From 68d617a62d8312ea9b90780db2a638c0e093b927 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <karel.koci@nic.cz>
Date: Tue, 29 May 2018 16:13:18 +0200
Subject: [PATCH] base-files: do not automatically activate services and
 restart activated
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For security reasons only selected services are automatically activated.
Those are listed in /etc/services_wanted.
We also restart services when updated instead of just starting them.

Signed-off-by: Karel Kočí <karel.koci@nic.cz>
Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
---
 package/base-files/Makefile                  | 11 ++++
 package/base-files/files/etc/services_wanted | 58 ++++++++++++++++++++
 package/base-files/files/lib/functions.sh    | 16 +++---
 3 files changed, 78 insertions(+), 7 deletions(-)
 create mode 100644 package/base-files/files/etc/services_wanted

diff --git a/package/base-files/Makefile b/package/base-files/Makefile
index 0a7c2bc..4a80593 100644
--- a/package/base-files/Makefile
+++ b/package/base-files/Makefile
@@ -200,6 +200,17 @@ define Package/base-files/install
 		rm -f $(1)/sbin/pkg_check,)
 endef
 
+define Package/base-files/postinst
+[ -n "$$IPKG_INSTROOT" ] || {
+	# Enable wanted services
+	while read L; do
+		if [ -f "/etc/init.d/$$L" ]; then
+			"/etc/init.d/$$L" enable
+		fi
+	done < /etc/services_wanted
+}
+endef
+
 ifneq ($(DUMP),1)
   -include $(PLATFORM_DIR)/base-files.mk
   -include $(PLATFORM_SUBDIR)/base-files.mk
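Review bot: The added postinst loop has no upgrade guard. Assuming this script also runs when base-files itself is upgraded, every listed service whose init script exists is enabled again, which would undo an administrator's decision to disable one of them (for example sshd or openvpn). The default_postinst change in functions.sh skips `enable` when `PKG_UPGRADE` is `1`, and the same condition here would keep both paths consistent: `[ -n "$$IPKG_INSTROOT" ] || [ "$$PKG_UPGRADE" = "1" ] || {`. The loop also reads with a bare `read L` and puts the line straight into a path, so I would use `while IFS= read -r L; do` and skip entries that are empty or contain `/` before the `[ -f ... ]` test.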
diff --git a/package/base-files/files/etc/services_wanted b/package/base-files/files/etc/services_wanted
new file mode 100644
index 0000000..cc74025
--- /dev/null
+++ b/package/base-files/files/etc/services_wanted
@@ -0,0 +1,58 @@
+asm1062-fix
+atd
+atlas
+atsha204-feed-entropy
+boot
+cron
+cups
+dev-detect
+dnsmasq
+done
+firewall
+foris-controller
+foris-ws
+fosquitto
+fstab
+gpio_switch
+haas-proxy
+haveged
+hd-idle
+led
+lighttpd
+lm-sensors
+lvm2
+lxc-auto
+mountd
+mox_autosetup
+netdata
+nethist
+network
+odhcpd
+openvpn
+rainbow
+relayd
+resolver
+rpcd
+sentinel-dynfw-client
+sentinel-minipot
+sentinel-proxy
+setup_led
+smartd
+sqm
+srv
+sshd
+start-indicator
+sysctl
+sysfixtime
+sysfsutils
+syslog-ng
+sysntpd
+system
+ucitrack
+umdns
+umount
+update_mac
+updater-journal-recover
+urandom_seed
+usbmode
+zram
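Review bot: This allowlist ships without any statement of its format or of the criterion for inclusion, even though the commit message makes it the security boundary for what starts automatically. It contains network-facing services such as sshd, openvpn, cups and lighttpd, so a reader cannot tell from the file why those are considered safe to enable by default. A short header would help, along the lines of `# One init script name per line (basename in /etc/init.d); listed services are enabled automatically on install.` A `#` line appears harmless to both consumers in this patch, since it matches neither an init script file nor a basename.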
diff --git a/package/base-files/files/lib/functions.sh b/package/base-files/files/lib/functions.sh
index 860fc04..213e2c2 100755
--- a/package/base-files/files/lib/functions.sh
+++ b/package/base-files/files/lib/functions.sh
@@ -251,14 +251,16 @@ default_postinst() {
 
 	local shell="$(which bash)"
 	for i in $(grep -s "^/etc/init.d/" "$root$filelist"); do
-		if [ -n "$root" ]; then
-			${shell:-/bin/sh} "$root/etc/rc.common" "$root$i" enable
-		else
-			if [ "$PKG_UPGRADE" != "1" ]; then
-				"$i" enable
-			fi
-			"$i" start
+		if grep -q "^$(basename "$i")$" "$root/etc/services_wanted"; then
+			if [ -n "$root" ]; then
+				${shell:-/bin/sh} "$root/etc/rc.common" "$root$i" enable
+			else
+				[ "$PKG_UPGRADE" = "1" ] || "$i" enable
+ 			fi
 		fi
+		if [ -z "$root" ] && "$i" enabled; then
+			"$i" restart
+ 		fi
 	done
 
 	return $ret
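Review bot: The allowlist lookup on the added `grep -q "^$(basename "$i")$"` line interpolates the init script name into a regular expression, so a `.` or other metacharacter in a package's script name matches more than the literal entry. A whole-line fixed-string match is stricter: `if grep -qxF -- "$(basename "$i")" "$root/etc/services_wanted"; then`. When the file is missing, grep fails and nothing is enabled, which is the safe direction, but adding `-s` would keep the error message out of the install output. The two added `fi` lines also carry a space before their tabs. default_postinst begins and ends outside this hunk.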
-- 
2.30.0