rule inet filter input iifname "wwan0" drop +echo 'Blocking wwan0 in commissioning mode' +nft -a list table inet filter diff --git a/usr/libexec/commission/off.sh b/usr/libexec/commission/off.sh index ae86c55..b726744 100755 --- a/usr/libexec/commission/off.sh +++ b/usr/libexec/commission/off.sh @@ -11,3 +11,4 @@ else /etc/init.d/commission stop 2>&1 | logger -p local0.crit /etc/init.d/commission-php-fpm stop 2>&1 | logger -p local0.crit fi +/usr/libexec/commission/nfoff.sh |