From 52d0cad8f09576f50479bfaaad9a03e725f7c77c Mon Sep 17 00:00:00 2001 From: Sean Whitton Date: Thu, 19 May 2016 14:27:12 +0900 Subject: Sbuild.blockNetwork --- src/Propellor/Property/Sbuild.hs | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'src/Propellor') diff --git a/src/Propellor/Property/Sbuild.hs b/src/Propellor/Property/Sbuild.hs index c5bf30c0..41f26f27 100644 --- a/src/Propellor/Property/Sbuild.hs +++ b/src/Propellor/Property/Sbuild.hs @@ -11,6 +11,7 @@ Suggested usage in @config.hs@: > & Sbuild.updatedFor ((Debian Unstable) "i386") `period` Weekly > & Sbuild.usableBy (User "spwhitton") > & Sbuild.shareAptCache +> & Sbuild.blockNetwork > & Schroot.overlaysInTmpfs In @~/.sbuildrc@: @@ -57,6 +58,7 @@ import Propellor.Base import Debootstrap (extractSuite) import qualified Propellor.Property.Apt as Apt import qualified Propellor.Property.File as File +import qualified Propellor.Property.Firewall as Firewall import System.Directory import System.FilePath (takeDirectory) @@ -180,6 +182,16 @@ keypairGenerated = check (not <$> doesFileExist secKeyFile) $ go `assume` MadeChange secKeyFile = "/var/lib/sbuild/apt-keys/sbuild-key.sec" +-- | Block network access during builds +-- +-- This is a hack from until #802850 and +-- #802849 are resolved. +blockNetwork :: Property Linux +blockNetwork = Firewall.rule OUTPUT Filter DROP + ( GroupOwner (Group "sbuild") + ++ NotDestination [IPWithNumMask "127.0.0.1" "8"] + ) + -- ==== utility functions ==== schrootFromSystem :: System -> Maybe SbuildSchroot -- cgit v1.2.3
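Review bot: The loopback exemption `NotDestination [IPWithNumMask "127.0.0.1" "8"]` in blockNetwork lets a build reach anything bound to localhost, so a forwarding HTTP proxy or caching resolver on 127.0.0.0/8 (apt-cacher-ng, a stub resolver) would hand it indirect network access; if nothing on loopback has to be reachable from a build, drop the exemption, otherwise narrow it to the specific address and port. The rule also looks iptables-only, so unless `Firewall.rule` programs ip6tables as well, IPv6 egress from the build is not blocked at all — confirm, and add an equivalent v6 rule exempting `::1` if needed. Note that the iptables owner match tests the socket creator's effective GID, not supplementary groups, so this only bites if build processes actually run with `sbuild` as their primary group — worth verifying against how schroot sets up the session. DROP also makes any build that touches the network hang until its own timeouts expire; REJECT, if the Firewall module offers it, fails fast and surfaces the violation in the build log. Finally the new doc comment has lost its reference (`-- This is a hack from until #802850 and`); `-- This is a workaround until Debian bugs #802850 and #802849 are resolved.` reads cleanly, assuming those are BTS numbers.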