#!/bin/sh

# Backend settings, assigned before alterator-sh-functions is sourced below.
# NOTE(review): presumably both are read by that library (translation domain
# and backend API level) — confirm against alterator-sh-functions.
alterator_api_version=1
po_domain='alterator-secsetup'

. alterator-sh-functions

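# Probe once, at backend start-up, whether the AltHa LSM exposes its sysctl
# tree: "Yes" when `sysctl kernel.altha` succeeds, "No" otherwise.
# The redirection is written as `>/dev/null 2>&1` because the script runs
# under #!/bin/sh: the bash-only `&>` form is parsed by a strict POSIX shell
# as "run in background, then redirect", and the probe then always reports
# "Yes" regardless of whether the module is present.
if /sbin/sysctl kernel.altha >/dev/null 2>&1; then
  altha=Yes
else
  altha=No
fi

# Absolute path of the `control` utility used for the tcb-hash-prefix
# setting; an absolute path keeps this root-run backend independent of PATH.
CONTROL_PATH=/usr/sbin/control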

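# Print "on" when the sysctl key $1 currently reads exactly 1, else "off".
# A key that cannot be read therefore reports "off".
_secsetup_switch_state() {
  if [ "$(/sbin/sysctl -n "$1")" = 1 ]; then
    echo on
  else
    echo off
  fi
}

# Apply an alterator checkbox value ($2) to the boolean sysctl key $1.
# Only "#t"/"on" and "#f" are acted on; any other value, including an absent
# parameter, leaves the key unchanged.
_secsetup_apply_switch() {
  case "$2" in
    "#t"|"on") /sbin/sysctl "$1=1" ;;
    "#f") /sbin/sysctl "$1=0" ;;
  esac
}

# Persist the live kernel.altha.* values so they are re-applied at boot.
# The dump goes to a temporary file first and is renamed over the target only
# when sysctl succeeded and produced output: redirecting straight into the
# target truncates it before sysctl runs, so a failed dump would silently
# drop the saved hardening settings.
# Returns 0 when the file was replaced, 1 otherwise.
# NOTE(review): /lib/sysctl.d is normally the vendor/package directory and
# files in /etc/sysctl.d take precedence over it — confirm the location.
_secsetup_save_altha() {
  local conf=/lib/sysctl.d/secsetup.conf
  local tmp

  # The temporary name does not end in ".conf", so a leftover would not be
  # picked up by loaders that match *.conf.
  tmp="$(mktemp "$conf.XXXXXX")" || return 1
  if /sbin/sysctl kernel.altha 2>/dev/null >"$tmp" && [ -s "$tmp" ]; then
    # mktemp creates the file 0600; use the usual mode for sysctl.d drop-ins.
    chmod 0644 "$tmp" && mv -f "$tmp" "$conf" && return 0
  fi
  rm -f "$tmp"
  return 1
}

# Alterator backend entry point: serve one request selected by $in_action.
#   read  - report the current state of the security switches
#   write - apply the values received in the $in_* parameters
#   list  - nothing to report
# Globals read: in_action, in_altha_*, in_macrosblock, in_enable_gost,
#               altha, CONTROL_PATH
# All expansions are quoted and tests use the POSIX `=` operator, so empty or
# multi-word command output can no longer break a test or shift the
# arguments handed to write_*_param.
on_message() {
  local gost

  case "$in_action" in
    read)
        # Macros block
        # NOTE(review): this is reported as "chblk", while the write branch
        # reads $in_macrosblock, and "integis" has no write counterpart —
        # confirm against the UI form.
        if /sbin/systemctl --quiet is-enabled macrosblock >/dev/null; then
            write_bool_param chblk on
        else
            write_bool_param chblk off
        fi

        if [ -e "/sbin/integalert" ]; then
            write_bool_param integis on
        else
            write_bool_param integis off
        fi

        # "1" when the tcb hash prefix is gost_yescrypt, "0" for any other
        # answer, including no answer at all.
        if [ "$("$CONTROL_PATH" 'tcb-hash-prefix')" = 'gost_yescrypt' ]; then
            gost=1
        else
            gost=0
        fi
        write_bool_param enable_gost "$gost"

        # LSM module AltHa (Alt Hardening)
        write_bool_param altha "$altha"
        if [ "$altha" = "Yes" ]; then
            # switchers
            write_bool_param altha_nosuid "$(_secsetup_switch_state kernel.altha.nosuid.enabled)"
            write_bool_param altha_rstrscript "$(_secsetup_switch_state kernel.altha.rstrscript.enabled)"
            write_bool_param altha_olock "$(_secsetup_switch_state kernel.altha.olock.enabled)"
            # settings: quoted so that an empty list is still passed as a
            # value and the list is never word-split or glob-expanded
            write_string_param altha_nosuid_exceptions "$(/sbin/sysctl -n kernel.altha.nosuid.exceptions)"
            write_string_param altha_rstrscript_interpreters "$(/sbin/sysctl -n kernel.altha.rstrscript.interpreters)"
            write_string_param altha_olock_dirs "$(/sbin/sysctl -n kernel.altha.olock.dirs)"
        fi
        ;;
    write)
        if [ "$altha" = "Yes" ]; then
            # NOTE(review): sysctl prints "key = value" on stdout when it
            # sets a key — confirm the alterator message channel tolerates
            # that output.
            _secsetup_apply_switch kernel.altha.nosuid.enabled "$in_altha_nosuid"
            _secsetup_apply_switch kernel.altha.rstrscript.enabled "$in_altha_rstrscript"
            _secsetup_apply_switch kernel.altha.olock.enabled "$in_altha_olock"

            # Each list reaches sysctl as a single quoted argument, so the
            # shell never evaluates the received text.
            # NOTE(review): the lists are written unconditionally, so a
            # request that omits one of these parameters clears that list —
            # confirm the frontend always sends all three.
            /sbin/sysctl kernel.altha.nosuid.exceptions="$in_altha_nosuid_exceptions"
            /sbin/sysctl kernel.altha.rstrscript.interpreters="$in_altha_rstrscript_interpreters"
            /sbin/sysctl kernel.altha.olock.dirs="$in_altha_olock_dirs"

            # save config
            _secsetup_save_altha
        fi

        case "$in_macrosblock" in
            "#t"|"on") /sbin/systemctl --now enable macrosblock ;;
            "#f") /sbin/systemctl --now disable macrosblock ;;
        esac

        case "$in_enable_gost" in
            "#t"|"on") "$CONTROL_PATH" 'tcb-hash-prefix' 'gost_yescrypt' ;;
            "#f") "$CONTROL_PATH" 'tcb-hash-prefix' 'default' ;;
        esac
        ;;
    list)
        ;;
  esac
}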

# Start the request loop. message_loop is not defined in this file;
# presumably it comes from alterator-sh-functions and calls on_message for
# each incoming request — confirm.
message_loop
