diff --git a/Makefile b/Makefile index 007eec4..bc862c6 100644 --- a/Makefile +++ b/Makefile @@ -88,21 +88,27 @@ install-rh: install-systemd install-sysvinit install -d $(DESTDIR)/etc/yum.conf.d touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf -install-common: - install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes + install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/ + install -d $(DESTDIR)/var/lib/qubes/dom0-updates + install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action + install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login + install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables + install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables + +install-common: + install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes + install -d $(DESTDIR)/var/lib/qubes install -D misc/xenstore-watch $(DESTDIR)/usr/bin/xenstore-watch-qubes install -d $(DESTDIR)/etc/udev/rules.d install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules install -d $(DESTDIR)/usr/lib/qubes/ - install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/ install misc/vusb-ctl.py $(DESTDIR)/usr/lib/qubes/ install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)/usr/lib/qubes/ - install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action install -D misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla install -D misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs 
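Review bot: The moved line `install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/` now runs in `install-rh`, but the `install -d $(DESTDIR)/usr/lib/qubes/` that creates its target directory stays in `install-common`, which `install-vm` lists after `install-rh`. Unless one of the `install-systemd`/`install-sysvinit` prerequisites (not visible in this hunk) already creates that directory, the copy fails on a clean `DESTDIR`. Using `install -D -m 0755 misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/qubes-download-dom0-updates.sh` would make the recipe independent of target order and pin the mode. The `install-common` recipe continues past the end of the hunk.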
@@ -129,8 +135,6 @@ install-common: install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/ install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/ install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes - install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables - install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf install -m 0644 -D network/filter-updates $(DESTDIR)/etc/tinyproxy/filter-updates install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)/usr/lib/qubes/iptables-updates-proxy @@ -176,7 +180,6 @@ install-common: install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf install -d $(DESTDIR)/mnt/removable - install -d $(DESTDIR)/var/lib/qubes/dom0-updates install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf @@ -188,5 +191,9 @@ install-deb: mkdir -p $(DESTDIR)/etc/apt/sources.list.d sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg + install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4 + install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6 + install -d $(DESTDIR)/etc/sysctl.d + install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/ install-vm: install-rh install-common diff --git a/debian/control b/debian/control index 2523068..62c9a95 100644 --- a/debian/control +++ b/debian/control 
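Review bot: In the `install-deb` hunk the firewall rule files are installed with `-m 644`, while the Red Hat recipe in this same commit installs the same `network/iptables` and `network/ip6tables` sources with `-m 0400`, so the rule set is readable by every local user on Debian only. If the stricter mode is intended, use `install -D -m 0400 network/iptables $(DESTDIR)/etc/iptables/rules.v4` and the same for `rules.v6`. `/etc/iptables/rules.v4` is also the path used by iptables-persistent, which this commit adds to `Depends`, so it is worth confirming that its own configuration step cannot replace the packaged file. A one-line comment in `install-deb` saying which package owns these two files would help.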
@@ -9,8 +9,11 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, ${shlibs:Depends}, ${misc:Depends} -Conflicts: qubes-core-agent-linux +Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), network-manager-gnome, haveged, iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, libnotify-bin, notify-osd, systemd, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends} +Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit Description: Qubes core agent This package includes various daemons necessary for qubes domU support, such as qrexec. + +# Unresolved depends that exist in rpm_spec +#qubes-core-vm-kernel-placeholder, qubes-core-vm, diff --git a/debian/files b/debian/files deleted file mode 100644 index 67ae435..0000000 --- a/debian/files +++ /dev/null @@ -1 +0,0 @@ -qubes-core-agent_2.1.33_amd64.deb admin extra diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst new file mode 100755 index 0000000..db16268 --- /dev/null +++ b/debian/qubes-core-agent.postinst 
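Review bot: The new `Depends:` line makes a display stack, desktop tools and several daemons (`tinyproxy`, `network-manager`, `chrony`, `haveged`, `acpid`, `gnome-packagekit`) hard requirements of the agent, so every VM that installs `qubes-core-agent` carries them and cannot remove them. Debian packages normally start their services on installation, and the postinst in this commit does not list `tinyproxy` or `chrony` among the units it disables, so it is worth checking which of these end up running by default. Packages the agent does not need in order to start could move to `Recommends:`. The trailing comment about unresolved rpm dependencies would be easier to act on as a tracked issue than as a note inside `debian/control`.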
@@ -0,0 +1,504 @@ +#!/bin/bash +# postinst script for core-agent-linux +# +# see: dh_installdeb(1) + +set -e + +# The postint script may be called in the following ways: +# * 'configure' +# * 'abort-upgrade' +# * 'abort-remove' 'in-favour' +# +# * 'abort-remove' +# * 'abort-deconfigure' 'in-favour' +# 'removing' +# +# +# For details, see http://www.debian.org/doc/debian-policy/ or +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or +# the debian-policy package + +# Directory that modified desktop entry config files are stored in +XDG_CONFIG_QUBES="/usr/share/qubes/xdg" + +# Install overriden services only when original exists +installOverridenServices() { + override_dir="${1}" + service="${2}" + retval=1 + + for unit in ${service}; do + unit="${unit%%.*}" + unit_name="$(basename ${unit})" + if [ -f ${unit}.service ]; then + echo "Installing override for ${unit}.service..." + cp ${override_dir}/${unit_name}.service /etc/systemd/system/ + retval=0 + fi + if [ -f ${unit}.socket -a -f ${override_dir}/${unit}.socket ]; then + echo "Installing override for ${unit}.socket..." + cp ${override_dir}/${unit_name}.socket /etc/systemd/system/ + retval=0 + fi + if [ -f ${unit}.path -a -f ${override_dir}/${unit}.path ]; then + echo "Installing override for ${unit}.path..." + cp ${override_dir}/${unit_name}.path /etc/systemd/system/ + retval=0 + fi + done + + return ${retval} +} + +reenableNetworkManager() { + # Disable original service to enable overriden one + echo "Disabling original service to enable overriden one..." 
+ disableSystemdUnits ModemManager.service + disableSystemdUnits NetworkManager.service + + # Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts) + echo "Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)" + systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null || echo "Could not disable D-BUS activation of NetworkManager" + + echo "Re-enabling original service to enable overriden one..." + enableSystemdUnits ModemManager.service + enableSystemdUnits NetworkManager.service + + # Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811 + echo "Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811" + enableSystemdUnits NetworkManager-dispatcher.service +} + +remove_ShowIn() { + if [ -e "${1}" ]; then + sed -i '/^\(Not\|Only\)ShowIn/d' "${1}" + fi +} + +showIn() { + desktop_entry="${1}" + shown_in="${2}" + message="${shown_in:-"Shown in All;"}" + desktop_entry_qubes="${XDG_CONFIG_QUBES}/autostart/${desktop_entry##*/}" + + # Make sure Qubes autostart directory exists + mkdir -p "${XDG_CONFIG_QUBES}/autostart" + + # Desktop entry exists, so move to Qubes directory and modify it + if [ -e "${desktop_entry}" ]; then + echo "Desktop Entry Modification - ${message} ${desktop_entry##*/}..." + cp -pf "${desktop_entry}" "${desktop_entry_qubes}" + + remove_ShowIn "${desktop_entry_qubes}" + sed -i '/^X-GNOME-Autostart-enabled.*[fF0]/d' "${desktop_entry_qubes}" + + # Will only be '' if shown in all + if [ ! "${shown_in}x" == "x" ]; then + echo "${shown_in}" >> "${desktop_entry_qubes}" || true + fi + + # Desktop entry must have been removed, so also remove from Qubes directory + else + echo "Desktop Entry Modification - Remove: ${desktop_entry##*/}..." 
+ rm -f "${desktop_entry_qubes}" + fi +} + +setArrayAsGlobal() { + local array="$1" + local export_as="$2" + local code=$(declare -p "$array") + local replaced="${code/$array/$export_as}" + eval ${replaced/declare -/declare -g} +} + +systemdInfo() { + unit=${1} + return_global_var=${2} + + declare -A INFO=() + while read line; do + INFO[${line%%=*}]="${line##*=}" + done < <(systemctl show ${unit} 2> /dev/null) + + setArrayAsGlobal INFO $return_global_var + return ${#INFO[@]} +} + +displayFailedStatus() { + action=${1} + unit=${2} + + # Only display if there are results. In chroot environmnet there will be + # no results to 'systemctl show' command + systemdInfo ${unit} info || { + echo + echo "===================================================" + echo "FAILED: systemd ${action} ${unit}" + echo "===================================================" + echo " LoadState = ${info[LoadState]}" + echo " LoadError = ${info[LoadError]}" + echo " ActiveState = ${info[ActiveState]}" + echo " SubState = ${info[SubState]}" + echo "UnitFileState = ${info[UnitFileState]}" + echo + } +} + +# Disable systemd units +disableSystemdUnits() { + for unit in $*; do + systemctl is-enabled ${unit} > /dev/null 2>&1 && { + echo "Disabling ${unit}..." + systemctl is-active ${unit} > /dev/null 2>&1 && { + systemctl stop ${unit} > /dev/null 2>&1 || displayFailedStatus stop ${unit} + } + if [ -f /lib/systemd/system/${unit} ]; then + if fgrep -q '[Install]' /lib/systemd/system/${unit}; then + systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit} + else + # Forcibly disable + echo "Forcibly disabling: ${unit}" + ln -sf /dev/null /etc/systemd/system/${unit} + fi + else + systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit} + fi + } || { + echo "It appears ${unit} is already disabled!" 
+ #displayFailedStatus is-disabled ${unit} + } + done +} + +# Enable systemd units +enableSystemdUnits() { + for unit in $*; do + systemctl is-enabled ${unit} > /dev/null 2>&1 && { + echo "It appears ${unit} is already enabled!" + #displayFailedStatus is-enabled ${unit} + } || { + echo "Enabling: ${unit}..." + systemctl enable ${unit} > /dev/null 2>&1 && { + systemctl start ${unit} > /dev/null 2>&1 || displayFailedStatus start ${unit} + } || { + echo "Could not enable: ${unit}" + displayFailedStatus enable ${unit} + } + } + done +} + +# Manually trigger all triggers to automaticatly configure +triggerTriggers() { + path="$(readlink -m ${0})" + triggers="${path/postinst/triggers}" + + awk '{sub(/[ \t]*#.*/,"")} NF' ${triggers} | while read line + do + /bin/bash -c "${0} triggered ${line##* }" || true + done +} + +case "${1}" in + configure) + # disable some Upstart services + for init in plymouth-shutdown \ + prefdm \ + splash-manager \ + start-ttys \ + tty ; do + if [ -e /etc/init/${init}.conf ]; then + mv -f /etc/init/${init}.conf /etc/init/${init}.conf.disabled + fi + done + + # Stops Qt form using the MIT-SHM X11 Shared Memory Extension + echo 'export QT_X11_NO_MITSHM=1' > /etc/profile.d/qt_x11_no_mitshm.sh + chmod 0755 /etc/profile.d/qt_x11_no_mitshm.sh + + # Sudo's defualt umask is 077 so set sane default of 022 + # Also don't allow QT to used shared memory to prevent errors + echo 'Defaults umask = 0002' > /etc/sudoers.d/umask + echo 'Defaults umask_override' >> /etc/sudoers.d/umask + chmod 0440 /etc/sudoers.d/umask + echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm + chmod 0440 /etc/sudoers.d/qt_x11_no_mitshm + + # Create NetworkManager configuration if we do not have it + if ! 
[ -e /etc/NetworkManager/NetworkManager.conf ]; then + echo '[main]' > /etc/NetworkManager/NetworkManager.conf + echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf + echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf + fi + + # XXX: Test to see if this will satisify dispatcher dependancy + if [ ! -e "/lib/systemd/system/org.freedesktop.nm_dispatcher.service" ]; then + ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service + fi + + # Remove old firmware updates link + if [ -L /lib/firmware/updates ]; then + rm -f /lib/firmware/updates + fi + + #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then + # echo >> /etc/yum.conf + # echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf + # echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf + #fi + + # Revert 'Prevent unnecessary updates in VMs': + #sed -i -e '/^exclude = kernel/d' /etc/yum.conf + + # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is + # in the form expected by qubes-sysinit.sh + for ip in '127\.0\.1\.1' '::1'; do + if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then + sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts + sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts + else + echo "${ip//\\/} `hostname`" >> /etc/hosts + fi + done + # remove hostname from 127.0.0.1 line (in debian the hostname is by default + # resolved to 127.0.1.1) + sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts + + chown user:user /home_volatile/user + + #if [ "${1}" != 1 ] ; then + # # do the rest of %post thing only when updating for the first time... + # exit 0 + #fi + + if [ -e /etc/init/serial.conf ] && ! 
[ -f /var/lib/qubes/serial.orig ] ; then + cp /etc/init/serial.conf /var/lib/qubes/serial.orig + fi + + # Remove most of the udev scripts to speed up the VM boot time + # Just leave the xen* scripts, that are needed if this VM was + # ever used as a net backend (e.g. as a VPN domain in the future) + #echo "--> Removing unnecessary udev scripts..." + mkdir -p /var/lib/qubes/removed-udev-scripts + for f in /etc/udev/rules.d/* + do + if [ $(basename ${f}) == "xen-backend.rules" ] ; then + continue + fi + + if [ $(basename ${f}) == "50-qubes-misc.rules" ] ; then + continue + fi + + if echo ${f} | grep -q qubes; then + continue + fi + + mv ${f} /var/lib/qubes/removed-udev-scripts/ + done + + # Create /rw directory + mkdir -p /rw + + # XXX: TODO: Needs to be implemented still + #rm -f /etc/mtab + #echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" + #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig + #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 + + # Enable Qubes systemd units + enableSystemdUnits \ + qubes-sysinit.service \ + qubes-misc-post.service \ + qubes-netwatcher.service \ + qubes-network.service \ + qubes-firewall.service \ + qubes-updates-proxy.service \ + qubes-updates-proxy.timer \ + qubes-qrexec-agent.service + + # Set default "runlevel" + rm -f /etc/systemd/system/default.target + ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target + + # Process all triggers which will set defaults to wanted values + triggerTriggers + + disableSystemdUnits \ + alsa-store.service \ + alsa-restore.service \ + auditd.service \ + avahi.service \ + avahi-daemon.service \ + backuppc.service \ + cpuspeed.service \ + crond.service \ + fedora-autorelabel.service \ + fedora-autorelabel-mark.service \ + ipmi.service \ + hwclock-load.service \ + hwclock-save.service \ + mdmonitor.service \ + multipathd.service \ + 
openct.service \ + rpcbind.service \ + mcelog.service \ + fedora-storage-init.service \ + fedora-storage-init-late.service \ + plymouth-start.service \ + plymouth-read-write.service \ + plymouth-quit.service \ + plymouth-quit-wait.service \ + sshd.service \ + tcsd.service \ + sm-client.service \ + sendmail.service \ + mdmonitor-takeover.service \ + rngd smartd.service \ + upower.service \ + irqbalance.service \ + colord.service + + rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service + + # Enable other systemd units + enableSystemdUnits \ + rsyslog.service + + # XXX: TODO: Needs to be implemented still + # These do not exist on debian; maybe a different package name + # iptables.service \ + # ntpd.service \ + # ip6tables.service \ + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + exit 0 + ;; + + triggered) + for trigger in ${2}; do + case "${trigger}" in + + # Update Qubes App Menus + /usr/share/applications) + echo "Updating Qubes App Menus..." + /usr/lib/qubes/qubes-trigger-sync-appmenus.sh || true + ;; + + # Install overriden services only when original exists + /lib/systemd/system/NetworkManager.service | \ + /lib/systemd/system/NetworkManager-wait-online.service | \ + /lib/systemd/system/ModemManager.service) + UNITDIR=/lib/systemd/system + OVERRIDEDIR=/usr/lib/qubes/init + installOverridenServices "${OVERRIDEDIR}" "${trigger}" + if [ $? -eq 0 ]; then + reenableNetworkManager + fi + ;; + + # Enable cups only when it is real Systemd service + /lib/systemd/system/cups.service) + echo "Enabling cups" + [ -e /lib/systemd/system/cups.service ] && enableSystemdUnits cups.service + ;; + + # "Enable haveged service" + /lib/systemd/system/haveged.service) + echo "Enabling haveged service" + enableSystemdUnits haveged.service + ;; + + # Install overridden serial.conf init script + /etc/init/serial.conf) + echo "Installing over-ridden serial.conf init script..." 
+ if [ -e /etc/init/serial.conf ]; then + cp /usr/share/qubes/serial.conf /etc/init/serial.conf + fi + ;; + + # Disable SELinux" + /etc/selinux/config) + echo "Disabling SELinux..." + if [ -e /etc/selinux/config ]; then + sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed + mv /etc/selinux/config.processed /etc/selinux/config + setenforce 0 2>/dev/null + fi + ;; + + # Desktop Entry Modification - Remove existing rules + /etc/xdg/autostart/gpk-update-icon.desktop | \ + /etc/xdg/autostart/nm-applet.desktop | \ + /etc/xdg/autostart/abrt-applet.desktop | \ + /etc/xdg/autostart/notify-osd.desktop) + showIn "${trigger}" + ;; + + # Desktop Entry Modification - Not shown in Qubes + /etc/xdg/autostart/pulseaudio.desktop | \ + /etc/xdg/autostart/deja-dup-monitor.desktop | \ + /etc/xdg/autostart/imsettings-start.desktop | \ + /etc/xdg/autostart/krb5-auth-dialog.desktop | \ + /etc/xdg/autostart/pulseaudio.desktop | \ + /etc/xdg/autostart/restorecond.desktop | \ + /etc/xdg/autostart/sealertauto.desktop | \ + /etc/xdg/autostart/gnome-power-manager.desktop | \ + /etc/xdg/autostart/gnome-sound-applet.desktop | \ + /etc/xdg/autostart/gnome-screensaver.desktop | \ + /etc/xdg/autostart/orca-autostart.desktop) + showIn "${trigger}" 'NotShowIn=QUBES;' + ;; + + # Desktop Entry Modification - Not shown in in DisposableVM + /etc/xdg/autostart/gcm-apply.desktop) + showIn "${trigger}" 'NotShowIn=DisposableVM;' + ;; + + # Desktop Entry Modification - Only shown in AppVM + /etc/xdg/autostart/gnome-keyring-gpg.desktop | \ + /etc/xdg/autostart/gnome-keyring-pkcs11.desktop | \ + /etc/xdg/autostart/gnome-keyring-secrets.desktop | \ + /etc/xdg/autostart/gnome-keyring-ssh.desktop | \ + /etc/xdg/autostart/gnome-settings-daemon.desktop | \ + /etc/xdg/autostart/user-dirs-update-gtk.desktop | \ + /etc/xdg/autostart/gsettings-data-convert.desktop) + showIn "${trigger}" 'OnlyShowIn=GNOME;AppVM;' + ;; + + # Desktop Entry Modification - Only shown in Gnome & UpdateableVM + 
/etc/xdg/autostart/gpk-update-icon.desktop) + showIn "${trigger}" 'OnlyShowIn=GNOME;UpdateableVM;' + ;; + + # Desktop Entry Modification - Only shown in Gnome & Qubes + /etc/xdg/autostart/nm-applet.desktop) + showIn "${trigger}" 'OnlyShowIn=GNOME;QUBES;' + ;; + + *) + echo "postinst called with unknown trigger \`${2}'" >&2 + exit 1 + ;; + esac + done + exit 0 + ;; + + *) + echo "postinst called with unknown argument \`${1}'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + +# vim: set ts=4 sw=4 sts=4 et : diff --git a/debian/qubes-core-agent.postrm b/debian/qubes-core-agent.postrm new file mode 100755 index 0000000..537679c --- /dev/null +++ b/debian/qubes-core-agent.postrm 
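Review bot: The sudoers drop-in written in the `configure` branch sets `Defaults umask = 0002` together with `umask_override`, while the comment above it announces 022; with 0002 every file created through sudo is group-writable. If 022 is what is meant, write `echo 'Defaults umask = 0022' > /etc/sudoers.d/umask`. In the `triggered` branch, `gpk-update-icon.desktop` and `nm-applet.desktop` are already matched by the first "Remove existing rules" arm, so the later `OnlyShowIn=GNOME;UpdateableVM;` and `OnlyShowIn=GNOME;QUBES;` arms can never run. The `ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service` line uses relative names and therefore creates the link in whatever directory the script is run from; both names should be absolute paths under the systemd unit directory.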
@@ -0,0 +1,58 @@
+#!/bin/bash
+# postrm script for core-agent-linux
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The prerm script may be called in the following ways:
+# * 'remove'
+# * 'purge'
+# * 'upgrade'
+# * 'disappear'
+#
+# The postrm script is called after the package's files have been removed
+# or replaced. The package whose postrm is being called may have previously been
+# deconfigured and only be "Unpacked", at which point subsequent package changes
+# do not consider its dependencies. Therefore, all postrm actions may only rely
+# on essential packages and must gracefully skip any actions that require the
+# package's dependencies if those dependencies are unavailable.[48]
+#
+# * 'failed-upgrade'
+#
+# Called when the old postrm upgrade action fails. The new package will be
+# unpacked, but only essential packages and pre-dependencies can be relied on.
+# Pre-dependencies will either be configured or will be "Unpacked" or
+# "Half-Configured" but previously had been configured and was never removed.
+#
+# * 'abort-install'
+# * 'abort-install'
+# * 'abort-upgrade'
+#
+# Called before unpacking the new package as part of the error handling of
+# preinst failures. May assume the same state as preinst can assume.
+#
+# For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+if [ "${1}" = "remove" ] ; then
+ /usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :
+
+ if [ -L /lib/firmware/updates ]; then
+ rm /lib/firmware/updates
+ fi
+
+ for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-qrexec-agent; do
+ systemctl disable ${srv}.service
+ done
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :
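Review bot: The `systemctl disable ${srv}.service` loop runs under `set -e`, so a single unit that systemctl refuses to disable aborts the postrm and leaves the package half-removed, which is what the header comment about gracefully skipping actions warns against. Guard each call, for example `systemctl disable ${srv}.service > /dev/null 2>&1 || :`. The list also does not match what the postinst in this commit enables: it names `qubes-dvm` but omits `qubes-firewall.service`, `qubes-updates-proxy.service` and `qubes-updates-proxy.timer`, so those would stay enabled after removal.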
diff --git a/debian/qubes-core-agent.preinst b/debian/qubes-core-agent.preinst
new file mode 100755
index 0000000..7d8baf0
--- /dev/null
+++ b/debian/qubes-core-agent.preinst
@@ -0,0 +1,112 @@
+#!/bin/bash
+# preinst script for core-agent-linux
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The preinst script may be called in the following ways:
+# * 'install'
+# * 'install'
+# * 'upgrade'
+#
+# The package will not yet be unpacked, so the preinst script cannot rely
+# on any files included in its package. Only essential packages and
+# pre-dependencies (Pre-Depends) may be assumed to be available.
+# Pre-dependencies will have been configured at least once, but at the time the
+# preinst is called they may only be in an "Unpacked" or "Half-Configured" state
+# if a previous version of the pre-dependency was completely configured and has
+# not been removed since then.
+#
+#
+# * 'abort-upgrade'
+#
+# Called during error handling of an upgrade that failed after unpacking the
+# new package because the postrm upgrade action failed. The unpacked files may
+# be partly from the new version or partly missing, so the script cannot rely
+# on files included in the package. Package dependencies may not be available.
+# Pre-dependencies will be at least "Unpacked" following the same rules as
+# above, except they may be only "Half-Installed" if an upgrade of the
+# pre-dependency failed.[46]
+#
+# For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+if [ "$1" = "install" ] ; then
+ # --------------------------------------------------------------------------
+ # Create required directories
+ # --------------------------------------------------------------------------
+ mkdir -p /var/lib/qubes
+ mkdir -p /lib/modules
+ #mkdir -p -m 0700 /var/log/xen # xen-utils-common should do this
+
+ if [ -e /etc/fstab ] ; then
+ mv /etc/fstab /var/lib/qubes/fstab.orig
+ fi
+
+ # --------------------------------------------------------------------------
+ # Many Qubes scripts reference /bin/sh expecting the shell to be bash but
+ # in Debian it is dash so some scripts will fail so force an alternate for
+ # /bin/sh to be /bin/bash
+ # --------------------------------------------------------------------------
+ update-alternatives --force --install /bin/sh sh /bin/bash 999
+
+ # --------------------------------------------------------------------------
+ # Modules setup
+ # --------------------------------------------------------------------------
+ echo "xen_netfront" >> /etc/modules
+
+ # --------------------------------------------------------------------------
+ # Remove `mesg` from root/.profile?
+ # -------------------------------------------------------------------------- + sed -i -e '/^mesg n/d' /root/.profile + + # -------------------------------------------------------------------------- + # Update /etc/fstab + # -------------------------------------------------------------------------- + cat > /etc/fstab < 'remove' +# * 'upgrade' +# * 'remove' 'in-favour' +# * 'deconfigure' 'in-favour' +# [removing conflicting-package version] +# +# The package whose prerm is being called will be at least "Half-Installed". +# All package dependencies will at least be "Half-Installed" and will have +# previously been configured and not removed. If there was no error, all +# dependencies will at least be "Unpacked", but these actions may be called in +# various error states where dependencies are only "Half-Installed" due to a +# partial upgrade. +# +# * 'failed-upgrade' +# +# Called during error handling when prerm upgrade fails. The new package +# will not yet be unpacked, and all the same constraints as for preinst +# upgrade apply. +# +# For details, see http://www.debian.org/doc/debian-policy/ or +# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or +# the debian-policy package + +if [ "$1" = "remove" ] ; then + # no more packages left + if [ -e /var/lib/qubes/fstab.orig ] ; then + mv /var/lib/qubes/fstab.orig /etc/fstab + fi + + if [ -d /var/lib/qubes/removed-udev-scripts ] ; then + mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ + fi + + if [ -e /var/lib/qubes/serial.orig ] ; then + mv /var/lib/qubes/serial.orig /etc/init/serial.conf + fi +fi + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + +# vim: set ts=4 sw=4 sts=4 et : diff --git a/debian/qubes-core-agent.triggers b/debian/qubes-core-agent.triggers new file mode 100644 index 0000000..bd702ab --- /dev/null +++ b/debian/qubes-core-agent.triggers 
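Review bot: In the `remove` branch of the prerm script, `mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/` is guarded only by a directory test, so when the directory exists but is empty the glob stays unexpanded and `mv` fails. The start of this script is missing from the page, but if it runs under `set -e` like the other maintainer scripts in this commit, that failure aborts package removal. Move only what is there, for example `find /var/lib/qubes/removed-udev-scripts -mindepth 1 -maxdepth 1 -exec mv -t /etc/udev/rules.d/ {} +`. The two neighbouring restores of `fstab.orig` and `serial.orig` are each guarded with `-e` and do not have this problem.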
@@ -0,0 +1,47 @@ +interest-noawait /usr/share/applications +interest-noawait /lib/systemd/system/NetworkManager.service +interest-noawait /lib/systemd/system/NetworkManager-wait-online.service +interest-noawait /lib/systemd/system/ModemManager.service +interest-noawait /etc/init/serial.conf +interest-noawait /etc/selinux/config +interest-noawait /lib/systemd/system/cups.service +interest-noawait /lib/systemd/system/haveged.service + +# Desktop Entry Modification - Remove existing rules +interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop +interest-noawait /etc/xdg/autostart/nm-applet.desktop +interest-noawait /etc/xdg/autostart/abrt-applet.desktop + +# Desktop Entry Modification - Not shown in Qubes +interest-noawait /etc/xdg/autostart/pulseaudio.desktop +interest-noawait /etc/xdg/autostart/deja-dup-monitor.desktop +interest-noawait /etc/xdg/autostart/imsettings-start.desktop +interest-noawait /etc/xdg/autostart/krb5-auth-dialog.desktop +interest-noawait /etc/xdg/autostart/pulseaudio.desktop +interest-noawait /etc/xdg/autostart/restorecond.desktop +interest-noawait /etc/xdg/autostart/sealertauto.desktop +interest-noawait /etc/xdg/autostart/gnome-power-manager.desktop +interest-noawait /etc/xdg/autostart/gnome-sound-applet.desktop +interest-noawait /etc/xdg/autostart/gnome-screensaver.desktop +interest-noawait /etc/xdg/autostart/orca-autostart.desktop + +# Desktop Entry Modification - Not shown in in DisposableVM +interest-noawait /etc/xdg/autostart/gcm-apply.desktop + +# Desktop Entry Modification - Only shown in AppVM +interest-noawait /etc/xdg/autostart/gnome-keyring-gpg.desktop +interest-noawait /etc/xdg/autostart/gnome-keyring-pkcs11.desktop +interest-noawait /etc/xdg/autostart/gnome-keyring-secrets.desktop +interest-noawait /etc/xdg/autostart/gnome-keyring-ssh.desktop +interest-noawait /etc/xdg/autostart/gnome-settings-daemon.desktop +interest-noawait /etc/xdg/autostart/user-dirs-update-gtk.desktop +interest-noawait 
/etc/xdg/autostart/gsettings-data-convert.desktop + +# Desktop Entry Modification - Only shown in Gnome & UpdateableVM +interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop + +# Desktop Entry Modification - Only shown in Gnome & Qubes +interest-noawait /etc/xdg/autostart/nm-applet.desktop + +# Desktop Entry Modification - Show in all +interest-noawait /etc/xdg/autostart/notify-osd.desktop diff --git a/misc/Makefile b/misc/Makefile index b0b18ae..945dd6f 100644 --- a/misc/Makefile +++ b/misc/Makefile @@ -10,7 +10,7 @@ all: xenstore-watch python close-window xenstore-watch: xenstore-watch.o $(CC) -o xenstore-watch xenstore-watch.o -lxenstore close-window: close-window.c - $(CC) -lX11 -o $@ $< + $(CC) -o $@ $< -lX11 python: python -m compileall . python -O -m compileall . diff --git a/misc/dispvm-prerun.sh b/misc/dispvm-prerun.sh index 8bb2583..9489144 100755 --- a/misc/dispvm-prerun.sh +++ b/misc/dispvm-prerun.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash apps="evince /usr/libexec/evinced soffice firefox" diff --git a/misc/qubes-r3.list.in b/misc/qubes-r3.list.in index c0a8eb2..5b2992c 100644 --- a/misc/qubes-r3.list.in +++ b/misc/qubes-r3.list.in @@ -1,11 +1,11 @@ # Main qubes updates repository -#deb http://deb.qubes-os.org/r3/vm @DIST@ main +#deb [arch=amd64] http://deb.qubes-os.org/r3/vm @DIST@ main #deb-src http://deb.qubes-os.org/r3/vm @DIST@ main # Qubes updates candidates repository -#deb http://deb.qubes-os.org/r3/vm @DIST@-testing main +#deb [arch=amd64] http://deb.qubes-os.org/r3/vm @DIST@-testing main #deb-src http://deb.qubes-os.org/r3/vm @DIST@-testing main # Qubes experimental/unstable repository -#deb http://deb.qubes-os.org/r3/vm @DIST@-unstable main +#deb [arch=amd64] http://deb.qubes-os.org/r3/vm @DIST@-unstable main #deb-src http://deb.qubes-os.org/r3/vm @DIST@-unstable main diff --git a/misc/qubes-trigger-sync-appmenus.sh b/misc/qubes-trigger-sync-appmenus.sh index 89690c7..3df1d1d 100755 --- a/misc/qubes-trigger-sync-appmenus.sh 
+++ b/misc/qubes-trigger-sync-appmenus.sh @@ -1,6 +1,6 @@ #!/bin/sh -UPDATEABLE=`/usr/bin/qubesdb-read /qubes-vm-updateable` +UPDATEABLE=`qubesdb-read /qubes-vm-updateable` if [ "$UPDATEABLE" = "True" ]; then /usr/lib/qubes/qrexec-client-vm dom0 qubes.SyncAppMenus /bin/sh /etc/qubes-rpc/qubes.GetAppmenus diff --git a/network/30-qubes-external-ip b/network/30-qubes-external-ip index 0f8e867..1d46834 100755 --- a/network/30-qubes-external-ip +++ b/network/30-qubes-external-ip @@ -1,8 +1,8 @@ #!/bin/sh if [ x$2 == xup ]; then INET=$(/sbin/ip addr show dev $1 | /bin/grep inet) - /usr/bin/qubesdb-write /qubes-netvm-external-ip "$INET" + qubesdb-write /qubes-netvm-external-ip "$INET" fi if [ x$2 == xdown ]; then - /usr/bin/qubesdb-write /qubes-netvm-external-ip "" + qubesdb-write /qubes-netvm-external-ip "" fi diff --git a/network/80-qubes.conf b/network/80-qubes.conf new file mode 100644 index 0000000..119d730 --- /dev/null +++ b/network/80-qubes.conf @@ -0,0 +1 @@ +net.ipv4.ip_forward=1 diff --git a/network/filter-updates b/network/filter-updates index c1afa54..1e5edec 100644 --- a/network/filter-updates +++ b/network/filter-updates 
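Review bot: Dropping the absolute `/usr/bin/` prefix makes `qubesdb-read` resolve through `PATH`, and the same change is made for `qubesdb-write` in `network/30-qubes-external-ip` and for `qubesdb-read`, `qubesdb-write`, `iptables-save` and `iptables-restore` in `network/qubes-firewall`. These scripts appear to run as root from package triggers, systemd or the NetworkManager dispatcher, so which binary is executed now depends on the environment the caller passes in. Setting the search path once at the top of each script, e.g. `PATH=/usr/sbin:/usr/bin:/sbin:/bin`, keeps the portability between Fedora and Debian without trusting an inherited value. In `qubes-firewall` the per-domain loop still calls `/sbin/iptables-restore -n`, so that file now mixes both styles.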
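Review bot: Shipping `net.ipv4.ip_forward=1` in `network/80-qubes.conf` turns forwarding on at boot in every Debian VM that installs the package, including VMs that never route traffic for others. `network/qubes-firewall` in this same commit writes `0` to `/proc/sys/net/ipv4/ip_forward` while rules are being applied, which suggests forwarding is meant to be on only once a rule set is loaded. Consider leaving the default off and enabling it from the network setup scripts in VMs that provide networking, or at least document the intent in the file with a comment such as `# forwarding is needed by VMs that provide networking; filtered by qubes-firewall`.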
@@ -1,11 +1,19 @@ +# Yum filters +# ----------------------------------------------------------------------------- /repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$ /repodata/repomd\.xml$ \.rpm$ \.drpm$ ^mirrors\.fedoraproject\.org:443$ ^http://mirrors\..*/mirrorlist\? -\.deb$ -/dists/[a-z]*/\(InRelease\|Release\|Release.gpg\)$ -/dists/[a-z]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\)$ -/dists/[a-z]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ -/dists/[a-z]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ + +# Debian filters +# +# Whonix uses sourceforge to host its repos and url can end in: +# '/' or '/download' or '?.*' +# ----------------------------------------------------------------------------- +\.deb\(\|\/\|\/download\|\?.*\)$ +/dists/[a-z-]*/\(InRelease\|Release\|Release.gpg\)\(\|\|/\|\/download\|\?.*\)$ +/dists/[a-z-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|\.gpg\)\(\|\|/\|\/download\|\?.*\)$ +/dists/[a-z-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$ +/dists/[a-z-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$ diff --git a/network/network-manager-prepare-conf-dir b/network/network-manager-prepare-conf-dir index c068bab..04cb00b 100755 --- a/network/network-manager-prepare-conf-dir +++ b/network/network-manager-prepare-conf-dir 
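Review bot: The new suffix group `\(\|\|/\|\/download\|\?.*\)$` ends in `\?.*`, so (assuming the filter is matched against full URLs) any URL that merely contains `.deb?` or a matching `/dists/…?` path is accepted, on any host, and the `$` anchor no longer bounds what the updates proxy lets through. In the Yum patterns above `\?` is the optional quantifier (`\(\.bz2\|\.gz\)\?$`); at the start of an alternative its meaning depends on the regex library, so `[?]` would be unambiguous. I would bound the query string, e.g. `\.deb\(\|/\|/download\|[?][A-Za-z0-9_=&.%-]*\)$`, and use the same group on the four `/dists/` lines. The group also repeats the empty alternative (`\(\|\|/`), which is harmless but looks like a typo.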
@@ -14,6 +14,6 @@ unmanaged_devices=mac:fe:ff:ff:ff:ff:ff # unmanaged_devices="$unmanaged_devices;mac:$mac" #done sed -i -e "s/^unmanaged-devices=.*/unmanaged-devices=$unmanaged_devices/" /etc/NetworkManager/NetworkManager.conf -sed -i -e "s/^plugins=.*/plugins=keyfile,ifcfg-rh/" /etc/NetworkManager/NetworkManager.conf +sed -i -e "s/^plugins=.*/plugins=keyfile/" /etc/NetworkManager/NetworkManager.conf exit 0 diff --git a/network/qubes-firewall b/network/qubes-firewall index 76636fc..f636a36 100755 --- a/network/qubes-firewall +++ b/network/qubes-firewall @@ -34,19 +34,19 @@ while true; do # during the time when the rules are being (re)applied echo "0" > /proc/sys/net/ipv4/ip_forward - RULES=$(/usr/bin/qubesdb-read $XENSTORE_IPTABLES_HEADER) - IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d') - OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || true` + RULES=$(qubesdb-read $XENSTORE_IPTABLES_HEADER) + IPTABLES_SAVE=$(iptables-save | sed '/^\*filter/,/^COMMIT/d') + OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | iptables-restore 2>&1 || true` for i in $(qubesdb-list -f /qubes-iptables-domainrules) ; do - RULES=$(/usr/bin/qubesdb-read "$i") + RULES=$(qubesdb-read "$i") ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true` if [ -n "$ERRS" ]; then echo "Failed applying rules for $i: $ERRS" >&2 OUT="$OUT$ERRS" fi done - /usr/bin/qubesdb-write $XENSTORE_ERROR "$OUT" + qubesdb-write $XENSTORE_ERROR "$OUT" if [ -n "$OUT" ]; then DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || : fi diff --git a/network/qubes-netwatcher b/network/qubes-netwatcher index 0acab7f..81edffe 100755 --- a/network/qubes-netwatcher +++ b/network/qubes-netwatcher 
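Review bot: Inside the `for i in $(qubesdb-list -f /qubes-iptables-domainrules)` loop of network/qubes-firewall the per-domain rules are still piped to `/sbin/iptables-restore -n`, while the header rules a few lines earlier now use a PATH lookup of `iptables-restore`. If the prefix was dropped because the binary's location differs between distributions, the loop line needs the same change (`/sbin/iptables-restore -n` to `iptables-restore -n`); `/usr/bin/notify-send` further down is in the same position. Because the result is wrapped in `|| true`, a missing binary would only surface as text in `$OUT`, so it is worth checking what the code after the hunk does with forwarding in that case. The `while true` body starts and ends outside the hunk.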
@@ -11,9 +11,9 @@ echo $$ >$PIDFILE trap 'exit 0' SIGTERM while true; do - NET_DOMID=$(/usr/bin/xenstore-read qubes-netvm-domid || :) + NET_DOMID=$(xenstore-read qubes-netvm-domid || :) if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then - UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :) + UNTRUSTED_NETCFG=$(xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :) # UNTRUSTED_NETCFG is not parsed in any way # thus, no sanitization ready # but be careful when passing it to other shell scripts @@ -21,11 +21,11 @@ while true; do /sbin/service qubes-firewall stop /sbin/service qubes-firewall start CURR_NETCFG="$UNTRUSTED_NETCFG" - /usr/bin/xenstore-write qubes-netvm-external-ip "$CURR_NETCFG" + xenstore-write qubes-netvm-external-ip "$CURR_NETCFG" fi - /usr/bin/xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid + xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid else - /usr/bin/xenstore-watch -n 2 qubes-netvm-domid + xenstore-watch -n 2 qubes-netvm-domid fi done diff --git a/network/qubes-setup-dnat-to-ns b/network/qubes-setup-dnat-to-ns index 6a30126..a1f9bc1 100755 --- a/network/qubes-setup-dnat-to-ns +++ b/network/qubes-setup-dnat-to-ns @@ -10,7 +10,7 @@ addrule() fi } export PATH=$PATH:/sbin:/bin -source /var/run/qubes/qubes-ns +. /var/run/qubes/qubes-ns if [ "X"$NS1 = "X" ] ; then exit ; fi iptables -t nat -F PR-QBS FIRSTONE=yes diff --git a/network/setup-ip b/network/setup-ip index 30334a2..4fa3c12 100755 --- a/network/setup-ip +++ b/network/setup-ip 
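Review bot: In network/qubes-setup-dnat-to-ns, `. /var/run/qubes/qubes-ns` executes that file as shell code, and vm-systemd/network-proxy-setup.sh in this commit writes it from unquoted qubesdb values (`echo "NS1=$gateway" > /var/run/qubes/qubes-ns`). A value containing whitespace or shell metacharacters would therefore be interpreted by this script instead of ending up in `NS1`. Reading the value without evaluation avoids that, for example `NS1=$(sed -n 's/^NS1=//p' /var/run/qubes/qubes-ns)`, and likewise for any other variable the script takes from the file. The test that follows should also quote its operand, `[ "X$NS1" = "X" ]`. The script continues past the hunk.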
@@ -26,14 +26,24 @@ if [ x$ip != x ]; then [ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook fi if [ -f /var/run/qubes-service/network-manager ]; then - cat > /etc/sysconfig/network-scripts/ifcfg-$INTERFACE <<__EOF__ -DEVICE=$INTERFACE -IPADDR=$ip -NETMASK=255.255.255.255 -NETWORK=$ip -ONBOOT=yes -GATEWAYDEV=$INTERFACE -GATEWAY=$gateway + cat > /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE <<__EOF__ +[802-3-ethernet] +duplex=full + +[connection] +id=VM uplink $INTERFACE +uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef +type=802-3-ethernet + +[ipv6] +method=ignore + +[ipv4] +method=manual +dns=$gateway;$secondary_dns +address1=$ip/32,$gateway +may-fail=false __EOF__ + chmod 600 /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE fi fi diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 1f1e229..7744d71 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -140,11 +140,11 @@ remove_ShowIn () { fi } -# reenable abrt-aplet if disable by some earlier version of package -remove_ShowIn abrt-applet.desktop +# reenable if disabled by some earlier version of package +remove_ShowIn abrt-applet.desktop imsettings-start.desktop # don't want it at all -for F in deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do +for F in deja-dup-monitor krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do if [ -e /etc/xdg/autostart/$F.desktop ]; then remove_ShowIn $F echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop 
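Review bot: In network/setup-ip the keyfile is created by `cat >` under the process umask and only narrowed by the `chmod 600` afterwards, so it briefly exists with default permissions, and NetworkManager may (I believe) skip a keyfile it notices before the chmod. Setting `umask 077` before the `cat`, ideally in a subshell so the rest of the script is unaffected, closes that window. Separately, `uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef` is constant while the file name varies with `$INTERFACE`, so two uplink files would share a UUID; derive it per interface or document that only one uplink is ever configured. `$secondary_dns` is not assigned in the visible lines, so confirm it is set before the here-document. The enclosing `if` starts outside the hunk.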
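Review bot: `remove_ShowIn abrt-applet.desktop imsettings-start.desktop` passes two arguments that carry the `.desktop` suffix, whereas the loop just below calls `remove_ShowIn $F` with a single bare name and adds `.desktop` itself for the path test. The function body is outside the hunk, so I cannot tell whether it handles more than `$1` or a suffixed name; if it does not, imsettings-start is never re-enabled even though it was dropped from the loop. Calling it once per entry in the form the loop uses, `remove_ShowIn abrt-applet` and `remove_ShowIn imsettings-start`, would remove the doubt.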
@@ -213,6 +213,17 @@ if ! grep -q localhost /etc/hosts; then EOF fi +# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is +# in the form expected by qubes-sysinit.sh +for ip in '127\.0\.0\.1' '::1'; do + if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then + sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts + sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts + else + echo "${ip} `hostname`" >> /etc/hosts + fi +done + if [ "$1" != 1 ] ; then # do the rest of %post thing only when updating for the first time... exit 0 @@ -279,7 +290,7 @@ fi if [ $1 -eq 0 ] ; then /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : - if [ -l /lib/firmware/updates ]; then + if [ -L /lib/firmware/updates ]; then rm /lib/firmware/updates fi fi diff --git a/vm-systemd/network-proxy-setup.sh b/vm-systemd/network-proxy-setup.sh index 668d79a..8b864b7 100755 --- a/vm-systemd/network-proxy-setup.sh +++ b/vm-systemd/network-proxy-setup.sh @@ -1,11 +1,11 @@ #!/bin/sh # Setup gateway for all the VMs this netVM is serviceing... -network=$(/usr/bin/qubesdb-read /qubes-netvm-network 2>/dev/null) +network=$(qubesdb-read /qubes-netvm-network 2>/dev/null) if [ "x$network" != "x" ]; then - gateway=$(/usr/bin/qubesdb-read /qubes-netvm-gateway) - netmask=$(/usr/bin/qubesdb-read /qubes-netvm-netmask) - secondary_dns=$(/usr/bin/qubesdb-read /qubes-netvm-secondary-dns) + gateway=$(qubesdb-read /qubes-netvm-gateway) + netmask=$(qubesdb-read /qubes-netvm-netmask) + secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns) modprobe netbk 2> /dev/null || modprobe xen-netback echo "NS1=$gateway" > /var/run/qubes/qubes-ns echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns diff --git a/vm-systemd/qubes-qrexec-agent.service b/vm-systemd/qubes-qrexec-agent.service index e08e986..38d8f71 100644 --- a/vm-systemd/qubes-qrexec-agent.service +++ b/vm-systemd/qubes-qrexec-agent.service 
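Review bot: In the `else` branch of the new `for ip in '127\.0\.0\.1' '::1'` loop, the `echo … >> /etc/hosts` line writes `${ip}` verbatim, and on the first iteration that is the regex-escaped string `127\.0\.0\.1`, so /etc/hosts would receive an entry with literal backslashes. I would iterate over the plain addresses and build the pattern separately: `for ip in 127.0.0.1 ::1; do ip_re=$(echo "$ip" | sed 's/\./\\./g')`, then use `$ip_re` in the `grep` and `sed` expressions and `echo "$ip $(hostname)" >> /etc/hosts` in the fallback. The output of `hostname` is also spliced into the first `sed` pattern unescaped, so dots in it act as wildcards; escaping it the same way keeps the match exact.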
@@ -3,6 +3,7 @@ Description=Qubes remote exec agent After=qubes-dvm.service [Service] +ExecStartPre=/bin/sh -c '[ -e /dev/xen/evtchn ] || modprobe xen_evtchn' ExecStart=/usr/lib/qubes/qrexec-agent StandardOutput=syslog diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 05e9852..a0d0670 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # List of services enabled by default (in case of absence of qubesdb entry) DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy" @@ -7,8 +7,8 @@ DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM updates-proxy-setup" DEFAULT_ENABLED="meminfo-writer" -QDB_READ=/usr/bin/qubesdb-read -QDB_LS=/usr/bin/qubesdb-multiread +QDB_READ=qubesdb-read +QDB_LS=qubesdb-multiread read_service() { $QDB_READ /qubes-service/$1 2> /dev/null @@ -31,6 +31,8 @@ mkdir -p /var/run/xen-hotplug # Set permissions to /proc/xen/xenbus, so normal user can use qubesdb-read chmod 666 /proc/xen/xenbus + +[ -e /proc/u2mfn ] || modprobe u2mfn # Set permissions to files needed to listen at vchan chmod 666 /proc/u2mfn 
@@ -60,14 +62,24 @@ done name=`$QDB_READ /name` if [ -n "$name" ]; then hostname $name - sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts + if [ -e /etc/debian_version ]; then + ipv4_localhost_re="127\.0\.1\.1" + else + ipv4_localhost_re="127\.0\.0\.1" + fi + sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts + sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts fi timezone=`$QDB_READ /qubes-timezone 2> /dev/null` if [ -n "$timezone" ]; then - ln -f /usr/share/zoneinfo/$timezone /etc/localtime - echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock - echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock + cp -p /usr/share/zoneinfo/$timezone /etc/localtime + if [ -e /etc/debian_version ]; then + echo "$timezone" > /etc/timezone + else + echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock + echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock + fi fi # Prepare environment for other services diff --git a/vm-systemd/qubes-update-check.service b/vm-systemd/qubes-update-check.service index 96bccbd..9879080 100644 --- a/vm-systemd/qubes-update-check.service +++ b/vm-systemd/qubes-update-check.service @@ -4,4 +4,4 @@ ConditionPathExists=/var/run/qubes-service/qubes-update-check [Service] Type=oneshot -ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0' +ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'if [ -e /usr/bin/yum ]; then yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0; else apt-get -q update > /dev/null; apt-get -s upgrade | awk "/^Inst/{ print $2 }" | [[ $(wc -L) -eq 0 ]] && echo 0 || echo 1; fi'
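Review bot: `cp -p /usr/share/zoneinfo/$timezone /etc/localtime` uses the qubesdb value unquoted and unchecked, and the `/etc/timezone` or `/etc/sysconfig/clock` write that follows happens even when the copy failed, leaving the two out of sync. I would guard the block with `[ -f "/usr/share/zoneinfo/$timezone" ]`, quote the path, and reject values containing `..` so the source stays inside the zoneinfo tree. The same applies to `$name` a few lines up, which goes into `hostname $name` and into two `sed` replacements without quoting or escaping. The script starts and continues outside the hunk.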
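Review bot: The apt branch of the new `ExecStart` runs `[[ $(wc -L) -eq 0 ]]` inside `/bin/sh -c`, but `[[` is not a POSIX sh construct; where /bin/sh is dash the test fails and the command reports 1 on every run. The `awk "/^Inst/{ print $2 }"` stage is double-quoted too, so `$2` is expanded by the shell (or by systemd's own substitution) before awk sees it. A simpler pipeline avoids both problems: `apt-get -s upgrade | grep -q "^Inst" && echo 1 || echo 0`. Running `apt-get -q update` here also means every check refreshes the package lists over the network, which deserves a comment in the unit.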