# Generated by `python3 packaging/pacman/render.py`.
# Do not edit this file directly; update `packaging/pacman/templates/`.
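_ensure_security_policy() {
    # Make sure the system-wide policy file /etc/keymasq/security.toml exists
    # and is owned by root:root. Sources, in order of preference:
    #   1. an existing file (content untouched; owner and mode re-asserted),
    #   2. the packaged sample in /usr/share/doc/keymasq/,
    #   3. the built-in default written from the here-document below.
    # Always returns 0 so a permission problem never aborts the package
    # transaction. Because this file carries the UID allowlists and command
    # ACLs, a failure to enforce its owner or mode is reported on stderr
    # instead of being discarded.
    if [ -f /etc/keymasq/security.toml ]; then
        # NOTE(review): post_install and post_upgrade both call this function,
        # so a stricter mode chosen by the administrator is reset to 644 on
        # every upgrade. Confirm that world-readable is required by whatever
        # reads this file.
        chown root:root /etc/keymasq/security.toml 2>/dev/null \
            || echo "Warning: could not set owner root:root on /etc/keymasq/security.toml; verify it manually." >&2
        chmod 644 /etc/keymasq/security.toml 2>/dev/null \
            || echo "Warning: could not set mode 644 on /etc/keymasq/security.toml; verify it manually." >&2
        return 0
    fi
    if [ -f /usr/share/doc/keymasq/security.toml ]; then
        # -D creates /etc/keymasq if it is missing; -m644 sets the file mode.
        install -Dm644 /usr/share/doc/keymasq/security.toml /etc/keymasq/security.toml
        chown root:root /etc/keymasq/security.toml 2>/dev/null \
            || echo "Warning: could not set owner root:root on /etc/keymasq/security.toml; verify it manually." >&2
        return 0
    fi
    # No existing policy and no packaged sample: write the built-in default.
    # The quoted 'EOF' delimiter keeps the shell from expanding anything in the
    # policy text.
    # NOTE(review): how keymasq interprets the empty allowlists and ACLs below
    # is not visible in this script; confirm that [] is the restrictive reading.
    install -Dm644 /dev/stdin /etc/keymasq/security.toml <<'EOF'
daemon_allowed_uids = []
session_allowed_uids = []
[macro]
exec_timeout_max_ms = 30000
[recording_guard]
# Tier 1 (recommended): require unlock for capture and recording commands.
unlock_required = true
# Tier 2 (optional): require unlock for macro inspection/edit commands.
macro_edit_requires_unlock = false
[session_command_acl]
# Denylist syntax (optional): "!command", "-command", or "deny:command"
gui = []
cli = []
[daemon_command_acl]
session = []
EOF
    chown root:root /etc/keymasq/security.toml 2>/dev/null \
        || echo "Warning: could not set owner root:root on /etc/keymasq/security.toml; verify it manually." >&2
    return 0
}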
post_install() {
    # pacman scriptlet hook for a fresh install: provision the system account
    # and runtime paths, re-apply udev rules, ensure the security policy file
    # exists, then print first-run instructions.

    # Accounts and tmpfiles entries come from the packaged sysusers.d /
    # tmpfiles.d snippets (not visible in this script).
    systemd-sysusers
    systemd-tmpfiles --create

    # Reload the rule set first, then replay "add" events so the reloaded rules
    # are applied to input and misc devices that are already present.
    udevadm control --reload-rules
    udevadm trigger --subsystem-match=input --action=add
    udevadm trigger --subsystem-match=misc --action=add

    # A unit file under /etc/systemd/system takes precedence over the packaged
    # one, so whatever the packaged unit configures is not in effect.
    if test -f /etc/systemd/system/keymasqd.service; then
        printf '%s\n' \
            "" \
            "Warning: /etc/systemd/system/keymasqd.service exists and overrides packaged unit." \
            "If keymasqd cannot access devices, run: sudo systemctl revert keymasqd"
    fi

    # Create or re-own /etc/keymasq/security.toml before pointing the admin at it.
    _ensure_security_policy

    printf '%s\n' \
        "" \
        "Keymasq has been installed!" \
        "" \
        "A system user 'keymasq' has been created for the daemon." \
        "" \
        "Security defaults use socket UID checks and command ACL policy." \
        "Policy file: /etc/keymasq/security.toml" \
        "" \
        "To use Keymasq:" \
        " 1. Enable the daemon:" \
        " sudo systemctl enable --now keymasqd" \
        "" \
        " 2. Enable the session manager:" \
        " systemctl --user enable --now keymasq-session" \
        "" \
        " 3. Launch Keymasq:" \
        " keymasq" \
        "" \
        "Configuration: ~/.config/keymasq/" \
        "Documentation: https://keymasq.tools/docs/latest/"
}
post_upgrade() {
    # pacman scriptlet hook for an upgrade: repeat the provisioning steps of a
    # fresh install, re-assert the security policy file, then make a
    # best-effort attempt to restart the system daemon.

    # Accounts and tmpfiles entries come from the packaged sysusers.d /
    # tmpfiles.d snippets (not visible in this script).
    systemd-sysusers
    systemd-tmpfiles --create

    # Reload the rule set first, then replay "add" events so the reloaded rules
    # are applied to input and misc devices that are already present.
    udevadm control --reload-rules
    udevadm trigger --subsystem-match=input --action=add
    udevadm trigger --subsystem-match=misc --action=add

    # A unit file under /etc/systemd/system takes precedence over the packaged
    # one, so changes shipped in the upgraded unit would not take effect.
    if test -f /etc/systemd/system/keymasqd.service; then
        printf '%s\n' \
            "" \
            "Warning: /etc/systemd/system/keymasqd.service exists and overrides packaged unit." \
            "If keymasqd cannot access devices, run: sudo systemctl revert keymasqd"
    fi

    # Runs before the restart below, so a restarted daemon starts with the
    # policy file already in place.
    _ensure_security_policy

    # Best effort: errors are hidden and ignored, and try-restart only acts on
    # a unit that is already running. Nothing here reports a failed restart;
    # the closing message only says that a restart was attempted.
    systemctl daemon-reload 2>/dev/null || :
    systemctl try-restart keymasqd.service 2>/dev/null || :

    printf '%s\n' \
        "" \
        "Keymasq has been upgraded!" \
        "" \
        "Security policy uses UID/ACL controls; verify /etc/keymasq/security.toml" \
        "If session cannot connect to daemon, verify runtime socket policy in /etc/keymasq/security.toml" \
        "The package tried to restart keymasqd if it was already running." \
        "If needed, restart services manually:" \
        " systemctl --user restart keymasq-session"
}
post_remove() {
    # pacman scriptlet hook for package removal: prints what was left behind.
    # Nothing is deleted here; the account, group and per-user configuration
    # are kept and the admin is told how to remove the account.
    # NOTE(review): /etc/keymasq/security.toml is created by the install and
    # upgrade hooks in this file and is not mentioned below; if the package
    # does not own that path it presumably stays on disk after removal.
    printf '%s\n' \
        "" \
        "Keymasq has been removed." \
        "" \
        "The 'keymasq' user and group have been preserved." \
        "To remove them, run:" \
        " sudo userdel keymasq" \
        " sudo groupdel keymasq" \
        "" \
        "Configuration files remain in: ~/.config/keymasq/"
}