#!/bin/bash

# Message catalogue used by the $"..." strings further down.
TEXTDOMAINDIR=/usr/share/locale
TEXTDOMAIN=astra-safepolicy

# Requested action (enable/disable/status/is-enabled); empty means
# "re-apply whatever state the unit currently records".
mode=${1:-}

if [ "$UID" != "0" ]; then
    # Unprivileged caller: this is the path the "status" action exercises
    # via su. Every effective limit must equal the policy value, otherwise
    # the script exits 1 at the first mismatch.
    # Each entry is <ulimit flag>:<expected value>; the fsize values are
    # the non-32bit ones.
    for limit_spec in Hf:50000000 Sf:25000000 Hn:4096 Sn:2048 Hu:2000 Su:1000 Hc:0; do
        limit_flag=${limit_spec%%:*}
        limit_want=${limit_spec#*:}
        if [ "$(ulimit -"$limit_flag")" != "$limit_want" ]; then
            exit 1
        fi
    done

    exit 0
fi 
# Recorded unit state: "enabled", "disabled", or empty when the unit does
# not exist (systemctl errors are discarded).
status=$(systemctl is-enabled astra-ulimits-control 2>/dev/null)

# Without an explicit action, re-apply the state the unit records.
if [ -z "$mode" ]; then
    case "$status" in
        enabled)  mode=enable ;;
        disabled) mode=disable ;;
    esac
fi

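#######################################
# Preserve a file's mandatory-access (pdpl) label across an in-place edit.
# Called with a path it captures the file's current label; called without
# arguments it re-applies the captured label and forgets it.
# Globals:   pdpl_label, pdpl_file (written on capture, cleared on restore)
# Arguments: $1 - file whose label to capture; omit to restore
# Outputs:   none; pdpl-file diagnostics are discarded
#######################################
function keep_pdpl()
{
	if [ -z "$1" ]; then
		# Restore only when a label was actually captured: with an empty
		# label the call would degrade into a read of the file's label and
		# print it to stdout.
		if [ -n "$pdpl_label" ] && [ -n "$pdpl_file" ]; then
			# pdpl_label is deliberately unquoted: it is handed back to
			# pdpl-file exactly as pdpl-file printed it.
			# shellcheck disable=SC2086
			pdpl-file $pdpl_label "$pdpl_file" 2> /dev/null
		fi
		unset pdpl_label
		unset pdpl_file
	else
		pdpl_label=$(pdpl-file "$1" 2> /dev/null)
		pdpl_file=$1
	fi
}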

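#######################################
# Remove every fsize/nofile/nproc/core entry from limits.conf, active or
# commented out, so the entries appended afterwards are the only ones left.
# Globals:   none
# Arguments: none
#######################################
strip_limits() {
	local pattern
	for pattern in "hard fsize" "soft fsize" "hard nofile" "soft nofile" \
		"hard nproc" "soft nproc" "hard core"; do
		# the pattern is unanchored on purpose: "#* hard fsize" must go too
		sed -e "/.*${pattern}/d" -i /etc/security/limits.conf
	done
}

#######################################
# Append the policy entries to limits.conf.
# Arguments: $1 - line prefix: "" writes active entries, "#" writes them
#                 commented out so the disabled state stays visible.
#######################################
append_limits() {
	local prefix=$1
	{
		printf '%s* hard fsize 50000000\n' "$prefix" # non-32bit
		printf '%s* soft fsize 25000000\n' "$prefix" # non-32bit
		printf '%s* hard nofile 4096\n' "$prefix"
		printf '%s* soft nofile 2048\n' "$prefix"
		printf '%s* hard nproc 2000\n' "$prefix"
		printf '%s* soft nproc 1000\n' "$prefix"
		printf '%s* hard core 0\n' "$prefix"
	} >> /etc/security/limits.conf
}

if [ "$mode" = "enable" ]; then
	# Install the oneshot unit once; it re-runs this script at boot.
	if [ ! -f /etc/systemd/system/astra-ulimits-control.service ]; then
		cat > /etc/systemd/system/astra-ulimits-control.service <<'EOF'
[Unit]
Description=control/Uncontrol ulimits for user
After=rc-local.service

[Service]
Type=oneshot
ExecStart=/usr/sbin/astra-ulimits-control

[Install]
WantedBy=astra-safepolicy.target
EOF
	fi
	if [ "$status" = "disabled" ] || [ "$status" = "" ]; then
		systemctl enable astra-ulimits-control.service > /dev/null 2>&1
	fi
	# sed -i rewrites limits.conf, which can drop its label: capture it
	# first and put it back once the edit is done.
	keep_pdpl /etc/security/limits.conf
	strip_limits
	append_limits ""
	keep_pdpl
elif [ "$mode" = "disable" ]; then 
	if [ "$status" = "enabled" ]; then
		systemctl disable astra-ulimits-control.service > /dev/null 2>&1
	fi
	# Same label round-trip as the enable path; it was previously missing
	# here although the file is rewritten in exactly the same way.
	keep_pdpl /etc/security/limits.conf
	strip_limits
	append_limits "#"
	keep_pdpl
elif [ "$mode" = "status" ]; then
	# Probe the limits an unprivileged session really gets: create a
	# throw-away locked account, re-run this script as that account (the
	# non-root path at the top performs the ulimit checks) and remove the
	# account again.
	# NOTE(review): the temporary entry uses UID/GID 1, which on most
	# distributions already belongs to a system account - confirm intended.
	label=$(pdpl-file /etc/passwd 2> /dev/null)
	# was read from /etc/passwd too, so the passwd label ended up on shadow
	label2=$(pdpl-file /etc/shadow 2> /dev/null)

	# Removes the temporary account and restores both files' labels.
	cleanup_lock_test() {
		sed -i -e "/astra_lock_test:x:1:1::\/nonexistent:/d" /etc/passwd
		sed -i -e "/astra_lock_test:!:18248:0:99999:7:::/d" /etc/shadow
		# labels are unquoted on purpose: passed back as pdpl-file printed them
		# shellcheck disable=SC2086
		if [ -n "$label" ]; then pdpl-file $label /etc/passwd; fi
		# shellcheck disable=SC2086
		if [ -n "$label2" ]; then pdpl-file $label2 /etc/shadow; fi
	}
	# Make sure the account does not survive an interrupted probe.
	trap cleanup_lock_test EXIT
	echo "astra_lock_test:x:1:1::/nonexistent:" >> /etc/passwd
	echo "astra_lock_test:!:18248:0:99999:7:::" >> /etc/shadow
	scriptpath=$(type -P "$0")
	set +e
	# The script itself serves as the account's shell; it is invoked with
	# no arguments, so only the non-root check at the top runs.
	su astra_lock_test -s "$scriptpath"
	res=$?
	trap - EXIT
	cleanup_lock_test
	if [ "$res" = "0" ]; then
		echo $"ACTIVE";
	else
		echo $"INACTIVE";
	fi
	exit $res
elif [ "$mode" = "is-enabled" ]; then
	if [ "$status" = "enabled" ]; then
		echo $"ENABLED"
		exit 0
	else
		echo $"DISABLED"
		exit 1
	fi
else
	echo $"Usage: $0 <enable/disable/status/is-enabled>"
	exit 1
fi
exit 0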
