Qubes
/
core-agent-linux


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433
							
###################
## Install Hooks ##
###################

installOverridenServices() {
	UNITDIR=/lib/systemd/system
	OVERRIDEDIR=/usr/lib/qubes/init
	# Install overriden services only when original exists
	for srv in %*; do
	    if [ -f $UNITDIR/$srv.service ]; then
	        cp $OVERRIDEDIR/$srv.service /etc/systemd/system/
	        systemctl is-enabled $srv.service >/dev/null && systemctl --no-reload reenable $srv.service 2>/dev/null
	    fi
	    if [ -f $UNITDIR/$srv.socket -a -f $OVERRIDEDIR/$srv.socket ]; then
	        cp $OVERRIDEDIR/$srv.socket /etc/systemd/system/
	        systemctl is-enabled $srv.socket >/dev/null && systemctl --no-reload reenable $srv.socket 2>/dev/null
	    fi
	    if [ -f $UNITDIR/$srv.path -a -f $OVERRIDEDIR/$srv.path ]; then
	        cp $OVERRIDEDIR/$srv.path /etc/systemd/system/
	        systemctl is-enabled $srv.path >/dev/null && systemctl --no-reload reenable $srv.path 2>/dev/null
	    fi
	done
	
	systemctl daemon-reload

}

configure_initscripts() {

	if [ -e /etc/init/serial.conf ]; then
		cp /usr/share/qubes/serial.conf /etc/init/serial.conf
	fi

}


configure_iptables() {
	
	if ! grep -q IPTABLES_DATA /etc/sysconfig/iptables-config; then
	    cat <<EOF >>/etc/sysconfig/iptables-config
	
	### Automatically added by Qubes:
	# Override default rules location on Qubes
	IPTABLES_DATA=/etc/sysconfig/iptables.qubes
EOF
	fi
	
	if ! grep -q IP6TABLES_DATA /etc/sysconfig/ip6tables-config; then
	    cat <<EOF >>/etc/sysconfig/ip6tables-config
	
	### Automatically added by Qubes:
	# Override default rules location on Qubes
	IP6TABLES_DATA=/etc/sysconfig/ip6tables.qubes
EOF
	fi

}

configure_notification-daemon() {
	# Enable autostart of notification-daemon when installed
	ln -s /usr/share/applications/notification-daemon.desktop /etc/xdg/autostart/
}

configure_selinux() {

	# SELinux is not enabled on archlinux
	#echo "--> Disabling SELinux..."
	sed -e s/^SELINUX=.*$/SELINUX=disabled/ </etc/selinux/config >/etc/selinux/config.processed
	mv /etc/selinux/config.processed /etc/selinux/config
	setenforce 0 2>/dev/null

}

configure_networkmanager() {
	installOverridenServices ModemManager NetworkManager NetworkManager-wait-online
	# Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)
	systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null

	# Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811
	systemctl enable NetworkManager-dispatcher.service 2> /dev/null
}

configure_cups() {
	installOverridenServices cups
}

configure_cronie() {
	installOverridenServices crond
}

configure_crony() {
	installOverridenServices chronyd
}


###########################
## Pre-Install functions ##
###########################

update_default_user() {

	# Make sure there is a qubes group
	groupadd --force --system --gid 98 qubes

	# Archlinux bash version has a 'bug' when running su -c, /etc/profile is not loaded because bash consider there is no interactive pty when running 'su - user -c' or something like this.
	# See https://bugs.archlinux.org/task/31831
	id -u 'user' >/dev/null 2>&1 || {
	  useradd --user-group --create-home --shell /bin/zsh user
	}
	usermod -a --groups qubes user

}

## arg 1:  the new package version
pre_install() {
	echo "Pre install..."

	update_default_user

	# do this whole %pre thing only when updating for the first time...

	mkdir -p /var/lib/qubes

	# Backup fstab / But use archlinux defaults (cp instead of mv)
	if [ -e /etc/fstab ] ; then 
		cp /etc/fstab /var/lib/qubes/fstab.orig
	fi

	# Add qubes core related fstab entries
	echo "xen	/proc/xen	xenfs	defaults	0 0" >> /etc/fstab

	usermod -p '' root
	usermod -L user
}


## arg 1:  the new package version
## arg 2:  the old package version
pre_upgrade() {
	# do something here
	echo "Pre upgrade..."

	update_default_user

}

############################
## Post-Install functions ##
############################

remove_ShowIn () {
	if [ -e /etc/xdg/autostart/$1.desktop ]; then
		sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/$1.desktop
	fi
}

update_xdgstart () {

	# reenable if disabled by some earlier version of package
	remove_ShowIn abrt-applet.desktop imsettings-start.desktop
	
	# don't want it at all
	for F in deja-dup-monitor krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do
		if [ -e /etc/xdg/autostart/$F.desktop ]; then
			remove_ShowIn $F
			echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop
		fi
	done
	
	# don't want it in DisposableVM
	for F in gcm-apply ; do
		if [ -e /etc/xdg/autostart/$F.desktop ]; then
			remove_ShowIn $F
			echo 'NotShowIn=DisposableVM;' >> /etc/xdg/autostart/$F.desktop
		fi
	done
	
	# want it in AppVM only
	for F in gnome-keyring-gpg gnome-keyring-pkcs11 gnome-keyring-secrets gnome-keyring-ssh gnome-settings-daemon user-dirs-update-gtk gsettings-data-convert ; do
		if [ -e /etc/xdg/autostart/$F.desktop ]; then
			remove_ShowIn $F
			echo 'OnlyShowIn=GNOME;AppVM;' >> /etc/xdg/autostart/$F.desktop
		fi
	done
	
	# remove existing rule to add own later
	for F in gpk-update-icon nm-applet ; do
		remove_ShowIn $F
	done
	
	echo 'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || :
	echo 'OnlyShowIn=GNOME;QUBES;' >> /etc/xdg/autostart/nm-applet.desktop || :

}

update_qubesconfig() {

	# Create NetworkManager configuration if we do not have it
	if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
	echo '[main]' > /etc/NetworkManager/NetworkManager.conf
	echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
	echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
	fi
	/usr/lib/qubes/qubes-fix-nm-conf.sh

	# Remove ip_forward setting from sysctl, so NM will not reset it
	# Archlinux now use sysctl.d/ instead of sysctl.conf
	#sed 's/^net.ipv4.ip_forward.*/#\0/'  -i /etc/sysctl.conf
	
	# Remove old firmware updates link
	if [ -L /lib/firmware/updates ]; then
	  rm -f /lib/firmware/updates
	fi

	# Yum proxy configuration is fedora specific
	#if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
	#  echo >> /etc/yum.conf
	#  echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
	#  echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
	#fi

	# Revert 'Prevent unnecessary updates in VMs':
	#sed -i -e '/^exclude = kernel/d' /etc/yum.conf

	# Location of files which contains list of protected files
	mkdir -p /etc/qubes/protected-files.d
	PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
	
	# qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
	if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
	    if ! grep -q localhost /etc/hosts; then
	      cat <<EOF > /etc/hosts
	127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
	::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
EOF
	    fi
	fi
	
	# Make sure that /etc/sysconfig/ip(|6)tables exists. Otherwise iptales.service
	# would not start (even when configured to use another configuration file.
	if [ ! -e '/etc/sysconfig/iptables' ]; then
	  ln -s iptables.qubes /etc/sysconfig/iptables
	fi
	if [ ! -e '/etc/sysconfig/ip6tables' ]; then
	  ln -s ip6tables.qubes /etc/sysconfig/ip6tables
	fi

	# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
	# in the form expected by qubes-sysinit.sh
	if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
	    for ip in '127\.0\.0\.1' '::1'; do
	        if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
	            sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
	            sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
	        else
	            echo "${ip} `hostname`" >> /etc/hosts
	        fi
	    done
	fi

	# Make sure there is a default locale set so gnome-terminal will start
	if [ ! -e /etc/locale.conf ] || ! grep -q LANG /etc/locale.conf; then
	    touch /etc/locale.conf
	    echo "LANG=en_US.UTF-8" >> /etc/locale.conf
	fi
	# ... and make sure it is really generated
	current_locale=`grep LANG /etc/locale.conf|cut -f 2 -d =`
	if [ -n "$current_locale" ] && ! locale -a | grep -q "$current_locale"; then
	    base=`echo "$current_locale" | cut -f 1 -d .`
	    charmap=`echo "$current_locale.UTF-8" | cut -f 2 -d .`
	    [ -n "$charmap" ] && charmap="-f $charmap"
	    localedef -i $base $charmap $current_locale
	fi

}

update_systemd_finalize() {

	# Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper
	if [ -z "`cat /etc/pam.d/su | grep system-login`" ] ; then
		echo "Fixing pam.d"
		sed '/auth\t\trequired\tpam_unix.so/aauth\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
		sed '/account\t\trequired\tpam_unix.so/aaccount\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
		sed '/session\t\trequired\tpam_unix.so/asession\t\tinclude\t\tsystem-login' -i /etc/pam.d/su
		cp /etc/pam.d/su /etc/pam.d/su-l
	fi

	# Set default "runlevel"
	rm -f /etc/systemd/system/default.target
	ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
	
	grep '^[[:space:]]*[^#;]' /lib/systemd/system-preset/75-qubes-vm.preset | while read action unit_name; do
	    case "$action" in
	    (disable)
	        if [ -f /lib/systemd/system/$unit_name.service ]; then
	            if ! fgrep -q '[Install]' /lib/systemd/system/$unit_name; then
	                # forcibly disable
	                ln -sf /dev/null /etc/systemd/system/$unit_name
	            fi
	        fi
	        ;;
	    esac
	done
	
	# Archlinux specific: ensure tty1 is enabled
	rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
	systemctl enable getty\@tty1.service


	systemctl daemon-reload

}


## arg 1:  the new package version
post_install() {

	update_xdgstart

	update_qubesconfig

	# do the rest of %post thing only when updating for the first time...
	if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then
		cp /etc/init/serial.conf /var/lib/qubes/serial.orig
	fi

	# Remove most of the udev scripts to speed up the VM boot time
	# Just leave the xen* scripts, that are needed if this VM was
	# ever used as a net backend (e.g. as a VPN domain in the future)
	#echo "--> Removing unnecessary udev scripts..."
	mkdir -p /var/lib/qubes/removed-udev-scripts
	for f in /etc/udev/rules.d/*
	do
	    if [ $(basename $f) == "xen-backend.rules" ] ; then
	        continue
	    fi
	
	    if [ $(basename $f) == "50-qubes-misc.rules" ] ; then
	        continue
	    fi
	
	    if echo $f | grep -q qubes; then
	        continue
	    fi
	
	    mv $f /var/lib/qubes/removed-udev-scripts/
	done

	mkdir -p /rw

	configure_iptables
	configure_notification-daemon
	configure_selinux
	configure_networkmanager
	configure_cups
	configure_cronie
	configure_crony

	systemctl --no-reload preset-all

	update_systemd_finalize

	glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :

}


## arg 1:  the new package version
## arg 2:  the old package version
post_upgrade() {

	update_xdgstart

	update_qubesconfig

	configure_iptables
	configure_notification-daemon
	configure_selinux
	configure_networkmanager
	configure_cups
	configure_cronie
	configure_crony

	services="qubes-dvm qubes-misc-post qubes-firewall qubes-mount-home"
	services="$services qubes-netwatcher qubes-network qubes-sysinit"
	services="$services qubes-updates-proxy qubes-qrexec-agent"
	for srv in $services; do
		systemctl --no-reload preset $srv.service
	done
	systemctl --no-reload preset qubes-update-check.timer

	update_systemd_finalize

	/usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :

}

######################
## Remove functions ##
######################

## arg 1:  the old package version
pre_remove() {

    # no more packages left
    if [ -e /var/lib/qubes/fstab.orig ] ; then
    mv /var/lib/qubes/fstab.orig /etc/fstab
    fi
    mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
    if [ -e /var/lib/qubes/serial.orig ] ; then
    mv /var/lib/qubes/serial.orig /etc/init/serial.conf
    fi

}

## arg 1:  the old package version
post_remove() {

    /usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :

    if [ -L /lib/firmware/updates ] ; then
      rm /lib/firmware/updates
    fi

    for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-mount-home qubes-netwatcher qubes-network qubes-qrexec-agent; do
        systemctl disable $srv.service
    done

}