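#!/bin/bash

## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
## See the file COPYING for copying conditions.

## Sourced before 'set -e' on purpose: the debconf confmodule re-executes
## this script under the debconf frontend, and that hand-over must not be
## subject to errexit.
source /usr/share/debconf/confmodule

set -e

#######################################
# One-shot check for the permission-hardener v2 upgrade.
#
# Detects permission-hardener configuration that is not one of the shipped
# defaults: either a packaged file under permission-hardener.d that
# 'dpkg -V' reports as modified, or a *.conf file in one of the scanned
# directories that is not in the shipped-defaults list below. If any such
# file exists, the debconf alert
# security-misc/alert-on-permission-hardener-v2-upgrade is shown.
#
# Globals:      reads FUNCNAME; none written
# Arguments:    none
# Outputs:      debconf prompt via db_input / db_go (best effort)
# Side effects: creates /var/lib/security-misc/do_once/<fn>_version_1 so the
#               check runs at most once per system
# Returns:      0
#######################################
check_migrate_permission_hardener_state() {
  local orig_hardening_arr custom_hardening_arr config_file done_marker

  done_marker="/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
  if [ -f "${done_marker}" ]; then
    return 0
  fi
  mkdir --parents '/var/lib/security-misc/do_once'

  # TODO: Is there some way to autogenerate this list at runtime?
  orig_hardening_arr=(
    '/usr/lib/permission-hardener.d/25_default_sudo.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
    '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
    '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
    '/usr/lib/permission-hardener.d/30_ping.conf'
    '/usr/lib/permission-hardener.d/30_default.conf'
  )

  ## Packaged files that were modified locally count as custom configuration.
  ## 'dpkg -V' prints the path as the last field of each line.
  readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')

  for config_file in \
    /usr/lib/permission-hardener.d/*.conf \
    /etc/permission-hardener.d/*.conf \
    /usr/local/etc/permission-hardener.d/*.conf \
    /etc/permission-hardening.d/*.conf \
    /usr/local/etc/permission-hardening.d/*.conf
  do
    ## nullglob is not enabled, so a missing or empty directory leaves the
    ## literal pattern in config_file. Skip it; otherwise the pattern string
    ## would be counted as a custom file and the alert shown on every system.
    if [ ! -f "${config_file}" ]; then
      continue
    fi
    # shellcheck disable=SC2076
    if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
      custom_hardening_arr+=( "${config_file}" )
    fi
  done

  if [ "${#custom_hardening_arr[@]}" != '0' ]; then
    ## db_input will return code 30 if the message won't be displayed, which
    ## causes a non-interactive install to error out if you don't use || true
    db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true
    ## db_go can return code 30 too in some instances, we don't care here
    # shellcheck disable=SC2119
    db_go || true
  fi

  ## Written regardless of whether the alert was displayed: the migration
  ## notice is meant to be offered once, not retried.
  touch "${done_marker}"
}

check_migrate_permission_hardener_state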