#! /bin/bash
#
# Policy Loader.
#
# Copyright (C) 2005-2007  NTT DATA CORPORATION
#
# Version: 2.1.0-rc3 2007/09/18
#
# This program is executed automatically by kernel
# when execution of /sbin/init is requested by initrd.
#

PROC_POLICY_DIR=/proc/tomoyo/
DISK_POLICY_DIR=/etc/tomoyo/
PROFILE=""
TOMOYO_NOLOAD=0
TOMOYO_QUIET=0

REAL_INIT=/sbin/init
PROC_UNMOUNT=0
SYS_UNMOUNT=0
SECURITY_UNMOUNT=0

exec 0< /dev/console
exec 1> /dev/console
exec 2> /dev/console

if [ ! -d /proc/self/ ]; then
	mount -nt proc none /proc && PROC_UNMOUNT=1
fi

if [ ! -d /sys/kernel/ ]; then
	grep -q sysfs /proc/filesystems && mount -nt sysfs none /sys && SYS_UNMOUNT=1
fi

if [ ! -d /sys/kernel/security/tomoyo/ ]; then
	grep -q securityfs /proc/filesystems && mount -nt securityfs none /sys/kernel/security && SECURITY_UNMOUNT=1
fi

if [ -d /sys/kernel/security/tomoyo/ ]; then
	PROC_POLICY_DIR=/sys/kernel/security/tomoyo/
fi

if [ ! -d $PROC_POLICY_DIR ]; then
	[ $SECURITY_UNMOUNT == 1 ] && umount -n /sys/kernel/security
	[ $SYS_UNMOUNT == 1 ] && umount -n /sys
	[ $PROC_UNMOUNT == 1 ] && umount -n /proc
	[ $$ == 1 ] && exec $REAL_INIT "$@"
	echo "You can't run this program for this kernel."
	exit 1
fi

for i in `cat /proc/cmdline`
  do
  case $i in
	  (CCS=default)
	  PROFILE="default"
	  ;;
	  (CCS=disabled)
	  PROFILE="disable"
	  ;;
	  (CCS=boottest)
	  PROFILE="boottest"
	  ;;
	  (CCS=*)
	  PROFILE=`echo $i | cut -b 5-`
	  [ -r $DISK_POLICY_DIR/profile-$PROFILE.conf ] || PROFILE=""
	  ;;
	  (TOMOYO_NOLOAD)
	  TOMOYO_NOLOAD=1
	  ;;
	  (TOMOYO_QUIET)
	  TOMOYO_QUIET=1
	  ;;
  esac
done

if [ "x$PROFILE" == "x" ]; then
	TMOUT=10
	while :
	  do
	  echo "TOMOYO Linux: Enter 'disable' within $TMOUT seconds to disable TOMOYO Linux."
	  PROFILE=""
	  read -p "TOMOYO Linux> " PROFILE
	  [ "x$PROFILE" == "x" ] && PROFILE="default"
	  [ "x$PROFILE" == "xdefault" ] && break
	  [ "x$PROFILE" == "xdisable" ] && break
	  [ "x$PROFILE" == "xboottest" ] && break
	  [ -r $DISK_POLICY_DIR/profile-$PROFILE.conf ] && break
	  [ "x$PROFILE" == "xTOMOYO_NOLOAD" ] && TOMOYO_NOLOAD=1
	  [ "x$PROFILE" == "xTOMOYO_QUIET" ] && TOMOYO_QUIET=1
	done
fi

[ -r $DISK_POLICY_DIR/manager.conf ] && cat $DISK_POLICY_DIR/manager.conf > $PROC_POLICY_DIR/manager
[ -r $DISK_POLICY_DIR/system_policy.conf ] && cat $DISK_POLICY_DIR/system_policy.conf > $PROC_POLICY_DIR/system_policy
[ -r $DISK_POLICY_DIR/exception_policy.conf ] && cat $DISK_POLICY_DIR/exception_policy.conf > $PROC_POLICY_DIR/exception_policy
[ $TOMOYO_NOLOAD == 0 ] && [ -r $DISK_POLICY_DIR/domain_policy.conf ] && cat $DISK_POLICY_DIR/domain_policy.conf > $PROC_POLICY_DIR/domain_policy

if [ -r $DISK_POLICY_DIR/profile-$PROFILE.conf ]; then
	cat $DISK_POLICY_DIR/profile-$PROFILE.conf > $PROC_POLICY_DIR/profile
fi
if [ "x$PROFILE" == "xdefault" ]; then
	[ -r $DISK_POLICY_DIR/profile.conf ] && cat $DISK_POLICY_DIR/profile.conf > $PROC_POLICY_DIR/profile
fi
if [ "x$PROFILE" == "xdisable" ]; then
	for i in `seq 0 255`; do echo $i-COMMENT= > $PROC_POLICY_DIR/profile; done
	grep -vF -- -COMMENT= $PROC_POLICY_DIR/profile | sed -e 's/[0-9]*$/0/' > $PROC_POLICY_DIR/profile
fi
if [ "x$PROFILE" == "xboottest" ]; then
	echo '0-MAC_FOR_CAPABILITY::=0' > $PROC_POLICY_DIR/profile
fi
if [ $TOMOYO_QUIET == 1 ]; then
	grep -F TOMOYO_VERBOSE $PROC_POLICY_DIR/profile | sed -e 's/[0-9]*$/0/' > $PROC_POLICY_DIR/profile
fi

awk ' BEGIN { domain=0; acl=0; } { if ( $1 == "<kernel>" ) domain++; else if ( $1 != "" && $1 != "use_profile") acl++; } END { print domain " domains. " acl " ACL entries."; } ' $PROC_POLICY_DIR/domain_policy
awk ' BEGIN { shared_mem=0; private_mem=0; } { if ( $1 == "Shared:" ) shared_mem = $NF / 1024; else if ( $1 == "Private:" ) private_mem = $NF / 1024; } END { print shared_mem " KB shared. " private_mem " KB private."; } ' $PROC_POLICY_DIR/meminfo

# [ $SECURITY_UNMOUNT == 1 ] && umount -n /sys/kernel/security
# [ $SYS_UNMOUNT == 1 ] && umount -n /sys
[ $PROC_UNMOUNT == 1 ] && umount -n /proc
[ $$ == 1 ] && exec $REAL_INIT "$@"
exit 1
