TMPHASHBAK=`$EXECPWR mktemp`
TMPBINBAK=`$EXECPWR mktemp`
ORIGINCHECK=`GETORIGINCHECK_STATUS`
- DEVICEMODE=`GETDEVICEMODE`
# Useful information for Harmattan-based devices
ECHO_VERBOSE "refhashlist backup: $TMPHASHBAK"
ECHO_VERBOSE "origincheck: $ORIGINCHECK"
if test $ORIGINCHECK -eq 1; then
- /usr/sbin/aegisctl -s > /dev/null || exit 1; fi
-
+ SETORIGINCHECK_STATUS 0; fi
+
$EXECPWR cp -a /bin/busybox $TMPBINBAK || exit 1
$EXECPWR cp -a /var/lib/aegis/refhashlist $TMPHASHBAK || exit 1
$EXECPWR cp -af $EXECPWR /bin/busybox || ROLLBACK_HARMATTAN
/usr/bin/accli -c tcb-sign -F /var/lib/aegis/refhashlist < /var/lib/aegis/refhashlist || ROLLBACK_HARMATTAN
/usr/sbin/validator-init
- # We can't determine whether aegis is neutered in Open Mode or not, so
- # simply don't re-enable any security options except for in Closed Mode
- if test $DEVICEMODE != "open" -a $ORIGINCHECK -eq 1; then
- /usr/sbin/aegisctl +s > /dev/null; fi
+ if test $ORIGINCHECK -eq 1; then
+ SETORIGINCHECK_STATUS 1; fi
$EXECPWR rm $TMPBINBAK
$EXECPWR rm $TMPHASHBAK
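Review bot: The two backup copies (`cp -a /bin/busybox $TMPBINBAK || exit 1` and `cp -a /var/lib/aegis/refhashlist $TMPHASHBAK || exit 1`) run after `SETORIGINCHECK_STATUS 0`, so a failed backup exits with the origin check still disabled. Either take the backups before disabling the check, if they do not need it off, or restore it on the way out, e.g. `|| { SETORIGINCHECK_STATUS $ORIGINCHECK; exit 1; }`. The same ordering appears in the next hunk. Whether ROLLBACK_HARMATTAN restores the check is not visible here, and the enclosing function starts and ends outside the hunk.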
TMPHASHBAK=`$EXECPWR mktemp`
TMPBINBAK=`$EXECPWR mktemp`
ORIGINCHECK=`GETORIGINCHECK_STATUS`
- DEVICEMODE=`GETDEVICEMODE`
# Useful information for Harmattan-based devices
ECHO_VERBOSE "refhashlist backup: $TMPHASHBAK"
ECHO_VERBOSE "origincheck: $ORIGINCHECK"
if test $ORIGINCHECK -eq 1; then
- /usr/sbin/aegisctl -s > /dev/null || exit 1; fi
+ SETORIGINCHECK_STATUS 0; fi
$EXECPWR cp -a /bin/busybox $TMPBINBAK || exit 1
$EXECPWR cp -a /var/lib/aegis/refhashlist $TMPHASHBAK || exit 1
/usr/bin/accli -c tcb-sign -F /var/lib/aegis/refhashlist < /var/lib/aegis/refhashlist || ROLLBACK_HARMATTAN
/usr/sbin/validator-init
- # We can't determine whether aegis is neutered in Open Mode or not, so
- # simply don't re-enable any security options except for in Closed Mode
- if test $DEVICEMODE != "open" -a $ORIGINCHECK -eq 1; then
- /usr/sbin/aegisctl +s > /dev/null; fi
+ if test $ORIGINCHECK -eq 1; then
+ SETORIGINCHECK_STATUS 1; fi
rm $TMPBINBAK
rm $TMPHASHBAK
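Review bot: `test $ORIGINCHECK -eq 1` here (and in the matching lines of the previous hunk) can now see an empty value. The rewritten GETORIGINCHECK_STATUS runs `exit 1` before printing anything when the sysfs read comes back empty, and inside the backticks that only ends the substitution's subshell. The unquoted test then fails with an error and is treated as false, so the script carries on without knowing the state of the check. Stop at the assignment instead, `ORIGINCHECK=$(GETORIGINCHECK_STATUS) || exit 1`, which runs before anything has been modified. The enclosing function begins and ends outside this hunk.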
/usr/bin/dpkg -s busybox | $EXECPWR awk '/^Version:/ {print $2}'
}
-# Get the current device mode in Harmattan. Returns "open" or "normal"
-GETDEVICEMODE() {
- /usr/bin/accli -I | $EXECPWR awk '/^Current mode:/ {print $3}'
-}
-
# Get the enforcement status of aegis' source origin check. Returns "1" when
# the check is active, otherwise "0"
GETORIGINCHECK_STATUS() {
- /usr/sbin/aegisctl | $EXECPWR sed 's/,.*//' | $EXECPWR grep "s" | $EXECPWR wc -l
+ ENFORCE="/sys/kernel/security/validator/enforce"
+ ENFORCE_HEX=`$EXECPWR cat $ENFORCE`
+ SID_CHECK_BIT="2"
+
+ if test "$ENFORCE_HEX" == ""; then exit 1; fi
+ RETVAL="1"
+ if test `echo $(($ENFORCE_HEX & $SID_CHECK_BIT))` -eq 0; then
+ RETVAL="0"
+ fi
+ echo $RETVAL
+}
+
+# Set the enforcement status of aegis' source origin check. The check will be
+# enabled when passed "1"; passing "0" will disable it.
+# Works in both normal and open mode via aegisctl, and in patched open mode via
+# via writing to sysfs entries directly
+SETORIGINCHECK_STATUS() {
+ ENABLE=$1
+
+ ENFORCE="/sys/kernel/security/validator/enforce"
+ ENFORCE_HEX=`$EXECPWR cat $ENFORCE`
+ SID_CHECK_BIT="2"
+
+ if test $ENABLE -gt 0; then
+ if test `GETORIGINCHECK_STATUS` -eq 1; then return; fi # Already on
+ ENFORCE_NEW_DEC=`echo $(($ENFORCE_HEX | $SID_CHECK_BIT))`
+ ENFORCE_NEW_HEX=`printf "0x%02x" $ENFORCE_NEW_DEC`
+ echo $ENFORCE_NEW_HEX > $ENFORCE 2> /dev/null
+ if test $? -gt 0; then
+ # Do not exit 1 on failure to re-enable the origincheck; not fatal for
+ # (un)installation of busybox-power
+ /usr/sbin/aegisctl +s > /dev/null
+ fi
+ else
+ if test `GETORIGINCHECK_STATUS` -eq 0; then return; fi # Already off
+ ENFORCE_NEW_DEC=`echo $(($ENFORCE_HEX ^ $SID_CHECK_BIT))`
+ ENFORCE_NEW_HEX=`printf "0x%02x" $ENFORCE_NEW_DEC`
+ echo $ENFORCE_NEW_HEX > $ENFORCE 2> /dev/null
+ if test $? -gt 0; then
+ /usr/sbin/aegisctl @s > /dev/null || exit 1
+ fi
+ fi
+
+ ECHO_VERBOSE "new origincheck: $ENABLE ($ENFORCE_NEW_HEX)"
}
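Review bot: In the enable branch of SETORIGINCHECK_STATUS the result of the `/usr/sbin/aegisctl +s` fallback is discarded, and the closing `ECHO_VERBOSE "new origincheck: ..."` prints the intended value rather than the one in effect. A run where both the sysfs write and aegisctl fail therefore leaves the origin check off with nothing reported. Not aborting there is a stated choice, but the user should still be told: re-read the state after the branch, e.g. `test "$(GETORIGINCHECK_STATUS)" = 1 || echo "warning: aegis origin check could not be re-enabled" >&2`. As a smaller point, the disable branch clears the bit with `^`, which is only correct because of the already-off check before it; `$(($ENFORCE_HEX & ~$SID_CHECK_BIT))` clears it whatever value was read.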