commit 349a2d0c15668d78b5a81baacf09e6ccb3d0a8b7 Author: Joanna Rutkowska Date: Mon Apr 5 20:58:57 2010 +0200 Initial public commit. (c) 2010 Invisible Things Lab Authors: ========= Joanna Rutkowska Rafal Wojtczuk
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4d22dcb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+rpm/
+*.pyc
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..fe70076
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,18 @@
+RPMS_DIR=rpm/
+help:
+ @echo "make rpms -- generate binary rpm packages"
+ @echo "make update_repo -- copy newly generated rpms to qubes yum repo"
+
+rpms:
+ rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-appvm.spec
+ rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-netvm.spec
+ rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-dom0.spec
+ rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/dom0-cleanup.spec
+ rpm --addsign $(RPMS_DIR)/x86_64/*.rpm
+
+update_repo:
+ ln -f $(RPMS_DIR)/x86_64/*.rpm ../yum/rpm/
+ (if [ -d $(RPMS_DIR)/i686 ] ; then ln -f $(RPMS_DIR)/i686/*.rpm ../yum/rpm/; fi)
+
+clean:
+ (cd appvm && make clean)
diff --git a/TODO b/TODO
new file mode 100644
index 0000000..b9b4b42
--- /dev/null
+++ b/TODO
@@ -0,0 +1,16 @@
+* file exchange -- handle correctly files that have spaces in name
+-- qvm-copy-to-vm* do not copy files in the top directory has spaces in the name
+
+* qvm-update-appmenus
+-- let the user install appmenus for (potential) new apps after template update
+-- BUT: potential problem of Dom0 needing to mount the template's fs
+-- but: perhaps we should trust the template and its update process?
+
+* netvm: prevent inter-VM networking
+-- do not allow one AppVM to send any packets to other AppVMs that use the same netvm
+
+* qvm-prefs: allow to grow/shrink AppVM's private.img?
+
+* Dom0 udev scripts: do not load network drivers at all!
+
+* Dom0: detect when running without VT-d enabled and display a warning
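Review bot: The `rpms` target signs with `rpm --addsign $(RPMS_DIR)/x86_64/*.rpm`, which globs every package already sitting in the output directory, so stale packages from an earlier build are signed and then published by `update_repo` alongside the fresh ones. Clearing the directory as the first recipe line of `rpms` (`rm -rf $(RPMS_DIR)`) or signing only the files rpmbuild just produced keeps the signature from vouching for leftovers. `update_repo` hard-links the same glob into the yum repo and so has the same exposure. `rpms` also builds `rpm_spec/core-dom0.spec`, which is not among the files this commit adds; if it lives in another tree a comment naming where would help.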
diff --git a/appvm/Makefile b/appvm/Makefile
new file mode 100644
index 0000000..ef88f08
--- /dev/null
+++ b/appvm/Makefile
@@ -0,0 +1,9 @@
+CC=gcc
+CFLAGS=-Wall
+all: qubes_penctl qubes_add_pendrive_script
+qubes_penctl: qubes_penctl.o
+ $(CC) -o qubes_penctl qubes_penctl.o -lxenstore
+qubes_add_pendrive_script: qubes_add_pendrive_script.o
+ $(CC) -o qubes_add_pendrive_script qubes_add_pendrive_script.o
+clean:
+ rm -f qubes_penctl qubes_add_pendrive_script *.o *~
diff --git a/appvm/fstab b/appvm/fstab
new file mode 100644
index 0000000..604dbb8
--- /dev/null
+++ b/appvm/fstab
@@ -0,0 +1,17 @@
+
+#
+# /etc/fstab
+# Created by anaconda on Thu Dec 3 11:26:49 2009
+#
+# Accessible filesystems, by reference, are maintained under '/dev/disk'
+# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
+#
+/dev/mapper/dmroot / ext4 defaults,noatime 1 1
+/dev/mapper/dmswap swap swap defaults 0 0
+/dev/xvdb /rw ext4 defaults 0 0
+tmpfs /dev/shm tmpfs defaults 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+sysfs /sys sysfs defaults 0 0
+proc /proc proc defaults 0 0
+/dev/xvdg /mnt/outgoing vfat noauto,user,rw 0 0
+/dev/xvdh /mnt/incoming vfat noauto,user,rw 0 0
diff --git a/appvm/iptables b/appvm/iptables
new file mode 100644
index 0000000..77ad30c
--- /dev/null
+++ b/appvm/iptables
@@ -0,0 +1,12 @@
+# Firewall configuration written by system-config-firewall
+# Manual customization of this file is not recommended.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
diff --git a/appvm/qubes.rules b/appvm/qubes.rules
new file mode 100644
index 0000000..e3fc50e
--- /dev/null
+++ b/appvm/qubes.rules
@@ -0,0 +1 @@
+SUBSYSTEM=="block", KERNEL=="xvdh", ACTION=="add", RUN+="/usr/bin/qubes_add_pendrive_script"
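Review bot: `CFLAGS=-Wall` is the only compiler flag, yet core-appvm.spec in this commit installs `qubes_penctl` setuid root (`%attr(4755,root,root)`), and a privileged binary should at least build with `-Wextra -O2` plus the usual hardening, `-D_FORTIFY_SOURCE=2 -fstack-protector -fPIE`, with `-pie` on its link line. `_FORTIFY_SOURCE` only takes effect with optimization on, which is why `-O2` matters here. There is no `LDFLAGS` variable, so the two explicit `$(CC) -o` link rules would need the `-pie` added by hand, or an `LDFLAGS=-pie` line used in both.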
diff --git a/appvm/qubes_add_pendrive_script.c b/appvm/qubes_add_pendrive_script.c
new file mode 100644
index 0000000..8c0fb91
--- /dev/null
+++ b/appvm/qubes_add_pendrive_script.c
@@ -0,0 +1,87 @@ +/* + * The Qubes OS Project, http://www.qubes-os.org + * + * Copyright (C) 2010 Rafal Wojtczuk + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + */ + +#include +#include +#include +#include +#include +int parse_events(char *buf, int len) +{ + int i = 0; + while (i < len) { + struct inotify_event *ev = (struct inotify_event *)(buf + i); + if ((ev->mask & IN_UNMOUNT) || (ev->mask & IN_IGNORED)) + return 1; + i += sizeof(struct inotify_event) + ev->len; + } + return 0; +} + +#define BUFLEN 1024 +void wait_for_umount(char *name) +{ + char buf[BUFLEN]; + int fd = inotify_init(); + int len; + int ret = inotify_add_watch(fd, name, IN_ATTRIB); + if (ret < 0) { + perror("inotify_add_watch"); + return; + } + for (;;) { + len = read(fd, buf, BUFLEN - 1); + if (len <= 0) { + perror("read inotify"); + return; + } + if (parse_events(buf, len)) + return; + } +} + +void background() +{ + int i, fd; + for (i = 0; i < 256; i++) + close(i); + fd = open("/dev/null", O_RDWR); + for (i = 0; i <= 2; i++) + dup2(fd, i); + switch (fork()) { + case -1: + exit(1); + case 0: break; + default: + exit(0); + } +} + + +#define MOUNTDIR "/mnt/incoming" +int main() +{ + background(); + if (!system("su - user -c 'mount " MOUNTDIR "'")) + wait_for_umount(MOUNTDIR "/."); + system("xenstore-write device/qpen 
umount"); + return 0; +} diff --git a/appvm/qubes_core b/appvm/qubes_core new file mode 100755 index 0000000..dfedb9f --- /dev/null +++ b/appvm/qubes_core 
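Review bot: `main()` is launched as root by the udev rule added in this commit (`RUN+="/usr/bin/qubes_add_pendrive_script"` on `xvdh` add) and immediately mounts the device through `system("su - user -c 'mount " MOUNTDIR "'")`; the block device is presumably populated by another VM, so this VM's kernel vfat parser is fed filesystem metadata it did not create, and that trust boundary deserves a comment in the file header, e.g. `/* xvdh is attached by dom0 on behalf of the sending VM; its vfat image is untrusted input to this VM's kernel. */`. `parse_events()` casts `buf + i` and reads `ev->len` without first checking `i + sizeof(struct inotify_event) <= len`, so a bound check before the dereference is warranted even if the kernel normally returns whole events. `wait_for_umount()` never checks the `inotify_init()` result, so a failure there surfaces only as a misleading `inotify_add_watch` error, and `background()` does not check the `open("/dev/null")` result before the `dup2` loop. Both `system()` calls run `/bin/sh` with udev's inherited environment, so `xenstore-write` would be better spelled with an absolute path, matching the `/usr/bin/xenstore-read` convention in qubes_core; the `#include` lines are rendered empty here, so the headers cannot be verified.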
@@ -0,0 +1,87 @@ +#!/bin/sh +# +# chkconfig: 345 90 90 +# description: Executes Qubes core scripts at VM boot +# +# Source function library. +. /etc/rc.d/init.d/functions + +start() +{ + echo -n $"Executing Qubes Core scripts:" + + if ! [ -d /rw/home ] ; then + echo + echo "--> Virgin boot of the VM: Linking /home to /rw/home" + mv /home /home.orig + mkdir -p /rw/config + mkdir -p /rw/home + ln -s /rw/home/ /home +# chcon --reference /home.orig /rw/home + cp -a /home.orig/user /home + touch /rw/config/rc.local + rm -fr /home.orig + touch /var/lib/qubes/first_boot_completed + else + mv /home /home.tmpl + ln -s /rw/home/ /home + fi + + + if ! [ -x /usr/bin/xenstore-read ] ; then + echo "ERROR: /usr/bin/xenstore-read not found!" + exit 1 + fi + + name=$(/usr/bin/xenstore-read name) + hostname $name + + vmtype=$(/usr/bin/xenstore-read qubes_vm_type) + + if [ $vmtype == 'NetVM' ] ; then + # Setup gateway for all the VMs this netVM is serviceing... + brctl addbr br0 + gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway) + netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask) + network=$(/usr/bin/xenstore-read qubes_netvm_network) + ifconfig br0 $gateway netmask $netmask up + echo "1" > /proc/sys/net/ipv4/ip_forward + dnsmasq + iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE + else + ip=$(/usr/bin/xenstore-read qubes_ip) + netmask=$(/usr/bin/xenstore-read qubes_netmask) + gateway=$(/usr/bin/xenstore-read qubes_gateway) + if [ x$ip != x ]; then + /sbin/ifconfig eth0 $ip netmask $netmask up + /sbin/route add default gw $gateway + echo "nameserver $gateway" > /etc/resolv.conf + fi + fi + + + [ -x /rw/config/rc.local ] && /rw/config/rc.local + success + echo "" + return 0 +} + +stop() +{ + return 0 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + *) + echo $"Usage: $0 {start|stop}" + exit 3 + ;; +esac + +exit $RETVAL diff --git a/appvm/qubes_penctl.c b/appvm/qubes_penctl.c new file mode 100644 index 0000000..ab373f0 --- /dev/null 
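Review bot: `if [ $vmtype == 'NetVM' ]` leaves the xenstore value unquoted and uses `==`, which is not POSIX `test` syntax under `#!/bin/sh`; with `qubes_vm_type` unset the test degenerates to `[ == NetVM ]` and the script errors instead of taking the AppVM branch, so it should read `if [ "$vmtype" = 'NetVM' ] ; then`. The same unquoted expansion applies to `$name`, `$ip`, `$netmask` and `$gateway` on the `hostname`, `ifconfig` and `route` lines. The NetVM branch here starts bare `dnsmasq`, while netvm/qubes_core in this commit starts it with `--listen-address $gateway --bind-interfaces`; without those flags dnsmasq listens on every interface, including the upstream one, so the two scripts should agree. `[ -x /rw/config/rc.local ] && /rw/config/rc.local` executes a file from the user-writable /rw volume as root on every boot; if that is the intended persistence mechanism, a comment saying so would spare the next reader a double-take. `exit $RETVAL` at the end references a variable the script never sets.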
+++ b/appvm/qubes_penctl.c @@ -0,0 +1,71 @@ +/* + * The Qubes OS Project, http://www.qubes-os.org + * + * Copyright (C) 2010 Rafal Wojtczuk + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + */ + +#include +#include +#include +#include +#include +int check_name(unsigned char *s) +{ + int c; + for (; *s; s++) { + c = *s; + if (c >= 'a' && c <= 'z') + continue; + if (c >= 'A' && c <= 'Z') + continue; + if (c == '_' || c == '-') + continue; + return 0; + } + return 1; +} + +int main(int argc, char **argv) +{ + char buf[256] = "new"; + struct xs_handle *xs; + xs = xs_domain_open(); + setuid(getuid()); + if (!xs) { + perror("xs_domain_open"); + exit(1); + } + if (argc < 2) { + fprintf(stderr, "usage: %s new\n" + "%s send vmname\n", argv[0], argv[0]); + exit(1); + } + if (argc > 2) { + if (!check_name((unsigned char*)argv[2])) { + fprintf(stderr, "invalid vmname %s\n", argv[2]); + exit(1); + } + snprintf(buf, sizeof(buf), "send %s", argv[2]); + } + if (!xs_write(xs, 0, "device/qpen", buf, strlen(buf))) { + perror("xs_write"); + exit(1); + } + xs_daemon_close(xs); + return 0; +} diff --git a/appvm/qvm-copy-to-vm b/appvm/qvm-copy-to-vm new file mode 100755 index 0000000..28d9428 --- /dev/null +++ b/appvm/qvm-copy-to-vm 
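Review bot: `setuid(getuid())` in `main()` is unchecked, and core-appvm.spec installs this binary `%attr(4755,root,root)`; if the drop fails (Linux can return EAGAIN under RLIMIT_NPROC) the rest of the program keeps running as root, so it should be `if (setuid(getuid()) < 0) { perror("setuid"); exit(1); }` (CERT POS36-C/POS37-C). Calling it after `xs_domain_open()` looks intentional so the xenstore handle is obtained with privilege, and a one-line comment would make that explicit, e.g. `/* open xenstore while still root, then drop to the invoking user */`. `check_name()` rejects digits, so a VM named like `work2` cannot be a target; if digits are legal in VM names the allowlist should also accept `'0'..'9'`. The `#include` lines are rendered empty here, so the headers cannot be verified.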
@@ -0,0 +1,40 @@ +#!/bin/sh +# +# The Qubes OS Project, http://www.qubes-os.org +# +# Copyright (C) 2010 Rafal Wojtczuk +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# + +if [ $# -lt 2 ] ; then + echo usage: $0 'vmname file [file]*' + exit 1 +fi +qubes_penctl new || exit 1 +echo -n Waiting for the Qubes virtual pendrive +while ! [ -e /dev/xvdg ] ; do + echo -n . + sleep 1 +done +echo " received" +mount /mnt/outgoing +VMNAME=$1 +shift +cp -v -a $* /mnt/outgoing +#sometimes Dolphin lags a bit +umount /mnt/outgoing || (sleep 1; umount /mnt/outgoing) || exit 1 +qubes_penctl send $VMNAME || exit 1 diff --git a/appvm/qvm-copy-to-vm.kde b/appvm/qvm-copy-to-vm.kde new file mode 100755 index 0000000..0278db1 --- /dev/null +++ b/appvm/qvm-copy-to-vm.kde 
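Review bot: `cp -v -a $* /mnt/outgoing` word-splits the file arguments, so any path containing whitespace is broken apart (the TODO added in this commit records exactly this symptom); it should be `cp -v -a "$@" /mnt/outgoing`, with the `shift` kept in front of it. `mount /mnt/outgoing` is unchecked, so when the mount fails the files are copied onto the root filesystem under /mnt/outgoing and only the later `umount` reports an error, after the data has already landed in the wrong place; `mount /mnt/outgoing || exit 1` closes that. The `while ! [ -e /dev/xvdg ]` loop has no timeout, so a pendrive that never arrives hangs the command indefinitely. `$VMNAME` on the `qubes_penctl send` line should be quoted as well, even though qubes_penctl validates it.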
@@ -0,0 +1,42 @@ +#!/bin/sh +# +# The Qubes OS Project, http://www.qubes-os.org +# +# Copyright (C) 2010 Rafal Wojtczuk +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# + +FILES="$*" +VM=$(kdialog -inputbox "Enter the VM name to send $FILE to:") +if [ X$VM = X ] ; then exit 0 ; fi +DEST=/mnt/outgoing +SIZE=$(du -c $FILES | tail -1 | cut -f 1) +REF=$(kdialog --progressbar "Copy progress") +qdbus $REF org.freedesktop.DBus.Properties.Set "" maximum $SIZE +FLAG=$(mktemp) +(qvm-copy-to-vm $VM $FILES ; rm $FLAG) & +while ! grep -q $DEST /proc/mounts && [ -f $FLAG ] ; do + sleep 0.1 +done +while grep -q $DEST /proc/mounts ; do + CURRSIZE=$(du -c $DEST | tail -1 | cut -f 1) + qdbus $REF org.freedesktop.DBus.Properties.Set "" value $CURRSIZE + sleep 1 +done +qdbus $REF close + + diff --git a/appvm/qvm-copy.desktop b/appvm/qvm-copy.desktop new file mode 100644 index 0000000..6d7ebc6 --- /dev/null +++ b/appvm/qvm-copy.desktop @@ -0,0 +1,10 @@ +[Desktop Entry] +Actions=QvmCopy; +Type=Service +X-KDE-ServiceTypes=KonqPopupMenu/Plugin,inode/directory,all/allfiles + +[Desktop Action QvmCopy] +Exec=/usr/bin/qvm-copy-to-vm.kde %U +Icon=kget +Name=Send To VM + diff --git a/netvm/fstab b/netvm/fstab new file mode 100644 index 0000000..403b0d5 --- /dev/null +++ b/netvm/fstab 
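Review bot: The kdialog prompt interpolates `$FILE`, which is never assigned (the variable set on the line above is `FILES`), so the dialog reads "Enter the VM name to send  to:"; it should be `VM=$(kdialog -inputbox "Enter the VM name to send $FILES to:")`. `FILES="$*"` collapses all arguments into one string and every later use (`du -c $FILES`, `qvm-copy-to-vm $VM $FILES`) re-splits it on whitespace, so filenames with spaces break here as well as in qvm-copy-to-vm; passing `"$@"` through to the copy command is the usual fix, though the size computation would need the same treatment. `[ X$VM = X ]` misbehaves for an entry containing spaces; `[ -z "$VM" ]` is the safe equivalent.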
@@ -0,0 +1,14 @@
+
+#
+# /etc/fstab
+# Created by anaconda on Thu Dec 3 11:26:49 2009
+#
+# Accessible filesystems, by reference, are maintained under '/dev/disk'
+# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
+#
+/dev/mapper/dmroot / ext4 defaults,noatime 1 1
+/dev/mapper/dmswap swap swap defaults 0 0
+tmpfs /dev/shm tmpfs defaults 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+sysfs /sys sysfs defaults 0 0
+proc /proc proc defaults 0 0
diff --git a/netvm/iptables b/netvm/iptables
new file mode 100644
index 0000000..67d2d80
--- /dev/null
+++ b/netvm/iptables
@@ -0,0 +1,17 @@
+# Generated by iptables-save v1.4.5 on Thu Apr 1 10:55:18 2010
+*nat
+:PREROUTING ACCEPT [3:696]
+:POSTROUTING ACCEPT [1:67]
+:OUTPUT ACCEPT [1:67]
+-A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
+COMMIT
+# Completed on Thu Apr 1 10:55:18 2010
+# Generated by iptables-save v1.4.5 on Thu Apr 1 10:55:18 2010
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i br0 -p udp -m udp --dport 68 -j DROP
+-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
+COMMIT
+# Completed on Thu Apr 1 10:55:18 2010
diff --git a/netvm/qubes_core b/netvm/qubes_core
new file mode 100755
index 0000000..776fa7a
--- /dev/null
+++ b/netvm/qubes_core
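Review bot: The filter table ships with `:FORWARD ACCEPT` and no rule between the `vif+` interfaces, so one AppVM can reach another through the NetVM, which the TODO added in this commit lists as something to prevent; because the vifs are bridged on `br0` in qubes_core, enforcing it needs either an ebtables rule or, with bridge netfilter enabled, `-A FORWARD -m physdev --physdev-in vif+ --physdev-out vif+ -j DROP` before `COMMIT`. `:INPUT ACCEPT` also leaves every service listening in the NetVM (dnsmasq, started by netvm/qubes_core) reachable from the upstream network apart from the two DHCP drops; a default-deny INPUT with explicit allows for established traffic and for DNS on `br0`/`vif+` would match the posture of appvm/iptables. The MASQUERADE rule hard-codes `10.1.0.0/16` while qubes_core reads `qubes_netvm_network` and `qubes_netvm_netmask` from xenstore, so the two can drift; a comment naming which is authoritative would help.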
@@ -0,0 +1,55 @@ +#!/bin/sh +# +# chkconfig: 345 90 90 +# description: Executes Qubes core scripts at VM boot +# +# Source function library. +. /etc/rc.d/init.d/functions + +start() +{ + echo -n $"Executing Qubes Core scripts NetVM:" + + if ! [ -x /usr/bin/xenstore-read ] ; then + echo "ERROR: /usr/bin/xenstore-read not found!" + exit 1 + fi + + name=$(/usr/bin/xenstore-read name) + hostname $name + + # Setup gateway for all the VMs this netVM is serviceing... + brctl addbr br0 + gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway) + netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask) + network=$(/usr/bin/xenstore-read qubes_netvm_network) + ifconfig br0 $gateway netmask $netmask up + echo "1" > /proc/sys/net/ipv4/ip_forward + dnsmasq --listen-address $gateway --bind-interfaces +#now done by iptables rc script +# iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE + + success + echo "" + return 0 +} + +stop() +{ + return 0 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + *) + echo $"Usage: $0 {start|stop}" + exit 3 + ;; +esac + +exit $RETVAL diff --git a/rpm_spec/core-appvm.spec b/rpm_spec/core-appvm.spec new file mode 100644 index 0000000..d88ea3c --- /dev/null +++ b/rpm_spec/core-appvm.spec 
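Review bot: `start()` calls `success` and returns 0 regardless of whether `brctl addbr br0`, `ifconfig br0 ...` or `dnsmasq` succeeded, so a NetVM whose gateway setup failed still reports a green start; chaining those three with `|| { failure; return 1; }` (the sourced init.d `functions` library presumably provides `failure` alongside `success`) makes the status honest. `network=$(/usr/bin/xenstore-read qubes_netvm_network)` is no longer used once the MASQUERADE line is commented out, so it is dead and can go together with the commented command. The xenstore values are expanded unquoted on the `hostname` and `ifconfig` lines; quoting them costs nothing. `exit $RETVAL` references a variable the script never sets, so the exit status is always 0.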
@@ -0,0 +1,162 @@ +# +# The Qubes OS Project, http://www.qubes-os.org +# +# Copyright (C) 2010 Joanna Rutkowska +# Copyright (C) 2010 Rafal Wojtczuk +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# + +%{!?version: %define version %(cat version_vm)} + +Name: qubes-core-appvm +Version: %{version} +Release: 1 +Summary: The Qubes core files for AppVM + +Group: Qubes +Vendor: Invisible Things Lab +License: GPL +URL: http://www.qubes-os.org +Requires: /usr/bin/xenstore-read +Provides: qubes-core-vm + +%define _builddir %(pwd)/appvm + +%define kde_service_dir /usr/share/kde4/services/ServiceMenus + +%description +The Qubes core files for installation inside a Qubes AppVM. 
+ +%pre + +mkdir -p $RPM_BUILD_ROOT/var/lib/qubes +[ -e $RPM_BUILD_ROOT/etc/fstab ] && mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig + +%build +make clean all + +%install + +mkdir -p $RPM_BUILD_ROOT/etc +cp fstab $RPM_BUILD_ROOT/etc/fstab +mkdir -p $RPM_BUILD_ROOT/etc/init.d +cp qubes_core $RPM_BUILD_ROOT/etc/init.d/ +mkdir -p $RPM_BUILD_ROOT/var/lib/qubes +mkdir -p $RPM_BUILD_ROOT/usr/bin +cp qubes_add_pendrive_script qubes_penctl qvm-copy-to-vm qvm-copy-to-vm.kde $RPM_BUILD_ROOT/usr/bin +mkdir -p $RPM_BUILD_ROOT/%{kde_service_dir} +cp qvm-copy.desktop $RPM_BUILD_ROOT/%{kde_service_dir} +mkdir -p $RPM_BUILD_ROOT/etc/udev/rules.d +cp qubes.rules $RPM_BUILD_ROOT/etc/udev/rules.d +mkdir -p $RPM_BUILD_ROOT/etc/sysconfig +cp iptables $RPM_BUILD_ROOT/etc/sysconfig/ +mkdir -p $RPM_BUILD_ROOT/mnt/incoming +mkdir -p $RPM_BUILD_ROOT/mnt/outgoing + +%post + +if [ "$1" != 1 ] ; then +# do this whole %post thing only when updating for the first time... +exit 0 +fi + +echo "--> Disabling SELinux..." +sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed +mv /etc/selinux/config.processed /etc/selinux/config +setenforce 0 + +echo "--> Turning off unnecessary services..." +# FIXME: perhaps there is more elegant way to do this? +for f in /etc/init.d/* +do + srv=`basename $f` + [ $srv = 'functions' ] && continue + [ $srv = 'killall' ] && continue + [ $srv = 'halt' ] && continue + chkconfig $srv off +done + +echo "--> Enabling essential services..." +chkconfig rsyslog on +chkconfig haldaemon on +chkconfig messagebus on +chkconfig cups on +chkconfig iptables on +chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" + + +sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab + +# Remove most of the udev scripts to speed up the VM boot time +# Just leave the xen* scripts, that are needed if this VM was +# ever used as a net backend (e.g. 
as a VPN domain in the future) +echo "--> Removing unnecessary udev scripts..." +mkdir -p /var/lib/qubes/removed-udev-scripts +for f in /etc/udev/rules.d/* +do + if [ $(basename $f) == "xen-backend.rules" ] ; then + continue + fi + + if [ $(basename $f) == "xend.rules" ] ; then + continue + fi + + if [ $(basename $f) == "qubes.rules" ] ; then + continue + fi + + if [ $(basename $f) == "90-hal.rules" ] ; then + continue + fi + + + mv $f /var/lib/qubes/removed-udev-scripts/ +done + +mkdir -p /rw +#rm -f /etc/mtab +echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" +mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig +grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 + +%preun +if [ "$1" = 0 ] ; then + # no more packages left + chkconfig qubes_core off + mv /var/lib/qubes/fstab.orig /etc/fstab + mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ +fi + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root,-) +/etc/fstab +/etc/init.d/qubes_core +/usr/bin/qvm-copy-to-vm +/usr/bin/qvm-copy-to-vm.kde +%{kde_service_dir}/qvm-copy.desktop +%attr(4755,root,root) /usr/bin/qubes_penctl +/usr/bin/qubes_add_pendrive_script +/etc/udev/rules.d/qubes.rules +/etc/sysconfig/iptables +%dir /var/lib/qubes +%dir /mnt/incoming +%dir /mnt/outgoing diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec new file mode 100644 index 0000000..39a0cdf --- /dev/null +++ b/rpm_spec/core-netvm.spec 
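Review bot: The `%pre` scriptlet uses `$RPM_BUILD_ROOT`, which is a build-time variable that is not set when the package is installed, so `mv $RPM_BUILD_ROOT/etc/fstab ...` only works because the empty expansion resolves to the real `/etc/fstab`; the scriptlet should name `/etc/fstab` and `/var/lib/qubes` directly (core-netvm.spec has the identical `%pre`). `%post` disables SELinux permanently (`SELINUX=disabled` plus `setenforce 0`) and switches every init script off; since that is a deliberate design choice, the rationale belongs in a comment next to it, e.g. `# SELinux is disabled inside VMs: the isolation boundary is the VM itself, not MAC within it`. The udev loop compares with `==` inside `[ ]`, which fails under a non-bash `/bin/sh`. The `sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed` line as rendered here has no input from `/etc/selinux/config`; if a redirection was lost in rendering ignore this, otherwise `config.processed` does not exist before the `mv`.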
@@ -0,0 +1,142 @@ +# +# The Qubes OS Project, http://www.qubes-os.org +# +# Copyright (C) 2010 Joanna Rutkowska +# Copyright (C) 2010 Rafal Wojtczuk +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# + +%{!?version: %define version %(cat version_vm)} + +Name: qubes-core-netvm +Version: %{version} +Release: 1 +Summary: The Qubes core files for NetVM + +Group: Qubes +Vendor: Invisible Things Lab +License: GPL +URL: http://www.qubes-os.org +Requires: /usr/bin/xenstore-read +Provides: qubes-core-vm + +%define _builddir %(pwd)/netvm + +%description +The Qubes core files for installation inside a Qubes NetVM. + +%pre + +mkdir -p $RPM_BUILD_ROOT/var/lib/qubes +[ -e $RPM_BUILD_ROOT/etc/fstab ] && mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig + +%build + +%install + +mkdir -p $RPM_BUILD_ROOT/etc/sysconfig +cp iptables $RPM_BUILD_ROOT/etc/sysconfig +mkdir -p $RPM_BUILD_ROOT/etc +cp fstab $RPM_BUILD_ROOT/etc/fstab +mkdir -p $RPM_BUILD_ROOT/etc/init.d +cp qubes_core $RPM_BUILD_ROOT/etc/init.d/ +mkdir -p $RPM_BUILD_ROOT/var/lib/qubes + +%post + +if [ "$1" != 1 ] ; then +# do this whole %post thing only when updating for the first time... +exit 0 +fi + +echo "--> Disabling SELinux..." 
+sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed +mv /etc/selinux/config.processed /etc/selinux/config +setenforce 0 + +echo "--> Turning off unnecessary services..." +# FIXME: perhaps there is more elegant way to do this? +for f in /etc/init.d/* +do + srv=`basename $f` + [ $srv = 'functions' ] && continue + [ $srv = 'killall' ] && continue + [ $srv = 'halt' ] && continue + chkconfig $srv off +done + +echo "--> Enabling essential services..." +chkconfig iptables on +chkconfig rsyslog on +chkconfig haldaemon on +chkconfig messagebus on +chkconfig NetworkManager on +chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" + + +sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab + +# Remove most of the udev scripts to speed up the VM boot time +# Just leave the xen* scripts, that are needed if this VM was +# ever used as a net backend (e.g. as a VPN domain in the future) +echo "--> Removing unnecessary udev scripts..." 
+mkdir -p /var/lib/qubes/removed-udev-scripts +for f in /etc/udev/rules.d/* +do + if [ $(basename $f) == "xen-backend.rules" ] ; then + continue + fi + + if [ $(basename $f) == "xend.rules" ] ; then + continue + fi + + if [ $(basename $f) == "qubes.rules" ] ; then + continue + fi + + if [ $(basename $f) == "90-hal.rules" ] ; then + continue + fi + + + mv $f /var/lib/qubes/removed-udev-scripts/ +done + +#rm -f /etc/mtab +#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" +#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig +#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 + +%preun +if [ "$1" = 0 ] ; then + # no more packages left + chkconfig qubes_core off + mv /var/lib/qubes/fstab.orig /etc/fstab + mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ +fi + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root,-) +/etc/fstab +/etc/sysconfig/iptables +/etc/init.d/qubes_core +%dir /var/lib/qubes diff --git a/rpm_spec/dom0-cleanup.spec b/rpm_spec/dom0-cleanup.spec new file mode 100644 index 0000000..3f6dee1 --- /dev/null +++ b/rpm_spec/dom0-cleanup.spec 
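Review bot: `%files` lists `/etc/sysconfig/iptables` and `/etc/fstab` as plain files, so every package upgrade overwrites them and any firewall rules an administrator added to the NetVM are lost silently; marking them `%config(noreplace) /etc/sysconfig/iptables` and `%config(noreplace) /etc/fstab` makes rpm keep the local copy and drop the new one as `.rpmnew`. core-appvm.spec's `%files` has the same omission for the same two paths. `%preun` moves `/var/lib/qubes/fstab.orig` back unconditionally, but `%pre` only creates it when `/etc/fstab` existed, so the uninstall scriptlet can fail on that `mv`; guarding it with `[ -e /var/lib/qubes/fstab.orig ] &&` keeps the two symmetrical.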
@@ -0,0 +1,78 @@ +# +# The Qubes OS Project, http://www.qubes-os.org +# +# Copyright (C) 2010 Joanna Rutkowska +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# + +Name: qubes-dom0-cleanup +Version: 0.2.2 +Release: 1 +Summary: Additional tools that cleans up some unnecessary stuff in Qubes's Dom0 + +Group: Qubes +Vendor: Invisible Things Lab +License: GPL +URL: http://www.qubes-os.org +Requires: qubes-core-dom0 + +%define _builddir %(pwd)/dom0 + +%description +Additional tools that cleans up some unnecessary stuff in Qubes's Dom0 + +%install + +mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes +cp aux-tools/check_and_remove_appmenu.sh $RPM_BUILD_ROOT/usr/lib/qubes +cp aux-tools/remove_dom0_appmenus.sh $RPM_BUILD_ROOT/usr/lib/qubes + +%post +echo "--> Turning off unnecessary services..." +# FIXME: perhaps there is more elegant way to do this? +for f in /etc/init.d/* +do + srv=`basename $f` + [ $srv = 'functions' ] && continue + [ $srv = 'killall' ] && continue + [ $srv = 'halt' ] && continue + chkconfig $srv off +done + +#echo "--> Enabling essential services..." +chkconfig abrtd on +chkconfig haldaemon on +chkconfig messagebus on +chkconfig xenstored on +chkconfig xend on +chkconfig xenconsoled on +chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" 
+chkconfig qubes_netvm on || echo "WARNING: Cannot enable service qubes_core!" + +/usr/lib/qubes/remove_dom0_appmenus.sh + +%clean +rm -rf $RPM_BUILD_ROOT + +%postun + +mv /var/lib/qubes/backup/removed-apps/* /usr/share/applications +xdg-desktop-menu forceupdate + +%files +/usr/lib/qubes/check_and_remove_appmenu.sh +/usr/lib/qubes/remove_dom0_appmenus.sh diff --git a/version_vm b/version_vm new file mode 100644 index 0000000..3eefcb9 --- /dev/null +++ b/version_vm @@ -0,0 +1 @@ +1.0.0
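Review bot: The last `chkconfig` line enables `qubes_netvm` but its fallback message says `Cannot enable service qubes_core!`, a copy-paste slip that will mislead whoever reads the install log; it should be `chkconfig qubes_netvm on || echo "WARNING: Cannot enable service qubes_netvm!"`. Unlike the two VM specs, this `%post` has no `if [ "$1" != 1 ]` guard, so every upgrade of the package re-runs the loop that switches off all of dom0's init scripts, including any the administrator enabled after the first install. `%install` copies `aux-tools/check_and_remove_appmenu.sh` and `aux-tools/remove_dom0_appmenus.sh` from a `dom0` build directory that is not among the files this commit adds, so the package cannot be built from this tree alone.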