#!/bin/sh

# Apply the kernel lockdown sysctls (module loading, kexec, unprivileged
# BPF) that are enabled in /etc/default/lockdown.
#
# Fixed search path so sysctl/sleep resolve from the system directories
# regardless of the caller's environment.
PATH=/sbin:/usr/sbin:/bin:/usr/bin

# source the config file
# Expected to set MODLOCK, KEXECLOCK and BPFLOCK (each lock is applied
# when its variable is non-empty) and optionally MODLOCK_DEL, the number
# of seconds to wait before the module-loading lock.  Note that `.` runs
# the file as shell code, so only its ownership/permissions keep it from
# injecting commands into this script.
. /etc/default/lockdown

# Functions
#
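#######################################
# Disable further kernel module changes via kernel.modules_disabled=1,
# immediately or after a delay.
# Globals:   MODLOCK_DEL (read) - optional delay in seconds; OUTPUT (written)
# Outputs:   status line on stdout, failure diagnostics on stderr
# Returns:   0 when the lock was applied or scheduled, 1 if sysctl failed
#            (a failure inside the delayed subshell can only be reported)
#######################################
mod_lock()
{
  OUTPUT='LOCKDOWN: disabling kernel module changes'
  if [ -n "$MODLOCK_DEL" ]; then
    echo "${OUTPUT} in ${MODLOCK_DEL} seconds"
    # Backgrounded so the script returns at once; the subshell outlives it
    # and applies the lock after the delay.  sysctl still runs if sleep
    # rejects the delay value, so a bad value locks immediately rather
    # than leaving module loading open.
    (
      sleep "${MODLOCK_DEL}"
      sysctl -q kernel.modules_disabled=1 || echo "${OUTPUT} failed" >&2
    ) &
  else
    echo "${OUTPUT} now"
    if ! sysctl -q kernel.modules_disabled=1; then
      echo "${OUTPUT} failed" >&2
      return 1
    fi
  fi
}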

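#######################################
# Disable loading of a new kernel via kernel.kexec_load_disabled=1.
# Globals:   OUTPUT (written) - used for the failure diagnostic
# Outputs:   failure diagnostic on stderr; nothing on success
# Returns:   0 when the lock was applied, 1 if sysctl failed
#######################################
kexec_lock()
{
  OUTPUT='LOCKDOWN: disabling kexec'
  # Report in our own words as well as sysctl's: a lockdown control that
  # silently does not apply is worse than a noisy one.
  if ! sysctl -q kernel.kexec_load_disabled=1; then
    echo "${OUTPUT} failed" >&2
    return 1
  fi
}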

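#######################################
# Disable unprivileged BPF via kernel.unprivileged_bpf_disabled=1 on
# kernels that provide the sysctl.
# Globals:   OUTPUT (written) - used for the diagnostics
# Outputs:   diagnostics on stderr; nothing on success
# Returns:   0 when the lock was applied or the sysctl does not exist,
#            1 if sysctl failed
#######################################
bpf_lock()
{
  OUTPUT='LOCKDOWN: disabling BPF'
  # check that it exists first, was added in 4.4
  if [ ! -e "/proc/sys/kernel/unprivileged_bpf_disabled" ]; then
    # Not an error (older kernel), but say so rather than skip silently.
    echo "${OUTPUT} skipped: sysctl not present on this kernel" >&2
    return 0
  fi
  if ! sysctl -q kernel.unprivileged_bpf_disabled=1; then
    echo "${OUTPUT} failed" >&2
    return 1
  fi
}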

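# main
# Apply each lock enabled in the config.  Using `if` instead of
# `[ -n ... ] && fn` keeps a disabled last lock from making the script
# exit 1; the exit status instead reports whether any requested lock
# failed (a delayed mod_lock reports asynchronously and is not included).
rc=0
if [ -n "$MODLOCK" ]; then
  mod_lock || rc=1
fi
if [ -n "$KEXECLOCK" ]; then
  kexec_lock || rc=1
fi
if [ -n "$BPFLOCK" ]; then
  bpf_lock || rc=1
fi
exit "$rc"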

