# # The Qubes OS Project, http://www.qubes-os.org # # Copyright (C) 2010 Joanna Rutkowska # Copyright (C) 2010 Rafal Wojtczuk # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # # %define qubes_services qubes-core qubes-core-netvm qubes-core-early qubes-firewall qubes-iptables qubes-updates-proxy qubes-updates-proxy-forwarder %define qubes_preset_file 75-qubes-vm.preset # systemd is used in Fedora and CentOS %if 0%{?fedora} || 0%{?rhel} %define with_sysvinit 0 %else %define with_sysvinit 1 %endif %if 0%{?rhel} == 8 %define plateform_python3_sitelib %(/usr/libexec/platform-python -c 'import distutils.sysconfig; print(distutils.sysconfig.get_python_lib())') %endif %define scriptletfuns is_static() { \ [ -f "%{_unitdir}/$1" ] && ! grep -q '^[[].nstall]' "%{_unitdir}/$1" \ } \ \ is_masked() { \ if [ ! -L %{_sysconfdir}/systemd/system/"$1" ] \ then \ return 1 \ fi \ target=`readlink %{_sysconfdir}/systemd/system/"$1" 2>/dev/null` || : \ if [ "$target" = "/dev/null" ] \ then \ return 0 \ fi \ return 1 \ } \ \ mask() { \ ln -sf /dev/null %{_sysconfdir}/systemd/system/"$1" \ } \ \ unmask() { \ if ! is_masked "$1" \ then \ return 0 \ fi \ rm -f %{_sysconfdir}/systemd/system/"$1" \ } \ \ preset_units() { \ local represet= \ cat "$1" | while read action unit_name \ do \ if [ "$action" = "#" -a "$unit_name" = "Units below this line will be re-preset on package upgrade" ] \ then \ represet=1 \ continue \ fi \ echo "$action $unit_name" | grep -q '^[[:space:]]*[^#;]' || continue \ [ -n "$action" -a -n "$unit_name" ] || continue \ if [ "$2" = "initial" -o "$represet" = "1" ] \ then \ if [ "$action" = "disable" ] && is_static "$unit_name" \ then \ if ! is_masked "$unit_name" \ then \ # We must effectively mask these units, even if they are static. \ mask "$unit_name" \ fi \ elif [ "$action" = "enable" ] && is_static "$unit_name" \ then \ if is_masked "$unit_name" \ then \ # We masked this static unit before, now we unmask it. \ unmask "$unit_name" \ fi \ systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || : \ else \ systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || : \ fi \ fi \ done \ } \ \ restore_units() { \ grep '^[[:space:]]*[^#;]' "$1" | while read action unit_name \ do \ if is_static "$unit_name" && is_masked "$unit_name" \ then \ # If the unit had been masked by us, we must unmask it here. \ # Otherwise systemctl preset will fail badly. \ unmask "$unit_name" \ fi \ systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || : \ done \ } \ Name: qubes-core-agent Version: @VERSION@ Release: 1%{dist} Summary: The QubesOS core files for VMs Group: Qubes Vendor: Invisible Things Lab License: GPL URL: https://www.qubes-os.org Conflicts: firewalld Requires: xdg-utils Requires: qubes-utils >= 3.1.3 Requires: qubes-utils-libs >= 4.0.16 Requires: initscripts Requires: gawk Requires: sed Requires: util-linux Requires: e2fsprogs Requires: hostname # for Qubes Manager VM updater Requires: xterm # for qubes-desktop-run Requires: python%{python3_pkgversion}-gobject-base Requires: python%{python3_pkgversion}-dbus # for qubes-session-autostart, xdg-icon Requires: python%{python3_pkgversion}-pyxdg Requires: python%{python3_pkgversion}-daemon # for qvm-feature-request Requires: python%{python3_pkgversion}-qubesdb # for qubes.ShowInTerminal RPC service Requires: socat Requires: ImageMagick Requires: librsvg2-tools Requires: zenity Requires: dconf Requires: qubes-core-qrexec-vm Requires: qubes-libvchan Requires: qubes-db-vm %if 0%{?rhel} == 8 # we need to stick to related DNF python version # which is python3.6 by default Requires: python3-dnf-plugins-qubes-hooks %else Requires: python%{python3_pkgversion}-dnf-plugins-qubes-hooks %endif Requires: python%{python3_pkgversion}-setuptools # for qubes.ResizeDisk Requires: parted Obsoletes: qubes-core-vm-kernel-placeholder <= 1.0 Obsoletes: qubes-upgrade-vm < 3.2 Provides: qubes-core-vm = %{version}-%{release} Obsoletes: qubes-core-vm < 4.0.0 Provides: qubes-core-vm-doc = %{version}-%{release} Obsoletes: qubes-core-vm-doc < 4.0.0 Conflicts: qubes-gui-agent < 4.1.6 BuildRequires: gcc BuildRequires: pandoc BuildRequires: xen-devel BuildRequires: libX11-devel BuildRequires: qubes-utils-devel >= 3.1.3 BuildRequires: qubes-libvchan-@BACKEND_VMM@-devel BuildRequires: pam-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: systemd Source0: %{name}-%{version}.tar.gz %description The Qubes core files for installation inside a Qubes VM. %package -n python2-dnf-plugins-qubes-hooks Summary: DNF plugin for Qubes specific post-installation actions BuildRequires: python2-devel %{?python_provide:%python_provide python2-dnf-plugins-qubes-hooks} %description -n python2-dnf-plugins-qubes-hooks DNF plugin for Qubes specific post-installation actions: * notify dom0 that updates were installed * refresh applications shortcut list %if 0%{?rhel} == 8 %package -n python3-dnf-plugins-qubes-hooks Summary: DNF plugin for Qubes specific post-installation actions BuildRequires: python3-devel %description -n python3-dnf-plugins-qubes-hooks DNF plugin for Qubes specific post-installation actions: * notify dom0 that updates were installed * refresh applications shortcut list %else %package -n python%{python3_pkgversion}-dnf-plugins-qubes-hooks Summary: DNF plugin for Qubes specific post-installation actions BuildRequires: python%{python3_pkgversion}-devel %{?python_provide:%python_provide python%{python3_pkgversion}-dnf-plugins-qubes-hooks} %description -n python%{python3_pkgversion}-dnf-plugins-qubes-hooks DNF plugin for Qubes specific post-installation actions: * notify dom0 that updates were installed * refresh applications shortcut list %endif %package nautilus Summary: Qubes integration for Nautilus Requires: qubes-core-agent = %{version} Requires: nautilus-python Conflicts: qubes-core-vm < 4.0.0 %description nautilus Nautilus addons for inter-VM file copy/move/open. %package dom0-updates Summary: Scripts required to handle dom0 updates Requires: qubes-core-agent = %{version} Requires: fakeroot Conflicts: qubes-core-vm < 4.0.0 Requires: tar %description dom0-updates Scripts required to handle dom0 updates. %package networking Summary: Networking support for Qubes VM Requires: ethtool Requires: iptables Requires: conntrack-tools Requires: net-tools Requires: iproute Requires: nftables Requires: socat Requires: qubes-core-agent = %{version} Requires: tinyproxy Conflicts: qubes-core-vm < 4.0.0 %description networking This package provides: * basic network functionality (setting IP address, DNS, default gateway) * proxy service used by TemplateVMs to download updates * qubes-firewall service (FirewallVM) Note: if you want to use NetworkManager (you do want it in NetVM), install also qubes-core-agent-network-manager. %package network-manager Summary: NetworkManager integration for Qubes VM # to show/hide nm-applet Requires: NetworkManager >= 0.8.1-1 Requires: glib2 Requires: polkit Requires: qubes-core-agent-networking = %{version} Conflicts: qubes-core-vm < 4.0.0 %description network-manager Integration of NetworkManager for Qubes VM: * make connections config persistent * adjust DNS redirections when needed * show/hide NetworkManager applet icon %package passwordless-root Summary: Passwordless root access from normal user Conflicts: qubes-core-vm < 4.0.0 %description passwordless-root Configure sudo, PolicyKit and similar tool to not ask for any password when switching from user to root. Since all the user data in a VM is accessible already from normal user account, there is not much more to guard there. Qubes VM is a single user system. %package thunar Summary: Thunar support for Qubes VM tools Requires: Thunar %description thunar Thunar support for Qubes VM tools %define kde_service_dir /usr/share/kde4/services %define kde5_service_dir /usr/share/kservices5/ServiceMenus %prep %setup -q %build %{?set_build_flags} for dir in qubes-rpc misc; do make -C $dir BACKEND_VMM=@BACKEND_VMM@ done make -C doc manpages %pre # Make sure there is a qubes group groupadd --force --system --gid 98 qubes id -u 'user' >/dev/null 2>&1 || { useradd --user-group --create-home --shell /bin/bash user } usermod -a --groups qubes user if [ "$1" != 1 ] ; then # do this whole %%pre thing only when updating for the first time... exit 0 fi mkdir -p /var/lib/qubes if [ -e /etc/fstab ] ; then mv /etc/fstab /var/lib/qubes/fstab.orig fi usermod -L user %pre passwordless-root usermod -L root %install make install-vm PYTHON=%{__python3} DESTDIR=$RPM_BUILD_ROOT SYSTEM_DROPIN_DIR=%{_unitdir} SYSLIBDIR=/usr/lib make -C app-menu DESTDIR=$RPM_BUILD_ROOT install make -C boot/redhat DESTDIR=$RPM_BUILD_ROOT install make -C config-overrides DESTDIR=$RPM_BUILD_ROOT install make -C filesystem DESTDIR=$RPM_BUILD_ROOT install make -C misc DESTDIR=$RPM_BUILD_ROOT install make -C network DESTDIR=$RPM_BUILD_ROOT install make -C passwordless-root DESTDIR=$RPM_BUILD_ROOT install install-rh make -C qubes-rpc DESTDIR=$RPM_BUILD_ROOT install make -C qubes-rpc/kde DESTDIR=$RPM_BUILD_ROOT install make -C qubes-rpc/nautilus DESTDIR=$RPM_BUILD_ROOT install make -C qubes-rpc/thunar DESTDIR=$RPM_BUILD_ROOT install make -C package-managers PYTHON=%{__python3} DESTDIR=$RPM_BUILD_ROOT install install-dnf %if 0%{?rhel} == 7 make -C package-managers DESTDIR=$RPM_BUILD_ROOT install-yum %endif %if 0%{?rhel} >= 7 sed -i \ -e 's:-primary:-centos:' \ -e 's:/fc:/centos:' \ $RPM_BUILD_ROOT/etc/yum.repos.d/qubes-*.repo %endif install -D -m 0644 boot/dracut-qubes.conf $RPM_BUILD_ROOT/usr/lib/dracut/dracut.conf.d/30-qubes.conf install -D -m 0644 boot/grub.qubes $RPM_BUILD_ROOT/etc/default/grub.qubes %if ! %with_sysvinit rm -rf $RPM_BUILD_ROOT/etc/init.d/qubes-* $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes-core.modules %endif %triggerin -- initscripts if [ -e /etc/init/serial.conf ]; then cp /usr/share/qubes/serial.conf /etc/init/serial.conf fi %triggerin -- grub2-tools if ! grep -q /etc/default/grub.qubes /etc/default/grub 2>/dev/null; then # do not keep Qubes-related settings directly in user-controlled config, # include another file echo '. /etc/default/grub.qubes' >> /etc/default/grub fi %triggerin passwordless-root -- util-linux qubesfile=/etc/pam.d/su.qubes origfile=${qubesfile%.qubes} backupfile=${origfile}.qubes-orig if [ -r "$origfile" -a ! -r "$backupfile" ]; then mv -f "$origfile" "$backupfile" fi ln -sf "$qubesfile" "$origfile" %post # disable some Upstart services for F in plymouth-shutdown prefdm splash-manager start-ttys tty ; do if [ -e /etc/init/$F.conf ]; then mv -f /etc/init/$F.conf /etc/init/$F.conf.disabled fi done chgrp user /var/lib/qubes/dom0-updates # Remove old firmware updates link if [ -L /lib/firmware/updates ]; then rm -f /lib/firmware/updates fi # convert /usr/local symlink to a mount point if [ -L /usr/local ]; then rm -f /usr/local mkdir /usr/local mount /usr/local || : fi # workaround for Fedora's systemd package bug # https://bugzilla.redhat.com/1559286 if [ -d /var/lib/private ]; then chmod 700 /var/lib/private fi if test -f /etc/yum.conf && ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then echo >> /etc/yum.conf echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf fi if ! [ -r /etc/dconf/profile/user ]; then mkdir -p /etc/dconf/profile echo "user-db:user" >> /etc/dconf/profile/user echo "system-db:local" >> /etc/dconf/profile/user fi dconf update &> /dev/null || : # And actually setup the proxy usage in package managers /usr/lib/qubes/update-proxy-configs # Location of files which contains list of protected files mkdir -p /etc/qubes/protected-files.d . /usr/lib/qubes/init/functions # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content if ! is_protected_file /etc/hosts ; then if ! grep -q localhost /etc/hosts; then cat < /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname` ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 EOF fi fi # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is # in the form expected by qubes-sysinit.sh if ! is_protected_file /etc/hostname ; then for ip in '127\.0\.0\.1' '::1'; do if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts else echo "${ip} `hostname`" >> /etc/hosts fi done fi if [ "$1" != 1 ] ; then # do the rest of %%post thing only when updating for the first time... exit 0 fi if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then cp /etc/init/serial.conf /var/lib/qubes/serial.orig fi # Remove most of the udev scripts to speed up the VM boot time # Just leave the xen* scripts, that are needed if this VM was # ever used as a net backend (e.g. as a VPN domain in the future) #echo "--> Removing unnecessary udev scripts..." mkdir -p /var/lib/qubes/removed-udev-scripts for f in /etc/udev/rules.d/* do if [ $(basename $f) == "xen-backend.rules" ] ; then continue fi if echo $f | grep -q qubes; then continue fi mv $f /var/lib/qubes/removed-udev-scripts/ done mkdir -p /rw #rm -f /etc/mtab #echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 %triggerin -- notification-daemon # Enable autostart of notification-daemon when installed if [ ! -e /etc/xdg/autostart/notification-daemon.desktop ]; then ln -s /usr/share/applications/notification-daemon.desktop /etc/xdg/autostart/ fi exit 0 %triggerin -- selinux-policy . /usr/lib/qubes/init/functions if ! is_protected_file /etc/selinux/config; then echo "--> Disabling SELinux..." sed -e s/^SELINUX=.*$/SELINUX=disabled/ /etc/selinux/config.processed mv /etc/selinux/config.processed /etc/selinux/config setenforce 0 2>/dev/null fi exit 0 %post network-manager # Create NetworkManager configuration if we do not have it if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then echo '[main]' > /etc/NetworkManager/NetworkManager.conf echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf fi # Remove ip_forward setting from sysctl, so NM will not reset it sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf /usr/lib/qubes/qubes-fix-nm-conf.sh %post networking %systemd_post qubes-firewall.service %systemd_post qubes-iptables.service %systemd_post qubes-network.service %systemd_post qubes-network-uplink.service %systemd_post qubes-updates-proxy.service %post thunar if [ "$1" = 1 ]; then # There is no system-wide Thunar custom actions. There is only a default # file and a user file created from the default one. Qubes actions need # to be placed after all already defined actions and before # the end of file. if [ -f /etc/xdg/Thunar/uca.xml ] ; then cp -p /etc/xdg/Thunar/uca.xml{,.bak} sed -i '$e cat /usr/lib/qubes/uca_qubes.xml' /etc/xdg/Thunar/uca.xml fi if [ -f /home/user/.config/Thunar/uca.xml ] ; then cp -p /home/user/.config/Thunar/uca.xml{,.bak} sed -i '$e cat /usr/lib/qubes/uca_qubes.xml' /home/user/.config/Thunar/uca.xml fi fi %preun if [ "$1" = 0 ] ; then # no more packages left if [ -e /var/lib/qubes/fstab.orig ] ; then mv /var/lib/qubes/fstab.orig /etc/fstab fi mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ if [ -e /var/lib/qubes/serial.orig ] ; then mv /var/lib/qubes/serial.orig /etc/init/serial.conf fi fi %preun networking %systemd_preun qubes-firewall.service %systemd_preun qubes-iptables.service %systemd_preun qubes-network.service %systemd_preun qubes-updates-proxy.service %postun thunar if [ "$1" = 0 ]; then if [ -f /etc/xdg/Thunar/uca.xml ] ; then mv /etc/xdg/Thunar/uca.xml{,.uninstall} mv /etc/xdg/Thunar/uca.xml{.bak,} fi if [ -f /home/user/.config/Thunar/uca.xml ] ; then mv /home/user/.config/Thunar/uca.xml{,.uninstall} mv /home/user/.config/Thunar/uca.xml{.bak,} fi fi %postun if [ $1 -eq 0 ] ; then /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : if [ -L /lib/firmware/updates ]; then rm /lib/firmware/updates fi rm -rf /var/lib/qubes/xdg fi %postun passwordless-root if [ $1 -eq 0 ]; then usermod -p '*' root fi qubesfile=/etc/pam.d/su.qubes origfile=${qubesfile%.qubes} backupfile=${origfile}.qubes-orig if [ -f "$backupfile" ]; then mv -f "$backupfile" "$origfile" fi %posttrans /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %clean rm -rf $RPM_BUILD_ROOT rm -f %{name}-%{version} %files %defattr(-,root,root,-) %dir /var/lib/qubes %{kde_service_dir}/qvm-copy.desktop %{kde_service_dir}/qvm-move.desktop %{kde_service_dir}/qvm-dvm.desktop %{kde5_service_dir}/qvm-copy.desktop %{kde5_service_dir}/qvm-move.desktop %{kde5_service_dir}/qvm-dvm.desktop /etc/fstab /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes* %dir /etc/qubes-rpc %config(noreplace) /etc/qubes-rpc/qubes.ShowInTerminal %config(noreplace) /etc/qubes-rpc/qubes.Filecopy %config(noreplace) /etc/qubes-rpc/qubes.OpenInVM %config(noreplace) /etc/qubes-rpc/qubes.OpenURL %config(noreplace) /etc/qubes-rpc/qubes.GetAppmenus %config(noreplace) /etc/qubes-rpc/qubes.ConnectTCP %config(noreplace) /etc/qubes-rpc/qubes.VMShell %config(noreplace) /etc/qubes-rpc/qubes.VMExec %config(noreplace) /etc/qubes-rpc/qubes.VMExecGUI %config(noreplace) /etc/qubes-rpc/qubes.VMRootShell %config(noreplace) /etc/qubes-rpc/qubes.SuspendPre %config(noreplace) /etc/qubes-rpc/qubes.SuspendPreAll %config(noreplace) /etc/qubes-rpc/qubes.SuspendPost %config(noreplace) /etc/qubes-rpc/qubes.SuspendPostAll %config(noreplace) /etc/qubes-rpc/qubes.WaitForSession %config(noreplace) /etc/qubes-rpc/qubes.DetachPciDevice %config(noreplace) /etc/qubes-rpc/qubes.Backup %config(noreplace) /etc/qubes-rpc/qubes.Restore %config(noreplace) /etc/qubes-rpc/qubes.RegisterBackupLocation %config(noreplace) /etc/qubes-rpc/qubes.RestoreById %config(noreplace) /etc/qubes-rpc/qubes.SelectFile %config(noreplace) /etc/qubes-rpc/qubes.SelectDirectory %config(noreplace) /etc/qubes-rpc/qubes.GetImageRGBA %config(noreplace) /etc/qubes-rpc/qubes.SetDateTime %config(noreplace) /etc/qubes-rpc/qubes.InstallUpdatesGUI %config(noreplace) /etc/qubes-rpc/qubes.ResizeDisk %config(noreplace) /etc/qubes-rpc/qubes.StartApp %config(noreplace) /etc/qubes-rpc/qubes.PostInstall %config(noreplace) /etc/qubes-rpc/qubes.GetDate %config(noreplace) /etc/qubes-rpc/qubes.TemplateSearch %config(noreplace) /etc/qubes-rpc/qubes.TemplateDownload %config(noreplace) /etc/qubes/rpc-config/qubes.OpenInVM %config(noreplace) /etc/qubes/rpc-config/qubes.OpenURL %config(noreplace) /etc/qubes/rpc-config/qubes.SelectFile %config(noreplace) /etc/qubes/rpc-config/qubes.SelectDirectory %config(noreplace) /etc/qubes/rpc-config/qubes.ShowInTerminal %config(noreplace) /etc/qubes/rpc-config/qubes.StartApp %config(noreplace) /etc/qubes/rpc-config/qubes.InstallUpdatesGUI %config(noreplace) /etc/qubes/rpc-config/qubes.VMShell+WaitForSession %config(noreplace) /etc/qubes/rpc-config/qubes.VMExecGUI %config(noreplace) /etc/default/grub.qubes %dir /etc/qubes/autostart /etc/qubes/autostart/README.txt %config /etc/qubes/autostart/*.desktop.d/30_qubes.conf %dir /etc/qubes/applications /etc/qubes/applications/README.txt %config /etc/qubes/applications/*.desktop.d/30_qubes.conf %dir /etc/qubes/suspend-pre.d /etc/qubes/suspend-pre.d/README %dir /etc/qubes/suspend-post.d /etc/qubes/suspend-post.d/README /etc/qubes/suspend-post.d/qvm-sync-clock.sh %dir /etc/qubes/post-install.d /etc/qubes/post-install.d/README /etc/qubes/post-install.d/*.sh %config(noreplace) /etc/profile.d/qt_x11_no_mitshm.sh %config(noreplace) /etc/sudoers.d/qt_x11_no_mitshm %config(noreplace) /etc/sudoers.d/umask %config(noreplace) /etc/sysctl.d/20_tcp_timestamps.conf %config(noreplace) /etc/qubes-suspend-module-blacklist %config(noreplace) /etc/yum.conf.d/qubes-proxy.conf %config(noreplace) /etc/yum.repos.d/qubes-r4.repo %if 0%{?rhel} == 7 /etc/yum/pluginconf.d/yum-qubes-hooks.conf /usr/lib/yum-plugins/yum-qubes-hooks.py* %endif %config(noreplace) /etc/dnf/plugins/qubes-hooks.conf %config(noreplace) /etc/dconf/db/local.d/dpi /lib/udev/rules.d/50-qubes-mem-hotplug.rules /usr/lib/systemd/system/user@.service.d/90-session-stop-timeout.conf /usr/sbin/qubes-serial-login /usr/bin/qvm-copy-to-vm /usr/bin/qvm-move-to-vm /usr/bin/qvm-copy /usr/bin/qvm-move /usr/bin/qvm-open-in-dvm /usr/bin/qvm-open-in-vm /usr/bin/qvm-run-vm /usr/bin/qvm-features-request /usr/bin/qvm-sync-clock /usr/bin/qubes-desktop-run /usr/bin/qubes-run-terminal /usr/bin/qubes-run-gnome-terminal /usr/bin/qubes-open /usr/bin/qubes-session-autostart /usr/bin/qvm-connect-tcp /usr/bin/qubes-vmexec %dir /usr/lib/qubes /usr/lib/qubes/prepare-suspend /usr/lib/qubes/qfile-agent %attr(4755,root,root) /usr/lib/qubes/qfile-unpacker /usr/lib/qubes/qopen-in-vm /usr/lib/qubes/qrun-in-vm /usr/lib/qubes/qubes-trigger-sync-appmenus.sh /usr/lib/qubes/qvm-copy-to-vm.kde /usr/lib/qubes/qvm-move-to-vm.kde /usr/lib/qubes/tar2qfile /usr/lib/qubes/vm-file-editor /usr/lib/qubes/xdg-icon /usr/lib/qubes/update-proxy-configs /usr/lib/qubes/upgrades-installed-check /usr/lib/qubes/upgrades-status-notify /usr/lib/qubes/qubes-sync-clock /usr/lib/qubes/resize-rootfs /usr/lib/qubes/tinyproxy-wrapper /usr/lib/qubes/qvm-template-repo-query /usr/lib/dracut/dracut.conf.d/30-qubes.conf %dir /usr/lib/qubes/init /usr/lib/qubes/init/bind-dirs.sh /usr/lib/qubes/init/control-printer-icon.sh /usr/lib/qubes/init/functions /usr/lib/qubes/init/misc-post-stop.sh /usr/lib/qubes/init/misc-post.sh /usr/lib/qubes/init/mount-dirs.sh /usr/lib/qubes/init/qubes-early-vm-config.sh /usr/lib/qubes/init/qubes-random-seed.sh /usr/lib/qubes/init/qubes-sysinit.sh /usr/lib/qubes/init/resize-rootfs-if-needed.sh /usr/lib/qubes/init/setup-rw.sh /usr/lib/qubes/init/setup-rwdev.sh %dir /usr/lib/qubes-bind-dirs.d /usr/lib/qubes-bind-dirs.d/30_cron.conf /usr/share/applications/qubes-run-terminal.desktop /usr/share/applications/qubes-open-file-manager.desktop /usr/share/qubes/serial.conf /usr/share/qubes/marker-vm /usr/share/glib-2.0/schemas/20_org.gnome.settings-daemon.plugins.updates.qubes.gschema.override /usr/share/glib-2.0/schemas/20_org.gnome.nautilus.qubes.gschema.override /usr/share/glib-2.0/schemas/20_org.mate.NotificationDaemon.qubes.gschema.override /usr/share/glib-2.0/schemas/20_org.gnome.desktop.wm.preferences.qubes.gschema.override %{_mandir}/man1/qvm-*.1* %dir %{python3_sitelib}/qubesagent-*-py*.egg-info %{python3_sitelib}/qubesagent-*-py*.egg-info/* %{python3_sitelib}/qubesagent/__pycache__ %dir %{python3_sitelib}/qubesagent %{python3_sitelib}/qubesagent/__init__.py* %{python3_sitelib}/qubesagent/firewall.py* %{python3_sitelib}/qubesagent/test_firewall.py* %{python3_sitelib}/qubesagent/vmexec.py* %{python3_sitelib}/qubesagent/test_vmexec.py* %{python3_sitelib}/qubesagent/xdg.py* %{python3_sitelib}/qubesagent/test_xdg.py* /usr/share/qubes/mime-override/globs /usr/share/qubes/qubes-master-key.asc %dir /mnt/removable %dir /rw %files -n python2-dnf-plugins-qubes-hooks %{python2_sitelib}/dnf-plugins/* %if 0%{?rhel} == 8 %files -n python3-dnf-plugins-qubes-hooks %{plateform_python3_sitelib}/dnf-plugins/* %else %files -n python%{python3_pkgversion}-dnf-plugins-qubes-hooks %{python3_sitelib}/dnf-plugins/* %endif %files nautilus /usr/lib/qubes/qvm-copy-to-vm.gnome /usr/lib/qubes/qvm-move-to-vm.gnome /usr/share/nautilus-python/extensions/qvm_copy_nautilus.py* /usr/share/nautilus-python/extensions/qvm_move_nautilus.py* /usr/share/nautilus-python/extensions/qvm_dvm_nautilus.py* /usr/lib/qubes/qvm_nautilus_bookmark.sh %files thunar /usr/lib/qubes/qvm-actions.sh /usr/lib/qubes/uca_qubes.xml /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/thunar.xml %files dom0-updates %dir %attr(0755,user,user) /var/lib/qubes/dom0-updates /usr/lib/qubes/qubes-download-dom0-updates.sh %files networking %config(noreplace) /etc/qubes-rpc/qubes.UpdatesProxy %config(noreplace) /etc/qubes/ip6tables.rules %config(noreplace) /etc/qubes/ip6tables-enabled.rules %config(noreplace) /etc/qubes/iptables.rules %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf %config(noreplace) /etc/tinyproxy/updates-blacklist %config(noreplace) /etc/udev/rules.d/99-qubes-network.rules /etc/dhclient.d/qubes-setup-dnat-to-ns.sh /etc/xen/scripts/vif-qubes-nat.sh /etc/xen/scripts/vif-route-qubes /usr/lib/systemd/system/qubes-firewall.service /usr/lib/systemd/system/qubes-iptables.service /usr/lib/systemd/system/qubes-network.service /usr/lib/systemd/system/qubes-network-uplink.service /usr/lib/systemd/system/qubes-network-uplink@.service /usr/lib/systemd/system/qubes-updates-proxy.service /usr/lib/qubes/init/network-proxy-setup.sh /usr/lib/qubes/init/network-proxy-stop.sh /usr/lib/qubes/init/network-uplink-wait.sh /usr/lib/qubes/init/qubes-iptables /usr/lib/qubes/iptables-updates-proxy /usr/lib/qubes/qubes-setup-dnat-to-ns /usr/lib/qubes/setup-ip /usr/lib/tmpfiles.d/qubes-core-agent-linux.conf /usr/bin/qubes-firewall %files network-manager /etc/NetworkManager/dispatcher.d/30-qubes-external-ip /etc/NetworkManager/dispatcher.d/qubes-nmhook /etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop /usr/lib/NetworkManager/conf.d/30-qubes.conf /usr/lib/qubes/network-manager-prepare-conf-dir /usr/lib/qubes/qubes-fix-nm-conf.sh /usr/lib/qubes/show-hide-nm-applet.sh %files passwordless-root %config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla %config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules %config(noreplace) /etc/sudoers.d/qubes %config(noreplace) /etc/pam.d/su.qubes %if %with_sysvinit %package sysvinit Summary: Qubes unit files for SysV init style or upstart License: GPL v2 only Group: Qubes Requires: upstart Requires: qubes-core-agent = %{version} Requires: qubes-core-qrexec-vm Requires: qubes-core-agent-networking = %{version} Provides: qubes-core-agent-init-scripts Conflicts: qubes-core-agent-systemd Provides: qubes-core-vm-sysvinit = %{version}-%{release} Obsoletes: qubes-core-vm-sysvinit < 4.0.0 %description sysvinit The Qubes core startup configuration for SysV init (or upstart). %files sysvinit /etc/init.d/qubes-sysinit /etc/init.d/qubes-core-early /etc/init.d/qubes-core /etc/init.d/qubes-core-netvm /etc/init.d/qubes-firewall /etc/init.d/qubes-iptables /etc/init.d/qubes-updates-proxy /etc/init.d/qubes-updates-proxy-forwarder /etc/sysconfig/modules/qubes-core.modules %post sysvinit #echo "--> Turning off unnecessary services..." # FIXME: perhaps there is more elegant way to do this? for f in /etc/init.d/* do srv=`basename $f` [ $srv = 'functions' ] && continue [ $srv = 'killall' ] && continue [ $srv = 'halt' ] && continue [ $srv = 'single' ] && continue [ $srv = 'reboot' ] && continue [ $srv = 'qubes-gui' ] && continue chkconfig $srv off done #echo "--> Enabling essential services..." chkconfig rsyslog on chkconfig haldaemon on chkconfig messagebus on for svc in %qubes_services ; do if [ "$1" = 1 ] ; then chkconfig --add $svc || echo "WARNING: Cannot add service $svc!" else chkconfig $svc resetpriorities || echo "WARNING: Cannot reset priorities of service $svc!" fi done # TODO: make this not display the silly message about security context... sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab %preun sysvinit if [ "$1" = 0 ] ; then # no more packages left for svc in %qubes_services ; do chkconfig --del $svc done fi %endif %package systemd Summary: Qubes unit files for SystemD init style License: GPL v2 only Group: Qubes Requires: systemd Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units Requires: qubes-core-agent = %{version} Provides: qubes-core-agent-init-scripts Conflicts: qubes-core-agent-sysvinit Provides: qubes-core-vm-systemd = %{version}-%{release} Obsoletes: qubes-core-vm-systemd < 4.0.0 Conflicts: qubes-gui-agent < 4.1.0 # preset units after possibly new are installed OrderWithRequires(post): qubes-core-agent-networking %description systemd The Qubes core startup configuration for SystemD init. %files systemd %defattr(-,root,root,-) /etc/systemd/system/xendriverdomain.service /usr/lib/systemd/system/dev-xvdc1-swap.service /usr/lib/systemd/system/qubes-misc-post.service /usr/lib/systemd/system/qubes-mount-dirs.service /usr/lib/systemd/system/qubes-rootfs-resize.service /usr/lib/systemd/system/qubes-sysinit.service /usr/lib/systemd/system/qubes-early-vm-config.service /usr/lib/systemd/system/qubes-update-check.service /usr/lib/systemd/system/qubes-update-check.timer /usr/lib/systemd/system/qubes-sync-time.service /usr/lib/systemd/system/qubes-sync-time.timer /usr/lib/systemd/system/qubes-updates-proxy-forwarder@.service /usr/lib/systemd/system/qubes-updates-proxy-forwarder.socket /usr/lib/systemd/system-preset/%qubes_preset_file /usr/lib/modules-load.d/qubes-core.conf /usr/lib/systemd/system/boot.automount.d/30_qubes.conf /usr/lib/systemd/system/chronyd.service.d/30_qubes.conf /usr/lib/systemd/system/crond.service.d/30_qubes.conf /usr/lib/systemd/system/cups.service.d/30_qubes.conf /usr/lib/systemd/system/cups.socket.d/30_qubes.conf /usr/lib/systemd/system/cups.path.d/30_qubes.conf /usr/lib/systemd/system/cups-browsed.service.d/30_qubes.conf /usr/lib/systemd/system/org.cups.cupsd.service.d/30_qubes.conf /usr/lib/systemd/system/org.cups.cupsd.socket.d/30_qubes.conf /usr/lib/systemd/system/org.cups.cupsd.path.d/30_qubes.conf /usr/lib/systemd/system/getty@tty.service.d/30_qubes.conf /usr/lib/systemd/system/ModemManager.service.d/30_qubes.conf /usr/lib/systemd/system/NetworkManager.service.d/30_qubes.conf /usr/lib/systemd/system/NetworkManager-wait-online.service.d/30_qubes.conf /usr/lib/systemd/system/serial-getty@.service.d/30_qubes.conf /usr/lib/systemd/system/systemd-random-seed.service.d/30_qubes.conf /usr/lib/systemd/system/systemd-timesyncd.service.d/30_qubes.conf /usr/lib/systemd/system/tinyproxy.service.d/30_not_needed_in_qubes_by_default.conf /usr/lib/systemd/system/tor.service.d/30_qubes.conf /usr/lib/systemd/system/tor@default.service.d/30_qubes.conf /usr/lib/systemd/system/tmp.mount.d/30_qubes.conf /usr/lib/systemd/user/pulseaudio.service.d/30_qubes.conf /usr/lib/systemd/user/pulseaudio.socket.d/30_qubes.conf %post systemd changed= %scriptletfuns if [ $1 -eq 1 ] then preset_units %{_presetdir}/%qubes_preset_file initial changed=true else preset_units %{_presetdir}/%qubes_preset_file upgrade changed=true # Upgrade path - now qubes-iptables is used instead for svc in iptables ip6tables do if [ -f "$svc".service ] then systemctl --no-reload preset "$svc".service changed=true fi done fi if [ $1 -eq 1 ] then # First install. # Set default "runlevel". # FIXME: this ought to be done via kernel command line. # The fewer deviations of the template from the seed # image, the better. rm -f %{_sysconfdir}/systemd/system/default.target ln -s %{_unitdir}/multi-user.target %{_sysconfdir}/systemd/system/default.target changed=true fi # remove old symlinks if [ -L %{_sysconfdir}/systemd/system/sysinit.target.wants/qubes-random-seed.service ] then rm -f %{_sysconfdir}/systemd/system/sysinit.target.wants/qubes-random-seed.service changed=true fi if [ -L %{_sysconfdir}/systemd/system/multi-user.target.wants/qubes-mount-home.service ] then rm -f %{_sysconfdir}/systemd/system/multi-user.target.wants/qubes-mount-home.service changed=true fi if [ "x$changed" != "x" ] then systemctl daemon-reload fi %preun systemd if [ $1 -eq 0 ] ; then # Run this only during uninstall. # Save the preset file to later use it to re-preset services there # once the Qubes OS preset file is removed. mkdir -p %{_rundir}/qubes-uninstall cp -f %{_presetdir}/%qubes_preset_file %{_rundir}/qubes-uninstall/ fi %postun systemd changed= %scriptletfuns if [ -d %{_rundir}/qubes-uninstall ] then # We have a saved preset file (or more). # Re-preset the units mentioned there. restore_units %{_rundir}/qubes-uninstall/%qubes_preset_file rm -rf %{_rundir}/qubes-uninstall changed=true fi if [ "x$changed" != "x" ] then systemctl daemon-reload fi %changelog @CHANGELOG@