#!/bin/sh

# Name of the boot script that has to run before this one.
PREREQ="3adm_disable"

# Print the prerequisite list held in PREREQ on stdout.
prereqs()
{
	echo "$PREREQ"
}

# When called with the single argument "prereqs", report the
# prerequisites and stop without running the rest of the script.
if [ "$1" = "prereqs" ]; then
	prereqs
	exit 0
fi

. /scripts/functions
. /scripts/security-functions

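clear

# Scratch directory on the mounted root filesystem. Later parts of this
# script keep the saved status file (.status) and the scan lists here.
#
# NOTE(review): mode 1777 lets every local account create entries in this
# directory, yet .status is read back on a later boot and steers the
# relabel decision. Consider a root-only mode for this state; confirm
# first that no unprivileged component has to write here.
kysec_tmp=${rootmnt}/etc/kysec/tmp

# Quote the path so a root mount point containing whitespace or glob
# characters is still handled as a single argument.
if [ -d "$kysec_tmp" ]; then
	chmod 1777 "$kysec_tmp"
else
	mkdir -p -m 1777 "$kysec_tmp"
fi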

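securityfs_mnt=/sys/kernel/security
kysec_status_path="$securityfs_mnt/kysec/status"
kysec_status=0

# Take the current KySec status from securityfs when the node exists;
# without the node the default of 0 is kept.
if [ -e "$kysec_status_path" ]; then
	kysec_status=$(cat "$kysec_status_path")
fi

# With status 0 there is nothing to relabel: remember the value for the
# next boot and leave. The redirect target is quoted so the path stays a
# single word.
# NOTE(review): an empty or non-numeric status makes the test below fail
# with an error and the script carries on as if the status were non-zero.
if [ "$kysec_status" -eq 0 ]; then
	echo "$kysec_status" > "$kysec_tmp/.status"
	exit 0
fi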

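# Write a new status value to the KySec status node.
# Globals:   kysec_status_path (read)
# Arguments: $1 - status value to write
set_kysec_status()
{
	# Both the value and the target are quoted: an unquoted redirect
	# target is split or rejected when the path contains whitespace.
	echo "$1" > "$kysec_status_path"
}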

# Both values start out empty and are filled in by get_relabel_flag;
# they are exported so child processes see them as well.
exectl=
relabel_flag=
export exectl relabel_flag

# Marker file on the root filesystem and the KySec whitelist database.
relabel_file="${rootmnt}/.exectl"
kysec_whlist_db="${rootmnt}/etc/kysec/db/whlist.db"

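# Work out whether a relabel pass is wanted and store the answer in
# relabel_flag.
# Globals:
#   exectl          (written) value of exectl= on the kernel command line
#   relabel_flag    (written) row read from relabel_status, or 2
#   relabel_file, kysec_whlist_db, kysec_tmp, kysec_status (read)
get_relabel_flag()
{
	local x prev_status

	# Word splitting is intended here: every whitespace-separated token
	# of the kernel command line is inspected in turn.
	for x in $(cat /proc/cmdline); do
		case "$x" in
		exectl=*)
			exectl=${x#exectl=}
			;;
		esac
	done

	if [ -f "$relabel_file" ] || [ "x${exectl}" = "x1" ]; then
		relabel_flag=$(sqlite3 "$kysec_whlist_db" "select * from relabel_status;")
	fi

	if [ -f "$kysec_tmp/.status" ]; then
		prev_status=$(cat "$kysec_tmp/.status")
		# The saved status lives in a directory this script creates with
		# mode 1777, so its content is not trusted: accept only a plain
		# decimal number and never expand it unquoted inside a test.
		case "$prev_status" in
		''|*[!0-9]*)
			# Empty or malformed content: ignored, as a failing
			# comparison was before.
			;;
		*)
			# Saved status was 0 and the current status is not: request
			# the relabel variant selected by flag value 2.
			if [ "$prev_status" -eq 0 ] && [ 0 -ne "$kysec_status" ]; then
				sqlite3 "$kysec_whlist_db" 'update relabel_status set relabel=2'
				relabel_flag=2
			fi
			;;
		esac
	fi
}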

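get_relabel_flag

# Load the installed system's locale settings; translate_message reads
# LANG from them. A POSIX sh aborts the whole script when "." cannot
# open its file, so only source the file when it is readable; without it
# LANG stays as it is and messages fall back to English.
# NOTE(review): sourcing runs the file's whole content as shell code in
# this boot environment. Reading only the LANG assignment would shrink
# the trust placed in the file.
if [ -r "${rootmnt}/etc/default/locale" ]; then
	. "${rootmnt}/etc/default/locale"
fi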

# Pick the text to display according to the language chosen when the
# system was installed.
# $1 - Chinese text
# $2 - English text
# $3 - Tibetan text
# Any locale other than these three falls back to English.
translate_message()
{
	# English is the default; only the Chinese and Tibetan locales
	# override it.
	local text="$2"

	case "$LANG" in
		zh_CN.*) text="$1" ;;
		bo_CN.*) text="$3" ;;
	esac

	echo "$text"
}

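kysec_init=/usr/sbin/kysec-init

# Scan the root filesystem and have kysec-init write KySec labels.
# Globals:
#   rootmnt, kysec_tmp, kysec_init, relabel_flag (read)
# Files written under $kysec_tmp:
#   scanf   - top-level entries of the root filesystem that are scanned
#   scan    - every regular file and symlink below those entries
#   scan_*  - "scan" split into pieces of 3333 lines
relabel_system_for_whlist()
{
	local zh_CN_msg="正在扫描文件系统..."
	local en_CN_msg="Scanning file systems ......"
	local bo_CN_msg="ཡིག་ཆའི་མ་ལག "
	local msg new jobs
	msg="$(translate_message "$zh_CN_msg" "$en_CN_msg" "$bo_CN_msg")"
	show_message "$msg"

	# Number of parallel workers, computed once; fall back to a single
	# worker when nproc is unavailable.
	jobs=$(nproc) || jobs=1

	# Empty the scratch directory. ":?" aborts instead of expanding to
	# "/*" should the variable ever be empty. The glob skips dot files,
	# so the saved .status file stays in place.
	rm -rf "${kysec_tmp:?}"/*

	# List the top-level entries of the root filesystem, leaving out
	# pseudo filesystems, removable/data mounts and the root itself.
	find "${rootmnt}" -depth -maxdepth 1 \( \
		-path "${rootmnt}/proc" -o -path "${rootmnt}/run" \
		-o -path "${rootmnt}/sys" -o -path "${rootmnt}/dev" \
		-o -path "${rootmnt}/tmp" -o -path "${rootmnt}/cdrom" \
		-o -path "${rootmnt}/media" -o -path "${rootmnt}/mnt" \
		-o -path "${rootmnt}/box" -o -path "${rootmnt}/backup" \
		-o -path "${rootmnt}/data" -o -path "${rootmnt}/lost+found" \
		-o -path "${rootmnt}" \) -prune -o -print 1>"$kysec_tmp/scanf"

	# Walk every listed entry in parallel and collect files and symlinks.
	# NOTE(review): the parallel find processes all append to one file;
	# confirm their output cannot interleave in the middle of a line.
	xargs -I {} -P "$jobs" find {} \( -type f -o -type l \) -print \
		<"$kysec_tmp/scanf" 1>>"$kysec_tmp/scan"

	# Strip the root mount prefix so the list holds paths as the booted
	# system sees them. Only "/" is escaped for sed; a mount point with
	# other regex metacharacters would need more escaping.
	new=$(printf '%s\n' "${rootmnt}" | sed 's#\/#\\\/#g')
	sed -i "s/^${new}//g" "$kysec_tmp/scan"

	# Write the pieces straight into the scratch directory instead of
	# the current directory followed by a glob-based move.
	split -l 3333 -d -a 4 "$kysec_tmp/scan" "$kysec_tmp/scan_"

	if [ "x$relabel_flag" = "x0" ]; then
		zh_CN_msg="正在初始化系统KySec安全标记，请稍候..."
		en_CN_msg="Initializing system KySec security labels, please wait ......"
		bo_CN_msg="ཐོག་མར་འགྱུར་བཞིན་པའི་མ་ལགKySecབདེ་འཇགས་མཚོན་རྟགས།ཅུང་ཙམ་སྒུག་རོགས།"
		msg="$(translate_message "$zh_CN_msg" "$en_CN_msg" "$bo_CN_msg")"
		show_message "$msg"
		xargs -I {} -P "$jobs" "${kysec_init}" --set-xattr {} <"$kysec_tmp/scanf"
		"${kysec_init}" --rootmnt "${rootmnt}" --set-special
	elif [ "x$relabel_flag" = "x2" ]; then
		zh_CN_msg="正在初始化系统执行控制安全标记，请稍候..."
		en_CN_msg="Initializing system execution control security labels, please wait ......"
		bo_CN_msg="ཐོག་མར་ཅན་གྱི་མ་ལག་གིས་བདེ་འཇགས་བརྡ་རྟགས་ལག་བསྟར་བྱེད་བཞིན་ཡོད།ཅུང་ཙམ་སྒུག་རོགས།"
		msg="$(translate_message "$zh_CN_msg" "$en_CN_msg" "$bo_CN_msg")"
		show_message "$msg"
		xargs -I {} -P "$jobs" "${kysec_init}" --relabel-exectl --set-xattr {} <"$kysec_tmp/scanf"
		"${kysec_init}" --rootmnt "${rootmnt}" --relabel-exectl --set-special
	fi

	# Label the root directory itself; the scan above leaves it out.
	setfattr -n security.kysec -v none:none:trusted "${rootmnt}"
}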

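# Remount the root filesystem read-write, mount the pseudo filesystems
# and everything in its fstab, optionally run the relabel pass, then
# restore the KySec status and unmount the pseudo filesystems again.
# Globals:   ROOT, rootmnt, kysec_status (read)
# Arguments: $1 - "all" to run relabel_system_for_whlist
do_remount()
{
	# Kept local so the saved value cannot be overwritten by other code
	# while the relabel runs.
	local old_value="$kysec_status"

	# ${ROOT:+...} passes the device as one word when it is set and drops
	# the argument entirely when it is empty, as the unquoted form did.
	mount -o remount,rw ${ROOT:+"$ROOT"} "${rootmnt}"

	# Switch KySec to status 4 for the duration of the relabel.
	# NOTE(review): the meaning of 4 is not visible in this file --
	# presumably a mode that permits rewriting labels; confirm.
	[ 0 -ne "$kysec_status" ] && set_kysec_status 4

	mount -t proc -o nodev,noexec,nosuid proc "$rootmnt/proc"
	mount -t sysfs -o nodev,noexec,nosuid sys "$rootmnt/sys"
	mount -t devtmpfs udev "$rootmnt/dev"

	chroot "${rootmnt}" /bin/mount -a

	if [ "$1" = "all" ]; then
		relabel_system_for_whlist
	fi

	#rm -f $relabel_file

	# Put the status back to what it was before the relabel.
	[ 0 -ne "$kysec_status" ] && set_kysec_status "$old_value"

	umount "$rootmnt/dev"
	umount "$rootmnt/sys"
	umount "$rootmnt/proc"
}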

# Announce the relabel, quieten kernel console messages while it runs,
# perform the full remount-and-relabel pass, then restore the log level.
do_relabel()
{
	local level zh_CN_msg en_CN_msg bo_CN_msg msg

	# First field of printk: the console log level to restore later.
	level=$(awk '{print $1}' /proc/sys/kernel/printk)

	zh_CN_msg="文件系统KySec安全标记需要重新初始化"
	en_CN_msg="The file system KySec security labels needs to be reinitialized"
	bo_CN_msg="ཡིག་ཆའི་རྒྱད་ཁོངས་KySecབདེ་འཇགས་རྟགས་མཚན་ཡང་བསྐྱར་ཐོག་མའི་རྣམ་པ་།"
	msg=$(translate_message "$zh_CN_msg" "$en_CN_msg" "$bo_CN_msg")
	show_message "$msg"

	# Kernel messages off for the duration of the relabel ...
	echo 1 > /proc/sys/kernel/printk

	do_remount all

	# ... and back to the saved level afterwards.
	echo "$level" > /proc/sys/kernel/printk
	clear_message
}

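# Act on the relabel decision: flags 0 and 2 run a relabel pass, flag 1
# only removes the marker file. Whenever a flag was set, the current
# status is saved for comparison on the next boot.
if [ -n "$relabel_flag" ]; then
	case "$relabel_flag" in
	0|2)
		do_relabel
		;;
	1)
		rm -f "$relabel_file"
		;;
	esac
	# NOTE(review): this file is written inside a directory created with
	# mode 1777; a root-only location would keep it out of reach of
	# other accounts.
	echo "$kysec_status" > "$kysec_tmp/.status"
fi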

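# Set fixed KySec labels on two files when they exist. Paths are quoted
# so a root mount point with whitespace is still a single argument.
if [ -e "${rootmnt}/etc/console-setup/cached_setup_keyboard.sh" ]; then
	setfattr -n security.kysec -v none:none:original "${rootmnt}/etc/console-setup/cached_setup_keyboard.sh"
fi

if [ -e "${rootmnt}/usr/bin/mount" ]; then
	setfattr -n security.kysec -v none:readonly:original "${rootmnt}/usr/bin/mount"
fi

clear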
