Merge branch 'debian'
Conflicts: misc/qubes-r2.list.in misc/qubes-trigger-sync-appmenus.sh network/30-qubes-external-ip network/qubes-firewall vm-systemd/network-proxy-setup.sh vm-systemd/prepare-dvm.sh vm-systemd/qubes-sysinit.sh
commit
9130636c88
21
Makefile
21
Makefile
@ -88,21 +88,27 @@ install-rh: install-systemd install-sysvinit
|
|||||||
install -d $(DESTDIR)/etc/yum.conf.d
|
install -d $(DESTDIR)/etc/yum.conf.d
|
||||||
touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf
|
touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf
|
||||||
|
|
||||||
install-common:
|
install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/
|
||||||
install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
|
install -d $(DESTDIR)/var/lib/qubes/dom0-updates
|
||||||
|
install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
|
||||||
|
|
||||||
install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
|
install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
|
||||||
install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
|
install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
|
||||||
|
|
||||||
|
install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables
|
||||||
|
install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
|
||||||
|
|
||||||
|
install-common:
|
||||||
|
install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
|
||||||
|
|
||||||
install -d $(DESTDIR)/var/lib/qubes
|
install -d $(DESTDIR)/var/lib/qubes
|
||||||
|
|
||||||
install -D misc/xenstore-watch $(DESTDIR)/usr/bin/xenstore-watch-qubes
|
install -D misc/xenstore-watch $(DESTDIR)/usr/bin/xenstore-watch-qubes
|
||||||
install -d $(DESTDIR)/etc/udev/rules.d
|
install -d $(DESTDIR)/etc/udev/rules.d
|
||||||
install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules
|
install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules
|
||||||
install -d $(DESTDIR)/usr/lib/qubes/
|
install -d $(DESTDIR)/usr/lib/qubes/
|
||||||
install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/
|
|
||||||
install misc/vusb-ctl.py $(DESTDIR)/usr/lib/qubes/
|
install misc/vusb-ctl.py $(DESTDIR)/usr/lib/qubes/
|
||||||
install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)/usr/lib/qubes/
|
install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)/usr/lib/qubes/
|
||||||
install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
|
|
||||||
install -D misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
|
install -D misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
|
||||||
install -D misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules
|
install -D misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules
|
||||||
install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs
|
install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs
|
||||||
@ -129,8 +135,6 @@ install-common:
|
|||||||
install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
|
install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
|
||||||
install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
|
install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
|
||||||
install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
|
install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
|
||||||
install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables
|
|
||||||
install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
|
|
||||||
install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
|
install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
|
||||||
install -m 0644 -D network/filter-updates $(DESTDIR)/etc/tinyproxy/filter-updates
|
install -m 0644 -D network/filter-updates $(DESTDIR)/etc/tinyproxy/filter-updates
|
||||||
install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)/usr/lib/qubes/iptables-updates-proxy
|
install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)/usr/lib/qubes/iptables-updates-proxy
|
||||||
@ -176,7 +180,6 @@ install-common:
|
|||||||
install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf
|
install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf
|
||||||
|
|
||||||
install -d $(DESTDIR)/mnt/removable
|
install -d $(DESTDIR)/mnt/removable
|
||||||
install -d $(DESTDIR)/var/lib/qubes/dom0-updates
|
|
||||||
|
|
||||||
install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf
|
install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf
|
||||||
|
|
||||||
@ -188,5 +191,9 @@ install-deb:
|
|||||||
mkdir -p $(DESTDIR)/etc/apt/sources.list.d
|
mkdir -p $(DESTDIR)/etc/apt/sources.list.d
|
||||||
sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list
|
sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list
|
||||||
install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
|
install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
|
||||||
|
install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4
|
||||||
|
install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6
|
||||||
|
install -d $(DESTDIR)/etc/sysctl.d
|
||||||
|
install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
|
||||||
|
|
||||||
install-vm: install-rh install-common
|
install-vm: install-rh install-common
|
||||||
|
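Review bot: In `install-deb` the firewall rule sets are installed world-readable (`install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4`, and the same for `rules.v6`), while `install-rh` in this section installs the same two source files with `-m 0400`. Unless the Debian rule loader needs them readable by other users, which this page does not show, keep the two targets consistent, e.g. `install -D -m 0400 network/iptables $(DESTDIR)/etc/iptables/rules.v4`. Separately, `install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/` now sits in `install-rh`, but the `install -d $(DESTDIR)/usr/lib/qubes/` that creates the directory stays in `install-common`, which `install-vm` lists after `install-rh`; unless `install-systemd` or `install-sysvinit` create it (not visible here), an `install -d` line is needed before it. Both recipes start above the visible hunks.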
7
debian/control
vendored
7
debian/control
vendored
@ -9,8 +9,11 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git
|
|||||||
|
|
||||||
Package: qubes-core-agent
|
Package: qubes-core-agent
|
||||||
Architecture: any
|
Architecture: any
|
||||||
Depends: qubes-utils, libvchan-xen, xenstore-utils, ethtool, python2.7, ${shlibs:Depends}, ${misc:Depends}
|
Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), network-manager-gnome, haveged, iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, libnotify-bin, notify-osd, systemd, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends}
|
||||||
Conflicts: qubes-core-agent-linux
|
Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit
|
||||||
Description: Qubes core agent
|
Description: Qubes core agent
|
||||||
This package includes various daemons necessary for qubes domU support,
|
This package includes various daemons necessary for qubes domU support,
|
||||||
such as qrexec.
|
such as qrexec.
|
||||||
|
|
||||||
|
# Unresolved depends that exist in rpm_spec
|
||||||
|
#qubes-core-vm-kernel-placeholder, qubes-core-vm,
|
||||||
|
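--- a/debian/files
+++ b/debian/files
@@ -1 +0,0 @@
-qubes-core-agent_2.1.33_amd64.deb admin extra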
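--- a/debian/qubes-core-agent.postinst
+++ b/debian/qubes-core-agent.postinst
@@ -0,0 +1,504 @@
+#!/bin/bash
+# postinst script for core-agent-linux
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The postint script may be called in the following ways:
+# * <postinst> 'configure' <most-recently-configured-version>
+# * <old-postinst> 'abort-upgrade' <new version>
+# * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
+# <new-version>
+# * <postinst> 'abort-remove'
+# * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
+# <failed-install-package> <version> 'removing'
+# <conflicting-package> <version>
+#
+# For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+# Directory that modified desktop entry config files are stored in
+XDG_CONFIG_QUBES="/usr/share/qubes/xdg"
+
+# Install overriden services only when original exists
+installOverridenServices() {
+override_dir="${1}"
+service="${2}"
+retval=1
+
+for unit in ${service}; do
+unit="${unit%%.*}"
+unit_name="$(basename ${unit})"
+if [ -f ${unit}.service ]; then
+echo "Installing override for ${unit}.service..."
+cp ${override_dir}/${unit_name}.service /etc/systemd/system/
+retval=0
+fi
+if [ -f ${unit}.socket -a -f ${override_dir}/${unit}.socket ]; then
+echo "Installing override for ${unit}.socket..."
+cp ${override_dir}/${unit_name}.socket /etc/systemd/system/
+retval=0
+fi
+if [ -f ${unit}.path -a -f ${override_dir}/${unit}.path ]; then
+echo "Installing override for ${unit}.path..."
+cp ${override_dir}/${unit_name}.path /etc/systemd/system/
+retval=0
+fi
+done
+
+return ${retval}
+}
+
+reenableNetworkManager() {
+# Disable original service to enable overriden one
+echo "Disabling original service to enable overriden one..."
+disableSystemdUnits ModemManager.service
+disableSystemdUnits NetworkManager.service
+
+# Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)
+echo "Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)"
+systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null || echo "Could not disable D-BUS activation of NetworkManager"
+
+echo "Re-enabling original service to enable overriden one..."
+enableSystemdUnits ModemManager.service
+enableSystemdUnits NetworkManager.service
+
+# Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811
+echo "Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811"
+enableSystemdUnits NetworkManager-dispatcher.service
+}
+
+remove_ShowIn() {
+if [ -e "${1}" ]; then
+sed -i '/^\(Not\|Only\)ShowIn/d' "${1}"
+fi
+}
+
+showIn() {
+desktop_entry="${1}"
+shown_in="${2}"
+message="${shown_in:-"Shown in All;"}"
+desktop_entry_qubes="${XDG_CONFIG_QUBES}/autostart/${desktop_entry##*/}"
+
+# Make sure Qubes autostart directory exists
+mkdir -p "${XDG_CONFIG_QUBES}/autostart"
+
+# Desktop entry exists, so move to Qubes directory and modify it
+if [ -e "${desktop_entry}" ]; then
+echo "Desktop Entry Modification - ${message} ${desktop_entry##*/}..."
+cp -pf "${desktop_entry}" "${desktop_entry_qubes}"
+
+remove_ShowIn "${desktop_entry_qubes}"
+sed -i '/^X-GNOME-Autostart-enabled.*[fF0]/d' "${desktop_entry_qubes}"
+
+# Will only be '' if shown in all
+if [ ! "${shown_in}x" == "x" ]; then
+echo "${shown_in}" >> "${desktop_entry_qubes}" || true
+fi
+
+# Desktop entry must have been removed, so also remove from Qubes directory
+else
+echo "Desktop Entry Modification - Remove: ${desktop_entry##*/}..."
+rm -f "${desktop_entry_qubes}"
+fi
+}
+
+setArrayAsGlobal() {
+local array="$1"
+local export_as="$2"
+local code=$(declare -p "$array")
+local replaced="${code/$array/$export_as}"
+eval ${replaced/declare -/declare -g}
+}
+
+systemdInfo() {
+unit=${1}
+return_global_var=${2}
+
+declare -A INFO=()
+while read line; do
+INFO[${line%%=*}]="${line##*=}"
+done < <(systemctl show ${unit} 2> /dev/null)
+
+setArrayAsGlobal INFO $return_global_var
+return ${#INFO[@]}
+}
+
+displayFailedStatus() {
+action=${1}
+unit=${2}
+
+# Only display if there are results. In chroot environmnet there will be
+# no results to 'systemctl show' command
+systemdInfo ${unit} info || {
+echo
+echo "==================================================="
+echo "FAILED: systemd ${action} ${unit}"
+echo "==================================================="
+echo " LoadState = ${info[LoadState]}"
+echo " LoadError = ${info[LoadError]}"
+echo " ActiveState = ${info[ActiveState]}"
+echo " SubState = ${info[SubState]}"
+echo "UnitFileState = ${info[UnitFileState]}"
+echo
+}
+}
+
+# Disable systemd units
+disableSystemdUnits() {
+for unit in $*; do
+systemctl is-enabled ${unit} > /dev/null 2>&1 && {
+echo "Disabling ${unit}..."
+systemctl is-active ${unit} > /dev/null 2>&1 && {
+systemctl stop ${unit} > /dev/null 2>&1 || displayFailedStatus stop ${unit}
+}
+if [ -f /lib/systemd/system/${unit} ]; then
+if fgrep -q '[Install]' /lib/systemd/system/${unit}; then
+systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
+else
+# Forcibly disable
+echo "Forcibly disabling: ${unit}"
+ln -sf /dev/null /etc/systemd/system/${unit}
+fi
+else
+systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
+fi
+} || {
+echo "It appears ${unit} is already disabled!"
+#displayFailedStatus is-disabled ${unit}
+}
+done
+}
+
+# Enable systemd units
+enableSystemdUnits() {
+for unit in $*; do
+systemctl is-enabled ${unit} > /dev/null 2>&1 && {
+echo "It appears ${unit} is already enabled!"
+#displayFailedStatus is-enabled ${unit}
+} || {
+echo "Enabling: ${unit}..."
+systemctl enable ${unit} > /dev/null 2>&1 && {
+systemctl start ${unit} > /dev/null 2>&1 || displayFailedStatus start ${unit}
+} || {
+echo "Could not enable: ${unit}"
+displayFailedStatus enable ${unit}
+}
+}
+done
+}
+
+# Manually trigger all triggers to automaticatly configure
+triggerTriggers() {
+path="$(readlink -m ${0})"
+triggers="${path/postinst/triggers}"
+
+awk '{sub(/[ \t]*#.*/,"")} NF' ${triggers} | while read line
+do
+/bin/bash -c "${0} triggered ${line##* }" || true
+done
+}
+
+case "${1}" in
+configure)
+# disable some Upstart services
+for init in plymouth-shutdown \
+prefdm \
+splash-manager \
+start-ttys \
+tty ; do
+if [ -e /etc/init/${init}.conf ]; then
+mv -f /etc/init/${init}.conf /etc/init/${init}.conf.disabled
+fi
+done
+
+# Stops Qt form using the MIT-SHM X11 Shared Memory Extension
+echo 'export QT_X11_NO_MITSHM=1' > /etc/profile.d/qt_x11_no_mitshm.sh
+chmod 0755 /etc/profile.d/qt_x11_no_mitshm.sh
+
+# Sudo's defualt umask is 077 so set sane default of 022
+# Also don't allow QT to used shared memory to prevent errors
+echo 'Defaults umask = 0002' > /etc/sudoers.d/umask
+echo 'Defaults umask_override' >> /etc/sudoers.d/umask
+chmod 0440 /etc/sudoers.d/umask
+echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm
+chmod 0440 /etc/sudoers.d/qt_x11_no_mitshm
+
+# Create NetworkManager configuration if we do not have it
+if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
+echo '[main]' > /etc/NetworkManager/NetworkManager.conf
+echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
+echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
+fi
+
+# XXX: Test to see if this will satisify dispatcher dependancy
+if [ ! -e "/lib/systemd/system/org.freedesktop.nm_dispatcher.service" ]; then
+ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service
+fi
+
+# Remove old firmware updates link
+if [ -L /lib/firmware/updates ]; then
+rm -f /lib/firmware/updates
+fi
+
+#if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
+# echo >> /etc/yum.conf
+# echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
+# echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
+#fi
+
+# Revert 'Prevent unnecessary updates in VMs':
+#sed -i -e '/^exclude = kernel/d' /etc/yum.conf
+
+# ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
+# in the form expected by qubes-sysinit.sh
+for ip in '127\.0\.1\.1' '::1'; do
+if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
+sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
+else
+echo "${ip//\\/} `hostname`" >> /etc/hosts
+fi
+done
+# remove hostname from 127.0.0.1 line (in debian the hostname is by default
+# resolved to 127.0.1.1)
+sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+
+chown user:user /home_volatile/user
+
+#if [ "${1}" != 1 ] ; then
+# # do the rest of %post thing only when updating for the first time...
+# exit 0
+#fi
+
+if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then
+cp /etc/init/serial.conf /var/lib/qubes/serial.orig
+fi
+
+# Remove most of the udev scripts to speed up the VM boot time
+# Just leave the xen* scripts, that are needed if this VM was
+# ever used as a net backend (e.g. as a VPN domain in the future)
+#echo "--> Removing unnecessary udev scripts..."
+mkdir -p /var/lib/qubes/removed-udev-scripts
+for f in /etc/udev/rules.d/*
+do
+if [ $(basename ${f}) == "xen-backend.rules" ] ; then
+continue
+fi
+
+if [ $(basename ${f}) == "50-qubes-misc.rules" ] ; then
+continue
+fi
+
+if echo ${f} | grep -q qubes; then
+continue
+fi
+
+mv ${f} /var/lib/qubes/removed-udev-scripts/
+done
+
+# Create /rw directory
+mkdir -p /rw
+
+# XXX: TODO: Needs to be implemented still
+#rm -f /etc/mtab
+#echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
+#mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
+#grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0
+
+# Enable Qubes systemd units
+enableSystemdUnits \
+qubes-sysinit.service \
+qubes-misc-post.service \
+qubes-netwatcher.service \
+qubes-network.service \
+qubes-firewall.service \
+qubes-updates-proxy.service \
+qubes-updates-proxy.timer \
+qubes-qrexec-agent.service
+
+# Set default "runlevel"
+rm -f /etc/systemd/system/default.target
+ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+
+# Process all triggers which will set defaults to wanted values
+triggerTriggers
+
+disableSystemdUnits \
+alsa-store.service \
+alsa-restore.service \
+auditd.service \
+avahi.service \
+avahi-daemon.service \
+backuppc.service \
+cpuspeed.service \
+crond.service \
+fedora-autorelabel.service \
+fedora-autorelabel-mark.service \
+ipmi.service \
+hwclock-load.service \
+hwclock-save.service \
+mdmonitor.service \
+multipathd.service \
+openct.service \
+rpcbind.service \
+mcelog.service \
+fedora-storage-init.service \
+fedora-storage-init-late.service \
+plymouth-start.service \
+plymouth-read-write.service \
+plymouth-quit.service \
+plymouth-quit-wait.service \
+sshd.service \
+tcsd.service \
+sm-client.service \
+sendmail.service \
+mdmonitor-takeover.service \
+rngd smartd.service \
+upower.service \
+irqbalance.service \
+colord.service
+
+rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
+
+# Enable other systemd units
+enableSystemdUnits \
+rsyslog.service
+
+# XXX: TODO: Needs to be implemented still
+# These do not exist on debian; maybe a different package name
+# iptables.service \
+# ntpd.service \
+# ip6tables.service \
+;;
+
+abort-upgrade|abort-remove|abort-deconfigure)
+exit 0
+;;
+
+triggered)
+for trigger in ${2}; do
+case "${trigger}" in
+
+# Update Qubes App Menus
+/usr/share/applications)
+echo "Updating Qubes App Menus..."
+/usr/lib/qubes/qubes-trigger-sync-appmenus.sh || true
+;;
+
+# Install overriden services only when original exists
+/lib/systemd/system/NetworkManager.service | \
+/lib/systemd/system/NetworkManager-wait-online.service | \
+/lib/systemd/system/ModemManager.service)
+UNITDIR=/lib/systemd/system
+OVERRIDEDIR=/usr/lib/qubes/init
+installOverridenServices "${OVERRIDEDIR}" "${trigger}"
+if [ $? -eq 0 ]; then
+reenableNetworkManager
+fi
+;;
+
+# Enable cups only when it is real Systemd service
+/lib/systemd/system/cups.service)
+echo "Enabling cups"
+[ -e /lib/systemd/system/cups.service ] && enableSystemdUnits cups.service
+;;
+
+# "Enable haveged service"
+/lib/systemd/system/haveged.service)
+echo "Enabling haveged service"
+enableSystemdUnits haveged.service
+;;
+
+# Install overridden serial.conf init script
+/etc/init/serial.conf)
+echo "Installing over-ridden serial.conf init script..."
+if [ -e /etc/init/serial.conf ]; then
+cp /usr/share/qubes/serial.conf /etc/init/serial.conf
+fi
+;;
+
+# Disable SELinux"
+/etc/selinux/config)
+echo "Disabling SELinux..."
+if [ -e /etc/selinux/config ]; then
+sed -e s/^SELINUX=.*$/SELINUX=disabled/ </etc/selinux/config >/etc/selinux/config.processed
+mv /etc/selinux/config.processed /etc/selinux/config
+setenforce 0 2>/dev/null
+fi
+;;
+
+# Desktop Entry Modification - Remove existing rules
+/etc/xdg/autostart/gpk-update-icon.desktop | \
+/etc/xdg/autostart/nm-applet.desktop | \
+/etc/xdg/autostart/abrt-applet.desktop | \
+/etc/xdg/autostart/notify-osd.desktop)
+showIn "${trigger}"
+;;
+
+# Desktop Entry Modification - Not shown in Qubes
+/etc/xdg/autostart/pulseaudio.desktop | \
+/etc/xdg/autostart/deja-dup-monitor.desktop | \
+/etc/xdg/autostart/imsettings-start.desktop | \
+/etc/xdg/autostart/krb5-auth-dialog.desktop | \
+/etc/xdg/autostart/pulseaudio.desktop | \
+/etc/xdg/autostart/restorecond.desktop | \
+/etc/xdg/autostart/sealertauto.desktop | \
+/etc/xdg/autostart/gnome-power-manager.desktop | \
+/etc/xdg/autostart/gnome-sound-applet.desktop | \
+/etc/xdg/autostart/gnome-screensaver.desktop | \
+/etc/xdg/autostart/orca-autostart.desktop)
+showIn "${trigger}" 'NotShowIn=QUBES;'
+;;
+
+# Desktop Entry Modification - Not shown in in DisposableVM
+/etc/xdg/autostart/gcm-apply.desktop)
+showIn "${trigger}" 'NotShowIn=DisposableVM;'
+;;
+
+# Desktop Entry Modification - Only shown in AppVM
+/etc/xdg/autostart/gnome-keyring-gpg.desktop | \
+/etc/xdg/autostart/gnome-keyring-pkcs11.desktop | \
+/etc/xdg/autostart/gnome-keyring-secrets.desktop | \
+/etc/xdg/autostart/gnome-keyring-ssh.desktop | \
+/etc/xdg/autostart/gnome-settings-daemon.desktop | \
+/etc/xdg/autostart/user-dirs-update-gtk.desktop | \
+/etc/xdg/autostart/gsettings-data-convert.desktop)
+showIn "${trigger}" 'OnlyShowIn=GNOME;AppVM;'
+;;
+
+# Desktop Entry Modification - Only shown in Gnome & UpdateableVM
+/etc/xdg/autostart/gpk-update-icon.desktop)
+showIn "${trigger}" 'OnlyShowIn=GNOME;UpdateableVM;'
+;;
+
+# Desktop Entry Modification - Only shown in Gnome & Qubes
+/etc/xdg/autostart/nm-applet.desktop)
+showIn "${trigger}" 'OnlyShowIn=GNOME;QUBES;'
+;;
+
+*)
+echo "postinst called with unknown trigger \`${2}'" >&2
+exit 1
+;;
+esac
+done
+exit 0
+;;
+
+*)
+echo "postinst called with unknown argument \`${1}'" >&2
+exit 1
+;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :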
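Review bot: The sudoers drop-in written in the `configure` branch sets `Defaults umask = 0002` together with `umask_override`, while the comment directly above it says the intent is 022, so files created through sudo come out group-writable. If 022 is what is meant, the line should read `echo 'Defaults umask = 0022' > /etc/sudoers.d/umask`. Both drop-ins are also created with `echo >` and only afterwards `chmod 0440`, with no syntax check; writing to a temporary file, validating it with `visudo -cf`, then placing it with `install -m 0440` would avoid leaving a malformed or wrongly-moded file in /etc/sudoers.d. Separately, `ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service` a few lines further down creates the link in whatever the current directory happens to be, and under `set -e` it would abort a second `configure` run once that link exists.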
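--- a/debian/qubes-core-agent.postrm
+++ b/debian/qubes-core-agent.postrm
@@ -0,0 +1,58 @@
+#!/bin/bash
+# postrm script for core-agent-linux
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The prerm script may be called in the following ways:
+# * <postrm> 'remove'
+# * <postrm> 'purge'
+# * <old-postrm> 'upgrade' <new-version>
+# * <disappearer's-postrm> 'disappear' <overwriter> <overwriter-version>
+#
+# The postrm script is called after the package's files have been removed
+# or replaced. The package whose postrm is being called may have previously been
+# deconfigured and only be "Unpacked", at which point subsequent package changes
+# do not consider its dependencies. Therefore, all postrm actions may only rely
+# on essential packages and must gracefully skip any actions that require the
+# package's dependencies if those dependencies are unavailable.[48]
+#
+# * <new-postrm> 'failed-upgrade' <old-version>
+#
+# Called when the old postrm upgrade action fails. The new package will be
+# unpacked, but only essential packages and pre-dependencies can be relied on.
+# Pre-dependencies will either be configured or will be "Unpacked" or
+# "Half-Configured" but previously had been configured and was never removed.
+#
+# * <new-postrm> 'abort-install'
+# * <new-postrm> 'abort-install' <old-version>
+# * <new-postrm> 'abort-upgrade' <old-version>
+#
+# Called before unpacking the new package as part of the error handling of
+# preinst failures. May assume the same state as preinst can assume.
+#
+# For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+if [ "${1}" = "remove" ] ; then
+/usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :
+
+if [ -L /lib/firmware/updates ]; then
+rm /lib/firmware/updates
+fi
+
+for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-qrexec-agent; do
+systemctl disable ${srv}.service
+done
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :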
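Review bot: The `systemctl disable ${srv}.service` loop in the `remove` branch runs under `set -e` with no fallback, so a failing call (for example a unit that is not installed, or systemctl being unavailable) would abort the package removal. That contradicts the header comment's own rule that postrm must gracefully skip such actions; `systemctl disable ${srv}.service 2> /dev/null || :` would match the `|| :` already used on the glib-compile-schemas line. The list also omits units that the postinst on this page enables (`qubes-firewall.service`, `qubes-updates-proxy.service`, `qubes-updates-proxy.timer`), and nothing here removes the `/etc/sudoers.d/umask` and `/etc/sudoers.d/qt_x11_no_mitshm` drop-ins that postinst writes, so they outlive the package. The header comment also says "The prerm script may be called" where postrm is meant.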
112
debian/qubes-core-agent.preinst
vendored
Executable file
112
debian/qubes-core-agent.preinst
vendored
Executable file
@ -0,0 +1,112 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# preinst script for core-agent-linux
|
||||||
|
#
|
||||||
|
# see: dh_installdeb(1)
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# The preinst script may be called in the following ways:
|
||||||
|
# * <new-preinst> 'install'
|
||||||
|
# * <new-preinst> 'install' <old-version>
|
||||||
|
# * <new-preinst> 'upgrade' <old-version>
|
||||||
|
#
|
||||||
|
# The package will not yet be unpacked, so the preinst script cannot rely
|
||||||
|
# on any files included in its package. Only essential packages and
|
||||||
|
# pre-dependencies (Pre-Depends) may be assumed to be available.
|
||||||
|
# Pre-dependencies will have been configured at least once, but at the time the
|
||||||
|
# preinst is called they may only be in an "Unpacked" or "Half-Configured" state
|
||||||
|
# if a previous version of the pre-dependency was completely configured and has
|
||||||
|
# not been removed since then.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# * <old-preinst> 'abort-upgrade' <new-version>
|
||||||
|
#
|
||||||
|
# Called during error handling of an upgrade that failed after unpacking the
|
||||||
|
# new package because the postrm upgrade action failed. The unpacked files may
|
||||||
|
# be partly from the new version or partly missing, so the script cannot rely
|
||||||
|
# on files included in the package. Package dependencies may not be available.
|
||||||
|
# Pre-dependencies will be at least "Unpacked" following the same rules as
|
||||||
|
# above, except they may be only "Half-Installed" if an upgrade of the
|
||||||
|
# pre-dependency failed.[46]
|
||||||
|
#
|
||||||
|
# For details, see http://www.debian.org/doc/debian-policy/ or
|
||||||
|
# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
|
||||||
|
# the debian-policy package
|
||||||
|
|
||||||
|
if [ "$1" = "install" ] ; then
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
# Create required directories
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
mkdir -p /var/lib/qubes
|
||||||
|
mkdir -p /lib/modules
|
||||||
|
#mkdir -p -m 0700 /var/log/xen # xen-utils-common should do this
|
||||||
|
|
||||||
|
if [ -e /etc/fstab ] ; then
|
||||||
|
mv /etc/fstab /var/lib/qubes/fstab.orig
|
||||||
|
fi
|
||||||
|
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
# Many Qubes scripts reference /bin/sh expecting the shell to be bash but
|
||||||
|
# in Debian it is dash so some scripts will fail so force an alternate for
|
||||||
|
# /bin/sh to be /bin/bash
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
update-alternatives --force --install /bin/sh sh /bin/bash 999
|
||||||
|
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
# Modules setup
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
echo "xen_netfront" >> /etc/modules
|
||||||
|
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
# Remove `mesg` from root/.profile?
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
sed -i -e '/^mesg n/d' /root/.profile
|
||||||
|
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
# Update /etc/fstab
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
cat > /etc/fstab <<EOF
|
||||||
|
/dev/mapper/dmroot / ext4 defaults,noatime 1 1
|
||||||
|
/dev/xvdc1 swap swap defaults 0 0
|
||||||
|
|
||||||
|
/dev/xvdb /rw ext4 noauto,defaults,discard 1 2
|
||||||
|
/rw/home /home none noauto,bind,defaults 0 0
|
||||||
|
|
||||||
|
tmpfs /dev/shm tmpfs defaults 0 0
|
||||||
|
devpts /dev/pts devpts gid=5,mode=620 0 0
|
||||||
|
proc /proc proc defaults 0 0
|
||||||
|
sysfs /sys sysfs defaults 0 0
|
||||||
|
xen /proc/xen xenfs defaults 0 0
|
||||||
|
|
||||||
|
/dev/xvdi /mnt/removable auto noauto,user,rw 0 0
|
||||||
|
/dev/xvdd /lib/modules ext3 defaults 0 0
|
||||||
|
EOF
|
||||||
|
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
# User add / modifications
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
id -u 'user' || {
|
||||||
|
groupadd -f user
|
||||||
|
useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
|
||||||
|
}
|
||||||
|
id -u 'tinyproxy' || {
|
||||||
|
groupadd -f tinyproxy
|
||||||
|
useradd -g tinyproxy -M --home /run/tinyproxy --shell /bin/false tinyproxy
|
||||||
|
}
|
||||||
|
usermod -p '' root
|
||||||
|
usermod -L user
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$1" = "upgrade" ] ; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# dh_installdeb will replace this with shell code automatically
|
||||||
|
# generated by other debhelper scripts.
|
||||||
|
|
||||||
|
#DEBHELPER#
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
# vim: set ts=4 sw=4 sts=4 et :
|
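--- a/debian/qubes-core-agent.prerm
+++ b/debian/qubes-core-agent.prerm
@@ -0,0 +1,54 @@
+#!/bin/bash
+# prerm script for core-agent-linux
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# The prerm script may be called in the following ways:
+# * <prerm> 'remove'
+# * <old-prerm> 'upgrade' <new-version>
+# * <conflictor's-prerm> 'remove' 'in-favour' <package> <new-version>
+# * <deconfigured's-prerm> 'deconfigure' 'in-favour' <package-being-installed>
+# <version> [removing conflicting-package version]
+#
+# The package whose prerm is being called will be at least "Half-Installed".
+# All package dependencies will at least be "Half-Installed" and will have
+# previously been configured and not removed. If there was no error, all
+# dependencies will at least be "Unpacked", but these actions may be called in
+# various error states where dependencies are only "Half-Installed" due to a
+# partial upgrade.
+#
+# * <new-prerm> 'failed-upgrade' <old-version>
+#
+# Called during error handling when prerm upgrade fails. The new package
+# will not yet be unpacked, and all the same constraints as for preinst
+# upgrade apply.
+#
+# For details, see http://www.debian.org/doc/debian-policy/ or
+# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
+# the debian-policy package
+
+if [ "$1" = "remove" ] ; then
+# no more packages left
+if [ -e /var/lib/qubes/fstab.orig ] ; then
+mv /var/lib/qubes/fstab.orig /etc/fstab
+fi
+
+if [ -d /var/lib/qubes/removed-udev-scripts ] ; then
+mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
+fi
+
+if [ -e /var/lib/qubes/serial.orig ] ; then
+mv /var/lib/qubes/serial.orig /etc/init/serial.conf
+fi
+fi
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
+# vim: set ts=4 sw=4 sts=4 et :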
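Review bot: The `mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/` line in the `remove` branch fails when that directory exists but is empty, because the glob stays literal, and under `set -e` the failure aborts the prerm and blocks package removal. Guard on content rather than on the directory, for example `if [ -n "$(ls -A /var/lib/qubes/removed-udev-scripts 2>/dev/null)" ] ; then`. The branch restores fstab and serial.conf but leaves in place the forced `/bin/sh` alternative and the empty root password that the preinst on this page sets with `update-alternatives --force --install /bin/sh sh /bin/bash 999` and `usermod -p '' root`. If that is intentional, a comment such as `# /bin/sh alternative and root password are deliberately not reverted` would record it.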
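--- a/debian/qubes-core-agent.triggers
+++ b/debian/qubes-core-agent.triggers
@@ -0,0 +1,47 @@
+interest-noawait /usr/share/applications
+interest-noawait /lib/systemd/system/NetworkManager.service
+interest-noawait /lib/systemd/system/NetworkManager-wait-online.service
+interest-noawait /lib/systemd/system/ModemManager.service
+interest-noawait /etc/init/serial.conf
+interest-noawait /etc/selinux/config
+interest-noawait /lib/systemd/system/cups.service
+interest-noawait /lib/systemd/system/haveged.service
+
+# Desktop Entry Modification - Remove existing rules
+interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop
+interest-noawait /etc/xdg/autostart/nm-applet.desktop
+interest-noawait /etc/xdg/autostart/abrt-applet.desktop
+
+# Desktop Entry Modification - Not shown in Qubes
+interest-noawait /etc/xdg/autostart/pulseaudio.desktop
+interest-noawait /etc/xdg/autostart/deja-dup-monitor.desktop
+interest-noawait /etc/xdg/autostart/imsettings-start.desktop
+interest-noawait /etc/xdg/autostart/krb5-auth-dialog.desktop
+interest-noawait /etc/xdg/autostart/pulseaudio.desktop
+interest-noawait /etc/xdg/autostart/restorecond.desktop
+interest-noawait /etc/xdg/autostart/sealertauto.desktop
+interest-noawait /etc/xdg/autostart/gnome-power-manager.desktop
+interest-noawait /etc/xdg/autostart/gnome-sound-applet.desktop
+interest-noawait /etc/xdg/autostart/gnome-screensaver.desktop
+interest-noawait /etc/xdg/autostart/orca-autostart.desktop
+
+# Desktop Entry Modification - Not shown in in DisposableVM
+interest-noawait /etc/xdg/autostart/gcm-apply.desktop
+
+# Desktop Entry Modification - Only shown in AppVM
+interest-noawait /etc/xdg/autostart/gnome-keyring-gpg.desktop
+interest-noawait /etc/xdg/autostart/gnome-keyring-pkcs11.desktop
+interest-noawait /etc/xdg/autostart/gnome-keyring-secrets.desktop
+interest-noawait /etc/xdg/autostart/gnome-keyring-ssh.desktop
+interest-noawait /etc/xdg/autostart/gnome-settings-daemon.desktop
+interest-noawait /etc/xdg/autostart/user-dirs-update-gtk.desktop
+interest-noawait /etc/xdg/autostart/gsettings-data-convert.desktop
+
+# Desktop Entry Modification - Only shown in Gnome & UpdateableVM
+interest-noawait /etc/xdg/autostart/gpk-update-icon.desktop
+
+# Desktop Entry Modification - Only shown in Gnome & Qubes
+interest-noawait /etc/xdg/autostart/nm-applet.desktop
+
+# Desktop Entry Modification - Show in all
+interest-noawait /etc/xdg/autostart/notify-osd.desktop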
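Review bot: `interest-noawait /etc/xdg/autostart/pulseaudio.desktop` is listed twice inside the "Not shown in Qubes" group, and `gpk-update-icon.desktop` and `nm-applet.desktop` are each registered under two headings. How dpkg treats a repeated interest is not shown on this page, so registering each path once and naming its second role in a comment is the safer form. The heading "Not shown in in DisposableVM" also has a doubled word and would read `# Desktop Entry Modification - Not shown in DisposableVM`.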
@ -10,7 +10,7 @@ all: xenstore-watch python close-window
|
|||||||
xenstore-watch: xenstore-watch.o
|
xenstore-watch: xenstore-watch.o
|
||||||
$(CC) -o xenstore-watch xenstore-watch.o -lxenstore
|
$(CC) -o xenstore-watch xenstore-watch.o -lxenstore
|
||||||
close-window: close-window.c
|
close-window: close-window.c
|
||||||
$(CC) -lX11 -o $@ $<
|
$(CC) -o $@ $< -lX11
|
||||||
python:
|
python:
|
||||||
python -m compileall .
|
python -m compileall .
|
||||||
python -O -m compileall .
|
python -O -m compileall .
|
||||||
|
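Review bot: The `close-window` link line still passes neither `$(CFLAGS)` nor `$(LDFLAGS)`, so any hardening flags a distribution build exports (presumably the case for the Debian packaging this merge brings in) never reach the compiler or linker. The `xenstore-watch` rule above it has the same gap. Moving `-lX11` after the source fixes the link order, and the recipe could go one step further with `$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -lX11`. The `python` target shown in the context looks like a command rather than a file, so it should be listed in `.PHONY` if it is not already declared outside this hunk.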
@ -1,4 +1,4 @@
|
|||||||
#!/bin/sh
|
#!/bin/bash
|
||||||
|
|
||||||
apps="evince /usr/libexec/evinced soffice firefox"
|
apps="evince /usr/libexec/evinced soffice firefox"
|
||||||
|
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
# Main qubes updates repository
|
# Main qubes updates repository
|
||||||
#deb http://deb.qubes-os.org/r3/vm @DIST@ main
|
#deb [arch=amd64] http://deb.qubes-os.org/r3/vm @DIST@ main
|
||||||
#deb-src http://deb.qubes-os.org/r3/vm @DIST@ main
|
#deb-src http://deb.qubes-os.org/r3/vm @DIST@ main
|
||||||
|
|
||||||
# Qubes updates candidates repository
|
# Qubes updates candidates repository
|
||||||
#deb http://deb.qubes-os.org/r3/vm @DIST@-testing main
|
#deb [arch=amd64] http://deb.qubes-os.org/r3/vm @DIST@-testing main
|
||||||
#deb-src http://deb.qubes-os.org/r3/vm @DIST@-testing main
|
#deb-src http://deb.qubes-os.org/r3/vm @DIST@-testing main
|
||||||
|
|
||||||
# Qubes experimental/unstable repository
|
# Qubes experimental/unstable repository
|
||||||
#deb http://deb.qubes-os.org/r3/vm @DIST@-unstable main
|
#deb [arch=amd64] http://deb.qubes-os.org/r3/vm @DIST@-unstable main
|
||||||
#deb-src http://deb.qubes-os.org/r3/vm @DIST@-unstable main
|
#deb-src http://deb.qubes-os.org/r3/vm @DIST@-unstable main
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
UPDATEABLE=`/usr/bin/qubesdb-read /qubes-vm-updateable`
|
UPDATEABLE=`qubesdb-read /qubes-vm-updateable`
|
||||||
|
|
||||||
if [ "$UPDATEABLE" = "True" ]; then
|
if [ "$UPDATEABLE" = "True" ]; then
|
||||||
/usr/lib/qubes/qrexec-client-vm dom0 qubes.SyncAppMenus /bin/sh /etc/qubes-rpc/qubes.GetAppmenus
|
/usr/lib/qubes/qrexec-client-vm dom0 qubes.SyncAppMenus /bin/sh /etc/qubes-rpc/qubes.GetAppmenus
|
||||||
|
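Review bot: Replacing `/usr/bin/qubesdb-read` with a bare `qubesdb-read` makes a script that presumably runs as root (as a package-manager post-action) resolve the tool through whatever `PATH` it inherits. The script never sets `PATH` itself, so a first line such as `PATH=/usr/sbin:/usr/bin:/sbin:/bin` would keep the lookup deterministic while still allowing the different install location on Debian. The same change is made in the later hunks that call `qubesdb-write`, `iptables-save`/`iptables-restore`, `xenstore-read`/`xenstore-write`/`xenstore-watch` and `QDB_READ=qubesdb-read`, and the note applies to each of them. In the firewall hunk the second `/sbin/iptables-restore -n` call keeps its absolute path, so the two invocations there are no longer consistent.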
@ -1,8 +1,8 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
if [ x$2 == xup ]; then
|
if [ x$2 == xup ]; then
|
||||||
INET=$(/sbin/ip addr show dev $1 | /bin/grep inet)
|
INET=$(/sbin/ip addr show dev $1 | /bin/grep inet)
|
||||||
/usr/bin/qubesdb-write /qubes-netvm-external-ip "$INET"
|
qubesdb-write /qubes-netvm-external-ip "$INET"
|
||||||
fi
|
fi
|
||||||
if [ x$2 == xdown ]; then
|
if [ x$2 == xdown ]; then
|
||||||
/usr/bin/qubesdb-write /qubes-netvm-external-ip ""
|
qubesdb-write /qubes-netvm-external-ip ""
|
||||||
fi
|
fi
|
||||||
|
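Review bot: The tests `[ x$2 == xup ]` and `[ x$2 == xdown ]` use `==` under a `#!/bin/sh` shebang, which dash's `[` does not accept. The script therefore only works on Debian because the preinst in this commit forces `/bin/sh` to bash. Writing `if [ "$2" = "up" ]; then` and `if [ "$2" = "down" ]; then` removes that dependency and also quotes the argument. `$1` in `ip addr show dev $1` should be quoted for the same reason.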
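--- a/network/80-qubes.conf
+++ b/network/80-qubes.conf
@@ -0,0 +1 @@
+net.ipv4.ip_forward=1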
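Review bot: This drop-in enables IPv4 forwarding with no comment saying which VM roles need it. Where the file is installed is not visible here; if it ends up in sysctl.d of every VM, VMs that never route for others would forward packets too. The qubes-firewall hunk in this commit writes `0` to `/proc/sys/net/ipv4/ip_forward` while rules are reloaded, so forwarding is otherwise handled at runtime. I would add a header line such as `# IPv4 forwarding for VMs that route traffic for other VMs (TODO: confirm roles)` and install the file only for those roles.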
@ -1,11 +1,19 @@
|
|||||||
|
# Yum filters
|
||||||
|
# -----------------------------------------------------------------------------
|
||||||
/repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$
|
/repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$
|
||||||
/repodata/repomd\.xml$
|
/repodata/repomd\.xml$
|
||||||
\.rpm$
|
\.rpm$
|
||||||
\.drpm$
|
\.drpm$
|
||||||
^mirrors\.fedoraproject\.org:443$
|
^mirrors\.fedoraproject\.org:443$
|
||||||
^http://mirrors\..*/mirrorlist\?
|
^http://mirrors\..*/mirrorlist\?
|
||||||
\.deb$
|
|
||||||
/dists/[a-z]*/\(InRelease\|Release\|Release.gpg\)$
|
# Debian filters
|
||||||
/dists/[a-z]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\)$
|
#
|
||||||
/dists/[a-z]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$
|
# Whonix uses sourceforge to host its repos and url can end in:
|
||||||
/dists/[a-z]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$
|
# '/' or '/download' or '?.*'
|
||||||
|
# -----------------------------------------------------------------------------
|
||||||
|
\.deb\(\|\/\|\/download\|\?.*\)$
|
||||||
|
/dists/[a-z-]*/\(InRelease\|Release\|Release.gpg\)\(\|\|/\|\/download\|\?.*\)$
|
||||||
|
/dists/[a-z-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|\.gpg\)\(\|\|/\|\/download\|\?.*\)$
|
||||||
|
/dists/[a-z-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$
|
||||||
|
/dists/[a-z-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$
|
||||||
|
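Review bot: The new `\(\|\|/\|\/download\|\?.*\)$` suffix lets every Debian pattern match a URL with an arbitrary query string after the file name, so the allowlist no longer constrains anything that follows `.deb?` or `Release?`. The comment says this is needed for one hosting site, but the relaxation applies to all hosts. If the query form is really required, I would bound it, for example `\?[A-Za-z0-9_=&.-]*` instead of `\?.*`, and say in the comment which URL shapes were observed. The alternation also repeats the empty branch (`\(\|\|/`), and `Release.gpg` still has an unescaped dot; `\(InRelease\|Release\|Release\.gpg\)` would be exact.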
@ -14,6 +14,6 @@ unmanaged_devices=mac:fe:ff:ff:ff:ff:ff
|
|||||||
# unmanaged_devices="$unmanaged_devices;mac:$mac"
|
# unmanaged_devices="$unmanaged_devices;mac:$mac"
|
||||||
#done
|
#done
|
||||||
sed -i -e "s/^unmanaged-devices=.*/unmanaged-devices=$unmanaged_devices/" /etc/NetworkManager/NetworkManager.conf
|
sed -i -e "s/^unmanaged-devices=.*/unmanaged-devices=$unmanaged_devices/" /etc/NetworkManager/NetworkManager.conf
|
||||||
sed -i -e "s/^plugins=.*/plugins=keyfile,ifcfg-rh/" /etc/NetworkManager/NetworkManager.conf
|
sed -i -e "s/^plugins=.*/plugins=keyfile/" /etc/NetworkManager/NetworkManager.conf
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
@ -34,19 +34,19 @@ while true; do
|
|||||||
# during the time when the rules are being (re)applied
|
# during the time when the rules are being (re)applied
|
||||||
echo "0" > /proc/sys/net/ipv4/ip_forward
|
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||||
|
|
||||||
RULES=$(/usr/bin/qubesdb-read $XENSTORE_IPTABLES_HEADER)
|
RULES=$(qubesdb-read $XENSTORE_IPTABLES_HEADER)
|
||||||
IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
|
IPTABLES_SAVE=$(iptables-save | sed '/^\*filter/,/^COMMIT/d')
|
||||||
OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || true`
|
OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | iptables-restore 2>&1 || true`
|
||||||
|
|
||||||
for i in $(qubesdb-list -f /qubes-iptables-domainrules) ; do
|
for i in $(qubesdb-list -f /qubes-iptables-domainrules) ; do
|
||||||
RULES=$(/usr/bin/qubesdb-read "$i")
|
RULES=$(qubesdb-read "$i")
|
||||||
ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true`
|
ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true`
|
||||||
if [ -n "$ERRS" ]; then
|
if [ -n "$ERRS" ]; then
|
||||||
echo "Failed applying rules for $i: $ERRS" >&2
|
echo "Failed applying rules for $i: $ERRS" >&2
|
||||||
OUT="$OUT$ERRS"
|
OUT="$OUT$ERRS"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
/usr/bin/qubesdb-write $XENSTORE_ERROR "$OUT"
|
qubesdb-write $XENSTORE_ERROR "$OUT"
|
||||||
if [ -n "$OUT" ]; then
|
if [ -n "$OUT" ]; then
|
||||||
DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
|
DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
|
||||||
fi
|
fi
|
||||||
|
@ -11,9 +11,9 @@ echo $$ >$PIDFILE
|
|||||||
trap 'exit 0' SIGTERM
|
trap 'exit 0' SIGTERM
|
||||||
|
|
||||||
while true; do
|
while true; do
|
||||||
NET_DOMID=$(/usr/bin/xenstore-read qubes-netvm-domid || :)
|
NET_DOMID=$(xenstore-read qubes-netvm-domid || :)
|
||||||
if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then
|
if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then
|
||||||
UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :)
|
UNTRUSTED_NETCFG=$(xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :)
|
||||||
# UNTRUSTED_NETCFG is not parsed in any way
|
# UNTRUSTED_NETCFG is not parsed in any way
|
||||||
# thus, no sanitization ready
|
# thus, no sanitization ready
|
||||||
# but be careful when passing it to other shell scripts
|
# but be careful when passing it to other shell scripts
|
||||||
@ -21,11 +21,11 @@ while true; do
|
|||||||
/sbin/service qubes-firewall stop
|
/sbin/service qubes-firewall stop
|
||||||
/sbin/service qubes-firewall start
|
/sbin/service qubes-firewall start
|
||||||
CURR_NETCFG="$UNTRUSTED_NETCFG"
|
CURR_NETCFG="$UNTRUSTED_NETCFG"
|
||||||
/usr/bin/xenstore-write qubes-netvm-external-ip "$CURR_NETCFG"
|
xenstore-write qubes-netvm-external-ip "$CURR_NETCFG"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
/usr/bin/xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid
|
xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid
|
||||||
else
|
else
|
||||||
/usr/bin/xenstore-watch -n 2 qubes-netvm-domid
|
xenstore-watch -n 2 qubes-netvm-domid
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
@ -10,7 +10,7 @@ addrule()
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
export PATH=$PATH:/sbin:/bin
|
export PATH=$PATH:/sbin:/bin
|
||||||
source /var/run/qubes/qubes-ns
|
. /var/run/qubes/qubes-ns
|
||||||
if [ "X"$NS1 = "X" ] ; then exit ; fi
|
if [ "X"$NS1 = "X" ] ; then exit ; fi
|
||||||
iptables -t nat -F PR-QBS
|
iptables -t nat -F PR-QBS
|
||||||
FIRSTONE=yes
|
FIRSTONE=yes
|
||||||
|
@ -26,14 +26,24 @@ if [ x$ip != x ]; then
|
|||||||
[ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook
|
[ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook
|
||||||
fi
|
fi
|
||||||
if [ -f /var/run/qubes-service/network-manager ]; then
|
if [ -f /var/run/qubes-service/network-manager ]; then
|
||||||
cat > /etc/sysconfig/network-scripts/ifcfg-$INTERFACE <<__EOF__
|
cat > /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE <<__EOF__
|
||||||
DEVICE=$INTERFACE
|
[802-3-ethernet]
|
||||||
IPADDR=$ip
|
duplex=full
|
||||||
NETMASK=255.255.255.255
|
|
||||||
NETWORK=$ip
|
[connection]
|
||||||
ONBOOT=yes
|
id=VM uplink $INTERFACE
|
||||||
GATEWAYDEV=$INTERFACE
|
uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef
|
||||||
GATEWAY=$gateway
|
type=802-3-ethernet
|
||||||
|
|
||||||
|
[ipv6]
|
||||||
|
method=ignore
|
||||||
|
|
||||||
|
[ipv4]
|
||||||
|
method=manual
|
||||||
|
dns=$gateway;$secondary_dns
|
||||||
|
address1=$ip/32,$gateway
|
||||||
|
may-fail=false
|
||||||
__EOF__
|
__EOF__
|
||||||
|
chmod 600 /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
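Review bot: The keyfile is created by `cat > /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE` under the inherited umask and only afterwards restricted with `chmod 600`. For a moment it can therefore exist with wider permissions, and NetworkManager's keyfile plugin ignores connection files that are readable by others. Creating it restricted from the start avoids that window: run the heredoc in a subshell that begins with `umask 077`, i.e. `( umask 077; cat > "/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE" <<__EOF__` … `)`. Separately, the `uuid=` value is a fixed literal while the file name and `id` vary with `$INTERFACE`, so two uplinks would share one connection UUID; deriving it per interface would be safer. The enclosing `if` blocks start outside the hunk.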
@ -140,11 +140,11 @@ remove_ShowIn () {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# reenable abrt-aplet if disable by some earlier version of package
|
# reenable if disabled by some earlier version of package
|
||||||
remove_ShowIn abrt-applet.desktop
|
remove_ShowIn abrt-applet.desktop imsettings-start.desktop
|
||||||
|
|
||||||
# don't want it at all
|
# don't want it at all
|
||||||
for F in deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do
|
for F in deja-dup-monitor krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do
|
||||||
if [ -e /etc/xdg/autostart/$F.desktop ]; then
|
if [ -e /etc/xdg/autostart/$F.desktop ]; then
|
||||||
remove_ShowIn $F
|
remove_ShowIn $F
|
||||||
echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop
|
echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop
|
||||||
@ -213,6 +213,17 @@ if ! grep -q localhost /etc/hosts; then
|
|||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
|
||||||
|
# in the form expected by qubes-sysinit.sh
|
||||||
|
for ip in '127\.0\.0\.1' '::1'; do
|
||||||
|
if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
|
||||||
|
sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
|
||||||
|
sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
|
||||||
|
else
|
||||||
|
echo "${ip} `hostname`" >> /etc/hosts
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
if [ "$1" != 1 ] ; then
|
if [ "$1" != 1 ] ; then
|
||||||
# do the rest of %post thing only when updating for the first time...
|
# do the rest of %post thing only when updating for the first time...
|
||||||
exit 0
|
exit 0
|
||||||
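Review bot: In the new `/etc/hosts` loop the output of `hostname` is spliced unescaped into both sed programs, so a name containing `.` is treated as a wildcard and one containing `/` or `&` breaks or alters the substitution. Capturing it once and escaping it before use keeps the edit literal: `h=$(hostname | sed 's/[][\.*^$/]/\\&/g')`, then use `$h` in the pattern. The replacement side of the second sed also needs `&` and `/` escaped. The loop depends on the GNU extensions `\s` and `\0`, which is worth a short comment. The surrounding scriptlet starts and ends outside the hunk.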
@ -279,7 +290,7 @@ fi
|
|||||||
if [ $1 -eq 0 ] ; then
|
if [ $1 -eq 0 ] ; then
|
||||||
/usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
|
/usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
|
||||||
|
|
||||||
if [ -l /lib/firmware/updates ]; then
|
if [ -L /lib/firmware/updates ]; then
|
||||||
rm /lib/firmware/updates
|
rm /lib/firmware/updates
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
# Setup gateway for all the VMs this netVM is serviceing...
|
# Setup gateway for all the VMs this netVM is serviceing...
|
||||||
network=$(/usr/bin/qubesdb-read /qubes-netvm-network 2>/dev/null)
|
network=$(qubesdb-read /qubes-netvm-network 2>/dev/null)
|
||||||
if [ "x$network" != "x" ]; then
|
if [ "x$network" != "x" ]; then
|
||||||
gateway=$(/usr/bin/qubesdb-read /qubes-netvm-gateway)
|
gateway=$(qubesdb-read /qubes-netvm-gateway)
|
||||||
netmask=$(/usr/bin/qubesdb-read /qubes-netvm-netmask)
|
netmask=$(qubesdb-read /qubes-netvm-netmask)
|
||||||
secondary_dns=$(/usr/bin/qubesdb-read /qubes-netvm-secondary-dns)
|
secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns)
|
||||||
modprobe netbk 2> /dev/null || modprobe xen-netback
|
modprobe netbk 2> /dev/null || modprobe xen-netback
|
||||||
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
|
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
|
||||||
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
|
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
|
||||||
|
@ -3,6 +3,7 @@ Description=Qubes remote exec agent
|
|||||||
After=qubes-dvm.service
|
After=qubes-dvm.service
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
ExecStartPre=/bin/sh -c '[ -e /dev/xen/evtchn ] || modprobe xen_evtchn'
|
||||||
ExecStart=/usr/lib/qubes/qrexec-agent
|
ExecStart=/usr/lib/qubes/qrexec-agent
|
||||||
StandardOutput=syslog
|
StandardOutput=syslog
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
#!/bin/sh
|
#!/bin/bash
|
||||||
|
|
||||||
# List of services enabled by default (in case of absence of qubesdb entry)
|
# List of services enabled by default (in case of absence of qubesdb entry)
|
||||||
DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy"
|
DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy"
|
||||||
@ -7,8 +7,8 @@ DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check"
|
|||||||
DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM updates-proxy-setup"
|
DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM updates-proxy-setup"
|
||||||
DEFAULT_ENABLED="meminfo-writer"
|
DEFAULT_ENABLED="meminfo-writer"
|
||||||
|
|
||||||
QDB_READ=/usr/bin/qubesdb-read
|
QDB_READ=qubesdb-read
|
||||||
QDB_LS=/usr/bin/qubesdb-multiread
|
QDB_LS=qubesdb-multiread
|
||||||
|
|
||||||
read_service() {
|
read_service() {
|
||||||
$QDB_READ /qubes-service/$1 2> /dev/null
|
$QDB_READ /qubes-service/$1 2> /dev/null
|
||||||
@ -31,6 +31,8 @@ mkdir -p /var/run/xen-hotplug
|
|||||||
|
|
||||||
# Set permissions to /proc/xen/xenbus, so normal user can use qubesdb-read
|
# Set permissions to /proc/xen/xenbus, so normal user can use qubesdb-read
|
||||||
chmod 666 /proc/xen/xenbus
|
chmod 666 /proc/xen/xenbus
|
||||||
|
|
||||||
|
[ -e /proc/u2mfn ] || modprobe u2mfn
|
||||||
# Set permissions to files needed to listen at vchan
|
# Set permissions to files needed to listen at vchan
|
||||||
chmod 666 /proc/u2mfn
|
chmod 666 /proc/u2mfn
|
||||||
|
|
||||||
@ -60,15 +62,25 @@ done
|
|||||||
name=`$QDB_READ /name`
|
name=`$QDB_READ /name`
|
||||||
if [ -n "$name" ]; then
|
if [ -n "$name" ]; then
|
||||||
hostname $name
|
hostname $name
|
||||||
sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
|
if [ -e /etc/debian_version ]; then
|
||||||
|
ipv4_localhost_re="127\.0\.1\.1"
|
||||||
|
else
|
||||||
|
ipv4_localhost_re="127\.0\.0\.1"
|
||||||
|
fi
|
||||||
|
sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
|
||||||
|
sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
|
||||||
fi
|
fi
|
||||||
|
|
||||||
timezone=`$QDB_READ /qubes-timezone 2> /dev/null`
|
timezone=`$QDB_READ /qubes-timezone 2> /dev/null`
|
||||||
if [ -n "$timezone" ]; then
|
if [ -n "$timezone" ]; then
|
||||||
ln -f /usr/share/zoneinfo/$timezone /etc/localtime
|
cp -p /usr/share/zoneinfo/$timezone /etc/localtime
|
||||||
|
if [ -e /etc/debian_version ]; then
|
||||||
|
echo "$timezone" > /etc/timezone
|
||||||
|
else
|
||||||
echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
|
echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
|
||||||
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
|
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# Prepare environment for other services
|
# Prepare environment for other services
|
||||||
echo > /var/run/qubes-service-environment
|
echo > /var/run/qubes-service-environment
|
||||||
|
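Review bot: `$timezone` is read from qubesdb and used unquoted as a path component in `cp -p /usr/share/zoneinfo/$timezone /etc/localtime`, with no check that it names a file inside the zoneinfo tree. The value presumably originates in dom0, but a guard is cheap and also covers a missing zone file: `case "$timezone" in ""|/*|*..*) timezone= ;; esac` followed by `[ -f "/usr/share/zoneinfo/$timezone" ] || timezone=` before the existing `if [ -n "$timezone" ]`. The same applies to `$name`, which goes unquoted into `hostname $name` and unescaped into the two new `sed -i` expressions for `/etc/hosts`. The script continues outside these hunks.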
@ -4,4 +4,4 @@ ConditionPathExists=/var/run/qubes-service/qubes-update-check
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0'
|
ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'if [ -e /usr/bin/yum ]; then yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0; else apt-get -q update > /dev/null; apt-get -s upgrade | awk "/^Inst/{ print $2 }" | [[ $(wc -L) -eq 0 ]] && echo 0 || echo 1; fi'
|
||||||
|
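Review bot: The new `ExecStart` runs `[[ $(wc -L) -eq 0 ]]` under `/bin/sh -c`. `[[` is a bash construct, so the check only works where `/bin/sh` is bash, which on Debian depends on the alternative that the preinst in this commit forces. `[ "$(wc -L)" -eq 0 ]` does the same with a POSIX test. Inside the single-quoted command the awk program is in double quotes, so the shell expands `$2` (empty) before awk sees it and awk prints whole lines; the count still works, but not for the reason the code suggests. A failing `apt-get -q update` is also ignored before the simulated upgrade. Moving the logic into a small script under `/usr/lib/qubes/`, called from `ExecStart`, would avoid the nested quoting and give a place for error handling.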