core-admin/rpm_spec/core-dom0.spec

395 lines
13 KiB
RPMSpec
Raw Normal View History

#
# This is the SPEC file for creating binary RPMs for the Dom0.
#
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2010 Joanna Rutkowska <joanna@invisiblethingslab.com>
# Copyright (C) 2010 Rafal Wojtczuk <rafal@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
2015-09-28 17:44:59 +02:00
#%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(False)")}
%{!?version: %define version %(cat version)}
# debug_package hack should be removed when BuildArch:noarch is enabled below
%define debug_package %{nil}
%define _dracutmoddir /usr/lib/dracut/modules.d
%if %{fedora} < 17
%define _dracutmoddir /usr/share/dracut/modules.d
%endif
Name: qubes-core-dom0
Version: %{version}
2014-04-15 04:09:13 +02:00
Release: 1%{dist}
Summary: The Qubes core files (Dom0-side)
Group: Qubes
Vendor: Invisible Things Lab
License: GPL
URL: http://www.qubes-os.org
2015-01-13 18:23:04 +01:00
# because we have "#!/usr/bin/env python" shebangs, RPM puts
# "Requires: $(which # python)" dependency, which, depending on $PATH order,
# may point to /usr/bin/python or /bin/python (because Fedora has this stupid
# /bin -> usr/bin symlink). python*.rpm provides only /usr/bin/python.
AutoReq: no
# FIXME: Enable this and disable debug_package
#BuildArch: noarch
BuildRequires: ImageMagick
BuildRequires: systemd-units
2015-01-13 18:23:04 +01:00
# for building documentation
BuildRequires: python-sphinx
BuildRequires: libvirt-python
2015-12-10 21:52:05 +01:00
BuildRequires: dbus-python
2015-01-13 18:23:04 +01:00
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires: python, pciutils, python-inotify, python-daemon
2015-09-28 17:44:59 +02:00
Requires: python-setuptools
Requires: qubes-core-dom0-linux >= 3.1.8
Requires: qubes-core-dom0-doc
Requires: qubes-db-dom0
Requires: python-lxml
2013-03-16 02:39:30 +01:00
# TODO: R: qubes-gui-dom0 >= 2.1.11
Conflicts: qubes-gui-dom0 < 1.1.13
2013-05-16 02:01:52 +02:00
Requires: libvirt-python
%if x%{?backend_vmm} == xxen
Requires: xen-runtime
Requires: xen-hvm
Requires: libvirt-daemon-xen >= 1.2.20-6
2013-05-16 02:01:52 +02:00
%endif
Requires: createrepo
2011-08-02 13:04:09 +02:00
Requires: gnome-packagekit
2012-01-30 16:27:12 +01:00
Requires: cronie
Requires: bsdtar
backup: use 'scrypt' tool for backup encryption and integrity protection `openssl dgst` and `openssl enc` used previously poorly handle key stretching - in case of `openssl enc` encryption key is derived using single MD5 iteration, without even any salt. This hardly prevent brute force or even rainbow tables attacks. To make things worse, the same key is used for encryption and integrity protection which ease brute force even further. All this is still about brute force attacks, so when using long, high entropy passphrase, it should be still relatively safe. But lets do better. According to discussion in QubesOS/qubes-issues#971, scrypt algorithm is a good choice for key stretching (it isn't the best of all existing, but a good one and widely adopted). At the same time, lets switch away from `openssl` tool, as it is very limited and apparently not designed for production use. Use `scrypt` tool, which is very simple and does exactly what we need - encrypt the data and integrity protect it. Its archive format have own (simple) header with data required by the `scrypt` algorithm, including salt. Internally data is encrypted with AES256-CTR and integrity protected with HMAC-SHA256. For details see: https://github.com/tarsnap/scrypt/blob/master/FORMAT This means change of backup format. Mainly: 1. HMAC is stored in scrypt header, so don't use separate file for it. Instead have data in files with `.enc` extension. 2. For compatibility leave `backup-header` and `backup-header.hmac`. But `backup-header.hmac` is really scrypt-encrypted version of `backup-header`. 3. For each file, prepend its identifier to the passphrase, to authenticate filename itself too. Having this we can guard against reordering archive files within a single backup and across backups. This identifier is built as: backup ID (from backup-header)!filename! For backup-header itself, there is no backup ID (just 'backup-header!'). Fixes QubesOS/qubes-issues#971
2016-10-20 12:56:51 +02:00
Requires: scrypt
# for qubes-hcl-report
Requires: dmidecode
Requires: PyQt4
2015-01-13 18:23:04 +01:00
# for property's docstrings
Requires: python-docutils
# for lvm support
Requires: lvm2-python-libs
2015-09-28 17:44:59 +02:00
# Prevent preupgrade from installation (it pretend to provide distribution upgrade)
Obsoletes: preupgrade < 2.0
Provides: preupgrade = 2.0
%define _builddir %(pwd)
%description
The Qubes core files for installation on Dom0.
%prep
# we operate on the current directory, so no need to unpack anything
# symlink is to generate useful debuginfo packages
rm -f %{name}-%{version}
ln -sf . %{name}-%{version}
%setup -T -D
%build
make all
%install
make install \
DESTDIR=$RPM_BUILD_ROOT \
UNITDIR=%{_unitdir} \
2015-09-28 17:44:59 +02:00
PYTHON_SITEPATH=%{python_sitelib} \
SYSCONFDIR=%{_sysconfdir}
%post
# Create NetworkManager configuration if we do not have it
if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
echo '[main]' > /etc/NetworkManager/NetworkManager.conf
echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
fi
sed '/^autoballoon=/d;/^lockfile=/d' -i /etc/xen/xl.conf
echo 'autoballoon=0' >> /etc/xen/xl.conf
echo 'lockfile="/var/run/qubes/xl-lock"' >> /etc/xen/xl.conf
2011-10-07 21:28:26 +02:00
sed 's/^PRELINKING\s*=.*/PRELINKING=no/' -i /etc/sysconfig/prelink
systemctl --no-reload enable qubes-core.service >/dev/null 2>&1
systemctl --no-reload enable qubes-netvm.service >/dev/null 2>&1
systemctl --no-reload enable qubes-setupdvm.service >/dev/null 2>&1
# Conflicts with libxl stack, so disable it
systemctl --no-reload disable xend.service >/dev/null 2>&1
systemctl --no-reload disable xendomains.service >/dev/null 2>&1
2013-05-04 04:33:07 +02:00
systemctl daemon-reload >/dev/null 2>&1 || :
HAD_SYSCONFIG_NETWORK=yes
if ! [ -e /etc/sysconfig/network ]; then
HAD_SYSCONFIG_NETWORK=no
# supplant empty one so NetworkManager init script does not complain
touch /etc/sysconfig/network
fi
# Load evtchn module - xenstored needs it
modprobe evtchn 2> /dev/null || modprobe xen-evtchn
service xenstored start
if ! [ -e /var/lib/qubes/qubes.xml ]; then
# echo "Initializing Qubes DB..."
umask 007; sg qubes -c 'qubes-create --offline-mode'
qubes-prefs --force-root --offline-mode default-kernel `ls /var/lib/qubes/vm-kernels|head -n 1` 2> /dev/null
fi
# Because we now have an installer
# this script is always executed during upgrade
# and we decided not to restart core during upgrade
#service qubes_core start
if [ "x"$HAD_SYSCONFIG_NETWORK = "xno" ]; then
rm -f /etc/sysconfig/network
fi
%clean
rm -rf $RPM_BUILD_ROOT
rm -f %{name}-%{version}
%pre
if ! grep -q ^qubes: /etc/group ; then
groupadd qubes
fi
%triggerin -- xen-runtime
2013-03-14 15:06:19 +01:00
/usr/lib/qubes/fix-dir-perms.sh
%preun
if [ "$1" = 0 ] ; then
# no more packages left
service qubes_netvm stop
service qubes_core stop
fi
%postun
if [ "$1" = 0 ] ; then
# no more packages left
chgrp root /etc/xen
chmod 700 /etc/xen
groupdel qubes
fi
%files
%defattr(-,root,root,-)
2012-03-29 16:17:10 +02:00
%config(noreplace) %attr(0664,root,qubes) %{_sysconfdir}/qubes/qmemman.conf
/usr/bin/qvm-*
/usr/bin/qubes-*
/usr/bin/qmemmand
2015-01-13 18:23:04 +01:00
2015-09-28 17:44:59 +02:00
%dir %{python_sitelib}/qubes-*.egg-info
%{python_sitelib}/qubes-*.egg-info/*
%dir %{python_sitelib}/qubes
%{python_sitelib}/qubes/__init__.py*
%{python_sitelib}/qubes/app.py*
%{python_sitelib}/qubes/backup.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/config.py*
%{python_sitelib}/qubes/core2migration.py*
2016-03-02 12:17:29 +01:00
%{python_sitelib}/qubes/devices.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/dochelpers.py*
%{python_sitelib}/qubes/events.py*
%{python_sitelib}/qubes/firewall.py*
%{python_sitelib}/qubes/exc.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/log.py*
%{python_sitelib}/qubes/rngdoc.py*
%{python_sitelib}/qubes/tarwriter.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/utils.py*
%dir %{python_sitelib}/qubes/vm
%{python_sitelib}/qubes/vm/__init__.py*
%{python_sitelib}/qubes/vm/adminvm.py*
%{python_sitelib}/qubes/vm/appvm.py*
%{python_sitelib}/qubes/vm/dispvm.py*
%{python_sitelib}/qubes/vm/qubesvm.py*
2016-03-13 12:43:26 +01:00
%{python_sitelib}/qubes/vm/standalonevm.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/vm/templatevm.py*
%dir %{python_sitelib}/qubes/vm/mix
%{python_sitelib}/qubes/vm/mix/__init__.py*
%{python_sitelib}/qubes/vm/mix/net.py*
2015-09-28 17:44:59 +02:00
%dir %{python_sitelib}/qubes/storage
%{python_sitelib}/qubes/storage/__init__.py*
%{python_sitelib}/qubes/storage/file.py*
%{python_sitelib}/qubes/storage/domain.py*
2016-04-01 15:10:44 +02:00
%{python_sitelib}/qubes/storage/kernels.py*
%{python_sitelib}/qubes/storage/lvm.py*
2015-09-28 17:44:59 +02:00
%dir %{python_sitelib}/qubes/tools
%{python_sitelib}/qubes/tools/__init__.py*
%{python_sitelib}/qubes/tools/qmemmand.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/tools/qubes_create.py*
%{python_sitelib}/qubes/tools/qubes_monitor_layout_notify.py*
%{python_sitelib}/qubes/tools/qubes_prefs.py*
2016-05-09 05:12:37 +02:00
%{python_sitelib}/qubes/tools/qvm_block.py*
%{python_sitelib}/qubes/tools/qvm_backup.py*
%{python_sitelib}/qubes/tools/qvm_backup_restore.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/tools/qvm_create.py*
%{python_sitelib}/qubes/tools/qvm_device.py*
%{python_sitelib}/qubes/tools/qvm_features.py*
%{python_sitelib}/qubes/tools/qvm_firewall.py*
2016-07-16 01:06:47 +02:00
%{python_sitelib}/qubes/tools/qvm_check.py*
2016-07-12 18:24:43 +02:00
%{python_sitelib}/qubes/tools/qvm_clone.py*
%{python_sitelib}/qubes/tools/qvm_kill.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/tools/qvm_ls.py*
%{python_sitelib}/qubes/tools/qvm_pause.py*
%{python_sitelib}/qubes/tools/qvm_pool.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/tools/qvm_prefs.py*
%{python_sitelib}/qubes/tools/qvm_remove.py*
%{python_sitelib}/qubes/tools/qvm_run.py*
%{python_sitelib}/qubes/tools/qvm_shutdown.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/tools/qvm_start.py*
%{python_sitelib}/qubes/tools/qvm_template_commit.py*
%{python_sitelib}/qubes/tools/qvm_template_postprocess.py*
%{python_sitelib}/qubes/tools/qvm_unpause.py*
2015-09-28 17:44:59 +02:00
%dir %{python_sitelib}/qubes/ext
%{python_sitelib}/qubes/ext/__init__.py*
%{python_sitelib}/qubes/ext/gui.py*
%{python_sitelib}/qubes/ext/pci.py*
%{python_sitelib}/qubes/ext/qubesmanager.py*
%{python_sitelib}/qubes/ext/r3compatibility.py*
2015-09-28 17:44:59 +02:00
%dir %{python_sitelib}/qubes/tests
%{python_sitelib}/qubes/tests/__init__.py*
%{python_sitelib}/qubes/tests/run.py*
%{python_sitelib}/qubes/tests/extra.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/tests/app.py*
2016-03-09 14:20:32 +01:00
%{python_sitelib}/qubes/tests/devices.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/tests/events.py*
%{python_sitelib}/qubes/tests/firewall.py*
%{python_sitelib}/qubes/tests/init.py*
%{python_sitelib}/qubes/tests/storage.py*
%{python_sitelib}/qubes/tests/storage_file.py*
2016-07-12 18:43:28 +02:00
%{python_sitelib}/qubes/tests/storage_lvm.py*
%{python_sitelib}/qubes/tests/tarwriter.py*
2015-09-28 17:44:59 +02:00
%dir %{python_sitelib}/qubes/tests/vm
%{python_sitelib}/qubes/tests/vm/__init__.py*
%{python_sitelib}/qubes/tests/vm/init.py*
%{python_sitelib}/qubes/tests/vm/adminvm.py*
%{python_sitelib}/qubes/tests/vm/qubesvm.py*
%dir %{python_sitelib}/qubes/tests/vm/mix
%{python_sitelib}/qubes/tests/vm/mix/__init__.py*
%{python_sitelib}/qubes/tests/vm/mix/net.py*
2015-09-28 17:44:59 +02:00
%dir %{python_sitelib}/qubes/tests/tools
%{python_sitelib}/qubes/tests/tools/__init__.py*
%{python_sitelib}/qubes/tests/tools/init.py*
%{python_sitelib}/qubes/tests/tools/qvm_device.py*
%{python_sitelib}/qubes/tests/tools/qvm_firewall.py*
2015-09-28 17:44:59 +02:00
%{python_sitelib}/qubes/tests/tools/qvm_ls.py*
2015-01-23 18:37:40 +01:00
%dir %{python_sitelib}/qubes/tests/int
%{python_sitelib}/qubes/tests/int/__init__.py*
%{python_sitelib}/qubes/tests/int/backup.py*
%{python_sitelib}/qubes/tests/int/backupcompatibility.py*
%{python_sitelib}/qubes/tests/int/basic.py*
%{python_sitelib}/qubes/tests/int/devices_pci.py*
%{python_sitelib}/qubes/tests/int/dispvm.py*
%{python_sitelib}/qubes/tests/int/dom0_update.py*
2016-03-02 02:46:15 +01:00
%{python_sitelib}/qubes/tests/int/network.py*
%{python_sitelib}/qubes/tests/int/storage.py*
2016-08-17 04:39:13 +02:00
%{python_sitelib}/qubes/tests/int/vm_qrexec_gui.py*
%dir %{python_sitelib}/qubes/tests/int/tools
%{python_sitelib}/qubes/tests/int/tools/__init__.py*
%{python_sitelib}/qubes/tests/int/tools/qubes_create.py*
%{python_sitelib}/qubes/tests/int/tools/qvm_firewall.py*
2016-08-09 05:12:12 +02:00
%{python_sitelib}/qubes/tests/int/tools/qvm_check.py*
%{python_sitelib}/qubes/tests/int/tools/qvm_prefs.py*
%{python_sitelib}/qubes/tests/int/tools/qvm_run.py*
%dir %{python_sitelib}/qubes/qmemman
%{python_sitelib}/qubes/qmemman/__init__.py*
%{python_sitelib}/qubes/qmemman/algo.py*
%{python_sitelib}/qubes/qmemman/client.py*
2015-01-13 18:23:04 +01:00
2013-03-14 15:06:19 +01:00
/usr/lib/qubes/unbind-pci-device.sh
/usr/lib/qubes/cleanup-dispvms
/usr/lib/qubes/qfile-daemon-dvm*
2013-03-14 15:06:19 +01:00
/usr/lib/qubes/block-cleaner-daemon.py*
/usr/lib/qubes/vusb-ctl.py*
/usr/lib/qubes/xl-qvm-usb-attach.py*
/usr/lib/qubes/xl-qvm-usb-detach.py*
2013-03-14 15:06:19 +01:00
/usr/lib/qubes/fix-dir-perms.sh
/usr/lib/qubes/startup-dvm.sh
/usr/lib/qubes/startup-misc.sh
2013-03-14 15:06:19 +01:00
/usr/lib/qubes/prepare-volatile-img.sh
2013-07-22 04:13:12 +02:00
/usr/libexec/qubes/qubes-notify-tools
/usr/libexec/qubes/qubes-notify-updates
%{_unitdir}/qubes-block-cleaner.service
%{_unitdir}/qubes-core.service
%{_unitdir}/qubes-setupdvm.service
%{_unitdir}/qubes-netvm.service
%{_unitdir}/qubes-qmemman.service
2013-11-20 02:57:17 +01:00
%{_unitdir}/qubes-vm@.service
%{_unitdir}/qubes-reload-firewall@.service
%{_unitdir}/qubes-reload-firewall@.timer
%attr(2770,root,qubes) %dir /var/lib/qubes
%attr(2770,root,qubes) %dir /var/lib/qubes/vm-templates
%attr(2770,root,qubes) %dir /var/lib/qubes/appvms
%attr(2770,root,qubes) %dir /var/lib/qubes/servicevms
%attr(2770,root,qubes) %dir /var/lib/qubes/backup
%attr(2770,root,qubes) %dir /var/lib/qubes/dvmdata
%attr(2770,root,qubes) %dir /var/lib/qubes/vm-kernels
2016-03-02 12:17:29 +01:00
/usr/share/qubes/templates/libvirt/xen.xml
/usr/share/qubes/templates/libvirt/devices/pci.xml
/usr/share/qubes/templates/libvirt/devices/net.xml
/usr/lib/tmpfiles.d/qubes.conf
2013-03-14 15:06:19 +01:00
/usr/lib/qubes/qubes-prepare-saved-domain.sh
/usr/lib/qubes/qubes-update-dispvm-savefile-with-progress.sh
2010-06-02 15:50:22 +02:00
/etc/xen/scripts/block.qubes
/etc/xen/scripts/block-snapshot
/etc/xen/scripts/block-origin
/etc/xen/scripts/vif-route-qubes
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.FeaturesRequest
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.Filecopy
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.GetImageRGBA
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.GetRandomizedTime
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.NotifyTools
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.NotifyUpdates
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.OpenInVM
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.OpenURL
%attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/qubes.VMShell
/etc/qubes-rpc/qubes.FeaturesRequest
/etc/qubes-rpc/qubes.GetRandomizedTime
/etc/qubes-rpc/qubes.NotifyTools
/etc/qubes-rpc/qubes.NotifyUpdates
%attr(2770,root,qubes) %dir /var/log/qubes
%attr(0770,root,qubes) %dir /var/run/qubes
/etc/xdg/autostart/qubes-guid.desktop
2015-01-13 23:52:19 +01:00
/usr/share/doc/qubes/relaxng/*.rng