ublinux-init/ublinux/rc.preinit.d/56-security

#!/bin/bash
#
# Initial script for Live operating system
# This script are launching before starting init from linux-live script.
# Current dir allways must be set to root (/)
# All system path must be relative, except initrd dirs

ENABLED=yes
[ "$ENABLED" != "yes" ] && exit 0
DEBUGMODE=no

SELF_NAME="56-security"
PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin

unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
debug_mode "$0" "$@"

SYSCONF="${ROOTFS}/${SYSCONF}"
SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null

exec_access_denied_vtx11(){
    FILE_XORGDONTVTSWITCH_CONF="${ROOTFS}/etc/X11/xorg.conf.d/ublinux-disable-vt.conf"
    FILE_SYSTEMDLOGIND_CONF="${ROOTFS}/etc/systemd/logind.conf.d/ublinux-disable-vt.conf"
    FILE_LIGHTDM_CONF="${ROOTFS}/etc/lightdm/lightdm.conf.d/ublinux-disable-vt.conf"

    if [[ ${ACCESS_DENIED_VTX11} == @(yes|enable) ]]; then
	mkdir -p ${FILE_XORGDONTVTSWITCH_CONF%/*}
	 cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_XORGDONTVTSWITCH_CONF}"
	    Section "ServerFlags"
	    Option "DontVTSwitch" "true"
	    EndSection
EOF
	if readlink -fq ${ROOTFS}/usr/bin/init | grep -q "lib/systemd/systemd$"; then
	    mkdir -p ${FILE_SYSTEMDLOGIND_CONF%/*}
	    cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_SYSTEMDLOGIND_CONF}"
		[Login]
		NAutoVTs=0
		ReserveVT=0
EOF
	fi
	if [[ -d ${ROOTFS}/etc/lightdm ]]; then
	    mkdir -p ${FILE_LIGHTDM_CONF%/*}
	    cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_LIGHTDM_CONF}"
		[LightDM]
		logind-check-graphical=true
EOF
	fi
    elif [[ ${ACCESS_DENIED_VTX11} == @(no|disable) ]]; then
	rm -f "${FILE_SYSTEMDLOGIND_CONF}" "${FILE_XORGDONTVTSWITCH_CONF}" "${FILE_LIGHTDM_CONF}"
    fi
}

exec_polkit(){
## Настрока polkit правил
    rm -f ${ROOTFS}/etc/polkit-1/rules.d/kiosk-*
    if [[ -n ${POLKIT[@]} ]]; then
	for RULES in "${!POLKIT[@]}"; do
	    RULES_GROUP=
	    RULES_FILE="${ROOTFS}/etc/polkit-1/rules.d/kiosk-$(sed 's/\([A-z0-9]*.[A-z0-9]*.[A-z0-9]*\)\..*/\1/' <<< ${RULES}).rules"
	    RULES_RESULT=$(cut -d: -f1 <<< ${POLKIT[${RULES}]})
	    for GROUP in $(grep ":" <<< ${POLKIT[${RULES}]} | cut -d: -f2 | tr ',' '\n'); do
	        RULES_GROUP+="&& subject.isInGroup(\"${GROUP}\") "
	    done
	    cat >> ${RULES_FILE} <<EOF
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("${RULES}") == 0 
	&& subject.active == true
	&& subject.local == true	
	${RULES_GROUP}
	) 
    {
            return polkit.Result.${RULES_RESULT^^};
    }
});

EOF
	done
	#touch ${ROOTFS}/etc/polkit-1/rules.d
    fi
}

    if [[ ${0##*/} == ${SELF_NAME} && -z $@ ]]; then
        while read -r FUNCTION; do
            $"${FUNCTION##* }"
        done < <(declare -F | grep "declare -f exec_")
    elif [[ ${0##*/} == ${SELF_NAME} ]]; then
        for FUNCTION in $@; do
            ${FUNCTION}
        done
    else
        true
    fi