#!/bin/bash
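# Strict mode: abort on a failing command (-e), an unset variable (-u) or a
# failing pipeline stage (pipefail).
# -E (errtrace) lets shell functions inherit the ERR trap below. Without it the
# trap is not active inside add_missing_caps / add_caps_to_user_session, so a
# failure there ends the script under -e without printing the diagnostic.
set -Eeuo pipefail
trap 'echo "Critical error in configure_uid_sandboxing. Aborting." >&2' ERR

# Fixed search path: unqualified tools used below (cut, grep, sed) are resolved
# only from system directories, never from a PATH inherited from the caller.
# This matters because the script changes file capabilities and a systemd unit.
PATH=/bin:/usr/bin:/sbin:/usr/sbin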

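#######################################
# Add cap_setuid to one binary, keeping the capability names it already has.
# The resulting set is written as "<names>,cap_setuid=ei": every listed
# capability ends up effective + inheritable, and whatever flags the names
# carried before are replaced by "ei".
# Arguments: $1 - absolute path of the binary
# Outputs:   an error message on stderr when the current list cannot be read
# Returns:   0 if the binary is absent or was updated, 1 if getcap output
#            yielded no capability names
#######################################
function _add_setuid_cap {
	local binary="$1"
	local existing_caps

	if [ ! -e "$binary" ]
	then
		return 0
	fi

	# Parsing assumes getcap prints "<path> <names>=<flags>": field 2 up to the
	# first "=" is the comma-separated name list.
	# NOTE(review): output shaped "<path> = <names>+<flags>", or a binary with no
	# file capabilities, yields an empty string here; a second whitespace-separated
	# clause would be dropped. Confirm against the libcap version on the target.
	existing_caps=$(/usr/sbin/getcap "$binary" | cut -f2 -d" " | cut -f1 -d"=")

	# An empty list would make the setcap argument start with a comma, which
	# setcap rejects with a generic error. Fail here with a message naming the
	# binary instead, and never fall back to writing cap_setuid alone, because
	# that could replace capabilities the parse above merely failed to read.
	if [ -z "$existing_caps" ]
	then
		echo "Cannot read existing capabilities of ${binary}; not running setcap with an empty list." >&2
		return 1
	fi

	/usr/sbin/setcap "${existing_caps},cap_setuid=ei" "$binary"
}

#######################################
# Launchpad & app loaders need additional caps. Re-set them here with an
# additional cap_setuid for the purpose of security-config development
# (rpm postinstall).
# cap_setuid allows a process to change its user IDs arbitrarily, so every
# binary listed here becomes privilege-sensitive; keep the list minimal.
# Binaries that are not installed are skipped. Any failure aborts the script
# (set -e), leaving later binaries in the list untouched.
# Arguments: none
# Returns:   0 when all present binaries were updated
#######################################
function add_missing_caps {
	local binary

	_add_setuid_cap /usr/bin/launchpad-process-pool

	# These two loaders are only touched when launchpad-starter is not installed
	# (the reason is not stated in this file).
	if [ ! -e "/usr/bin/launchpad-starter" ]
	then
		_add_setuid_cap /usr/bin/launchpad-loader
		_add_setuid_cap /usr/bin/app-defined-loader
	fi

	for binary in \
		/usr/bin/dotnet-hydra-loader \
		/usr/bin/dotnet-loader \
		/usr/bin/wrt-loader \
		/usr/bin/lux
	do
		_add_setuid_cap "$binary"
	done
}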

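#######################################
# Ensure cap_setuid is listed in the AmbientCapabilities= directive of the
# per-user systemd manager template (user@.service).
# Ambient capabilities set on this unit apply to every user session manager
# started from it, so this is a broad grant; review it together with the file
# capabilities set in add_missing_caps.
# Arguments: none
# Outputs:   a warning on stderr when the unit has no AmbientCapabilities= line
# Returns:   0 if the unit is absent, already lists cap_setuid, has no
#            directive to extend, or was edited; sed's status otherwise
#######################################
function add_caps_to_user_session {
	local user_service="/usr/lib/systemd/system/user@.service"

	if [ ! -e "$user_service" ]
	then
		return 0
	fi

	# Already present: leave the unit untouched so repeated runs are idempotent.
	# -q keeps the matching line out of the postinstall output.
	# NOTE(review): the match is case-sensitive and unanchored, so an upper-case
	# CAP_SETUID is not recognised and a commented-out line would match.
	if grep -q "AmbientCapabilities=.*cap_setuid" "$user_service"
	then
		return 0
	fi

	# sed below only extends an existing directive. If there is none it would
	# exit 0 without changing anything, so report that instead of staying silent.
	if ! grep -q "AmbientCapabilities=" "$user_service"
	then
		echo "Warning: no AmbientCapabilities= directive in ${user_service}; cap_setuid was not added." >&2
		return 0
	fi

	sed -ri 's/(AmbientCapabilities=)/\1cap_setuid /' "$user_service"
}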

# Entry point: first extend the file capabilities of the loaders, then make
# the user session unit carry cap_setuid as an ambient capability.
main() {
	add_missing_caps
	add_caps_to_user_session
}

main "$@"
