# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Distributed under the terms of the GNU General Public License v2

inherit useradd pam

DESCRIPTION="ChromeOS specific system setup"
HOMEPAGE="http://src.chromium.org/"
SRC_URI=""

LICENSE="GPL-2"
SLOT="0"
KEYWORDS="amd64 arm x86"
IUSE="cros_embedded cros_host pam"

# We need to make sure timezone-data is merged before us.
# See pkg_setup below as well as http://crosbug.com/27413
# and friends.
# Similarly, we have to make sure bash is merged before us.
# We don't need dash because only bash modifies ROOT during
# pkg_* stages, and depending on dash would disable a little
# bit of possible parallelism.
# See http://crosbug.com/38597 for more details.
DEPEND=">=sys-apps/baselayout-2
	! 95_cros_base
		insopts -m 440
		doins 95_cros_base || die
	fi
}

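#######################################
# Post-install hook: pre-create every system user/group the image needs,
# wire up the group memberships, create the baseline mount-point
# directories, and (on embedded targets) switch login shells to /bin/sh.
# Globals:   ROOT (read), SHARED_USER_PASSWD_FILE (read)
# Arguments: none
# Outputs:   ewarn diagnostics on stderr
# Returns:   0 on success; aborts via die on install/sed failure
#######################################
pkg_postinst() {
	local x entry

	# We explicitly add all of the users needed in the system here. The
	# build of Chromium OS uses a single build chroot environment to build
	# for various targets with distinct ${ROOT}. This causes two problems:
	#   1. The target rootfs needs to have the same UIDs as the build
	#      chroot so that chmod operations work.
	#   2. The portage tools to add a new user in an ebuild don't work when
	#      $ROOT != /
	# We solve this by having baselayout install in both the build and
	# target and pre-create all needed users. In order to support existing
	# build roots we copy over the user entries if they already exist.
	local system_user="chronos"
	local system_id="1000"
	local system_home="/home/${system_user}/user"
	# Add a chronos-access group to provide non-chronos users,
	# mostly system daemons running as a non-chronos user, group permissions
	# to access files/directories owned by chronos.
	local system_access_user="chronos-access"
	local system_access_id="1001"

	# The system user's password hash defaults to '*' (a locked account).
	# It is replaced by the contents of SHARED_USER_PASSWD_FILE only when
	# that file is readable AND non-empty: an empty file would otherwise
	# hand add_shadow an empty hash, which under the usual shadow(5)
	# semantics means "no password required" for ${system_user}.
	local crypted_password='*'
	local shared_password=''
	if [ -r "${SHARED_USER_PASSWD_FILE}" ]; then
		shared_password=$(cat "${SHARED_USER_PASSWD_FILE}")
		if [ -n "${shared_password}" ]; then
			crypted_password=${shared_password}
		else
			ewarn "${SHARED_USER_PASSWD_FILE} is empty; leaving the" \
				"${system_user} account locked"
		fi
	fi

	# Recreate the system user from scratch so stale entries never linger.
	remove_user "${system_user}"
	add_user "${system_user}" "x" "${system_id}" \
		"${system_id}" "system_user" "${system_home}" /bin/bash
	remove_shadow "${system_user}"
	add_shadow "${system_user}" "${crypted_password}"

	copy_or_add_group "${system_user}" "${system_id}"

	# Daemon users as "name:id".  The ids are fixed and must stay stable
	# across builds (see the UID discussion above); ids of removed users are
	# kept as comments so they are not reused.
	local -a daemon_users=(
		"${system_access_user}:${system_access_id}"
		"messagebus:201"     # For dbus
		"syslog:202"         # For rsyslog
		"ntp:203"
		"sshd:204"
		"polkituser:206"     # For policykit
		"tss:207"            # For trousers (TSS/TPM)
		"pkcs11:208"         # For pkcs11 clients
		"qdlservice:209"     # For QDLService
		"cromo:210"          # For cromo (modem manager)
		# "cashew:211"       # Deprecated, do not reuse
		"ipsec:212"          # For strongswan/ipsec VPN
		"cros-disks:213"     # For cros-disks
		"tor:214"            # For tor (anonymity service)
		"tcpdump:215"        # For tcpdump --with-user
		"debugd:216"         # For debugd
		"openvpn:217"        # For openvpn
		"bluetooth:218"      # For bluez
		"wpa:219"            # For wpa_supplicant
		"cras:220"           # For cras (audio)
		# "gavd:221"         # For gavd (audio) (deprecated)
		"input:222"          # For /dev/input/event access
		"chaps:223"          # For chaps (pkcs11)
		"dhcp:224"           # For dhcpcd (DHCP client)
		"tpmd:225"           # For tpmd
		"mtp:226"            # For libmtp
		"proxystate:227"     # For proxy monitoring
		"power:228"          # For powerd
		"watchdog:229"       # For daisydog
		"devbroker:230"      # For permission_broker
		"xorg:231"           # For Xorg
		"nfqueue:232"        # For netfilter-queue
		"tlsdate-dbus:233"   # For tlsdate-dbus-announce
		"tlsdate:234"
		"debugd-logs:235"    # For debugd's unprivileged logs
		"debugfs-access:236" # Access to debugfs
		"shill-crypto:237"   # For shill's crypto-util
		"avahi:238"          # For avahi-daemon
		# Reserve some UIDs/GIDs between 300 and 349 for sandboxing
		# FUSE-based filesystem daemons.
		"ntfs-3g:300"        # For ntfs-3g process
		"avfs:301"           # For avfs process
		"fuse-exfat:302"     # For exfat-fuse process
	)
	for entry in "${daemon_users[@]}"; do
		copy_or_add_daemon_user "${entry%%:*}" "${entry##*:}"
	done

	# Groups that are allowed to create directories under /home/root
	copy_or_add_group "daemon-store" 400
	copy_or_add_group "logs-access" 401

	# All audio interfacing will go through the audio server.
	add_users_to_group audio "cras"
	add_users_to_group input "cras"           # For /dev/input/event* access

	# The system user is part of the audio server group to play sounds.  The
	# power manager user needs to check whether audio is playing.
	add_users_to_group cras "${system_user}" power

	# The system_user needs to be part of the audio and video groups.
	add_users_to_group audio "${system_user}"
	add_users_to_group video "${system_user}"

	# The Xorg user needs to be part of the input and video groups.
	add_users_to_group input "xorg"
	add_users_to_group video "xorg"

	# Users which require access to PKCS #11 cryptographic services must be
	# in the pkcs11 group.  Membership is reset first so that the group is
	# exactly this list and nothing inherited from an older root.
	remove_all_users_from_group pkcs11
	add_users_to_group pkcs11 root ipsec "${system_user}" chaps wpa

	# All users accessing opencryptoki database files and all users for
	# sandboxing FUSE-based filesystem daemons need to be in the
	# ${system_access_user} group.  Reset for the same reason as pkcs11.
	remove_all_users_from_group "${system_access_user}"
	add_users_to_group "${system_access_user}" root ipsec "${system_user}" \
		ntfs-3g avfs fuse-exfat chaps

	# Dedicated group for owning access to serial devices.
	copy_or_add_group "serial" 402
	add_users_to_group "serial" "${system_user}"
	add_users_to_group "serial" "uucp"

	# debugd-logs has logs access
	add_users_to_group "logs-access" "debugd-logs"

	# The root user must be in the wpa group for wpa_cli.
	add_users_to_group wpa root

	# Restrict tcsd access to root and chaps.
	add_users_to_group tss root chaps

	# Add mtp user to usb group for USB device access.
	add_users_to_group usb mtp

	# Create a group for device access via permission_broker
	copy_or_add_group "devbroker-access" 403
	add_users_to_group devbroker-access "${system_user}"

	# Give the power manager access to I2C devices so it can adjust external
	# displays' brightness via DDC.
	copy_or_add_group i2c 404
	add_users_to_group i2c power

	# Give the power manager access to /dev/tty* so it can disable VT switching
	# before suspending the system.
	add_users_to_group tty power

	# The power manager needs to read from /dev/input/event* to observe power
	# button and lid events.
	add_users_to_group input power

	# Some default directories. These are created here rather than at
	# install because some of them may already exist and have mounts.
	# Existing directories are left untouched so their mode/ownership (and
	# any mount on them) is not disturbed.
	for x in /dev /home /media \
		/mnt/stateful_partition /proc /root /sys /var/lock; do
		if [ -d "${ROOT}/$x" ]; then
			continue
		fi
		install -d --mode=0755 --owner=root --group=root "${ROOT}/$x"
	done

	# On embedded systems, we don't have bash.  So use /bin/sh.
	if use cros_embedded; then
		sed -i \
			-e '/:\/bin\/bash$/s:bash$:sh:' \
			"${ROOT}"/etc/passwd || die
	fi
}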