@leehambley
Created June 17, 2013 13:06
#!/usr/local/rvm/bin/our_ruby_wrapper -w
require 'optparse'
#
# Documentation for this dark corner of the Debian package manager can be
# found at the following places:
#
# * http://matrix.umcs.lublin.pl/cgi-bin/dwww/usr/share/doc/sysv-rc/README.policy-rc.d.gz
# * http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s-disableserv
# * http://packages.debian.org/wheezy/policyrcd-script-zg2
#
# Information about the decisions being made by this script can be found
# in /var/log/syslog on Ubuntu. (See `logger` below.)
#
# Usage:
#
# This script is called by invoke-rc.d (a simple wrapper around directly
# using the init.d scripts themselves). invoke-rc.d applies a local
# policy: when /usr/sbin/policy-rc.d exists and is executable, it is run
# and its exit code is consulted (0 allows the action, 101 forbids it).
# This is a simple, naïve implementation of a policy to disallow the
# starting of services which protonet manages with Runit, but installs from
# the normal Debian/Ubuntu package sources.
#
runit_managed_packages = %w{apache2 smbd nmbd dnsmasq nginx
                            rabbitmq-server}
options = {}
OptionParser.new do |opts|
  opts.banner = "Usage: #{$0} [options] <initdscript ID> <actions> <runlevel>"
  opts.on("--quiet", "Suppress the decision output on stdout") do |v|
    options[:quiet] = v
  end
  opts.on("--list", "List policy in a human readable way") do
    warn "--list option not supported"
    abort
  end
end.parse!
initscript_id, actions, runlevel = ARGV.take(3)
# invoke-rc.d always passes an initscript id; if it is missing, exit with the
# "syntax error" code from README.policy-rc.d instead of crashing on nil below.
if initscript_id.nil? || initscript_id.empty?
  warn "missing <initdscript ID>"
  exit 103
end
unless options[:quiet]
  puts "Script ID: #{initscript_id} Actions: #{actions} Runlevel: #{runlevel}"
end
# logger is called in argv form so the arguments never pass through a shell
# (interpolating ARGV into a backtick command would let a crafted id inject
# shell syntax).
if runit_managed_packages.include?(initscript_id.downcase)
  puts "Denying (Code: 101)" unless options[:quiet]
  system("logger", "protonet policy-rc.d Denying installation with #{ARGV.inspect}")
  exit 101
else
  puts "Allowing (Code: 0)" unless options[:quiet]
  system("logger", "protonet policy-rc.d Allowing installation with #{ARGV.inspect}")
  exit 0
end
@leehambley (Author)

protonet@ubuntu:~$ tail -f /var/log/syslog  | grep policy-rc.d
Jun 17 15:44:20 ubuntu logger: protonet policy-rc.d Allowing installation with [memcached, start, 2]
Jun 17 15:44:40 ubuntu logger: protonet policy-rc.d Allowing installation with [clamav-freshclam, start, 2]
Jun 17 15:45:02 ubuntu logger: protonet policy-rc.d Allowing installation with [sendmail, stop, 2]
Jun 17 15:45:04 ubuntu logger: protonet policy-rc.d Allowing installation with [sendmail, start, 2]
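The policy decision the script makes, and a check of the syslog lines it writes, as an added example that is not part of the gist. The exit codes follow README.policy-rc.d; the list of known actions and the second log line (which contradicts the policy) are constructed assumptions.

```ruby
# Added example, not part of the gist: the gist's policy decision factored
# into a pure function that returns the exit codes README.policy-rc.d
# documents, plus a check that logged decisions agree with the policy.
RUNIT_MANAGED = %w[apache2 smbd nmbd dnsmasq nginx rabbitmq-server].freeze
# Assumption: the set of actions this policy is willing to judge.
KNOWN_ACTIONS = %w[start stop restart reload force-reload status].freeze

ALLOW        = 0    # action allowed
UNKNOWN_ACT  = 100  # unknown action: policy-rc.d convention is to deny
FORBIDDEN    = 101  # action forbidden by policy
SYNTAX_ERROR = 103  # malformed invocation

# Decide one invoke-rc.d request. `actions` may hold several space-separated
# actions, as invoke-rc.d passes them; any unknown one rejects the request.
def policy_decision(initscript_id, actions, runlevel)
  return SYNTAX_ERROR if initscript_id.to_s.empty? || actions.to_s.empty?
  return UNKNOWN_ACT unless actions.split.all? { |a| KNOWN_ACTIONS.include?(a) }
  # runlevel is accepted but unused: the gist denies in every runlevel
  return FORBIDDEN if RUNIT_MANAGED.include?(initscript_id.downcase)
  ALLOW
end

# Shape of the syslog lines written by the gist's `logger` call.
LOG_RE = /policy-rc\.d (Allowing|Denying) installation with \[(.+?)\]/

# Re-evaluate each logged decision against the policy and flag mismatches,
# e.g. a service that was started although its package is on the deny list.
def audit_syslog(lines)
  lines.map do |line|
    m = LOG_RE.match(line)
    next unless m
    id, action, runlevel = m[2].split(', ')
    expected = policy_decision(id, action, runlevel) == ALLOW ? 'Allowing' : 'Denying'
    { id: id, action: action, logged: m[1], consistent: m[1] == expected }
  end.compact
end

# Constructed sample: the first line mirrors the gist's syslog excerpt, the
# second is deliberately inconsistent with the policy, the third is noise.
SAMPLE_SYSLOG = [
  'Jun 17 15:44:20 ubuntu logger: protonet policy-rc.d Allowing installation with [memcached, start, 2]',
  'Jun 17 15:45:10 ubuntu logger: protonet policy-rc.d Allowing installation with [nginx, start, 2]',
  'Jun 17 15:45:12 ubuntu logger: unrelated message'
].freeze

if $PROGRAM_NAME == __FILE__
  audit_syslog(SAMPLE_SYSLOG).each { |r| puts r.inspect }
end
```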