#!/bin/sh
# Kludge to control hardening in wget.

# shellcheck source=/dev/null
. /etc/control.d/functions

# Clear the group/other write bits on everything this script creates
# (the flag directory and the flag file).
umask 022

# Program being controlled and the location of its mode flag file.
PROG='wget'
FLAGDIR='/var/lib/control'
FLAGFILE="${FLAGDIR}/${PROG}"

# Describe each selectable mode and the facility as a whole.
# new_help/new_summary are not defined in this file; presumably they come
# from the sourced /etc/control.d/functions.
new_help hardened   "Seccomp in ${PROG} will actively SIGKILL misbehaving process"
new_help restrict   "Seccomp in ${PROG} will restrict bad operations with ENOSYS"
new_help unconfined "Capability drop and seccomp in ${PROG} is disabled"
new_summary "Control hardening in ${PROG}"

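# Print the current hardening mode on stdout.
#
# Globals:  FLAGFILE (read)
# Outputs:  the contents of $FLAGFILE verbatim when it is non-empty (the
#           text is not checked against the known mode names); otherwise
#           'unconfined' if an empty flag file exists, or 'restricted' if
#           there is no flag file at all.
# Returns:  status of the command that produced the output.
show_mode() {
	if [ -s "$FLAGFILE" ]; then
		cat <"$FLAGFILE"
		return
	fi
	# Backward compatibility mode: an empty flag file is reported as
	# hardening disabled, a missing one as the legacy restricted state.
	# NOTE(review): 'restricted' is not one of the mode names accepted by
	# the request dispatcher (hardened|restrict|unconfined), so a status
	# captured in this state cannot be passed back in as a mode. Confirm
	# which mode wget applies without a flag file before renaming it.
	#
	# Explicit if/else instead of `A && B || C`, so the second branch can
	# never run merely because the first echo failed.
	if [ -f "$FLAGFILE" ]; then
		echo 'unconfined'
	else
		echo 'restricted'
	fi
}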

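# Record the requested hardening mode in the flag file.
#
# The new content is written to "$FLAGFILE~new" and then renamed over
# $FLAGFILE, so a reader never sees a partially written file.
#
# Globals:   FLAGDIR, FLAGFILE (read)
# Arguments: $1 - mode name; written as-is, the caller is expected to have
#                 validated it (the dispatcher passes only known names)
# Returns:   0 on success, non-zero if the directory, the temporary file
#            or the rename failed; the previous flag file is then kept.
set_mode() {
	mkdir -p "$FLAGDIR" || return
	# The redirection creates the temporary file before printf writes to
	# it. If the write fails (e.g. no space left) the file may be empty,
	# and show_mode reports an empty flag file as 'unconfined' - presumably
	# wget reads it the same way (confirm). Never install such a file: a
	# failed write must not silently turn hardening off.
	if ! printf '%s\n' "$1" > "$FLAGFILE~new"; then
		rm -f "$FLAGFILE~new"
		return 1
	fi
	mv "$FLAGFILE~new" "$FLAGFILE"
}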

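# From here on, expanding an unset variable is an error.
set -u
# The whole command line is matched as one string (arguments joined by the
# first character of IFS), so only an exact mode name selects a mode.
REQUEST="$*"
case "$REQUEST" in
	help|'help '*) control_help "${REQUEST#help}" ;;
	list) control_list ;;
	summary) control_summary ;;
	status) show_mode ;;
	# Only these three literal strings can ever reach the flag file.
	hardened|restrict|unconfined) set_mode "$REQUEST" ;;
	*)
		# printf '%s' prints the rejected text literally; some sh
		# implementations of echo would interpret backslash escapes
		# contained in the caller-supplied arguments.
		printf >&2 '%s\n' "Invalid mode: $*"
		exit 1
		;;
esac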
