From d796284d8bb483a89bf3d65d198a890a62090d96 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Tue, 17 Nov 2015 15:06:35 -0400
Subject: Added Chroot.noServices property.

---
 debian/changelog                 | 1 +
 src/Propellor/Property/Chroot.hs | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 043848c5..b27ab8b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ propellor (2.13.1) UNRELEASED; urgency=medium
   * Add Propellor.Property.PropellorRepo.hasOriginUrl, an explicit way to set the git repository url normally implicitly set when using --spin.
+  * Added Chroot.noServices property.
  -- Joey Hess Wed, 11 Nov 2015 13:37:00 -0400
diff --git a/src/Propellor/Property/Chroot.hs b/src/Propellor/Property/Chroot.hs
index 8d1a2388..a763a56b 100644
--- a/src/Propellor/Property/Chroot.hs
+++ b/src/Propellor/Property/Chroot.hs
@@ -8,6 +8,7 @@ module Propellor.Property.Chroot (
 	ChrootBootstrapper(..),
 	Debootstrapped(..),
 	ChrootTarball(..),
+	noServices,
 	inChroot,
 	-- * Internal use
 	provisioned',
@@ -27,6 +28,7 @@ import qualified Propellor.Property.Systemd.Core as Systemd
 import qualified Propellor.Property.File as File
 import qualified Propellor.Shim as Shim
 import Propellor.Property.Mount
+import Utility.FileMode
 import qualified Data.Map as M
 import Data.List.Utils
@@ -247,6 +249,22 @@ mungeloc = replace "/" "_"
 chrootDesc :: Chroot -> String -> String
 chrootDesc (Chroot loc _ _) desc = "chroot " ++ loc ++ " " ++ desc
+-- | Adding this property to a chroot prevents daemons and other services
+-- from being started, which is often something you want to prevent when
+-- building a chroot.
+--
+-- This is accomplished by installing a script
+-- that does not let any daemons be started by packages that use
+-- invoke-rc.d. Reverting the property removes the script.
+noServices :: RevertableProperty NoInfo
+noServices = setup teardown
+  where
+	f = "/usr/sbin/policy-rc.d"
+	script = [ "#!/bin/sh", "exit 101" ]
+	setup = File.mode f (combineModes (readModes ++ executeModes))
+		`requires` File.hasContent f script
+	teardown = File.notPresent f
+
 -- | Check if propellor is currently running within a chroot.
 --
 -- This allows properties to check and avoid performing actions that
-- cgit v1.2.3
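Review bot: `noServices` only takes effect once its own `File.hasContent f script` has run, so packages installed by properties ordered earlier in the same chroot will already have had their daemons started, and the revert side `File.notPresent f` deletes `/usr/sbin/policy-rc.d` even when the setup side overwrote a policy script that was already there; neither is mentioned in the Haddock. I would extend the comment with: `-- This property must come before any property that installs packages into the chroot, and reverting it removes /usr/sbin/policy-rc.d even if that file was not created by this property.` The `requires` ordering (write the content first, then set read+execute for all) looks right, since invoke-rc.d presumably only consults the policy file once it is executable. As shown here `noServices = setup teardown` has no combinator between the two properties; propellor's `<!>` was likely lost as markup in this rendering, so that line is not judged from this view.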