From: Dennis Groenen Date: Tue, 23 Oct 2012 20:02:07 +0000 (+0200) Subject: add proper support for (un)installation in Harmattan (patched) Open Mode X-Git-Tag: 1.20.2power4~7 X-Git-Url: http://vcs.maemo.org/git/?p=busybox-power;a=commitdiff_plain;h=106a76bf509e95a9db09fbff48024fe3989742b8 add proper support for (un)installation in Harmattan (patched) Open Mode --- diff --git a/debian/busybox-power.postinst b/debian/busybox-power.postinst index 3b59eb9..65637f3 100644 --- a/debian/busybox-power.postinst +++ b/debian/busybox-power.postinst @@ -78,7 +78,6 @@ INSTALL() { TMPHASHBAK=`$EXECPWR mktemp` TMPBINBAK=`$EXECPWR mktemp` ORIGINCHECK=`GETORIGINCHECK_STATUS` - DEVICEMODE=`GETDEVICEMODE` # Useful information for Harmattan-based devices ECHO_VERBOSE "refhashlist backup: $TMPHASHBAK" @@ -89,8 +88,8 @@ INSTALL() { ECHO_VERBOSE "origincheck: $ORIGINCHECK" if test $ORIGINCHECK -eq 1; then - /usr/sbin/aegisctl -s > /dev/null || exit 1; fi - + SETORIGINCHECK_STATUS 0; fi + $EXECPWR cp -a /bin/busybox $TMPBINBAK || exit 1 $EXECPWR cp -a /var/lib/aegis/refhashlist $TMPHASHBAK || exit 1 $EXECPWR cp -af $EXECPWR /bin/busybox || ROLLBACK_HARMATTAN @@ -98,10 +97,8 @@ INSTALL() { /usr/bin/accli -c tcb-sign -F /var/lib/aegis/refhashlist < /var/lib/aegis/refhashlist || ROLLBACK_HARMATTAN /usr/sbin/validator-init - # We can't determine whether aegis is neutered in Open Mode or not, so - # simply don't re-enable any security options except for in Closed Mode - if test $DEVICEMODE != "open" -a $ORIGINCHECK -eq 1; then - /usr/sbin/aegisctl +s > /dev/null; fi + if test $ORIGINCHECK -eq 1; then + SETORIGINCHECK_STATUS 1; fi $EXECPWR rm $TMPBINBAK $EXECPWR rm $TMPHASHBAK diff --git a/debian/busybox-power.prerm b/debian/busybox-power.prerm index 0e540ca..3659037 100644 --- a/debian/busybox-power.prerm +++ b/debian/busybox-power.prerm @@ -167,7 +167,6 @@ UNINSTALL() { TMPHASHBAK=`$EXECPWR mktemp` TMPBINBAK=`$EXECPWR mktemp` ORIGINCHECK=`GETORIGINCHECK_STATUS` - DEVICEMODE=`GETDEVICEMODE` # Useful information for Harmattan-based devices ECHO_VERBOSE "refhashlist backup: $TMPHASHBAK" @@ -178,7 +177,7 @@ UNINSTALL() { ECHO_VERBOSE "origincheck: $ORIGINCHECK" if test $ORIGINCHECK -eq 1; then - /usr/sbin/aegisctl -s > /dev/null || exit 1; fi + SETORIGINCHECK_STATUS 0; fi $EXECPWR cp -a /bin/busybox $TMPBINBAK || exit 1 $EXECPWR cp -a /var/lib/aegis/refhashlist $TMPHASHBAK || exit 1 @@ -187,10 +186,8 @@ UNINSTALL() { /usr/bin/accli -c tcb-sign -F /var/lib/aegis/refhashlist < /var/lib/aegis/refhashlist || ROLLBACK_HARMATTAN /usr/sbin/validator-init - # We can't determine whether aegis is neutered in Open Mode or not, so - # simply don't re-enable any security options except for in Closed Mode - if test $DEVICEMODE != "open" -a $ORIGINCHECK -eq 1; then - /usr/sbin/aegisctl +s > /dev/null; fi + if test $ORIGINCHECK -eq 1; then + SETORIGINCHECK_STATUS 1; fi rm $TMPBINBAK rm $TMPHASHBAK diff --git a/debian/scripts/functions b/debian/scripts/functions index 921dad4..c75f781 100644 --- a/debian/scripts/functions +++ b/debian/scripts/functions @@ -53,14 +53,52 @@ GETBBVERSION() { /usr/bin/dpkg -s busybox | $EXECPWR awk '/^Version:/ {print $2}' } -# Get the current device mode in Harmattan. Returns "open" or "normal" -GETDEVICEMODE() { - /usr/bin/accli -I | $EXECPWR awk '/^Current mode:/ {print $3}' -} - # Get the enforcement status of aegis' source origin check. Returns "1" when # the check is active, otherwise "0" GETORIGINCHECK_STATUS() { - /usr/sbin/aegisctl | $EXECPWR sed 's/,.*//' | $EXECPWR grep "s" | $EXECPWR wc -l + ENFORCE="/sys/kernel/security/validator/enforce" + ENFORCE_HEX=`$EXECPWR cat $ENFORCE` + SID_CHECK_BIT="2" + + if test "$ENFORCE_HEX" == ""; then exit 1; fi + RETVAL="1" + if test `echo $(($ENFORCE_HEX & $SID_CHECK_BIT))` -eq 0; then + RETVAL="0" + fi + echo $RETVAL +} + +# Set the enforcement status of aegis' source origin check. The check will be +# enabled when passed "1"; passing "0" will disable it. +# Works in both normal and open mode via aegisctl, and in patched open mode via +# via writing to sysfs entries directly +SETORIGINCHECK_STATUS() { + ENABLE=$1 + + ENFORCE="/sys/kernel/security/validator/enforce" + ENFORCE_HEX=`$EXECPWR cat $ENFORCE` + SID_CHECK_BIT="2" + + if test $ENABLE -gt 0; then + if test `GETORIGINCHECK_STATUS` -eq 1; then return; fi # Already on + ENFORCE_NEW_DEC=`echo $(($ENFORCE_HEX | $SID_CHECK_BIT))` + ENFORCE_NEW_HEX=`printf "0x%02x" $ENFORCE_NEW_DEC` + echo $ENFORCE_NEW_HEX > $ENFORCE 2> /dev/null + if test $? -gt 0; then + # Do not exit 1 on failure to re-enable the origincheck; not fatal for + # (un)installation of busybox-power + /usr/sbin/aegisctl +s > /dev/null + fi + else + if test `GETORIGINCHECK_STATUS` -eq 0; then return; fi # Already off + ENFORCE_NEW_DEC=`echo $(($ENFORCE_HEX ^ $SID_CHECK_BIT))` + ENFORCE_NEW_HEX=`printf "0x%02x" $ENFORCE_NEW_DEC` + echo $ENFORCE_NEW_HEX > $ENFORCE 2> /dev/null + if test $? -gt 0; then + /usr/sbin/aegisctl @s > /dev/null || exit 1 + fi + fi + + ECHO_VERBOSE "new origincheck: $ENABLE ($ENFORCE_NEW_HEX)" }