Merge branch 'debian'

Conflicts:
	misc/qubes-r2.list.in
	misc/qubes-trigger-sync-appmenus.sh
	network/30-qubes-external-ip
	network/qubes-firewall
	vm-systemd/network-proxy-setup.sh
	vm-systemd/prepare-dvm.sh
	vm-systemd/qubes-sysinit.sh
Marek Marczykowski-Górecki 2015-01-30 00:30:24 +01:00
commit 9130636c88
25 changed files with 886 additions and 59 deletions


@ -88,21 +88,27 @@ install-rh: install-systemd install-sysvinit
install -d $(DESTDIR)/etc/yum.conf.d install -d $(DESTDIR)/etc/yum.conf.d
touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf
install-common: install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/
install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes install -d $(DESTDIR)/var/lib/qubes/dom0-updates
install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables
install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
install-common:
install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
install -d $(DESTDIR)/var/lib/qubes install -d $(DESTDIR)/var/lib/qubes
install -D misc/xenstore-watch $(DESTDIR)/usr/bin/xenstore-watch-qubes install -D misc/xenstore-watch $(DESTDIR)/usr/bin/xenstore-watch-qubes
install -d $(DESTDIR)/etc/udev/rules.d install -d $(DESTDIR)/etc/udev/rules.d
install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules
install -d $(DESTDIR)/usr/lib/qubes/ install -d $(DESTDIR)/usr/lib/qubes/
install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/
install misc/vusb-ctl.py $(DESTDIR)/usr/lib/qubes/ install misc/vusb-ctl.py $(DESTDIR)/usr/lib/qubes/
install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)/usr/lib/qubes/ install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)/usr/lib/qubes/
install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
install -D misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla install -D misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
install -D misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules install -D misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules
install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs
@ -129,8 +135,6 @@ install-common:
install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/ install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/ install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables
install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
install -m 0644 -D network/filter-updates $(DESTDIR)/etc/tinyproxy/filter-updates install -m 0644 -D network/filter-updates $(DESTDIR)/etc/tinyproxy/filter-updates
install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)/usr/lib/qubes/iptables-updates-proxy install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)/usr/lib/qubes/iptables-updates-proxy
@ -176,7 +180,6 @@ install-common:
install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf
install -d $(DESTDIR)/mnt/removable install -d $(DESTDIR)/mnt/removable
install -d $(DESTDIR)/var/lib/qubes/dom0-updates
install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf
@ -188,5 +191,9 @@ install-deb:
mkdir -p $(DESTDIR)/etc/apt/sources.list.d mkdir -p $(DESTDIR)/etc/apt/sources.list.d
sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list
install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4
install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6
install -d $(DESTDIR)/etc/sysctl.d
install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
install-vm: install-rh install-common install-vm: install-rh install-common
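Review bot: In the install-deb hunk the two firewall rule files are installed world-readable (`-m 644` for /etc/iptables/rules.v4 and rules.v6), whereas install-rh installs the same two sources under /etc/sysconfig with `-m 0400`. Unless the Debian side needs them readable by non-root users, which is not visible on this page, I would keep the stricter mode: `install -D -m 0600 network/iptables $(DESTDIR)/etc/iptables/rules.v4`, and the same for rules.v6. The install-deb rule starts above the hunk.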

7
debian/control vendored

@ -9,8 +9,11 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git
Package: qubes-core-agent Package: qubes-core-agent
Architecture: any Architecture: any
Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, ${shlibs:Depends}, ${misc:Depends} Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), network-manager-gnome, haveged, iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, libnotify-bin, notify-osd, systemd, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends}
Conflicts: qubes-core-agent-linux Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit
Description: Qubes core agent Description: Qubes core agent
This package includes various daemons necessary for qubes domU support, This package includes various daemons necessary for qubes domU support,
such as qrexec. such as qrexec.
# Unresolved depends that exist in rpm_spec
#qubes-core-vm-kernel-placeholder, qubes-core-vm,

1
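--- a/debian/files
+++ b/debian/files
@@ -1 +0,0 @@
-qubes-core-agent_2.1.33_amd64.deb admin extra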

504
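--- a/debian/qubes-core-agent.postinst
+++ b/debian/qubes-core-agent.postinst
@@ -0,0 +1,504 @@
+#!/bin/bash
+# postinst script for core-agent-linux
+#
+# see: dh_installdeb(1)
+set -e
+# The postint script may be called in the following ways:
+# * <postinst> 'configure' <most-recently-configured-version>
+# * <old-postinst> 'abort-upgrade' <new version>
+# * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
+# <new-version>
+# * <postinst> 'abort-remove'
+# * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
+# <failed-install-package> <version> 'removing'
+# <conflicting-package> <version>
+#
+# For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+# Directory that modified desktop entry config files are stored in
+XDG_CONFIG_QUBES="/usr/share/qubes/xdg"
+# Install overriden services only when original exists
+installOverridenServices() {
+override_dir="${1}"
+service="${2}"
+retval=1
+for unit in ${service}; do
+unit="${unit%%.*}"
+unit_name="$(basename ${unit})"
+if [ -f ${unit}.service ]; then
+echo "Installing override for ${unit}.service..."
+cp ${override_dir}/${unit_name}.service /etc/systemd/system/
+retval=0
+fi
+if [ -f ${unit}.socket -a -f ${override_dir}/${unit}.socket ]; then
+echo "Installing override for ${unit}.socket..."
+cp ${override_dir}/${unit_name}.socket /etc/systemd/system/
+retval=0
+fi
+if [ -f ${unit}.path -a -f ${override_dir}/${unit}.path ]; then
+echo "Installing override for ${unit}.path..."
+cp ${override_dir}/${unit_name}.path /etc/systemd/system/
+retval=0
+fi
+done
+return ${retval}
+}
+reenableNetworkManager() {
+# Disable original service to enable overriden one
+echo "Disabling original service to enable overriden one..."
+disableSystemdUnits ModemManager.service
+disableSystemdUnits NetworkManager.service
+# Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)
+echo "Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)"
+systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null || echo "Could not disable D-BUS activation of NetworkManager"
+echo "Re-enabling original service to enable overriden one..."
+enableSystemdUnits ModemManager.service
+enableSystemdUnits NetworkManager.service
+# Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811
+echo "Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811"
+enableSystemdUnits NetworkManager-dispatcher.service
+}
+remove_ShowIn() {
+if [ -e "${1}" ]; then
+sed -i '/^\(Not\|Only\)ShowIn/d' "${1}"
+fi
+}
+showIn() {
+desktop_entry="${1}"
+shown_in="${2}"
+message="${shown_in:-"Shown in All;"}"
+desktop_entry_qubes="${XDG_CONFIG_QUBES}/autostart/${desktop_entry##*/}"
+# Make sure Qubes autostart directory exists
+mkdir -p "${XDG_CONFIG_QUBES}/autostart"
+# Desktop entry exists, so move to Qubes directory and modify it
+if [ -e "${desktop_entry}" ]; then
+echo "Desktop Entry Modification - ${message} ${desktop_entry##*/}..."
+cp -pf "${desktop_entry}" "${desktop_entry_qubes}"
+remove_ShowIn "${desktop_entry_qubes}"
+sed -i '/^X-GNOME-Autostart-enabled.*[fF0]/d' "${desktop_entry_qubes}"
+# Will only be '' if shown in all
+if [ ! "${shown_in}x" == "x" ]; then
+echo "${shown_in}" >> "${desktop_entry_qubes}" || true
+fi
+# Desktop entry must have been removed, so also remove from Qubes directory
+else
+echo "Desktop Entry Modification - Remove: ${desktop_entry##*/}..."
+rm -f "${desktop_entry_qubes}"
+fi
+}
+setArrayAsGlobal() {
+local array="$1"
+local export_as="$2"
+local code=$(declare -p "$array")
+local replaced="${code/$array/$export_as}"
+eval ${replaced/declare -/declare -g}
+}
+systemdInfo() {
+unit=${1}
+return_global_var=${2}
+declare -A INFO=()
+while read line; do
+INFO[${line%%=*}]="${line##*=}"
+done < <(systemctl show ${unit} 2> /dev/null)
+setArrayAsGlobal INFO $return_global_var
+return ${#INFO[@]}
+}
+displayFailedStatus() {
+action=${1}
+unit=${2}
+# Only display if there are results. In chroot environmnet there will be
+# no results to 'systemctl show' command
+systemdInfo ${unit} info || {
+echo
+echo "==================================================="
+echo "FAILED: systemd ${action} ${unit}"
+echo "==================================================="
+echo " LoadState = ${info[LoadState]}"
+echo " LoadError = ${info[LoadError]}"
+echo " ActiveState = ${info[ActiveState]}"
+echo " SubState = ${info[SubState]}"
+echo "UnitFileState = ${info[UnitFileState]}"
+echo
+}
+}
+# Disable systemd units
+disableSystemdUnits() {
+for unit in $*; do
+systemctl is-enabled ${unit} > /dev/null 2>&1 && {
+echo "Disabling ${unit}..."
+systemctl is-active ${unit} > /dev/null 2>&1 && {
+systemctl stop ${unit} > /dev/null 2>&1 || displayFailedStatus stop ${unit}
+}
+if [ -f /lib/systemd/system/${unit} ]; then
+if fgrep -q '[Install]' /lib/systemd/system/${unit}; then
+systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
+else
+# Forcibly disable
+echo "Forcibly disabling: ${unit}"
+ln -sf /dev/null /etc/systemd/system/${unit}
+fi
+else
+systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
+fi
+} || {
+echo "It appears ${unit} is already disabled!"
+#displayFailedStatus is-disabled ${unit}
+}
+done
+}
+# Enable systemd units
+enableSystemdUnits() {
+for unit in $*; do
+systemctl is-enabled ${unit} > /dev/null 2>&1 && {
+echo "It appears ${unit} is already enabled!"
+#displayFailedStatus is-enabled ${unit}
+} || {
+echo "Enabling: ${unit}..."
+systemctl enable ${unit} > /dev/null 2>&1 && {
+systemctl start ${unit} > /dev/null 2>&1 || displayFailedStatus start ${unit}
+} || {
+echo "Could not enable: ${unit}"
+displayFailedStatus enable ${unit}
+}
+}
+done
+}
+# Manually trigger all triggers to automaticatly configure
+triggerTriggers() {
+path="$(readlink -m ${0})"
+triggers="${path/postinst/triggers}"
+awk '{sub(/[ \t]*#.*/,"")} NF' ${triggers} | while read line
+do
+/bin/bash -c "${0} triggered ${line##* }" || true
+done
+}
+case "${1}" in
+configure)
+# disable some Upstart services
+for init in plymouth-shutdown \
+prefdm \
+splash-manager \
+start-ttys \
+tty ; do
+if [ -e /etc/init/${init}.conf ]; then
+mv -f /etc/init/${init}.conf /etc/init/${init}.conf.disabled
+fi
+done
+# Stops Qt form using the MIT-SHM X11 Shared Memory Extension
+echo 'export QT_X11_NO_MITSHM=1' > /etc/profile.d/qt_x11_no_mitshm.sh
+chmod 0755 /etc/profile.d/qt_x11_no_mitshm.sh
+# Sudo's defualt umask is 077 so set sane default of 022
+# Also don't allow QT to used shared memory to prevent errors
+echo 'Defaults umask = 0002' > /etc/sudoers.d/umask
+echo 'Defaults umask_override' >> /etc/sudoers.d/umask
+chmod 0440 /etc/sudoers.d/umask
+echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm
+chmod 0440 /etc/sudoers.d/qt_x11_no_mitshm
+# Create NetworkManager configuration if we do not have it
+if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
+echo '[main]' > /etc/NetworkManager/NetworkManager.conf
+echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
+echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
+fi
+# XXX: Test to see if this will satisify dispatcher dependancy
+if [ ! -e "/lib/systemd/system/org.freedesktop.nm_dispatcher.service" ]; then
+ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service
+fi
+# Remove old firmware updates link
+if [ -L /lib/firmware/updates ]; then
+rm -f /lib/firmware/updates
+fi
+#if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
+# echo >> /etc/yum.conf
+# echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
+# echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
+#fi
+# Revert 'Prevent unnecessary updates in VMs':
+#sed -i -e '/^exclude = kernel/d' /etc/yum.conf
+# ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
+# in the form expected by qubes-sysinit.sh
+for ip in '127\.0\.1\.1' '::1'; do
+if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
+sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
+else
+echo "${ip//\\/} `hostname`" >> /etc/hosts
+fi
+done
+# remove hostname from 127.0.0.1 line (in debian the hostname is by default
+# resolved to 127.0.1.1)
+sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+chown user:user /home_volatile/user
+#if [ "${1}" != 1 ] ; then
+# # do the rest of %post thing only when updating for the first time...
+# exit 0
+#fi
+if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then
+cp /etc/init/serial.conf /var/lib/qubes/serial.orig
+fi
+# Remove most of the udev scripts to speed up the VM boot time
+# Just leave the xen* scripts, that are needed if this VM was
+# ever used as a net backend (e.g. as a VPN domain in the future)
+#echo "--> Removing unnecessary udev scripts..."
+mkdir -p /var/lib/qubes/removed-udev-scripts
+for f in /etc/udev/rules.d/*
+do
+if [ $(basename ${f}) == "xen-backend.rules" ] ; then
+continue
+fi
+if [ $(basename ${f}) == "50-qubes-misc.rules" ] ; then
+continue
+fi
+if echo ${f} | grep -q qubes; then
+continue
+fi
+mv ${f} /var/lib/qubes/removed-udev-scripts/
+done
+# Create /rw directory
+mkdir -p /rw
+# XXX: TODO: Needs to be implemented still
+#rm -f /etc/mtab
+#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
+#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
+#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0
+# Enable Qubes systemd units
+enableSystemdUnits \
+qubes-sysinit.service \
+qubes-misc-post.service \
+qubes-netwatcher.service \
+qubes-network.service \
+qubes-firewall.service \
+qubes-updates-proxy.service \
+qubes-updates-proxy.timer \
+qubes-qrexec-agent.service
+# Set default "runlevel"
+rm -f /etc/systemd/system/default.target
+ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+# Process all triggers which will set defaults to wanted values
+triggerTriggers
+disableSystemdUnits \
+alsa-store.service \
+alsa-restore.service \
+auditd.service \
+avahi.service \
+avahi-daemon.service \
+backuppc.service \
+cpuspeed.service \
+crond.service \
+fedora-autorelabel.service \
+fedora-autorelabel-mark.service \
+ipmi.service \
+hwclock-load.service \
+hwclock-save.service \
+mdmonitor.service \
+multipathd.service \
+openct.service \
+rpcbind.service \
+mcelog.service \
+fedora-storage-init.service \
+fedora-storage-init-late.service \
+plymouth-start.service \
+plymouth-read-write.service \
+plymouth-quit.service \
+plymouth-quit-wait.service \
+sshd.service \
+tcsd.service \
+sm-client.service \
+sendmail.service \
+mdmonitor-takeover.service \
+rngd smartd.service \
+upower.service \
+irqbalance.service \
+colord.service
+rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
+# Enable other systemd units
+enableSystemdUnits \
+rsyslog.service
+# XXX: TODO: Needs to be implemented still
+# These do not exist on debian; maybe a different package name
+# iptables.service \
+# ntpd.service \
+# ip6tables.service \
+;;
+abort-upgrade|abort-remove|abort-deconfigure)
+exit 0
+;;
+triggered)
+for trigger in ${2}; do
+case "${trigger}" in
+# Update Qubes App Menus
+/usr/share/applications)
+echo "Updating Qubes App Menus..."
+/usr/lib/qubes/qubes-trigger-sync-appmenus.sh || true
+;;
+# Install overriden services only when original exists
+/lib/systemd/system/NetworkManager.service | \
+/lib/systemd/system/NetworkManager-wait-online.service | \
+/lib/systemd/system/ModemManager.service)
+UNITDIR=/lib/systemd/system
+OVERRIDEDIR=/usr/lib/qubes/init
+installOverridenServices "${OVERRIDEDIR}" "${trigger}"
+if [ $? -eq 0 ]; then
+reenableNetworkManager
+fi
+;;
+# Enable cups only when it is real Systemd service
+/lib/systemd/system/cups.service)
+echo "Enabling cups"
+[ -e /lib/systemd/system/cups.service ] && enableSystemdUnits cups.service
+;;
+# "Enable haveged service"
+/lib/systemd/system/haveged.service)
+echo "Enabling haveged service"
+enableSystemdUnits haveged.service
+;;
+# Install overridden serial.conf init script
+/etc/init/serial.conf)
+echo "Installing over-ridden serial.conf init script..."
+if [ -e /etc/init/serial.conf ]; then
+cp /usr/share/qubes/serial.conf /etc/init/serial.conf
+fi
+;;
+# Disable SELinux"
+/etc/selinux/config)
+echo "Disabling SELinux..."
+if [ -e /etc/selinux/config ]; then
+sed -e s/^SELINUX=.*$/SELINUX=disabled/ </etc/selinux/config >/etc/selinux/config.processed
+mv /etc/selinux/config.processed /etc/selinux/config
+setenforce 0 2>/dev/null
+fi
+;;
+# Desktop Entry Modification - Remove existing rules
+/etc/xdg/autostart/gpk-update-icon.desktop | \
+/etc/xdg/autostart/nm-applet.desktop | \
+/etc/xdg/autostart/abrt-applet.desktop | \
+/etc/xdg/autostart/notify-osd.desktop)
+showIn "${trigger}"
+;;
+# Desktop Entry Modification - Not shown in Qubes
+/etc/xdg/autostart/pulseaudio.desktop | \
+/etc/xdg/autostart/deja-dup-monitor.desktop | \
+/etc/xdg/autostart/imsettings-start.desktop | \
+/etc/xdg/autostart/krb5-auth-dialog.desktop | \
+/etc/xdg/autostart/pulseaudio.desktop | \
+/etc/xdg/autostart/restorecond.desktop | \
+/etc/xdg/autostart/sealertauto.desktop | \
+/etc/xdg/autostart/gnome-power-manager.desktop | \
+/etc/xdg/autostart/gnome-sound-applet.desktop | \
+/etc/xdg/autostart/gnome-screensaver.desktop | \
+/etc/xdg/autostart/orca-autostart.desktop)
+showIn "${trigger}" 'NotShowIn=QUBES;'
+;;
+# Desktop Entry Modification - Not shown in in DisposableVM
+/etc/xdg/autostart/gcm-apply.desktop)
+showIn "${trigger}" 'NotShowIn=DisposableVM;'
+;;
+# Desktop Entry Modification - Only shown in AppVM
+/etc/xdg/autostart/gnome-keyring-gpg.desktop | \
+/etc/xdg/autostart/gnome-keyring-pkcs11.desktop | \
+/etc/xdg/autostart/gnome-keyring-secrets.desktop | \
+/etc/xdg/autostart/gnome-keyring-ssh.desktop | \
+/etc/xdg/autostart/gnome-settings-daemon.desktop | \
+/etc/xdg/autostart/user-dirs-update-gtk.desktop | \
+/etc/xdg/autostart/gsettings-data-convert.desktop)
+showIn "${trigger}" 'OnlyShowIn=GNOME;AppVM;'
+;;
+# Desktop Entry Modification - Only shown in Gnome & UpdateableVM
+/etc/xdg/autostart/gpk-update-icon.desktop)
+showIn "${trigger}" 'OnlyShowIn=GNOME;UpdateableVM;'
+;;
+# Desktop Entry Modification - Only shown in Gnome & Qubes
+/etc/xdg/autostart/nm-applet.desktop)
+showIn "${trigger}" 'OnlyShowIn=GNOME;QUBES;'
+;;
+*)
+echo "postinst called with unknown trigger \`${2}'" >&2
+exit 1
+;;
+esac
+done
+exit 0
+;;
+*)
+echo "postinst called with unknown argument \`${1}'" >&2
+exit 1
+;;
+esac
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
+exit 0
+# vim: set ts=4 sw=4 sts=4 et :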
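Review bot: The sudoers drop-in written in the `configure` branch sets `Defaults umask = 0002` together with `umask_override`, while the comment above it says the intended default is 022; as written, files created through sudo come out group-writable. If 022 is what is wanted the line should read `echo 'Defaults umask = 0022' > /etc/sudoers.d/umask`, otherwise the comment should say 002 and why. Separately, in the `triggered` branch the later arms for `gpk-update-icon.desktop` and `nm-applet.desktop` can never match, because the same paths are already listed in the earlier "Remove existing rules" arm, so their `OnlyShowIn=` values are never applied. The `ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service` call uses relative names on both sides and therefore creates the link in whatever directory the script happens to run from.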

58
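--- a/debian/qubes-core-agent.postrm
+++ b/debian/qubes-core-agent.postrm
@@ -0,0 +1,58 @@
+#!/bin/bash
+# postrm script for core-agent-linux
+#
+# see: dh_installdeb(1)
+set -e
+# The prerm script may be called in the following ways:
+# * <postrm> 'remove'
+# * <postrm> 'purge'
+# * <old-postrm> 'upgrade' <new-version>
+# * <disappearer's-postrm> 'disappear' <overwriter> <overwriter-version>
+#
+# The postrm script is called after the package's files have been removed
+# or replaced. The package whose postrm is being called may have previously been
+# deconfigured and only be "Unpacked", at which point subsequent package changes
+# do not consider its dependencies. Therefore, all postrm actions may only rely
+# on essential packages and must gracefully skip any actions that require the
+# package's dependencies if those dependencies are unavailable.[48]
+#
+# * <new-postrm> 'failed-upgrade' <old-version>
+#
+# Called when the old postrm upgrade action fails. The new package will be
+# unpacked, but only essential packages and pre-dependencies can be relied on.
+# Pre-dependencies will either be configured or will be "Unpacked" or
+# "Half-Configured" but previously had been configured and was never removed.
+#
+# * <new-postrm> 'abort-install'
+# * <new-postrm> 'abort-install' <old-version>
+# * <new-postrm> 'abort-upgrade' <old-version>
+#
+# Called before unpacking the new package as part of the error handling of
+# preinst failures. May assume the same state as preinst can assume.
+#
+# For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+if [ "${1}" = "remove" ] ; then
+/usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :
+if [ -L /lib/firmware/updates ]; then
+rm /lib/firmware/updates
+fi
+for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-qrexec-agent; do
+systemctl disable ${srv}.service
+done
+fi
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
+exit 0
+# vim: set ts=4 sw=4 sts=4 et :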
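Review bot: In the `remove` branch every `systemctl disable ${srv}.service` runs under `set -e`, so a single non-zero exit (a unit that was never installed, or no running systemd as in a chroot) can abort postrm and leave the package in a failed-removal state; `systemctl disable ${srv}.service 2>/dev/null || :` would match the tolerance already used for glib-compile-schemas a few lines up. The unit list also does not mirror the postinst in this commit, which enables qubes-firewall.service, qubes-updates-proxy.service and qubes-updates-proxy.timer that are not disabled here, so their enablement symlinks would be left behind. The header comment reads "The prerm script may be called" although this file is the postrm.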

112
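--- a/debian/qubes-core-agent.preinst
+++ b/debian/qubes-core-agent.preinst
@@ -0,0 +1,112 @@
+#!/bin/bash
+# preinst script for core-agent-linux
+#
+# see: dh_installdeb(1)
+set -e
+# The preinst script may be called in the following ways:
+# * <new-preinst> 'install'
+# * <new-preinst> 'install' <old-version>
+# * <new-preinst> 'upgrade' <old-version>
+#
+# The package will not yet be unpacked, so the preinst script cannot rely
+# on any files included in its package. Only essential packages and
+# pre-dependencies (Pre-Depends) may be assumed to be available.
+# Pre-dependencies will have been configured at least once, but at the time the
+# preinst is called they may only be in an "Unpacked" or "Half-Configured" state
+# if a previous version of the pre-dependency was completely configured and has
+# not been removed since then.
+#
+#
+# * <old-preinst> 'abort-upgrade' <new-version>
+#
+# Called during error handling of an upgrade that failed after unpacking the
+# new package because the postrm upgrade action failed. The unpacked files may
+# be partly from the new version or partly missing, so the script cannot rely
+# on files included in the package. Package dependencies may not be available.
+# Pre-dependencies will be at least "Unpacked" following the same rules as
+# above, except they may be only "Half-Installed" if an upgrade of the
+# pre-dependency failed.[46]
+#
+# For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+if [ "$1" = "install" ] ; then
+# --------------------------------------------------------------------------
+# Create required directories
+# --------------------------------------------------------------------------
+mkdir -p /var/lib/qubes
+mkdir -p /lib/modules
+#mkdir -p -m 0700 /var/log/xen # xen-utils-common should do this
+if [ -e /etc/fstab ] ; then
+mv /etc/fstab /var/lib/qubes/fstab.orig
+fi
+# --------------------------------------------------------------------------
+# Many Qubes scripts reference /bin/sh expecting the shell to be bash but
+# in Debian it is dash so some scripts will fail so force an alternate for
+# /bin/sh to be /bin/bash
+# --------------------------------------------------------------------------
+update-alternatives --force --install /bin/sh sh /bin/bash 999
+# --------------------------------------------------------------------------
+# Modules setup
+# --------------------------------------------------------------------------
+echo "xen_netfront" >> /etc/modules
+# --------------------------------------------------------------------------
+# Remove `mesg` from root/.profile?
+# --------------------------------------------------------------------------
+sed -i -e '/^mesg n/d' /root/.profile
+# --------------------------------------------------------------------------
+# Update /etc/fstab
+# --------------------------------------------------------------------------
+cat > /etc/fstab <<EOF
+/dev/mapper/dmroot / ext4 defaults,noatime 1 1
+/dev/xvdc1 swap swap defaults 0 0
+/dev/xvdb /rw ext4 noauto,defaults,discard 1 2
+/rw/home /home none noauto,bind,defaults 0 0
+tmpfs /dev/shm tmpfs defaults 0 0
+devpts /dev/pts devpts gid=5,mode=620 0 0
+proc /proc proc defaults 0 0
+sysfs /sys sysfs defaults 0 0
+xen /proc/xen xenfs defaults 0 0
+/dev/xvdi /mnt/removable auto noauto,user,rw 0 0
+/dev/xvdd /lib/modules ext3 defaults 0 0
+EOF
+# --------------------------------------------------------------------------
+# User add / modifications
+# --------------------------------------------------------------------------
+id -u 'user' || {
+groupadd -f user
+useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
+}
+id -u 'tinyproxy' || {
+groupadd -f tinyproxy
+useradd -g tinyproxy -M --home /run/tinyproxy --shell /bin/false tinyproxy
+}
+usermod -p '' root
+usermod -L user
+exit 0
+fi
+if [ "$1" = "upgrade" ] ; then
+exit 0
+fi
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
+exit 0
+# vim: set ts=4 sw=4 sts=4 et :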
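Review bot: `usermod -p '' root` leaves root with an empty password field and nothing in the script says that this is deliberate; if passwordless root inside the VM is the intended model, a comment such as `# root has no password on purpose: the VM relies on isolation, not on in-VM privilege separation` directly above the call would keep a later maintainer from reading it as an accident, and `passwd -d root` states the same action more explicitly. The `install` branch is also not safe to run twice: the prerm in this commit does not undo `echo "xen_netfront" >> /etc/modules`, so a remove followed by an install appends a second copy, which `grep -qx xen_netfront /etc/modules || echo "xen_netfront" >> /etc/modules` avoids. `sed -i -e '/^mesg n/d' /root/.profile` runs under `set -e` and will abort the install if /root/.profile does not exist.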

54
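--- a/debian/qubes-core-agent.prerm
+++ b/debian/qubes-core-agent.prerm
@@ -0,0 +1,54 @@
+#!/bin/bash
+# prerm script for core-agent-linux
+#
+# see: dh_installdeb(1)
+set -e
+# The prerm script may be called in the following ways:
+# * <prerm> 'remove'
+# * <old-prerm> 'upgrade' <new-version>
+# * <conflictor's-prerm> 'remove' 'in-favour' <package> <new-version>
+# * <deconfigured's-prerm> 'deconfigure' 'in-favour' <package-being-installed>
+# <version> [removing conflicting-package version]
+#
+# The package whose prerm is being called will be at least "Half-Installed".
+# All package dependencies will at least be "Half-Installed" and will have
+# previously been configured and not removed. If there was no error, all
+# dependencies will at least be "Unpacked", but these actions may be called in
+# various error states where dependencies are only "Half-Installed" due to a
+# partial upgrade.
+#
+# * <new-prerm> 'failed-upgrade' <old-version>
+#
+# Called during error handling when prerm upgrade fails. The new package
+# will not yet be unpacked, and all the same constraints as for preinst
+# upgrade apply.
+#
+# For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+if [ "$1" = "remove" ] ; then
+# no more packages left
+if [ -e /var/lib/qubes/fstab.orig ] ; then
+mv /var/lib/qubes/fstab.orig /etc/fstab
+fi
+if [ -d /var/lib/qubes/removed-udev-scripts ] ; then
+mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
+fi
+if [ -e /var/lib/qubes/serial.orig ] ; then
+mv /var/lib/qubes/serial.orig /etc/init/serial.conf
+fi
+fi
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
+exit 0
+# vim: set ts=4 sw=4 sts=4 et :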
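Review bot: `mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/` fails when the directory exists but is empty, because the unmatched glob is handed to mv literally, and under `set -e` that aborts prerm so the package cannot be removed. The postinst in this commit creates that directory unconditionally and only moves files into it when /etc/udev/rules.d holds non-Qubes rules, so the empty case is reachable. Testing for content instead of existence closes it: `if [ -n "$(ls -A /var/lib/qubes/removed-udev-scripts 2>/dev/null)" ] ; then`.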

47
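--- a/debian/qubes-core-agent.triggers
+++ b/debian/qubes-core-agent.triggers
@@ -0,0 +1,47 @@
+interest-noawait /usr/share/applications
+interest-noawait /lib/systemd/system/NetworkManager.service
+interest-noawait /lib/systemd/system/NetworkManager-wait-online.service
+interest-noawait /lib/systemd/system/ModemManager.service
+interest-noawait /etc/init/serial.conf
+interest-noawait /etc/selinux/config
+interest-noawait /lib/systemd/system/cups.service
+interest-noawait /lib/systemd/system/haveged.service
+# Desktop Entry Modification - Remove existing rules
+interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop
+interest-noawait /etc/xdg/autostart/nm-applet.desktop
+interest-noawait /etc/xdg/autostart/abrt-applet.desktop
+# Desktop Entry Modification - Not shown in Qubes
+interest-noawait /etc/xdg/autostart/pulseaudio.desktop
+interest-noawait /etc/xdg/autostart/deja-dup-monitor.desktop
+interest-noawait /etc/xdg/autostart/imsettings-start.desktop
+interest-noawait /etc/xdg/autostart/krb5-auth-dialog.desktop
+interest-noawait /etc/xdg/autostart/pulseaudio.desktop
+interest-noawait /etc/xdg/autostart/restorecond.desktop
+interest-noawait /etc/xdg/autostart/sealertauto.desktop
+interest-noawait /etc/xdg/autostart/gnome-power-manager.desktop
+interest-noawait /etc/xdg/autostart/gnome-sound-applet.desktop
+interest-noawait /etc/xdg/autostart/gnome-screensaver.desktop
+interest-noawait /etc/xdg/autostart/orca-autostart.desktop
+# Desktop Entry Modification - Not shown in in DisposableVM
+interest-noawait /etc/xdg/autostart/gcm-apply.desktop
+# Desktop Entry Modification - Only shown in AppVM
+interest-noawait /etc/xdg/autostart/gnome-keyring-gpg.desktop
+interest-noawait /etc/xdg/autostart/gnome-keyring-pkcs11.desktop
+interest-noawait /etc/xdg/autostart/gnome-keyring-secrets.desktop
+interest-noawait /etc/xdg/autostart/gnome-keyring-ssh.desktop
+interest-noawait /etc/xdg/autostart/gnome-settings-daemon.desktop
+interest-noawait /etc/xdg/autostart/user-dirs-update-gtk.desktop
+interest-noawait /etc/xdg/autostart/gsettings-data-convert.desktop
+# Desktop Entry Modification - Only shown in Gnome & UpdateableVM
+interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop
+# Desktop Entry Modification - Only shown in Gnome & Qubes
+interest-noawait /etc/xdg/autostart/nm-applet.desktop
+# Desktop Entry Modification - Show in all
+interest-noawait /etc/xdg/autostart/notify-osd.desktop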


@ -10,7 +10,7 @@ all: xenstore-watch python close-window
xenstore-watch: xenstore-watch.o xenstore-watch: xenstore-watch.o
$(CC) -o xenstore-watch xenstore-watch.o -lxenstore $(CC) -o xenstore-watch xenstore-watch.o -lxenstore
close-window: close-window.c close-window: close-window.c
$(CC) -lX11 -o $@ $< $(CC) -o $@ $< -lX11
python: python:
python -m compileall . python -m compileall .
python -O -m compileall . python -O -m compileall .
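Review bot: The `close-window` recipe, like the `xenstore-watch` link line above it, spells out the whole command line, so `CFLAGS` and `LDFLAGS` supplied by the packaging never reach the compiler or linker. Debian builds usually pass their hardening options through those variables, so if the packaging exports them these binaries are likely built without them. Suggested form for the changed line: `$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -lX11`, and likewise for `xenstore-watch` with `-lxenstore` kept last.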


@ -1,4 +1,4 @@
#!/bin/sh #!/bin/bash
apps="evince /usr/libexec/evinced soffice firefox" apps="evince /usr/libexec/evinced soffice firefox"


@ -1,11 +1,11 @@
# Main qubes updates repository # Main qubes updates repository
#deb http://deb.qubes-os.org/r3/vm @DIST@ main #deb [arch=amd64] http://deb.qubes-os.org/r3/vm @DIST@ main
#deb-src http://deb.qubes-os.org/r3/vm @DIST@ main #deb-src http://deb.qubes-os.org/r3/vm @DIST@ main
# Qubes updates candidates repository # Qubes updates candidates repository
#deb http://deb.qubes-os.org/r3/vm @DIST@-testing main #deb [arch=amd64] http://deb.qubes-os.org/r3/vm @DIST@-testing main
#deb-src http://deb.qubes-os.org/r3/vm @DIST@-testing main #deb-src http://deb.qubes-os.org/r3/vm @DIST@-testing main
# Qubes experimental/unstable repository # Qubes experimental/unstable repository
#deb http://deb.qubes-os.org/r3/vm @DIST@-unstable main #deb [arch=amd64] http://deb.qubes-os.org/r3/vm @DIST@-unstable main
#deb-src http://deb.qubes-os.org/r3/vm @DIST@-unstable main #deb-src http://deb.qubes-os.org/r3/vm @DIST@-unstable main


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
UPDATEABLE=`/usr/bin/qubesdb-read /qubes-vm-updateable` UPDATEABLE=`qubesdb-read /qubes-vm-updateable`
if [ "$UPDATEABLE" = "True" ]; then if [ "$UPDATEABLE" = "True" ]; then
/usr/lib/qubes/qrexec-client-vm dom0 qubes.SyncAppMenus /bin/sh /etc/qubes-rpc/qubes.GetAppmenus /usr/lib/qubes/qrexec-client-vm dom0 qubes.SyncAppMenus /bin/sh /etc/qubes-rpc/qubes.GetAppmenus
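Review bot: Dropping the absolute path from `qubesdb-read` makes the lookup depend on whatever PATH the caller provides, and nothing in this hunk sets one. The script appears to be run from a package-manager hook, presumably as root, so the search path should be pinned at the top, e.g. `PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH`. That still covers the Debian/Fedora location difference without trusting the inherited environment. The same applies to the other hunks in this commit that make the same substitution: the `qubesdb-write` calls in the external-IP script, `qubesdb-read`/`iptables-save`/`iptables-restore` in the firewall loop, the `xenstore-read`/`xenstore-write`/`xenstore-watch` calls, the gateway setup script, and `QDB_READ`/`QDB_LS` in the sysinit script.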


@ -1,8 +1,8 @@
#!/bin/sh #!/bin/sh
if [ x$2 == xup ]; then if [ x$2 == xup ]; then
INET=$(/sbin/ip addr show dev $1 | /bin/grep inet) INET=$(/sbin/ip addr show dev $1 | /bin/grep inet)
/usr/bin/qubesdb-write /qubes-netvm-external-ip "$INET" qubesdb-write /qubes-netvm-external-ip "$INET"
fi fi
if [ x$2 == xdown ]; then if [ x$2 == xdown ]; then
/usr/bin/qubesdb-write /qubes-netvm-external-ip "" qubesdb-write /qubes-netvm-external-ip ""
fi fi
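Review bot: Both tests use `==` inside `[ ]` while the shebang stays `#!/bin/sh`. Where /bin/sh is dash, as on Debian by default, that operator is rejected, so both conditions come out false and the external IP is never written or cleared. Other scripts in this merge switch the interpreter to bash, but this one does not, so the portable form is needed: `if [ "x$2" = xup ]; then` and `if [ "x$2" = xdown ]; then`. Quoting the interface argument, `ip addr show dev "$1"`, is worth doing in the same pass.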

1
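--- a/network/80-qubes.conf
+++ b/network/80-qubes.conf
@@ -0,0 +1 @@
+net.ipv4.ip_forward=1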
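Review bot: Forwarding is switched on here for every VM that ships this drop-in, and the file has no comment saying which VM roles need it. The install rule is not visible in this section, but if the file lands in all templates, AppVMs that never route get `ip_forward=1` as well. In a NetVM or ProxyVM it may also take effect at boot before the firewall service has loaded its rules; the firewall loop elsewhere in this commit deliberately writes 0 while rules are being applied. Consider enabling forwarding from the network setup path once rules are in place, or at least add a header comment such as `# Needed only for NetVM/ProxyVM routing; FORWARD rules must be loaded before this takes effect`.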


@ -1,11 +1,19 @@
# Yum filters
# -----------------------------------------------------------------------------
/repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$ /repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$
/repodata/repomd\.xml$ /repodata/repomd\.xml$
\.rpm$ \.rpm$
\.drpm$ \.drpm$
^mirrors\.fedoraproject\.org:443$ ^mirrors\.fedoraproject\.org:443$
^http://mirrors\..*/mirrorlist\? ^http://mirrors\..*/mirrorlist\?
\.deb$
/dists/[a-z]*/\(InRelease\|Release\|Release.gpg\)$ # Debian filters
/dists/[a-z]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\)$ #
/dists/[a-z]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ # Whonix uses sourceforge to host its repos and url can end in:
/dists/[a-z]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ # '/' or '/download' or '?.*'
# -----------------------------------------------------------------------------
\.deb\(\|\/\|\/download\|\?.*\)$
/dists/[a-z-]*/\(InRelease\|Release\|Release.gpg\)\(\|\|/\|\/download\|\?.*\)$
/dists/[a-z-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|\.gpg\)\(\|\|/\|\/download\|\?.*\)$
/dists/[a-z-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$
/dists/[a-z-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$
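Review bot: The new trailing group `\(\|\|/\|\/download\|\?.*\)` lists the empty alternative twice, which looks like a leftover, and its `\?.*` branch accepts any query string. None of these patterns is tied to a host, so that branch widens what the filter lets through well beyond the sourceforge case the added comment describes. Suggest `\(\|/\|/download\|\?.*\)$` for the group, plus a comment stating why arbitrary query strings have to be accepted. Escaping the dot in `Release.gpg` as `Release\.gpg` would tighten the same line.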


@ -14,6 +14,6 @@ unmanaged_devices=mac:fe:ff:ff:ff:ff:ff
# unmanaged_devices="$unmanaged_devices;mac:$mac" # unmanaged_devices="$unmanaged_devices;mac:$mac"
#done #done
sed -i -e "s/^unmanaged-devices=.*/unmanaged-devices=$unmanaged_devices/" /etc/NetworkManager/NetworkManager.conf sed -i -e "s/^unmanaged-devices=.*/unmanaged-devices=$unmanaged_devices/" /etc/NetworkManager/NetworkManager.conf
sed -i -e "s/^plugins=.*/plugins=keyfile,ifcfg-rh/" /etc/NetworkManager/NetworkManager.conf sed -i -e "s/^plugins=.*/plugins=keyfile/" /etc/NetworkManager/NetworkManager.conf
exit 0 exit 0


@ -34,19 +34,19 @@ while true; do
# during the time when the rules are being (re)applied # during the time when the rules are being (re)applied
echo "0" > /proc/sys/net/ipv4/ip_forward echo "0" > /proc/sys/net/ipv4/ip_forward
RULES=$(/usr/bin/qubesdb-read $XENSTORE_IPTABLES_HEADER) RULES=$(qubesdb-read $XENSTORE_IPTABLES_HEADER)
IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d') IPTABLES_SAVE=$(iptables-save | sed '/^\*filter/,/^COMMIT/d')
OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || true` OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | iptables-restore 2>&1 || true`
for i in $(qubesdb-list -f /qubes-iptables-domainrules) ; do for i in $(qubesdb-list -f /qubes-iptables-domainrules) ; do
RULES=$(/usr/bin/qubesdb-read "$i") RULES=$(qubesdb-read "$i")
ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true` ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true`
if [ -n "$ERRS" ]; then if [ -n "$ERRS" ]; then
echo "Failed applying rules for $i: $ERRS" >&2 echo "Failed applying rules for $i: $ERRS" >&2
OUT="$OUT$ERRS" OUT="$OUT$ERRS"
fi fi
done done
/usr/bin/qubesdb-write $XENSTORE_ERROR "$OUT" qubesdb-write $XENSTORE_ERROR "$OUT"
if [ -n "$OUT" ]; then if [ -n "$OUT" ]; then
DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || : DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
fi fi
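Review bot: Inside the per-domain loop the `iptables-restore -n` call keeps its `/sbin/` prefix, while the header rules a few lines above now go through a PATH lookup, so the two invocations in one pass can resolve to different binaries. Use one form for both, e.g. `iptables-restore -n` with PATH pinned at the top of the script. Both calls also discard the exit status with `|| true` and rely on the captured text alone. Whether `ip_forward` is turned back on after a failed load cannot be seen here, because the `while` loop starts and ends outside this hunk. A comment next to the `echo "0"` line stating the intended fail-closed behaviour would help the next reader.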


@ -11,9 +11,9 @@ echo $$ >$PIDFILE
trap 'exit 0' SIGTERM trap 'exit 0' SIGTERM
while true; do while true; do
NET_DOMID=$(/usr/bin/xenstore-read qubes-netvm-domid || :) NET_DOMID=$(xenstore-read qubes-netvm-domid || :)
if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then
UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :) UNTRUSTED_NETCFG=$(xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :)
# UNTRUSTED_NETCFG is not parsed in any way # UNTRUSTED_NETCFG is not parsed in any way
# thus, no sanitization ready # thus, no sanitization ready
# but be careful when passing it to other shell scripts # but be careful when passing it to other shell scripts
@ -21,11 +21,11 @@ while true; do
/sbin/service qubes-firewall stop /sbin/service qubes-firewall stop
/sbin/service qubes-firewall start /sbin/service qubes-firewall start
CURR_NETCFG="$UNTRUSTED_NETCFG" CURR_NETCFG="$UNTRUSTED_NETCFG"
/usr/bin/xenstore-write qubes-netvm-external-ip "$CURR_NETCFG" xenstore-write qubes-netvm-external-ip "$CURR_NETCFG"
fi fi
/usr/bin/xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid
else else
/usr/bin/xenstore-watch -n 2 qubes-netvm-domid xenstore-watch -n 2 qubes-netvm-domid
fi fi
done done


@ -10,7 +10,7 @@ addrule()
fi fi
} }
export PATH=$PATH:/sbin:/bin export PATH=$PATH:/sbin:/bin
source /var/run/qubes/qubes-ns . /var/run/qubes/qubes-ns
if [ "X"$NS1 = "X" ] ; then exit ; fi if [ "X"$NS1 = "X" ] ; then exit ; fi
iptables -t nat -F PR-QBS iptables -t nat -F PR-QBS
FIRSTONE=yes FIRSTONE=yes


@ -26,14 +26,24 @@ if [ x$ip != x ]; then
[ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook [ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook
fi fi
if [ -f /var/run/qubes-service/network-manager ]; then if [ -f /var/run/qubes-service/network-manager ]; then
cat > /etc/sysconfig/network-scripts/ifcfg-$INTERFACE <<__EOF__ cat > /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE <<__EOF__
DEVICE=$INTERFACE [802-3-ethernet]
IPADDR=$ip duplex=full
NETMASK=255.255.255.255
NETWORK=$ip [connection]
ONBOOT=yes id=VM uplink $INTERFACE
GATEWAYDEV=$INTERFACE uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef
GATEWAY=$gateway type=802-3-ethernet
[ipv6]
method=ignore
[ipv4]
method=manual
dns=$gateway;$secondary_dns
address1=$ip/32,$gateway
may-fail=false
__EOF__ __EOF__
chmod 600 /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
fi fi
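Review bot: The generated keyfile hard-codes `uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef` while the file name and `id` vary with `$INTERFACE`. NetworkManager identifies connections by UUID, so a second uplink interface would yield two profiles with the same identity. If only one uplink can ever exist this is harmless; otherwise derive the value per interface. The file is also created under the default umask and only tightened afterwards by `chmod 600`; writing it inside `( umask 077; cat > ... )` removes the interval in which it has wider permissions. `$secondary_dns` and the enclosing `if` are defined outside this hunk.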
fi fi


@ -140,11 +140,11 @@ remove_ShowIn () {
fi fi
} }
# reenable abrt-aplet if disable by some earlier version of package # reenable if disabled by some earlier version of package
remove_ShowIn abrt-applet.desktop remove_ShowIn abrt-applet.desktop imsettings-start.desktop
# don't want it at all # don't want it at all
for F in deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do for F in deja-dup-monitor krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do
if [ -e /etc/xdg/autostart/$F.desktop ]; then if [ -e /etc/xdg/autostart/$F.desktop ]; then
remove_ShowIn $F remove_ShowIn $F
echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop
@ -213,6 +213,17 @@ if ! grep -q localhost /etc/hosts; then
EOF EOF
fi fi
# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
# in the form expected by qubes-sysinit.sh
for ip in '127\.0\.0\.1' '::1'; do
if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
else
echo "${ip} `hostname`" >> /etc/hosts
fi
done
if [ "$1" != 1 ] ; then if [ "$1" != 1 ] ; then
# do the rest of %post thing only when updating for the first time... # do the rest of %post thing only when updating for the first time...
exit 0 exit 0
@ -279,7 +290,7 @@ fi
if [ $1 -eq 0 ] ; then if [ $1 -eq 0 ] ; then
/usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
if [ -l /lib/firmware/updates ]; then if [ -L /lib/firmware/updates ]; then
rm /lib/firmware/updates rm /lib/firmware/updates
fi fi
fi fi
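Review bot: In the new /etc/hosts loop the variable `ip` holds a regular expression (`'127\.0\.0\.1'`), yet the `else` branch echoes `${ip}` verbatim into /etc/hosts, so a missing entry is appended with the backslashes in it and is not a valid address. Keep the literal address and the pattern apart: iterate over `127.0.0.1 ::1` and compute `ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')` for the `grep` and `sed` calls. The output of `hostname` is likewise pasted unescaped into the sed pattern and replacement, so a name containing `.` matches more than intended.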


@ -1,11 +1,11 @@
#!/bin/sh #!/bin/sh
# Setup gateway for all the VMs this netVM is serviceing... # Setup gateway for all the VMs this netVM is serviceing...
network=$(/usr/bin/qubesdb-read /qubes-netvm-network 2>/dev/null) network=$(qubesdb-read /qubes-netvm-network 2>/dev/null)
if [ "x$network" != "x" ]; then if [ "x$network" != "x" ]; then
gateway=$(/usr/bin/qubesdb-read /qubes-netvm-gateway) gateway=$(qubesdb-read /qubes-netvm-gateway)
netmask=$(/usr/bin/qubesdb-read /qubes-netvm-netmask) netmask=$(qubesdb-read /qubes-netvm-netmask)
secondary_dns=$(/usr/bin/qubesdb-read /qubes-netvm-secondary-dns) secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns)
modprobe netbk 2> /dev/null || modprobe xen-netback modprobe netbk 2> /dev/null || modprobe xen-netback
echo "NS1=$gateway" > /var/run/qubes/qubes-ns echo "NS1=$gateway" > /var/run/qubes/qubes-ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns


@ -3,6 +3,7 @@ Description=Qubes remote exec agent
After=qubes-dvm.service After=qubes-dvm.service
[Service] [Service]
ExecStartPre=/bin/sh -c '[ -e /dev/xen/evtchn ] || modprobe xen_evtchn'
ExecStart=/usr/lib/qubes/qrexec-agent ExecStart=/usr/lib/qubes/qrexec-agent
StandardOutput=syslog StandardOutput=syslog


@ -1,4 +1,4 @@
#!/bin/sh #!/bin/bash
# List of services enabled by default (in case of absence of qubesdb entry) # List of services enabled by default (in case of absence of qubesdb entry)
DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy" DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy"
@ -7,8 +7,8 @@ DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check"
DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM updates-proxy-setup" DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM updates-proxy-setup"
DEFAULT_ENABLED="meminfo-writer" DEFAULT_ENABLED="meminfo-writer"
QDB_READ=/usr/bin/qubesdb-read QDB_READ=qubesdb-read
QDB_LS=/usr/bin/qubesdb-multiread QDB_LS=qubesdb-multiread
read_service() { read_service() {
$QDB_READ /qubes-service/$1 2> /dev/null $QDB_READ /qubes-service/$1 2> /dev/null
@ -31,6 +31,8 @@ mkdir -p /var/run/xen-hotplug
# Set permissions to /proc/xen/xenbus, so normal user can use qubesdb-read # Set permissions to /proc/xen/xenbus, so normal user can use qubesdb-read
chmod 666 /proc/xen/xenbus chmod 666 /proc/xen/xenbus
[ -e /proc/u2mfn ] || modprobe u2mfn
# Set permissions to files needed to listen at vchan # Set permissions to files needed to listen at vchan
chmod 666 /proc/u2mfn chmod 666 /proc/u2mfn
@ -60,15 +62,25 @@ done
name=`$QDB_READ /name` name=`$QDB_READ /name`
if [ -n "$name" ]; then if [ -n "$name" ]; then
hostname $name hostname $name
sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts if [ -e /etc/debian_version ]; then
ipv4_localhost_re="127\.0\.1\.1"
else
ipv4_localhost_re="127\.0\.0\.1"
fi
sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
fi fi
timezone=`$QDB_READ /qubes-timezone 2> /dev/null` timezone=`$QDB_READ /qubes-timezone 2> /dev/null`
if [ -n "$timezone" ]; then if [ -n "$timezone" ]; then
ln -f /usr/share/zoneinfo/$timezone /etc/localtime cp -p /usr/share/zoneinfo/$timezone /etc/localtime
if [ -e /etc/debian_version ]; then
echo "$timezone" > /etc/timezone
else
echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
fi fi
fi
# Prepare environment for other services # Prepare environment for other services
echo > /var/run/qubes-service-environment echo > /var/run/qubes-service-environment
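Review bot: `cp -p /usr/share/zoneinfo/$timezone /etc/localtime` uses the qubesdb value unquoted and without checking that it names a zone file. `/etc/timezone` (or `/etc/sysconfig/clock`) is written even when the copy fails, which leaves the two out of step. The value apparently originates in dom0, so this is more about robustness than trust, but a value containing `..` or whitespace would still be followed. Suggest guarding the block with `[ -f "/usr/share/zoneinfo/$timezone" ]` and quoting the path: `cp -p "/usr/share/zoneinfo/$timezone" /etc/localtime`. The `${name}` interpolation in the two new `sed` replacements has the same shape, since a `/` or `&` in the name would change the expression.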


@ -4,4 +4,4 @@ ConditionPathExists=/var/run/qubes-service/qubes-update-check
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0' ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'if [ -e /usr/bin/yum ]; then yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0; else apt-get -q update > /dev/null; apt-get -s upgrade | awk "/^Inst/{ print $2 }" | [[ $(wc -L) -eq 0 ]] && echo 0 || echo 1; fi'
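Review bot: The new apt branch runs under `/bin/sh -c` but uses `[[ ... ]]`, which dash (Debian's default /bin/sh) does not implement. The test then fails every time and `|| echo 1` reports pending updates regardless of the real state. The `$2` in the awk program sits inside double quotes in the sh script, so the shell rather than awk expands it, and `wc -L` is a GNU extension. A form that needs none of these: `apt-get -s upgrade | grep -q "^Inst" && echo 1 || echo 0`.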