#!/bin/bash
# 
# This script is used for Administration of RSBAC general attributes
#
#
# Make sure we're really running bash.
#
if [ -z "$BASH" ]
then
  echo "This menu requires bash - sorry!" 1>&2
  exit 1
fi
#
# We also need the proc fs mounted.
if [ ! -f /proc/stat ]
then
  echo "This menu requires proc fs mounted" 1>&2
  exit 1
fi
#
# Remember command locations once they are looked up (set -h) and turn
# off posix compliance.
#
set -h
set +o posix

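# The dir for tmp files
if test -z "$TMPDIR" ; then TMPDIR=/tmp ; fi

# All scratch files live in a private directory created by mktemp -d.
# This script later reads menu items and command output back from
# $TMPFILE and ${TMPFILE}.2, so neither name may be guessable or
# pre-creatable by another local user. There is deliberately no fallback
# to a name built from the PID: in a shared, world-writable directory such
# a name can be predicted and planted in advance (for example as a
# symlink), so the script stops instead.
if ! RSBAC_TMPWORK=$(mktemp -d "$TMPDIR/rsbac_dialog.XXXXXX")
then
  echo "Cannot create a private temporary directory below $TMPDIR" >&2
  exit 1
fi
# Remove the whole scratch directory on every exit path.
trap 'rm -rf -- "${RSBAC_TMPWORK:?}"' EXIT

# This must be a unique temporary filename
TMPFILE=$RSBAC_TMPWORK/menu
: >"$TMPFILE"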

# Set conf filename
RSBACCONF=/etc/rsbac.conf
# Read settings: the system-wide file first, then the per-user file, so
# the per-user values win. Both files are sourced, i.e. executed as shell
# code with the privileges of whoever runs this menu; they should be
# writable only by that user or root.
[ -f "$RSBACCONF" ] && . "$RSBACCONF"
[ -f ~/.rsbacrc ] && . ~/.rsbacrc
# Default to every known module when the settings did not choose any.
: "${RSBACMOD:=GEN MAC PM DAZ FF RC AUTH ACL CAP JAIL RES PAX}"
# One exported SHOW_<module>=yes flag per selected module; $RSBACMOD is
# split on whitespace on purpose.
for i in $RSBACMOD; do
  export "SHOW_${i}=yes"
done

# set this to rsbac bin dir, if not in path (trailing / is mandatory!)
#
#if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi

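# which dialog tool to use - dialog or kdialog or xdialog...
# The test is quoted so that an empty or multi-word $DIALOG is handled
# by design rather than by accident.
if test -z "$DIALOG"
then DIALOG=${RSBACPATH}dialog
fi
# $DIALOG is expanded unquoted when it is run, as everywhere else in this
# script. NOTE(review): this lets the setting carry extra arguments, but
# also means a program path containing spaces will not work - confirm
# which is intended.
if ! $DIALOG --clear
then
  echo "$DIALOG menu program required!" >&2
  # Fatal set-up error: report failure to the caller instead of the
  # status of the echo above.
  exit 1
fi
# The menus rely on --help-button, so refuse dialog versions without it.
if ! $DIALOG --help 2>&1 | grep -q "help-button"
then
  echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2
  echo "required, please use dialog from admin tools contrib dir or set" >&2
  echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2
  exit 1
fi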

# Derive the dialog geometry from a terminal size.
# Arguments: $1 - terminal rows (default 24, also used when 0)
#            $2 - terminal columns (default 80, also used when 0)
# Globals:   exports LINES and COLUMNS (should normally already be
#            exported, e.g. in /etc/profile); sets BL (rows - 4),
#            BC (columns - 5) and MAXLINES (rows - 10).
set_geometry ()
{
        local rows=${1:-24}
        local cols=${2:-80}
        if [[ $rows == 0 ]]; then rows=24; fi
        if [[ $cols == 0 ]]; then cols=80; fi
        export LINES=$rows
        export COLUMNS=$cols
        BL=$((rows - 4))
        BC=$((cols - 5))
        MAXLINES=$((rows - 10))
}

# Size the dialogs from the terminal; "stty size" prints "rows columns".
# Without a terminal it prints nothing and set_geometry uses its defaults.
set_geometry $(stty size 2>/dev/null)

# Clamp a requested menu height to what fits on the screen.
# Arguments: $1 - wanted number of menu lines
# Globals:   MAXLINES (read)
# Outputs:   the smaller of $1 and MAXLINES on stdout
gl () {
  local wanted=$1
  if [ "$wanted" -gt "$MAXLINES" ]
  then
    echo "$MAXLINES"
  else
    echo "$wanted"
  fi
}

# Window titles. BACKTITLE is exported so that programs started from this
# menu can see it.
export BACKTITLE="RSBAC Administration Tools 1.3.6"
# user@host is looked up once; the help title is the main title plus " Help".
TITLE="$(whoami)@$(hostname): RSBAC Administration"
HELPTITLE="${TITLE} Help"
ERRTITLE="RSBAC Administration - ERROR"

# Show the help text for one menu entry in the configured language.
# Arguments: $1 - menu tag to explain
# Globals:   RSBACLANG (read) - "DE" selects German, anything else English
show_help () {
  if [[ "$RSBACLANG" == DE ]]
  then
    show_help_german "$1"
  else
    show_help_english "$1"
  fi
}

# Show the English help text for one main-menu entry in a dialog textbox.
# Arguments: $1 - menu tag, exactly as it appears in the menu
# Globals:   TMPFILE (overwritten with the help text), DIALOG, HELPTITLE,
#            BACKTITLE, BL, BC (read)
# Returns:   the exit status of the dialog program
show_help_english () {
  local body
  case "$1" in
    'User Attributes:')
      body="Set all user object related attributes." ;;
    'Group Attributes:')
      body="Set all Linux group object related attributes." ;;
    'File/Dir Attributes:')
      body="Set all filesystem object related attributes." ;;
    'Block/Char Device Attributes:')
      body="Set all device object related attributes." ;;
    'Process Attributes:')
      body="Set all process object related attributes." ;;
    'Network Device Attributes:')
      body="Go to Network Device attribute menu." ;;
    'Network Template Definition:')
      body="Go to Network Template Definition menu." ;;
    'Network Template Attributes:')
      body="Go to Network Template attribute menu." ;;
    'RC Roles:')
      body="RC model role administration." ;;
    'RC Types:')
      body="RC model type administration." ;;
    'ACL Management:')
      body="ACL model ACL administration for all target types." ;;
    'ACL Group Management:')
      body="ACL model group administration." ;;
    'Settings:')
      body="Change RSBAC menu settings, e.g. selection of models." ;;
    'Logging:')
      body="Setup general logging for all request and target types." ;;
    'Switch Modules:')
      body=$'Switch decision modules on or off, requires kernel config setting\nand sufficient privileges.' ;;
    'Switch Softmode:')
      body=$'Switch softmode globally or for single decision modules on or off,\nrequires kernel config setting and sufficient privileges.' ;;
    'Check Status:')
      body=$'Call rsbac_check 1 1 to check internal status. Results are shown \nin the system log.' ;;
    'Show Status')
      body="Display /proc/rsbac-info/stats with status information." ;;
    'Show PM Status')
      body="Display /proc/rsbac-info/stats_pm with PM model status information." ;;
    'Show RC Status')
      body="Display /proc/rsbac-info/stats_rc with RC model status information." ;;
    'Show ACL Lists')
      body=$'Display /proc/rsbac-info/acl_acllist with a listing of all ACL\nmodel ACLs.' ;;
    'Show ACL Groups')
      body="Display /proc/rsbac-info/acl_grouplist with a listing of all ACL groups." ;;
    'Show eXtended Status')
      body="Display /proc/rsbac-info/xstats with extended statistics." ;;
    'Bash Shell')
      body="Provide a bash shell." ;;
    Quit)
      body="Quit this menu." ;;
    *)
      body="No help for $1 available!" ;;
  esac

  # Heading, blank line, then the explanation.
  {
    echo "$1"
    echo ""
    echo "$body"
  } > "$TMPFILE"

  $DIALOG --title "$HELPTITLE" \
          --backtitle "$BACKTITLE" \
          --textbox "$TMPFILE" $BL $BC
}

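# Show the German help text for one main-menu entry in a dialog textbox.
# The texts contain umlauts and are stored as UTF-8.
# Arguments: $1 - menu tag, exactly as it appears in the menu
# Globals:   TMPFILE (overwritten with the help text), DIALOG, HELPTITLE,
#            BACKTITLE, BL, BC (read)
# Returns:   the exit status of the dialog program
show_help_german () {
  local body
  case "$1" in
    'User Attributes:')
      body="Setzen aller Benutzer-Attribute." ;;
    'Group Attributes:')
      body="Setzen aller Gruppen-Attribute." ;;
    'File/Dir Attributes:')
      body="Setzen aller Dateisystem-Objekt-Attribute." ;;
    'Block/Char Device Attributes:')
      body="Setzen aller Device-Objekt-Attribute." ;;
    'Process Attributes:')
      body="Setzen aller Prozeß-Attribute." ;;
    'Network Device Attributes:')
      body="Setzen aller Netzwerk-Device-Attribute." ;;
    'Network Template Definition:')
      body="Definition von Netzwerk-Templates." ;;
    'Network Template Attributes:')
      body="Setzen aller Netzwerk-Template-Attribute." ;;
    'RC Roles:')
      body="Administration der RC-Modell-Rollen." ;;
    'RC Types:')
      body="Administration der RC-Modell-Typen." ;;
    'ACL Management:')
      body="ACL-Administration für alle Ziel-Typen." ;;
    'ACL Group Management:')
      body="ACL-Gruppen-Verwaltung." ;;
    'Settings:')
      body="RSBAC-Einstellungen setzen und speichern." ;;
    'Logging:')
      body="Generelle Logging-Einstellungen." ;;
    'Switch Modules:')
      body=$'Entscheidungs-Module an- oder abschalten, erfordert Aktivierung\nin der Kern-Konfiguration und ausreichende Privilegien.' ;;
    'Switch Softmode:')
      body=$'Softmode global oder für einzelne Module an- oder abschalten,\nerfordert Aktivierung in der Kern-Konfiguration und ausreichende\nPrivilegien.' ;;
    'Check Status:')
      body=$'Aufruf von rsbac_check 1 1 zur internen Status-Prüfung.\nErgebnisse erscheinen im System-Log.' ;;
    'Show Status')
      body="Ausgabe von /proc/rsbac-info/stats mit Status-Informationen." ;;
    'Show PM Status')
      body="Ausgabe von /proc/rsbac-info/stats_pm mit PM-Status-Informationen." ;;
    'Show RC Status')
      body="Ausgabe von /proc/rsbac-info/stats_rc mit RC-Status-Informationen." ;;
    'Show ACL Lists')
      body=$'Ausgabe von /proc/rsbac-info/acl_acllist mit einer Liste aller\nACL-Einträge der ACL-Modells.' ;;
    'Show ACL Groups')
      body=$'Ausgabe von /proc/rsbac-info/acl_grouplist mit einer Liste aller\nACL-Gruppen.' ;;
    'Show eXtended Status')
      body="Ausgabe von /proc/rsbac-info/xstats mit erweiterter Statistik." ;;
    'Bash Shell')
      body="Aufruf einer bash-Kommandozeile." ;;
    Quit)
      body="Beende dieses Menü." ;;
    *)
      body="Keine Hilfe für $1 verfügbar!" ;;
  esac

  # Heading, blank line, then the explanation.
  {
    echo "$1"
    echo ""
    echo "$body"
  } > "$TMPFILE"

  $DIALOG --title "$HELPTITLE" \
          --backtitle "$BACKTITLE" \
          --textbox "$TMPFILE" $BL $BC
}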

# Translate a numeric log level into its display name.
# Arguments: $1 - log level as printed by switch_adf_log
# Outputs:   None (0), Denied (1), Full (2), or N/A for anything else
get_llname () {
  local -a names=(None Denied Full)
  if [[ "$1" == [012] ]]
  then
    echo "${names[$1]}"
  else
    echo N/A
  fi
}


# Write the request-level menu items to ${TMPFILE}.2, one line per
# request: the request name followed by what "switch_adf_log -gs" prints
# for it.
# Globals: REQUESTS, RSBACPATH, TMPFILE (read); i and TMP (overwritten)
gen_log_menu_items() {
  # The redirection on the loop truncates the file even when REQUESTS is
  # empty. The echo is unquoted on purpose: every line ends up as
  # whitespace-separated words that become dialog arguments later.
  for i in $REQUESTS
  do
    TMP=$(${RSBACPATH}switch_adf_log -gs $i)
    echo $i $TMP
  done >${TMPFILE}.2
}

# Write the per-target menu items for one request to ${TMPFILE}.2, one
# line per target: the target name and the display name of its log level.
# Arguments: $1 - request name
# Globals:   TARGETS, RSBACPATH, TMPFILE (read); i and TMP (overwritten)
gen_log_menu_subitems() {
  # The redirection on the loop truncates the file even when TARGETS is
  # empty.
  for i in $TARGETS
  do
    TMP=$(${RSBACPATH}switch_adf_log -gs $1 $i)
    echo $i $(get_llname $TMP)
  done >${TMPFILE}.2
}

# Radiolist helper: print "on" when the two arguments are the same
# string, "off" otherwise.
# Arguments: $1 - value of this radiolist entry
#            $2 - currently active value (may be empty)
onoff () {
   [ "$1" = "$2" ] && { echo on; return; }
   echo off
}

# Interactive editor for the log levels handled by switch_adf_log.
# Outer loop: pick a request. Inner loop: pick a target type (or ALL) for
# that request, then choose log level 0, 1 or 2 from a radiolist.
# Globals: REQUESTS, TARGETS (filled on first use), REQ, TARGET, VAL, TMP
#          (overwritten); DIALOG, TITLE, ERRTITLE, BACKTITLE, BL, BC,
#          RSBACPATH, RSBACLOGFILE, TMPFILE (read).
# Files:   $TMPFILE receives dialog selections and command output;
#          ${TMPFILE}.2 holds the generated menu items. The contents of
#          ${TMPFILE}.2 are word-split into dialog arguments, so both files
#          must only ever be writable by the user running this menu.
log_menu () {
  # Fetch the request and target lists only once per run.
  # NOTE(review): presumably "-n" prints the request names and "-t" the
  # target type names - confirm against switch_adf_log.
  if test -z "$REQUESTS"
    then REQUESTS=`$RSBACPATH""switch_adf_log -n`
  fi
  if test -z "$TARGETS"
    then TARGETS=`$RSBACPATH""switch_adf_log -t`
  fi
  while true
  do
    # Rebuild the item list on every pass so changed levels show up.
    gen_log_menu_items
    # dialog writes the chosen tag to stderr, captured in $TMPFILE.
    # A non-zero status (e.g. Cancel) leaves the log menu.
    if ! \
    $DIALOG --title "$TITLE" \
           --backtitle "$BACKTITLE" \
           --default-item "$REQ" \
           --menu "Log Levels for Requests" $BL $BC `gl 45` \
                `cat ${TMPFILE}.2` \
                "Quit" "" \
         2>$TMPFILE
     then rm ${TMPFILE}.2
          return
    fi
    REQ=`cat $TMPFILE`
    case "$REQ" in
      Quit)
        rm ${TMPFILE}.2
        return
        ;;
      *)
        # Target selection for the chosen request; a non-zero dialog
        # status goes back to the request list.
        while true
        do
          gen_log_menu_subitems $REQ
          if ! \
          $DIALOG --title "$TITLE" \
                 --backtitle "$BACKTITLE" \
                 --default-item "$TARGET" \
                 --menu "Log Levels for Requests: Choose Target Type" $BL $BC `gl 15` \
                     "ALL" "" \
                     `cat ${TMPFILE}.2` \
               2>$TMPFILE
          then rm ${TMPFILE}.2
            break
          fi
          TARGET=`cat ${TMPFILE}`
          # VAL preselects the radiolist entry; for ALL it stays empty,
          # so no entry is preselected.
          if test "$TARGET" = "ALL"
          then
            VAL=
          else
            VAL=`${RSBACPATH}switch_adf_log -gs $REQ $TARGET`
          fi
          if $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --radiolist "Choose Log Level for $REQ / $TARGET" $BL $BC 3 \
                         0 `get_llname 0` `onoff 0 $VAL` \
                         1 `get_llname 1` `onoff 1 $VAL` \
                         2 `get_llname 2` `onoff 2 $VAL` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
            # Apply the new level. $TMPFILE is reused for the command's
            # output; on failure its first line is shown in an error box.
            # On success the command line is appended to $RSBACLOGFILE
            # when that variable is set.
            if test "$TARGET" = "ALL"
            then
              if $RSBACPATH""switch_adf_log $REQ $TMP &>$TMPFILE
              then
                if test -n "$RSBACLOGFILE"
                then
                  echo $RSBACPATH""switch_adf_log $REQ $TMP >>"$RSBACLOGFILE"
                fi
              else
                $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
              fi
            else
              if $RSBACPATH""switch_adf_log $REQ $TARGET $TMP &>$TMPFILE
              then
                if test -n "$RSBACLOGFILE"
                then
                  echo $RSBACPATH""switch_adf_log $REQ $TARGET $TMP >>"$RSBACLOGFILE"
                fi
              else
                $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
              fi
            fi
          fi
        done
    esac
  done
}

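  # Main menu entries as tag/description pairs. The list is built once,
  # from the SHOW_<module> flags as they are at start-up.
  # The menu is a normal function fed from an array; no shell code is
  # written to a temporary file and sourced, so neither the file contents
  # nor values such as the host name in $TITLE are ever parsed as code.
  MAIN_MENU_ITEMS=(
    "User Attributes:" "Go to user attribute menu"
    "Group Attributes:" "Go to Linux group attribute menu"
    "File/Dir Attributes:" "Go to file/dir attribute menu"
    "Block/Char Device Attributes:" "Go to dev attribute menu"
    "Process Attributes:" "Go to process attribute menu"
    "Network Device Attributes:" "Go to Network Device attribute menu"
    "Network Template Definition:" "Go to Network Template Definition menu"
    "Network Template Attributes:" "Go to Network Template attribute menu"
  )
  if test "$SHOW_RC" = "yes"
  then
    MAIN_MENU_ITEMS+=(
      "RC Roles:" "Go to RC role menu"
      "RC Types:" "Go to RC type menu"
    )
  fi
  if test "$SHOW_ACL" = "yes"
  then
    MAIN_MENU_ITEMS+=(
      "ACL Management:" "Go to ACL menu"
      "ACL Group Management:" "Go to ACL group menu"
    )
  fi
  MAIN_MENU_ITEMS+=(
    "---------------" ""
    "Settings:" "RSBAC menu settings"
    "Logging:" "Setup general logging"
    "Switch Modules:" "Switch modules on or off"
    "Switch Softmode:" "Switch global or module softmode"
    "---------------" ""
    "Check Status:" "rsbac_check 1 1"
    "Show Status" ""
  )
  if test "$SHOW_PM" = "yes"
  then
    MAIN_MENU_ITEMS+=("Show PM Status" "")
  fi
  if test "$SHOW_RC" = "yes"
  then
    MAIN_MENU_ITEMS+=("Show RC Status" "")
  fi
  if test "$SHOW_ACL" = "yes"
  then
    MAIN_MENU_ITEMS+=(
      "Show ACL Lists" ""
      "Show ACL Groups" ""
    )
  fi
  MAIN_MENU_ITEMS+=(
    "Show eXtended Status" ""
    "---------------" ""
    "Bash Shell" ""
    "----------------" " "
    "Quit" ""
  )

  # Show the main menu. dialog writes the chosen tag to stderr; with the
  # help button it writes "HELP <tag>" instead.
  # Globals: DIALOG, TITLE, BACKTITLE, CHOICE, BL, BC, MAIN_MENU_ITEMS (read)
  # Returns: the exit status of the dialog program
  main_menu ()
  {
    $DIALOG --title "$TITLE" \
       --backtitle "$BACKTITLE" \
       --help-button --default-item "$CHOICE" \
       --menu "Main FD Menu" $BL $BC $(gl 29) \
       "${MAIN_MENU_ITEMS[@]}"
  }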

#cp $TMPFILE /tmp/menu

# When a command log file is configured, start this session's entries
# with a blank line and a "# <script> start <date>" marker.
if [ -n "$RSBACLOGFILE" ]
then
  printf '\n# %s start %s\n' "$0" "$(date)" >>"$RSBACLOGFILE"
fi

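# Page one status file from /proc/rsbac-info if this kernel provides it.
# Arguments: $1 - file name below /proc/rsbac-info
show_proc_info () {
  if test -f "/proc/rsbac-info/$1"
  then
    less "/proc/rsbac-info/$1"
  fi
}

# Main loop: show the main menu, act on the selection, repeat until the
# menu is cancelled or "Quit" is chosen. $TMPFILE carries dialog
# selections and command output; it is quoted everywhere so a TMPDIR
# containing spaces cannot split the path.
while true
do
  if ! main_menu 2>"$TMPFILE"
  then
    rm "$TMPFILE" ; exit
  fi

  CHOICE=$(cat "$TMPFILE")
  case "$CHOICE" in
    HELP*)
        # The help button reports "HELP <tag>"; drop the 5-character
        # prefix and keep the tag as the next default item.
        show_help "${CHOICE:5}"
        CHOICE="${CHOICE:5}"
      ;;
    'User Attributes:')
        "${RSBACPATH}rsbac_user_menu"
      ;;

    'Group Attributes:')
        "${RSBACPATH}rsbac_group_menu"
      ;;

    'File/Dir Attributes:')
        "${RSBACPATH}rsbac_fd_menu"
      ;;

    'Block/Char Device Attributes:')
        "${RSBACPATH}rsbac_dev_menu"
      ;;

    'Process Attributes:')
        "${RSBACPATH}rsbac_process_menu"
      ;;

    "Network Device Attributes:")
        "${RSBACPATH}rsbac_netdev_menu"
      ;;

    "Network Template Definition:")
        "${RSBACPATH}rsbac_nettemp_def_menu"
      ;;

    "Network Template Attributes:")
        "${RSBACPATH}rsbac_nettemp_menu"
      ;;

    'RC Roles:')
        "${RSBACPATH}rsbac_rc_role_menu"
      ;;

    'RC Types:')
        "${RSBACPATH}rsbac_rc_type_menu"
      ;;

    'ACL Management:')
        "${RSBACPATH}rsbac_acl_menu"
      ;;

    'ACL Group Management:')
        "${RSBACPATH}rsbac_acl_group_menu"
      ;;

    'Settings:')
      "${RSBACPATH}rsbac_settings_menu"
      # Read settings again, since the settings menu may have changed
      # them. Both files are executed as shell code.
      if test -f "$RSBACCONF"
      then . "$RSBACCONF"
      fi
      if test -f ~/.rsbacrc
      then . ~/.rsbacrc
      fi
      ;;

    'Logging:')
      log_menu
      ;;

    'Switch Modules:')
        # NOTE(review): unlike the log level changes made in log_menu,
        # module and softmode switches are not appended to $RSBACLOGFILE -
        # confirm whether they should leave a record as well.
        TMP=
        while \
        $DIALOG --title "$TITLE" \
               --backtitle "$BACKTITLE" \
               --default-item "$TMP" \
               --menu "Select Module to Switch" $BL $BC $(gl 11) \
                      "MAC"  "Mandatory Access Control (Bell-LaPadula)" \
                      "PM"   "Privacy Model" \
                      "DAZ"  "Dazuko" \
                      "FF"   "File Flags" \
                      "RC"   "Role Compatibility" \
                      "ACL"  "Access Control Lists" \
                      "AUTH" "Authorization" \
                      "CAP"  "Linux Capabilities" \
                      "JAIL" "Process JAILs" \
                      "RES" "Linux Resources" \
                      "PAX" "PaX flags" \
             2>"$TMPFILE"
        do
          TMP=$(cat "$TMPFILE")
          case $TMP in
            HELP*)
              show_help "${TMP:5}"
              TMP="${TMP:5}"
              ;;
            *)
              if $DIALOG --title "$TITLE" \
                        --backtitle "$BACKTITLE" \
                        --radiolist "Switch $TMP to" $BL $BC 2 \
                                    0 "off" off \
                                    1 "on" off \
                 2>"$TMPFILE"
              then
                 # The radiolist choice is read before $TMPFILE is reused
                 # for the command's output. It stays unquoted so an empty
                 # choice adds no argument.
                 if ! "${RSBACPATH}switch_module" "$TMP" $(cat "$TMPFILE") &>"$TMPFILE"
                 then
                   $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                 fi
              fi
          esac
        done
      ;;

    'Switch Softmode:')
        TMP=
        while \
        $DIALOG --title "$TITLE" \
               --backtitle "$BACKTITLE" \
               --default-item "$TMP" \
               --menu "Select Module to Switch Softmode for" $BL $BC $(gl 12) \
                      "GLOBAL" "Global Softmode" \
                      "MAC"  "Mandatory Access Control (Bell-LaPadula)" \
                      "PM"   "Privacy Model" \
                      "DAZ"  "Dazuko" \
                      "FF"   "File Flags" \
                      "RC"   "Role Compatibility" \
                      "ACL"  "Access Control Lists" \
                      "AUTH" "Authorization" \
                      "CAP"  "Linux Capabilities" \
                      "JAIL" "Process JAILs" \
                      "RES" "Linux Resources" \
                      "PAX" "PaX flags" \
             2>"$TMPFILE"
        do
          TMP=$(cat "$TMPFILE")
          case $TMP in
            HELP*)
              show_help "${TMP:5}"
              TMP="${TMP:5}"
              ;;
            *)
              if $DIALOG --title "$TITLE" \
                        --backtitle "$BACKTITLE" \
                        --radiolist "Switch $TMP Softmode to" $BL $BC 2 \
                                    0 "off" off \
                                    1 "on" off \
                 2>"$TMPFILE"
              then
                 if test "$TMP" = "GLOBAL"
                 then
                   if ! "${RSBACPATH}switch_module" SOFTMODE $(cat "$TMPFILE") &>"$TMPFILE"
                   then
                     $DIALOG --title "$ERRTITLE" \
                            --backtitle "$BACKTITLE" \
                            --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                   fi
                 else
                   # Per-module softmode is set through the proc debug
                   # interface. stderr is redirected first so that a
                   # failure to open the proc file is captured in
                   # $TMPFILE for the error box below.
                   if ! echo "debug ind_softmode $TMP $(cat "$TMPFILE")" 2>"$TMPFILE" >/proc/rsbac-info/debug
                   then
                     $DIALOG --title "$ERRTITLE" \
                            --backtitle "$BACKTITLE" \
                            --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                   fi
                 fi
              fi
          esac
        done
      ;;

    'Check Status:')
        # The command's output is shown only when rsbac_check fails.
        if test -f /proc/rsbac-info/stats
        then
          if ! "${RSBACPATH}rsbac_check" 1 1 &>"$TMPFILE"
          then $DIALOG --title "$TITLE" \
                      --backtitle "$BACKTITLE" \
                      --textbox "$TMPFILE" $BL $BC
          fi
        fi
      ;;

    # The status files are paged with less rather than shown in a dialog
    # textbox.
    'Show Status')
        show_proc_info stats
      ;;

    'Show PM Status')
        show_proc_info stats_pm
      ;;

    'Show RC Status')
        show_proc_info stats_rc
      ;;

    'Show ACL Lists')
        show_proc_info acl_acllist
      ;;

    'Show ACL Groups')
        show_proc_info acl_grouplist
      ;;

    'Show eXtended Status')
        show_proc_info xstats
      ;;

    'Bash Shell')
        echo Return with exit!
        # Start exactly one login shell. A chain of "||" fallbacks would
        # open a further shell whenever the user leaves this one with a
        # non-zero status, e.g. after a failed last command.
        bash --login
      ;;

    Quit)
        rm "$TMPFILE" ; exit
      ;;

    *)
        $DIALOG --title "$ERRTITLE" \
               --backtitle "$BACKTITLE" \
               --msgbox "Main Menu: Selection Error!" 5 $BC

  esac
# sleep 2
done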
