#!/bin/bash

# Boot scripts that have to run before this one (initramfs-tools ordering).
PREREQ='ksaf_policy_init'

# Print the prerequisite list on stdout; used when the script is invoked
# with the single argument "prereqs".
prereqs() {
	echo "${PREREQ}"
}

# Ordering query: answer with the prerequisites and stop here, before any
# file is sourced or any system state is touched.
if [ "$1" = "prereqs" ]; then
	prereqs
	exit 0
fi

. /scripts/functions
. /scripts/security-functions

# KSAF status node in securityfs, and the file under ${rootmnt} that holds
# the status saved in the root filesystem.
securityfs_mnt="/sys/kernel/security"
ksaf_status_path="${securityfs_mnt}/ksaf/status"
ksaf_conf_file="${rootmnt}/etc/ksaf/mod_conf/ksaf_main.conf"

# Saved status defaults to 0 when the configuration file is absent.
# NOTE(review): the file content is taken as-is; it is later compared with
# -ne and written back to the status node, so a non-numeric file makes that
# comparison fail and the update step is skipped.
old_ksaf_status=0
[ ! -e "$ksaf_conf_file" ] || old_ksaf_status=$(cat "$ksaf_conf_file")

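# Write a status value to the KSAF status node in securityfs.
# Globals:   ksaf_status_path (read)
# Arguments: $1 - status value, written verbatim followed by a newline
# Returns:   exit status of the write; non-zero when the node cannot be
#            opened or written, so callers can detect a failed switch
set_ksaf_status() {
	# Both expansions are quoted: unquoted, the value would be word-split
	# and glob-expanded before it reaches the kernel interface (a value of
	# "*" would be replaced by file names from the current directory).
	printf '%s\n' "$1" >"$ksaf_status_path"
}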

# As an initramfs hook.

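# Run every pkg-update script with the stage argument "initrd".
#
# The caller serialises this function with `declare -f` and runs it in a
# fresh bash inside the chroot, so it must stay self-contained: no helper
# functions and no variables from the enclosing script.
#
# Arguments: $1 - optional directory holding the *.sh scripts
#                 (default: /etc/kysec-scene/pkg-update)
# Outputs:   one line on stdout for each script that exits non-zero
# Returns:   0; script failures are reported but not propagated
#
# NOTE(review): every matching file is executed with the caller's
# privileges and nothing here checks who owns or may write the directory or
# the scripts - confirm that packaging keeps them writable by root only.
do_pkg_update() {
	local PKG_UPDATE_SCRIPTS_DIR="${1:-/etc/kysec-scene/pkg-update}"
	local script status

	if [ ! -d "${PKG_UPDATE_SCRIPTS_DIR}" ]; then
		return 0
	fi

	for script in "${PKG_UPDATE_SCRIPTS_DIR}"/*.sh; do
		# With no match the glob stays a literal "*.sh" path; skip it
		# instead of trying to execute a file that does not exist.
		[ -e "$script" ] || continue

		"$script" initrd
		status=$?
		if [ "$status" -ne 0 ]; then
			echo "failed to run pkg-update for ${script##*/}, exit code=$status"
		fi
		# Do not delete the script file here because we need it on systemd stage.
	done

	return 0
}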

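# Succeed when the kernel command line passed as $1 has an lsm= parameter
# whose comma-separated list has an entry containing "ksaf".
# The match is confined to that one whitespace-delimited parameter, so
# "ksaf" in a later, unrelated parameter (or an option whose name merely
# ends in "lsm=") does not count as KSAF being enabled.
cmdline_has_ksaf_lsm() {
	local lsm_re='(^|[[:space:]])lsm=([^,[:space:]]+,)*[^,[:space:]]*ksaf'
	[[ $1 =~ $lsm_re ]]
}

cmdline=$(cat /proc/cmdline)

# Act only when KSAF is requested on the kernel command line and the status
# saved in the root filesystem is non-zero.
if cmdline_has_ksaf_lsm "$cmdline"; then
	if [ "$old_ksaf_status" -ne 0 ]; then
		# Status 4 is held only while the pkg-update scripts run.
		# NOTE(review): presumably an update/maintenance mode - confirm
		# against the KSAF documentation.
		if ! set_ksaf_status 4; then
			echo "ksaf: failed to set status 4 before pkg-update" >&2
		fi

		# The function does not exist inside the chroot, so its
		# definition is handed to the new bash as text.
		chroot "${rootmnt}" /bin/bash -c "$(declare -f do_pkg_update); do_pkg_update"

		# A failed restore would leave KSAF in status 4 after this
		# script finishes, so make it visible on the console.
		if ! set_ksaf_status "$old_ksaf_status"; then
			echo "ksaf: failed to restore status $old_ksaf_status after pkg-update" >&2
		fi
	fi
fi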

