From 240d35259f355fa8000b9b1a7662e3703dfa9a85 Mon Sep 17 00:00:00 2001 
From: Marek Marczykowski Date: Fri, 6 Jan 2012 21:31:12 +0100 Subject: [PATCH 01/14] vm(+dom0): major rearrage VM files in repo; merge core-*vm packages --- Makefile | 23 +- appvm/Makefile | 14 - appvm/iptables | 12 - appvm/qubes_timestamp | 2 - {common => misc}/.gitignore | 0 {common => misc}/Makefile | 0 {common => misc}/RPM-GPG-KEY-qubes-1-primary | 0 {common => misc}/block-snapshot | 0 {common => misc}/block_add_change | 0 {common => misc}/block_cleanup | 0 {common => misc}/block_remove | 0 {common => misc}/fstab | 0 {common => misc}/meminfo-writer.c | 0 {common => misc}/qubes.repo | 0 {appvm => misc}/qubes.sudoers | 0 {common => misc}/qubes_block.rules | 0 {common => misc}/qubes_core.modules | 0 .../qubes_download_dom0_updates.sh | 0 {common => misc}/qubes_memory.rules | 0 {common => misc}/qubes_serial_login | 0 .../qubes_trigger_sync_appmenus.action | 0 .../qubes_trigger_sync_appmenus.sh | 0 {common => misc}/serial.conf | 0 {common => misc}/xenstore-watch.c | 0 {appvm => misc}/xorg-preload-apps.conf | 0 netvm/fstab | 14 - {netvm => network}/30-qubes_external_ip | 0 {common => network}/iptables | 0 {netvm => network}/qubes.repo | 0 {proxyvm/bin => network}/qubes_firewall | 0 {common => network}/qubes_fix_nm_conf.sh | 0 {proxyvm/bin => network}/qubes_netwatcher | 0 {common => network}/qubes_network.rules | 0 {common => network}/qubes_nmhook | 0 {common => network}/qubes_setup_dnat_to_ns | 0 {common => network}/setup_ip | 0 {common => network}/vif-route-qubes | 0 {appvm => qubes_rpc}/.gitignore | 0 qubes_rpc/Makefile | 14 + {common => qubes_rpc}/copy_file.c | 0 {common => qubes_rpc}/crc32.c | 0 {common => qubes_rpc}/crc32.h | 0 {appvm => qubes_rpc}/dvm2.h | 0 {common => qubes_rpc}/filecopy.h | 0 {common => qubes_rpc}/gui-fatal.c | 0 {common => qubes_rpc}/gui-fatal.h | 0 {common => qubes_rpc}/ioall.c | 0 {common => qubes_rpc}/ioall.h | 0 {appvm => qubes_rpc}/qfile-agent.c | 0 {appvm => qubes_rpc}/qfile-unpacker.c | 0 {appvm => qubes_rpc}/qopen-in-vm.c | 0 {appvm 
=> qubes_rpc}/qrun-in-vm | 0 {appvm => qubes_rpc}/qubes.Filecopy | 0 {appvm => qubes_rpc}/qubes.Filecopy.policy | 0 {appvm => qubes_rpc}/qubes.OpenInVM | 0 {appvm => qubes_rpc}/qubes.OpenInVM.policy | 0 {appvm => qubes_rpc}/qubes.VMShell | 0 {appvm => qubes_rpc}/qubes.VMShell.policy | 0 {appvm => qubes_rpc}/qvm-copy-to-vm | 0 {appvm => qubes_rpc}/qvm-copy-to-vm.gnome | 0 {appvm => qubes_rpc}/qvm-copy-to-vm.kde | 0 {appvm => qubes_rpc}/qvm-copy.desktop | 0 {appvm => qubes_rpc}/qvm-dvm.desktop | 0 {appvm => qubes_rpc}/qvm-open-in-dvm | 0 {appvm => qubes_rpc}/qvm-open-in-vm | 0 {appvm => qubes_rpc}/qvm-run | 0 {common => qubes_rpc}/unpack.c | 0 {appvm => qubes_rpc}/vm-file-editor.c | 0 {appvm => qubes_rpc}/vm-shell | 0 {appvm => qubes_rpc}/wrap_in_html_if_url.sh | 0 rpm_spec/core-appvm.spec | 201 --------- rpm_spec/core-commonvm.spec | 266 ----------- rpm_spec/core-netvm.spec | 102 ----- rpm_spec/core-proxyvm.spec | 80 ---- rpm_spec/core-vm.spec | 417 ++++++++++++++++++ {common => vm-init.d}/qubes_core | 0 {appvm => vm-init.d}/qubes_core_appvm | 0 {netvm => vm-init.d}/qubes_core_netvm | 0 {proxyvm/init.d => vm-init.d}/qubes_firewall | 0 .../init.d => vm-init.d}/qubes_netwatcher | 0 80 files changed, 441 insertions(+), 704 deletions(-) delete mode 100644 appvm/Makefile delete mode 100644 appvm/iptables delete mode 100755 appvm/qubes_timestamp rename {common => misc}/.gitignore (100%) rename {common => misc}/Makefile (100%) rename {common => misc}/RPM-GPG-KEY-qubes-1-primary (100%) rename {common => misc}/block-snapshot (100%) rename {common => misc}/block_add_change (100%) rename {common => misc}/block_cleanup (100%) rename {common => misc}/block_remove (100%) rename {common => misc}/fstab (100%) rename {common => misc}/meminfo-writer.c (100%) rename {common => misc}/qubes.repo (100%) rename {appvm => misc}/qubes.sudoers (100%) rename {common => misc}/qubes_block.rules (100%) rename {common => misc}/qubes_core.modules (100%) rename {common => 
misc}/qubes_download_dom0_updates.sh (100%) rename {common => misc}/qubes_memory.rules (100%) rename {common => misc}/qubes_serial_login (100%) rename {common => misc}/qubes_trigger_sync_appmenus.action (100%) rename {common => misc}/qubes_trigger_sync_appmenus.sh (100%) rename {common => misc}/serial.conf (100%) rename {common => misc}/xenstore-watch.c (100%) rename {appvm => misc}/xorg-preload-apps.conf (100%) delete mode 100644 netvm/fstab rename {netvm => network}/30-qubes_external_ip (100%) rename {common => network}/iptables (100%) rename {netvm => network}/qubes.repo (100%) rename {proxyvm/bin => network}/qubes_firewall (100%) rename {common => network}/qubes_fix_nm_conf.sh (100%) rename {proxyvm/bin => network}/qubes_netwatcher (100%) rename {common => network}/qubes_network.rules (100%) rename {common => network}/qubes_nmhook (100%) rename {common => network}/qubes_setup_dnat_to_ns (100%) rename {common => network}/setup_ip (100%) rename {common => network}/vif-route-qubes (100%) rename {appvm => qubes_rpc}/.gitignore (100%) create mode 100644 qubes_rpc/Makefile rename {common => qubes_rpc}/copy_file.c (100%) rename {common => qubes_rpc}/crc32.c (100%) rename {common => qubes_rpc}/crc32.h (100%) rename {appvm => qubes_rpc}/dvm2.h (100%) rename {common => qubes_rpc}/filecopy.h (100%) rename {common => qubes_rpc}/gui-fatal.c (100%) rename {common => qubes_rpc}/gui-fatal.h (100%) rename {common => qubes_rpc}/ioall.c (100%) rename {common => qubes_rpc}/ioall.h (100%) rename {appvm => qubes_rpc}/qfile-agent.c (100%) rename {appvm => qubes_rpc}/qfile-unpacker.c (100%) rename {appvm => qubes_rpc}/qopen-in-vm.c (100%) rename {appvm => qubes_rpc}/qrun-in-vm (100%) rename {appvm => qubes_rpc}/qubes.Filecopy (100%) rename {appvm => qubes_rpc}/qubes.Filecopy.policy (100%) rename {appvm => qubes_rpc}/qubes.OpenInVM (100%) rename {appvm => qubes_rpc}/qubes.OpenInVM.policy (100%) rename {appvm => qubes_rpc}/qubes.VMShell (100%) rename {appvm => 
qubes_rpc}/qubes.VMShell.policy (100%) rename {appvm => qubes_rpc}/qvm-copy-to-vm (100%) rename {appvm => qubes_rpc}/qvm-copy-to-vm.gnome (100%) rename {appvm => qubes_rpc}/qvm-copy-to-vm.kde (100%) rename {appvm => qubes_rpc}/qvm-copy.desktop (100%) rename {appvm => qubes_rpc}/qvm-dvm.desktop (100%) rename {appvm => qubes_rpc}/qvm-open-in-dvm (100%) rename {appvm => qubes_rpc}/qvm-open-in-vm (100%) rename {appvm => qubes_rpc}/qvm-run (100%) rename {common => qubes_rpc}/unpack.c (100%) rename {appvm => qubes_rpc}/vm-file-editor.c (100%) rename {appvm => qubes_rpc}/vm-shell (100%) rename {appvm => qubes_rpc}/wrap_in_html_if_url.sh (100%) delete mode 100644 rpm_spec/core-appvm.spec delete mode 100644 rpm_spec/core-commonvm.spec delete mode 100644 rpm_spec/core-netvm.spec delete mode 100644 rpm_spec/core-proxyvm.spec create mode 100644 rpm_spec/core-vm.spec rename {common => vm-init.d}/qubes_core (100%) rename {appvm => vm-init.d}/qubes_core_appvm (100%) rename {netvm => vm-init.d}/qubes_core_netvm (100%) rename {proxyvm/init.d => vm-init.d}/qubes_firewall (100%) rename {proxyvm/init.d => vm-init.d}/qubes_netwatcher (100%) diff --git a/Makefile b/Makefile index 1ad0b26..6d94dde 100644 --- a/Makefile +++ b/Makefile @@ -13,14 +13,11 @@ help: @echo "make clean -- cleanup" rpms: - rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-commonvm.spec - rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-appvm.spec - rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-netvm.spec - rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-proxyvm.spec + rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-vm.spec rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-dom0.spec rpm --addsign \ $(RPMS_DIR)/x86_64/qubes-core-dom0-$(VERSION_DOM0)*.rpm \ - $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*.rpm + $(RPMS_DIR)/x86_64/qubes-core-vm-*$(VERSION_VM)*.rpm rpms-vaio-fixes: rpmbuild --define "_rpmdir $(RPMS_DIR)" -bb rpm_spec/core-dom0-vaio-fixes.spec 
@@ -31,7 +28,7 @@ update-repo-current: ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-vaio-fixes-$(VERSION_VAIO_FIXES)*fc13*.rpm ../yum/current-release/current/dom0/rpm/ for vmrepo in ../yum/current-release/current/vm/* ; do \ dist=$$(basename $$vmrepo) ;\ - ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*$$dist*.rpm $$vmrepo/rpm/ ;\ + ln -f $(RPMS_DIR)/x86_64/qubes-core-vm-*$(VERSION_VM)*$$dist*.rpm $$vmrepo/rpm/ ;\ done update-repo-current-testing: @@ -39,7 +36,7 @@ update-repo-current-testing: ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-vaio-fixes-$(VERSION_VAIO_FIXES)*fc13*.rpm ../yum/current-release/current-testing/dom0/rpm/ for vmrepo in ../yum/current-release/current-testing/vm/* ; do \ dist=$$(basename $$vmrepo) ;\ - ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*$$dist*.rpm $$vmrepo/rpm/ ;\ + ln -f $(RPMS_DIR)/x86_64/qubes-core-vm-*$(VERSION_VM)*$$dist*.rpm $$vmrepo/rpm/ ;\ done update-repo-unstable: @@ -47,17 +44,17 @@ update-repo-unstable: ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-vaio-fixes-$(VERSION_VAIO_FIXES)*fc13*.rpm ../yum/current-release/unstable/dom0/rpm/ for vmrepo in ../yum/current-release/unstable/vm/* ; do \ dist=$$(basename $$vmrepo) ;\ - ln -f $(RPMS_DIR)/x86_64/qubes-core-*vm-*$(VERSION_VM)*$$dist*.rpm $$vmrepo/rpm/ ;\ + ln -f $(RPMS_DIR)/x86_64/qubes-core-vm-*$(VERSION_VM)*$$dist*.rpm $$vmrepo/rpm/ ;\ done update-repo-installer: ln -f $(RPMS_DIR)/x86_64/qubes-core-dom0-*$(VERSION_DOM0)*fc13*.rpm ../installer/yum/qubes-dom0/rpm/ clean: - (cd appvm && make clean) - (cd dom0/restore && make clean) - (cd dom0/qmemman && make clean) - (cd common && make clean) - (cd u2mfn && make clean) + make -C dom0/qmemman clean + make -C dom0/restore clean + make -C misc clean + make -C network clean make -C qrexec clean + make -C u2mfn clean make -C vchan clean diff --git a/appvm/Makefile b/appvm/Makefile deleted file mode 100644 index 42bb636..0000000 --- a/appvm/Makefile +++ /dev/null 
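Review bot: The rewritten `clean` target in the last hunk never descends into `qubes_rpc`, although this same commit creates `qubes_rpc/Makefile` with its own `clean` rule for `qfile-agent`, `qfile-unpacker`, `qopen-in-vm` and `vm-file-editor`; the removed `(cd appvm && make clean)` used to cover exactly those objects, so after this change a top-level `make clean` leaves those `.o` files and binaries behind. Add `make -C qubes_rpc clean` next to `make -C qrexec clean`. The diffstat also lists no Makefile under `network/`, so `make -C network clean` will presumably fail and abort the target before `qrexec`, `u2mfn` and `vchan` are cleaned; confirm that directory really has a Makefile or drop that line.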
@@ -1,14 +0,0 @@
-CC=gcc
-CFLAGS=-g -Wall -I../common -fPIC -pie
-all: vm-file-editor qopen-in-vm qfile-agent qfile-unpacker
-vm-file-editor: vm-file-editor.o ../common/ioall.o
- $(CC) -pie -g -o $@ $^
-qopen-in-vm: qopen-in-vm.o ../common/ioall.o ../common/gui-fatal.o
- $(CC) -pie -g -o $@ $^
-qfile-agent: qfile-agent.o ../common/ioall.o ../common/gui-fatal.o ../common/copy_file.o ../common/crc32.o
- $(CC) -pie -g -o $@ $^
-qfile-unpacker: qfile-unpacker.o ../common/ioall.o ../common/gui-fatal.o ../common/copy_file.o ../common/unpack.o ../common/crc32.o
- $(CC) -pie -g -o $@ $^
-
-clean:
- rm -f qopen-in-vm qfile-agent qfile-unpacker vm-file-editor *.o *~
diff --git a/appvm/iptables b/appvm/iptables
deleted file mode 100644
index 77ad30c..0000000
--- a/appvm/iptables
+++ /dev/null
@@ -1,12 +0,0 @@
-# Firewall configuration written by system-config-firewall
-# Manual customization of this file is not recommended.
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -i lo -j ACCEPT
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
diff --git a/appvm/qubes_timestamp b/appvm/qubes_timestamp
deleted file mode 100755
index fc3d8d7..0000000
--- a/appvm/qubes_timestamp
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-exec xenstore-write device/qubes_timestamp $(date +%s.%N)
diff --git a/common/.gitignore b/misc/.gitignore
similarity index 100%
rename from common/.gitignore
rename to misc/.gitignore
diff --git a/common/Makefile b/misc/Makefile
similarity index 100%
rename from common/Makefile
rename to misc/Makefile
diff --git a/common/RPM-GPG-KEY-qubes-1-primary b/misc/RPM-GPG-KEY-qubes-1-primary
similarity index 100%
rename from common/RPM-GPG-KEY-qubes-1-primary
rename to misc/RPM-GPG-KEY-qubes-1-primary
diff --git a/common/block-snapshot b/misc/block-snapshot
similarity index 100%
rename from common/block-snapshot
rename to misc/block-snapshot
diff --git a/common/block_add_change b/misc/block_add_change
similarity index 100%
rename from common/block_add_change
rename to misc/block_add_change
diff --git a/common/block_cleanup b/misc/block_cleanup
similarity index 100%
rename from common/block_cleanup
rename to misc/block_cleanup
diff --git a/common/block_remove b/misc/block_remove
similarity index 100%
rename from common/block_remove
rename to misc/block_remove
diff --git a/common/fstab b/misc/fstab
similarity index 100%
rename from common/fstab
rename to misc/fstab
diff --git a/common/meminfo-writer.c b/misc/meminfo-writer.c
similarity index 100%
rename from common/meminfo-writer.c
rename to misc/meminfo-writer.c
diff --git a/common/qubes.repo b/misc/qubes.repo
similarity index 100%
rename from common/qubes.repo
rename to misc/qubes.repo
diff --git a/appvm/qubes.sudoers b/misc/qubes.sudoers
similarity index 100%
rename from appvm/qubes.sudoers
rename to misc/qubes.sudoers
diff --git a/common/qubes_block.rules b/misc/qubes_block.rules
similarity index 100%
rename from common/qubes_block.rules
rename to misc/qubes_block.rules
diff --git a/common/qubes_core.modules b/misc/qubes_core.modules
similarity index 100%
rename from common/qubes_core.modules
rename to misc/qubes_core.modules
diff --git a/common/qubes_download_dom0_updates.sh b/misc/qubes_download_dom0_updates.sh
similarity index 100%
rename from common/qubes_download_dom0_updates.sh
rename to misc/qubes_download_dom0_updates.sh
diff --git a/common/qubes_memory.rules b/misc/qubes_memory.rules
similarity index 100%
rename from common/qubes_memory.rules
rename to misc/qubes_memory.rules
diff --git a/common/qubes_serial_login b/misc/qubes_serial_login
similarity index 100%
rename from common/qubes_serial_login
rename to misc/qubes_serial_login
diff --git a/common/qubes_trigger_sync_appmenus.action b/misc/qubes_trigger_sync_appmenus.action
similarity index 100%
rename from common/qubes_trigger_sync_appmenus.action
rename to misc/qubes_trigger_sync_appmenus.action
diff --git a/common/qubes_trigger_sync_appmenus.sh b/misc/qubes_trigger_sync_appmenus.sh
similarity index 100%
rename from common/qubes_trigger_sync_appmenus.sh
rename to misc/qubes_trigger_sync_appmenus.sh
diff --git a/common/serial.conf b/misc/serial.conf
similarity index 100%
rename from common/serial.conf
rename to misc/serial.conf
diff --git a/common/xenstore-watch.c b/misc/xenstore-watch.c
similarity index 100%
rename from common/xenstore-watch.c
rename to misc/xenstore-watch.c
diff --git a/appvm/xorg-preload-apps.conf b/misc/xorg-preload-apps.conf
similarity index 100%
rename from appvm/xorg-preload-apps.conf
rename to misc/xorg-preload-apps.conf
diff --git a/netvm/fstab b/netvm/fstab
deleted file mode 100644
index 403b0d5..0000000
--- a/netvm/fstab
+++ /dev/null
@@ -1,14 +0,0 @@
-
-#
-# /etc/fstab
-# Created by anaconda on Thu Dec 3 11:26:49 2009
-#
-# Accessible filesystems, by reference, are maintained under '/dev/disk'
-# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
-#
-/dev/mapper/dmroot / ext4 defaults,noatime 1 1
-/dev/mapper/dmswap swap swap defaults 0 0
-tmpfs /dev/shm tmpfs defaults 0 0
-devpts /dev/pts devpts gid=5,mode=620 0 0
-sysfs /sys sysfs defaults 0 0
-proc /proc proc defaults 0 0
diff --git a/netvm/30-qubes_external_ip b/network/30-qubes_external_ip
similarity index 100%
rename from netvm/30-qubes_external_ip
rename to network/30-qubes_external_ip
diff --git a/common/iptables b/network/iptables
similarity index 100%
rename from common/iptables
rename to network/iptables
diff --git a/netvm/qubes.repo b/network/qubes.repo
similarity index 100%
rename from netvm/qubes.repo
rename to network/qubes.repo
diff --git a/proxyvm/bin/qubes_firewall b/network/qubes_firewall
similarity index 100%
rename from proxyvm/bin/qubes_firewall
rename to network/qubes_firewall
diff --git a/common/qubes_fix_nm_conf.sh b/network/qubes_fix_nm_conf.sh
similarity index 100%
rename from common/qubes_fix_nm_conf.sh
rename to network/qubes_fix_nm_conf.sh
diff --git a/proxyvm/bin/qubes_netwatcher b/network/qubes_netwatcher
similarity index 100%
rename from proxyvm/bin/qubes_netwatcher
rename to network/qubes_netwatcher
diff --git a/common/qubes_network.rules b/network/qubes_network.rules
similarity index 100%
rename from common/qubes_network.rules
rename to network/qubes_network.rules
diff --git a/common/qubes_nmhook b/network/qubes_nmhook
similarity index 100%
rename from common/qubes_nmhook
rename to network/qubes_nmhook
diff --git a/common/qubes_setup_dnat_to_ns b/network/qubes_setup_dnat_to_ns
similarity index 100%
rename from common/qubes_setup_dnat_to_ns
rename to network/qubes_setup_dnat_to_ns
diff --git a/common/setup_ip b/network/setup_ip
similarity index 100%
rename from common/setup_ip
rename to network/setup_ip
diff --git a/common/vif-route-qubes b/network/vif-route-qubes
similarity index 100%
rename from common/vif-route-qubes
rename to network/vif-route-qubes
diff --git a/appvm/.gitignore b/qubes_rpc/.gitignore
similarity index 100%
rename from appvm/.gitignore
rename to qubes_rpc/.gitignore
diff --git a/qubes_rpc/Makefile b/qubes_rpc/Makefile
new file mode 100644
index 0000000..a592d1c
--- /dev/null
+++ b/qubes_rpc/Makefile
@@ -0,0 +1,14 @@
+CC=gcc
+CFLAGS=-g -Wall -I. -fPIC -pie
+all: vm-file-editor qopen-in-vm qfile-agent qfile-unpacker
+vm-file-editor: vm-file-editor.o ioall.o
+ $(CC) -pie -g -o $@ $^
+qopen-in-vm: qopen-in-vm.o ioall.o gui-fatal.o
+ $(CC) -pie -g -o $@ $^
+qfile-agent: qfile-agent.o ioall.o gui-fatal.o copy_file.o crc32.o
+ $(CC) -pie -g -o $@ $^
+qfile-unpacker: qfile-unpacker.o ioall.o gui-fatal.o copy_file.o unpack.o crc32.o
+ $(CC) -pie -g -o $@ $^
+
+clean:
+ rm -f qopen-in-vm qfile-agent qfile-unpacker vm-file-editor *.o *~
diff --git a/common/copy_file.c b/qubes_rpc/copy_file.c
similarity index 100%
rename from common/copy_file.c
rename to qubes_rpc/copy_file.c
diff --git a/common/crc32.c b/qubes_rpc/crc32.c
similarity index 100%
rename from common/crc32.c
rename to qubes_rpc/crc32.c
diff --git a/common/crc32.h b/qubes_rpc/crc32.h
similarity index 100%
rename from common/crc32.h
rename to qubes_rpc/crc32.h
diff --git a/appvm/dvm2.h b/qubes_rpc/dvm2.h
similarity index 100%
rename from appvm/dvm2.h
rename to qubes_rpc/dvm2.h
diff --git a/common/filecopy.h b/qubes_rpc/filecopy.h
similarity index 100%
rename from common/filecopy.h
rename to qubes_rpc/filecopy.h
diff --git a/common/gui-fatal.c b/qubes_rpc/gui-fatal.c
similarity index 100%
rename from common/gui-fatal.c
rename to qubes_rpc/gui-fatal.c
diff --git a/common/gui-fatal.h b/qubes_rpc/gui-fatal.h
similarity index 100%
rename from common/gui-fatal.h
rename to qubes_rpc/gui-fatal.h
diff --git a/common/ioall.c b/qubes_rpc/ioall.c
similarity index 100%
rename from common/ioall.c
rename to qubes_rpc/ioall.c
diff --git a/common/ioall.h b/qubes_rpc/ioall.h
similarity index 100%
rename from common/ioall.h
rename to qubes_rpc/ioall.h
diff --git a/appvm/qfile-agent.c b/qubes_rpc/qfile-agent.c
similarity index 100%
rename from appvm/qfile-agent.c
rename to qubes_rpc/qfile-agent.c
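Review bot: The new `qubes_rpc/Makefile` builds `qfile-agent`, `qfile-unpacker`, `qopen-in-vm` and `vm-file-editor` with nothing but `-g -Wall -fPIC -pie`: no optimisation, no stack protector, no `_FORTIFY_SOURCE`, and no RELRO/BIND_NOW on the four link lines, yet these are the binaries behind the `qubes.Filecopy`/`qubes.OpenInVM` services moved in this same commit, which presumably parse data sent by another VM and are exactly where hardening should be on by default. Change the flags to `CFLAGS=-g -O2 -Wall -I. -fPIE -fstack-protector -D_FORTIFY_SOURCE=2` and `LDFLAGS=-pie -Wl,-z,relro,-z,now`, and make each link rule `$(CC) $(LDFLAGS) -g -o $@ $^`. `_FORTIFY_SOURCE` only does anything when optimisation is enabled, which is why `-O2` has to go in alongside it. The objects also have no header dependencies listed, so editing `filecopy.h` or `ioall.h` will not trigger a rebuild; a `*.o: *.h` line or `-MMD` would close that gap.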
diff --git a/appvm/qfile-unpacker.c b/qubes_rpc/qfile-unpacker.c
similarity index 100%
rename from appvm/qfile-unpacker.c
rename to qubes_rpc/qfile-unpacker.c
diff --git a/appvm/qopen-in-vm.c b/qubes_rpc/qopen-in-vm.c
similarity index 100%
rename from appvm/qopen-in-vm.c
rename to qubes_rpc/qopen-in-vm.c
diff --git a/appvm/qrun-in-vm b/qubes_rpc/qrun-in-vm
similarity index 100%
rename from appvm/qrun-in-vm
rename to qubes_rpc/qrun-in-vm
diff --git a/appvm/qubes.Filecopy b/qubes_rpc/qubes.Filecopy
similarity index 100%
rename from appvm/qubes.Filecopy
rename to qubes_rpc/qubes.Filecopy
diff --git a/appvm/qubes.Filecopy.policy b/qubes_rpc/qubes.Filecopy.policy
similarity index 100%
rename from appvm/qubes.Filecopy.policy
rename to qubes_rpc/qubes.Filecopy.policy
diff --git a/appvm/qubes.OpenInVM b/qubes_rpc/qubes.OpenInVM
similarity index 100%
rename from appvm/qubes.OpenInVM
rename to qubes_rpc/qubes.OpenInVM
diff --git a/appvm/qubes.OpenInVM.policy b/qubes_rpc/qubes.OpenInVM.policy
similarity index 100%
rename from appvm/qubes.OpenInVM.policy
rename to qubes_rpc/qubes.OpenInVM.policy
diff --git a/appvm/qubes.VMShell b/qubes_rpc/qubes.VMShell
similarity index 100%
rename from appvm/qubes.VMShell
rename to qubes_rpc/qubes.VMShell
diff --git a/appvm/qubes.VMShell.policy b/qubes_rpc/qubes.VMShell.policy
similarity index 100%
rename from appvm/qubes.VMShell.policy
rename to qubes_rpc/qubes.VMShell.policy
diff --git a/appvm/qvm-copy-to-vm b/qubes_rpc/qvm-copy-to-vm
similarity index 100%
rename from appvm/qvm-copy-to-vm
rename to qubes_rpc/qvm-copy-to-vm
diff --git a/appvm/qvm-copy-to-vm.gnome b/qubes_rpc/qvm-copy-to-vm.gnome
similarity index 100%
rename from appvm/qvm-copy-to-vm.gnome
rename to qubes_rpc/qvm-copy-to-vm.gnome
diff --git a/appvm/qvm-copy-to-vm.kde b/qubes_rpc/qvm-copy-to-vm.kde
similarity index 100%
rename from appvm/qvm-copy-to-vm.kde
rename to qubes_rpc/qvm-copy-to-vm.kde
diff --git a/appvm/qvm-copy.desktop b/qubes_rpc/qvm-copy.desktop
similarity index 100%
rename from appvm/qvm-copy.desktop
rename to qubes_rpc/qvm-copy.desktop
diff --git a/appvm/qvm-dvm.desktop b/qubes_rpc/qvm-dvm.desktop
similarity index 100%
rename from appvm/qvm-dvm.desktop
rename to qubes_rpc/qvm-dvm.desktop
diff --git a/appvm/qvm-open-in-dvm b/qubes_rpc/qvm-open-in-dvm
similarity index 100%
rename from appvm/qvm-open-in-dvm
rename to qubes_rpc/qvm-open-in-dvm
diff --git a/appvm/qvm-open-in-vm b/qubes_rpc/qvm-open-in-vm
similarity index 100%
rename from appvm/qvm-open-in-vm
rename to qubes_rpc/qvm-open-in-vm
diff --git a/appvm/qvm-run b/qubes_rpc/qvm-run
similarity index 100%
rename from appvm/qvm-run
rename to qubes_rpc/qvm-run
diff --git a/common/unpack.c b/qubes_rpc/unpack.c
similarity index 100%
rename from common/unpack.c
rename to qubes_rpc/unpack.c
diff --git a/appvm/vm-file-editor.c b/qubes_rpc/vm-file-editor.c
similarity index 100%
rename from appvm/vm-file-editor.c
rename to qubes_rpc/vm-file-editor.c
diff --git a/appvm/vm-shell b/qubes_rpc/vm-shell
similarity index 100%
rename from appvm/vm-shell
rename to qubes_rpc/vm-shell
diff --git a/appvm/wrap_in_html_if_url.sh b/qubes_rpc/wrap_in_html_if_url.sh
similarity index 100%
rename from appvm/wrap_in_html_if_url.sh
rename to qubes_rpc/wrap_in_html_if_url.sh
diff --git a/rpm_spec/core-appvm.spec b/rpm_spec/core-appvm.spec
deleted file mode 100644
index 4fbfbed..0000000
--- a/rpm_spec/core-appvm.spec
+++ /dev/null
@@ -1,201 +0,0 @@
-#
-# The Qubes OS Project, http://www.qubes-os.org
-#
-# Copyright (C) 2010 Joanna Rutkowska
-# Copyright (C) 2010 Rafal Wojtczuk
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-#
-#
-
-%{!?version: %define version %(cat version_vm)}
-
-Name: qubes-core-appvm
-Version: %{version}
-Release: 1%{dist}
-Summary: The Qubes core files for AppVM
-
-Group: Qubes
-Vendor: Invisible Things Lab
-License: GPL
-URL: http://www.qubes-os.org
-Requires: /usr/bin/xenstore-read
-Requires: fedora-release
-Requires: /usr/bin/mimeopen
-Requires: qubes-core-commonvm
-BuildRequires: gcc
-BuildRequires: xen-devel
-Provides: qubes-core-vm
-
-%define _builddir %(pwd)/appvm
-
-%define kde_service_dir /usr/share/kde4/services/ServiceMenus
-
-%description
-The Qubes core files for installation inside a Qubes AppVM.
-
-%pre
-
-if [ "$1" != 1 ] ; then
-# do this whole %pre thing only when updating for the first time...
-exit 0
-fi
-
-adduser --create-home user
-su user -c 'mkdir -p /home/user/.local/share'
-su user -c 'mkdir -p /home/user/.gnome2/nautilus-scripts'
-su user -c 'ln -s /usr/lib/qubes/qvm-copy-to-vm.gnome /home/user/.gnome2/nautilus-scripts/"Copy to other AppVM"'
-su user -c 'ln -s /usr/bin/qvm-open-in-dvm /home/user/.gnome2/nautilus-scripts/"Open in DisposableVM"'
-su user -c 'touch /home/user/.gnome2/nautilus-scripts/.scripts_created'
-su user -c 'touch /home/user/.gnome2/nautilus-scripts/.scripts_created2'
-
-
-mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
-
-%build
-make clean all
-make -C ../common
-make -C ../u2mfn
-make -C ../vchan
-make -C ../qrexec
-
-%install
-
-mkdir -p $RPM_BUILD_ROOT/etc/init.d
-cp qubes_core_appvm $RPM_BUILD_ROOT/etc/init.d/
-mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
-mkdir -p $RPM_BUILD_ROOT/usr/bin
-cp qubes_timestamp qvm-open-in-dvm $RPM_BUILD_ROOT/usr/bin
-cp qvm-open-in-vm $RPM_BUILD_ROOT/usr/bin
-cp qvm-copy-to-vm $RPM_BUILD_ROOT/usr/bin
-cp qvm-run $RPM_BUILD_ROOT/usr/bin
-mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes
-cp wrap_in_html_if_url.sh $RPM_BUILD_ROOT/usr/lib/qubes
-cp qvm-copy-to-vm.kde $RPM_BUILD_ROOT/usr/lib/qubes
-cp qvm-copy-to-vm.gnome $RPM_BUILD_ROOT/usr/lib/qubes
-cp ../qrexec/qrexec_agent $RPM_BUILD_ROOT/usr/lib/qubes
-cp ../qrexec/qrexec_client_vm $RPM_BUILD_ROOT/usr/lib/qubes
-cp ../qrexec/qubes_rpc_multiplexer $RPM_BUILD_ROOT/usr/lib/qubes
-cp vm-file-editor qfile-agent qopen-in-vm qfile-unpacker $RPM_BUILD_ROOT/usr/lib/qubes
-cp vm-shell qrun-in-vm $RPM_BUILD_ROOT/usr/lib/qubes
-cp ../common/meminfo-writer $RPM_BUILD_ROOT/usr/lib/qubes
-mkdir -p $RPM_BUILD_ROOT/%{kde_service_dir}
-cp qvm-copy.desktop qvm-dvm.desktop $RPM_BUILD_ROOT/%{kde_service_dir}
-mkdir -p $RPM_BUILD_ROOT/mnt/removable
-mkdir -p $RPM_BUILD_ROOT/etc/qubes_rpc
-cp qubes.Filecopy $RPM_BUILD_ROOT/etc/qubes_rpc
-cp qubes.OpenInVM $RPM_BUILD_ROOT/etc/qubes_rpc
-cp qubes.VMShell $RPM_BUILD_ROOT/etc/qubes_rpc
-mkdir -p $RPM_BUILD_ROOT/var/lib/qubes/dom0-updates
-
-mkdir -p $RPM_BUILD_ROOT/etc/X11
-cp xorg-preload-apps.conf $RPM_BUILD_ROOT/etc/X11
-
-mkdir -p $RPM_BUILD_ROOT/home_volatile/user
-
-install -D ../vchan/libvchan.h $RPM_BUILD_ROOT/usr/include/libvchan.h
-install -D ../u2mfn/u2mfnlib.h $RPM_BUILD_ROOT/usr/include/u2mfnlib.h
-install -D ../u2mfn/u2mfn-kernel.h $RPM_BUILD_ROOT/usr/include/u2mfn-kernel.h
-
-install -D ../vchan/libvchan.so $RPM_BUILD_ROOT/%{_libdir}/libvchan.so
-install -D ../u2mfn/libu2mfn.so $RPM_BUILD_ROOT/%{_libdir}/libu2mfn.so
-
-install -d $RPM_BUILD_ROOT/etc/sudoers.d
-install -m 0440 qubes.sudoers $RPM_BUILD_ROOT/etc/sudoers.d/qubes
-
-mkdir -p $RPM_BUILD_ROOT/var/run/qubes
-
-%triggerin -- initscripts
-cp /var/lib/qubes/serial.conf /etc/init/serial.conf
-
-%post
-
-chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!"
-chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!"
-
-if [ "$1" != 1 ] ; then
-# do this whole %post thing only when updating for the first time...
-exit 0
-fi
-
-usermod -L user
-
-%preun
-if [ "$1" = 0 ] ; then
- # no more packages left
- chkconfig qubes_core_appvm off
-fi
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%files
-%defattr(-,root,root,-)
-/etc/init.d/qubes_core_appvm
-/usr/bin/qvm-copy-to-vm
-/usr/lib/qubes/qvm-copy-to-vm.kde
-/usr/lib/qubes/qvm-copy-to-vm.gnome
-/usr/bin/qvm-open-in-dvm
-/usr/bin/qvm-open-in-vm
-/usr/bin/qvm-run
-/usr/lib/qubes/meminfo-writer
-/usr/lib/qubes/vm-file-editor
-%{kde_service_dir}/qvm-copy.desktop
-%{kde_service_dir}/qvm-dvm.desktop
-/usr/lib/qubes/qrexec_agent
-/usr/lib/qubes/qrexec_client_vm
-/usr/lib/qubes/qubes_rpc_multiplexer
-/usr/lib/qubes/qfile-agent
-/usr/lib/qubes/qopen-in-vm
-/usr/lib/qubes/qfile-unpacker
-/usr/lib/qubes/vm-shell
-/usr/lib/qubes/qrun-in-vm
-/usr/lib/qubes/wrap_in_html_if_url.sh
-%dir /mnt/removable
-%dir /etc/qubes_rpc
-/etc/qubes_rpc/qubes.Filecopy
-/etc/qubes_rpc/qubes.OpenInVM
-/etc/qubes_rpc/qubes.VMShell
-/usr/bin/qubes_timestamp
-%dir /home_volatile
-%attr(700,user,user) /home_volatile/user
-/etc/X11/xorg-preload-apps.conf
-%dir /var/run/qubes
-%dir %attr(0775,user,user) /var/lib/qubes/dom0-updates
-/etc/sudoers.d/qubes
-
-%package devel
-Summary: Include files for qubes core libraries
-License: GPL v2 only
-Group: Development/Sources
-
-%description devel
-
-%files devel
-/usr/include/libvchan.h
-/usr/include/u2mfnlib.h
-/usr/include/u2mfn-kernel.h
-
-%package libs
-Summary: Qubes core libraries
-License: GPL v2 only
-Group: Development/Sources
-
-%description libs
-
-%files libs
-%{_libdir}/libvchan.so
-%{_libdir}/libu2mfn.so
-
diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec
deleted file mode 100644
index b6d51ac..0000000
--- a/rpm_spec/core-commonvm.spec
+++ /dev/null
@@ -1,266 +0,0 @@ -# -# The Qubes OS Project, http://www.qubes-os.org -# -# Copyright (C) 2010 Joanna Rutkowska -# Copyright (C) 2010 Rafal Wojtczuk -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# -# - -%{!?version: %define version %(cat version_vm)} - -Name: qubes-core-commonvm -Version: %{version} -Release: 1%{dist} -Summary: The Qubes core files for any VM - -Group: Qubes -Vendor: Invisible Things Lab -License: GPL -URL: http://www.qubes-os.org -Requires: /usr/bin/xenstore-read -Requires: fedora-release -Requires: yum-plugin-post-transaction-actions -BuildRequires: xen-devel - -%define _builddir %(pwd)/common - -%description -The Qubes core files for installation inside a Qubes VM. - -%build -make - -%pre - -if [ "$1" != 1 ] ; then -# do this whole %pre thing only when updating for the first time... 
-exit 0 -fi - -mkdir -p $RPM_BUILD_ROOT/var/lib/qubes -if [ -e $RPM_BUILD_ROOT/etc/fstab ] ; then -mv $RPM_BUILD_ROOT/etc/fstab $RPM_BUILD_ROOT/var/lib/qubes/fstab.orig -fi - -%install - -mkdir -p $RPM_BUILD_ROOT/etc -cp fstab $RPM_BUILD_ROOT/etc/fstab -mkdir -p $RPM_BUILD_ROOT/etc/init.d -cp qubes_core $RPM_BUILD_ROOT/etc/init.d/ -mkdir -p $RPM_BUILD_ROOT/var/lib/qubes -mkdir -p $RPM_BUILD_ROOT/etc/sysconfig -cp iptables $RPM_BUILD_ROOT/etc/sysconfig/ -mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d -cp qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d -install -d -m 755 $RPM_BUILD_ROOT/etc/pki/rpm-gpg -install -m 644 RPM-GPG-KEY-qubes* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/ -mkdir -p $RPM_BUILD_ROOT/sbin -cp qubes_serial_login $RPM_BUILD_ROOT/sbin -mkdir -p $RPM_BUILD_ROOT/usr/bin -cp xenstore-watch $RPM_BUILD_ROOT/usr/bin/xenstore-watch-qubes -mkdir -p $RPM_BUILD_ROOT/etc -cp serial.conf $RPM_BUILD_ROOT/var/lib/qubes/ -mkdir -p $RPM_BUILD_ROOT/etc/udev/rules.d -cp qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules -cp qubes_memory.rules $RPM_BUILD_ROOT/etc/udev/rules.d/50-qubes_memory.rules -cp qubes_block.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_block.rules -mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes/ -cp setup_ip $RPM_BUILD_ROOT/usr/lib/qubes/ -cp qubes_download_dom0_updates.sh $RPM_BUILD_ROOT/usr/lib/qubes/ -cp block_add_change $RPM_BUILD_ROOT/usr/lib/qubes/ -cp block_remove $RPM_BUILD_ROOT/usr/lib/qubes/ -cp block_cleanup $RPM_BUILD_ROOT/usr/lib/qubes/ -mkdir -p $RPM_BUILD_ROOT/etc/yum/post-actions -cp qubes_trigger_sync_appmenus.action $RPM_BUILD_ROOT/etc/yum/post-actions/ -mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes -cp qubes_trigger_sync_appmenus.sh $RPM_BUILD_ROOT/usr/lib/qubes/ - -install -D qubes_core.modules $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes_core.modules - -mkdir -p $RPM_BUILD_ROOT/lib/firmware -ln -s /lib/modules/firmware $RPM_BUILD_ROOT/lib/firmware/updates - -%triggerin -- initscripts -cp /var/lib/qubes/serial.conf 
/etc/init/serial.conf - -%post - -# disable some Upstart services -for F in plymouth-shutdown prefdm splash-manager start-ttys tty ; do - if [ -e /etc/init/$F.conf ]; then - mv -f /etc/init/$F.conf /etc/init/$F.conf.disabled - fi -done - -remove_ShowIn () { - if [ -e /etc/xdg/autostart/$1.desktop ]; then - sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/$1.desktop - fi -} - -# don't want it at all -for F in abrt-applet deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto ; do - if [ -e /etc/xdg/autostart/$F.desktop ]; then - remove_ShowIn $F - echo 'NotShowIn=QUBES' >> /etc/xdg/autostart/$F.desktop - fi -done - -# don't want it in DisposableVM -for F in gcm-apply ; do - if [ -e /etc/xdg/autostart/$F.desktop ]; then - remove_ShowIn $F - echo 'NotShowIn=DisposableVM' >> /etc/xdg/autostart/$F.desktop - fi -done - -# want it in AppVM only -for F in gnome-keyring-gpg gnome-keyring-pkcs11 gnome-keyring-secrets gnome-keyring-ssh gnome-settings-daemon user-dirs-update-gtk gsettings-data-convert ; do - if [ -e /etc/xdg/autostart/$F.desktop ]; then - remove_ShowIn $F - echo 'OnlyShowIn=GNOME;AppVM;' >> /etc/xdg/autostart/$F.desktop - fi -done - -# remove existing rule to add own later -for F in gpk-update-icon nm-applet ; do - remove_ShowIn $F -done - -echo 'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || : -echo 'OnlyShowIn=GNOME;NetVM;' >> /etc/xdg/autostart/nm-applet.desktop || : - -usermod -p '' root - -# Prevent unnecessary updates in VMs: -sed -i -e '/^exclude = kernel/d' /etc/yum.conf -echo 'exclude = kernel, xorg-x11-drv-*, xorg-x11-drivers, xorg-x11-server-*' >> /etc/yum.conf - -if [ "$1" != 1 ] ; then -# do this whole %post thing only when updating for the first time... -exit 0 -fi - -if ! [ -f /var/lib/qubes/serial.orig ] ; then - cp /etc/init/serial.conf /var/lib/qubes/serial.orig -fi - -#echo "--> Disabling SELinux..." 
-sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed -mv /etc/selinux/config.processed /etc/selinux/config -setenforce 0 2>/dev/null - -#echo "--> Turning off unnecessary services..." -# FIXME: perhaps there is more elegant way to do this? -for f in /etc/init.d/* -do - srv=`basename $f` - [ $srv = 'functions' ] && continue - [ $srv = 'killall' ] && continue - [ $srv = 'halt' ] && continue - [ $srv = 'single' ] && continue - [ $srv = 'reboot' ] && continue - [ $srv = 'qubes_gui' ] && continue - chkconfig $srv off -done - -[ -x /bin/systemctl ] && /bin/systemctl disable NetworkManager.service -[ -x /bin/systemctl ] && /bin/systemctl disable crond.service - -#echo "--> Enabling essential services..." -chkconfig rsyslog on -chkconfig haldaemon on -chkconfig messagebus on -chkconfig iptables on -chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" - - -# TODO: make this not display the silly message about security context... -sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab - -# Remove most of the udev scripts to speed up the VM boot time -# Just leave the xen* scripts, that are needed if this VM was -# ever used as a net backend (e.g. as a VPN domain in the future) -#echo "--> Removing unnecessary udev scripts..." 
-mkdir -p /var/lib/qubes/removed-udev-scripts -for f in /etc/udev/rules.d/* -do - if [ $(basename $f) == "xen-backend.rules" ] ; then - continue - fi - - if [ $(basename $f) == "xend.rules" ] ; then - continue - fi - - if [ $(basename $f) == "99-qubes_network.rules" ] ; then - continue - fi - - if [ $(basename $f) == "99-qubes_block.rules" ] ; then - continue - fi - - if [ $(basename $f) == "90-hal.rules" ] ; then - continue - fi - - - mv $f /var/lib/qubes/removed-udev-scripts/ -done -mkdir -p /rw -#rm -f /etc/mtab -#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" -#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig -#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 - -%preun -if [ "$1" = 0 ] ; then - # no more packages left - chkconfig qubes_core off - mv /var/lib/qubes/fstab.orig /etc/fstab - mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ - mv /var/lib/qubes/serial.orig /etc/init/serial.conf -fi - -%clean -rm -rf $RPM_BUILD_ROOT - -%files -%defattr(-,root,root,-) -/etc/fstab -/etc/init.d/qubes_core -/etc/sysconfig/iptables -/var/lib/qubes -/etc/yum.repos.d/qubes.repo -/etc/pki/rpm-gpg/RPM-GPG-KEY-qubes* -/sbin/qubes_serial_login -/usr/bin/xenstore-watch-qubes -/etc/udev/rules.d/99-qubes_network.rules -/etc/udev/rules.d/50-qubes_memory.rules -/etc/udev/rules.d/99-qubes_block.rules -/etc/sysconfig/modules/qubes_core.modules -/usr/lib/qubes/setup_ip -/etc/yum/post-actions/qubes_trigger_sync_appmenus.action -/usr/lib/qubes/qubes_trigger_sync_appmenus.sh -/usr/lib/qubes/qubes_download_dom0_updates.sh -/usr/lib/qubes/block_add_change -/usr/lib/qubes/block_remove -/usr/lib/qubes/block_cleanup -/lib/firmware/updates diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec deleted file mode 100644 index a4c966b..0000000 --- a/rpm_spec/core-netvm.spec +++ /dev/null 
@@ -1,102 +0,0 @@ -# -# The Qubes OS Project, http://www.qubes-os.org -# -# Copyright (C) 2010 Joanna Rutkowska -# Copyright (C) 2010 Rafal Wojtczuk -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# -# - -%{!?version: %define version %(cat version_vm)} - -Name: qubes-core-netvm -Version: %{version} -Release: 1%{dist} -Summary: The Qubes core files for NetVM - -Group: Qubes -Vendor: Invisible Things Lab -License: GPL -URL: http://www.qubes-os.org -Requires: /usr/bin/xenstore-read -Requires: fedora-release -Requires: NetworkManager >= 0.8.1-1 -Requires: qubes-core-commonvm -Provides: qubes-core-vm - -%define _builddir %(pwd)/netvm - -%description -The Qubes core files for installation inside a Qubes NetVM. 
- -%pre - -%build -make -C ../vchan -make -C ../u2mfn - -%install - -mkdir -p $RPM_BUILD_ROOT/etc -mkdir -p $RPM_BUILD_ROOT/etc/init.d -cp qubes_core_netvm $RPM_BUILD_ROOT/etc/init.d/ -mkdir -p $RPM_BUILD_ROOT/var/lib/qubes -mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes -cp ../common/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/lib/qubes -cp ../common/qubes_fix_nm_conf.sh $RPM_BUILD_ROOT/usr/lib/qubes -mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d -ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh -mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ -cp ../common/qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ -cp ../netvm/30-qubes_external_ip $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ -mkdir -p $RPM_BUILD_ROOT/var/run/qubes -mkdir -p $RPM_BUILD_ROOT/etc/xen/scripts -cp ../common/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts - -%post - -# Create NetworkManager configuration if we do not have it -if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then -echo '[main]' > /etc/NetworkManager/NetworkManager.conf -echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf -echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf -fi -/usr/lib/qubes/qubes_fix_nm_conf.sh - -chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" 
- -# Remove ip_forward setting from sysctl, so NM will not reset it -sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf - -%preun -if [ "$1" = 0 ] ; then - # no more packages left - chkconfig qubes_core_netvm off -fi - -%clean -rm -rf $RPM_BUILD_ROOT - -%files -%defattr(-,root,root,-) -/etc/init.d/qubes_core_netvm -/usr/lib/qubes/qubes_setup_dnat_to_ns -/usr/lib/qubes/qubes_fix_nm_conf.sh -/etc/dhclient.d/qubes_setup_dnat_to_ns.sh -/etc/NetworkManager/dispatcher.d/qubes_nmhook -/etc/NetworkManager/dispatcher.d/30-qubes_external_ip -/etc/xen/scripts/vif-route-qubes diff --git a/rpm_spec/core-proxyvm.spec b/rpm_spec/core-proxyvm.spec deleted file mode 100644 index c83bd6a..0000000 --- a/rpm_spec/core-proxyvm.spec +++ /dev/null 
@@ -1,80 +0,0 @@ -# -# The Qubes OS Project, http://www.qubes-os.org -# -# Copyright (C) 2010 Joanna Rutkowska -# Copyright (C) 2010 Rafal Wojtczuk -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# -# - -%{!?version: %define version %(cat version_vm)} - -Name: qubes-core-proxyvm -Version: %{version} -Release: 1%{dist} -Summary: The Qubes core files for NetVM - -Group: Qubes -Vendor: Invisible Things Lab -License: GPL -URL: http://www.qubes-os.org -Requires: /usr/bin/xenstore-read -Requires: /sbin/ethtool -Requires: fedora-release -Requires: qubes-core-netvm - -%define _builddir %(pwd)/proxyvm - -%description -The Qubes core files for installation inside a Qubes ProxyVM in addition to NetVM scripts. - -%pre - -%build - -%install - -mkdir -p $RPM_BUILD_ROOT/etc/init.d -cp init.d/qubes_firewall $RPM_BUILD_ROOT/etc/init.d/ -cp init.d/qubes_netwatcher $RPM_BUILD_ROOT/etc/init.d/ -mkdir -p $RPM_BUILD_ROOT/usr/sbin -cp bin/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ -cp bin/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/ - -%post - -chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!" - -chkconfig --add qubes_netwatcher || echo "WARNING: Cannot add service qubes_core!" 
-chkconfig qubes_netwatcher on || echo "WARNING: Cannot enable service qubes_core!" - -%preun -if [ "$1" = 0 ] ; then - # no more packages left - chkconfig qubes_firewall off - chkconfig qubes_netwatcher off -fi - -%clean -rm -rf $RPM_BUILD_ROOT - -%files -%defattr(-,root,root,-) -/etc/init.d/qubes_firewall -/etc/init.d/qubes_netwatcher -/usr/sbin/qubes_firewall -/usr/sbin/qubes_netwatcher diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec new file mode 100644 index 0000000..e6b2d88 --- /dev/null +++ b/rpm_spec/core-vm.spec 
@@ -0,0 +1,417 @@ +# +# The Qubes OS Project, http://www.qubes-os.org +# +# Copyright (C) 2010 Joanna Rutkowska +# Copyright (C) 2010 Rafal Wojtczuk +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# + +%{!?version: %define version %(cat version_vm)} + +Name: qubes-core-vm +Version: %{version} +Release: 1%{dist} +Summary: The Qubes core files for VM + +Group: Qubes +Vendor: Invisible Things Lab +License: GPL +URL: http://www.qubes-os.org +Requires: /usr/bin/xenstore-read +Requires: fedora-release +Requires: yum-plugin-post-transaction-actions +Requires: NetworkManager >= 0.8.1-1 +Requires: /usr/bin/mimeopen +Requires: /sbin/ethtool +Provides: qubes-core-vm +BuildRequires: xen-devel + +%define _builddir %(pwd) + +%define kde_service_dir /usr/share/kde4/services/ServiceMenus + +%description +The Qubes core files for installation inside a Qubes VM. + +%build +make -C misc +make -C qubes_rpc +make -C qrexec +make -C vchan +make -C u2mfn + +%pre + +if [ "$1" != 1 ] ; then +# do this whole %pre thing only when updating for the first time... 
+exit 0 +fi + +mkdir -p /var/lib/qubes +if [ -e /etc/fstab ] ; then +mv /etc/fstab /var/lib/qubes/fstab.orig +fi + +adduser --create-home user +su user -c 'mkdir -p /home/user/.local/share' +su user -c 'mkdir -p /home/user/.gnome2/nautilus-scripts' +su user -c 'ln -s /usr/lib/qubes/qvm-copy-to-vm.gnome /home/user/.gnome2/nautilus-scripts/"Copy to other AppVM"' +su user -c 'ln -s /usr/bin/qvm-open-in-dvm /home/user/.gnome2/nautilus-scripts/"Open in DisposableVM"' +su user -c 'touch /home/user/.gnome2/nautilus-scripts/.scripts_created' +su user -c 'touch /home/user/.gnome2/nautilus-scripts/.scripts_created2' + +%install + +install -D misc/fstab $RPM_BUILD_ROOT/etc/fstab +install -d $RPM_BUILD_ROOT/etc/init.d +install vm-init.d/* $RPM_BUILD_ROOT/etc/init.d/ + +install -D -m 0440 misc/qubes.sudoers $RPM_BUILD_ROOT/etc/sudoers.d/qubes +install -D misc/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d/qubes.repo +install -D misc/serial.conf $RPM_BUILD_ROOT/usr/lib/qubes/serial.conf +install -D misc/qubes_serial_login $RPM_BUILD_ROOT/sbin/qubes_serial_login + +install -d $RPM_BUILD_ROOT/var/lib/qubes + +install -d -m 755 $RPM_BUILD_ROOT/etc/pki/rpm-gpg +install -m 644 misc/RPM-GPG-KEY-qubes* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/ +install -D misc/xenstore-watch $RPM_BUILD_ROOT/usr/bin/xenstore-watch-qubes +install -d $RPM_BUILD_ROOT/etc/udev/rules.d +install misc/qubes_memory.rules $RPM_BUILD_ROOT/etc/udev/rules.d/50-qubes_memory.rules +install misc/qubes_block.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_block.rules +install -d $RPM_BUILD_ROOT/usr/lib/qubes/ +install misc/qubes_download_dom0_updates.sh $RPM_BUILD_ROOT/usr/lib/qubes/ +install misc/{block_add_change,block_remove,block_cleanup} $RPM_BUILD_ROOT/usr/lib/qubes/ +install misc/qubes_trigger_sync_appmenus.sh $RPM_BUILD_ROOT/usr/lib/qubes/ +install -D misc/qubes_trigger_sync_appmenus.action $RPM_BUILD_ROOT/etc/yum/post-actions/qubes_trigger_sync_appmenus.action +mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes + +install -D 
misc/qubes_core.modules $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes_core.modules + +install network/qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules +install network/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/lib/qubes +install network/qubes_fix_nm_conf.sh $RPM_BUILD_ROOT/usr/lib/qubes +install network/setup_ip $RPM_BUILD_ROOT/usr/lib/qubes/ +install -d $RPM_BUILD_ROOT/etc/dhclient.d +ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh +install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ +install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ +install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes +install -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables + +install -d $RPM_BUILD_ROOT/usr/sbin +install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/ +install network/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/ + +install -d $RPM_BUILD_ROOT/lib/firmware +ln -s /lib/modules/firmware $RPM_BUILD_ROOT/lib/firmware/updates + +install -d $RPM_BUILD_ROOT/usr/bin + +install qubes_rpc/{qvm-open-in-dvm,qvm-open-in-vm,qvm-copy-to-vm,qvm-run} $RPM_BUILD_ROOT/usr/bin +install qubes_rpc/wrap_in_html_if_url.sh $RPM_BUILD_ROOT/usr/lib/qubes +install qubes_rpc/qvm-copy-to-vm.kde $RPM_BUILD_ROOT/usr/lib/qubes +install qubes_rpc/qvm-copy-to-vm.gnome $RPM_BUILD_ROOT/usr/lib/qubes +install qubes_rpc/{vm-file-editor,qfile-agent,qopen-in-vm,qfile-unpacker} $RPM_BUILD_ROOT/usr/lib/qubes +install qubes_rpc/{vm-shell,qrun-in-vm} $RPM_BUILD_ROOT/usr/lib/qubes +install -d $RPM_BUILD_ROOT/%{kde_service_dir} +install qubes_rpc/{qvm-copy.desktop,qvm-dvm.desktop} $RPM_BUILD_ROOT/%{kde_service_dir} +install -d $RPM_BUILD_ROOT/etc/qubes_rpc +install qubes_rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell} $RPM_BUILD_ROOT/etc/qubes_rpc + +install qrexec/qrexec_agent $RPM_BUILD_ROOT/usr/lib/qubes +install qrexec/qrexec_client_vm 
$RPM_BUILD_ROOT/usr/lib/qubes +install qrexec/qubes_rpc_multiplexer $RPM_BUILD_ROOT/usr/lib/qubes + +install misc/meminfo-writer $RPM_BUILD_ROOT/usr/lib/qubes +install -d $RPM_BUILD_ROOT/mnt/removable +install -d $RPM_BUILD_ROOT/var/lib/qubes/dom0-updates + +install -D misc/xorg-preload-apps.conf $RPM_BUILD_ROOT/etc/X11/xorg-preload-apps.conf + +install -d $RPM_BUILD_ROOT/var/run/qubes +install -d $RPM_BUILD_ROOT/home_volatile/user + +install -D vchan/libvchan.h $RPM_BUILD_ROOT/usr/include/libvchan.h +install -D u2mfn/u2mfnlib.h $RPM_BUILD_ROOT/usr/include/u2mfnlib.h +install -D u2mfn/u2mfn-kernel.h $RPM_BUILD_ROOT/usr/include/u2mfn-kernel.h + +install -D vchan/libvchan.so $RPM_BUILD_ROOT/%{_libdir}/libvchan.so +install -D u2mfn/libu2mfn.so $RPM_BUILD_ROOT/%{_libdir}/libu2mfn.so + +%triggerin -- initscripts +cp /usr/lib/qubes/serial.conf /etc/init/serial.conf + +%post + +# disable some Upstart services +for F in plymouth-shutdown prefdm splash-manager start-ttys tty ; do + if [ -e /etc/init/$F.conf ]; then + mv -f /etc/init/$F.conf /etc/init/$F.conf.disabled + fi +done + +remove_ShowIn () { + if [ -e /etc/xdg/autostart/$1.desktop ]; then + sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/$1.desktop + fi +} + +# don't want it at all +for F in abrt-applet deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto ; do + if [ -e /etc/xdg/autostart/$F.desktop ]; then + remove_ShowIn $F + echo 'NotShowIn=QUBES' >> /etc/xdg/autostart/$F.desktop + fi +done + +# don't want it in DisposableVM +for F in gcm-apply ; do + if [ -e /etc/xdg/autostart/$F.desktop ]; then + remove_ShowIn $F + echo 'NotShowIn=DisposableVM' >> /etc/xdg/autostart/$F.desktop + fi +done + +# want it in AppVM only +for F in gnome-keyring-gpg gnome-keyring-pkcs11 gnome-keyring-secrets gnome-keyring-ssh gnome-settings-daemon user-dirs-update-gtk gsettings-data-convert ; do + if [ -e /etc/xdg/autostart/$F.desktop ]; then + remove_ShowIn $F + echo 'OnlyShowIn=GNOME;AppVM;' >> 
/etc/xdg/autostart/$F.desktop + fi +done + +# remove existing rule to add own later +for F in gpk-update-icon nm-applet ; do + remove_ShowIn $F +done + +echo 'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || : +echo 'OnlyShowIn=GNOME;NetVM;' >> /etc/xdg/autostart/nm-applet.desktop || : + +usermod -p '' root +usermod -L user + +# Create NetworkManager configuration if we do not have it +if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then +echo '[main]' > /etc/NetworkManager/NetworkManager.conf +echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf +echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf +fi +/usr/lib/qubes/qubes_fix_nm_conf.sh + + +# Remove ip_forward setting from sysctl, so NM will not reset it +sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf + +# Prevent unnecessary updates in VMs: +sed -i -e '/^exclude = kernel/d' /etc/yum.conf +echo 'exclude = kernel, xorg-x11-drv-*, xorg-x11-drivers, xorg-x11-server-*' >> /etc/yum.conf + +if [ "$1" != 1 ] ; then +# do the rest of %post thing only when updating for the first time... +exit 0 +fi + +if ! [ -f /var/lib/qubes/serial.orig ] ; then + cp /etc/init/serial.conf /var/lib/qubes/serial.orig +fi + +#echo "--> Disabling SELinux..." +sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed +mv /etc/selinux/config.processed /etc/selinux/config +setenforce 0 2>/dev/null + +#echo "--> Turning off unnecessary services..." +# FIXME: perhaps there is more elegant way to do this? +for f in /etc/init.d/* +do + srv=`basename $f` + [ $srv = 'functions' ] && continue + [ $srv = 'killall' ] && continue + [ $srv = 'halt' ] && continue + [ $srv = 'single' ] && continue + [ $srv = 'reboot' ] && continue + [ $srv = 'qubes_gui' ] && continue + chkconfig $srv off +done + +[ -x /bin/systemctl ] && /bin/systemctl disable NetworkManager.service +[ -x /bin/systemctl ] && /bin/systemctl disable crond.service + +#echo "--> Enabling essential services..." 
+chkconfig rsyslog on +chkconfig haldaemon on +chkconfig messagebus on +chkconfig iptables on +chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_netwatcher || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_netwatcher on || echo "WARNING: Cannot enable service qubes_core!" + + +# TODO: make this not display the silly message about security context... +sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab + +# Remove most of the udev scripts to speed up the VM boot time +# Just leave the xen* scripts, that are needed if this VM was +# ever used as a net backend (e.g. as a VPN domain in the future) +#echo "--> Removing unnecessary udev scripts..." 
+mkdir -p /var/lib/qubes/removed-udev-scripts +for f in /etc/udev/rules.d/* +do + if [ $(basename $f) == "xen-backend.rules" ] ; then + continue + fi + + if [ $(basename $f) == "xend.rules" ] ; then + continue + fi + + if [ $(basename $f) == "99-qubes_network.rules" ] ; then + continue + fi + + if [ $(basename $f) == "99-qubes_block.rules" ] ; then + continue + fi + + if [ $(basename $f) == "90-hal.rules" ] ; then + continue + fi + + + mv $f /var/lib/qubes/removed-udev-scripts/ +done +mkdir -p /rw +#rm -f /etc/mtab +#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" +#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig +#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 + +%preun +if [ "$1" = 0 ] ; then + # no more packages left + chkconfig qubes_core off + chkconfig qubes_core_netvm off + chkconfig qubes_core_appvm off + chkconfig qubes_firewall off + chkconfig qubes_netwatcher off + mv /var/lib/qubes/fstab.orig /etc/fstab + mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ + mv /var/lib/qubes/serial.orig /etc/init/serial.conf +fi + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root,-) +%dir /var/lib/qubes +%dir /var/run/qubes +%dir %attr(0775,user,user) /var/lib/qubes/dom0-updates +%{kde_service_dir}/qvm-copy.desktop +%{kde_service_dir}/qvm-dvm.desktop +/etc/NetworkManager/dispatcher.d/30-qubes_external_ip +/etc/NetworkManager/dispatcher.d/qubes_nmhook +/etc/X11/xorg-preload-apps.conf +/etc/dhclient.d/qubes_setup_dnat_to_ns.sh +/etc/fstab +/etc/init.d/qubes_core +/etc/init.d/qubes_core_appvm +/etc/init.d/qubes_core_netvm +/etc/init.d/qubes_firewall +/etc/init.d/qubes_netwatcher +/etc/pki/rpm-gpg/RPM-GPG-KEY-qubes* +%dir /etc/qubes_rpc +/etc/qubes_rpc/qubes.Filecopy +/etc/qubes_rpc/qubes.OpenInVM +/etc/qubes_rpc/qubes.VMShell +/etc/sudoers.d/qubes +/etc/sysconfig/iptables +/etc/sysconfig/modules/qubes_core.modules 
+/etc/udev/rules.d/50-qubes_memory.rules +/etc/udev/rules.d/99-qubes_block.rules +/etc/udev/rules.d/99-qubes_network.rules +/etc/xen/scripts/vif-route-qubes +/etc/yum.repos.d/qubes.repo +/etc/yum/post-actions/qubes_trigger_sync_appmenus.action +/lib/firmware/updates +/sbin/qubes_serial_login +/usr/bin/qvm-copy-to-vm +/usr/bin/qvm-open-in-dvm +/usr/bin/qvm-open-in-vm +/usr/bin/qvm-run +/usr/bin/xenstore-watch-qubes +%dir /usr/lib/qubes +/usr/lib/qubes/block_add_change +/usr/lib/qubes/block_cleanup +/usr/lib/qubes/block_remove +/usr/lib/qubes/meminfo-writer +/usr/lib/qubes/qfile-agent +/usr/lib/qubes/qfile-unpacker +/usr/lib/qubes/qopen-in-vm +/usr/lib/qubes/qrexec_agent +/usr/lib/qubes/qrexec_client_vm +/usr/lib/qubes/qrun-in-vm +/usr/lib/qubes/qubes_download_dom0_updates.sh +/usr/lib/qubes/qubes_fix_nm_conf.sh +/usr/lib/qubes/qubes_rpc_multiplexer +/usr/lib/qubes/qubes_setup_dnat_to_ns +/usr/lib/qubes/qubes_trigger_sync_appmenus.sh +/usr/lib/qubes/qvm-copy-to-vm.gnome +/usr/lib/qubes/qvm-copy-to-vm.kde +/usr/lib/qubes/serial.conf +/usr/lib/qubes/setup_ip +/usr/lib/qubes/vm-file-editor +/usr/lib/qubes/vm-shell +/usr/lib/qubes/wrap_in_html_if_url.sh +/usr/sbin/qubes_firewall +/usr/sbin/qubes_netwatcher +%dir /home_volatile +%attr(700,user,user) /home_volatile/user +%dir /mnt/removable + + +%package devel +Summary: Include files for qubes core libraries +License: GPL v2 only +Group: Development/Sources + +%description devel + +%files devel +/usr/include/libvchan.h +/usr/include/u2mfnlib.h +/usr/include/u2mfn-kernel.h + +%package libs +Summary: Qubes core libraries +License: GPL v2 only +Group: Development/Sources + +%description libs + +%files libs +%{_libdir}/libvchan.so +%{_libdir}/libu2mfn.so diff --git a/common/qubes_core b/vm-init.d/qubes_core similarity index 100% rename from common/qubes_core rename to vm-init.d/qubes_core 
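Review bot: In the `%install` section the switch from `cp` to `install` without `-m` puts every non-executable file into the buildroot as 0755, and since `%files` uses `%defattr(-,root,root,-)` those modes ship in the package: `/etc/sysconfig/iptables`, `/etc/fstab`, the three udev rules, `qubes.repo`, `serial.conf`, the `.desktop` and `.action` files and `xorg-preload-apps.conf` all become executable config files, which the old `cp`-based specs presumably did not do. Pass an explicit mode for data files, e.g. `install -D -m 0644 network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables` and `install -m 0644 misc/qubes_memory.rules $RPM_BUILD_ROOT/etc/udev/rules.d/50-qubes_memory.rules`, and keep the bare `install` only for the scripts and binaries under `/usr/lib/qubes`, `/usr/sbin`, `/usr/bin` and `/etc/qubes_rpc` that must be executable. Separately, `%post` still carries over `usermod -p '' root` and `setenforce 0` from the old commonvm spec without comment; since this file is now the single VM spec, a one-line comment such as `# intentional: no security boundary inside a Qubes VM, root console is used by dom0` would tell future readers that the empty root password and disabled SELinux are design decisions rather than leftovers.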
diff --git a/appvm/qubes_core_appvm b/vm-init.d/qubes_core_appvm similarity index 100% rename from appvm/qubes_core_appvm rename to vm-init.d/qubes_core_appvm diff --git a/netvm/qubes_core_netvm b/vm-init.d/qubes_core_netvm similarity index 100% rename from netvm/qubes_core_netvm rename to vm-init.d/qubes_core_netvm diff --git a/proxyvm/init.d/qubes_firewall b/vm-init.d/qubes_firewall similarity index 100% rename from proxyvm/init.d/qubes_firewall rename to vm-init.d/qubes_firewall diff --git a/proxyvm/init.d/qubes_netwatcher b/vm-init.d/qubes_netwatcher similarity index 100% rename from proxyvm/init.d/qubes_netwatcher rename to vm-init.d/qubes_netwatcher From a25d3be356d60025cee4c8c58a713f592199452a Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 10 Jan 2012 11:23:27 +0100 Subject: [PATCH 02/14] vm/spec: add Obsoletes header for smooth upgrade --- rpm_spec/core-vm.spec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index e6b2d88..18b1631 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -38,6 +38,10 @@ Requires: NetworkManager >= 0.8.1-1 Requires: /usr/bin/mimeopen Requires: /sbin/ethtool Provides: qubes-core-vm +Obsoletes: qubes-core-commonvm +Obsoletes: qubes-core-appvm +Obsoletes: qubes-core-netvm +Obsoletes: qubes-core-proxyvm BuildRequires: xen-devel %define _builddir %(pwd) @@ -397,6 +401,7 @@ rm -rf $RPM_BUILD_ROOT Summary: Include files for qubes core libraries License: GPL v2 only Group: Development/Sources +Obsoletes: qubes-core-appvm-devel %description devel @@ -409,6 +414,7 @@ Group: Development/Sources Summary: Qubes core libraries License: GPL v2 only Group: Development/Sources +Obsoletes: qubes-core-appvm-libs %description libs From 5573200c9de056e1065652f61cdae67df1d718ab Mon Sep 17 00:00:00 2001 
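Review bot: The four `Obsoletes:` lines added in the first hunk are unversioned, so they will also replace any future package that happens to reuse one of those names, not just the old split packages this merge retires; the usual form is a versioned obsolete such as `Obsoletes: qubes-core-commonvm < %{version}-%{release}` (same for the `-devel` and `-libs` subpackages). The `Provides: qubes-core-vm` line directly above is also redundant now that the package is named `qubes-core-vm` and could be dropped or turned into a versioned `Provides:` for the obsoleted names if anything still depends on them.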
From: Marek Marczykowski Date: Tue, 10 Jan 2012 12:09:09 +0100 Subject: [PATCH 03/14] vm/spec: split SysV init scripts into separate subpackage --- rpm_spec/core-vm.spec | 110 ++++++++++++++++++++++++------------------ 1 file changed, 63 insertions(+), 47 deletions(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 18b1631..49f715c 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
@@ -240,43 +240,6 @@ sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/confi mv /etc/selinux/config.processed /etc/selinux/config setenforce 0 2>/dev/null -#echo "--> Turning off unnecessary services..." -# FIXME: perhaps there is more elegant way to do this? -for f in /etc/init.d/* -do - srv=`basename $f` - [ $srv = 'functions' ] && continue - [ $srv = 'killall' ] && continue - [ $srv = 'halt' ] && continue - [ $srv = 'single' ] && continue - [ $srv = 'reboot' ] && continue - [ $srv = 'qubes_gui' ] && continue - chkconfig $srv off -done - -[ -x /bin/systemctl ] && /bin/systemctl disable NetworkManager.service -[ -x /bin/systemctl ] && /bin/systemctl disable crond.service - -#echo "--> Enabling essential services..." -chkconfig rsyslog on -chkconfig haldaemon on -chkconfig messagebus on -chkconfig iptables on -chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!" -chkconfig --add qubes_netwatcher || echo "WARNING: Cannot add service qubes_core!" -chkconfig qubes_netwatcher on || echo "WARNING: Cannot enable service qubes_core!" - - -# TODO: make this not display the silly message about security context... -sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab - # Remove most of the udev scripts to speed up the VM boot time # Just leave the xen* scripts, that are needed if this VM was # ever used as a net backend (e.g. as a VPN domain in the future) 
@@ -316,11 +279,6 @@ mkdir -p /rw %preun if [ "$1" = 0 ] ; then # no more packages left - chkconfig qubes_core off - chkconfig qubes_core_netvm off - chkconfig qubes_core_appvm off - chkconfig qubes_firewall off - chkconfig qubes_netwatcher off mv /var/lib/qubes/fstab.orig /etc/fstab mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ mv /var/lib/qubes/serial.orig /etc/init/serial.conf @@ -341,11 +299,6 @@ rm -rf $RPM_BUILD_ROOT /etc/X11/xorg-preload-apps.conf /etc/dhclient.d/qubes_setup_dnat_to_ns.sh /etc/fstab -/etc/init.d/qubes_core -/etc/init.d/qubes_core_appvm -/etc/init.d/qubes_core_netvm -/etc/init.d/qubes_firewall -/etc/init.d/qubes_netwatcher /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes* %dir /etc/qubes_rpc /etc/qubes_rpc/qubes.Filecopy 
@@ -421,3 +374,66 @@ Obsoletes: qubes-core-appvm-libs %files libs %{_libdir}/libvchan.so %{_libdir}/libu2mfn.so + +%package sysvinit +Summary: Qubes unit files for SysV init style or upstart +License: GPL v2 only +Group: Qubes +Requires: upstart +Requires: qubes-core-vm +Provides: qubes-core-vm-init-scripts + +%description sysvinit +The Qubes core startup configuration for SysV init (or upstart). + +%files sysvinit +/etc/init.d/qubes_core +/etc/init.d/qubes_core_appvm +/etc/init.d/qubes_core_netvm +/etc/init.d/qubes_firewall +/etc/init.d/qubes_netwatcher + +%post sysvinit + +#echo "--> Turning off unnecessary services..." +# FIXME: perhaps there is more elegant way to do this? +for f in /etc/init.d/* +do + srv=`basename $f` + [ $srv = 'functions' ] && continue + [ $srv = 'killall' ] && continue + [ $srv = 'halt' ] && continue + [ $srv = 'single' ] && continue + [ $srv = 'reboot' ] && continue + [ $srv = 'qubes_gui' ] && continue + chkconfig $srv off +done + +#echo "--> Enabling essential services..." +chkconfig rsyslog on +chkconfig haldaemon on +chkconfig messagebus on +chkconfig iptables on +chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core_netvm on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!" +chkconfig --add qubes_netwatcher || echo "WARNING: Cannot add service qubes_core!" +chkconfig qubes_netwatcher on || echo "WARNING: Cannot enable service qubes_core!" 
+ +# TODO: make this not display the silly message about security context... +sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab + +%preun sysvinit +if [ "$1" = 0 ] ; then + # no more packages left + chkconfig qubes_core off + chkconfig qubes_core_netvm off + chkconfig qubes_core_appvm off + chkconfig qubes_firewall off + chkconfig qubes_netwatcher off +fi From 5e0cde15de5e7ebcc8d2825e8dbfcff08fbd3ac2 Mon Sep 17 00:00:00 2001 
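Review bot: The five `|| echo` fallbacks in the new `%post sysvinit` all report `qubes_core`, so a failure to add or enable qubes_core_netvm, qubes_core_appvm, qubes_firewall or qubes_netwatcher is logged as a qubes_core failure; a loop over the service list fixes the diagnostics and keeps the list in one place. The scriptlet also runs its blanket `chkconfig $srv off` over every `/etc/init.d/*` on every upgrade, not only on first install (there is no `$1` test, unlike the `%preun sysvinit` below it), so services an administrator enabled in the template are switched off again by each update. If that is not intended, guard the disable loop with `if [ "$1" -eq 1 ]; then … fi`.
```rpm-spec
#echo "--> Enabling essential services..."
# … unchanged: chkconfig rsyslog/haldaemon/messagebus/iptables on …
for srv in qubes_core qubes_core_netvm qubes_core_appvm qubes_firewall qubes_netwatcher; do
    chkconfig --add $srv || echo "WARNING: Cannot add service $srv!"
    chkconfig $srv on || echo "WARNING: Cannot enable service $srv!"
done
```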
From: Marek Marczykowski Date: Tue, 10 Jan 2012 12:10:16 +0100 Subject: [PATCH 04/14] vm/init: introduce SystemD startup scripts --- rpm_spec/core-vm.spec | 105 ++++++++++++++++++++++++ vm-systemd/NetworkManager.service | 3 + vm-systemd/cups.service | 3 + vm-systemd/misc-post.sh | 60 ++++++++++++++ vm-systemd/network-proxy-setup.sh | 14 ++++ vm-systemd/ntpd.service | 3 + vm-systemd/prepare-dvm.sh | 30 +++++++ vm-systemd/qubes-dvm.service | 12 +++ vm-systemd/qubes-firewall.service | 10 +++ vm-systemd/qubes-meminfo-writer.service | 12 +++ vm-systemd/qubes-misc-post.service | 11 +++ vm-systemd/qubes-netwatcher.service | 11 +++ vm-systemd/qubes-network.service | 14 ++++ vm-systemd/qubes-qrexec-agent.service | 10 +++ vm-systemd/qubes-sysinit.service | 11 +++ vm-systemd/qubes-sysinit.sh | 50 +++++++++++ 16 files changed, 359 insertions(+) create mode 100644 vm-systemd/NetworkManager.service create mode 100644 vm-systemd/cups.service create mode 100755 vm-systemd/misc-post.sh create mode 100755 vm-systemd/network-proxy-setup.sh create mode 100644 vm-systemd/ntpd.service create mode 100755 vm-systemd/prepare-dvm.sh create mode 100644 vm-systemd/qubes-dvm.service create mode 100644 vm-systemd/qubes-firewall.service create mode 100644 vm-systemd/qubes-meminfo-writer.service create mode 100644 vm-systemd/qubes-misc-post.service create mode 100644 vm-systemd/qubes-netwatcher.service create mode 100644 vm-systemd/qubes-network.service create mode 100644 vm-systemd/qubes-qrexec-agent.service create mode 100644 vm-systemd/qubes-sysinit.service create mode 100755 vm-systemd/qubes-sysinit.sh diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 49f715c..15926cb 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
@@ -84,6 +84,13 @@ install -D misc/fstab $RPM_BUILD_ROOT/etc/fstab install -d $RPM_BUILD_ROOT/etc/init.d install vm-init.d/* $RPM_BUILD_ROOT/etc/init.d/ +install -d $RPM_BUILD_ROOT/lib/systemd/system $RPM_BUILD_ROOT/usr/lib/qubes/init +install -m 0755 vm-systemd/*.sh $RPM_BUILD_ROOT/usr/lib/qubes/init/ +install -m 0644 vm-systemd/qubes-*.service $RPM_BUILD_ROOT/lib/systemd/system/ +install -m 0644 vm-systemd/NetworkManager.service $RPM_BUILD_ROOT/usr/lib/qubes/init/ +install -m 0644 vm-systemd/cups.service $RPM_BUILD_ROOT/usr/lib/qubes/init/ +install -m 0644 vm-systemd/ntpd.service $RPM_BUILD_ROOT/usr/lib/qubes/init/ + install -D -m 0440 misc/qubes.sudoers $RPM_BUILD_ROOT/etc/sudoers.d/qubes install -D misc/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d/qubes.repo install -D misc/serial.conf $RPM_BUILD_ROOT/usr/lib/qubes/serial.conf @@ -382,6 +389,7 @@ Group: Qubes Requires: upstart Requires: qubes-core-vm Provides: qubes-core-vm-init-scripts +Conflicts: qubes-core-vm-systemd %description sysvinit The Qubes core startup configuration for SysV init (or upstart). 
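Review bot: The unit directory is hard-coded as `/lib/systemd/system` in the new `install -d` and `install -m 0644 vm-systemd/qubes-*.service` lines (and again in the `%files systemd` list later in this commit); Fedora's systemd packaging macros provide `%{_unitdir}` for this, and using it keeps the package correct if the distribution relocates unit files. The same hunk drops the three distro-unit overrides (`NetworkManager.service`, `cups.service`, `ntpd.service`) into `/usr/lib/qubes/init/` next to the `*.sh` scripts, which is not obvious to a reader of the %install section; a comment such as `# overrides of distro units, copied into /etc/systemd/system by %post systemd` would explain the placement.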
@@ -437,3 +445,100 @@ if [ "$1" = 0 ] ; then chkconfig qubes_firewall off chkconfig qubes_netwatcher off fi + +%package systemd +Summary: Qubes unit files for SystemD init style +License: GPL v2 only +Group: Qubes +Requires: systemd +Requires: qubes-core-vm +Provides: qubes-core-vm-init-scripts +Conflicts: qubes-core-vm-sysvinit + +%description systemd +The Qubes core startup configuration for SystemD init. + +%files systemd +%defattr(-,root,root,-) +/lib/systemd/system/qubes-dvm.service +/lib/systemd/system/qubes-meminfo-writer.service +/lib/systemd/system/qubes-qrexec-agent.service +/lib/systemd/system/qubes-misc-post.service +/lib/systemd/system/qubes-firewall.service +/lib/systemd/system/qubes-netwatcher.service +/lib/systemd/system/qubes-network.service +/lib/systemd/system/qubes-sysinit.service +%dir /usr/lib/qubes/init +/usr/lib/qubes/init/prepare-dvm.sh +/usr/lib/qubes/init/network-proxy-setup.sh +/usr/lib/qubes/init/misc-post.sh +/usr/lib/qubes/init/qubes-sysinit.sh +/usr/lib/qubes/init/NetworkManager.service +/usr/lib/qubes/init/cups.service +/usr/lib/qubes/init/ntpd.service +%ghost %attr(0644,root,root) /etc/systemd/system/NetworkManager.service +%ghost %attr(0644,root,root) /etc/systemd/system/cups.service + +%post systemd + +for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network; do + /bin/systemctl enable $srv.service +done + +# Install overriden services only when original exists +for srv in cups NetworkManager ntpd; do + if [ -f /lib/systemd/system/$srv.service ]; then + cp /usr/lib/qubes/init/$srv.service /etc/systemd/system/$srv.service + fi +done + +# Set default "runlevel" +rm -f /etc/systemd/system/default.target +ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target + +# Services to disable +#echo "--> Turning off unnecessary services..." +# FIXME: perhaps there is more elegant way to do this? 
+for f in /etc/init.d/* +do + srv=`basename $f` + [ $srv = 'functions' ] && continue + [ $srv = 'killall' ] && continue + [ $srv = 'halt' ] && continue + [ $srv = 'single' ] && continue + [ $srv = 'reboot' ] && continue + [ $srv = 'qubes_gui' ] && continue + chkconfig $srv off +done + +DISABLE_SERVICES="alsa-store alsa-restore auditd backuppc cpuspeed crond dbus-org.freedesktop.Avahi" +DISABLE_SERVICES="$DISABLE_SERVICES fedora-autorelabel fedora-autorelabel-mark ipmi hwclock-load hwclock-save" +DISABLE_SERVICES="$DISABLE_SERVICES mdmonitor multipathd openct rpcbind mcelog fedora-storage-init fedora-storage-init-late" +DISABLE_SERVICES="$DISABLE_SERVICES plymouth-start plymouth-read-write plymouth-quit plymouth-quit-wait" +for srv in $DISABLE_SERVICES; do + if [ -f /lib/systemd/system/$srv.service ]; then + if fgrep -q '[Install]' /lib/systemd/system/$srv.service; then + /bin/systemctl disable $srv.service + else + # forcibly disable + ln -sf /dev/null /etc/systemd/system/$srv.service + fi + fi +done + +rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service + +# Enable some services +/bin/systemctl enable iptables.service +/bin/systemctl enable rsyslog.service + +%postun systemd + +#Do not run this part on upgrades +if [ "$1" != 0 ] ; then + exit 0 +fi + +for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network; do + /bin/systemctl disable $srv.service +do diff --git a/vm-systemd/NetworkManager.service b/vm-systemd/NetworkManager.service new file mode 100644 index 0000000..bf1e486 --- /dev/null +++ b/vm-systemd/NetworkManager.service @@ -0,0 +1,3 @@ +.include /lib/systemd/system/NetworkManager.service +[Unit] +ConditionPathExists=/var/run/qubes-service/network-manager diff --git a/vm-systemd/cups.service b/vm-systemd/cups.service new file mode 100644 index 0000000..73e2796 --- /dev/null +++ b/vm-systemd/cups.service 
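Review bot: The `for srv in …` loop in `%postun systemd` is terminated with `do` instead of `done` (the last line of the hunk), so the scriptlet is a shell syntax error and removing the package will report a failed `%postun` without disabling any of the qubes-* units; the final line should be `done`. Separately, `%post systemd` copies `ntpd.service` into `/etc/systemd/system/` together with `cups.service` and `NetworkManager.service`, but only the latter two are declared `%ghost` in `%files systemd`, so the ntpd copy is unowned and is left behind on uninstall — add `%ghost %attr(0644,root,root) /etc/systemd/system/ntpd.service`. None of the copied overrides (nor the `/dev/null` symlinks created for the forcibly disabled services) are removed in `%postun` when `$1` is 0, so a removal also leaves those files in place; cleaning them up in the same `if` block would make the subpackage fully reversible.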
@@ -0,0 +1,3 @@ +.include /lib/systemd/system/cups.service +[Unit] +ConditionPathExists=/var/run/qubes-service/cups diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh new file mode 100755 index 0000000..9ebdf2e --- /dev/null +++ b/vm-systemd/misc-post.sh 
@@ -0,0 +1,60 @@ +#!/bin/sh + +# Set IP address again (besides action in udev rules); this is needed by +# DispVM (to override DispVM-template IP) and in case when qubes_ip was +# called by udev before loading evtchn kernel module - in which case +# xenstore-read fails +INTERFACE=eth0 /usr/lib/qubes/setup_ip + +if [ -e /dev/xvdb ] ; then + mount /rw + + if ! [ -d /rw/home ] ; then + echo + echo "--> Virgin boot of the VM: Linking /home to /rw/home" + + mkdir -p /rw/config + touch /rw/config/rc.local + + mkdir -p /rw/home + cp -a /home.orig/user /home + + mkdir -p /rw/usrlocal + cp -a /usr/local.orig/* /usr/local + + touch /var/lib/qubes/first_boot_completed + fi +fi + +[ -x /rw/config/rc.local ] && /rw/config/rc.local + +if ! [ -f /home/user/.gnome2/nautilus-scripts/.scripts_created ] ; then + echo "Creating symlinks for nautilus actions..." + su user -c 'mkdir -p /home/user/.gnome2/nautilus-scripts' + su user -c 'ln -s /usr/lib/qubes/qvm-copy-to-vm.gnome /home/user/.gnome2/nautilus-scripts/"Copy to other AppVM"' + su user -c 'ln -s /usr/bin/qvm-open-in-dvm /home/user/.gnome2/nautilus-scripts/"Open in DisposableVM"' + su user -c 'touch /home/user/.gnome2/nautilus-scripts/.scripts_created' +fi + +if ! [ -f /home/user/.gnome2/nautilus-scripts/.scripts_created2 ] ; then + # as we have recently renamed tools, the symlinks would need to be fixed for older templates + su user -c 'ln -sf /usr/lib/qubes/qvm-copy-to-vm.gnome /home/user/.gnome2/nautilus-scripts/"Copy to other AppVM"' + su user -c 'ln -sf /usr/bin/qvm-open-in-dvm /home/user/.gnome2/nautilus-scripts/"Open in DisposableVM"' + su user -c 'touch /home/user/.gnome2/nautilus-scripts/.scripts_created2' +fi + +# Start services which haven't own proper systemd unit: + +# Start AppVM specific services +if [ ! 
-f /etc/systemd/system/cups.service ]; then + if [ -f /var/run/qubes-service/cups ]; then + /sbin/service cups start + # Allow also notification icon + sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop + else + # Disable notification icon + sed -i -e '/QUBES/!s/^NotShowIn=.*/\1QUBES;/' /etc/xdg/autostart/print-applet.desktop + fi +fi + +exit 0 diff --git a/vm-systemd/network-proxy-setup.sh b/vm-systemd/network-proxy-setup.sh new file mode 100755 index 0000000..c12e1d3 --- /dev/null +++ b/vm-systemd/network-proxy-setup.sh @@ -0,0 +1,14 @@ +#!/bin/sh + +# Setup gateway for all the VMs this netVM is serviceing... +network=$(/usr/bin/xenstore-read qubes_netvm_network 2>/dev/null) +if [ "x$network" != "x" ]; then + gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway) + netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask) + secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns) + modprobe netbk 2> /dev/null || modprobe xen-netback + echo "NS1=$gateway" > /var/run/qubes/qubes_ns + echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns + /usr/lib/qubes/qubes_setup_dnat_to_ns + echo "1" > /proc/sys/net/ipv4/ip_forward +fi diff --git a/vm-systemd/ntpd.service b/vm-systemd/ntpd.service new file mode 100644 index 0000000..21e93db --- /dev/null +++ b/vm-systemd/ntpd.service @@ -0,0 +1,3 @@ +.include /lib/systemd/system/ntpd.service +[Unit] +ConditionPathExists=/var/run/qubes-service/ntpd diff --git a/vm-systemd/prepare-dvm.sh b/vm-systemd/prepare-dvm.sh new file mode 100755 index 0000000..86b6a74 --- /dev/null +++ b/vm-systemd/prepare-dvm.sh 
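Review bot: The sed expression in the `else` branch near the end of misc-post.sh, `s/^NotShowIn=.*/\1QUBES;/`, uses the back-reference `\1` without any capture group in the pattern, which GNU sed rejects as an invalid reference, so the "disable notification icon" branch never edits print-applet.desktop; it should read `sed -i -e '/QUBES/!s/^\(NotShowIn=.*\)/\1QUBES;/' /etc/xdg/autostart/print-applet.desktop`. Earlier, the result of `mount /rw` is not checked: if the mount fails, `[ -d /rw/home ]` is evaluated against the root filesystem, and the first-boot branch creates `/rw/home` and `/rw/config` on the root volume instead of the private volume and records `first_boot_completed` — test the mount (`mount /rw || exit 1`, or skip the first-boot block when it fails). Note also that `/rw/config/rc.local` is executed as root from the VM's persistent private volume; that is presumably the intended hook, but a one-line comment (`# user hook; runs as root from the private volume`) would make the trust assumption explicit.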
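Review bot: `echo "1" > /proc/sys/net/ipv4/ip_forward` at the end of network-proxy-setup.sh enables forwarding as soon as the script runs, with no check that the NetVM's iptables rules are already loaded; the unit that runs this script in this series orders itself only against network.target, so whether iptables.service has run first depends on the distribution's ordering — an explicit `After=iptables.service` on that unit, or a test for the rules before forwarding is switched on, would close the window. `netmask` is read from xenstore but never used and can be dropped. `gateway` and `secondary_dns` are written to `/var/run/qubes/qubes_ns` unchecked, so an unset key yields `NS1=` and hands qubes_setup_dnat_to_ns an empty address; a `[ -n "$gateway" ]` guard would fail more clearly.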
@@ -0,0 +1,30 @@ +#!/bin/sh + +possibly_run_save_script() +{ + ENCODED_SCRIPT=$(xenstore-read qubes_save_script) + if [ -z "$ENCODED_SCRIPT" ] ; then return ; fi + echo $ENCODED_SCRIPT|perl -e 'use MIME::Base64 qw(decode_base64); local($/) = undef;print decode_base64()' >/tmp/qubes_save_script + chmod 755 /tmp/qubes_save_script + Xorg -config /etc/X11/xorg-preload-apps.conf :0 & + sleep 2 + DISPLAY=:0 su - user -c /tmp/qubes_save_script + killall Xorg +} + +if xenstore-read qubes_save_request 2>/dev/null ; then + ln -sf /home_volatile /home + possibly_run_save_script + touch /etc/this_is_dvm + dmesg -c >/dev/null + free | grep Mem: | + (read a b c d ; xenstore-write device/qubes_used_mem $c) + # we're still running in DispVM template + echo "Waiting for save/restore..." + # ... wait until qubes_restore.c (in Dom0) recreates VM-specific keys + while ! xenstore-read qubes_restore_complete 2>/dev/null ; do + usleep 10 + done + echo Back to life. +fi + diff --git a/vm-systemd/qubes-dvm.service b/vm-systemd/qubes-dvm.service new file mode 100644 index 0000000..b26834e --- /dev/null +++ b/vm-systemd/qubes-dvm.service @@ -0,0 +1,12 @@ +[Unit] +Description=Prepare Qubes DispVM Template +ConditionPathExists=/var/run/qubes-service/qubes-dvm + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/qubes/init/prepare-dvm.sh +StandardOutput=syslog + +[Install] +WantedBy=multi-user.target diff --git a/vm-systemd/qubes-firewall.service b/vm-systemd/qubes-firewall.service new file mode 100644 index 0000000..df765dc --- /dev/null +++ b/vm-systemd/qubes-firewall.service @@ -0,0 +1,10 @@ +[Unit] +Description=Qubes firewall updater +ConditionPathExists=/var/run/qubes-service/qubes-firewall + +[Service] +ExecStart=/usr/sbin/qubes_firewall +StandardOutput=syslog + +[Install] +WantedBy=multi-user.target diff --git a/vm-systemd/qubes-meminfo-writer.service b/vm-systemd/qubes-meminfo-writer.service new file mode 100644 index 0000000..fdb504d --- /dev/null 
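Review bot: `possibly_run_save_script` writes the decoded script to the fixed, predictable path `/tmp/qubes_save_script` with a plain `>` redirection as root and then executes it as `user`; because `/tmp` is world-writable, a pre-existing file or symlink of that name (left over from an earlier session, or planted by the unprivileged user) is followed and overwritten, and whatever ends up there is what gets run. Writing to a root-owned directory under a fresh name, e.g. `SCRIPT=$(mktemp /var/run/qubes/save_script.XXXXXX)`, then `chmod 755 "$SCRIPT"` and `su - user -c "$SCRIPT"`, removes the race; if the sudoers file this package installs gives `user` root anyway this is mostly a robustness fix, but it is a one-line change. The wait loop at the bottom polls xenstore with `usleep 10`, i.e. ten microseconds between reads, which busy-spins the CPU for the whole save/restore; `usleep 100000` (0.1 s) is plenty.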
+++ b/vm-systemd/qubes-meminfo-writer.service @@ -0,0 +1,12 @@ +[Unit] +Description=Qubes memory information reporter +ConditionPathExists=/var/run/qubes-service/meminfo-writer + +[Service] +Type=forking +ExecStart=/usr/lib/qubes/meminfo-writer 30000 100000 /var/run/meminfo-writer.pid +PIDFile=/var/run/meminfo-writer.pid +StandardOutput=syslog + +[Install] +WantedBy=multi-user.target diff --git a/vm-systemd/qubes-misc-post.service b/vm-systemd/qubes-misc-post.service new file mode 100644 index 0000000..2dc9051 --- /dev/null +++ b/vm-systemd/qubes-misc-post.service @@ -0,0 +1,11 @@ +[Unit] +Description=Qubes misc post-boot actions +After=qubes-dvm.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/qubes/init/misc-post.sh + +[Install] +WantedBy=multi-user.target diff --git a/vm-systemd/qubes-netwatcher.service b/vm-systemd/qubes-netwatcher.service new file mode 100644 index 0000000..d784ba7 --- /dev/null +++ b/vm-systemd/qubes-netwatcher.service @@ -0,0 +1,11 @@ +[Unit] +Description=Qubes network monitor +ConditionPathExists=/var/run/qubes-service/qubes-netwatcher +After=qubes-firewall.service + +[Service] +ExecStart=/usr/sbin/qubes_netwatcher +StandardOutput=syslog + +[Install] +WantedBy=multi-user.target diff --git a/vm-systemd/qubes-network.service b/vm-systemd/qubes-network.service new file mode 100644 index 0000000..28373db --- /dev/null +++ b/vm-systemd/qubes-network.service @@ -0,0 +1,14 @@ +[Unit] +Names=qubes_firewall.service +Description=Qubes network forwarding setup +ConditionPathExists=/var/run/qubes-service/qubes-network + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStartPre=/sbin/ethtool -K eth0 sg off +ExecStart=/usr/lib/qubes/init/network-proxy-setup.sh +StandardOutput=syslog + +[Install] +WantedBy=network.target diff --git a/vm-systemd/qubes-qrexec-agent.service b/vm-systemd/qubes-qrexec-agent.service new file mode 100644 index 0000000..759e4b4 --- /dev/null +++ b/vm-systemd/qubes-qrexec-agent.service 
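Review bot: `Names=qubes_firewall.service` in the [Unit] section of qubes-network.service gives the network-forwarding unit an alias naming the firewall, while the actual firewall unit in this series is `qubes-firewall.service`; this looks like a copy-paste leftover (and, as far as I recall the systemd documentation of the time, `Names=` is a legacy directive superseded by `Alias=` in [Install]), so it should be removed or corrected. The unit's `ExecStart` script enables IPv4 forwarding, yet the unit declares no ordering against `iptables.service`, so on a system where iptables starts later there is a window in which the NetVM forwards traffic with no firewall rules loaded; add `After=iptables.service` (and `Wants=iptables.service` if the rules are mandatory). `ExecStartPre=/sbin/ethtool -K eth0 sg off` hard-codes `eth0` and fails the whole unit if ethtool is absent; `ExecStartPre=-/sbin/ethtool -K eth0 sg off` keeps it best-effort.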
@@ -0,0 +1,10 @@ +[Unit] +Description=Qubes remote exec agent +After=qubes-dvm.service + +[Service] +ExecStart=/usr/lib/qubes/qrexec_agent +StandardOutput=syslog + +[Install] +WantedBy=multi-user.target diff --git a/vm-systemd/qubes-sysinit.service b/vm-systemd/qubes-sysinit.service new file mode 100644 index 0000000..ea3b84e --- /dev/null +++ b/vm-systemd/qubes-sysinit.service @@ -0,0 +1,11 @@ +[Unit] +Description=Init Qubes Services settings + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/qubes/init/qubes-sysinit.sh +StandardOutput=syslog + +[Install] +WantedBy=sysinit.target diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh new file mode 100755 index 0000000..57cc2a3 --- /dev/null +++ b/vm-systemd/qubes-sysinit.sh 
@@ -0,0 +1,50 @@ +#!/bin/sh + +# List of services enabled by default (in case of absence of xenstore entry) +DEFAULT_ENABLED_NETVM="network-manager qubes-network" +DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher" +DEFAULT_ENABLED_APPVM="meminfo-writer" +DEFAULT_ENABLED="meminfo-writer" + +XS_READ=/usr/bin/xenstore-read +XS_LS=/usr/bin/xenstore-ls + +read_service() { + $XS_READ qubes-service/$1 2> /dev/null +} + +mkdir -p /var/run/qubes +mkdir -p /var/run/qubes-service +mkdir -p /var/run/xen-hotplug + +# Set permissions to /proc/xen/xenbus, so normal user can use xenstore-read +chmod 666 /proc/xen/xenbus + +# Set default services depending on VM type +TYPE=`$XS_READ qubes_vm_type 2> /dev/null` +[ "$TYPE" == "AppVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_APPVM +[ "$TYPE" == "NetVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_NETVM +[ "$TYPE" == "ProxyVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_PROXYVM + +# Enable default services +for srv in $DEFAULT_ENABLED; do + touch /var/run/qubes-service/$srv +done + +# Enable services +for srv in `$XS_LS qubes-service 2>/dev/null |grep ' = "1"'|cut -f 1 -d ' '`; do + touch /var/run/qubes-service/$srv +done + +# Disable services +for srv in `$XS_LS qubes-service 2>/dev/null |grep ' = "0"'|cut -f 1 -d ' '`; do + rm -f /var/run/qubes-service/$srv +done + +# Set the hostname +name=`$XS_READ name` +if [ -n "$name" ]; then + hostname $name + (grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name") > /etc/hosts +fi + From 068e1694363881c5e3b0003eeb58ba660de8384c Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 11 Jan 2012 19:08:15 +0100 Subject: [PATCH 05/14] vm/file-editor: mask some charracters in filename (#406) mimeopen passes wrong filename to the editor/viewer when filename contains '#'. So mask this (replace _) and some other non-alpha-numeric characters. --- qubes_rpc/vm-file-editor.c | 6 ++++++ 1 file changed, 6 insertions(+) 
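Review bot: The hostname block at the end of qubes-sysinit.sh, `(grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name") > /etc/hosts`, truncates `/etc/hosts` when the shell sets up the redirection, before the subshell's `grep` reads it, so every boot rewrites `/etc/hosts` to the single line `127.0.0.1 $name` and drops the localhost entries. Write to a temporary file in the same directory and rename it over the original instead. Two smaller things: the script has a `#!/bin/sh` shebang but uses the bash-only `==` in the three `[ "$TYPE" == … ]` tests (use `=`), and `hostname $name` is unquoted — the value is dom0-written via xenstore, but quoting costs nothing.
```shell
# Set the hostname
name=`$XS_READ name`
if [ -n "$name" ]; then
    hostname "$name"
    # grep must finish reading /etc/hosts before it is replaced: build the
    # new file first, then rename it over the original
    tmp=$(mktemp /etc/hosts.XXXXXX)
    { grep -v "\<$name\>" /etc/hosts; echo "127.0.0.1 $name"; } > "$tmp"
    chmod 644 "$tmp"
    mv "$tmp" /etc/hosts
fi
```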
diff --git a/qubes_rpc/vm-file-editor.c b/qubes_rpc/vm-file-editor.c index 533c363..297d1ce 100644 --- a/qubes_rpc/vm-file-editor.c +++ b/qubes_rpc/vm-file-editor.c @@ -12,12 +12,18 @@ char *get_filename() { char buf[DVM_FILENAME_SIZE]; static char retname[sizeof(buf) + sizeof("/tmp/")]; + int i; if (!read_all(0, buf, sizeof(buf))) exit(1); if (index(buf, '/')) { fprintf(stderr, "filename contains /"); exit(1); } + for (i=0; i < DVM_FILENAME_SIZE && buf[i]!=0; i++) { + // replace some characters with _ (eg mimeopen have problems with some of them) + if ((buf[i] > 0x20 && buf[i] < 0x30) || index(";:<=>?`~", buf[i])) + buf[i]='_'; + } snprintf(retname, sizeof(retname), "/tmp/%s", buf); return retname; } From 1b349b782d7536647c3df9ab405fc65a3d01201d Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 11 Jan 2012 19:10:23 +0100 Subject: [PATCH 06/14] vm/systemd: improve qubes-sysinit dependencies --- vm-systemd/qubes-sysinit.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vm-systemd/qubes-sysinit.service b/vm-systemd/qubes-sysinit.service index ea3b84e..29bb1e4 100644 --- a/vm-systemd/qubes-sysinit.service +++ b/vm-systemd/qubes-sysinit.service @@ -1,5 +1,8 @@ [Unit] Description=Init Qubes Services settings +DefaultDependencies=no +Before=sysinit.target +After=local-fs.target [Service] Type=oneshot From b5fff2564f44478b82acfbecb1479bb18deca564 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 13 Jan 2012 20:42:31 +0100 Subject: [PATCH 07/14] vm/iptables: do not MASQUERADE packets on lo (#416) Masquerading packets on lo actually drops them when there is no default route. This causes problems with commutication between ntpd processes (ntp main daemon and resolver). And perhaps many more... --- network/iptables | 1 + 1 file changed, 1 insertion(+) diff --git a/network/iptables b/network/iptables index b80c19a..6e6e6d8 100644 --- a/network/iptables +++ b/network/iptables 
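Review bot: The new masking loop is bounded by `DVM_FILENAME_SIZE`, but nothing guarantees `buf` contains a NUL: `read_all(0, buf, sizeof(buf))` on the context line above fills the whole buffer from the peer, and both the existing `index(buf, '/')` check and the `snprintf(..., "/tmp/%s", buf)` that follows read past `buf` when the sender supplies `DVM_FILENAME_SIZE` bytes without a terminator. Since a name that long cannot be valid anyway, add `buf[sizeof(buf) - 1] = 0;` right after the read (or reject the request when `strnlen(buf, sizeof(buf)) == sizeof(buf)`) before any string function runs. This appears to be a qubes_rpc service fed by another VM, so the one-line terminator is worth it; get_filename is shown in full within the hunk.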
@@ -6,6 +6,7 @@ :PR-QBS - [0:0] -A PREROUTING -j PR-QBS -A POSTROUTING -o vif+ -j ACCEPT +-A POSTROUTING -o lo -j ACCEPT -A POSTROUTING -j MASQUERADE COMMIT # Completed on Mon Sep 6 08:57:46 2010 From 86d7ba1120e284fc8d34e7987ea49b3f4fcf6bc7 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 14 Jan 2012 01:33:18 +0100 Subject: [PATCH 08/14] vm/file-editor: update masked characters (#406) Do not blacklist eg dot. --- qubes_rpc/vm-file-editor.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qubes_rpc/vm-file-editor.c b/qubes_rpc/vm-file-editor.c index 297d1ce..6cea77c 100644 --- a/qubes_rpc/vm-file-editor.c +++ b/qubes_rpc/vm-file-editor.c @@ -21,7 +21,7 @@ char *get_filename() } for (i=0; i < DVM_FILENAME_SIZE && buf[i]!=0; i++) { // replace some characters with _ (eg mimeopen have problems with some of them) - if ((buf[i] > 0x20 && buf[i] < 0x30) || index(";:<=>?`~", buf[i])) + if (index(" !?\"#$%^&*()[]<>;`~", buf[i])) buf[i]='_'; } snprintf(retname, sizeof(retname), "/tmp/%s", buf); From 240d253d75a4027ae549277db405410049c11947 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 14 Jan 2012 01:35:58 +0100 Subject: [PATCH 09/14] vm/systemd: fix qubes-network dependencies network.target isn't enabled by default... --- vm-systemd/qubes-network.service | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vm-systemd/qubes-network.service b/vm-systemd/qubes-network.service index 28373db..86c02fe 100644 --- a/vm-systemd/qubes-network.service +++ b/vm-systemd/qubes-network.service @@ -2,6 +2,7 @@ Names=qubes_firewall.service Description=Qubes network forwarding setup ConditionPathExists=/var/run/qubes-service/qubes-network +Before=network.target [Service] Type=oneshot @@ -11,4 +12,4 @@ ExecStart=/usr/lib/qubes/init/network-proxy-setup.sh StandardOutput=syslog [Install] -WantedBy=network.target +WantedBy=multi-user.target From e4eeaf2e1149501ec9ec52eed4efb88d3aa797e6 Mon Sep 17 00:00:00 2001 
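Review bot: The replacement character list passed to `index` in get_filename (patch 08) still lets through bytes below 0x20 — newline, tab, ESC — as well as `'`, `|`, `\` and braces, so a filename carrying a control character or a single quote reaches mimeopen unchanged. Since the goal is a name that is safe to hand to other tools, masking everything that is not printable ASCII is more robust than enumerating problem characters: extend the condition with `(unsigned char)buf[i] < 0x20 || buf[i] == 0x7f` and add the missing punctuation to the list. The cast matters because with a signed `char` every UTF-8 byte would otherwise compare below 0x20 and be masked too. The enclosing get_filename starts above this hunk.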
From: Marek Marczykowski Date: Sat, 14 Jan 2012 01:36:22 +0100 Subject: [PATCH 10/14] vm/systemd: ensure that qubes-sysinit is started with /proc/xen mounted --- vm-systemd/qubes-sysinit.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vm-systemd/qubes-sysinit.service b/vm-systemd/qubes-sysinit.service index 29bb1e4..c6ca7a0 100644 --- a/vm-systemd/qubes-sysinit.service +++ b/vm-systemd/qubes-sysinit.service @@ -2,7 +2,7 @@ Description=Init Qubes Services settings DefaultDependencies=no Before=sysinit.target -After=local-fs.target +After=local-fs.target proc-xen.mount [Service] Type=oneshot From d3e1bf36bf6b3f8b3c6c0d2f6b7664ccf6ad4e4a Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 14 Jan 2012 01:37:22 +0100 Subject: [PATCH 11/14] vm: disable silent automatic update *installation* in FC15 (#415) Do not silently download and install updates, especially in NonUpdateableVM. --- ...e.settings-daemon.plugins.updates.gschema.override | 2 ++ rpm_spec/core-vm.spec | 11 +++++++++++ 2 files changed, 13 insertions(+) create mode 100644 misc/org.gnome.settings-daemon.plugins.updates.gschema.override diff --git a/misc/org.gnome.settings-daemon.plugins.updates.gschema.override b/misc/org.gnome.settings-daemon.plugins.updates.gschema.override new file mode 100644 index 0000000..da283e1 --- /dev/null +++ b/misc/org.gnome.settings-daemon.plugins.updates.gschema.override @@ -0,0 +1,2 @@ +[org.gnome.settings-daemon.plugins.updates] +auto-update-type='none' diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 15926cb..dd16ca0 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
@@ -95,6 +95,8 @@ install -D -m 0440 misc/qubes.sudoers $RPM_BUILD_ROOT/etc/sudoers.d/qubes install -D misc/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d/qubes.repo install -D misc/serial.conf $RPM_BUILD_ROOT/usr/lib/qubes/serial.conf install -D misc/qubes_serial_login $RPM_BUILD_ROOT/sbin/qubes_serial_login +install -d $RPM_BUILD_ROOT/usr/share/glib-2.0/schemas/ +install misc/org.gnome.settings-daemon.plugins.updates.gschema.override $RPM_BUILD_ROOT/usr/share/glib-2.0/schemas/ install -d $RPM_BUILD_ROOT/var/lib/qubes @@ -291,6 +293,14 @@ if [ "$1" = 0 ] ; then mv /var/lib/qubes/serial.orig /etc/init/serial.conf fi +%postun +if [ $1 -eq 0 ] ; then + /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : +fi + +%posttrans + /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : + %clean rm -rf $RPM_BUILD_ROOT @@ -352,6 +362,7 @@ rm -rf $RPM_BUILD_ROOT /usr/lib/qubes/wrap_in_html_if_url.sh /usr/sbin/qubes_firewall /usr/sbin/qubes_netwatcher +/usr/share/glib-2.0/schemas/org.gnome.settings-daemon.plugins.updates.gschema.override %dir /home_volatile %attr(700,user,user) /home_volatile/user %dir /mnt/removable From 9129f74603188cec11eb5b8407f77295df2d2d6b Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 14 Jan 2012 01:39:43 +0100 Subject: [PATCH 12/14] vm: disable some autostart applications --- rpm_spec/core-vm.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index dd16ca0..04ef7d5 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
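Review bot: `install misc/org.gnome.settings-daemon.plugins.updates.gschema.override …` is run without `-m`, so the override is installed with install's default mode 0755 and the package ships an executable data file under `/usr/share/glib-2.0/schemas/`; use `install -m 0644 …` (or `-p -m 0644`) as the other explicit-mode installs in this section do. The override only sets `auto-update-type='none'`, which stops gnome-settings-daemon from installing updates on its own; a comment on the install line pointing at the ticket (`# #415: never auto-install updates inside a VM`) would spare the next reader a trip to the changelog.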
@@ -185,7 +185,7 @@ remove_ShowIn () { } # don't want it at all -for F in abrt-applet deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto ; do +for F in abrt-applet deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do if [ -e /etc/xdg/autostart/$F.desktop ]; then remove_ShowIn $F echo 'NotShowIn=QUBES' >> /etc/xdg/autostart/$F.desktop From 4a73aa5da667b5dc075dc8f14db4c069635a9364 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 14 Jan 2012 01:40:10 +0100 Subject: [PATCH 13/14] vm/systemd: add some package requirements according to Fedora documentation --- rpm_spec/core-vm.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 04ef7d5..90f199a 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -462,6 +462,9 @@ Summary: Qubes unit files for SystemD init style License: GPL v2 only Group: Qubes Requires: systemd +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units Requires: qubes-core-vm Provides: qubes-core-vm-init-scripts Conflicts: qubes-core-vm-sysvinit From 33f50950ec996fa66cdd10a93d56e9ad0a6ab554 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sat, 14 Jan 2012 01:40:54 +0100 Subject: [PATCH 14/14] vm/systemd: enable ntpd and NetworkManager services --- rpm_spec/core-vm.spec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 90f199a..c51567b 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
@@ -545,6 +545,12 @@ rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service # Enable some services /bin/systemctl enable iptables.service /bin/systemctl enable rsyslog.service +/bin/systemctl enable ntpd.service +/bin/systemctl enable NetworkManager.service +# Enable cups only when it is real SystemD service +[ -e /lib/systemd/system/cups.service ] && /bin/systemctl enable cups.service + +exit 0 %postun systemd