#!/bin/sh

# initramfs-tools ordering: scripts that must run before this one.
PREREQ="security_set"
prereqs()
{
	printf '%s\n' "$PREREQ"
}

# initramfs-tools hook protocol: when invoked with "prereqs", print the
# ordering dependencies and exit without doing any work.
if [ "$1" = "prereqs" ]; then
	prereqs
	exit 0
fi

. /scripts/functions

# Helper binary inside the initramfs that marks files for kysec exec control.
kysec_init="/usr/sbin/kysec-init"
# Kernel toggle that receives the 3adm level when it is enabled.
sysfs_entry="/sys/kernel/security/kysec/3adm"
# State directory on the (already mounted) root filesystem; ${rootmnt}
# comes from the initramfs environment.
kysec_tmp="${rootmnt}/etc/kysec/tmp"

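#######################################
# Apply the file ownership and service-user settings that belong to a
# kysec "3adm" level on the mounted root filesystem.
# Globals:   rootmnt (read), kysec_init (read);
#            user, uid, auduid, KYSEC_DEBUS_SERVICE, KYSEC_SYSTEMD_SERVICE,
#            SELINUX_CONF (written; POSIX sh has no local, so they stay
#            shell-global after the call)
# Arguments: $1 - 3adm level: "0" (kysec/SELinux/audit files owned by
#            root) or "1" (owned by secadm uid 600, audit files by uid
#            700). An empty value is treated as "0".
# Returns:   0 on success; 1 for any other level, in which case nothing
#            on the root filesystem is touched.
#######################################
set_3adm_env()
{
	level=${1:-0}

	# Only the two known levels map to a user; anything else must not end
	# up as an empty "chown :" or "User=" and is rejected instead.
	case $level in
		0)
			user="root"
			uid="0"
			auduid="0"
			;;
		1)
			user="secadm"
			uid="600"
			auduid="700"
			;;
		*)
			echo "kysec: unsupported 3adm level '$level'" >&2
			return 1
			;;
	esac

	# kysec configuration and the SELinux policy trees follow $uid.
	[ -f "${rootmnt}/etc/kysec/kysec.conf" ] && chown "$uid":"$uid" "${rootmnt}/etc/kysec/kysec.conf"
	[ -f "${rootmnt}/etc/kysec/netctl/netctl.xml" ] && chown "$uid":"$uid" "${rootmnt}/etc/kysec/netctl/netctl.xml"
	[ -d "${rootmnt}/etc/selinux" ] && chown -R "$uid":"$uid" "${rootmnt}/etc/selinux"
	[ -d "${rootmnt}/usr/share/selinux" ] && chown -R "$uid":"$uid" "${rootmnt}/usr/share/selinux"
	[ -d "${rootmnt}/var/lib/sepolgen" ] && chown -R "$uid":"$uid" "${rootmnt}/var/lib/sepolgen"
	[ -d "${rootmnt}/var/lib/selinux" ] && chown -R "$uid":"$uid" "${rootmnt}/var/lib/selinux"

	# Audit configuration and logs follow $auduid (same as $uid at level 0).
	# The glob is expanded per entry so an unmatched pattern is skipped
	# instead of being passed to chown as a literal path.
	for audit_dir in "${rootmnt}"/etc/audi*; do
		[ -e "$audit_dir" ] && chown -R "$auduid":"$auduid" "$audit_dir"
	done
	[ -d "${rootmnt}/var/log/audit" ] && chown -R "$auduid":"$auduid" "${rootmnt}/var/log/audit"

	KYSEC_DEBUS_SERVICE="${rootmnt}/usr/share/dbus-1/system-services/com.kylin.kysec.service"
	KYSEC_SYSTEMD_SERVICE="${rootmnt}/lib/systemd/system/kysec-daemon.service"
	SELINUX_CONF="${rootmnt}/etc/selinux/config"

	# Point the D-Bus activation file at $user and mark it for exec control.
	if [ -f "$KYSEC_DEBUS_SERVICE" ]; then
		sed -i "/^User=/cUser=$user" "$KYSEC_DEBUS_SERVICE"
		${kysec_init} --set-exectl "$KYSEC_DEBUS_SERVICE"
	fi

	if [ -f "$KYSEC_SYSTEMD_SERVICE" ]; then
		# Look for a real User= directive at line start -- the same anchor the
		# replacement uses -- so a commented-out "#User=" cannot suppress the
		# insertion and leave the unit without a User= line.
		if grep -q '^User=' "$KYSEC_SYSTEMD_SERVICE"; then
			sed -i "/^User=/cUser=$user" "$KYSEC_SYSTEMD_SERVICE"
		else
			sed -i "/\[Service]/a\User=$user" "$KYSEC_SYSTEMD_SERVICE"
		fi
		${kysec_init} --set-exectl "$KYSEC_SYSTEMD_SERVICE"
	fi

	if [ -f "$SELINUX_CONF" ]; then
		${kysec_init} --set-exectl "$SELINUX_CONF"
	fi

	return 0
}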

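# The requested level comes from /.3adm inside the initramfs; the level
# applied on the previous boot is remembered under $kysec_tmp/.3adm on the
# root filesystem. Both default to "0" (3adm off).
old_3adm="0"
new_3adm="0"

if [ -f "/.3adm" ]; then
	new_3adm=$(cat /.3adm)
fi

if [ -f "$kysec_tmp/.3adm" ]; then
	old_3adm=$(cat "$kysec_tmp/.3adm")
fi

# Re-apply the environment on a first run (nothing remembered) or when the
# level changed; an unchanged level leaves the root filesystem alone.
if [ ! -f "$kysec_tmp/.3adm" ] || [ "x$new_3adm" != "x$old_3adm" ]; then
	set_3adm_env "$new_3adm"
	if [ "x${new_3adm}" = "x1" ]; then
		# enable 3adm in the kernel; report a failed write instead of
		# silently continuing with 3adm off
		if echo "$new_3adm" > "$sysfs_entry"; then
			log_success_msg "kysec 3adm enabled"
		else
			log_failure_msg "kysec: cannot write $sysfs_entry"
		fi
		# the request file is a plain file in the initramfs; consume it
		rm -f -- /.3adm
	fi
fi

# Remember the level that was handled for the next boot's comparison.
echo "$new_3adm" > "$kysec_tmp/.3adm"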

