#!/bin/sh

PREREQ="3adm_disable"

prereqs()
{
	echo "$PREREQ"
}

case $1 in
	prereqs)
		prereqs
		exit 0
		;;
esac

. /scripts/functions
. /scripts/security-functions

clear

kysec_tmp=${rootmnt}/etc/kysec/tmp

if [ -d "$kysec_tmp" ]; then
	chmod 1777 $kysec_tmp
else
	mkdir -p -m 1777 $kysec_tmp
fi

securityfs_mnt=/sys/kernel/security
kysec_status_path="$securityfs_mnt/kysec/status"
kysec_version_path="$securityfs_mnt/kysec/version"
kysec_status=0

if [ -e "$kysec_status_path" ]; then
	kysec_status=$(cat "$kysec_status_path")
fi

if [ "$kysec_status" -eq 0 ]; then
	echo "$kysec_status" > $kysec_tmp/.status
	exit 0
fi

set_kysec_status()
{
	echo $1 > $kysec_status_path
}

export exectl=
export relabel_flag=

relabel_file=${rootmnt}/.exectl
kysec_whlist_db=${rootmnt}/etc/kysec/db/whlist.db

# 该文件为一个标志文件,是否将文件记录到kid资源数据库中
# 若该文件不存在,则全局打标的时候(relabel_status =0 )将资源记录到kid资源数据库中,
# 反之,则不记录.
label_inited=${rootmnt}/etc/kysec/tmp/.label_inited

get_relabel_flag()
{
	for x in $(cat /proc/cmdline); do
		case $x in
		exectl=*)
			exectl=${x#exectl=}
			;;
		esac
	done

	if [ -f "$relabel_file" -o "x${exectl}" = "x1" ]; then
		relabel_flag=$(sqlite3 "$kysec_whlist_db" "select * from relabel_status;")
	fi

	if [ -f $kysec_tmp/.status ]; then
		if [ "x$relabel_flag" != "x0" -a $(cat "$kysec_tmp/.status") -eq 0 -a 0 -ne $kysec_status ]; then
			sqlite3 $kysec_whlist_db 'update relabel_status set relabel=2';
			relabel_flag=2
		fi
	fi

	local support_version="5.0"
	local current_version=$(cat "$kysec_version_path")

	if [ "x$relabel_flag" != "x0" ]; then
		if [ ! -e "$kysec_tmp/.version" ]; then
			[ "$current_version" \> "$support_version" -o "$current_version" = "$support_version" ] && relabel_flag=0
		else
			if [ "$(cat "$kysec_tmp/.version")" \> "$support_version" -o "$(cat "$kysec_tmp/.version")" = "$support_version" ]; then
				[ "$current_version" \< "$support_version" ] && relabel_flag=0
			elif [ "$(cat "$kysec_tmp/.version")" \< "$support_version" ]; then
				[ "$current_version" \> "$support_version"  -o "$current_version" = "$support_version" ] && relabel_flag=0
			fi
		fi
		[ "x$relabel_flag" = "x0" ] && sqlite3 $kysec_whlist_db 'update relabel_status set relabel=0';
	fi

	echo "$current_version" > $kysec_tmp/.version
}

get_relabel_flag

priv_kid_sql_file="$kysec_tmp/priv_kid.sql"

update_user_priv_kid()
{
	echo -n > "$priv_kid_sql_file"

	if [ -d "${rootmnt}/home" ]; then
		for dir in "${rootmnt}"/home/*
		do
			user=$(echo "${rootmnt}" | sed 's#\/#\\\/#g')
			user=$(echo "$dir" | sed 's/^'${user}'//g')
			echo "INSERT INTO \"v_kid_res\" (KID, ResourceType, Resource) VALUES (999, 2, "\'$user\'");" >> "$priv_kid_sql_file"
		done
	fi

	sqlite3 "$kysec_whlist_db" < "$priv_kid_sql_file"
	sync
}

update_skel_priv_kid()
{
	echo -n > "$priv_kid_sql_file"

	. "${rootmnt}/etc/adduser.conf"

	for tmp in "${rootmnt}$SKEL"/*
	do
		dir_tmp=$(echo "${rootmnt}" | sed 's#\/#\\\/#g')
		dir=$(echo "$tmp" | sed 's/^'${dir_tmp}'//g')
		echo "INSERT INTO \"v_kid_res\" (KID, ResourceType, Resource) VALUES (10000+0x1000000, 2, "\'$dir\'");" >> "$priv_kid_sql_file"
	done

	sqlite3 "$kysec_whlist_db" < "$priv_kid_sql_file"
	sync
}

. ${rootmnt}/etc/default/locale

# 根据安装系统选择的语言设置，选择要显示的语言
# $1 为简体中文
# $2 为繁体中文
# $3 为藏文
# $4 为蒙古文
# $5 为英文
# 非以上语言环境默认显示简体中文
translate_message()
{
	case "$LANG" in
		zh_CN.*)
			echo "$1"
		;;
		zh_HK.*)
			echo "$2"
		;;
		bo_CN.*)
			echo "$3"
		;;
		mn_MN.*)
			echo "$4"
		;;
		en_US.*)
			echo "$5"
		;;
		*)
			echo "$1"
		;;
	esac
}

kysec_init=/usr/sbin/kysec-init

relabel_system_for_whlist()
{
	local zh_CN_msg="正在扫描文件系统……"
	local zh_HK_msg="正在掃描文件系統……"
	local bo_CN_msg="ཡིག་ཆའི་མ་ལག "
	local mn_MN_msg="ᠶᠠᠭ ᠹᠠᠶᠢᠯ ᠤᠨ ᠰᠢᠰᠲ᠋ᠡᠮ ᠢ ᠰᠢᠷᠪᠢᠵᠦ ᠪᠠᠶᠢᠨ᠎ᠠ ᠁"
	local en_CN_msg="Scanning file systems ..."
	local msg="$(translate_message "$zh_CN_msg" "$zh_HK_msg" "$bo_CN_msg" "$mn_MN_msg" "$en_CN_msg")"
	show_message "$msg"

	rm -rf $kysec_tmp/*

	find ${rootmnt} -depth -maxdepth 1 \( -path ${rootmnt}/proc -o -path ${rootmnt}/run -o -path ${rootmnt}/sys -o -path ${rootmnt}/dev -o -path ${rootmnt}/tmp -o -path ${rootmnt}/cdrom -o -path ${rootmnt}/media -o -path ${rootmnt}/mnt -o -path ${rootmnt}/box -o -path ${rootmnt}/backup -o -path ${rootmnt}/data -o -path ${rootmnt}/lost+found -o -path ${rootmnt} \) -prune -o -print 1>$kysec_tmp/scanf
	cat $kysec_tmp/scanf | xargs -i -P $(nproc) find {} \( -type f -o -type l \) -print 1>>$kysec_tmp/scan
	local new=$(echo ${rootmnt} | sed 's#\/#\\\/#g')
	sed -i 's/^'${new}'//g' $kysec_tmp/scan
	split -l 3333 $kysec_tmp/scan -d -a 4 scan_
	mv scan_* $kysec_tmp

	if [ "x$relabel_flag" = "x0" ]; then
		zh_CN_msg="正在初始化系统KySec安全标记，请稍候……"
		zh_HK_msg="正在初始化系統KySec安全標記，請稍候……"
		bo_CN_msg="ཐོག་མར་འགྱུར་བཞིན་པའི་མ་ལགKySecབདེ་འཇགས་མཚོན་རྟགས།ཅུང་ཙམ་སྒུག་རོགས།"
		mn_MN_msg="ᠶᠠᠭ ᠰᠢᠰᠲ᠋ᠧᠮ KySec ᠠᠶᠤᠯᠭᠦᠢ ᠲᠡᠮᠳᠡᠭ ᠢ᠋ ᠠᠩᠬᠠᠵᠢᠭᠤᠯᠵᠤ ᠪᠠᠢᠨ᠎ᠠ ᠂ ᠲᠦᠷ ᠬᠦᠯᠢᠶᠡᠭᠡᠷᠡᠢ ᠁"
		en_CN_msg="Initializing system KySec security labels, please wait ..."
		msg="$(translate_message "$zh_CN_msg" "$zh_HK_msg" "$bo_CN_msg" "$mn_MN_msg" "$en_CN_msg")"
		show_message "$msg"
		cat $kysec_tmp/scanf | xargs -i -P $(nproc) ${kysec_init} --rootmnt ${rootmnt} --with-old --set-xattr {}
		${kysec_init} --rootmnt ${rootmnt} --with-old --set-special
		${kysec_init} --rootmnt ${rootmnt} --init-kid-db  # 将scan_*包含的文件内容记录到kid资源表中,默认类别为9999 系统类
	elif [ "x$relabel_flag" = "x2" ]; then
		zh_CN_msg="正在初始化系统执行控制安全标记，请稍候……"
		zh_HK_msg="正在初始化系統執行控制安全標記，請稍候……"
		bo_CN_msg="ཐོག་མར་ཅན་གྱི་མ་ལག་གིས་བདེ་འཇགས་བརྡ་རྟགས་ལག་བསྟར་བྱེད་བཞིན་ཡོད།ཅུང་ཙམ་སྒུག་རོགས།"
		mn_MN_msg="ᠶᠠᠭ ᠰᠢᠰᠲ᠋ᠡᠮ ᠤᠨ ᠭᠦᠢᠴᠡᠳᠬᠡᠬᠦ ᠡᠵᠡᠮᠰᠢᠯ ᠤᠨ ᠠᠶᠤᠯᠭᠦᠢ ᠶᠢᠨ ᠲᠡᠮᠳᠡᠭ ᠢ ᠠᠩᠬᠠᠵᠢᠭᠤᠯᠵᠤ ᠪᠠᠶᠢᠨ᠎ᠠ ᠲᠦᠷ ᠬᠦᠯᠢᠶᠡᠭᠡᠷᠡᠢ ᠁"
		en_CN_msg="Initializing system execution control security labels, please wait ..."
		msg="$(translate_message "$zh_CN_msg" "$zh_HK_msg" "$bo_CN_msg" "$mn_MN_msg" "$en_CN_msg")"
		show_message "$msg"
		cat $kysec_tmp/scanf | xargs -i -P $(nproc) ${kysec_init} --relabel-exectl --set-xattr {}
		${kysec_init} --rootmnt ${rootmnt} --relabel-exectl --set-special
	fi

	zh_CN_msg="正在初始化系统完整性控制安全标记，请稍候……"
	zh_HK_msg="正在初始化系統完整性控制安全標記，請稍候……"
	bo_CN_msg="ཐོག་མ་ཅན་གྱི་རྒྱུད་ཁོངས་ཆ་ཚང་རང་བཞིན་གྱི་ཚོད་འཛིན་བདེ་འཇགས་རྟགས་མཚན་བྱེད་བཞིན་ཡོད།ཅུང་ཙམ་སྒུག་རོགས།"
	mn_MN_msg="ᠶᠠᠭ ᠰᠢᠰᠲ᠋ᠡᠮ ᠦᠨ ᠪᠦᠷᠢᠨ ᠪᠦᠲᠦᠨ ᠴᠢᠨᠠᠷ ᠲᠠᠢ ᠠᠮᠤᠷ ᠲᠦᠪᠰᠢᠨ ᠤ ᠲᠡᠮᠳᠡᠭ ᠢ ᠠᠩᠬᠠᠵᠢᠭᠤᠯᠵᠤ ᠪᠠᠶᠢᠨ᠎ᠠ ᠲᠦᠷ ᠬᠦᠯᠢᠶᠡᠭᠡᠷᠡᠢ ᠁"
	en_CN_msg="Initializing the System Integrity Control security labels, please wait ..."
	msg="$(translate_message "$zh_CN_msg" "$zh_HK_msg" "$bo_CN_msg" "$mn_MN_msg" "$en_CN_msg")"
	show_message "$msg"

	update_user_priv_kid
	update_skel_priv_kid
	${kysec_init} --rootmnt ${rootmnt} --set-kid --set-netid
}

do_remount()
{
	local old_value=$kysec_status

	mount -o remount,rw ${ROOT} ${rootmnt}

	[ 0 -ne "$kysec_status" ] && set_kysec_status 4

	mount -t proc -o nodev,noexec,nosuid proc "$rootmnt/proc"
	mount -t sysfs -o nodev,noexec,nosuid sys "$rootmnt/sys"
	mount -t devtmpfs udev "$rootmnt/dev"

	chroot "${rootmnt}" /bin/mount -a

	if [ "$1" = "all" ]; then
		relabel_system_for_whlist
	fi

	[ 0 -ne "$kysec_status" ] && set_kysec_status $old_value

	umount "$rootmnt/dev"
	umount "$rootmnt/sys"
	umount "$rootmnt/proc"
}

do_relabel()
{
	# disable kernel messages temporarily
	local level=`cat /proc/sys/kernel/printk | awk '{print $1}'`
	local zh_CN_msg="文件系统KySec安全标记需要重新初始化"
	local zh_HK_msg="文件系統KySec安全標記需要重新初始化"
	local bo_CN_msg="ཡིག་ཆའི་རྒྱད་ཁོངས་KySecབདེ་འཇགས་རྟགས་མཚན་ཡང་བསྐྱར་ཐོག་མའི་རྣམ་པ་།"
	local mn_MN_msg="ᠹᠠᠢᠯ ᠤ᠋ᠨ ᠱᠢᠰᠲ᠋ᠧᠮ ᠦ᠋ᠨ KySec ᠠᠶᠤᠯᠭᠦᠢ ᠲᠡᠮᠳᠡᠭ ᠳᠠᠬᠢᠨ ᠠᠩᠬᠠᠵᠢᠭᠤᠯᠬᠤ ᠬᠡᠷᠡᠭᠲᠡᠢ"
	local en_CN_msg="The file system KySec security labels needs to be reinitialized"
	local msg="$(translate_message "$zh_CN_msg" "$zh_HK_msg" "$bo_CN_msg" "$mn_MN_msg" "$en_CN_msg")"
	show_message "$msg"
	echo 1 > /proc/sys/kernel/printk

	do_remount all

	echo 1 > ${label_inited}
	# enable kernel messages
	echo "$level" > /proc/sys/kernel/printk
	clear_message
}

if [ -n "$relabel_flag" ];then
	if [ "x$relabel_flag" = "x0" -o "x$relabel_flag" = "x2" ]; then
		do_relabel
	elif [ "x$relabel_flag" = "x1" ]; then
		rm -f $relabel_file
	fi
	echo "$kysec_status" > $kysec_tmp/.status
fi


[ -e ${rootmnt}/etc/console-setup/cached_setup_keyboard.sh ] && \
	${kysec_init} --set-exectl ${rootmnt}/etc/console-setup/cached_setup_keyboard.sh

[ -e ${rootmnt}/usr/bin/mount ] && \
	${kysec_init} --set-exectl ${rootmnt}/usr/bin/mount

clear
