projects / busybox-power / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5205482)
add proper support for (un)installation in Harmattan (patched) Open Mode
authorDennis Groenen <tj.groenen@gmail.com>
Tue, 23 Oct 2012 20:02:07 +0000 (22:02 +0200)
committerDennis Groenen <tj.groenen@gmail.com>
Tue, 23 Oct 2012 20:02:07 +0000 (22:02 +0200)
debian/busybox-power.postinst patch | blob | history
debian/busybox-power.prerm patch | blob | history
debian/scripts/functions patch | blob | history

diff --git a/debian/busybox-power.postinst b/debian/busybox-power.postinst
index 3b59eb9..65637f3 100644 (file)
--- a/debian/busybox-power.postinst
+++ b/debian/busybox-power.postinst
@@ -78,7 +78,6 @@ INSTALL() {
         TMPHASHBAK=`$EXECPWR mktemp`
         TMPBINBAK=`$EXECPWR mktemp`
         ORIGINCHECK=`GETORIGINCHECK_STATUS`
-        DEVICEMODE=`GETDEVICEMODE`
  
         # Useful information for Harmattan-based devices
         ECHO_VERBOSE "refhashlist backup: $TMPHASHBAK"
@@ -89,8 +88,8 @@ INSTALL() {
         ECHO_VERBOSE "origincheck: $ORIGINCHECK"
 
         if test $ORIGINCHECK -eq 1; then
-          /usr/sbin/aegisctl -s > /dev/null || exit 1; fi
+          SETORIGINCHECK_STATUS 0; fi
+
         $EXECPWR cp -a /bin/busybox $TMPBINBAK || exit 1
         $EXECPWR cp -a /var/lib/aegis/refhashlist $TMPHASHBAK || exit 1
         $EXECPWR cp -af $EXECPWR /bin/busybox || ROLLBACK_HARMATTAN
@@ -98,10 +97,8 @@ INSTALL() {
         /usr/bin/accli -c tcb-sign -F /var/lib/aegis/refhashlist < /var/lib/aegis/refhashlist || ROLLBACK_HARMATTAN
         /usr/sbin/validator-init
 
-        # We can't determine whether aegis is neutered in Open Mode or not, so
-        # simply don't re-enable any security options except for in Closed Mode
-        if test $DEVICEMODE != "open" -a $ORIGINCHECK -eq 1; then
-          /usr/sbin/aegisctl +s > /dev/null; fi
+        if test $ORIGINCHECK -eq 1; then
+          SETORIGINCHECK_STATUS 1; fi
 
         $EXECPWR rm $TMPBINBAK
         $EXECPWR rm $TMPHASHBAK
diff --git a/debian/busybox-power.prerm b/debian/busybox-power.prerm
index 0e540ca..3659037 100644 (file)
--- a/debian/busybox-power.prerm
+++ b/debian/busybox-power.prerm
@@ -167,7 +167,6 @@ UNINSTALL() {
         TMPHASHBAK=`$EXECPWR mktemp`
         TMPBINBAK=`$EXECPWR mktemp`
         ORIGINCHECK=`GETORIGINCHECK_STATUS`
-        DEVICEMODE=`GETDEVICEMODE`
 
         # Useful information for Harmattan-based devices
         ECHO_VERBOSE "refhashlist backup: $TMPHASHBAK"
@@ -178,7 +177,7 @@ UNINSTALL() {
         ECHO_VERBOSE "origincheck: $ORIGINCHECK"
 
         if test $ORIGINCHECK -eq 1; then
-          /usr/sbin/aegisctl -s > /dev/null || exit 1; fi
+          SETORIGINCHECK_STATUS 0; fi
 
         $EXECPWR cp -a /bin/busybox $TMPBINBAK || exit 1
         $EXECPWR cp -a /var/lib/aegis/refhashlist $TMPHASHBAK || exit 1
@@ -187,10 +186,8 @@ UNINSTALL() {
         /usr/bin/accli -c tcb-sign -F /var/lib/aegis/refhashlist < /var/lib/aegis/refhashlist || ROLLBACK_HARMATTAN
         /usr/sbin/validator-init
 
-        # We can't determine whether aegis is neutered in Open Mode or not, so
-        # simply don't re-enable any security options except for in Closed Mode
-        if test $DEVICEMODE != "open" -a $ORIGINCHECK -eq 1; then
-          /usr/sbin/aegisctl +s > /dev/null; fi
+        if test $ORIGINCHECK -eq 1; then
+          SETORIGINCHECK_STATUS 1; fi
 
         rm $TMPBINBAK
         rm $TMPHASHBAK
diff --git a/debian/scripts/functions b/debian/scripts/functions
index 921dad4..c75f781 100644 (file)
--- a/debian/scripts/functions
+++ b/debian/scripts/functions
@@ -53,14 +53,52 @@ GETBBVERSION() {
     /usr/bin/dpkg -s busybox | $EXECPWR awk '/^Version:/ {print $2}'
 }
 
-# Get the current device mode in Harmattan. Returns "open" or "normal"
-GETDEVICEMODE() {
-    /usr/bin/accli -I | $EXECPWR awk '/^Current mode:/ {print $3}'
-}
-
 # Get the enforcement status of aegis' source origin check. Returns "1" when
 # the check is active, otherwise "0"
 GETORIGINCHECK_STATUS() {
-    /usr/sbin/aegisctl | $EXECPWR sed 's/,.*//' | $EXECPWR grep "s" | $EXECPWR wc -l
+    ENFORCE="/sys/kernel/security/validator/enforce"
+    ENFORCE_HEX=`$EXECPWR cat $ENFORCE`
+    SID_CHECK_BIT="2"
+
+    if test "$ENFORCE_HEX" == ""; then exit 1; fi
+    RETVAL="1"
+    if test `echo $(($ENFORCE_HEX & $SID_CHECK_BIT))` -eq 0; then
+      RETVAL="0"
+    fi
+    echo $RETVAL
+}
+
+# Set the enforcement status of aegis' source origin check. The check will be
+# enabled when passed "1"; passing "0" will disable it.
+# Works in both normal and open mode via aegisctl, and in patched open mode via
+# via writing to sysfs entries directly
+SETORIGINCHECK_STATUS() {
+    ENABLE=$1
+
+    ENFORCE="/sys/kernel/security/validator/enforce"
+    ENFORCE_HEX=`$EXECPWR cat $ENFORCE`
+    SID_CHECK_BIT="2"
+
+    if test $ENABLE -gt 0; then
+      if test `GETORIGINCHECK_STATUS` -eq 1; then return; fi # Already on
+      ENFORCE_NEW_DEC=`echo $(($ENFORCE_HEX | $SID_CHECK_BIT))`
+      ENFORCE_NEW_HEX=`printf "0x%02x" $ENFORCE_NEW_DEC`
+      echo $ENFORCE_NEW_HEX > $ENFORCE 2> /dev/null
+      if test $? -gt 0; then
+        # Do not exit 1 on failure to re-enable the origincheck; not fatal for
+        # (un)installation of busybox-power
+        /usr/sbin/aegisctl +s > /dev/null
+      fi
+    else
+      if test `GETORIGINCHECK_STATUS` -eq 0; then return; fi # Already off
+      ENFORCE_NEW_DEC=`echo $(($ENFORCE_HEX ^ $SID_CHECK_BIT))`
+      ENFORCE_NEW_HEX=`printf "0x%02x" $ENFORCE_NEW_DEC`
+      echo $ENFORCE_NEW_HEX > $ENFORCE 2> /dev/null
+      if test $? -gt 0; then
+        /usr/sbin/aegisctl @s > /dev/null || exit 1
+      fi
+    fi
+
+    ECHO_VERBOSE "new origincheck: $ENABLE ($ENFORCE_NEW_HEX)"
 }
 
Unnamed repository; edit this file to name it for gitweb.