#!/bin/sh

. /etc/control.d/functions

# Mount point this control manages and the file whose entry it edits.
FSPART='/tmp'
CONFIG='/etc/fstab'

new_summary "Mounted $FSPART partition security"

new_help exec   "Enable executable bit on separate $FSPART"
new_help noexec "Disable executable bit on separate $FSPART"


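# Print the last uncommented $CONFIG entry whose mount point (2nd column)
# is exactly $FSPART; print nothing when there is none or $CONFIG cannot
# be read. Matching the mount-point column, rather than "$FSPART" between
# any two blanks on the line, keeps an entry that merely mentions $FSPART
# elsewhere (e.g. a bind mount "/tmp /var/tmp none bind") from being picked
# as the $FSPART entry and then edited or remounted by mistake.
get_fstab_line() {
	[ -r "$CONFIG" ] || return 0
	awk -v want="$FSPART" '
		$1 !~ /^#/ && $2 == want { line = $0 }
		END { if (line != "") print line }
	' "$CONFIG"
}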

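# Classify one fstab-style line: print "undefined" for an empty line,
# "noexec" when the options column (4th field) contains the noexec option,
# and "exec" otherwise. Only the options column is inspected, so the text
# "noexec" inside a device label or path is not taken for the option.
# /proc/mounts lines use the same column layout and can be passed as well.
get_fstab_status() {
	local partline="$1"

	if [ -z "$partline" ]; then
		echo "undefined"
		return 0
	fi
	if printf '%s\n' "$partline" |
		awk '{ n = split($4, opt, ","); for (i = 1; i <= n; i++) if (opt[i] == "noexec") exit 0; exit 1 }'
	then
		echo "noexec"
	else
		echo "exec"
	fi
}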

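# Rewrite the options column (4th field) of the one fstab-style line read
# from stdin: every "exec"/"noexec" option is dropped and, when $1 is
# "noexec", "noexec" is put first. A column that would end up empty becomes
# "defaults" (and a bare "defaults" becomes just "noexec"), so the line
# always keeps its six columns. Only the options column changes; the other
# columns and the original whitespace between them are printed unchanged.
# A line with fewer than four columns is printed as-is.
rewrite_fstab_options() {
	awk -v want="$1" '
		{
			n = split($4, opt, ",")
			rest = ""
			for (i = 1; i <= n; i++) {
				if (opt[i] == "" || opt[i] == "exec" || opt[i] == "noexec")
					continue
				rest = (rest == "") ? opt[i] : rest "," opt[i]
			}
			if (want == "noexec")
				out = (rest == "" || rest == "defaults") ? "noexec" : "noexec," rest
			else
				out = (rest == "") ? "defaults" : rest
			# Splice the new column in right after the third one so the
			# original separators survive.
			if (match($0, /^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+/)) {
				head = substr($0, 1, RLENGTH)
				tail = substr($0, RLENGTH + 1)
				sub(/^[^ \t]+/, "", tail)
				print head out tail
			} else {
				print
			}
		}'
}

# Replace every line of $CONFIG that is byte-for-byte equal to $1 with $2.
# Lines are compared as whole strings, never as a regex, so ".", "\040",
# "&" or "|" in the entry cannot alter the match, and a commented-out copy
# of the entry (#/dev/... /tmp ...) is never the line that gets edited.
# The result is written to a temp file carrying $CONFIG's mode and renamed
# into place, so a failure part-way never leaves a truncated fstab.
# Returns non-zero on any failure.
replace_fstab_line() {
	local tmp=
	tmp="$(mktemp -- "$CONFIG.XXXXXX")" || return 1
	# Values are passed through the environment rather than awk -v, because
	# -v interprets backslash escapes and would corrupt "\040" in a line.
	if cp -p -- "$CONFIG" "$tmp" &&
	   OLD_LINE="$1" NEW_LINE="$2" awk '
			($0 "") == (ENVIRON["OLD_LINE"] "") { print ENVIRON["NEW_LINE"]; next }
			{ print }
		' "$CONFIG" >"$tmp" &&
	   mv -f -- "$tmp" "$CONFIG"
	then
		return 0
	fi
	rm -f -- "$tmp"
	return 1
}

# Make $FSPART "exec" or "noexec" ($1) both in $CONFIG and on the live
# mount. The fstab entry is rewritten only when its current state differs
# from $1; the filesystem is remounted only when /proc/mounts disagrees
# with $1. A missing fstab entry, a failed rewrite or a failed remount all
# end in exit 1, but the remount is still attempted when the fstab part
# fails, so the running system is fixed even if the file could not be.
set_fstab_status() {
	local newbit="$1"
	local from= to= err= currbit= mounted= mntstate=

	from="$(get_fstab_line)"
	if [ -z "$from" ]; then
		err=1
	else
		currbit="$(get_fstab_status "$from")"
		if [ "$newbit" != "$currbit" ]; then
			to="$(printf '%s\n' "$from" | rewrite_fstab_options "$newbit")"
			if [ -n "$to" ] && [ "$to" != "$from" ]; then
				replace_fstab_line "$from" "$to" || err=1
			else
				# Entry too malformed to rewrite (fewer than four columns).
				err=1
			fi
		fi
	fi

	# Live state: last /proc/mounts entry whose mount point is $FSPART.
	if [ -r /proc/mounts ]; then
		mounted="$(awk -v want="$FSPART" '$2 == want { line = $0 } END { if (line != "") print line }' /proc/mounts)"
	fi
	if [ -n "$mounted" ]; then
		mntstate="$(get_fstab_status "$mounted")"
		if [ "$newbit" = "noexec" ] && [ "$mntstate" = "exec" ]; then
			mount -o remount,noexec -- "$FSPART" || err=1
		elif [ "$newbit" = "exec" ] && [ "$mntstate" = "noexec" ]; then
			mount -o remount,exec -- "$FSPART" || err=1
		fi
	fi

	[ -z "$err" ] || exit 1
}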

# Dispatch one control request. Recognised requests are "help" (optionally
# followed by a topic), "list", "summary", "status" (also the empty
# request) and the two states "exec"/"noexec"; anything else exits 1.
control_fstab() {
	local request="$*"

	case "$request" in
		status|'')
			get_fstab_status "$(get_fstab_line)"
			;;
		exec|noexec)
			set_fstab_status "$request"
			;;
		help|'help '*)
			control_help "${request##help}"
			;;
		list)
			control_list
			;;
		summary)
			control_summary
			;;
		*)
			exit 1
			;;
	esac
}

# Entry point: the request arrives as positional parameters and is joined
# into a single word before dispatch.
control_fstab "$*"
