#!/bin/bash5 -e
#
# A control(8) script to modify the 'ima_appraise' kernel command
# line parameter in various system bootloader configuration files.
# Written in Bash 4.
#
# Copyright (C) 2023  Denis Medvedev.
# Copyright (C) 2024  Paul Wolneykien.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

source /etc/control.d/functions
source /usr/sbin/bootloader-utils.bash

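# Register the facility summary and the help text of every selectable mode
# with the control(8) helper functions sourced above.
new_summary "Set 'ima_appraise' and (in non-selinux case) 'lsm' Linux kernel command-line parameters"
new_help 'enforce' "Enforce IMA integrity check"
new_help 'fix' "IMA signature update mode"
new_help 'off' "Disable IMA integrity check"
new_help 'unspecified' "Remove the 'ima_appraise' option from the Linux kernel command-line"

# All arguments are joined into one string so that "help <mode>" can be
# matched by a single case pattern below.
REQUEST="$*"

# Security notes for operators and reviewers:
#  * The modes written here only change bootloader configuration; they take
#    effect on the next boot.
#  * 'fix' is a labelling/maintenance mode in the kernel (appraisal data is
#    updated instead of access being denied), so it is not a substitute for
#    'enforce' as a permanent setting.
#  * Depending on the kernel build and Secure Boot state the kernel may
#    ignore 'ima_appraise=' values other than 'enforce'; 'status' presumably
#    reports what is configured, not what the running kernel applies
#    -- TODO confirm against get_cmdline_all.
case "$REQUEST" in
    help|'help '*)
	# Strip the leading "help" keyword; the remainder (possibly empty)
	# selects the mode to describe.
	control_help "${REQUEST#help}"
	;;
    list)
	control_list
	;;
    summary)
	control_summary
	;;
    status)
	# Print the configured value; when get_cmdline_all fails (presumably
	# because the parameter is absent) report 'unspecified' instead.
	if ! get_cmdline_all 'ima_appraise'; then
	    echo 'unspecified'
	fi
	;;
    enforce|fix|off|unspecified)
	# Step 1: write or remove the 'ima_appraise' parameter itself.
	if [[ $REQUEST == unspecified ]]; then
	    del_cmdline_all 'ima_appraise'
	else
	    set_cmdline_all 'ima_appraise' "$REQUEST"
	fi

	# Step 2: only when no 'selinux' parameter is configured, keep the
	# 'integrity' entry of 'lsm' in sync with the chosen mode.
	# The status branch shows that get_cmdline_all prints the value it
	# finds, so its output is discarded here: a mode change must not
	# emit a stray 'selinux' value on stdout.
	# NOTE(review): this tests for presence only -- presumably a
	# configured 'selinux=0' also counts as the "selinux case" and
	# leaves 'lsm' untouched; confirm that this is intended.
	# NOTE(review): confirm that set_cmdline_all adds 'integrity' to an
	# existing 'lsm=' list rather than replacing it; a replacement would
	# silently drop the other LSMs from the boot configuration.
	if ! get_cmdline_all 'selinux' >/dev/null; then
	    case "$REQUEST" in
		enforce|fix)
		    set_cmdline_all 'lsm' 'integrity'
		    ;;
		off|unspecified)
		    del_cmdline_all 'lsm' 'integrity'
		    ;;
	    esac
	fi

	# Step 3: apply the modified boot configuration unless the caller
	# set SKIP_APPLY to a non-empty value other than 0.
	if [[ -z $SKIP_APPLY || $SKIP_APPLY == 0 ]]; then
	    apply_bootconf
	fi
	;;
    *)
	# Unknown request: report on stderr and fail so callers can detect
	# that nothing was changed.
	printf '%s: %s\n' "${0##*/}" "Invalid mode: $REQUEST" >&2
	exit 1
	;;
esac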
