From b268971323035dc3b5cb68f6379503e11866bfc3 Mon Sep 17 00:00:00 2001
From: tiann
Date: Mon, 13 Feb 2023 23:32:26 +0800
Subject: [PATCH] ksud: support module disable in safemode
---
 userspace/ksud/src/event.rs | 26 +++++++++++++++-----------
 userspace/ksud/src/module.rs | 14 ++++++++++++++
 2 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/userspace/ksud/src/event.rs b/userspace/ksud/src/event.rs
index 38eef3ad..cb9377b8 100644
--- a/userspace/ksud/src/event.rs
+++ b/userspace/ksud/src/event.rs
@@ -116,10 +116,23 @@ pub fn on_post_data_fs() -> Result<()> {
 }
 }
+ // If there isn't any image exist, do nothing for module!
+ if !Path::new(target_update_img).exists() {
+ return Ok(());
+ }
+
+ // we should always mount the module.img to module dir
+ // becuase we may need to operate the module dir in safe mode
+ info!("mount module image: {target_update_img} to {module_dir}");
+ mount::AutoMountExt4::try_new(target_update_img, module_dir, false)
+ .with_context(|| "mount module image failed".to_string())?;
+
 // check safe mode first.
 if crate::utils::is_safe_mode() {
- warn!("safe mode, skip module post-fs-data scripts");
- // TODO: we should also disable modules
+ warn!("safe mode, skip post-fs-data scripts and disable all modules!");
+ if let Err(e) = crate::module::disable_all_modules() {
+ warn!("disable all modules failed: {}", e);
+ }
 return Ok(());
 }
@@ -128,15 +141,6 @@ pub fn on_post_data_fs() -> Result<()> {
 warn!("exec common post-fs-data scripts failed: {}", e);
 }
- // If there isn't any image exist, do nothing for module!
- if !Path::new(target_update_img).exists() {
- return Ok(());
- }
-
- info!("mount module image: {target_update_img} to {module_dir}");
- mount::AutoMountExt4::try_new(target_update_img, module_dir, false)
- .with_context(|| "mount module image failed".to_string())?;
-
 // load sepolicy.rule
 if crate::module::load_sepolicy_rule().is_err() {
 warn!("load sepolicy.rule failed");
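Review bot: The `?` on the relocated `mount::AutoMountExt4::try_new(...)` call now sits ahead of the `is_safe_mode()` branch, so a module image that fails to mount makes `on_post_data_fs` return an error before `disable_all_modules()` is ever reached. A damaged image is a plausible reason for booting into safe mode in the first place, and how the caller treats that `Err` is not visible in this hunk, so consider evaluating `let safe_mode = crate::utils::is_safe_mode();` before the mount and, when it is set, logging the mount failure with `warn!` and returning `Ok(())` instead of propagating it. The mount is also left in place on the safe-mode return path (the third argument is `false`, which presumably means no automatic unmount), which deserves a comment stating that this is intended. The context comment `// check safe mode first.` is no longer accurate after the move, and `becuase` in the new comment is a typo. The function body starts and ends outside the hunk.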
diff --git a/userspace/ksud/src/module.rs b/userspace/ksud/src/module.rs
index 050f61f8..45c356cb 100644
--- a/userspace/ksud/src/module.rs
+++ b/userspace/ksud/src/module.rs
@@ -636,6 +636,20 @@ pub fn disable_module(id: &str) -> Result<()> {
 })
 }
+pub fn disable_all_modules() -> Result<()> {
+ // we assume the module dir is already mounted
+ let dir = std::fs::read_dir(defs::MODULE_DIR)?;
+ for entry in dir.flatten() {
+ let path = entry.path();
+ let disable_flag = path.join(defs::DISABLE_FILE_NAME);
+ if let Err(e) = ensure_file_exists(disable_flag) {
+ warn!("Failed to disable module: {}: {}", path.display(), e);
+ }
+ }
+
+ Ok(())
+}
+
 fn _list_modules(path: &str) -> Vec> {
 // first check enabled modules
 let dir = std::fs::read_dir(path);
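Review bot: `disable_all_modules` returns `Ok(())` even when every `ensure_file_exists` call fails, and `dir.flatten()` discards unreadable directory entries without logging, so the safe-mode caller in event.rs only learns about a failure when `read_dir` itself fails. Because safe mode is the recovery path, a module left enabled should be visible to the caller: keep trying every entry, count the failures, and return an error after the loop, for example `if failed > 0 { anyhow::bail!("failed to disable {failed} module(s)"); }` (assuming this file's `Result` is anyhow's, as the `with_context` use in event.rs suggests). The comment `// we assume the module dir is already mounted` states an assumption that is never checked; on an unmounted directory the loop would presumably see no entries and report success. A doc comment on the new public function, such as `/// Creates the disable flag in every entry of the module directory; the module image must already be mounted.`, would record that precondition.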