#!/bin/sh
# Names of the boot scripts that have to run before this one.
PREREQ="security_set"

# Print the prerequisite list on stdout, one line, for the script runner.
prereqs()
{
	printf '%s\n' "$PREREQ"
}

# Invoked as "<script> prereqs": report the dependencies and stop, so that
# none of the ownership changes below are performed.
if [ "$1" = "prereqs" ]; then
	prereqs
	exit 0
fi

. /scripts/functions

# Directory on the mounted root where the previously applied 3adm mode is
# cached. rootmnt is not set in this file; it is expected to come from the
# boot environment (assumption - confirm against /scripts/functions).
kysec_tmp="${rootmnt}/etc/kysec/tmp"

# Kernel securityfs node that receives the requested 3adm mode.
sysfs_entry="/sys/kernel/security/kysec/3adm"

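# Give the kysec, SELinux and audit files under ${rootmnt} the owner that
# matches the requested 3adm mode, and point the kysec D-Bus service at the
# matching account.
#
# Arguments:
#   $1 - "0": everything is owned by root (uid 0)
#        "1": kysec/SELinux files go to secadm (uid 600), audit files to uid 700
# Globals read:    rootmnt
# Globals written: user, uid, auduid, KYSEC_DEBUS_SERVICE, SELINUX_CONF
# Returns:
#   1, without touching any file, when $1 is empty or neither "0" nor "1";
#   otherwise the status of the last command that ran.
set_3adm_env()
{
	# These are shell globals. Reset them so that a value left over from an
	# earlier call or from the environment (in particular auduid=700) cannot
	# decide who ends up owning the audit files.
	user=
	uid=
	auduid=

	case "$1" in
		0)
			user="root"
			uid="0"
			;;
		1)
			user="secadm"
			uid="600"
			auduid="700"
			;;
		*)
			# An empty or unknown mode used to fall through with uid and
			# user unset, which ran chown with an empty owner and wrote an
			# empty "User=" line into the D-Bus service file. Refuse instead.
			echo "set_3adm_env: unsupported 3adm mode '$1', nothing changed" >&2
			return 1
			;;
	esac

	# NOTE(review): these paths are on the mounted root; chown follows a
	# symlink that is given as an operand. Confirm none of them can be
	# replaced by a non-root account between mode switches.
	chown "$uid":"$uid" "${rootmnt}/etc/kysec/kysec.conf"
	chown "$uid":"$uid" "${rootmnt}/etc/kysec/netctl/netctl.xml"
	chown -R "$uid":"$uid" "${rootmnt}/etc/selinux"
	chown -R "$uid":"$uid" "${rootmnt}/usr/share/selinux"
	chown -R "$uid":"$uid" "${rootmnt}/var/lib/sepolgen"
	chown -R "$uid":"$uid" "${rootmnt}/var/lib/selinux"

	# Audit configuration and logs get the dedicated audit uid in mode 1 and
	# the general owner otherwise. The glob stays outside the quotes on
	# purpose so that /etc/audi* still expands.
	chown -R "${auduid:-$uid}":"${auduid:-$uid}" "${rootmnt}"/etc/audi*
	chown -R "${auduid:-$uid}":"${auduid:-$uid}" "${rootmnt}/var/log/audit"

	KYSEC_DEBUS_SERVICE="${rootmnt}/usr/share/dbus-1/system-services/com.kylin.kysec.service"
	SELINUX_CONF="${rootmnt}/etc/selinux/config"

	if [ -f "$KYSEC_DEBUS_SERVICE" ]; then
		# Replace the whole "User=" line with the account for this mode, then
		# re-apply the security.kysec label to the edited file.
		sed -i "/^User=/cUser=$user" "$KYSEC_DEBUS_SERVICE"
		setfattr -n security.kysec -v none:none:original "$KYSEC_DEBUS_SERVICE"
	fi

	# if/fi rather than "&&": a missing SELinux config is not a failure of
	# this function.
	if [ -f "$SELINUX_CONF" ]; then
		setfattr -n security.kysec -v none:none:original "$SELINUX_CONF"
	fi
}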

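# Requested mode comes from the /.3adm marker (absent means "0"); the mode
# applied on the previous run is cached in $kysec_tmp/.3adm.
old_3adm="0"
new_3adm="0"

if [ -f "/.3adm" ]; then
	new_3adm=$(cat /.3adm)
fi

# The marker content decides who owns the SELinux policy and the audit logs
# and is written back to disk, so only the two known modes are acted on.
valid_3adm=yes
case "$new_3adm" in
	0|1)
		;;
	*)
		valid_3adm=no
		;;
esac

# Ownership is re-applied when no cached mode exists or when it differs from
# the requested one.
changed_3adm=yes
if [ -f "$kysec_tmp/.3adm" ]; then
	old_3adm=$(cat "$kysec_tmp/.3adm")
	if [ "x$new_3adm" = "x$old_3adm" ]; then
		changed_3adm=no
	fi
fi

if [ "$valid_3adm" = no ]; then
	log_failure_msg "kysec: unrecognised 3adm request, configuration left unchanged"
elif [ "$changed_3adm" = yes ]; then
	set_3adm_env "$new_3adm"
	if [ "x${new_3adm}" = "x1" ]; then
		# enable 3adm; remember whether the kernel accepted the write so that
		# success is only reported when it really happened
		enable_rc=0
		echo "$new_3adm" > "$sysfs_entry" || enable_rc=$?
		# The marker is a regular file (checked with -f above), so a
		# recursive delete is not needed.
		rm -f /.3adm
		if [ "$enable_rc" -eq 0 ]; then
			log_success_msg "kysec 3adm enabled"
		else
			log_failure_msg "kysec 3adm could not be enabled"
		fi
	fi
fi

# Cache the mode for the next run; an unrecognised value is never persisted.
# NOTE(review): the mode is still cached as "1" when the sysfs write failed,
# as before - confirm whether a retry on the next boot is wanted instead.
if [ "$valid_3adm" = yes ]; then
	echo "$new_3adm" > "$kysec_tmp/.3adm"
fi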
