#!/bin/sh

# Boot scripts that must run before this one (initramfs-tools style ordering).
# NOTE(review): judging by its name, "_load_selinux_policy" is the script that
# loads the SELinux policy; confirm it exists in the same scripts directory.
PREREQ="_load_selinux_policy"

# prereqs - print the prerequisite list held in $PREREQ.
# Globals:   PREREQ (read)
# Arguments: none
# Outputs:   the value of $PREREQ followed by a newline, on stdout
prereqs() {
	printf '%s\n' "${PREREQ}"
}

# Dependency query: when the first argument is exactly "prereqs", print the
# prerequisite list and exit successfully without doing anything else.
# Any other invocation (including no argument) falls through.
# NOTE(review): in the file as shown, everything after this dispatch is
# commented out, so a normal run performs no LSM/SELinux/kysec configuration.
if [ "${1:-}" = "prereqs" ]; then
	prereqs
	exit 0
fi

#. /scripts/functions
#
#SECURITY_MNT_DIR=/sys/kernel/security
#KYSEC_VERSION_PATH=$SECURITY_MNT_DIR/kysec/version
#
#KYLIN_SECURITY_CONF=${rootmnt}/etc/kysec/kysec.conf
#LSM=$SECURITY_MNT_DIR/lsm
#
#[ ! -e "$KYLIN_SECURITY_CONF" -o ! -e "$LSM" ] && exit 0
#
#SECURITY=$(awk -F '[ ="]' '/security|lsm/{gsub(",", " ", $5); print $5}' "$KYLIN_SECURITY_CONF")
#SECURITY_LSM=$(awk -F , '{gsub(",", " ", $0); print $0}' "$LSM")
#
##security_in_grub=0
##selinux_in_grub=0
#enforcing_in_grub=0
#kysec_status_in_grub=0
#kysec_exectl_in_grub=0
#kysec_netctl_in_grub=0
#kysec_3adm_in_grub=0
#kysec_ppro_in_grub=0
#kysec_devctl_in_grub=0
#kysec_sm_in_grub=0
#kysec_ipt_in_grub=0
#kic_status_in_grub=0
#kysec_pblk_in_grub=0
#kysec_eperm_in_grub=0
#
#check_kid_support()
#{
#	support_version="5.0"
#	current_version=$(cat "$kysec_version_path")
#
#	if [ "$current_version" \< "$support_version" ]; then
#		echo "false"
#	else
#		echo "true"
#	fi
#}
#
#for x in $(cat /proc/cmdline)
#do
#	case $x in
#		#security=*|lsm=*)
#		#	security_in_grub=1
#		#	;;
#		#selinux=*)
#		#	selinux_in_grub=1
#		#	;;
#		enforcing=*)
#			enforcing_in_grub=1
#			;;
#		kysec_status=*)
#			kysec_status_in_grub=1
#			;;
#		kysec_exectl=*)
#			kysec_exectl_in_grub=1
#			;;
#		kysec_netctl=*)
#			kysec_netctl_in_grub=1
#			;;
#		kysec_3adm=*)
#			kysec_3adm_in_grub=1
#			;;
#		kysec_ppro=*)
#			kysec_ppro_in_grub=1
#			;;
#		kysec_devctl=*)
#			kysec_devctl_in_grub=1
#			;;
#		kysec_sm=*)
#			kysec_sm_in_grub=1
#			;;
#		kysec_ipt=*)
#			kysec_ipt_in_grub=1
#			;;
#		kic_status=*)
#			kic_status_in_grub=1
#			;;
#		kysec_pblk=*)
#			kysec_pblk_in_grub=1
#			;;
#		kysec_eperm=*)
#			kysec_eperm_in_grub=1
#			;;
#	esac
#done
#
#for mod in $SECURITY_LSM
#do
#	for i in $SECURITY
#	do
#		if [ "$mod" = "$i" ]; then
#			case "$i" in
#				"selinux")
#					#SE_FS_DIR=/sys/fs/selinux
#					#SE_ENFORCE_F=$SE_FS_DIR/enforce
#					SE_CONFIG_F=${rootmnt}/etc/selinux/config
#
#					# SELinux state cannot be changed by writing to the files under /sys/fs/selinux
#					#se_status=$(awk -F = '/selinux/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					#if [ -n $se_status ]; then
#					#	echo "se_status=$se_status"
#					#fi
#					#mount -t selinuxfs none $SE_FS_DIR
#					enforcing=$(awk -F = '/enforcing/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$enforcing" ]; then
#						#echo "enforcing=$enforcing"
#						# Set the SELinux enforcing value
#						#[ $enforcing_in_grub -eq 0 ] && \
#						#	echo $enforcing > $SE_ENFORCE_F
#						if [ "$enforcing_in_grub" -eq 0 ]; then
#							if [ "$enforcing" -eq 0 ]; then
#								sed -i /^SELINUX=/cSELINUX=permissive "$SE_CONFIG_F"
#							elif [ "$enforcing" -eq 1 ]; then
#								sed -i /^SELINUX=/cSELINUX=enforcing "$SE_CONFIG_F"
#							fi
#						fi
#					fi
#					break
#					;;
#				"kysec")
#					KYSEC_STATUS_DIR=$SECURITY_MNT_DIR/kysec
#					KYSEC_STATUS_F=$KYSEC_STATUS_DIR/status
#					KYSEC_EXECTL_F=$KYSEC_STATUS_DIR/exectl
#					KYSEC_NETCTL_F=$KYSEC_STATUS_DIR/netctl
#					KYSEC_FPRO_F=$KYSEC_STATUS_DIR/fpro
#					KYSEC_KMOD_F=$KYSEC_STATUS_DIR/kmod
#					KYSEC_3ADM_F=$KYSEC_STATUS_DIR/3adm
#					KYSEC_PPRO_F=$KYSEC_STATUS_DIR/ppro
#					KYSEC_DEVCTL_F=$KYSEC_STATUS_DIR/devctl
#					KYSEC_SM_F=$KYSEC_STATUS_DIR/sm
#					KYSEC_IPT_F=$KYSEC_STATUS_DIR/iptables
#					KYSEC_KID_F=$KYSEC_STATUS_DIR/kid
#					KYSEC_PBLK_F=$KYSEC_STATUS_DIR/pblk
#					KYSEC_EPERM_F=$KYSEC_STATUS_DIR/eperm_status
#
#					kysec_status=$(awk -F = '/kysec_status/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_status" ]; then
#						#echo "kysec_status=$kysec_status"
#						[ "$kysec_status_in_grub" -eq 0 ] && [ -e "$KYSEC_STATUS_F" ] && \
#							echo "$kysec_status" > "$KYSEC_STATUS_F"
#					fi
#
#					kysec_exectl=$(awk -F = '/kysec_exectl/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_exectl" ]; then
#						#echo "kysec_exectl=$kysec_exectl"
#						[ "$kysec_exectl_in_grub" -eq 0 ] && [ -e "$KYSEC_EXECTL_F" ] && \
#							echo "$kysec_exectl" > "$KYSEC_EXECTL_F"
#					fi
#
#					kysec_netctl=$(awk -F = '/kysec_netctl/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_netctl" ]; then
#						#echo "kysec_netctl=$kysec_netctl"
#						[ "$kysec_netctl_in_grub" -eq 0 ] && [ -e "$KYSEC_NETCTL_F" ] && \
#							echo "$kysec_netctl" > "$KYSEC_NETCTL_F"
#					fi
#
#					kysec_fpro=$(awk -F = '/kysec_fpro/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_fpro" ]; then
#						#echo "kysec_fpro=$kysec_fpro"
#						[ -e "$KYSEC_FPRO_F" ] && \
#							echo "$kysec_fpro" > "$KYSEC_FPRO_F"
#					fi
#
#					kysec_kmodpro=$(awk -F = '/kysec_kmodpro/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_kmodpro" ]; then
#						#echo "kysec_kmodpro=$kysec_kmodpro"
#						[ -e "$KYSEC_KMOD_F" ] && \
#							echo "$kysec_kmodpro" > "$KYSEC_KMOD_F"
#					fi
#
#					kysec_3adm=$(awk -F = '/kysec_3adm/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_3adm" ]; then
#						#echo "kysec_3adm=$kysec_3adm"
#						if [ "$kysec_3adm_in_grub" -eq 0 -a -e "$KYSEC_3ADM_F" ]; then
#							echo "$kysec_3adm" > "$KYSEC_3ADM_F"
#							echo "$kysec_3adm" > /.3adm
#						fi
#					fi
#
#					kysec_ppro=$(awk -F = '/kysec_ppro/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_ppro" ]; then
#						#echo "kysec_ppro=$kysec_ppro"
#						[ "$kysec_ppro_in_grub" -eq 0 ] && [ -e "$KYSEC_PPRO_F" ] && \
#							echo "$kysec_ppro" > "$KYSEC_PPRO_F"
#					fi
#
#					kysec_devctl=$(awk -F = '/kysec_devctl/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_devctl" ]; then
#						#echo "kysec_devctl=$kysec_devctl"
#						[ "$kysec_devctl_in_grub" -eq 0 ] && [ -e "$KYSEC_DEVCTL_F" ] && \
#							echo "$kysec_devctl" > "$KYSEC_DEVCTL_F"
#					fi
#
#					kysec_sm=$(awk -F = '/kysec_sm/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_sm" ]; then
#						#echo "kysec_sm=$kysec_sm"
#						[ "$kysec_sm_in_grub" -eq 0 ] && [ -e "$KYSEC_SM_F" ] && \
#							echo "$kysec_sm" > "$KYSEC_SM_F"
#					fi
#
#					kysec_ipt=$(awk -F = '/kysec_ipt/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_ipt" ]; then
#						#echo "kysec_ipt=$kysec_ipt"
#						[ "$kysec_ipt_in_grub" -eq 0 ] && [ -e "$KYSEC_IPT_F" ] && \
#							echo "$kysec_ipt" > "$KYSEC_IPT_F"
#					fi
#
#					kysec_kid=$(awk -F = '/kysec_kid/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_kid" ]; then
#						#echo "kysec_kid=$kysec_kid"
#						[ -e "$KYSEC_KID_F" ] && \
#							echo "$kysec_kid" > "$KYSEC_KID_F"
#					fi
#					
#					kysec_pblk=$(awk -F = '/kysec_pblk/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_pblk" ]; then
#						#echo "kysec_pblk=$kysec_pblk"
#						[ $kysec_pblk_in_grub -eq 0 ] && [ -e "$KYSEC_PBLK_F" ] && \
#							echo "$kysec_pblk" > "$KYSEC_PBLK_F"
#					fi
#
#					kysec_eperm=$(awk -F = '/kysec_eperm/&&/[0-9]$/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kysec_eperm" ]; then
#						#echo "kysec_eperm=$kysec_eperm"
#						[ $kysec_eperm_in_grub -eq 0 ] && [ -e "$KYSEC_EPERM_F" ] && \
#							echo "$kysec_eperm" > "$KYSEC_EPERM_F"
#					fi
#
#					break
#					;;
#				"kic")
#					KIC_STATUS_DIR=$SECURITY_MNT_DIR/kic
#					KIC_STATUS_F=$KIC_STATUS_DIR/status
#
#					kic_status=$(awk -F = '/kic_status/{gsub(" ", "", $0); print $2}' "$KYLIN_SECURITY_CONF")
#					if [ -n "$kic_status" ]; then
#						#echo "kic_status=$kic_status"
#						[ "$kic_status_in_grub" -eq 0 ] && [ -e "$KIC_STATUS_F" ] && \
#							echo "$kic_status" > "$KIC_STATUS_F"
#					fi
#					break
#					;;
#				#"apparmor")
#				#	# AppArmor state cannot be changed by writing to the files under /sys/kernel/security/apparmor
#				#	;;
#				#"box")
#				#	# box state cannot be changed by writing to the /sys/kernel/security/box/status file
#				#	break
#				#	;;
#			esac
#		fi
#	done
#done
#
#set_unnotify()
#{
#	if [ -f "$SECURITY_MNT_DIR/kysec/unnotify" ]; then
#		unnotify_wechat_path0="/.cxoffice/wechat/drive_c/users/crossover"
#		unnotify_wechat_path1="/文档/WeChat Files"
#		unnotify_wps_mime_path="/usr/share/mime"
#		unnotify_wps_icons_path="/usr/share/icons"
#		unnotify_wps_mui_path="/opt/kingsoft/wps-office/office6/mui"
#
#		if [ -d ${rootmnt}/data/root -a -d ${rootmnt}/data/home ]; then
#			root_inode=$(ls -di ${rootmnt}/root/ | awk '{print $1}')
#			data_root_inode=$(ls -di ${rootmnt}/data/root/ | awk '{print $1}')
#
#			if [ "x$root_inode" = "x$data_root_inode" ]; then
#				unnotify_path_users=$(ls -d ${rootmnt}/data/home/*)
#				unnotify_path_root="/data/root"
#			fi
#		else
#			unnotify_path_users=$(ls -d ${rootmnt}/home/*)
#			unnotify_path_root="/root"
#		fi
#
#		for path in $unnotify_path_users
#		do
#			if [ ! -e "$path/文档" -a -e "$path/Documents" ]; then
#				unnotify_wechat_path1="/Documents/WeChat Files"
#			fi
#			path_tmp0="$path$unnotify_wechat_path0"
#			path_tmp1="$path$unnotify_wechat_path1"
#			unnotify_path0="${path_tmp0#$rootmnt}"
#			unnotify_path1="${path_tmp1#$rootmnt}"
#			echo "$unnotify_path0" >> "$kysec_tmp/unnotify"
#			echo "$unnotify_path1" >> "$kysec_tmp/unnotify"
#		done
#		echo "$unnotify_path_root$unnotify_wechat_path0" >> "$kysec_tmp/unnotify"
#		echo "$unnotify_path_root$unnotify_wechat_path1" >> "$kysec_tmp/unnotify"
#		echo "$unnotify_wps_mime_path" >> "$kysec_tmp/unnotify"
#		echo "$unnotify_wps_icons_path" >> "$kysec_tmp/unnotify"
#		echo "$unnotify_wps_mui_path" >> "$kysec_tmp/unnotify"
#		cat "$kysec_tmp/unnotify" > "$SECURITY_MNT_DIR/kysec/unnotify"
#		rm -f "$kysec_tmp/unnotify"
#	fi
#}
#
#mount -o remount,rw ${ROOT} ${rootmnt}
#mount -t proc -o nodev,noexec,nosuid proc "$rootmnt/proc"
#mount -t sysfs -o nodev,noexec,nosuid sys "$rootmnt/sys"
#mount -t devtmpfs udev "$rootmnt/dev"
#
#chroot "${rootmnt}" /bin/mount -a
#
#ls -a ${rootmnt}/home/*/.box 2> /dev/null
#ls -a ${rootmnt}/root/.box 2> /dev/null
#
#[ -e ${rootmnt}/etc/kysec/box_extend.conf ] && [ -e $SECURITY_MNT_DIR/box/policy ] && \
#	cat ${rootmnt}/etc/kysec/box_extend.conf > $SECURITY_MNT_DIR/box/policy
#
#if [ "$(check_kid_support)" = "false" ]; then
#	set_unnotify
#fi
#
#umount "$rootmnt/dev"
#umount "$rootmnt/sys"
#umount "$rootmnt/proc"
