#!/bin/bash

## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

set -x
set -e

## For Non-Qubes.
user_name="user"

if ischroot --default-false ; then
   exit 0
fi

if command -v qubesdb-read &>/dev/null ; then
   qubes_vm_name="$(qubesdb-read /name)"
   qubes_vm_persistence="$(qubesdb-read /qubes-vm-persistence)"
   if ! user_name=$(qubesdb-read /default-user) ; then
      echo "$0: WARNING: failed to run 'qubesdb-read /default-user', falling back to user_name=user"
      user_name=user
   fi
else
   ## Do not do any of this outside of Qubes.
   exit 0
fi

## Avoid running in Qubes DVM Template.
## https://phabricator.whonix.org/T726
if echo "$qubes_vm_name" | grep -q "\-dvm" ; then
   exit 0
fi

if test -f /run/qubes/this-is-templatevm ; then
   exit 0
fi

## Do this only in a DispVM.
if [ ! "$qubes_vm_persistence" = "none" ]; then
   exit 0
fi

if [ ! -d "/home/$user_name" ]; then
   exit 0
fi

if [ ! -d /var/cache/tb-binary ]; then
   exit 0
fi

## Mount point must be existing to be able to use mount.
sudo --non-interactive -u "$user_name" mkdir --parents "/home/$user_name/.tb"
sudo --non-interactive -u "$user_name" mkdir --parents "/home/$user_name/.cache/tb"

chown --recursive "$user_name:$user_name" /var/cache/tb-binary
## Could alternatively do after mounting:
#chown --recursive "$user_name:$user_name" "/home/$user_name/.tb"
#chown --recursive "$user_name:$user_name" "/home/$user_name/.cache/tb"
## But that would not give any security advantage since changing permissions
## after bind mount will also result in the original folder changing
## permissions.

if [ -d "/var/cache/tb-binary/.tb" ]; then
   mount --bind -o nosuid,nodev "/var/cache/tb-binary/.tb" "/home/$user_name/.tb"
fi
if [ -d "/var/cache/tb-binary/.cache/tb" ]; then
   mount --bind -o nosuid,nodev "/var/cache/tb-binary/.cache/tb" "/home/$user_name/.cache/tb"
fi

## results in:
# mount | grep home
# /dev/xvdb on /home type ext4 (rw,nosuid,nodev,noexec,relatime,discard)
# /dev/xvda3 on /home/user/.tb type ext4 (rw,nosuid,nodev,noatime,discard)
# /dev/xvda3 on /rw/home/user/.tb type ext4 (rw,noatime,discard)
# /dev/xvda3 on /home/user/.cache/tb type ext4 (rw,nosuid,nodev,noatime,discard)
# /dev/xvda3 on /rw/home/user/.cache/tb type ext4 (rw,noatime,discard)

## Remount with nosuid,nodev.
if [ -d "/rw/home/$user_name/.tb" ]; then
   mount -o remount,nosuid,nodev "/rw/home/$user_name/.tb"
fi
if [ -d "/rw/home/$user_name/.cache/tb" ]; then
   mount -o remount,nosuid,nodev "/rw/home/$user_name/.cache/tb"
fi

## results in:
# mount | grep home
# /dev/xvdb on /home type ext4 (rw,nosuid,nodev,noexec,relatime,discard)
# /dev/xvda3 on /home/user/.tb type ext4 (rw,nosuid,nodev,noatime,discard)
# /dev/xvda3 on /rw/home/user/.tb type ext4 (rw,nosuid,nodev,noatime,discard)
# /dev/xvda3 on /home/user/.cache/tb type ext4 (rw,nosuid,nodev,noatime,discard)
# /dev/xvda3 on /rw/home/user/.cache/tb type ext4 (rw,nosuid,nodev,noatime,discard)
