Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

remove VM files

Browse Source
This commit is contained in:
Marek Marczykowski 2013-03-07 04:12:37 +01:00
parent ca7b381606
commit 0e8037deee
98 changed files with 4 additions and 3410 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
Makefile
View File

@ -2,13 +2,11 @@ RPMS_DIR=rpm/
VERSION_DOM0 := $(shell cat version_dom0)
VERSION_VAIO_FIXES := $(shell cat version_vaio_fixes)
VERSION_VM := $(shell cat version_vm)
DIST_DOM0 ?= fc18
help:
@echo "make rpms -- generate binary rpm packages"
@echo "make rpms-vm -- generate binary rpm packages for VM"
@echo "make rpms-dom0 -- generate binary rpm packages for Dom0"
@echo "make update-repo-current -- copy newly generated rpms to qubes yum repo"
@echo "make update-repo-current-testing -- same, but to -current-testing repo"
@ -16,20 +14,12 @@ help:
@echo "make update-repo-installer -- copy dom0 rpms to installer repo"
@echo "make clean -- cleanup"
rpms: rpms-vm rpms-dom0
rpms: rpms-dom0
rpms-libs:
rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-libs.spec
rpm --addsign $(RPMS_DIR)/x86_64/qubes-core-libs-$(VERSION_LIBS)*.rpm
rpms-vm:
@true
rpms-vm: rpms-libs
rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-vm.spec
rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-vm-kernel-placeholder.spec
rpm --addsign \
$(RPMS_DIR)/x86_64/qubes-core-vm-*$(VERSION_VM)*.rpm \
$(RPMS_DIR)/x86_64/qubes-core-vm-kernel-placeholder-*.rpm
rpms-dom0: rpms-libs rpms-vaio-fixes
rpms-dom0: rpms-vaio-fixes
rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-dom0.spec
rpm --addsign \
$(RPMS_DIR)/x86_64/qubes-core-dom0-$(VERSION_DOM0)*.rpm
@ -41,52 +31,17 @@ rpms-vaio-fixes:
update-repo-current:
ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-$(VERSION_DOM0)*$(DIST_DOM0)*.rpm ../yum/current-release/current/dom0/rpm/
ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-vaio-fixes-$(VERSION_VAIO_FIXES)*$(DIST_DOM0)*.rpm ../yum/current-release/current/dom0/rpm/
ln -f $(RPMS_DIR)/x86_64/qubes-core-libs-$(VERSION_LIBS)*$(DIST_DOM0)*.rpm ../yum/current-release/current/dom0/rpm/
for vmrepo in ../yum/current-release/current/vm/* ; do \
dist=$$(basename $$vmrepo) ;\
ln -f $(RPMS_DIR)/x86_64/qubes-core-vm-*$(VERSION_VM)*$$dist*.rpm $$vmrepo/rpm/ ;\
ln -f $(RPMS_DIR)/x86_64/qubes-core-vm-kernel-placeholder-*$$dist*.rpm $$vmrepo/rpm/ ;\
ln -f $(RPMS_DIR)/x86_64/qubes-core-libs-$(VERSION_LIBS)*$$dist*.rpm $$vmrepo/rpm/;\
done
update-repo-current-testing:
ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-$(VERSION_DOM0)*$(DIST_DOM0)*.rpm ../yum/current-release/current-testing/dom0/rpm/
ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-vaio-fixes-$(VERSION_VAIO_FIXES)*$(DIST_DOM0)*.rpm ../yum/current-release/current-testing/dom0/rpm/
ln -f $(RPMS_DIR)/x86_64/qubes-core-libs-$(VERSION_LIBS)*$(DIST_DOM0)*.rpm ../yum/current-release/current-testing/dom0/rpm/
for vmrepo in ../yum/current-release/current-testing/vm/* ; do \
dist=$$(basename $$vmrepo) ;\
ln -f $(RPMS_DIR)/x86_64/qubes-core-vm-*$(VERSION_VM)*$$dist*.rpm $$vmrepo/rpm/ ;\
ln -f $(RPMS_DIR)/x86_64/qubes-core-vm-kernel-placeholder-*$$dist*.rpm $$vmrepo/rpm/ ;\
ln -f $(RPMS_DIR)/x86_64/qubes-core-libs-$(VERSION_LIBS)*$$dist*.rpm $$vmrepo/rpm/;\
done
update-repo-unstable:
ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-$(VERSION_DOM0)*$(DIST_DOM0)*.rpm ../yum/current-release/unstable/dom0/rpm/
ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-vaio-fixes-$(VERSION_VAIO_FIXES)*$(DIST_DOM0)*.rpm ../yum/current-release/unstable/dom0/rpm/
ln -f $(RPMS_DIR)/x86_64/qubes-core-libs-$(VERSION_LIBS)*$(DIST_DOM0)*.rpm ../yum/current-release/current-testing/dom0/rpm/
for vmrepo in ../yum/current-release/unstable/vm/* ; do \
dist=$$(basename $$vmrepo) ;\
ln -f $(RPMS_DIR)/x86_64/qubes-core-vm-*$(VERSION_VM)*$$dist*.rpm $$vmrepo/rpm/ ;\
ln -f $(RPMS_DIR)/x86_64/qubes-core-vm-kernel-placeholder-*$$dist*.rpm $$vmrepo/rpm/ ;\
ln -f $(RPMS_DIR)/x86_64/qubes-core-libs-$(VERSION_LIBS)*$$dist*.rpm $$vmrepo/rpm/;\
done
update-repo-installer:
ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*$(VERSION_DOM0)*$(DIST_DOM0)*.rpm ../installer/yum/qubes-dom0/rpm/
ln -f $(RPMS_DIR)/x86_64/qubes-core-libs-$(VERSION_LIBS)*fc18*.rpm ../installer/yum/qubes-dom0/rpm/
update-repo-template:
for vmrepo in ../template-builder/yum_repo_qubes/* ; do \
dist=$$(basename $$vmrepo) ;\
ln -f $(RPMS_DIR)/x86_64/qubes-core-vm-*$(VERSION_VM)*$$dist*.rpm $$vmrepo/rpm/ ;\
ln -f $(RPMS_DIR)/x86_64/qubes-core-vm-kernel-placeholder-*$$dist*.rpm $$vmrepo/rpm/ ;\
ln -f $(RPMS_DIR)/x86_64/qubes-core-libs-$(VERSION_LIBS)*$$dist*.rpm $$vmrepo/rpm/;\
done
clean:
make -C dom0/qmemman clean
make -C dom0/restore clean
make -C misc clean
make -C qrexec clean
make -C u2mfn clean
make -C vchan -f Makefile.linux clean

2
misc/.gitignore vendored
View File

@ -1,2 +0,0 @@
meminfo-writer
xenstore-watch

12
misc/Makefile
View File

@ -1,12 +0,0 @@
CC=gcc
CFLAGS=-Wall -g -O3
all: meminfo-writer xenstore-watch python
meminfo-writer: meminfo-writer.o
$(CC) -g -o meminfo-writer meminfo-writer.o -lxenstore
xenstore-watch: xenstore-watch.o
$(CC) -o xenstore-watch xenstore-watch.o -lxenstore
python:
python -m compileall .
python -O -m compileall .
clean:
rm -f meminfo-writer xenstore-watch *.o *~ *.pyc *.pyo

39
misc/RPM-GPG-KEY-qubes-2-primary
View File

@ -1,39 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFClJWMBEADyAZgyocTmLQA0VpEXJKNvziKwaRWWrfzHw992okqRH/7wHfLn
uXZCSeLnFH/u2r7fOearUBajI879YeG8EpQ71wfAybQYGF5ZJWoW4fOEAZKVP8bC
1z65kKZguPcLfBiOWMAhLd8qxB3Zx5vVBM+8pGZ5ToRYxK6ivNTGOJfkz0GMxWCT
q7kMhVpd9xO62pNbDYC884lXk/24CMDy9QDAhTiAPIB+6rN74zw0XYHo5BId9SuL
ougyO3SZObkLOnfaWWEfZGbyFwvZWXigdZ/OPR2EvynBRF/ruJNlmS0EkxGEOMO8
ASeeik4HblNhdVDgnUG1zsQ6AqS7tKsy/il55gE9teCAnAL7nPLW7YJmnbzdl6nF
HKiHp7rZ+AtbDjkFpGmcbemvD+9gneUhuCzO8YQygqApdTXlcC5bY14SRyFtVDMp
wD9XX0cVHyapMAbWedVTXqhcdQ88kWGZ85jHCaFXkl8JyGNsVYMchJF9D8iemgW+
IhwveVEN+5FA9Mrd9NrlgxxO9+BuOgGUPKuw3425cOI47Z3hwGrKm35poZfKqA3U
o1Dwz/JbKM7yNXaZeKrj7Sa0zkzMKXff6PRQTZKqnu/ooyOeNziXgulxLMl2qgYg
ZGijQ/VPwhoaoQtThfyUKc/ttozguAWj5K3Se/BUJJyn0as87RA+8mQD8wARAQAB
tB5RdWJlcyBPUyBSZWxlYXNlIDIgU2lnbmluZyBLZXmJAjgEEwECACIFAlClJWMC
GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEAxzudQKQORYvqUQAPAMwdFu
vyR98Q18jzgW6k+5OXNOW53xET+zSZyO/Na7oHC7l8uSOrA8Cu054zeVPzaKMfmr
9bnmb6pfk73Yd/P5AMWXd7h7xZ27Jwi0lhLmxsjMB1fJEJ/bA65m//PxqgIC9PNT
alg0yVE66GdHCVsXJA2XFBTuRyJbLphU8dY1kNesHVdW+Msm+prGOrv+FFzTZDxT
jp87L+xKqTYKgmpphPeM5OzaEj3bOHg3SK1VTVrzRgVVRRKNJKuLIprx5SOpGZxf
5xoPqqdotR4PbM0HQ2gvWy/JlIntN+btVAvwS7e+gcr15oBVsU6uvVJQERZsBDFV
dDffkgOgGVimv21zcxj5RKaUYEpBTqkKZaV23iZ6SQPFBhrjNmljDganTe5tioVQ
mo52s875hYV9VSOLVFOn+pkS0kV5/kFVxoPwHZ+SRKsVcSrRnd9t/et4+VcOCdaC
jX9rYPVQOP019V94dNQWLHYZDBcUZE6zX3xujH2BY+iw5EtjkNl5flaLw+yEUp1o
fbPjOgu0oA6qfoeK/3JtV12RnA08yi35fPKEQ45Qx/Rfs3fMNxiTxD9qZIM3rzXD
nLiNb3cXzqO29iLjhohC17IZrNfSgL81c9NeZ17eKVbUmKicM70BzJyJUvum3bHB
CvO5f7WECZP8UKiqmT4ys6yIyRz1ZrnaY5O7iQIcBBABAgAGBQJQpScRAAoJEN36
Gj42h5SUMHYP/2orT2b87YIXkOa1fwnaJtvLbMOisdscCn5kOU+30oQF0HLcCvdT
3iHokH9qFAr2slFAHDumkXu/iMordpR1lGItwLF1v6+9yHor03p/LP1JcVl/0PDf
nH4q6P9gQwHjq3RYVOdgYHJsDz2VSbvcsIfODKSxr95TsR1LgYasab4gre64gW3Y
kS4ao9W3QUeglbcYUbeYR+mbZvzq1yMg2qIrv89cYcXGdJFrIrlc6biD7v1V5pRH
CbAX9oWNoaUzPeg99w13Adt2e9PBJoq4hhouk87xnBg1QrMnL2ubUHvgTaH28J7U
V2hAwiCcSUwlY5zLs0QVUr13cfvvbGwHSU4avP15Xzgn1VKv+PRlfXPriU3HgG4R
td/Fdz7C+sBMwf7lb+fQSqJdJyB9SojHYMdpz3HmYuGJCySgC59iV5LX1i3AWAMo
7CvFSfqdiKSsHUH4Nl2jnduEcq2Q0uODCXIVcsIlNK/KWEE8CoadKLl55Efdc9JJ
miiW+iHwyHsPM6pqVV4F2R9IL4Wl8Rveaplbj/+TGGblVVO293VhswUGeOSLbXx2
xzFkTUWU/OrmVOLj6aqId6EinWB5oGJaiuKgZt66sLTs1niUnIzOmqi7R/dZ2mUf
QX62MfVWCv8NfkyMhrOft6ggS0Axo4F8fAcIInVXalvs2YScLSWdq54k
=4+bD
-----END PGP PUBLIC KEY BLOCK-----

52
misc/RPM-GPG-KEY-qubes-2-unstable
View File

@ -1,52 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
mQINBFClIUgBEACp0upqK7inupk52+8PHmIZFbm4lkV7IL2S9b285x579s1qysq7
az0JMekouPzNCu9MGFzSktIWT2ti6JHsGgXmY2PoCMDnBCubx5/nPA2fial7yoKg
ZxzpXGb6ZMtx5GOjXgpryUrNukYwORVR/jZS0noDb8rNnbeKi8R0SgaxRTYyJPvB
ChMl1kVX6R15nHsd43ndkgcgSOGT22f/mxqOka9t2cB3HevfDvEJvz8PMkxRgb3n
GOHFJRLYNIGmSegMllkMjUhZpu1e7T940WC3TWzJfpTNIo1Dsj0GIhGGniebGn/L
BvUrmANxQ5rGMjTFOkSb/vKa/w9ss0OECeIL/K4+A6NQTKXLAoKJYA/bx75Dh2dU
E3H8e4KoYuP3Q1lmLfcU3sX7s/MeszTpYHoUWTKyQXZYJged4ihP/RKz5iHRuAu2
0fjPdb6RGJYYi/3TDEoVHkkYyL88wETygXeJW2XtBz33ITLyiB3qfxh8eO4tVre2
QCus0nTpW+dblbfpG1Eb77OJTGlOF3rYx1oEEokochROEstN4bn3fMGMl6zHwBID
tVNPvnQTjrBj7wksvc4xoJNe6Om0kNB7w58l6tCpa/oknW/N9XbwTgm1CI7lMWKD
paieqfJbSYifCHEt0uVzsitoV992xZ8PRoooghGhBGWqTOSC3UDvJuajwwARAQAB
tCdRdWJlcyBPUyBSZWxlYXNlIDIgVW5zdGFibGUgU2lnbmluZyBLZXmJAjgEEwEC
ACIFAlClIUgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJECMUDzj1Me+n
h7wP/At7TBmp5R9fDVKulLfHM9xDMwNCjmdDcKNwF7xy7c18uzhOpA7ENzgZWTR1
lkLrr+OlqXVlThzN1YRgvSx0KghSAIf0wuu8eeNKX+r1QFxEtxNrCobzK4ToNTiT
xuPrycJgJBThj0gfq2jaSYGuhi79HYkgFYiRDOfaTms3hL8+oSq0HmDsu3/JSfse
LAHiXbNyNvn1vpt09JH40me4RNTN0N3pUm9c5+7G0jwcE8OQZkjS7h04rpjbrDQE
DHxadqgkwzP4aJm3l3u/OZF7npI16jpCYpV/mWyDbEj047EN/sJjV3KfuN+AdeAT
9C7HJlGKcobeQztjzJuvzIILuzPewn77d7gua5kezM89nM6TK7T48upizNrCHxbw
l2Z2DdzHfSHMWYT0LS4JAjvUyuu2iTWkMGmh8r3SrAmUecFk2/bP0A2MTb10z17K
mzMzRU/u1n5DEsWlHzkXLmHJCKgid0UHuRbPabPWEK3E0yNid9MBkJWMZTFaALx7
QMdF7QUc/2mEj2ILuNO4V0KHIBVHDwT+SYGXJ+wPY6nHSo5pIeiSWdNpozvKB24y
8OWc1ST/rA6RaEDajSRMUxEkTtH7rGeueTVMhG8JCWWhmgNeMusg5Jq6OTrSooys
c6EDJsD44QaHrJUn6fXwOuyAgmzjX9p04fga67npSFoNUm7vuQINBFClIUgBEADQ
gWsxXqwIpuLVvcaiIo9pvO3wkt2nzXpLr93vzy+0+DTO11ejRDj9fuIA/9h55Yz5
8snI9+aIKryDedhY+3/iv1izN9tsWyLms1V0xHdKC0RgmBxtJoHyPVdwgDu/86bd
61zbhZAsaVmtP2vOdRD4dgR8wtTDbKnr9j4S8mRLkPJnjp+9e+H+akVVYbTx+Qki
l5XU7ogZejZnTaAonK/jMsbIUF2d1iFdvkMr1I9xFqqHTLwO0tmH/ZDP/9jcMnf4
dmVWDA4ykegn9RY+24YZ0mLaZrkDpvtfUrzxcZnvHuLVfROnQzOcIoP27Ut1v9s6
A1uLq8zxy8+pyHBi/DPz2ae1/fMDNJnZcdo8qQFY2NzRnzL6SRZ1YBzWR8t8B0m4
AginEa+/61UNNyXjkHzqqkVPv1EZ01c44MhB1P8/HZXF7YX80c6N2TUuGhH9dVRa
5S7JWaee8Ib6MT7Nafn/rmLoXPtU5lLzo1SbcEBHbkZXw365BCzp9X+LfesXF9xj
h4ISrCTcjaE20QoE1cNOsvuiuVK9fRqKsfMxuju0SpvZl5cAGM603WPZBMehbJ8e
i2J4CXHOr7mF/ecAlTAr08nYuQTEEpAx7ad/BtrmHFa8IqEhsEqBNC7xuzwAuPI7
xiiO7/KgDyS0mJ8Xm+9DMP/1q/QxT7Z4Ni4x2U+/swARAQABiQIfBBgBAgAJBQJQ
pSFIAhsMAAoJECMUDzj1Me+nD80P/0HLsF0BfxPgm/raoYS9Cqve6/aP9pHtAODD
SVGrb//PKAddVqJnsCu0TPbULx0cAYztQHw8n7rAO6iNbrxhOa6kin2vvdO0mVQY
kl3a/bDyo8rP/xyMS8K4EE2DfCL1HSDAS2r37mzi8RZED2Yj9F0aBgTO7rGhSXWt
WsDzsPzP46b8mr8BLQ8NfxKlJFpyIq8DwPEasrS5sKXEVXvnY4ZQMa5C2qzg1+LC
c6lbQHPIOaUnENy9ApBepZT8a09Ol3/2Z75UOe2AM5vynT5iST8fdFJlpI1+Z/hs
b+ZQ2uoMVW+O1VVtq+20o1WQVu9pORIKIq7wbBsIq6mejCC+KIZ5RDUPehs97+sL
il546IMqllX0LP40hBM/JP7vZEknYhkGl/HuJyrhaNi8NI4ryrIO8VL2rSx/1eUP
5Yn7jC5T+7twk6yKnzLZYfAG3F3HMTVrp5QwygBc+xmInwqbgHf4fJgT1WOVelKq
1wfoF7DYRT7+J5gAJboYOvS4cIqXAgeeslW76jRKbaK0X/Fa06fiRw3vGSEWdr+A
r4Kv/RAEB5z4da5MT88CB3OtgiJofnsPb+A+TmjTPcmaV2LHH30U/1aD/3RERBHb
cpKz+AV6MQ/7XpQiusXK14ospdTScEVwruXlCyt0hbqTsijiReNV4lV9nXtfmrEL
L0XnT71B
=o46N
-----END PGP PUBLIC KEY BLOCK-----

BIN
misc/dispvm-dotfiles.tbz
View File

Binary file not shown.

36
misc/dispvm-prerun.sh
View File

@ -1,36 +0,0 @@
#!/bin/sh
apps="evince /usr/libexec/evinced soffice firefox"
#If user have customized DispVM settings, use its home instead of default dotfiles
if [ -e /rw/home/user/.qubes-dispvm-customized ]; then
cp -af /rw/home/user /home/
else
cat /etc/dispvm-dotfiles.tbz | tar -xjf- --overwrite -C /home/user --owner user 2>&1 >/tmp/dispvm-dotfiles-errors.log
fi
for app in $apps ; do
echo "Launching: $app..."
$app >>/tmp/dispvm_prerun_errors.log 2>&1 &
done
echo "Sleeping..."
PREV_IO=0
while true; do
IO=`vmstat -D | awk '/read|write/ {IOs+=$1} END {print IOs}'`
if [ $IO -lt $[ $PREV_IO + 50 ] ]; then
break;
fi
PREV_IO=$IO
sleep 1
done
ps ax > /tmp/dispvm-prerun-proclist.log
if [ -e /rw/home/user/.qubes-dispvm-customized ]; then
cp -af /rw/home/user /home/
else
cat /etc/dispvm-dotfiles.tbz | tar -xjf- --overwrite -C /home/user --owner user 2>&1 >>/tmp/dispvm-dotfiles-errors.log
fi
echo done.

13
misc/fstab
View File

@ -1,13 +0,0 @@
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/dmroot / ext4 defaults,noatime 1 1
/dev/xvdb /rw ext4 noauto,defaults,discard 1 2
/rw/home /home none noauto,bind,defaults 0 0
/dev/xvdc1 swap swap defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
xen /proc/xen xenfs defaults 0 0
/dev/xvdi /mnt/removable auto noauto,user,rw 0 0

7
misc/nautilus-actions.conf
View File

@ -1,7 +0,0 @@
[runtime]
items-create-root-menu=false
items-add-about-item=false
[io-provider na-desktop]
readable=true
writable=true

4
misc/org.gnome.settings-daemon.plugins.updates.gschema.override
View File

@ -1,4 +0,0 @@
[org.gnome.settings-daemon.plugins.updates]
auto-update-type='none'
active=false
frequency-get-updates=0

6
misc/polkit-1-qubes-allow-all.pkla
View File

@ -1,6 +0,0 @@
[Qubes allow all]
Identity=*
Action=*
ResultAny=yes
ResultInactive=yes
ResultActive=yes

20
misc/qubes.repo
View File

@ -1,20 +0,0 @@
[qubes-vm-current]
name = Qubes OS Repository for VM (updates)
baseurl = http://yum.qubes-os.org/r2/current/vm/fc$releasever
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-2-primary
gpgcheck = 1
[qubes-vm-current-testing]
name = Qubes OS Repository for VM (updates-testing)
baseurl = http://yum.qubes-os.org/r2/current-testing/vm/fc$releasever
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-2-primary
gpgcheck = 1
enabled=0
[qubes-vm-unstable]
name = Qubes OS Repository for VM (unstable)
baseurl = http://yum.qubes-os.org/r2/unstable/vm/fc$releasever
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-2-unstable
gpgcheck = 1
enabled=0

46
misc/qubes.sudoers
View File

@ -1,46 +0,0 @@
user ALL=(ALL) NOPASSWD: ALL
# WTF?! Have you lost your mind?!
#
# In Qubes VMs there is no point in isolating the root account from
# the user account. This is because all the user data are already
# accessible from the user account, so there is no direct benefit for
# the attacker if she could escalate to root (there is even no benefit
# in trying to install some persistent rootkits, as the VM's root
# filesystem modifications are lost upon each start of a VM).
#
# One might argue that some hypothetical attacks against the
# hypervisor or the few daemons/backends in Dom0 (so VM escape
# attacks) most likely would require root access in the VM to trigger
# the attack.
#
# That's true, but mere existence of such a bug in the hypervisor or
# Dom0 that could be exploited by a malicious VM, no matter whether
# requiring user, root, or even kernel access in the VM, would be
# FATAL. In such situation (if there was such a bug in Xen) there
# really is no comforting that: "oh, but the mitigating factor was
# that the attacker needed root in VM!" We're not M$, and we're not
# gonna BS our users that there are mitigating factors in that case,
# and for sure, root/user isolation is not a mitigating factor.
#
# Because, really, if somebody could find and exploit a bug in the Xen
# hypervisor -- so far there have been only one (!) publicly disclosed
# exploitable bug in the Xen hypervisor from a VM, found in 2008,
# incidentally by one of the Qubes developers (RW) -- then it would be
# highly unlikely if that person couldn't also found a user-to-root
# escalation in VM (which as we know from history of UNIX/Linux
# happens all the time).
#
# At the same time allowing for easy user-to-root escalation in a VM
# is simply convenient for users, especially for update installation.
#
# Currently this still doesn't work as expected, because some idotic
# piece of software called PolKit uses own set of policies. We're
# planning to address this in Beta 2. (Why PolKit is an idiocy? Do a
# simple experiment: start 'xinput test' in one xterm, running as
# user, then open some app that uses PolKit and asks for root
# password, e.g. gpk-update-viewer -- observe how all the keystrokes
# with root password you enter into the "secure" PolKit dialog box can
# be seen by the xinput program...)
#
# joanna.

3
misc/qubes_core.modules
View File

@ -1,3 +0,0 @@
modprobe evtchn 2>/dev/null || modprobe xen-evtchn
modprobe xen-blkback 2> /dev/null || modprobe blkbk
modprobe xen-usbfront 2> /dev/null

101
misc/qubes_download_dom0_updates.sh
View File

@ -1,101 +0,0 @@
#!/bin/bash
DOM0_UPDATES_DIR=/var/lib/qubes/dom0-updates
DOIT=0
GUI=1
CLEAN=0
CHECK_ONLY=0
OPTS="--installroot $DOM0_UPDATES_DIR --config=$DOM0_UPDATES_DIR/etc/yum.conf"
PKGLIST=
while [ -n "$1" ]; do
case "$1" in
--doit)
DOIT=1
;;
--nogui)
GUI=0
;;
--gui)
GUI=1
;;
--clean)
CLEAN=1
;;
--check-only)
CHECK_ONLY=1
;;
-*)
OPTS="$OPTS $1"
;;
*)
PKGLIST="$PKGLIST $1"
;;
esac
shift
done
if ! [ -d "$DOM0_UPDATES_DIR" ]; then
echo "Dom0 updates dir does not exists: $DOM0_UPDATES_DIR" >&2
exit 1
fi
mkdir -p $DOM0_UPDATES_DIR/etc
sed -i '/^reposdir\s*=/d' $DOM0_UPDATES_DIR/etc/yum.conf
# Rebuild rpm database in case of different rpm version
rm -f $DOM0_UPDATES_DIR/var/lib/rpm/__*
rpm --root=$DOM0_UPDATES_DIR --rebuilddb
if [ "$CLEAN" = "1" ]; then
yum $OPTS clean all
rm -f $DOM0_UPDATES_DIR/packages/*
fi
if [ "x$PKGLIST" = "x" ]; then
echo "Checking for dom0 updates..." >&2
PKGLIST=`yum $OPTS check-update -q | cut -f 1 -d ' '`
else
PKGS_FROM_CMDLINE=1
fi
if [ -z "$PKGLIST" ]; then
# No new updates
if [ "$GUI" = 1 ]; then
zenity --info --text="No new updates available"
fi
exit 0
fi
if [ "$CHECK_ONLY" = "1" ]; then
echo "Available updates: $PKGLIST"
exit 100
fi
if [ "$DOIT" != "1" -a "$PKGS_FROM_CMDLINE" != "1" ]; then
zenity --question --title="Qubes Dom0 updates" \
--text="There are updates for dom0 available, do you want to download them now?" || exit 0
fi
if [ "$PKGS_FROM_CMDLINE" == 1 ]; then
GUI=0
fi
mkdir -p "$DOM0_UPDATES_DIR/packages"
set -e
if [ "$GUI" = 1 ]; then
( echo "1"
yumdownloader --resolve --destdir "$DOM0_UPDATES_DIR/packages" $OPTS $PKGLIST
echo 100 ) | zenity --progress --pulsate --auto-close --auto-kill \
--text="Downloading updates for Dom0, please wait..." --title="Qubes Dom0 updates"
else
yumdownloader --resolve --destdir "$DOM0_UPDATES_DIR/packages" $OPTS $PKGLIST
fi
if ls $DOM0_UPDATES_DIR/packages/*.rpm > /dev/null 2>&1; then
/usr/lib/qubes/qrexec_client_vm dom0 qubes.ReceiveUpdates /usr/lib/qubes/qfile-agent $DOM0_UPDATES_DIR/packages/*.rpm
else
echo "No packages downloaded"
fi

1
misc/qubes_misc.modules
View File

@ -1 +0,0 @@
modprobe dummy-hcd 2>/dev/null || true

2
misc/qubes_misc.rules
View File

@ -1,2 +0,0 @@
SUBSYSTEM=="memory", ACTION=="add", ATTR{state}=="offline", ATTR{state}="online"
KERNEL=="xen/evtchn", MODE="0666"

7
misc/qubes_serial_login
View File

@ -1,7 +0,0 @@
#!/bin/sh
if /bin/ls -l /proc/self/fd/0 | grep -q /dev/hvc0 ; then
exec su - $2
exit
else
exec /bin/login "$@"
fi

1
misc/qubes_trigger_sync_appmenus.action
View File

@ -1 +0,0 @@
*:any:/usr/lib/qubes/qubes_trigger_sync_appmenus.sh

7
misc/qubes_trigger_sync_appmenus.sh
View File

@ -1,7 +0,0 @@
#!/bin/sh
UPDATEABLE=`/usr/bin/xenstore-read qubes_vm_updateable`
if [ "$UPDATEABLE" = "True" ]; then
/usr/lib/qubes/qrexec_client_vm dom0 qubes.SyncAppMenus /bin/sh /etc/qubes_rpc/qubes.GetAppmenus
fi

21
misc/serial.conf
View File

@ -1,21 +0,0 @@
# Automatically start a configured serial console
#
# How this works:
#
# On boot, a udev helper examines /dev/console. If a serial console is the
# primary console (last console on the commandline in grub), the event
# 'fedora.serial-console-available <port name> <speed>' is emitted, which
# triggers this script. It waits for the runlevel to finish, ensures
# the proper port is in /etc/securetty, and starts the getty.
#
# If your serial console is not the primary console, or you want a getty
# on serial even if it's not the console, create your own event by copying
# /etc/init/tty.conf, and changing the getty line in that file.
start on fedora.serial-console-available DEV=* and stopped rc RUNLEVEL=[2345]
stop on runlevel [016]
instance $DEV
respawn
pre-start exec /sbin/securetty $DEV
exec /sbin/agetty -l /sbin/qubes_serial_login /dev/$DEV $SPEED vt100-nav

28
misc/xenstore-watch.c
View File

@ -1,28 +0,0 @@
#include <sys/types.h>
#include <xs.h>
#include <stdio.h>
#include <stdlib.h>
main(int argc, char **argv)
{
struct xs_handle *xs;
unsigned int count;
char **vec;
char dummy;
if (argc != 2) {
fprintf(stderr, "usage: %s xenstore_path\n", argv[0]);
exit(1);
}
xs = xs_domain_open();
if (!xs) {
perror("xs_domain_open");
exit(1);
}
if (!xs_watch(xs, argv[1], &dummy)) {
perror("xs_watch");
exit(1);
}
vec = xs_read_watch(xs, &count);
free(vec);
vec = xs_read_watch(xs, &count);
free(vec);
}

30
misc/xorg-preload-apps.conf
View File

@ -1,30 +0,0 @@
Section "ServerLayout"
Identifier "Default Layout"
Screen 0 "Screen0" 0 0
EndSection
Section "Device"
Identifier "Videocard0"
Driver "dummy"
VideoRam 4001
EndSection
Section "Monitor"
Identifier "Monitor0"
HorizSync 49-50
VertRefresh 62-63
Modeline "QB1280x800" 64 1280 1281 1282 1283 800 801 802 803
EndSection
Section "Screen"
Identifier "Screen0"
Device "Videocard0"
Monitor "Monitor0"
DefaultDepth 24
SubSection "Display"
Viewport 0 0
Depth 24
Modes "QB1280x800"
EndSubSection
EndSection

2
misc/yum-qubes-hooks.conf
View File

@ -1,2 +0,0 @@
[main]
enabled=1

42
misc/yum-qubes-hooks.py
View File

@ -1,42 +0,0 @@
#!/usr/bin/python
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2012 Marek Marczykowski <marmarek@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
from yum.plugins import TYPE_CORE
from yum.constants import *
import subprocess
requires_api_version = '2.4'
plugin_type = (TYPE_CORE,)
def posttrans_hook(conduit):
# Get all updates available _before_ this transaction
pkg_list = conduit._base.doPackageLists(pkgnarrow='updates')
# Get packages installed in this transaction...
ts = conduit.getTsInfo()
all = ts.getMembers()
# ...and filter them out of available updates
filtered_updates = filter(lambda x: x not in all, pkg_list.updates)
# Notify dom0 about left updates count
subprocess.call(['/usr/lib/qubes/qrexec_client_vm', 'dom0', 'qubes.NotifyUpdates', '/bin/echo', str(len(filtered_updates))])

8
network/30-qubes_external_ip
View File

@ -1,8 +0,0 @@
#!/bin/sh
if [ x$2 == xup ]; then
INET=$(/sbin/ip addr show dev $1 | /bin/grep inet)
/usr/bin/xenstore-write qubes_netvm_external_ip "$INET"
fi
if [ x$2 == xdown ]; then
/usr/bin/xenstore-write qubes_netvm_external_ip ""
fi

6
network/filter-qubes-yum
View File

@ -1,6 +0,0 @@
/repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$
/repodata/repomd\.xml$
\.rpm$
\.drpm$
^mirrors\.fedoraproject\.org:443$
^http://mirrors\..*/mirrorlist\?

11
network/network-manager-prepare-conf-dir
View File

@ -1,11 +0,0 @@
#!/bin/sh
NM_CONFIG_DIR=/etc/NetworkManager/system-connections
if [ -d $NM_CONFIG_DIR -a ! -h $NM_CONFIG_DIR ]; then
mkdir -p /rw/config/NM-system-connections
mv $NM_CONFIG_DIR/* /rw/config/NM-system-connections/ 2> /dev/null || true
rmdir $NM_CONFIG_DIR
ln -s /rw/config/NM-system-connections $NM_CONFIG_DIR
fi
exit 0

12
network/qubes.repo
View File

@ -1,12 +0,0 @@
[qubes-netvm]
name = Qubes OS Repository for NetVM
baseurl = http://qubes-os.org/yum/r1/netvm/rpm
gpgkey = http://qubes-os.org/keys/qubes-release-1-signing-key.asc
gpgcheck = 1
[qubes-netvm-testing]
name = Qubes OS Repository for NetVM
baseurl = http://qubes-os.org/yum/r1-testing/netvm/rpm
gpgkey = http://qubes-os.org/keys/qubes-release-1-signing-key.asc
gpgcheck = 1
enabled=0

53
network/qubes_firewall
View File

@ -1,53 +0,0 @@
#!/bin/bash
set -e
PIDFILE=/var/run/qubes/qubes_firewall.pid
XENSTORE_IPTABLES=qubes_iptables
XENSTORE_IPTABLES_HEADER=qubes_iptables_header
XENSTORE_ERROR=qubes_iptables_error
OLD_RULES=""
# PIDfile handling
[[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0
echo $$ >$PIDFILE
trap 'exit 0' SIGTERM
FIRST_TIME=yes
while true; do
echo "1" > /proc/sys/net/ipv4/ip_forward
if [ "$FIRST_TIME" ]; then
FIRST_TIME=
TRIGGER=reload
else
# Wait for changes in xenstore file
/usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
fi
if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
# Disable forarding to prevent potential "leaks" that might
# be bypassing the firewall or some proxy service (e.g. tor)
# during the time when the rules are being (re)applied
echo "0" > /proc/sys/net/ipv4/ip_forward
RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER)
IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || true`
for i in $(xenstore-list qubes_iptables_domainrules) ; do
RULES=$(/usr/bin/xenstore-read qubes_iptables_domainrules/"$i")
ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true`
OUT="$OUT$ERRS"
done
/usr/bin/xenstore-write $XENSTORE_ERROR "$OUT"
if [ "$OUT" ]; then
DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
fi
# Check if user didn't define some custom rules to be applied as well...
[ -x /rw/config/qubes_firewall_user_script ] && /rw/config/qubes_firewall_user_script
done

19
network/qubes_fix_nm_conf.sh
View File

@ -1,19 +0,0 @@
#!/bin/sh
FILE=/etc/NetworkManager/NetworkManager.conf
VIFMAC=mac:fe:ff:ff:ff:ff:ff
if ! grep -q ^plugins.*keyfile $FILE ; then
sed -i 's/^plugins.*$/&,keyfile/' $FILE
fi
if grep -q ^plugins.*ifcfg-rh $FILE ; then
sed -i 's/^plugins=\(.*\)ifcfg-rh,\(.*\)$/plugins=\1\2/' $FILE
fi
if ! grep -q '^\[keyfile\]$' $FILE ; then
echo '[keyfile]' >> $FILE
fi
if ! grep -q ^unmanaged-devices $FILE ; then
sed -i 's/^\[keyfile\]$/\[keyfile\]\x0aunmanaged-devices='$VIFMAC/ $FILE
fi
if ! grep -q ^unmanaged-devices.*$VIFMAC $FILE ; then
sed -i 's/^unmanaged-devices.*$/&,'$VIFMAC/ $FILE
fi
exit 0

31
network/qubes_netwatcher
View File

@ -1,31 +0,0 @@
#!/bin/bash
set -e
PIDFILE=/var/run/qubes/qubes_netwatcher.pid
CURR_NETCFG=""
# PIDfile handling
[[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0
echo $$ >$PIDFILE
trap 'exit 0' SIGTERM
while true; do
NET_DOMID=$(/usr/bin/xenstore-read qubes_netvm_domid || :)
if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then
UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes_netvm_external_ip || :)
# UNTRUSTED_NETCFG is not parsed in any way
# thus, no sanitization ready
# but be careful when passing it to other shell scripts
if [[ "$UNTRUSTED_NETCFG" != "$CURR_NETCFG" ]]; then
/sbin/service qubes-firewall stop
/sbin/service qubes-firewall start
CURR_NETCFG="$UNTRUSTED_NETCFG"
/usr/bin/xenstore-write qubes_netvm_external_ip "$CURR_NETCFG"
fi
/usr/bin/xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes_netvm_external_ip qubes_netvm_domid
else
/usr/bin/xenstore-watch -n 2 qubes_netvm_domid
fi
done

2
network/qubes_network.rules
View File

@ -1,2 +0,0 @@
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/qubes/setup_ip"

2
network/qubes_nmhook
View File

@ -1,2 +0,0 @@
#!/bin/sh
/usr/lib/qubes/qubes_setup_dnat_to_ns

24
network/qubes_setup_dnat_to_ns
View File

@ -1,24 +0,0 @@
#!/bin/sh
addrule()
{
if [ $FIRSTONE = yes ] ; then
FIRSTONE=no
RULE1="-A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $1"
else
RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1"
NS=$NS2
fi
}
export PATH=$PATH:/sbin:/bin
source /var/run/qubes/qubes_ns
if [ "X"$NS1 = "X" ] ; then exit ; fi
iptables -t nat -F PR-QBS
FIRSTONE=yes
grep ^nameserver /etc/resolv.conf | grep -v ":.*:" | head -2 |
(
while read x y z ; do
addrule "$y"
done
(echo "*nat"; echo $RULE1; echo $RULE2; echo COMMIT) | iptables-restore -n
)

27
network/setup_ip
View File

@ -1,27 +0,0 @@
#!/bin/sh
ip=`/usr/bin/xenstore-read qubes_ip 2> /dev/null`
if [ x$ip != x ]; then
netmask=`/usr/bin/xenstore-read qubes_netmask`
gateway=`/usr/bin/xenstore-read qubes_gateway`
secondary_dns=`/usr/bin/xenstore-read qubes_secondary_dns`
/sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
/sbin/ifconfig $INTERFACE up
/sbin/route add -host $gateway dev $INTERFACE
/sbin/route add default gw $gateway
/sbin/ethtool -K $INTERFACE sg off
/sbin/ethtool -K $INTERFACE tx off
echo "nameserver $gateway" > /etc/resolv.conf
echo "nameserver $secondary_dns" >> /etc/resolv.conf
network=$(/usr/bin/xenstore-read qubes_netvm_network 2>/dev/null)
if [ "x$network" != "x" ]; then
gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
echo "NS1=$gateway" > /var/run/qubes/qubes_ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
/usr/lib/qubes/qubes_setup_dnat_to_ns
[ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook
fi
fi

30
network/tinyproxy-qubes-yum.conf
View File

@ -1,30 +0,0 @@
User tinyproxy
Group tinyproxy
Port 8082
Timeout 60
DefaultErrorFile "/usr/share/tinyproxy/default.html"
#StatHost "tinyproxy.stats"
StatFile "/usr/share/tinyproxy/stats.html"
Syslog On
LogLevel Notice
PidFile "/var/run/tinyproxy/tinyproxy-qubes-yum.pid"
MaxClients 50
MinSpareServers 2
MaxSpareServers 10
StartServers 2
MaxRequestsPerChild 0
ViaProxyName "tinyproxy"
Allow 127.0.0.1
Allow 10.137.0.0/16
Filter "/etc/tinyproxy/filter-qubes-yum"
FilterURLs On
#FilterExtended On
#FilterCaseSensitive On
FilterDefaultDeny Yes
ConnectPort 443

9
qubes_rpc/.gitignore vendored
View File

@ -1,9 +0,0 @@
qubes_add_pendrive_script
qubes_penctl
qvm-open-in-dvm
dvm_file_editor
qfile-agent
qfile-agent-dvm
qfile-unpacker
qopen-in-vm
vm-file-editor

14
qubes_rpc/Makefile
View File

@ -1,14 +0,0 @@
CC=gcc
CFLAGS=-g -Wall -I. -fPIC -pie
all: vm-file-editor qopen-in-vm qfile-agent qfile-unpacker
vm-file-editor: vm-file-editor.o ioall.o
$(CC) -pie -g -o $@ $^
qopen-in-vm: qopen-in-vm.o ioall.o gui-fatal.o
$(CC) -pie -g -o $@ $^
qfile-agent: qfile-agent.o ioall.o gui-fatal.o copy_file.o crc32.o
$(CC) -pie -g -o $@ $^
qfile-unpacker: qfile-unpacker.o ioall.o gui-fatal.o copy_file.o unpack.o crc32.o
$(CC) -pie -g -o $@ $^
clean:
rm -f qopen-in-vm qfile-agent qfile-unpacker vm-file-editor *.o *~

2
qubes_rpc/dvm2.h
View File

@ -1,2 +0,0 @@
#define DVM_FILENAME_SIZE 256
#define DVM_SPOOL "/home/user/.dvmspool"

55
qubes_rpc/gui-fatal.c
View File

@ -1,55 +0,0 @@
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <malloc.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdarg.h>
static void fix_display()
{
setenv("DISPLAY", ":0", 1);
}
static void produce_message(char * type, const char *fmt, va_list args)
{
char *dialog_msg;
char buf[1024];
(void) vsnprintf(buf, sizeof(buf), fmt, args);
asprintf(&dialog_msg, "%s: %s: %s (error type: %s)",
program_invocation_short_name, type, buf, strerror(errno));
fprintf(stderr, "%s", dialog_msg);
switch (fork()) {
case -1:
exit(1); //what else
case 0:
fix_display();
#ifdef USE_KDIALOG
execlp("kdialog", "kdialog", "--sorry", dialog_msg, NULL);
#else
execlp("zenity", "zenity", "--error", "--text", dialog_msg, NULL);
#endif
exit(1);
default:;
}
}
void gui_fatal(const char *fmt, ...)
{
va_list args;
va_start(args, fmt);
produce_message("Fatal error", fmt, args);
va_end(args);
exit(1);
}
void gui_nonfatal(const char *fmt, ...)
{
va_list args;
va_start(args, fmt);
produce_message("Information", fmt, args);
va_end(args);
}

2
qubes_rpc/gui-fatal.h
View File

@ -1,2 +0,0 @@
void gui_fatal(const char *fmt, ...);
void gui_nonfatal(const char *fmt, ...);

16
qubes_rpc/prepare-suspend
View File

@ -1,16 +0,0 @@
#!/bin/sh
action=$1
[ -z "$action" ] && action=suspend
if [ x"$action" == x"suspend" ]; then
nmcli nm sleep true || service NetworkManager stop
# Force interfaces down, just in case when NM didn't done it
for if in `ls /sys/class/net|grep -v "lo\|vif"`; do
ip l s $if down
done
modprobe -r uhci_hcd ehci_hcd
else
modprobe ehci_hcd; modprobe uhci_hcd;
nmcli nm sleep false || { [ -x /bin/systemctl ] && systemctl start NetworkManager.service; } || service qubes_core_netvm start
fi

251
qubes_rpc/qfile-agent.c
View File

@ -1,251 +0,0 @@
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <signal.h>
#include <fcntl.h>
#include <malloc.h>
#include <stdlib.h>
#include <ioall.h>
#include <unistd.h>
#include <errno.h>
#include <gui-fatal.h>
#include "filecopy.h"
#include "crc32.h"
enum {
PROGRESS_FLAG_NORMAL,
PROGRESS_FLAG_INIT,
PROGRESS_FLAG_DONE
};
unsigned long crc32_sum;
int write_all_with_crc(int fd, void *buf, int size)
{
crc32_sum = Crc32_ComputeBuf(crc32_sum, buf, size);
return write_all(fd, buf, size);
}
void do_notify_progress(long long total, int flag)
{
char *du_size_env = getenv("FILECOPY_TOTAL_SIZE");
char *progress_type_env = getenv("PROGRESS_TYPE");
char *saved_stdout_env = getenv("SAVED_FD_1");
if (!progress_type_env)
return;
if (!strcmp(progress_type_env, "console") && du_size_env) {
char msg[256];
snprintf(msg, sizeof(msg), "sent %lld/%lld KB\r",
total / 1024, strtoull(du_size_env, NULL, 0));
write(2, msg, strlen(msg));
if (flag == PROGRESS_FLAG_DONE)
write(2, "\n", 1);
}
if (!strcmp(progress_type_env, "gui") && saved_stdout_env) {
char msg[256];
snprintf(msg, sizeof(msg), "%lld\n", total);
write(strtoul(saved_stdout_env, NULL, 0), msg,
strlen(msg));
}
}
void wait_for_result()
{
struct result_header hdr;
if (!read_all(0, &hdr, sizeof(hdr))) {
if (errno == EAGAIN) {
// no result sent and stdin still open
return;
} else {
// other read error or EOF
exit(1); // hopefully remote has produced error message
}
}
if (hdr.error_code != 0) {
switch (hdr.error_code) {
case EEXIST:
gui_fatal("File copy: not overwriting existing file. Clean QubesIncoming dir, and retry copy");
break;
case EINVAL:
gui_fatal("File copy: Corrupted data from packer");
break;
default:
gui_fatal("File copy: %s",
strerror(hdr.error_code));
}
}
if (hdr.crc32 != crc32_sum) {
gui_fatal("File transfer failed: checksum mismatch");
}
}
void notify_progress(int size, int flag)
{
static long long total = 0;
static long long prev_total = 0;
total += size;
if (total > prev_total + PROGRESS_NOTIFY_DELTA
|| (flag != PROGRESS_FLAG_NORMAL)) {
// check for possible error from qfile-unpacker; if error occured,
// exit() will be called, so don't bother with current state
// (notify_progress can be called as callback from copy_file())
if (flag == PROGRESS_FLAG_NORMAL)
wait_for_result();
do_notify_progress(total, flag);
prev_total = total;
}
}
void write_headers(struct file_header *hdr, char *filename)
{
if (!write_all_with_crc(1, hdr, sizeof(*hdr))
|| !write_all_with_crc(1, filename, hdr->namelen)) {
set_block(0);
wait_for_result();
exit(1);
}
}
int single_file_processor(char *filename, struct stat *st)
{
struct file_header hdr;
int fd;
mode_t mode = st->st_mode;
hdr.namelen = strlen(filename) + 1;
hdr.mode = mode;
hdr.atime = st->st_atim.tv_sec;
hdr.atime_nsec = st->st_atim.tv_nsec;
hdr.mtime = st->st_mtim.tv_sec;
hdr.mtime_nsec = st->st_mtim.tv_nsec;
if (S_ISREG(mode)) {
int ret;
fd = open(filename, O_RDONLY);
if (fd < 0)
gui_fatal("open %s", filename);
hdr.filelen = st->st_size;
write_headers(&hdr, filename);
ret = copy_file(1, fd, hdr.filelen, &crc32_sum);
if (ret != COPY_FILE_OK) {
if (ret != COPY_FILE_WRITE_ERROR)
gui_fatal("Copying file %s: %s", filename,
copy_file_status_to_str(ret));
else {
set_block(0);
wait_for_result();
exit(1);
}
}
close(fd);
}
if (S_ISDIR(mode)) {
hdr.filelen = 0;
write_headers(&hdr, filename);
}
if (S_ISLNK(mode)) {
char name[st->st_size + 1];
if (readlink(filename, name, sizeof(name)) != st->st_size)
gui_fatal("readlink %s", filename);
hdr.filelen = st->st_size + 1;
write_headers(&hdr, filename);
if (!write_all_with_crc(1, name, st->st_size + 1)) {
set_block(0);
wait_for_result();
exit(1);
}
}
// check for possible error from qfile-unpacker
wait_for_result();
return 0;
}
int do_fs_walk(char *file)
{
char *newfile;
struct stat st;
struct dirent *ent;
DIR *dir;
if (lstat(file, &st))
gui_fatal("stat %s", file);
single_file_processor(file, &st);
if (!S_ISDIR(st.st_mode))
return 0;
dir = opendir(file);
if (!dir)
gui_fatal("opendir %s", file);
while ((ent = readdir(dir))) {
char *fname = ent->d_name;
if (!strcmp(fname, ".") || !strcmp(fname, ".."))
continue;
asprintf(&newfile, "%s/%s", file, fname);
do_fs_walk(newfile);
free(newfile);
}
closedir(dir);
// directory metadata is resent; this makes the code simple,
// and the atime/mtime is set correctly at the second time
single_file_processor(file, &st);
return 0;
}
void notify_end_and_wait_for_result()
{
struct file_header end_hdr;
/* nofity end of transfer */
memset(&end_hdr, 0, sizeof(end_hdr));
end_hdr.namelen = 0;
end_hdr.filelen = 0;
write_all_with_crc(1, &end_hdr, sizeof(end_hdr));
set_block(0);
wait_for_result();
}
char *get_abs_path(char *cwd, char *pathname)
{
char *ret;
if (pathname[0] == '/')
return strdup(pathname);
asprintf(&ret, "%s/%s", cwd, pathname);
return ret;
}
int main(int argc, char **argv)
{
int i;
char *entry;
char *cwd;
char *sep;
signal(SIGPIPE, SIG_IGN);
// this will allow checking for possible feedback packet in the middle of transfer
set_nonblock(0);
notify_progress(0, PROGRESS_FLAG_INIT);
crc32_sum = 0;
cwd = getcwd(NULL, 0);
for (i = 1; i < argc; i++) {
entry = get_abs_path(cwd, argv[i]);
do {
sep = rindex(entry, '/');
if (!sep)
gui_fatal
("Internal error: nonabsolute filenames not allowed");
*sep = 0;
} while (sep[1] == 0);
if (entry[0] == 0)
chdir("/");
else if (chdir(entry))
gui_fatal("chdir to %s", entry);
do_fs_walk(sep + 1);
free(entry);
}
notify_end_and_wait_for_result();
notify_progress(0, PROGRESS_FLAG_DONE);
return 0;
}

56
qubes_rpc/qfile-unpacker.c
View File

@ -1,56 +0,0 @@
#define _GNU_SOURCE
#include <ioall.h>
#include <grp.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <pwd.h>
#include <sys/stat.h>
#include <string.h>
#include <unistd.h>
#include <sys/fsuid.h>
#include <gui-fatal.h>
#include <errno.h>
#include "filecopy.h"
#define INCOMING_DIR_ROOT "/home/user/QubesIncoming"
int prepare_creds_return_uid(char *username)
{
struct passwd *pwd;
pwd = getpwnam(username);
if (!pwd) {
perror("getpwnam");
exit(1);
}
setenv("HOME", pwd->pw_dir, 1);
setenv("USER", username, 1);
setgid(pwd->pw_gid);
initgroups(username, pwd->pw_gid);
setfsuid(pwd->pw_uid);
return pwd->pw_uid;
}
extern int do_unpack(void);
int main(int argc, char ** argv)
{
char *incoming_dir;
int uid;
char *remote_domain;
uid = prepare_creds_return_uid("user");
remote_domain = getenv("QREXEC_REMOTE_DOMAIN");
if (!remote_domain) {
gui_fatal("Cannot get remote domain name");
exit(1);
}
mkdir(INCOMING_DIR_ROOT, 0700);
asprintf(&incoming_dir, "%s/%s", INCOMING_DIR_ROOT, remote_domain);
mkdir(incoming_dir, 0700);
if (chdir(incoming_dir))
gui_fatal("Error chdir to %s", incoming_dir);
if (chroot(incoming_dir)) //impossible
gui_fatal("Error chroot to %s", incoming_dir);
setuid(uid);
return do_unpack();
}

103
qubes_rpc/qopen-in-vm.c
View File

@ -1,103 +0,0 @@
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <signal.h>
#include <fcntl.h>
#include <malloc.h>
#include <stdlib.h>
#include <ioall.h>
#include <unistd.h>
#include <gui-fatal.h>
#include "dvm2.h"
void send_file(char *fname)
{
char *base;
int fd = open(fname, O_RDONLY);
if (fd < 0)
gui_fatal("open %s", fname);
base = rindex(fname, '/');
if (!base)
base = fname;
else
base++;
if (strlen(base) >= DVM_FILENAME_SIZE)
base += strlen(base) - DVM_FILENAME_SIZE + 1;
if (!write_all(1, base, DVM_FILENAME_SIZE))
gui_fatal("send filename to dispVM");
if (!copy_fd_all(1, fd))
gui_fatal("send file to dispVM");
close(1);
}
int copy_and_return_nonemptiness(int tmpfd)
{
struct stat st;
if (!copy_fd_all(tmpfd, 0))
gui_fatal("receiving file from dispVM");
if (fstat(tmpfd, &st))
gui_fatal("fstat");
close(tmpfd);
return st.st_size;
}
void recv_file_nowrite(char *fname)
{
char *tempfile;
char *errmsg;
int tmpfd;
asprintf(&tempfile, "/tmp/file_edited_in_dvm.XXXXXX");
tmpfd = mkstemp(tempfile);
if (tmpfd < 0)
gui_fatal("unable to create any temporary file, aborting");
if (!copy_and_return_nonemptiness(tmpfd)) {
unlink(tempfile);
return;
}
asprintf(&errmsg,
"The file %s has been edited in Disposable VM and the modified content has been received, "
"but this file is in nonwritable directory and thus cannot be modified safely. The edited file has been "
"saved to %s", fname, tempfile);
gui_nonfatal(errmsg);
}
void actually_recv_file(char *fname, char *tempfile, int tmpfd)
{
if (!copy_and_return_nonemptiness(tmpfd)) {
unlink(tempfile);
return;
}
if (rename(tempfile, fname))
gui_fatal("rename");
}
void recv_file(char *fname)
{
int tmpfd;
char *tempfile;
asprintf(&tempfile, "%s.XXXXXX", fname);
tmpfd = mkstemp(tempfile);
if (tmpfd < 0)
recv_file_nowrite(fname);
else
actually_recv_file(fname, tempfile, tmpfd);
}
void talk_to_daemon(char *fname)
{
send_file(fname);
recv_file(fname);
}
int main(int argc, char ** argv)
{
signal(SIGPIPE, SIG_IGN);
if (argc!=2)
gui_fatal("OpenInVM - no file given?");
talk_to_daemon(argv[1]);
return 0;
}

4
qubes_rpc/qrun-in-vm
View File

@ -1,4 +0,0 @@
#!/bin/sh
# pass aguments to the remote stdin, shovel back the remote output
echo "$@"
exec /bin/cat >&$SAVED_FD_1

1
qubes_rpc/qubes.Filecopy
View File

@ -1 +0,0 @@
/usr/lib/qubes/qfile-unpacker

1
qubes_rpc/qubes.GetAppmenus
View File

@ -1 +0,0 @@
find /usr/share/applications/ /usr/local/share/applications/ -name '*.desktop' | xargs awk '/^\[/ { if (tolower($0) != "\[desktop entry\]") nextfile } /=/ {print FILENAME ":" $0 }' 2> /dev/null

1
qubes_rpc/qubes.OpenInVM
View File

@ -1 +0,0 @@
/usr/lib/qubes/vm-file-editor

1
qubes_rpc/qubes.SuspendPost
View File

@ -1 +0,0 @@
/usr/lib/qubes/prepare-suspend resume

1
qubes_rpc/qubes.SuspendPre
View File

@ -1 +0,0 @@
/usr/lib/qubes/prepare-suspend suspend

1
qubes_rpc/qubes.SyncNtpClock
View File

@ -1 +0,0 @@
/usr/lib/qubes/sync-ntp-clock

1
qubes_rpc/qubes.VMShell
View File

@ -1 +0,0 @@
/bin/bash

2
qubes_rpc/qubes.WaitForSession
View File

@ -1,2 +0,0 @@
read USERNAME
su -c 'echo $$ >> /tmp/qubes-session-waiter; [ ! -f /tmp/qubes-session-env ] && exec sleep 365d' - "$USERNAME"

9
qubes_rpc/qvm-copy-gnome.desktop
View File

@ -1,9 +0,0 @@
[Desktop Entry]
Type=Action
ToolbarLabel[C]=Copy to other AppVM
Name[C]=Copy to other AppVM
Profiles=profile-zero;
[X-Action-Profile profile-zero]
Exec=/usr/lib/qubes/qvm-copy-to-vm.gnome %F
Name[C]=Default profile

43
qubes_rpc/qvm-copy-to-vm
View File

@ -1,43 +0,0 @@
#!/bin/sh
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2010 Rafal Wojtczuk <rafal@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
if [ $# -lt 2 ] ; then
echo usage: $0 '[--without-progress] dest_vmname file [file]+'
exit 1
fi
if [ x"$1" = "x--without-progress" ] ; then
export PROGRESS_TYPE=none
shift
else
export PROGRESS_TYPE=console
fi
VM="$1"
shift
if [ $PROGRESS_TYPE = console ] ; then
export FILECOPY_TOTAL_SIZE=$(du --apparent-size -c "$@" | tail -1 | cut -f 1)
fi
exec /usr/lib/qubes/qrexec_client_vm $VM qubes.Filecopy /usr/lib/qubes/qfile-agent "$@"

34
qubes_rpc/qvm-copy-to-vm.gnome
View File

@ -1,34 +0,0 @@
#!/bin/sh
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2010 Rafal Wojtczuk <rafal@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
VM=$(qvm-mru-entry --title="File Copy" --text="Enter the destination domain name:" --mrufile "qvm-mru-filecopy")
if [ X$VM = X ] ; then exit 0 ; fi
SIZE=$(du --apparent-size -c "$@" | tail -1 | cut -f 1)
export PROGRESS_TYPE=gui
/usr/lib/qubes/qrexec_client_vm $VM qubes.Filecopy /usr/lib/qubes/qfile-agent "$@" |
(while read sentsize ; do
CURRSIZE=$(($sentsize/1024))
echo $((100*$CURRSIZE/$SIZE))
done) | zenity --progress --text="Copying files to domain: $VM..." --auto-close

43
qubes_rpc/qvm-copy-to-vm.kde
View File

@ -1,43 +0,0 @@
#!/bin/sh
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2010 Rafal Wojtczuk <rafal@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
VM=$(kdialog -inputbox "Enter the VM name to send files to:")
if [ X$VM = X ] ; then exit 0 ; fi
SIZE=$(du --apparent-size -c "$@" | tail -1 | cut -f 1)
REF=$(kdialog --progressbar "Copy progress")
qdbus $REF org.freedesktop.DBus.Properties.Set "" maximum $SIZE
export PROGRESS_TYPE=gui
/usr/lib/qubes/qrexec_client_vm $VM qubes.Filecopy \
/usr/lib/qubes/qfile-agent "$@" |
(while read sentsize ; do
CURRSIZE=$(($sentsize/1024))
qdbus $REF org.freedesktop.DBus.Properties.Set "" value $CURRSIZE
done)
qdbus $REF close
# we do not want a dozen error messages, do we
# if ! [ "x"$agentstatus = xDONE ] ; then
# kdialog --sorry 'Abnormal file copy termination; see /var/log/qubes/qrexec.xid.log in dom0 for more details'
# fi

10
qubes_rpc/qvm-copy.desktop
View File

@ -1,10 +0,0 @@
[Desktop Entry]
Actions=QvmCopy;
Type=Service
X-KDE-ServiceTypes=KonqPopupMenu/Plugin,inode/directory,all/allfiles
[Desktop Action QvmCopy]
Exec=/usr/lib/qubes/qvm-copy-to-vm.kde %U
Icon=kget
Name=Send To VM

9
qubes_rpc/qvm-dvm-gnome.desktop
View File

@ -1,9 +0,0 @@
[Desktop Entry]
Type=Action
ToolbarLabel[C]=Open in DisposableVM
Name[C]=Open in DisposableVM
Profiles=profile-zero;
[X-Action-Profile profile-zero]
Exec=/usr/bin/qvm-open-in-dvm %f
Name[C]=Default profile

10
qubes_rpc/qvm-dvm.desktop
View File

@ -1,10 +0,0 @@
[Desktop Entry]
Actions=QvmDvm;
Type=Service
X-KDE-ServiceTypes=KonqPopupMenu/Plugin,all/allfiles
[Desktop Action QvmDvm]
Exec=/usr/bin/qvm-open-in-dvm %U
Icon=kget
Name=Open In DisposableVM

165
qubes_rpc/qvm-mru-entry
View File

@ -1,165 +0,0 @@
#!/usr/bin/python
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2012 Bruce Downs <bruceadowns@gmail.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
import os
from optparse import OptionParser
import gtk
class QubesMruDialog(gtk.Dialog):
entry = None
mrufile = None
def __init__(self, title, text, mrufile):
self.mrufile = mrufile
gtk.Dialog.__init__(
self,
title,
None,
0,
(gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL,
gtk.STOCK_OK, gtk.RESPONSE_OK))
# setting the default response to 'ok'
# does not work as advertised
# using key-press-event instead
#self.set_default_response(gtk.RESPONSE_OK)
self.connect("destroy", lambda *w: gtk.main_quit())
self.connect("response", self.response_callback)
self.connect("key-press-event", self.key_press_callback)
self.set_position(gtk.WIN_POS_CENTER)
self.set_resizable(True)
vbox = gtk.VBox(True, 5)
self.vbox.pack_start(vbox, True, True, 0)
vbox.set_border_width(5)
label = gtk.Label()
label.set_markup(text)
vbox.pack_start(label, False, False, 0)
# Create our entry
self.entry = gtk.Entry()
vbox.pack_start(self.entry, False, False, 0)
# Create the completion object
completion = gtk.EntryCompletion()
# Assign the completion to the entry
self.entry.set_completion(completion)
# Create a tree model and use it as the completion model
completion_model, firstline = self.create_completion_model()
completion.set_model(completion_model)
# Use model column 0 as the text column
completion.set_text_column(0)
if firstline:
self.entry.set_text(firstline)
self.show_all()
def create_completion_model(self):
store = gtk.ListStore(str)
firstline = None
if self.mrufile and os.access(self.mrufile, os.R_OK):
# read lines from mru file
lines = [line.strip() for line in open(self.mrufile)]
for line in lines:
if not firstline:
firstline = line
iter = store.append()
store.set(iter, 0, line)
return store, firstline
def handle_ok(self):
my_entry = self.entry.get_text()
if len(my_entry) > 0:
linesorg = []
linesorg.insert(0, my_entry)
# calc mru lines
if os.access(self.mrufile, os.R_OK):
# read lines from existing mru file
fMru = open(self.mrufile, "r")
linesorg += [line.strip() for line in fMru]
fMru.close()
#uniqify
linesuniq = []
for lineuniq in linesorg:
if (len(lineuniq) > 0 and lineuniq not in linesuniq):
linesuniq.append(lineuniq)
# write to mru
# up to 50 unique
fMru = file(self.mrufile, "w")
fMru.writelines( "%s\n" % line for line in linesuniq[:50] )
fMru.close()
# print entry to stdout
print my_entry
def response_callback(self, button, response_id):
if response_id == gtk.RESPONSE_OK:
self.handle_ok()
self.destroy()
def key_press_callback(self, button, event):
if event.keyval == gtk.keysyms.Return:
self.handle_ok()
self.destroy()
def main():
usage = "usage: %prog [--title 'Qubes Title'] [--text 'Qubes Text'] [--mrufile 'mru file name']"
parser = OptionParser (usage)
parser.add_option ("-l", "--title",
action="store",
dest="title",
default="Qubes MRU Dialog Entry",
help="Set the dialog title [%default]")
parser.add_option ("-x", "--text",
action="store",
dest="text",
default="Enter Qubes text:",
help="Set the dialog text [%default]")
parser.add_option ("-f", "--mrufile",
action="store",
dest="mrufile",
default='qvm-mru',
help="MRU file name [%default]")
(options, args) = parser.parse_args ()
mrudir = os.path.expanduser('~') + os.sep + '.config'
if not os.path.exists(mrudir):
os.makedirs(mrudir)
QubesMruDialog(options.title, options.text, mrudir + os.sep + options.mrufile)
gtk.main()
main()

31
qubes_rpc/qvm-open-in-dvm
View File

@ -1,31 +0,0 @@
#!/bin/bash
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2010 Rafal Wojtczuk <rafal@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
if ! [ $# = 1 ] ; then
echo "Usage: $0 filename"
exit 1
fi
. /usr/lib/qubes/wrap_in_html_if_url.sh
wrap_in_html_if_url "$1"
exec /usr/lib/qubes/qrexec_client_vm '$dispvm' qubes.OpenInVM "/usr/lib/qubes/qopen-in-vm" "$FILE_ARGUMENT"

29
qubes_rpc/qvm-open-in-vm
View File

@ -1,29 +0,0 @@
#!/bin/bash
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2010 Rafal Wojtczuk <rafal@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
if ! [ $# = 2 ] ; then
echo "Usage: $0 vmname filename"
exit 1
fi
. /usr/lib/qubes/wrap_in_html_if_url.sh
wrap_in_html_if_url "$2"
exec /usr/lib/qubes/qrexec_client_vm "$1" qubes.OpenInVM "/usr/lib/qubes/qopen-in-vm" "$FILE_ARGUMENT"

32
qubes_rpc/qvm-run
View File

@ -1,32 +0,0 @@
#!/bin/bash
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2010 Rafal Wojtczuk <rafal@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
if [ $# -lt 2 ] ; then
echo "Usage: $0 vmname command arguments"
exit 1
fi
VMNAME=$1
shift
if [ $VMNAME = "--dispvm" ] ; then
VMNAME='$dispvm'
fi
exec /usr/lib/qubes/qrexec_client_vm $VMNAME qubes.VMShell "/usr/lib/qubes/qrun-in-vm" "$@"

12
qubes_rpc/sync-ntp-clock
View File

@ -1,12 +0,0 @@
#!/bin/sh
if [ -x /usr/libexec/ntpdate-wrapper ]; then
/usr/libexec/ntpdate-wrapper
elif [ -x /etc/init.d/ntpdate ]; then
/etc/init.d/ntpdate restart
elif [ -x /usr/sbin/ntpdate ]; then
/usr/sbin/ntpdate pool.ntp.org
else
echo "No ntpdate installed, giving up."
exit 1
fi

161
qubes_rpc/vm-file-editor.c
View File

@ -1,161 +0,0 @@
#include <sys/stat.h>
#include <sys/wait.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <ioall.h>
#include "dvm2.h"
char *gettime()
{
static char retbuf[60];
struct timeval tv;
gettimeofday(&tv, NULL);
snprintf(retbuf, sizeof(retbuf), "%lld.%lld",
(long long) tv.tv_sec, (long long) tv.tv_usec);
return retbuf;
}
char *get_filename()
{
char buf[DVM_FILENAME_SIZE];
static char retname[sizeof(buf) + sizeof("/tmp/")];
int i;
if (!read_all(0, buf, sizeof(buf)))
exit(1);
if (index(buf, '/')) {
fprintf(stderr, "filename contains /");
exit(1);
}
for (i=0; i < DVM_FILENAME_SIZE && buf[i]!=0; i++) {
// replace some characters with _ (eg mimeopen have problems with some of them)
if (index(" !?\"#$%^&*()[]<>;`~", buf[i]))
buf[i]='_';
}
snprintf(retname, sizeof(retname), "/tmp/%s", buf);
return retname;
}
void copy_file(char *filename)
{
int fd = open(filename, O_WRONLY | O_CREAT, 0600);
if (fd < 0) {
perror("open file");
exit(1);
}
if (!copy_fd_all(fd, 0))
exit(1);
close(fd);
}
void send_file_back(char * filename)
{
int fd = open(filename, O_RDONLY);
if (fd < 0) {
perror("open file");
exit(1);
}
if (!copy_fd_all(1, fd))
exit(1);
close(fd);
}
int
main()
{
struct stat stat_pre, stat_post, session_stat;
char *filename = get_filename();
int child, status, log_fd, null_fd;
char var[1024], val[4096];
FILE *env_file;
FILE *waiter_pidfile;
copy_file(filename);
if (stat(filename, &stat_pre)) {
perror("stat pre");
exit(1);
}
fprintf(stderr, "time=%s, waiting for qubes-session\n", gettime());
// wait for X server to starts (especially in DispVM)
if (stat("/tmp/qubes-session-env", &session_stat)) {
switch (child = fork()) {
case -1:
perror("fork");
exit(1);
case 0:
waiter_pidfile = fopen("/tmp/qubes-session-waiter", "a");
if (waiter_pidfile == NULL) {
perror("fopen waiter_pidfile");
exit(1);
}
fprintf(waiter_pidfile, "%d\n", getpid());
fclose(waiter_pidfile);
// check the second time, to prevent race
if (stat("/tmp/qubes-session-env", &session_stat)) {
// wait for qubes-session notify
pause();
}
exit(0);
default:
waitpid(child, &status, 0);
if (WIFEXITED(status) && WEXITSTATUS(status) != 0) {
//propagate exit code from child
exit(WEXITSTATUS(status));
}
}
}
fprintf(stderr, "time=%s, starting editor\n", gettime());
switch (child = fork()) {
case -1:
perror("fork");
exit(1);
case 0:
null_fd = open("/dev/null", O_RDONLY);
dup2(null_fd, 0);
close(null_fd);
env_file = fopen("/tmp/qubes-session-env", "r");
while(fscanf(env_file, "%1024[^=]=%4096[^\n]\n", var, val) == 2) {
setenv(var, val, 1);
}
fclose(env_file);
log_fd = open("/tmp/mimeopen.log", O_CREAT | O_APPEND, 0666);
if (log_fd == -1) {
perror("open /tmp/mimeopen.log");
exit(1);
}
dup2(log_fd, 1);
close(log_fd);
setenv("HOME", "/home/user", 1);
setenv("DISPLAY", ":0", 1);
execl("/usr/bin/mimeopen", "mimeopen", "-n", filename, (char*)NULL);
perror("execl");
exit(1);
default:
waitpid(child, &status, 0);
if (status != 0) {
char cmd[512];
#ifdef USE_KDIALOG
snprintf(cmd, sizeof(cmd),
"HOME=/home/user DISPLAY=:0 /usr/bin/kdialog --sorry 'Unable to handle mimetype of the requested file (exit status: %d)!' > /tmp/kdialog.log 2>&1 </dev/null", status);
("HOME=/home/user DISPLAY=:0 /usr/bin/kdialog --sorry 'Unable to handle mimetype of the requested file (exit status: %d)!' > /tmp/kdialog.log 2>&1 </dev/null", status);
#else
snprintf(cmd, sizeof(cmd),
"HOME=/home/user DISPLAY=:0 /usr/bin/zenity --error --text 'Unable to handle mimetype of the requested file (exit status: %d)!' > /tmp/kdialog.log 2>&1 </dev/null", status);
#endif
system(cmd);
}
}
if (stat(filename, &stat_post)) {
perror("stat post");
exit(1);
}
if (stat_pre.st_mtime != stat_post.st_mtime)
send_file_back(filename);
return 0;
}

17
qubes_rpc/wrap_in_html_if_url.sh
View File

@ -1,17 +0,0 @@
wrap_in_html_if_url()
{
case "$1" in
*://*)
FILE_ARGUMENT=$(mktemp)
echo -n '<html><meta HTTP-EQUIV="REFRESH" content="0; url=' > $FILE_ARGUMENT
echo -n "$1" >> $FILE_ARGUMENT
echo '"></html>' >> $FILE_ARGUMENT
;;
*)
FILE_ARGUMENT="$1"
;;
esac
}

26
rpm_spec/core-vm-kernel-placeholder.spec
View File

@ -1,26 +0,0 @@
# We don't install kernel pkg in VM, but some other pkgs depends on it.
# Done as separate subpackage because yum allows multiple versions of kernel
# pkg installed simultaneusly - and of course we don't want multiple versions
# of qubes-core-vm
Name: qubes-core-vm-kernel-placeholder
Summary: Placeholder for kernel package as it is managed by Dom0
Version: 1.0
Release: 2%{dist}
Vendor: Invisible Things Lab
License: GPL
Group: Qubes
URL: http://www.qubes-os.org
# template released with 1.0-rc1 have kernel-debug installed by mistake. This
# line is required to smooth upgrade.
Obsoletes: kernel-debug
# this driver require exact kernel-drm-nouveau version; as isn't needed in VM,
# just remove it
Obsoletes: xorg-x11-drv-nouveau
Provides: xorg-x11-drv-nouveau
# choose the oldest Qubes-supported VM kernel
Provides: kernel = 3.7.4
%description
Placeholder for kernel package as it is managed by Dom0.
%files

655
rpm_spec/core-vm.spec
View File

@ -1,655 +0,0 @@
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2010 Joanna Rutkowska <joanna@invisiblethingslab.com>
# Copyright (C) 2010 Rafal Wojtczuk <rafal@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
%{!?version: %define version %(cat version_vm)}
Name: qubes-core-vm
Version: %{version}
Release: 1%{dist}
Summary: The Qubes core files for VM
Group: Qubes
Vendor: Invisible Things Lab
License: GPL
URL: http://www.qubes-os.org
Requires: /usr/bin/xenstore-read
Requires: fedora-release
Requires: yum-plugin-post-transaction-actions
Requires: NetworkManager >= 0.8.1-1
%if %{fedora} >= 18
# Fedora >= 18 defaults to firewalld, which isn't supported nor needed by Qubes
Requires: iptables-services
Conflicts: firewalld
%endif
Requires: /usr/bin/mimeopen
Requires: ethtool
Requires: tinyproxy
Requires: ntpdate
Requires: net-tools
Requires: nautilus-actions
Requires: qubes-core-vm-kernel-placeholder
Requires: qubes-core-libs
Provides: qubes-core-vm
Obsoletes: qubes-core-commonvm
Obsoletes: qubes-core-appvm
Obsoletes: qubes-core-netvm
Obsoletes: qubes-core-proxyvm
Obsoletes: qubes-upgrade-vm < 2.0
BuildRequires: xen-devel
%define _builddir %(pwd)
%define kde_service_dir /usr/share/kde4/services/ServiceMenus
%description
The Qubes core files for installation inside a Qubes VM.
%prep
# we operate on the current directory, so no need to unpack anything
# symlink is to generate useful debuginfo packages
rm -f %{name}-%{version}
ln -sf . %{name}-%{version}
%setup -T -D
%build
(cd vchan; make -f Makefile.linux)
(cd qrexec; make)
for dir in qubes_rpc misc; do
(cd $dir; make)
done
%pre
if [ "$1" != 1 ] ; then
# do this whole %pre thing only when updating for the first time...
exit 0
fi
mkdir -p /var/lib/qubes
if [ -e /etc/fstab ] ; then
mv /etc/fstab /var/lib/qubes/fstab.orig
fi
adduser --create-home user
%install
install -m 0644 -D misc/fstab $RPM_BUILD_ROOT/etc/fstab
install -d $RPM_BUILD_ROOT/etc/init.d
install vm-init.d/* $RPM_BUILD_ROOT/etc/init.d/
install -d $RPM_BUILD_ROOT/lib/systemd/system $RPM_BUILD_ROOT/usr/lib/qubes/init
install -m 0755 vm-systemd/*.sh $RPM_BUILD_ROOT/usr/lib/qubes/init/
install -m 0644 vm-systemd/qubes-*.service $RPM_BUILD_ROOT/lib/systemd/system/
install -m 0644 vm-systemd/qubes-*.timer $RPM_BUILD_ROOT/lib/systemd/system/
install -m 0644 vm-systemd/NetworkManager.service $RPM_BUILD_ROOT/usr/lib/qubes/init/
install -m 0644 vm-systemd/NetworkManager-wait-online.service $RPM_BUILD_ROOT/usr/lib/qubes/init/
install -m 0644 vm-systemd/cups.service $RPM_BUILD_ROOT/usr/lib/qubes/init/
install -m 0644 vm-systemd/ntpd.service $RPM_BUILD_ROOT/usr/lib/qubes/init/
install -D -m 0440 misc/qubes.sudoers $RPM_BUILD_ROOT/etc/sudoers.d/qubes
install -D -m 0644 misc/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d/qubes.repo
install -D -m 0644 misc/serial.conf $RPM_BUILD_ROOT/usr/lib/qubes/serial.conf
install -D misc/qubes_serial_login $RPM_BUILD_ROOT/sbin/qubes_serial_login
install -d $RPM_BUILD_ROOT/usr/share/glib-2.0/schemas/
install -m 0644 misc/org.gnome.settings-daemon.plugins.updates.gschema.override $RPM_BUILD_ROOT/usr/share/glib-2.0/schemas/
install -d $RPM_BUILD_ROOT/usr/lib/yum-plugins/
install -m 0644 misc/yum-qubes-hooks.py* $RPM_BUILD_ROOT/usr/lib/yum-plugins/
install -D -m 0644 misc/yum-qubes-hooks.conf $RPM_BUILD_ROOT/etc/yum/pluginconf.d/yum-qubes-hooks.conf
install -d $RPM_BUILD_ROOT/var/lib/qubes
install -d -m 755 $RPM_BUILD_ROOT/etc/pki/rpm-gpg
install -m 644 misc/RPM-GPG-KEY-qubes* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/
install -D misc/xenstore-watch $RPM_BUILD_ROOT/usr/bin/xenstore-watch-qubes
install -d $RPM_BUILD_ROOT/etc/udev/rules.d
install -m 0644 misc/qubes_misc.rules $RPM_BUILD_ROOT/etc/udev/rules.d/50-qubes_misc.rules
install -m 0644 misc/qubes_block.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_block.rules
install -m 0644 misc/qubes_usb.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_usb.rules
install -d $RPM_BUILD_ROOT/usr/lib/qubes/
install misc/qubes_download_dom0_updates.sh $RPM_BUILD_ROOT/usr/lib/qubes/
install misc/{block_add_change,block_remove,block_cleanup} $RPM_BUILD_ROOT/usr/lib/qubes/
install misc/{usb_add_change,usb_remove} $RPM_BUILD_ROOT/usr/lib/qubes/
install misc/vusb-ctl.py $RPM_BUILD_ROOT/usr/lib/qubes/
install misc/qubes_trigger_sync_appmenus.sh $RPM_BUILD_ROOT/usr/lib/qubes/
install -D -m 0644 misc/qubes_trigger_sync_appmenus.action $RPM_BUILD_ROOT/etc/yum/post-actions/qubes_trigger_sync_appmenus.action
install -D misc/polkit-1-qubes-allow-all.pkla $RPM_BUILD_ROOT/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
install -D misc/polkit-1-qubes-allow-all.rules $RPM_BUILD_ROOT/etc/polkit-1/rules.d/00-qubes-allow-all.rules
mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes
if [ -r misc/dispvm-dotfiles.%{dist}.tbz ]; then
install misc/dispvm-dotfiles.%{dist}.tbz $RPM_BUILD_ROOT/etc/dispvm-dotfiles.tbz
else
install misc/dispvm-dotfiles.tbz $RPM_BUILD_ROOT/etc/dispvm-dotfiles.tbz
fi
install misc/dispvm-prerun.sh $RPM_BUILD_ROOT/usr/lib/qubes/dispvm-prerun.sh
install -D misc/qubes_core.modules $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes_core.modules
install -D misc/qubes_misc.modules $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes_misc.modules
install -m 0644 network/qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules
install network/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/lib/qubes
install network/qubes_fix_nm_conf.sh $RPM_BUILD_ROOT/usr/lib/qubes
install network/setup_ip $RPM_BUILD_ROOT/usr/lib/qubes/
install network/network-manager-prepare-conf-dir $RPM_BUILD_ROOT/usr/lib/qubes/
install -d $RPM_BUILD_ROOT/etc/dhclient.d
ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes
install -m 0400 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
install -m 0400 -D network/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables
install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf
install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum
install -d $RPM_BUILD_ROOT/etc/yum.conf.d
touch $RPM_BUILD_ROOT/etc/yum.conf.d/qubes-proxy.conf
install -d $RPM_BUILD_ROOT/usr/sbin
install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/
install network/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/
install -d $RPM_BUILD_ROOT/usr/bin
install qubes_rpc/{qvm-open-in-dvm,qvm-open-in-vm,qvm-copy-to-vm,qvm-run,qvm-mru-entry} $RPM_BUILD_ROOT/usr/bin
install qubes_rpc/wrap_in_html_if_url.sh $RPM_BUILD_ROOT/usr/lib/qubes
install qubes_rpc/qvm-copy-to-vm.kde $RPM_BUILD_ROOT/usr/lib/qubes
install qubes_rpc/qvm-copy-to-vm.gnome $RPM_BUILD_ROOT/usr/lib/qubes
install qubes_rpc/{vm-file-editor,qfile-agent,qopen-in-vm,qfile-unpacker} $RPM_BUILD_ROOT/usr/lib/qubes
install qubes_rpc/qrun-in-vm $RPM_BUILD_ROOT/usr/lib/qubes
install qubes_rpc/sync-ntp-clock $RPM_BUILD_ROOT/usr/lib/qubes
install qubes_rpc/prepare-suspend $RPM_BUILD_ROOT/usr/lib/qubes
install -d $RPM_BUILD_ROOT/%{kde_service_dir}
install -m 0644 qubes_rpc/{qvm-copy.desktop,qvm-dvm.desktop} $RPM_BUILD_ROOT/%{kde_service_dir}
install -d $RPM_BUILD_ROOT/etc/qubes_rpc
install -m 0644 qubes_rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell,qubes.SyncNtpClock} $RPM_BUILD_ROOT/etc/qubes_rpc
install -m 0644 qubes_rpc/{qubes.SuspendPre,qubes.SuspendPost,qubes.GetAppmenus} $RPM_BUILD_ROOT/etc/qubes_rpc
install -m 0644 qubes_rpc/qubes.WaitForSession $RPM_BUILD_ROOT/etc/qubes_rpc
install -d $RPM_BUILD_ROOT/usr/share/file-manager/actions
install -m 0644 qubes_rpc/*-gnome.desktop $RPM_BUILD_ROOT/usr/share/file-manager/actions
install -D misc/nautilus-actions.conf $RPM_BUILD_ROOT/etc/xdg/nautilus-actions/nautilus-actions.conf
install qrexec/qrexec_agent $RPM_BUILD_ROOT/usr/lib/qubes
install qrexec/qrexec_client_vm $RPM_BUILD_ROOT/usr/lib/qubes
install qrexec/qubes_rpc_multiplexer $RPM_BUILD_ROOT/usr/lib/qubes
install misc/meminfo-writer $RPM_BUILD_ROOT/usr/lib/qubes
install -d $RPM_BUILD_ROOT/mnt/removable
install -d $RPM_BUILD_ROOT/var/lib/qubes/dom0-updates
install -D -m 0644 misc/xorg-preload-apps.conf $RPM_BUILD_ROOT/etc/X11/xorg-preload-apps.conf
install -d $RPM_BUILD_ROOT/var/run/qubes
install -d $RPM_BUILD_ROOT/home_volatile/user
%triggerin -- initscripts
cp /usr/lib/qubes/serial.conf /etc/init/serial.conf
%post
# disable some Upstart services
for F in plymouth-shutdown prefdm splash-manager start-ttys tty ; do
if [ -e /etc/init/$F.conf ]; then
mv -f /etc/init/$F.conf /etc/init/$F.conf.disabled
fi
done
remove_ShowIn () {
if [ -e /etc/xdg/autostart/$1.desktop ]; then
sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/$1.desktop
fi
}
# don't want it at all
for F in abrt-applet deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do
if [ -e /etc/xdg/autostart/$F.desktop ]; then
remove_ShowIn $F
echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop
fi
done
# don't want it in DisposableVM
for F in gcm-apply ; do
if [ -e /etc/xdg/autostart/$F.desktop ]; then
remove_ShowIn $F
echo 'NotShowIn=DisposableVM;' >> /etc/xdg/autostart/$F.desktop
fi
done
# want it in AppVM only
for F in gnome-keyring-gpg gnome-keyring-pkcs11 gnome-keyring-secrets gnome-keyring-ssh gnome-settings-daemon user-dirs-update-gtk gsettings-data-convert ; do
if [ -e /etc/xdg/autostart/$F.desktop ]; then
remove_ShowIn $F
echo 'OnlyShowIn=GNOME;AppVM;' >> /etc/xdg/autostart/$F.desktop
fi
done
# remove existing rule to add own later
for F in gpk-update-icon nm-applet ; do
remove_ShowIn $F
done
echo 'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || :
echo 'OnlyShowIn=GNOME;NetVM;' >> /etc/xdg/autostart/nm-applet.desktop || :
usermod -p '' root
usermod -L user
# Create NetworkManager configuration if we do not have it
if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
echo '[main]' > /etc/NetworkManager/NetworkManager.conf
echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
fi
/usr/lib/qubes/qubes_fix_nm_conf.sh
# Remove ip_forward setting from sysctl, so NM will not reset it
sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf
# Install firmware link only on system which haven't it yet
if ! [ -e /lib/firmware/updates ]; then
ln -s /lib/modules/firmware /lib/firmware/updates
fi
if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
echo >> /etc/yum.conf
echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
fi
# Revert 'Prevent unnecessary updates in VMs':
sed -i -e '/^exclude = kernel/d' /etc/yum.conf
# qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
if ! grep -q localhost /etc/hosts; then
cat <<EOF > /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
EOF
fi
if [ "$1" != 1 ] ; then
# do the rest of %post thing only when updating for the first time...
exit 0
fi
if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then
cp /etc/init/serial.conf /var/lib/qubes/serial.orig
fi
#echo "--> Disabling SELinux..."
sed -e s/^SELINUX=.*$/SELINUX=disabled/ </etc/selinux/config >/etc/selinux/config.processed
mv /etc/selinux/config.processed /etc/selinux/config
setenforce 0 2>/dev/null
# Remove most of the udev scripts to speed up the VM boot time
# Just leave the xen* scripts, that are needed if this VM was
# ever used as a net backend (e.g. as a VPN domain in the future)
#echo "--> Removing unnecessary udev scripts..."
mkdir -p /var/lib/qubes/removed-udev-scripts
for f in /etc/udev/rules.d/*
do
if [ $(basename $f) == "xen-backend.rules" ] ; then
continue
fi
if [ $(basename $f) == "xend.rules" ] ; then
continue
fi
if [ $(basename $f) == "50-qubes_misc.rules" ] ; then
continue
fi
if [ $(basename $f) == "99-qubes_network.rules" ] ; then
continue
fi
if [ $(basename $f) == "99-qubes_block.rules" ] ; then
continue
fi
if [ $(basename $f) == "99-qubes_usb.rules" ] ; then
continue
fi
if [ $(basename $f) == "90-hal.rules" ] ; then
continue
fi
mv $f /var/lib/qubes/removed-udev-scripts/
done
mkdir -p /rw
#rm -f /etc/mtab
#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0
%preun
if [ "$1" = 0 ] ; then
# no more packages left
if [ -e /var/lib/qubes/fstab.orig ] ; then
mv /var/lib/qubes/fstab.orig /etc/fstab
fi
mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
if [ -e /var/lib/qubes/serial.orig ] ; then
mv /var/lib/qubes/serial.orig /etc/init/serial.conf
fi
fi
%postun
if [ $1 -eq 0 ] ; then
/usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
if [ -l /lib/firmware/updates ]; then
rm /lib/firmware/updates
fi
fi
%posttrans
/usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
%clean
rm -rf $RPM_BUILD_ROOT
rm -f %{name}-%{version}
%files
%defattr(-,root,root,-)
%dir /var/lib/qubes
%dir /var/run/qubes
%dir %attr(0775,user,user) /var/lib/qubes/dom0-updates
%{kde_service_dir}/qvm-copy.desktop
%{kde_service_dir}/qvm-dvm.desktop
/etc/NetworkManager/dispatcher.d/30-qubes_external_ip
/etc/NetworkManager/dispatcher.d/qubes_nmhook
/etc/X11/xorg-preload-apps.conf
/etc/dispvm-dotfiles.tbz
/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
/etc/fstab
/etc/pki/rpm-gpg/RPM-GPG-KEY-qubes*
/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
/etc/polkit-1/rules.d/00-qubes-allow-all.rules
%dir /etc/qubes_rpc
/etc/qubes_rpc/qubes.Filecopy
/etc/qubes_rpc/qubes.OpenInVM
/etc/qubes_rpc/qubes.GetAppmenus
/etc/qubes_rpc/qubes.VMShell
/etc/qubes_rpc/qubes.SyncNtpClock
/etc/qubes_rpc/qubes.SuspendPre
/etc/qubes_rpc/qubes.SuspendPost
/etc/qubes_rpc/qubes.WaitForSession
/etc/sudoers.d/qubes
%config(noreplace) /etc/sysconfig/iptables
%config(noreplace) /etc/sysconfig/ip6tables
/etc/sysconfig/modules/qubes_core.modules
/etc/sysconfig/modules/qubes_misc.modules
%config(noreplace) /etc/tinyproxy/filter-qubes-yum
%config(noreplace) /etc/tinyproxy/tinyproxy-qubes-yum.conf
/etc/udev/rules.d/50-qubes_misc.rules
/etc/udev/rules.d/99-qubes_block.rules
/etc/udev/rules.d/99-qubes_network.rules
/etc/udev/rules.d/99-qubes_usb.rules
/etc/xdg/nautilus-actions/nautilus-actions.conf
/etc/xen/scripts/vif-route-qubes
%config(noreplace) /etc/yum.conf.d/qubes-proxy.conf
%config(noreplace) /etc/yum.repos.d/qubes.repo
/etc/yum/pluginconf.d/yum-qubes-hooks.conf
/etc/yum/post-actions/qubes_trigger_sync_appmenus.action
/sbin/qubes_serial_login
/usr/bin/qvm-copy-to-vm
/usr/bin/qvm-open-in-dvm
/usr/bin/qvm-open-in-vm
/usr/bin/qvm-run
/usr/bin/qvm-mru-entry
/usr/bin/xenstore-watch-qubes
%dir /usr/lib/qubes
/usr/lib/qubes/block_add_change
/usr/lib/qubes/block_cleanup
/usr/lib/qubes/block_remove
/usr/lib/qubes/usb_add_change
/usr/lib/qubes/usb_remove
/usr/lib/qubes/vusb-ctl.py*
/usr/lib/qubes/dispvm-prerun.sh
/usr/lib/qubes/sync-ntp-clock
/usr/lib/qubes/prepare-suspend
/usr/lib/qubes/meminfo-writer
/usr/lib/qubes/network-manager-prepare-conf-dir
/usr/lib/qubes/qfile-agent
%attr(4755,root,root) /usr/lib/qubes/qfile-unpacker
/usr/lib/qubes/qopen-in-vm
/usr/lib/qubes/qrexec_agent
/usr/lib/qubes/qrexec_client_vm
/usr/lib/qubes/qrun-in-vm
/usr/lib/qubes/qubes_download_dom0_updates.sh
/usr/lib/qubes/qubes_fix_nm_conf.sh
/usr/lib/qubes/qubes_rpc_multiplexer
/usr/lib/qubes/qubes_setup_dnat_to_ns
/usr/lib/qubes/qubes_trigger_sync_appmenus.sh
/usr/lib/qubes/qvm-copy-to-vm.gnome
/usr/lib/qubes/qvm-copy-to-vm.kde
/usr/lib/qubes/serial.conf
/usr/lib/qubes/setup_ip
/usr/lib/qubes/vm-file-editor
/usr/lib/qubes/wrap_in_html_if_url.sh
/usr/lib/yum-plugins/yum-qubes-hooks.py*
/usr/sbin/qubes_firewall
/usr/sbin/qubes_netwatcher
/usr/share/glib-2.0/schemas/org.gnome.settings-daemon.plugins.updates.gschema.override
/usr/share/file-manager/actions/qvm-copy-gnome.desktop
/usr/share/file-manager/actions/qvm-dvm-gnome.desktop
%dir /home_volatile
%attr(700,user,user) /home_volatile/user
%dir /mnt/removable
%package sysvinit
Summary: Qubes unit files for SysV init style or upstart
License: GPL v2 only
Group: Qubes
Requires: upstart
Requires: qubes-core-vm
Provides: qubes-core-vm-init-scripts
Conflicts: qubes-core-vm-systemd
%description sysvinit
The Qubes core startup configuration for SysV init (or upstart).
%files sysvinit
/etc/init.d/qubes_core
/etc/init.d/qubes_core_appvm
/etc/init.d/qubes_core_netvm
/etc/init.d/qubes-firewall
/etc/init.d/qubes-netwatcher
/etc/init.d/qubes-yum-proxy
%post sysvinit
#echo "--> Turning off unnecessary services..."
# FIXME: perhaps there is more elegant way to do this?
for f in /etc/init.d/*
do
srv=`basename $f`
[ $srv = 'functions' ] && continue
[ $srv = 'killall' ] && continue
[ $srv = 'halt' ] && continue
[ $srv = 'single' ] && continue
[ $srv = 'reboot' ] && continue
[ $srv = 'qubes_gui' ] && continue
chkconfig $srv off
done
#echo "--> Enabling essential services..."
chkconfig rsyslog on
chkconfig haldaemon on
chkconfig messagebus on
chkconfig iptables on
chkconfig ip6tables on
chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!"
chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!"
chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core_netvm!"
chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core_netvm!"
chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core_appvm!"
chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core_appvm!"
chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewall!"
chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!"
chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!"
chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!"
chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!"
chkconfig qubes-yum-proxy on || echo "WARNING: Cannot enable service qubes-yum-proxy!"
# TODO: make this not display the silly message about security context...
sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab
%preun sysvinit
if [ "$1" = 0 ] ; then
# no more packages left
chkconfig qubes_core off
chkconfig qubes_core_netvm off
chkconfig qubes_core_appvm off
chkconfig qubes-firewall off
chkconfig qubes-netwatcher off
chkconfig qubes-yum-proxy off
fi
%package systemd
Summary: Qubes unit files for SystemD init style
License: GPL v2 only
Group: Qubes
Requires: systemd
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires: qubes-core-vm
Provides: qubes-core-vm-init-scripts
Conflicts: qubes-core-vm-sysvinit
%description systemd
The Qubes core startup configuration for SystemD init.
%files systemd
%defattr(-,root,root,-)
/lib/systemd/system/qubes-dvm.service
/lib/systemd/system/qubes-meminfo-writer.service
/lib/systemd/system/qubes-qrexec-agent.service
/lib/systemd/system/qubes-misc-post.service
/lib/systemd/system/qubes-firewall.service
/lib/systemd/system/qubes-netwatcher.service
/lib/systemd/system/qubes-network.service
/lib/systemd/system/qubes-sysinit.service
/lib/systemd/system/qubes-update-check.service
/lib/systemd/system/qubes-update-check.timer
/lib/systemd/system/qubes-yum-proxy.service
%dir /usr/lib/qubes/init
/usr/lib/qubes/init/prepare-dvm.sh
/usr/lib/qubes/init/network-proxy-setup.sh
/usr/lib/qubes/init/misc-post.sh
/usr/lib/qubes/init/misc-post-stop.sh
/usr/lib/qubes/init/qubes-sysinit.sh
/usr/lib/qubes/init/NetworkManager.service
/usr/lib/qubes/init/NetworkManager-wait-online.service
/usr/lib/qubes/init/cups.service
/usr/lib/qubes/init/ntpd.service
%ghost %attr(0644,root,root) /etc/systemd/system/NetworkManager.service
%ghost %attr(0644,root,root) /etc/systemd/system/NetworkManager-wait-online.service
%ghost %attr(0644,root,root) /etc/systemd/system/cups.service
%post systemd
for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-yum-proxy; do
/bin/systemctl enable $srv.service 2> /dev/null
done
/bin/systemctl enable qubes-update-check.timer 2> /dev/null
# Install overriden services only when original exists
for srv in cups NetworkManager NetworkManager-wait-online ntpd; do
if [ -f /lib/systemd/system/$srv.service ]; then
cp /usr/lib/qubes/init/$srv.service /etc/systemd/system/$srv.service
fi
done
# Set default "runlevel"
rm -f /etc/systemd/system/default.target
ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
# Services to disable
#echo "--> Turning off unnecessary services..."
# FIXME: perhaps there is more elegant way to do this?
for f in /etc/init.d/*
do
srv=`basename $f`
[ $srv = 'functions' ] && continue
[ $srv = 'killall' ] && continue
[ $srv = 'halt' ] && continue
[ $srv = 'single' ] && continue
[ $srv = 'reboot' ] && continue
[ $srv = 'qubes_gui' ] && continue
chkconfig $srv off 2> /dev/null
done
DISABLE_SERVICES="alsa-store alsa-restore auditd avahi avahi-daemon backuppc cpuspeed crond"
DISABLE_SERVICES="$DISABLE_SERVICES fedora-autorelabel fedora-autorelabel-mark ipmi hwclock-load hwclock-save"
DISABLE_SERVICES="$DISABLE_SERVICES mdmonitor multipathd openct rpcbind mcelog fedora-storage-init fedora-storage-init-late"
DISABLE_SERVICES="$DISABLE_SERVICES plymouth-start plymouth-read-write plymouth-quit plymouth-quit-wait"
DISABLE_SERVICES="$DISABLE_SERVICES sshd tcsd sm-client sendmail mdmonitor-takeover"
for srv in $DISABLE_SERVICES; do
if [ -f /lib/systemd/system/$srv.service ]; then
if fgrep -q '[Install]' /lib/systemd/system/$srv.service; then
/bin/systemctl disable $srv.service 2> /dev/null
else
# forcibly disable
ln -sf /dev/null /etc/systemd/system/$srv.service
fi
fi
done
rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
# Enable some services
/bin/systemctl enable iptables.service 2> /dev/null
/bin/systemctl enable ip6tables.service 2> /dev/null
/bin/systemctl enable rsyslog.service 2> /dev/null
/bin/systemctl enable ntpd.service 2> /dev/null
# Disable original service to enable overriden one
/bin/systemctl disable NetworkManager.service 2> /dev/null
# Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)
/bin/systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null
/bin/systemctl enable NetworkManager.service 2> /dev/null
# Enable cups only when it is real SystemD service
[ -e /lib/systemd/system/cups.service ] && /bin/systemctl enable cups.service 2> /dev/null
exit 0
%postun systemd
#Do not run this part on upgrades
if [ "$1" != 0 ] ; then
exit 0
fi
for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network; do
/bin/systemctl disable $srv.service
do

1
version_vm
View File

@ -1 +0,0 @@
2.1.13

48
vm-init.d/qubes-firewall
View File

@ -1,48 +0,0 @@
#!/bin/sh
#
# chkconfig: 345 91 91
# description: Starts Qubes Firewall monitor
#
# Source function library.
. /etc/rc.d/init.d/functions
PIDFILE=/var/run/qubes/qubes_firewall.pid
start()
{
type=$(/usr/bin/xenstore-read qubes_vm_type)
start_firewall=$(/usr/bin/xenstore-read qubes-service/qubes-firewall 2> /dev/null)
if [ -z "$start_firewall" ] && [ "$type" == "ProxyVM" ] || [ "$start_firewall" == "1" ]; then
echo -n $"Starting Qubes Firewall monitor:"
/sbin/ethtool -K eth0 sg off
/usr/sbin/qubes_firewall &
success
echo ""
fi
return 0
}
stop()
{
if [ -r $PIDFILE ]; then
echo -n "Stopping Qubes Firewall monitor:"
kill -9 $(cat $PIDFILE) 2>/dev/null && success || failure
echo ""
fi
return 0
}
case "$1" in
start)
start
;;
stop)
stop
;;
*)
echo $"Usage: $0 {start|stop}"
exit 3
;;
esac
exit $RETVAL

48
vm-init.d/qubes-netwatcher
View File

@ -1,48 +0,0 @@
#!/bin/sh
#
# chkconfig: 345 92 92
# description: Starts Qubes Network monitor
#
# Source function library.
. /etc/rc.d/init.d/functions
PIDFILE=/var/run/qubes/qubes_netwatcher.pid
start()
{
type=$(/usr/bin/xenstore-read qubes_vm_type)
start_netwatcher=$(/usr/bin/xenstore-read qubes-service/qubes-netwatcher 2>/dev/null)
if [ -z "$start_netwatcher" ] && [ "$type" == "ProxyVM" ] || [ "$start_netwatcher" == "1" ]; then
echo -n $"Starting Qubes Network monitor:"
/sbin/ethtool -K eth0 sg off
/usr/sbin/qubes_netwatcher &
success
echo ""
fi
return 0
}
stop()
{
if [ -r "$PIDFILE" ]; then
echo -n "Stopping Qubes Network monitor:"
kill -9 $(cat $PIDFILE) 2>/dev/null && success || failure
echo ""
fi
return 0
}
case "$1" in
start)
start
;;
stop)
stop
;;
*)
echo $"Usage: $0 {start|stop}"
exit 3
;;
esac
exit $RETVAL

121
vm-init.d/qubes-yum-proxy
View File

@ -1,121 +0,0 @@
#!/bin/sh
#
# tinyproxy Startup script for the tinyproxy server as Qubes yum proxy
#
# chkconfig: - 85 15
# description: small, efficient HTTP/SSL proxy daemon
#
# processname: tinyproxy
# config: /etc/tinyproxy/tinyproxy-qubes-yum.conf
# config: /etc/sysconfig/tinyproxy-qubes-yum
# pidfile: /var/run/tinyproxy/tinyproxy-qubes-yum.pid
#
# Note: pidfile is created by tinyproxy in its config
# see PidFile in the configuration file.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0
exec="/usr/sbin/tinyproxy"
prog=$(basename $exec)
config="/etc/tinyproxy/tinyproxy-qubes-yum.conf"
pidfile="/var/run/tinyproxy/tinyproxy-qubes-yum.pid"
[ -e /etc/sysconfig/tinyproxy-qubes-yum ] && . /etc/sysconfig/tinyproxy-qubes-yum
lockfile=/var/lock/subsys/tinyproxy-qubes-yum
start() {
type=`/usr/bin/xenstore-read qubes_vm_type`
start_yum_proxy=`/usr/bin/xenstore-read qubes-service/qubes-yum-proxy 2>/dev/null`
if [ -z "$start_yum_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_yum_proxy" != "1" ]; then
# Yum proxy disabled
exit 0
fi
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
# setup network redirection
/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
echo -n $"Starting $prog (as Qubes yum proxy): "
daemon $exec -c $config
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc -p $pidfile $prog
retval=$?
echo
/sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
/sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
echo -n $"Reloading $prog: "
killproc -p $pidfile $prog -HUP
echo
}
force_reload() {
restart
}
rh_status() {
status $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?

119
vm-init.d/qubes_core
View File

@ -1,119 +0,0 @@
#!/bin/sh
#
# chkconfig: 345 90 90
# description: Executes Qubes core scripts at VM boot
#
# Source function library.
. /etc/rc.d/init.d/functions
start()
{
echo -n $"Executing Qubes Core scripts:"
if ! [ -x /usr/bin/xenstore-read ] ; then
echo "ERROR: /usr/bin/xenstore-read not found!"
exit 1
fi
# Set permissions to /proc/xen/xenbus, so normal user can use xenstore-read
chmod 666 /proc/xen/xenbus
# Set permissions to files needed to listen at vchan
chmod 666 /proc/u2mfn
mkdir -p /var/run/xen-hotplug
name=$(/usr/bin/xenstore-read name)
if ! [ -f /etc/this_is_dvm ] ; then
# we don't want to set hostname for DispVM
# because it makes some of the pre-created dotfiles invalid (e.g. .kde/cache-<hostname>)
# (let's be frank: nobody's gonna use xterm on DispVM)
hostname $name
sed -i "s/^\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
fi
timezone=`/usr/bin/xenstore-read qubes-timezone 2> /dev/null`
if [ -n "$timezone" ]; then
ln -f /usr/share/zoneinfo/$timezone /etc/localtime
echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
fi
yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null)
type=$(/usr/bin/xenstore-read qubes_vm_type)
if [ "$yum_proxy_setup" != "0" ] || [ -z "$yum_proxy_setup" -a "$type" == "TemplateVM" ]; then
echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
else
echo > /etc/yum.conf.d/qubes-proxy.conf
fi
# Set IP address again (besides action in udev rules); this is needed by
# DispVM (to override DispVM-template IP) and in case when qubes_ip was
# called by udev before loading evtchn kernel module - in which case
# xenstore-read fails
INTERFACE=eth0 /usr/lib/qubes/setup_ip
mkdir -p /var/run/qubes
if [ -e /dev/xvdb ] ; then
mount /rw
if ! [ -d /rw/home ] ; then
echo
echo "--> Virgin boot of the VM: Linking /home to /rw/home"
mkdir -p /rw/config
touch /rw/config/rc.local
mkdir -p /rw/home
cp -a /home.orig/user /rw/home
mkdir -p /rw/usrlocal
cp -a /usr/local.orig/* /rw/usrlocal
touch /var/lib/qubes/first_boot_completed
fi
fi
if [ -L /home ]; then
rm /home
mkdir /home
fi
mount /home
/usr/lib/qubes/qrexec_agent 2>/var/log/qubes/qrexec_agent.log &
[ -x /rw/config/rc.local ] && /rw/config/rc.local
success
echo ""
start_ntpd=$(/usr/bin/xenstore-read qubes-service/ntpd 2> /dev/null)
if [ "$start_ntpd" == "1" ]; then
/sbin/service ntpd start
fi
return 0
}
stop()
{
su -c 'mkdir -p /home_volatile/user/.local/share/applications' user
su -c 'cp -a /usr/share/applications/defaults.list /home_volatile/user/.local/share/applications/' user
if [ -r '/home/user/.local/share/applications/defaults.list' ]; then
su -c 'cat /home/user/.local/share/applications/defaults.list >> /home_volatile/user/.local/share/applications/defaults.list' user
fi
return 0
}
case "$1" in
start)
start
;;
stop)
stop
;;
*)
echo $"Usage: $0 {start|stop}"
exit 3
;;
esac
exit $RETVAL

99
vm-init.d/qubes_core_appvm
View File

@ -1,99 +0,0 @@
#!/bin/sh
#
# chkconfig: 345 85 85
# description: Executes Qubes core scripts at AppVM boot
#
# Source function library.
. /etc/rc.d/init.d/functions
possibly_run_save_script()
{
ENCODED_SCRIPT=$(xenstore-read qubes_save_script)
if [ -z "$ENCODED_SCRIPT" ] ; then return ; fi
echo $ENCODED_SCRIPT|perl -e 'use MIME::Base64 qw(decode_base64); local($/) = undef;print decode_base64(<STDIN>)' >/tmp/qubes_save_script
chmod 755 /tmp/qubes_save_script
Xorg -config /etc/X11/xorg-preload-apps.conf :0 &
while ! [ -S /tmp/.X11-unix/X0 ]; do sleep 0.5; done
DISPLAY=:0 su - user -c /tmp/qubes_save_script
killall Xorg
}
start()
{
if ! [ -x /usr/bin/xenstore-read ] ; then
echo "ERROR: /usr/bin/xenstore-read not found!"
exit 1
fi
type=$(/usr/bin/xenstore-read qubes_vm_type)
if [ "$type" != "AppVM" -a "$type" != "DisposableVM" -a "$type" != "TemplateVM" ]; then
# This script runs only on AppVMs
return 0
fi
# Start AppVM specific services
start_cups=$(/usr/bin/xenstore-read qubes-service/cups 2> /dev/null)
if [ "$start_cups" != "0" ]; then
/sbin/service cups start
# Allow also notification icon
sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop
else
# Disable notification icon
sed -i -e '/QUBES/!s/^NotShowIn=.*/\1QUBES;/' /etc/xdg/autostart/print-applet.desktop
fi
echo -n $"Executing Qubes Core scripts for AppVM:"
if xenstore-read qubes_save_request 2>/dev/null ; then
if [ -L /home ]; then
rm /home
mkdir /home
fi
mount --bind /home_volatile /home
touch /etc/this_is_dvm
mount /rw
possibly_run_save_script
umount /rw
dmesg -c >/dev/null
free | grep Mem: |
(read a b c d ; xenstore-write device/qubes_used_mem $c)
# we're still running in DispVM template
echo "Waiting for save/restore..."
# ... wait until qubes_restore.c (in Dom0) recreates VM-specific keys
while ! xenstore-read qubes_restore_complete 2>/dev/null ; do
usleep 10
done
echo Back to life.
fi
start_meminfo_writer=$(/usr/bin/xenstore-read qubes-service/meminfo-writer 2>/dev/null)
if [ "$start_meminfo_writer" != "0" ]; then
MEM_CHANGE_THRESHOLD_KB=30000
MEMINFO_DELAY_USEC=100000
/usr/lib/qubes/meminfo-writer $MEM_CHANGE_THRESHOLD_KB $MEMINFO_DELAY_USEC /var/run/meminfo-writer.pid
fi
success
echo ""
return 0
}
stop()
{
return 0
}
case "$1" in
start)
start
;;
stop)
stop
;;
*)
echo $"Usage: $0 {start|stop}"
exit 3
;;
esac
exit $RETVAL

60
vm-init.d/qubes_core_netvm
View File

@ -1,60 +0,0 @@
#!/bin/sh
#
# chkconfig: 345 90 90
# description: Executes Qubes core scripts at NetVM boot
#
# Source function library.
. /etc/rc.d/init.d/functions
start()
{
if ! [ -x /usr/bin/xenstore-read ] ; then
echo "ERROR: /usr/bin/xenstore-read not found!"
exit 1
fi
type=$(/usr/bin/xenstore-read qubes_vm_type)
if [ "$type" == "NetVM" ]; then
/usr/lib/qubes/network-manager-prepare-conf-dir
/sbin/service NetworkManager start
fi
echo -n $"Executing Qubes Core scripts NetVM:"
# Setup gateway for all the VMs this netVM is serviceing...
network=$(/usr/bin/xenstore-read qubes_netvm_network 2>/dev/null)
if [ "x$network" != "x" ]; then
gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
modprobe netbk 2> /dev/null || modprobe xen-netback
echo "NS1=$gateway" > /var/run/qubes/qubes_ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
/usr/lib/qubes/qubes_setup_dnat_to_ns
echo "1" > /proc/sys/net/ipv4/ip_forward
fi
success
echo ""
return 0
}
stop()
{
return 0
}
case "$1" in
start)
start
;;
stop)
stop
;;
*)
echo $"Usage: $0 {start|stop}"
exit 3
;;
esac
exit $RETVAL

5
vm-systemd/NetworkManager-wait-online.service
View File

@ -1,5 +0,0 @@
.include /lib/systemd/system/NetworkManager-wait-online.service
[Unit]
ConditionPathExists=/var/run/qubes-service/network-manager
# For /rw
After=qubes-misc-post.service

8
vm-systemd/NetworkManager.service
View File

@ -1,8 +0,0 @@
.include /lib/systemd/system/NetworkManager.service
[Unit]
ConditionPathExists=/var/run/qubes-service/network-manager
# For /rw
After=qubes-misc-post.service
[Service]
ExecStartPre=/usr/lib/qubes/network-manager-prepare-conf-dir

3
vm-systemd/cups.service
View File

@ -1,3 +0,0 @@
.include /lib/systemd/system/cups.service
[Unit]
ConditionPathExists=/var/run/qubes-service/cups

11
vm-systemd/misc-post-stop.sh
View File

@ -1,11 +0,0 @@
#!/bin/sh
# Save default applications for DispVM
su -c 'mkdir -p /home_volatile/user/.local/share/applications' user
su -c 'cp -a /usr/share/applications/defaults.list /home_volatile/user/.local/share/applications/' user
if [ -r '/home/user/.local/share/applications/defaults.list' ]; then
su -c 'cat /home/user/.local/share/applications/defaults.list >> /home_volatile/user/.local/share/applications/defaults.list' user
fi
exit 0

62
vm-systemd/misc-post.sh
View File

@ -1,62 +0,0 @@
#!/bin/sh
if [ -f /var/run/qubes-service/yum-proxy-setup ]; then
echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
else
echo > /etc/yum.conf.d/qubes-proxy.conf
fi
# Set IP address again (besides action in udev rules); this is needed by
# DispVM (to override DispVM-template IP) and in case when qubes_ip was
# called by udev before loading evtchn kernel module - in which case
# xenstore-read fails
INTERFACE=eth0 /usr/lib/qubes/setup_ip
if [ -e /dev/xvdb -a ! -e /etc/this_is_dvm ] ; then
mount /rw
if ! [ -d /rw/home ] ; then
echo
echo "--> Virgin boot of the VM: Linking /home to /rw/home"
mkdir -p /rw/config
touch /rw/config/rc.local
touch /rw/config/rc.local-early
mkdir -p /rw/home
cp -a /home.orig/user /rw/home
mkdir -p /rw/usrlocal
cp -a /usr/local.orig/* /rw/usrlocal
touch /var/lib/qubes/first_boot_completed
fi
# Chown home if user UID have changed - can be the case on template switch
HOME_USER_UID=`ls -dn /rw/home/user | awk '{print $3}'`
if [ "`id -u user`" -ne "$HOME_USER_UID" ]; then
find /rw/home/user -uid "$HOME_USER_UID" -print0 | xargs -0 chown user:user
fi
if [ -L /home ]; then
rm /home
mkdir /home
fi
mount /home
fi
[ -x /rw/config/rc.local ] && /rw/config/rc.local
# Start services which haven't own proper systemd unit:
# Start AppVM specific services
if [ ! -f /etc/systemd/system/cups.service ]; then
if [ -f /var/run/qubes-service/cups ]; then
/sbin/service cups start
# Allow also notification icon
sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop
else
# Disable notification icon
sed -i -e '/QUBES/!s/^NotShowIn=.*/\1QUBES;/' /etc/xdg/autostart/print-applet.desktop
fi
fi
exit 0

15
vm-systemd/network-proxy-setup.sh
View File

@ -1,15 +0,0 @@
#!/bin/sh
# Setup gateway for all the VMs this netVM is serviceing...
network=$(/usr/bin/xenstore-read qubes_netvm_network 2>/dev/null)
if [ "x$network" != "x" ]; then
gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
modprobe netbk 2> /dev/null || modprobe xen-netback
echo "NS1=$gateway" > /var/run/qubes/qubes_ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
/usr/lib/qubes/qubes_setup_dnat_to_ns
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ethtool -K eth0 sg off
fi

3
vm-systemd/ntpd.service
View File

@ -1,3 +0,0 @@
.include /lib/systemd/system/ntpd.service
[Unit]
ConditionPathExists=/var/run/qubes-service/ntpd

36
vm-systemd/prepare-dvm.sh
View File

@ -1,36 +0,0 @@
#!/bin/sh
possibly_run_save_script()
{
ENCODED_SCRIPT=$(xenstore-read qubes_save_script)
if [ -z "$ENCODED_SCRIPT" ] ; then return ; fi
echo $ENCODED_SCRIPT|perl -e 'use MIME::Base64 qw(decode_base64); local($/) = undef;print decode_base64(<STDIN>)' >/tmp/qubes_save_script
chmod 755 /tmp/qubes_save_script
Xorg -config /etc/X11/xorg-preload-apps.conf :0 &
while ! [ -S /tmp/.X11-unix/X0 ]; do sleep 0.5; done
DISPLAY=:0 su - user -c /tmp/qubes_save_script
killall Xorg
}
if xenstore-read qubes_save_request 2>/dev/null ; then
if [ -L /home ]; then
rm /home
mkdir /home
fi
mount --bind /home_volatile /home
touch /etc/this_is_dvm
mount /rw
possibly_run_save_script
umount /rw
dmesg -c >/dev/null
free | grep Mem: |
(read a b c d ; xenstore-write device/qubes_used_mem $c)
# we're still running in DispVM template
echo "Waiting for save/restore..."
# ... wait until qubes_restore.c (in Dom0) recreates VM-specific keys
while ! xenstore-read qubes_restore_complete 2>/dev/null ; do
usleep 10
done
echo Back to life.
fi

13
vm-systemd/qubes-dvm.service
View File

@ -1,13 +0,0 @@
[Unit]
Description=Prepare Qubes DispVM Template
ConditionPathExists=/var/run/qubes-service/qubes-dvm
After=systemd-readahead-replay.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/qubes/init/prepare-dvm.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

11
vm-systemd/qubes-firewall.service
View File

@ -1,11 +0,0 @@
[Unit]
Description=Qubes firewall updater
ConditionPathExists=/var/run/qubes-service/qubes-firewall
After=qubes-network.service
[Service]
ExecStart=/usr/sbin/qubes_firewall
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

12
vm-systemd/qubes-meminfo-writer.service
View File

@ -1,12 +0,0 @@
[Unit]
Description=Qubes memory information reporter
ConditionPathExists=/var/run/qubes-service/meminfo-writer
[Service]
Type=forking
ExecStart=/usr/lib/qubes/meminfo-writer 30000 100000 /var/run/meminfo-writer.pid
PIDFile=/var/run/meminfo-writer.pid
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

12
vm-systemd/qubes-misc-post.service
View File

@ -1,12 +0,0 @@
[Unit]
Description=Qubes misc post-boot actions
After=qubes-dvm.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/qubes/init/misc-post.sh
ExecStop=/usr/lib/qubes/init/misc-post-stop.sh
[Install]
WantedBy=multi-user.target

11
vm-systemd/qubes-netwatcher.service
View File

@ -1,11 +0,0 @@
[Unit]
Description=Qubes network monitor
ConditionPathExists=/var/run/qubes-service/qubes-netwatcher
After=qubes-firewall.service
[Service]
ExecStart=/usr/sbin/qubes_netwatcher
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

15
vm-systemd/qubes-network.service
View File

@ -1,15 +0,0 @@
[Unit]
Description=Qubes network forwarding setup
ConditionPathExists=/var/run/qubes-service/qubes-network
Before=network.target
After=iptables.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/qubes/init/network-proxy-setup.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
Alias=qubes_firewall.service

10
vm-systemd/qubes-qrexec-agent.service
View File

@ -1,10 +0,0 @@
[Unit]
Description=Qubes remote exec agent
After=qubes-dvm.service
[Service]
ExecStart=/usr/lib/qubes/qrexec_agent
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

14
vm-systemd/qubes-sysinit.service
View File

@ -1,14 +0,0 @@
[Unit]
Description=Init Qubes Services settings
DefaultDependencies=no
Before=sysinit.target
After=local-fs.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/qubes/init/qubes-sysinit.sh
StandardOutput=syslog
[Install]
WantedBy=sysinit.target

77
vm-systemd/qubes-sysinit.sh
View File

@ -1,77 +0,0 @@
#!/bin/sh
# List of services enabled by default (in case of absence of xenstore entry)
DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy"
DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check"
DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check"
DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM yum-proxy-setup"
DEFAULT_ENABLED="meminfo-writer"
XS_READ=/usr/bin/xenstore-read
XS_LS=/usr/bin/xenstore-ls
read_service() {
$XS_READ qubes-service/$1 2> /dev/null
}
# Wait for evtchn initialization
while [ ! -e /proc/xen/xenbus ]; do
sleep 0.1
done
mkdir -p /var/run/qubes
mkdir -p /var/run/qubes-service
mkdir -p /var/run/xen-hotplug
# Set permissions to /proc/xen/xenbus, so normal user can use xenstore-read
chmod 666 /proc/xen/xenbus
# Set permissions to files needed to listen at vchan
chmod 666 /proc/u2mfn
# Set default services depending on VM type
TYPE=`$XS_READ qubes_vm_type 2> /dev/null`
[ "$TYPE" == "AppVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_APPVM
[ "$TYPE" == "NetVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_NETVM
[ "$TYPE" == "ProxyVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_PROXYVM
[ "$TYPE" == "TemplateVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_TEMPLATEVM
# Enable default services
for srv in $DEFAULT_ENABLED; do
touch /var/run/qubes-service/$srv
done
# Enable services
for srv in `$XS_LS qubes-service 2>/dev/null |grep ' = "1"'|cut -f 1 -d ' '`; do
touch /var/run/qubes-service/$srv
done
# Disable services
for srv in `$XS_LS qubes-service 2>/dev/null |grep ' = "0"'|cut -f 1 -d ' '`; do
rm -f /var/run/qubes-service/$srv
done
# Set the hostname
name=`$XS_READ name`
if [ -n "$name" ]; then
hostname $name
sed -i "s/^\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
fi
timezone=`$XS_READ qubes-timezone 2> /dev/null`
if [ -n "$timezone" ]; then
ln -f /usr/share/zoneinfo/$timezone /etc/localtime
echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
fi
# Prepare environment for other services
echo > /var/run/qubes-service-environment
debug_mode=`$XS_READ qubes-debug-mode 2> /dev/null`
if [ -n "$debug_mode" -a "$debug_mode" -gt 0 ]; then
echo "GUI_OPTS=-vv" >> /var/run/qubes-service-environment
fi
[ -x /rw/config/rc.local-early ] && /rw/config/rc.local-early
exit 0

7
vm-systemd/qubes-update-check.service
View File

@ -1,7 +0,0 @@
[Unit]
Description=Qubes check for VM updates and notify dom0
ConditionPathExists=/var/run/qubes-service/qubes-update-check
[Service]
Type=oneshot
ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0'

11
vm-systemd/qubes-update-check.timer
View File

@ -1,11 +0,0 @@
[Unit]
Description=Periodically check for updates
ConditionPathExists=/var/run/qubes-service/qubes-update-check
[Timer]
OnBootSec=5min
OnUnitActiveSec=2d
[Install]
WantedBy=multi-user.target

15
vm-systemd/qubes-yum-proxy.service
View File

@ -1,15 +0,0 @@
[Unit]
Description=Qubes yum proxy (tinyproxy)
ConditionPathExists=/var/run/qubes-service/qubes-yum-proxy
After=iptables.service
[Service]
ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy
ExecStartPre=/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
ExecStartPre=/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf
ExecStopPost=/sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
ExecStopPost=/sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
[Install]
WantedBy=multi-user.target