From 6dae019be9ebed76f282ec3cb258df7bf5891320 Mon Sep 17 00:00:00 2001
From: Joey Hess <joeyh@joeyh.name>
Date: Fri, 17 Nov 2017 21:58:39 -0400
Subject: Service: Avoid starting services when noServices is used.

Reconsidered making services never run inside chroots, that seemed too
potentially limiting.

Using Info rather than checking policy-rc.d because it will also work
outside of debian, but more because policy-rc.d has an extremely
complicated interface and I didn't want to deal with it.

This commit was sponsored by Jochen Bartl on Patreon.
---
 src/Propellor/Property/Service.hs | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

(limited to 'src/Propellor/Property/Service.hs')

diff --git a/src/Propellor/Property/Service.hs b/src/Propellor/Property/Service.hs
index e6a69eb5..0bcfdb93 100644
--- a/src/Propellor/Property/Service.hs
+++ b/src/Propellor/Property/Service.hs
@@ -1,6 +1,11 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+
 module Propellor.Property.Service where
 
 import Propellor.Base
+import Propellor.Types.Info
+import qualified Propellor.Property.File as File
+import Utility.FileMode
 
 type ServiceName = String
 
@@ -23,5 +28,31 @@ reloaded = signaled "reload" "reloaded"
 signaled :: String -> Desc -> ServiceName -> Property DebianLike
 signaled cmd desc svc = tightenTargets $ p `describe` (desc ++ " " ++ svc)
   where
-	p = scriptProperty ["invoke-rc.d " ++ shellEscape svc ++ " " ++ cmd ++ " >/dev/null 2>&1 || true"]
+	p = scriptProperty ["service " ++ shellEscape svc ++ " " ++ cmd ++ " >/dev/null 2>&1 || true"]
 		`assume` NoChange
+
+-- | This property prevents daemons and other services from being started,
+-- which is often something you want to prevent when building a chroot.
+--
+-- When this is set, `running` and `restarted` will not start services.
+--
+-- On Debian this installs a </usr/sbin/policy-rc.d> script to further
+-- prevent any packages that get installed from starting daemons.
+-- Reverting the property removes the script.
+noServices :: RevertableProperty (HasInfo + UnixLike) UnixLike
+noServices = (setup `setInfoProperty` toInfo (InfoVal NoServices)) <!> teardown
+  where
+	f = "/usr/sbin/policy-rc.d"
+	script = [ "#!/bin/sh", "exit 101" ]
+	setup = combineProperties "no services started" $ toProps
+		[ File.hasContent f script
+		, File.mode f (combineModes (readModes ++ executeModes))
+		]
+	teardown = File.notPresent f
+
+-- | Check if the noServices property is in effect.
+checkNoServices :: Propellor Bool
+checkNoServices = isJust . fromInfoVal
+	<$> (askInfo :: Propellor (InfoVal NoServices))
+
+data NoServices = NoServices deriving (Eq, Show, Typeable)
-- 
cgit v1.3-2-g0d8e