#!/bin/sh -efu

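# The shebang options (-e exit on error, -f no globbing, -u error on unset
# variables) are dropped when the script is started as "sh <script>", so they
# are set again here; repeating them is harmless when the shebang is honoured.
set -efu

# Syslog facility for every message sent through logger.
FACILITY=user
# Script name without its directory part; used as the stderr prefix, the
# syslog tag and the temp-directory prefix.
PROG="${0##*/}"

# Directory searched for per-VM *.conf files.
VM_DIR=/etc/pve/qemu-server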

# info MESSAGE...
# Emit an informational message twice: on stderr, prefixed with the script
# name, and to syslog at priority "$FACILITY.info" under the tag "$PROG".
# Returns the exit status of logger.
info() {
    echo "[${PROG}]: $*" 1>&2
    logger -t "${PROG}" -p "${FACILITY}.info" "$*"
}

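# alert MESSAGE...
# Report a security-relevant failure: print the message to stderr with the
# script name as prefix and send it to syslog at priority "$FACILITY.alert"
# under the tag "$PROG".
# Always returns 0. Reporting is best effort: the script runs with -e, and a
# failing logger (or a closed stderr) must not abort the caller before it has
# carried out the lockdown it is announcing.
alert() {
    echo "[$PROG]: $*" >&2 || :
    logger -t "$PROG" -p "$FACILITY.alert" "$*" || :
}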

# Delete the scratch directory named by $workdir together with everything in
# it. Installed as the EXIT trap, so it runs on every exit path.
cleanup() {
    rm -r -f "$workdir"
}

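# Private scratch directory for the VM lists, created by mktemp itself rather
# than under a predictable name. The template is quoted so that a script name
# containing whitespace cannot split into extra mktemp arguments.
workdir="$(mktemp -d --tmpdir "$PROG.XXXX")"
# Remove the scratch directory on every exit path.
trap cleanup EXIT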

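# Decide from the integrity report on standard input (grep is given no file
# operand) whether SeaBIOS was modified: a line matching
# "-<whitespace>/usr/share/seabios" counts as an integrity failure.
# NOTE(review): presumably the caller pipes a file-integrity report into this
# script -- confirm the report format against that caller.
report_rc=0
grep -q -e '-[[:space:]]\+/usr/share/seabios' || report_rc=$?

if [ "$report_rc" -eq 1 ]; then
    # grep read the report and found no matching line.
    info "Seabios integrity OK"
elif [ "$report_rc" -ne 0 ]; then
    # grep itself failed (status 2 or higher), so nothing is known about the
    # report. Announcing "OK" here would be a false assurance.
    alert "Seabios integrity report could not be read (grep exit status $report_rc)" || :
    exit "$report_rc"
else
    # "|| :" keeps a logging failure from aborting the lockdown under -e.
    alert "Seabios integrity failure! Locking down all VMs that use seabios..." || :

    [ -d "$VM_DIR" ] || exit 0

    # Every VM configuration file directly inside $VM_DIR.
    find -L "$VM_DIR" -mindepth 1 -maxdepth 1 \
        ! -type d -name '*.conf' |
        sort -u >"$workdir/all.list"

    # The subset that selects OVMF firmware. Only a "bios:" line counts: a
    # bare substring match on "ovmf" would also hit descriptions or volume
    # names and wrongly exempt a SeaBIOS VM from the lockdown.
    # NOTE(review): a "bios: ovmf" line in a later section of the file (for
    # example a snapshot) still matches -- confirm whether only the current
    # configuration should count.
    find -L "$VM_DIR" -mindepth 1 -maxdepth 1 \
        ! -type d -name '*.conf' \
        -exec grep -l -e '^bios:[[:space:]]*ovmf' '{}' + |
        sort -u >"$workdir/ovmf.list"

    # Configurations present in all.list but not in ovmf.list are treated as
    # SeaBIOS users. Both lists were sorted the same way, as comm requires.
    comm -23 "$workdir/all.list" "$workdir/ovmf.list" |
        while IFS= read -r f; do
            # /path/to/<name>.conf -> <name>
            vm="${f##*/}"
            vm="${vm%.conf}"
            # stdin is redirected so qm cannot consume the rest of the list.
            # As before, "qm block" is attempted only after a successful stop,
            # and one failing VM does not end the loop; the outcome is now
            # logged per VM instead of being discarded.
            if qm stop "$vm" </dev/null && qm block "$vm" </dev/null; then
                info "VM $vm stopped and blocked" || :
            else
                alert "Failed to stop and block VM $vm" || :
            fi
        done
fi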
