#!/bin/sh

# Name of the initramfs script that must run before this one; handed back
# to initramfs-tools through prereqs() while it resolves the script order.
PREREQ='3adm_disable'

# Report this script's prerequisites for initramfs-tools ordering.
# Globals:  PREREQ (read)
# Outputs:  the value of PREREQ followed by a newline, on stdout
prereqs()
{
	printf '%s\n' "$PREREQ"
}

# initramfs-tools invokes every script with "prereqs" while it works out the
# run order; in that mode only the dependency list is printed and we stop.
if [ "$1" = "prereqs" ]; then
	prereqs
	exit 0
fi

# initramfs helper libraries.  show_message/clear_message and the ${rootmnt}
# and ${ROOT} variables used below are not defined in this script and are
# presumably provided by one of these two files — verify against them.
. /scripts/functions
. /scripts/security-functions

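clear

# Scratch directory on the real root shared with the kysec userspace tools.
# It is made world-writable with the sticky bit (1777), like /tmp.
kysec_tmp=${rootmnt}/etc/kysec/tmp

if [ -d "$kysec_tmp" ]; then
	chmod 1777 "$kysec_tmp"
else
	mkdir -p -m 1777 "$kysec_tmp"
fi

# Current kysec state as exposed by the kernel through securityfs; absent
# file means 0.  A status of 0 is taken as "kysec not active": record it in
# .status for the next boot to compare against and do nothing else.
securityfs_mnt=/sys/kernel/security
kysec_status_path="$securityfs_mnt/kysec/status"
kysec_status=0

if [ -e "$kysec_status_path" ]; then
	# NOTE(review): the value is used unvalidated in the numeric tests below;
	# a non-numeric read makes -eq fail (with a diagnostic on stderr) and the
	# script then carries on as if kysec were active.
	kysec_status=$(cat "$kysec_status_path")
fi

if [ "$kysec_status" -eq 0 ]; then
	echo "$kysec_status" > "$kysec_tmp/.status"
	exit 0
fi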

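# Write a new kysec state to the kernel through securityfs.
# Globals:   kysec_status_path (read)
# Arguments: $1 - the status value to write
# Returns:   the status of the redirection/printf
set_kysec_status()
{
	# printf rather than echo: the value is written verbatim, whatever it is.
	printf '%s\n' "$1" > "$kysec_status_path"
}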

# Kernel-command-line override (exectl=...) and the relabel mode taken from
# the whitelist database.  Both start empty and are filled in by
# get_relabel_flag; they are exported for the tools run later on.
exectl=
relabel_flag=
export exectl relabel_flag

# Marker file whose presence requests a relabel, and the whitelist database
# holding the relabel_status table.
relabel_file="${rootmnt}/.exectl"
kysec_whlist_db="${rootmnt}/etc/kysec/db/whlist.db"

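# Work out whether, and in which mode, the root file system is to be
# relabelled.
# Globals:   exectl, relabel_flag (written); relabel_file, kysec_whlist_db,
#            kysec_tmp, kysec_status (read)
# Outputs:   nothing on stdout; sqlite3 diagnostics go to stderr
# Returns:   the status of the last command run
get_relabel_flag()
{
	# exectl=<value> on the kernel command line.  The command line is
	# deliberately word-split here, one token per boot option.
	for x in $(cat /proc/cmdline); do
		case $x in
		exectl=*)
			exectl=${x#exectl=}
			;;
		esac
	done

	# The marker file or exectl=1 requests a relabel; the mode is read from
	# the relabel_status table.
	# NOTE(review): "select *" returns whole rows — this relies on the table
	# having a single column; confirm against the database schema.
	if [ -f "$relabel_file" ] || [ "x${exectl}" = "x1" ]; then
		relabel_flag=$(sqlite3 "$kysec_whlist_db" "select * from relabel_status;")
	fi

	# kysec was off at the previous boot (.status recorded 0) but is on now:
	# force mode 2 (exectl relabel) in the database as well as locally.
	# A non-numeric .status makes the -eq test fail and nothing is forced.
	if [ -f "$kysec_tmp/.status" ]; then
		prev_status=$(cat "$kysec_tmp/.status")
		if [ "$prev_status" -eq 0 ] && [ 0 -ne "$kysec_status" ]; then
			sqlite3 "$kysec_whlist_db" 'update relabel_status set relabel=2'
			relabel_flag=2
		fi
	fi
}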

# Userspace labeller driven by the relabel helpers below.
kysec_init=/usr/sbin/kysec-init

# Settle the relabel mode now; everything that follows keys off relabel_flag.
get_relabel_flag

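# Scan the root file system and (re)initialise the kysec labels of every
# regular file and symlink found, then label the root directory itself.
# Globals:   kysec_tmp, rootmnt, relabel_flag, kysec_init (read)
# Outputs:   progress via show_message; scan lists under $kysec_tmp
# Returns:   the status of the final setfattr
relabel_system_for_whlist()
{
	show_message "正在扫描文件系统..."

	# ":?" aborts instead of wiping "/*" should kysec_tmp ever be empty.
	rm -rf "${kysec_tmp:?}"/*

	# Top-level entries under the root minus pseudo file systems, mount
	# points and the root itself.  The exclusion list is built in the
	# positional parameters so every path stays one quoted word.
	set -- -path "${rootmnt}"
	for d in proc run sys dev tmp cdrom media mnt box backup data lost+found; do
		set -- "$@" -o -path "${rootmnt}/$d"
	done
	# No -depth here: GNU find documents -prune as having no effect when
	# -depth is given, which would defeat the exclusion list above.
	find "${rootmnt}" -maxdepth 1 \( "$@" \) -prune -o -print 1>"$kysec_tmp/scanf"

	# Expand each kept top-level entry into its regular files and symlinks,
	# one subtree per worker.
	xargs -I {} -P "$(nproc)" find {} \( -type f -o -type l \) -print \
		<"$kysec_tmp/scanf" 1>>"$kysec_tmp/scan"
	# Strip the ${rootmnt} prefix so the paths are relative to the real root.
	new=$(echo "${rootmnt}" | sed 's#\/#\\\/#g')
	sed -i "s/^${new}//g" "$kysec_tmp/scan"
	# Chunk the list, writing the pieces straight into kysec_tmp instead of
	# the current directory.
	split -l 3333 -d -a 4 "$kysec_tmp/scan" "$kysec_tmp/scan_"

	if [ "x$relabel_flag" = "x0" ]; then
		show_message "正在初始化系统Kysec安全标记，请稍候..."
		xargs -I {} -P "$(nproc)" "${kysec_init}" --set-xattr {} <"$kysec_tmp/scanf"
		"${kysec_init}" --rootmnt "${rootmnt}" --set-special
	elif [ "x$relabel_flag" = "x2" ]; then
		show_message "正在初始化系统执行控制安全标记，请稍候..."
		xargs -I {} -P "$(nproc)" "${kysec_init}" --relabel-exectl --set-xattr {} <"$kysec_tmp/scanf"
		"${kysec_init}" --rootmnt "${rootmnt}" --relabel-exectl --set-special
	fi

	# The root directory itself gets the "trusted" label last.
	setfattr -n security.kysec -v none:none:trusted "${rootmnt}"
}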

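# Relabel using the stored whitelist (presumably without a full scan —
# confirm against kysec-init's --from-whlist).
# Globals:   kysec_init, rootmnt (read)
# Outputs:   progress via show_message
# Returns:   the status of kysec-init
relabel_system_from_whlist()
{
	show_message "正在初始化系统执行控制安全标记，请稍候..."
	"${kysec_init}" --rootmnt "${rootmnt}" --from-whlist
}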

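# Make the real root writable, provide the pseudo file systems the labeller
# needs, run the requested relabel and put everything back.
# Globals:   kysec_status, ROOT, rootmnt (read); old_value (written)
# Arguments: $1 - "all" for a full scan and relabel, "whlist" to relabel
#            from the whitelist database; anything else only remounts
# Returns:   the status of the final umount
do_remount()
{
	old_value=$kysec_status

	mount -o remount,rw "${ROOT}" "${rootmnt}"

	# kysec is switched to status 4 while the labels are rewritten
	# (presumably a relabel-permitting mode — confirm against the kysec
	# documentation) and restored to old_value below.
	if [ 0 -ne "$kysec_status" ]; then
		set_kysec_status 4
	fi

	mount -t proc -o nodev,noexec,nosuid proc "$rootmnt/proc"
	mount -t sysfs -o nodev,noexec,nosuid sys "$rootmnt/sys"
	mount -t devtmpfs udev "$rootmnt/dev"

	chroot "${rootmnt}" /bin/mount -a

	case "$1" in
	all)
		relabel_system_for_whlist
		;;
	whlist)
		relabel_system_from_whlist
		;;
	esac

	#rm -f $relabel_file

	# Restore the previous state regardless of how the relabel went.  There
	# is no trap, so a run interrupted before this point leaves status 4.
	if [ 0 -ne "$kysec_status" ]; then
		set_kysec_status "$old_value"
	fi

	umount "$rootmnt/dev"
	umount "$rootmnt/sys"
	umount "$rootmnt/proc"
}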

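# Act on the relabel mode; relabel_flag is empty when nothing requested one.
#   0 / 2 - full scan and relabel (kysec labels / exectl labels)
#   1     - relabel from the whitelist is commented out; only the marker
#           file is consumed
if [ -n "$relabel_flag" ]; then
	if [ "x$relabel_flag" = "x0" ] || [ "x$relabel_flag" = "x2" ]; then
		# Quieten the kernel console during the relabel: the first field of
		# /proc/sys/kernel/printk is the console log level, saved here and
		# restored afterwards.
		level=$(awk '{print $1}' /proc/sys/kernel/printk)
		show_message "文件系统Kysec安全标记需要重新初始化"
		echo 1 > /proc/sys/kernel/printk

		do_remount all
		# enable kernel messages
		echo "$level" > /proc/sys/kernel/printk
		clear_message
	elif [ "x$relabel_flag" = "x1" ]; then
		#do_remount whlist
		rm -f "$relabel_file"
	fi
	# Record the state kysec was in at this boot; get_relabel_flag compares
	# it with the live status next time.
	echo "$kysec_status" > "$kysec_tmp/.status"
fi

# The cached keyboard-setup script gets the "original" label (presumably so
# it keeps running under exec control — confirm with the kysec policy).
[ -e "${rootmnt}/etc/console-setup/cached_setup_keyboard.sh" ] && \
	setfattr -n security.kysec -v none:none:original "${rootmnt}/etc/console-setup/cached_setup_keyboard.sh"

clear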
