Qubes
/
core-agent-linux


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164
							#!/bin/bash
#
# chkconfig: 345 90 90
# description: Executes Qubes core scripts at VM boot
#
# Source function library.
. /etc/rc.d/init.d/functions

start()
{
	echo -n $"Executing Qubes Core scripts:"

	# Set permissions to /proc/xen/xenbus, so normal user can access xenstore
	chmod 666 /proc/xen/xenbus
	# Set permissions to files needed by gui-agent
	chmod 666 /proc/u2mfn

	mkdir -p /var/run/xen-hotplug
	mkdir -p /var/run/qubes
	chgrp qubes /var/run/qubes
	chmod 0775 /var/run/qubes

	# Location of files which contains list of protected files
	PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'

	# Set the hostname
	if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
		name=$(/usr/bin/qubesdb-read /name)
		if ! [ -f /etc/this-is-dvm ] ; then
			# we don't want to set hostname for DispVM
			# because it makes some of the pre-created dotfiles invalid (e.g. .kde/cache-<hostname>)
			# (let's be frank: nobody's gonna use xterm on DispVM)
			hostname $name
			sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
		fi
	fi

	# Set the timezone
	if ! grep -rq "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
		timezone=`/usr/bin/qubesdb-read /qubes-timezone 2> /dev/null`
		if [ -n "$timezone" ]; then
			ln -f /usr/share/zoneinfo/$timezone /etc/localtime
			echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
			echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
		fi
	fi

	yum_proxy_setup=$(/usr/bin/qubesdb-read /qubes-service/yum-proxy-setup 2> /dev/null || /usr/bin/qubesdb-read /qubes-service/updates-proxy-setup 2> /dev/null)
	type=$(/usr/bin/qubesdb-read /qubes-vm-type)
	if [ "$yum_proxy_setup" != "0" ] || [ -z "$yum_proxy_setup" -a "$type" == "TemplateVM" ]; then
		echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
	else
		echo > /etc/yum.conf.d/qubes-proxy.conf
	fi

	# Set IP address again (besides action in udev rules); this is needed by
	# DispVM (to override DispVM-template IP) and in case when qubes-ip was
	# called by udev before loading evtchn kernel module - in which case
	# qubesdb-read fails
	INTERFACE=eth0 /usr/lib/qubes/setup-ip

	if [ -e /dev/xvdb ] ; then
		# check if private.img (xvdb) is empty - all zeros
		private_size_512=`blockdev --getsz /dev/xvdb`
		if dd if=/dev/zero bs=512 count=$private_size_512 | diff /dev/xvdb - >/dev/null; then
			# the device is empty, create filesystem
			echo "--> Virgin boot of the VM: creating filesystem on private.img"
			mkfs.ext4 -m 0 -q /dev/xvdb || exit 1
		fi

		mount /rw
		resize2fs /dev/xvdb 2> /dev/null || echo "'resize2fs /dev/xvdb' failed"

        if ! [ -d /rw/home ] ; then
        	echo
        	echo "--> Virgin boot of the VM: Linking /home to /rw/home"

        	mkdir -p /rw/config
		cat > /rw/config/rc.local <<EOF
#!/bin/sh

# This script will be executed at every VM startup, you can place your own
# custom commands here. This include overriding some configuration in /etc,
# starting services etc.
#
# You need to make this script executable to have it enabled.

# Example for overriding the whole CUPS configuration:
#  rm -rf /etc/cups
#  ln -s /rw/config/cups /etc/cups
#  systemctl --no-block restart cups
EOF

			touch /rw/config/qubes-firewall-user-script
			cat > /rw/config/qubes-firewall-user-script <<EOF
#!/bin/sh

# This script is called in ProxyVM after firewall every update (configuration
# change, starting some VM etc). This is good place to write own custom
# firewall rules, in addition to autogenerated one. Remember that in most cases
# you'll need to insert the rules at the beginning (iptables -I) to have it
# efective.
#
# You need to make this script executable to have it enabled.
EOF

			touch /rw/config/suspend-module-blacklist
			cat > /rw/config/suspend-module-blacklist <<EOF
# You can list here modules you want to be unloaded before going to sleep. This
# file is used only if the VM has any PCI device assigned. Modules will be
# automatically loaded after resume.
EOF

            mkdir -p /rw/home
            cp -a /home.orig/user /rw/home

            mkdir -p /rw/usrlocal
            cp -a /usr/local.orig/* /rw/usrlocal

            touch /var/lib/qubes/first-boot-completed
        fi
	fi
    if [ -L /home ]; then
        rm /home
        mkdir /home
    fi
    mount /home

	[ -x /rw/config/rc.local ] && /rw/config/rc.local

	success
	echo ""

	start_ntpd=$(/usr/bin/qubesdb-read /qubes-service/ntpd 2> /dev/null)
	if [ "$start_ntpd" == "1" ]; then
		/sbin/service ntpd start
	fi
	return 0
}

stop()
{
	su -c 'mkdir -p /home_volatile/user/.local/share/applications' user
	su -c 'cp -a /usr/share/applications/defaults.list /home_volatile/user/.local/share/applications/' user
	if [ -r '/home/user/.local/share/applications/defaults.list' ]; then
		su -c 'cat /home/user/.local/share/applications/defaults.list >> /home_volatile/user/.local/share/applications/defaults.list' user
	fi
	return 0
}

case "$1" in
  start)
	start
	;;
  stop)
	stop
	;;
  *)
	echo $"Usage: $0 {start|stop}"
	exit 3
	;;
esac

exit $RETVAL