Changed location of PROTECTED_FILE_LIST to /etc/qubes/protected-files.d

debian/qubes-core-agent.dirs

@@ -1,2 +1,3 @@
 var/lib/qubes
 lib/modules
+etc/qubes/protected-files.d

debian/qubes-core-agent.postinst

@@ -188,11 +188,11 @@ case "${1}" in
         fi
 
         # Location of files which contains list of protected files
-        PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+        PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 
         # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
         # in the form expected by qubes-sysinit.sh
-        if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+        if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
             for ip in '127\.0\.1\.1' '::1'; do
                 if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
                     sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
@@ -205,7 +205,7 @@ case "${1}" in
 
         # remove hostname from 127.0.0.1 line (in debian the hostname is by default
         # resolved to 127.0.1.1)
-        if ! grep -q "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+        if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
             sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
         fi
 

network/setup-ip

@@ -7,7 +7,7 @@ disablegw=`qubesdb-read /qubes-service/disable-default-route 2> /dev/null`
 disabledns=`qubesdb-read /qubes-service/disable-dns-server 2> /dev/null`
 
 # Location of files which contains list of protected files
-PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 
 ip=`/usr/bin/qubesdb-read /qubes-ip 2> /dev/null`
 if [ x$ip != x ]; then
@@ -22,7 +22,7 @@ if [ x$ip != x ]; then
     fi
     /sbin/ethtool -K $INTERFACE sg off
     /sbin/ethtool -K $INTERFACE tx off
-    if ! grep -q "^/etc/resolv[.]conf$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+    if ! grep -rq "^/etc/resolv[.]conf$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
    	echo > /etc/resolv.conf
         if [ "x$disabledns" != "x1" ]; then
             echo "nameserver $gateway" > /etc/resolv.conf

rpm_spec/core-vm.spec

@@ -240,10 +240,11 @@ fi
 sed -i -e '/^exclude = kernel/d' /etc/yum.conf
 
 # Location of files which contains list of protected files
-PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+mkdir -p /etc/qubes/protected-files.d
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 
 # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
-if ! grep -q "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
     if ! grep -q localhost /etc/hosts; then
       cat <<EOF > /etc/hosts
 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
@@ -254,7 +255,7 @@ fi
 
 # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
 # in the form expected by qubes-sysinit.sh
-if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
     for ip in '127\.0\.0\.1' '::1'; do
         if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
             sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts

vm-init.d/qubes-core

@@ -21,10 +21,10 @@ start()
 	chmod 0775 /var/run/qubes
 
 	# Location of files which contains list of protected files
-	PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+	PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 
 	# Set the hostname
-	if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+	if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 		name=$(/usr/bin/qubesdb-read /name)
 		if ! [ -f /etc/this-is-dvm ] ; then
 			# we don't want to set hostname for DispVM
@@ -36,7 +36,7 @@ start()
 	fi
 
 	# Set the timezone
-	if ! grep -q "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+	if ! grep -rq "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 		timezone=`/usr/bin/qubesdb-read /qubes-timezone 2> /dev/null`
 		if [ -n "$timezone" ]; then
 			ln -f /usr/share/zoneinfo/$timezone /etc/localtime

vm-systemd/qubes-sysinit.sh

@@ -11,7 +11,7 @@ QDB_READ=qubesdb-read
 QDB_LS=qubesdb-multiread
 
 # Location of files which contains list of protected files
-PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 
 read_service() {
     $QDB_READ /qubes-service/$1 2> /dev/null
@@ -70,7 +70,7 @@ for srv in `$QDB_LS /qubes-service/ 2>/dev/null |grep ' = 0'|cut -f 1 -d ' '`; d
 done
 
 # Set the hostname
-if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
     name=`$QDB_READ /name`
     if [ -n "$name" ]; then
         hostname $name
@@ -85,7 +85,7 @@ if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 fi
 
 # Set the timezone
-if ! grep -q "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+if ! grep -rq "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
     timezone=`$QDB_READ /qubes-timezone 2> /dev/null`
     if [ -n "$timezone" ]; then
         cp -p /usr/share/zoneinfo/$timezone /etc/localtime