authorJoey Hess2015-11-17 15:06:35 -0400
committerJoey Hess2015-11-17 15:06:35 -0400
commitd796284d8bb483a89bf3d65d198a890a62090d96 (patch)
tree64588131d78152fa89cc7ebac7885bee174301d1
parente98b82c5dc68ae4c02a16945f78c0f1c78444bbd (diff)
Added Chroot.noServices property.
-rw-r--r--debian/changelog1
-rw-r--r--src/Propellor/Property/Chroot.hs18
2 files changed, 19 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 043848c5..b27ab8b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ propellor (2.13.1) UNRELEASED; urgency=medium
* Add Propellor.Property.PropellorRepo.hasOriginUrl, an explicit way to
set the git repository url normally implicitly set when using --spin.
+ * Added Chroot.noServices property.
-- Joey Hess <id@joeyh.name> Wed, 11 Nov 2015 13:37:00 -0400
diff --git a/src/Propellor/Property/Chroot.hs b/src/Propellor/Property/Chroot.hs
index 8d1a2388..a763a56b 100644
--- a/src/Propellor/Property/Chroot.hs
+++ b/src/Propellor/Property/Chroot.hs
@@ -8,6 +8,7 @@ module Propellor.Property.Chroot (
ChrootBootstrapper(..),
Debootstrapped(..),
ChrootTarball(..),
+ noServices,
inChroot,
-- * Internal use
provisioned',
@@ -27,6 +28,7 @@ import qualified Propellor.Property.Systemd.Core as Systemd
import qualified Propellor.Property.File as File
import qualified Propellor.Shim as Shim
import Propellor.Property.Mount
+import Utility.FileMode
import qualified Data.Map as M
import Data.List.Utils
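Review bot: The added `import Utility.FileMode` is a bare unqualified import with no import list, while the neighbouring Propellor imports in this hunk are qualified (`File`, `Shim`, `Systemd`); an explicit list such as `import Utility.FileMode (combineModes, readModes, executeModes)` would show which names the new property draws from that module (those three are what the later hunk uses) and guard against later name clashes. Propellor.Property.Mount is already imported bare in the same hunk, so this follows existing precedent; treat it as a style preference rather than a defect.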
@@ -247,6 +249,22 @@ mungeloc = replace "/" "_"
chrootDesc :: Chroot -> String -> String
chrootDesc (Chroot loc _ _) desc = "chroot " ++ loc ++ " " ++ desc
+-- | Adding this property to a chroot prevents daemons and other services
+-- from being started, which is often something you want to prevent when
+-- building a chroot.
+--
+-- This is accomplished by installing a </usr/sbin/policy-rc.d> script
+-- that does not let any daemons be started by packages that use
+-- invoke-rc.d. Reverting the property removes the script.
+noServices :: RevertableProperty NoInfo
+noServices = setup <!> teardown
+ where
+ f = "/usr/sbin/policy-rc.d"
+ script = [ "#!/bin/sh", "exit 101" ]
+ setup = File.mode f (combineModes (readModes ++ executeModes))
+ `requires` File.hasContent f script
+ teardown = File.notPresent f
+
-- | Check if propellor is currently running within a chroot.
--
-- This allows properties to check and avoid performing actions that
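Review bot: `setup` unconditionally replaces whatever `/usr/sbin/policy-rc.d` already contains via `File.hasContent f script`, and `teardown = File.notPresent f` deletes the file without checking that it is still the two-line script this property wrote, so reverting the property can remove a policy-rc.d that an administrator or another property installed for its own reasons. The Haddock comment should state this, and should also make clear that the `exit 101` policy only stops daemons started through invoke-rc.d (and other tools that consult policy-rc.d), so the property has to be listed before any properties that install packages which would otherwise start daemons. I would extend the comment with: `-- Note that this overwrites any existing policy-rc.d, and reverting` / `-- removes the file unconditionally; list it before properties that` / `-- install daemon packages, as only invoke-rc.d style starts are blocked.` Whether deb-systemd-invoke honours the same policy is not visible here, so I would not claim more than invoke-rc.d in the docs without checking.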