#!/bin/sh

# Script to concatenate rules files found in a base fapolicyd rules directory
# to form a single /etc/fapolicyd/compiled.rules file suitable for loading
# into the daemon

# When forming the interim rules file, both empty lines and comment
# lines (starting with # or <whitespace>#) are stripped as the source files
# are processed.
#
# Having formed the interim rules file, the script checks if the file is empty
# or is identical to the existing /etc/fapolicyd/compiled.rules and if either
# of these cases are true, it does not replace the existing file.
#

# Variables
#
# DestinationFile:
#   Destination rules file
# SourceRulesDir:
#   Directory location to find component rule files
# TmpRules:
#   Temporary interim rules file
# ASuffix:
#   Suffix for previous fapolicyd.rules file if this script replaces it.
#   The file is left in the destination directory with suffix with $ASuffix

OldDestinationFile=/etc/fapolicyd/fapolicyd.rules
DestinationFile=/etc/fapolicyd/compiled.rules
SourceRulesDir=/etc/fapolicyd/rules.d
TmpRules=$(mktemp /tmp/farules.XXXXXXXX)
ASuffix="prev"
OnlyCheck=0
LoadRules=0
RETVAL=0
usage="Usage: $0 [--check|--load]"

# Delete the interim file on faults
trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15

try_load() {
	pid=`pidof fapolicyd`
	if [ $LoadRules -eq 1 ] && [ "x$pid" != "x" ] ; then
		kill -HUP $pid
		RETVAL=$?
	fi
}

while [ $# -ge 1 ]
do
	if [ "$1" = "--check" ] ; then
		OnlyCheck=1
	elif [ "$1" = "--load" ] ; then
		LoadRules=1
	else
		echo "$usage"
		exit 1
	fi
	shift
done

# Check environment
if [ ! -d ${SourceRulesDir} ]; then
	echo "$0: No rules directory - ${SourceRulesDir}"
	rm -f ${TmpRules}
	try_load
	exit 1
fi

files=`ls ${SourceRulesDir} 2>/dev/null | wc -w`
if [ $files -eq 0 ] ; then
	echo "No rules in ${SourceRulesDir}"
	rm -f ${TmpRules}
	# won't call this an error as they may not have migrated
	exit 0
elif [ -e ${OldDestinationFile} ] ; then
	echo "Error - both old and new rules exist. Delete one or the other"
	rm -f ${TmpRules}
	exit 1
fi

# Create the interim rules file ensuring its access modes protect it
# from normal users and strip empty lines and comment lines.
umask 0137
echo "## This file is automatically generated from $SourceRulesDir" >> ${TmpRules}
for rules in $(/bin/ls -1v ${SourceRulesDir} | grep "\.rules$") ; do
	cat ${SourceRulesDir}/${rules}
done | awk '
BEGIN   {
        rest = 0;
} {
        if (length($0) < 1) { next; }
        if (match($0, "^\\s*#")) { next; }
        rules[rest++] = $0;
}
END     {
        for (i = 0; i < rest; i++) { printf "%s\n", rules[i]; }
}' >> ${TmpRules}

# If the same then quit
cmp -s ${TmpRules} ${DestinationFile} > /dev/null 2>&1
if [ $? -eq 0 ]; then
	echo "$0: No change"
	rm -f ${TmpRules}
	try_load
	exit $RETVAL
elif [ $OnlyCheck -eq 1 ] ; then
	echo "$0: Rules have changed and should be updated"
	rm -f ${TmpRules}
	exit 0
fi

# Otherwise we install the new file
if [ -f ${DestinationFile} ]; then
	cp ${DestinationFile} ${DestinationFile}.${ASuffix}
fi

# We copy the file so that it gets the right selinux label
cp ${TmpRules} ${DestinationFile}
chmod 0640 ${DestinationFile}

# Restore context on MLS system.
# /tmp is SystemLow & fapolicyd.rules is SystemHigh
if [ -x /usr/sbin/restorecon ] ; then
	/usr/sbin/restorecon -F ${DestinationFile}
fi
rm -f ${TmpRules}

try_load
exit $RETVAL
