Initial public commit.

(c) 2010 Invisible Things Lab

Authors:
=========
Joanna Rutkowska <joanna@invisiblethingslab.com>
Rafal Wojtczuk  <rafal@invisiblethingslab.com>

.gitignore

@@ -0,0 +1,2 @@
+rpm/
+*.pyc

Makefile

@@ -0,0 +1,18 @@
+RPMS_DIR=rpm/
+help:
+	@echo "make rpms        -- generate binary rpm packages"
+	@echo "make update_repo -- copy newly generated rpms to qubes yum repo"
+
+rpms:	
+	rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-appvm.spec
+	rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-netvm.spec
+	rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-dom0.spec
+	rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/dom0-cleanup.spec
+	rpm --addsign $(RPMS_DIR)/x86_64/*.rpm
+
+update_repo:
+	ln -f $(RPMS_DIR)/x86_64/*.rpm ../yum/rpm/
+	(if [ -d $(RPMS_DIR)/i686 ] ; then ln -f $(RPMS_DIR)/i686/*.rpm ../yum/rpm/; fi)
+
+clean:
+	(cd appvm && make clean)

TODO

@@ -0,0 +1,16 @@
+* file exchange -- handle correctly files that have spaces in name
+-- qvm-copy-to-vm* do not copy files in the top directory has spaces in the name
+
+* qvm-update-appmenus
+-- let the user install appmenus for (potential) new apps after template update
+-- BUT: potential problem of Dom0 needing to mount the template's fs
+-- but: perhaps we should trust the template and its update process?
+
+* netvm: prevent inter-VM networking
+-- do not allow one AppVM to send any packets to other AppVMs that use the same netvm
+
+* qvm-prefs: allow to grow/shrink AppVM's private.img?
+
+* Dom0 udev scripts: do not load network drivers at all!
+
+* Dom0: detect when running without VT-d enabled and display a warning

appvm/Makefile

@@ -0,0 +1,9 @@
+CC=gcc
+CFLAGS=-Wall
+all:	qubes_penctl qubes_add_pendrive_script
+qubes_penctl: qubes_penctl.o
+	$(CC) -o qubes_penctl qubes_penctl.o -lxenstore
+qubes_add_pendrive_script: qubes_add_pendrive_script.o
+	$(CC) -o qubes_add_pendrive_script qubes_add_pendrive_script.o
+clean:
+	rm -f qubes_penctl qubes_add_pendrive_script *.o *~

appvm/fstab

@@ -0,0 +1,17 @@
+
+#
+# /etc/fstab
+# Created by anaconda on Thu Dec  3 11:26:49 2009
+#
+# Accessible filesystems, by reference, are maintained under '/dev/disk'
+# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
+#
+/dev/mapper/dmroot /                       ext4 defaults,noatime        1 1
+/dev/mapper/dmswap swap                    swap    defaults        0 0
+/dev/xvdb		/rw			ext4	defaults	0 0
+tmpfs                   /dev/shm                tmpfs   defaults        0 0
+devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
+sysfs                   /sys                    sysfs   defaults        0 0
+proc                    /proc                   proc    defaults        0 0
+/dev/xvdg	/mnt/outgoing	vfat noauto,user,rw 0 0
+/dev/xvdh	/mnt/incoming	vfat noauto,user,rw 0 0

appvm/iptables

@@ -0,0 +1,12 @@
+# Firewall configuration written by system-config-firewall
+# Manual customization of this file is not recommended.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT

appvm/qubes.rules

@@ -0,0 +1 @@
+SUBSYSTEM=="block", KERNEL=="xvdh", ACTION=="add", RUN+="/usr/bin/qubes_add_pendrive_script"

appvm/qubes_add_pendrive_script.c

@@ -0,0 +1,87 @@
+/*
+ * The Qubes OS Project, http://www.qubes-os.org
+ *
+ * Copyright (C) 2010  Rafal Wojtczuk  <rafal@invisiblethingslab.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/inotify.h>
+#include <fcntl.h>
+#include <stdlib.h>
+int parse_events(char *buf, int len)
+{
+	int i = 0;
+	while (i < len) {
+		struct inotify_event *ev = (struct inotify_event *)(buf + i);
+		if ((ev->mask & IN_UNMOUNT) || (ev->mask & IN_IGNORED))
+			return 1;
+		i += sizeof(struct inotify_event) + ev->len;
+	}
+	return 0;
+}
+
+#define BUFLEN 1024
+void wait_for_umount(char *name)
+{
+	char buf[BUFLEN];
+	int fd = inotify_init();
+	int len;
+	int ret = inotify_add_watch(fd, name, IN_ATTRIB);
+	if (ret < 0) {
+		perror("inotify_add_watch");
+		return;
+	}
+	for (;;) {
+		len = read(fd, buf, BUFLEN - 1);
+		if (len <= 0) {
+			perror("read inotify");
+			return;
+		}
+		if (parse_events(buf, len))
+			return;
+	}
+}
+
+void background()
+{
+	int i, fd;
+	for (i = 0; i < 256; i++)
+		close(i);
+	fd = open("/dev/null", O_RDWR);
+	for (i = 0; i <= 2; i++)
+		dup2(fd, i);
+	switch (fork()) {
+	case -1:
+		exit(1);
+	case 0: break;
+	default:
+		exit(0);
+	}
+}
+
+
+#define MOUNTDIR "/mnt/incoming"
+int main()
+{
+	background();
+	if (!system("su - user -c 'mount " MOUNTDIR "'"))
+		wait_for_umount(MOUNTDIR "/.");
+	system("xenstore-write device/qpen umount");
+	return 0;
+}

appvm/qubes_core

@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# chkconfig: 345 90 90
+# description: Executes Qubes core scripts at VM boot
+#
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+start()
+{
+	echo -n $"Executing Qubes Core scripts:"
+
+	if ! [ -d /rw/home ] ; then
+	    echo
+	    echo "--> Virgin boot of the VM: Linking /home to /rw/home"
+	    mv /home /home.orig
+	    mkdir -p /rw/config
+	    mkdir -p /rw/home
+	    ln -s /rw/home/ /home
+#	    chcon --reference /home.orig /rw/home
+	    cp -a /home.orig/user /home
+	    touch /rw/config/rc.local
+	    rm -fr /home.orig
+	    touch /var/lib/qubes/first_boot_completed
+    else
+	    mv /home /home.tmpl
+	    ln -s /rw/home/ /home
+	fi
+
+
+	if ! [ -x /usr/bin/xenstore-read ] ; then
+		echo "ERROR: /usr/bin/xenstore-read not found!"
+		exit 1
+	fi
+
+	name=$(/usr/bin/xenstore-read name)
+	hostname $name
+
+	vmtype=$(/usr/bin/xenstore-read qubes_vm_type)
+
+	if [ $vmtype == 'NetVM' ] ; then
+	    # Setup gateway for all the VMs this netVM is serviceing...
+	    brctl addbr br0
+	    gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
+	    netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
+	    network=$(/usr/bin/xenstore-read qubes_netvm_network)
+	    ifconfig br0 $gateway netmask $netmask up
+	    echo "1" > /proc/sys/net/ipv4/ip_forward
+	    dnsmasq
+	    iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE
+	else
+	    ip=$(/usr/bin/xenstore-read qubes_ip)
+	    netmask=$(/usr/bin/xenstore-read qubes_netmask)
+	    gateway=$(/usr/bin/xenstore-read qubes_gateway)
+        if [ x$ip != x ]; then
+            /sbin/ifconfig eth0 $ip netmask $netmask up
+            /sbin/route add default gw $gateway
+            echo "nameserver $gateway" > /etc/resolv.conf
+        fi
+	fi
+
+	
+	[ -x /rw/config/rc.local ] && /rw/config/rc.local
+	success
+	echo ""
+	return 0
+}
+
+stop()
+{
+	return 0
+}
+
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  *)
+	echo $"Usage: $0 {start|stop}"
+	exit 3
+	;;
+esac
+
+exit $RETVAL

appvm/qubes_penctl.c

@@ -0,0 +1,71 @@
+/*
+ * The Qubes OS Project, http://www.qubes-os.org
+ *
+ * Copyright (C) 2010  Rafal Wojtczuk  <rafal@invisiblethingslab.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ *
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <xs.h>
+int check_name(unsigned char *s)
+{
+	int c;
+	for (; *s; s++) {
+		c = *s;
+		if (c >= 'a' && c <= 'z')
+			continue;
+		if (c >= 'A' && c <= 'Z')
+			continue;
+		if (c == '_' || c == '-')
+			continue;
+		return 0;
+	}
+	return 1;
+}
+
+int main(int argc, char **argv)
+{
+	char buf[256] = "new";
+	struct xs_handle *xs;
+	xs = xs_domain_open();
+	setuid(getuid());
+	if (!xs) {
+		perror("xs_domain_open");
+		exit(1);
+	}
+	if (argc < 2) {
+		fprintf(stderr, "usage: %s new\n"
+			"%s send vmname\n", argv[0], argv[0]);
+		exit(1);
+	}
+	if (argc > 2) {
+		if (!check_name((unsigned char*)argv[2])) {
+			fprintf(stderr, "invalid vmname %s\n", argv[2]);
+			exit(1);
+		}
+		snprintf(buf, sizeof(buf), "send %s", argv[2]);
+	}
+	if (!xs_write(xs, 0, "device/qpen", buf, strlen(buf))) {
+		perror("xs_write");
+		exit(1);
+	}
+	xs_daemon_close(xs);
+	return 0;
+}

appvm/qvm-copy-to-vm

@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2010  Rafal Wojtczuk  <rafal@invisiblethingslab.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+#
+
+if [ $# -lt 2 ] ; then
+	echo usage: $0 'vmname file [file]*'
+	exit 1
+fi
+qubes_penctl new || exit 1
+echo -n Waiting for the Qubes virtual pendrive
+while ! [ -e /dev/xvdg ] ; do
+	echo -n .
+	sleep 1
+done
+echo " received"
+mount /mnt/outgoing 
+VMNAME=$1
+shift
+cp -v -a $* /mnt/outgoing
+#sometimes Dolphin lags a bit
+umount /mnt/outgoing || (sleep 1; umount /mnt/outgoing) || exit 1
+qubes_penctl send $VMNAME || exit 1

appvm/qvm-copy-to-vm.kde

@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2010  Rafal Wojtczuk  <rafal@invisiblethingslab.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+#
+
+FILES="$*"
+VM=$(kdialog -inputbox "Enter the VM name to send $FILE to:")
+if [ X$VM = X ] ; then exit 0 ; fi
+DEST=/mnt/outgoing
+SIZE=$(du -c $FILES | tail -1 | cut -f 1)
+REF=$(kdialog --progressbar "Copy progress")
+qdbus $REF org.freedesktop.DBus.Properties.Set "" maximum $SIZE
+FLAG=$(mktemp)
+(qvm-copy-to-vm $VM $FILES ; rm $FLAG)  &
+while ! grep -q $DEST /proc/mounts && [ -f $FLAG ] ; do
+	sleep 0.1
+done
+while grep -q $DEST /proc/mounts ; do
+	CURRSIZE=$(du -c $DEST | tail -1 | cut -f 1)
+	qdbus $REF  org.freedesktop.DBus.Properties.Set "" value $CURRSIZE
+	sleep 1
+done
+qdbus $REF close
+
+ 

appvm/qvm-copy.desktop

@@ -0,0 +1,10 @@
+[Desktop Entry]
+Actions=QvmCopy;
+Type=Service
+X-KDE-ServiceTypes=KonqPopupMenu/Plugin,inode/directory,all/allfiles
+
+[Desktop Action QvmCopy]
+Exec=/usr/bin/qvm-copy-to-vm.kde %U
+Icon=kget
+Name=Send To VM
+

netvm/fstab

@@ -0,0 +1,14 @@
+
+#
+# /etc/fstab
+# Created by anaconda on Thu Dec  3 11:26:49 2009
+#
+# Accessible filesystems, by reference, are maintained under '/dev/disk'
+# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
+#
+/dev/mapper/dmroot /                       ext4 defaults,noatime        1 1
+/dev/mapper/dmswap swap                    swap    defaults        0 0
+tmpfs                   /dev/shm                tmpfs   defaults        0 0
+devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
+sysfs                   /sys                    sysfs   defaults        0 0
+proc                    /proc                   proc    defaults        0 0

netvm/iptables

@@ -0,0 +1,17 @@
+# Generated by iptables-save v1.4.5 on Thu Apr  1 10:55:18 2010
+*nat
+:PREROUTING ACCEPT [3:696]
+:POSTROUTING ACCEPT [1:67]
+:OUTPUT ACCEPT [1:67]
+-A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
+COMMIT
+# Completed on Thu Apr  1 10:55:18 2010
+# Generated by iptables-save v1.4.5 on Thu Apr  1 10:55:18 2010
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i br0 -p udp -m udp --dport 68 -j DROP
+-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
+COMMIT
+# Completed on Thu Apr  1 10:55:18 2010

netvm/qubes_core

@@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# chkconfig: 345 90 90
+# description: Executes Qubes core scripts at VM boot
+#
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+start()
+{
+	echo -n $"Executing Qubes Core scripts NetVM:"
+
+	if ! [ -x /usr/bin/xenstore-read ] ; then
+		echo "ERROR: /usr/bin/xenstore-read not found!"
+		exit 1
+	fi
+
+	name=$(/usr/bin/xenstore-read name)
+	hostname $name
+
+    # Setup gateway for all the VMs this netVM is serviceing...
+    brctl addbr br0
+    gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
+    netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
+    network=$(/usr/bin/xenstore-read qubes_netvm_network)
+    ifconfig br0 $gateway netmask $netmask up
+    echo "1" > /proc/sys/net/ipv4/ip_forward
+    dnsmasq --listen-address $gateway --bind-interfaces
+#now done by iptables rc script
+#    iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE
+	
+	success
+	echo ""
+	return 0
+}
+
+stop()
+{
+	return 0
+}
+
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  *)
+	echo $"Usage: $0 {start|stop}"
+	exit 3
+	;;
+esac
+
+exit $RETVAL

rpm_spec/core-appvm.spec

@@ -0,0 +1,162 @@
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2010  Joanna Rutkowska <joanna@invisiblethingslab.com>
+# Copyright (C) 2010  Rafal Wojtczuk  <rafal@invisiblethingslab.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+#
+
+%{!?version: %define version %(cat version_vm)}
+
+Name:		qubes-core-appvm
+Version:	%{version}
+Release:	1
+Summary:	The Qubes core files for AppVM
+
+Group:		Qubes
+Vendor:		Invisible Things Lab
+License:	GPL
+URL:		http://www.qubes-os.org
+Requires:	/usr/bin/xenstore-read
+Provides:   qubes-core-vm
+
+%define _builddir %(pwd)/appvm
+
+%define kde_service_dir /usr/share/kde4/services/ServiceMenus 
+
+%description
+The Qubes core files for installation inside a Qubes AppVM.
+
+%pre
+
+mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
+[ -e $RPM_BUILD_ROOT/etc/fstab ] && mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig
+
+%build
+make clean all
+
+%install
+
+mkdir -p $RPM_BUILD_ROOT/etc
+cp fstab $RPM_BUILD_ROOT/etc/fstab
+mkdir -p $RPM_BUILD_ROOT/etc/init.d
+cp qubes_core $RPM_BUILD_ROOT/etc/init.d/
+mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
+mkdir -p $RPM_BUILD_ROOT/usr/bin
+cp qubes_add_pendrive_script qubes_penctl qvm-copy-to-vm  qvm-copy-to-vm.kde $RPM_BUILD_ROOT/usr/bin
+mkdir -p $RPM_BUILD_ROOT/%{kde_service_dir}
+cp qvm-copy.desktop $RPM_BUILD_ROOT/%{kde_service_dir}
+mkdir -p $RPM_BUILD_ROOT/etc/udev/rules.d
+cp qubes.rules $RPM_BUILD_ROOT/etc/udev/rules.d
+mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
+cp iptables $RPM_BUILD_ROOT/etc/sysconfig/
+mkdir -p $RPM_BUILD_ROOT/mnt/incoming
+mkdir -p $RPM_BUILD_ROOT/mnt/outgoing
+
+%post
+
+if [ "$1" !=  1 ] ; then
+# do this whole %post thing only when updating for the first time...
+exit 0
+fi
+
+echo "--> Disabling SELinux..."
+sed -e s/^SELINUX=.*$/SELINUX=disabled/ </etc/selinux/config >/etc/selinux/config.processed
+mv /etc/selinux/config.processed /etc/selinux/config
+setenforce 0
+
+echo "--> Turning off unnecessary services..."
+# FIXME: perhaps there is more elegant way to do this? 
+for f in /etc/init.d/*
+do
+        srv=`basename $f`
+        [ $srv = 'functions' ] && continue
+        [ $srv = 'killall' ] && continue
+        [ $srv = 'halt' ] && continue
+        chkconfig $srv off
+done
+
+echo "--> Enabling essential services..."
+chkconfig rsyslog on
+chkconfig haldaemon on
+chkconfig messagebus on
+chkconfig cups on
+chkconfig iptables on
+chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!"
+chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!"
+
+
+sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab
+
+# Remove most of the udev scripts to speed up the VM boot time
+# Just leave the xen* scripts, that are needed if this VM was
+# ever used as a net backend (e.g. as a VPN domain in the future)
+echo "--> Removing unnecessary udev scripts..."
+mkdir -p /var/lib/qubes/removed-udev-scripts
+for f in /etc/udev/rules.d/*
+do
+    if [ $(basename $f) == "xen-backend.rules" ] ; then
+        continue
+    fi
+
+    if [ $(basename $f) == "xend.rules" ] ; then
+        continue
+    fi
+
+    if [ $(basename $f) == "qubes.rules" ] ; then
+        continue
+    fi
+
+    if [ $(basename $f) == "90-hal.rules" ] ; then
+        continue
+    fi
+
+
+    mv $f /var/lib/qubes/removed-udev-scripts/
+done
+
+mkdir -p /rw
+#rm -f /etc/mtab
+echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
+mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
+grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0
+
+%preun
+if [ "$1" = 0 ] ; then
+    # no more packages left
+    chkconfig qubes_core off
+    mv /var/lib/qubes/fstab.orig /etc/fstab
+    mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
+fi
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root,-)
+/etc/fstab
+/etc/init.d/qubes_core
+/usr/bin/qvm-copy-to-vm
+/usr/bin/qvm-copy-to-vm.kde
+%{kde_service_dir}/qvm-copy.desktop
+%attr(4755,root,root) /usr/bin/qubes_penctl
+/usr/bin/qubes_add_pendrive_script
+/etc/udev/rules.d/qubes.rules
+/etc/sysconfig/iptables
+%dir /var/lib/qubes
+%dir /mnt/incoming
+%dir /mnt/outgoing

rpm_spec/core-netvm.spec

@@ -0,0 +1,142 @@
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2010  Joanna Rutkowska <joanna@invisiblethingslab.com>
+# Copyright (C) 2010  Rafal Wojtczuk  <rafal@invisiblethingslab.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+#
+
+%{!?version: %define version %(cat version_vm)}
+
+Name:		qubes-core-netvm
+Version:	%{version}
+Release:	1
+Summary:	The Qubes core files for NetVM
+
+Group:		Qubes
+Vendor:		Invisible Things Lab
+License:	GPL
+URL:		http://www.qubes-os.org
+Requires:	/usr/bin/xenstore-read
+Provides:   qubes-core-vm
+
+%define _builddir %(pwd)/netvm
+
+%description
+The Qubes core files for installation inside a Qubes NetVM.
+
+%pre
+
+mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
+[ -e $RPM_BUILD_ROOT/etc/fstab ] && mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig
+
+%build
+
+%install
+
+mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
+cp iptables $RPM_BUILD_ROOT/etc/sysconfig
+mkdir -p $RPM_BUILD_ROOT/etc
+cp fstab $RPM_BUILD_ROOT/etc/fstab
+mkdir -p $RPM_BUILD_ROOT/etc/init.d
+cp qubes_core $RPM_BUILD_ROOT/etc/init.d/
+mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
+
+%post
+
+if [ "$1" !=  1 ] ; then
+# do this whole %post thing only when updating for the first time...
+exit 0
+fi
+
+echo "--> Disabling SELinux..."
+sed -e s/^SELINUX=.*$/SELINUX=disabled/ </etc/selinux/config >/etc/selinux/config.processed
+mv /etc/selinux/config.processed /etc/selinux/config
+setenforce 0
+
+echo "--> Turning off unnecessary services..."
+# FIXME: perhaps there is more elegant way to do this? 
+for f in /etc/init.d/*
+do
+        srv=`basename $f`
+        [ $srv = 'functions' ] && continue
+        [ $srv = 'killall' ] && continue
+        [ $srv = 'halt' ] && continue
+        chkconfig $srv off
+done
+
+echo "--> Enabling essential services..."
+chkconfig iptables on
+chkconfig rsyslog on
+chkconfig haldaemon on
+chkconfig messagebus on
+chkconfig NetworkManager on
+chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!"
+chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!"
+
+
+sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab
+
+# Remove most of the udev scripts to speed up the VM boot time
+# Just leave the xen* scripts, that are needed if this VM was
+# ever used as a net backend (e.g. as a VPN domain in the future)
+echo "--> Removing unnecessary udev scripts..."
+mkdir -p /var/lib/qubes/removed-udev-scripts
+for f in /etc/udev/rules.d/*
+do
+    if [ $(basename $f) == "xen-backend.rules" ] ; then
+        continue
+    fi
+
+    if [ $(basename $f) == "xend.rules" ] ; then
+        continue
+    fi
+
+    if [ $(basename $f) == "qubes.rules" ] ; then
+        continue
+    fi
+
+    if [ $(basename $f) == "90-hal.rules" ] ; then
+        continue
+    fi
+
+
+    mv $f /var/lib/qubes/removed-udev-scripts/
+done
+
+#rm -f /etc/mtab
+#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
+#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
+#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0
+
+%preun
+if [ "$1" = 0 ] ; then
+    # no more packages left
+    chkconfig qubes_core off
+    mv /var/lib/qubes/fstab.orig /etc/fstab
+    mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
+fi
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root,-)
+/etc/fstab
+/etc/sysconfig/iptables
+/etc/init.d/qubes_core
+%dir /var/lib/qubes

rpm_spec/dom0-cleanup.spec

@@ -0,0 +1,78 @@
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2010  Joanna Rutkowska <joanna@invisiblethingslab.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+#
+
+Name:		qubes-dom0-cleanup
+Version:	0.2.2
+Release:	1
+Summary:	Additional tools that cleans up some unnecessary stuff in Qubes's Dom0
+
+Group:		Qubes
+Vendor:		Invisible Things Lab
+License:	GPL
+URL:		http://www.qubes-os.org
+Requires:	qubes-core-dom0
+
+%define _builddir %(pwd)/dom0
+
+%description
+Additional tools that cleans up some unnecessary stuff in Qubes's Dom0
+
+%install
+
+mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes
+cp aux-tools/check_and_remove_appmenu.sh $RPM_BUILD_ROOT/usr/lib/qubes
+cp aux-tools/remove_dom0_appmenus.sh $RPM_BUILD_ROOT/usr/lib/qubes
+
+%post
+echo "--> Turning off unnecessary services..."
+# FIXME: perhaps there is more elegant way to do this? 
+for f in /etc/init.d/*
+do
+        srv=`basename $f`
+        [ $srv = 'functions' ] && continue
+        [ $srv = 'killall' ] && continue
+        [ $srv = 'halt' ] && continue
+        chkconfig $srv off
+done
+
+#echo "--> Enabling essential services..."
+chkconfig abrtd on
+chkconfig haldaemon on
+chkconfig messagebus on
+chkconfig xenstored on
+chkconfig xend on
+chkconfig xenconsoled on
+chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!"
+chkconfig qubes_netvm on || echo "WARNING: Cannot enable service qubes_core!"
+
+/usr/lib/qubes/remove_dom0_appmenus.sh
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%postun
+
+mv /var/lib/qubes/backup/removed-apps/* /usr/share/applications
+xdg-desktop-menu forceupdate
+
+%files
+/usr/lib/qubes/check_and_remove_appmenu.sh
+/usr/lib/qubes/remove_dom0_appmenus.sh

version_vm

@@ -0,0 +1 @@
+1.0.0