#!/bin/bash

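# Every step below rewrites root-owned files under /etc and /boot, so
# refuse to continue unless the effective UID is 0. The diagnostic goes to
# stderr so it is not mixed into the progress messages printed on stdout.
# A string comparison is used on purpose: if `id -u` itself fails and prints
# nothing, the empty string is still != 0 and we bail out.
if [ "$(id -u)" != "0" ]; then
	echo "You must run this as root" >&2
	exit 1
fi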

# Path of the kysec configuration file. Prefer the /etc/kysec layout and
# fall back to the legacy single-file location when it is absent.
# (In the visible part of this script the variable is only referenced by
# commented-out sed lines further down.)
kysec_conf=/etc/kysec/kysec.conf
[ -f "$kysec_conf" ] || kysec_conf=/etc/kylin-security.conf

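echo "开启UID唯一性检查"
# Flip the UID-uniqueness switch from "off" to "on". `grep -qs` replaces the
# previous `[ -n "$(grep ...)" ]` test: -q avoids capturing output, and -s
# silences grep when the state file does not exist (the feature is simply
# not installed) instead of printing an error for a non-condition.
if grep -qs 'state=off' /etc/chkuid_state; then
	sed -i 's/state=off/state=on/g' /etc/chkuid_state
fi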

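echo "开启审计"
# Enable kernel auditing at boot by stripping any "audit=0" from the grub
# defaults. `grep -qs` tests for the string without capturing output and
# stays quiet if the file is missing. update-grub is deliberately NOT run
# here: this script runs it once, further down, after the security kernel
# parameters have also been written (and the "default" security state
# that security-switch would set has audit enabled as well).
if grep -qs 'audit=0' /etc/default/grub; then
	sed -i 's/audit=0//g' /etc/default/grub
fi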

###### kysec1.0开启安全方式在安装阶段不适用 #########
# 先设置为default状态，通用版本执行 security-switch --set default 之后的
# 配置就是默认的安全状态（/usr/share/libsecurity-conf/data/kysec.conf）
# echo "设置默认安全状态"
# /usr/sbin/security-switch --set default >/dev/null 2>&1

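default_grub="/etc/default/grub"
################ kysec2.0开启安全 ################
# 1. Install phase: add the security kernel parameters to the grub defaults;
#    the boot configuration is regenerated further down (update-grub).
#
# Without the grub defaults file nothing below can take effect, so fail
# loudly instead of letting sed/update-grub error out and the script still
# announce success at the end.
if [ ! -f "${default_grub}" ]; then
	echo "${default_grub} not found; cannot set the security kernel parameters" >&2
	exit 1
fi
# Ensure exactly one GRUB_CMDLINE_LINUX_SECURITY line: first drop every
# existing line that mentions it (stale or commented-out "dirty data"
# included), then append a fresh one. This is what both branches of the
# previous if/else did, since the delete is a no-op when no line matches.
# Keep the two sed calls separate: 'd' ends the sed cycle, so a single
# script containing both commands would skip the '$a' append whenever the
# deleted line happened to be the last line of the file.
sed -i '/GRUB_CMDLINE_LINUX_SECURITY/d' "${default_grub}"
sed -i '$a\GRUB_CMDLINE_LINUX_SECURITY="security=box lsm=bpf,ksaf"' "${default_grub}"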

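# Generate the default policy-file list; ksaf uses it for labelling during
# the init stage of the first boot.
/usr/bin/kysec-scene-parse-resource -g

# update-grub has to write under /boot, so remount any read-only boot
# mount read-write first. `mount` prints "<dev> on <target> type <fs>
# (<opts>)": the target is field 3 and the option list field 6. "ro" is
# matched as a whole option (delimited by '(' ',' ')') so that a line like
# "errors=remount-ro", or a device name containing "ro", is not mistaken
# for a read-only mount as the old `grep "ro"` did. Several boot mounts
# (e.g. /boot and /boot/efi) are handled one per line.
while IFS= read -r mount_path; do
	[ -n "$mount_path" ] || continue
	mount -o remount,rw "$mount_path"
done < <(mount | awk '$3 ~ /^\/boot/ && $6 ~ /[(,]ro[,)]/ {print $3}')

# Regenerate the grub configuration with the parameters written above.
update-grub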

# 2. Enable the kysec-scene-init service; on the first boot it sets the
#    current security state to "default".
#
scene_init_unit="kysec-scene-init.service"
systemctl enable "$scene_init_unit"

################ End ################

#sed -i 's/kysec_status =.*/kysec_status = 2/' "$kysec_conf"
#sed -i 's/kysec_exectl =.*/kysec_exectl = 2/' "$kysec_conf"
#sed -i 's/kysec_netctl =.*/kysec_netctl = 2/' "$kysec_conf"
#sed -i 's/kysec_ppro =.*/kysec_ppro = 1/' "$kysec_conf"
#sed -i 's/kysec_3adm =.*/kysec_3adm = 0/' "$kysec_conf"

# 重新初始化白名单
# echo "需要重新初始化白名单"
# sqlite3 /etc/kysec/db/whlist.db 'update relabel_status set relabel=0';
[ ! -e /.exectl ] && touch /.exectl

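# Firewall. The original "office network" zone switch is kept for reference:
#echo "防火墙设置为办公网络"
#sed -i 's/Zone=.*/Zone=work/' /etc/kylin-firewall/kylin-firewall.conf
# Put the Kylin firewall into Mode=all. The file is checked first so a
# missing config produces one clear warning instead of a bare sed error.
kylin_fw_conf=/etc/kylin-firewall/kylin-firewall.conf
if [ -f "$kylin_fw_conf" ]; then
	sed -i 's/Mode=.*/Mode=all/' "$kylin_fw_conf"
else
	echo "warning: $kylin_fw_conf not found, firewall mode left unchanged" >&2
fi
# Make sure ufw is not active alongside the Kylin firewall. `command -v`
# replaces the old substring grep over the entire dpkg package list, which
# also matched unrelated packages whose name or description contains "ufw"
# and then failed on `ufw disable`.
if command -v ufw >/dev/null 2>&1; then
	ufw disable
fi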

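# dpkg signature warning popup: when the Kylin signing tool is installed,
# turn on allow-kylinsign / verify-kylinsign in dpkg.cfg and register the
# libdpkg_signtool plugin. The sed patterns rewrite any line mentioning the
# option (commented-out ones included) to the bare option name.
# NOTE(review): the package test is still a substring match over the whole
# package list, as before; the exact package name is not known here.
if dpkg-query -l 2>/dev/null | grep -q -- libkylin-signtool; then
	sed -i 's/.*allow-kylinsign.*/allow-kylinsign/g' /etc/dpkg/dpkg.cfg
	sed -i 's/.*verify-kylinsign.*/verify-kylinsign/g' /etc/dpkg/dpkg.cfg
	dpkg_plugins=/etc/dpkg/plugins
	# The old nested if/else appended in both the "file missing" and "file
	# present without entry" cases; only "present with entry" differs.
	if [ -f "$dpkg_plugins" ] && grep -q -- libdpkg_signtool "$dpkg_plugins"; then
		# Normalise an existing (possibly commented-out) entry.
		sed -i 's/.*libdpkg_signtool.*/libdpkg_signtool/g' "$dpkg_plugins"
	else
		echo libdpkg_signtool >> "$dpkg_plugins"
	fi
fi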

#######################################
# Run a command best-effort: stderr is discarded and a non-zero exit is
# ignored, so an optional tool failing cannot abort the setup.
# Arguments: the command and its arguments
# Returns:   always 0
#######################################
run_best_effort() {
	"$@" 2>/dev/null || true
}

# Device control: authorise the built-in devices.
echo "对内置设备进行授权"
run_best_effort /usr/sbin/ksc-dinit
echo "授权完成"

# Trusted measurement: if the spi_sysconfig tool is present, switch the
# measurement mode to "stop" (i.e. turn trusted measurement off).
spi_sysconfig_file="/usr/sbin/spi_sysconfig"
if [ -x "$spi_sysconfig_file" ]; then
	echo "关闭可信度量"
	run_best_effort "$spi_sysconfig_file" -a write -i measuremode -m stop
	echo "已关闭"
fi

# bug214277: the disk-encryption login screen was untranslated for
# Mongolian / Traditional Chinese; reconfigure cryptsetup-initramfs for it.
dpkg-reconfigure cryptsetup-initramfs

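# dpkg plugin registration. Each required plugin name is appended to the
# plugin list exactly once. The presence test is an exact, fixed-string
# line match (-Fx): the former substring grep treated any line merely
# containing "spro" or "ksaf_label" — a longer plugin name, or a
# commented-out entry — as already registered and silently skipped it.
FILE="/etc/dpkg/plugins"

#######################################
# Append a plugin name to the dpkg plugin file unless that exact line is
# already present.
# Arguments: $1 - plugin name
#            $2 - plugin file
# Outputs:   error message on stderr if the file cannot be written
# Returns:   0 if the entry is present or was added, 1 on write failure
#######################################
ensure_dpkg_plugin() {
	local plugin=$1
	local file=$2
	if grep -Fxq -- "$plugin" "$file" 2>/dev/null; then
		return 0
	fi
	if ! printf '%s\n' "$plugin" >> "$file"; then
		echo "Failed to add '$plugin' to $file" >&2
		return 1
	fi
	return 0
}

# dpkg插件配置 ksaf_label / spro
for plugin in ksaf_label spro; do
	ensure_dpkg_plugin "$plugin" "$FILE" || exit 1
done

echo "安全状态设置完成，请重启系统"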
