core-agent-linux/debian/qubes-core-agent.postinst

#!/bin/bash
# postinst script for core-agent-linux
#
# see: dh_installdeb(1)

set -e

# The postint script may be called in the following ways:
#   * <postinst> 'configure' <most-recently-configured-version>
#   * <old-postinst> 'abort-upgrade' <new version>
#   * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
#     <new-version>
#   * <postinst> 'abort-remove'
#   * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
#     <failed-install-package> <version> 'removing'
#     <conflicting-package> <version>
#
#    For details, see http://www.debian.org/doc/debian-policy/ or
# https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html or
# the debian-policy package

# Directory that modified desktop entry config files are stored in
XDG_CONFIG_QUBES="/usr/share/qubes/xdg"

# Install overriden services only when original exists
installOverridenServices() {
    override_dir="${1}"
    service="${2}"
    retval=1

    for unit in ${service}; do
        unit="${unit%%.*}"
        unit_name="$(basename ${unit})"
        if [ -f ${unit}.service ]; then
            echo "Installing override for ${unit}.service..."
            cp ${override_dir}/${unit_name}.service /etc/systemd/system/
            retval=0
        fi
        if [ -f ${unit}.socket -a -f ${override_dir}/${unit}.socket ]; then
            echo "Installing override for ${unit}.socket..."
            cp ${override_dir}/${unit_name}.socket /etc/systemd/system/
            retval=0
        fi
        if [ -f ${unit}.path -a -f ${override_dir}/${unit}.path ]; then
            echo "Installing override for ${unit}.path..."
            cp ${override_dir}/${unit_name}.path /etc/systemd/system/
            retval=0
        fi
    done

    return ${retval}
}

reenableNetworkManager() {
    # Disable original service to enable overriden one
    echo "Disabling original service to enable overriden one..."
    disableSystemdUnits ModemManager.service
    disableSystemdUnits NetworkManager.service

    # Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)
    echo "Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)"
    systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null || echo "Could not disable D-BUS activation of NetworkManager"

    echo "Re-enabling original service to enable overriden one..."
    enableSystemdUnits ModemManager.service
    enableSystemdUnits NetworkManager.service

    # Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811
    echo "Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811"
    enableSystemdUnits NetworkManager-dispatcher.service
}

remove_ShowIn() {
    if [ -e "${1}" ]; then
        sed -i '/^\(Not\|Only\)ShowIn/d' "${1}"
    fi
}

showIn() {
    desktop_entry="${1}"
    shown_in="${2}"
    message="${shown_in:-"Shown in All;"}" 
    desktop_entry_qubes="${XDG_CONFIG_QUBES}/autostart/${desktop_entry##*/}"

    # Make sure Qubes autostart directory exists
    mkdir -p "${XDG_CONFIG_QUBES}/autostart"

    # Desktop entry exists, so move to Qubes directory and modify it
    if [ -e "${desktop_entry}" ]; then
        echo "Desktop Entry Modification - ${message} ${desktop_entry##*/}..."
        cp -pf "${desktop_entry}" "${desktop_entry_qubes}"

        remove_ShowIn "${desktop_entry_qubes}"
        sed -i '/^X-GNOME-Autostart-enabled.*[fF0]/d' "${desktop_entry_qubes}"

        # Will only be '' if shown in all
        if [ ! "${shown_in}x" == "x" ]; then
            echo "${shown_in}" >> "${desktop_entry_qubes}" || true
        fi

    # Desktop entry must have been removed, so also remove from Qubes directory
    else
        echo "Desktop Entry Modification - Remove: ${desktop_entry##*/}..."
        rm -f "${desktop_entry_qubes}"
    fi
}

setArrayAsGlobal() {
    local array="$1"
    local export_as="$2"
    local code=$(declare -p "$array")
    local replaced="${code/$array/$export_as}"
    eval ${replaced/declare -/declare -g}
}

systemdInfo() {
    unit=${1}
    return_global_var=${2}

    declare -A INFO=()
    while read line; do
        INFO[${line%%=*}]="${line##*=}"
    done < <(systemctl show ${unit} 2> /dev/null)

    setArrayAsGlobal INFO $return_global_var
    return ${#INFO[@]}
}

displayFailedStatus() {
    action=${1}
    unit=${2}

    # Only display if there are results.  In chroot environmnet there will be 
    # no results to 'systemctl show' command
    systemdInfo ${unit} info || {
        echo
        echo "==================================================="
        echo "FAILED: systemd ${action} ${unit}"
        echo "==================================================="
        echo "    LoadState = ${info[LoadState]}"
        echo "    LoadError = ${info[LoadError]}"
        echo "  ActiveState = ${info[ActiveState]}"
        echo "     SubState = ${info[SubState]}"
        echo "UnitFileState = ${info[UnitFileState]}"
        echo
    }
}

# Disable systemd units
disableSystemdUnits() {
    for unit in $*; do
        systemctl is-enabled ${unit} > /dev/null 2>&1 && {
            echo "Disabling ${unit}..."
            systemctl is-active ${unit} > /dev/null 2>&1 && {
                systemctl stop ${unit} > /dev/null 2>&1 || displayFailedStatus stop ${unit}
            }
            if [ -f /lib/systemd/system/${unit} ]; then
                if fgrep -q '[Install]' /lib/systemd/system/${unit}; then
                    systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
                else
                    # Forcibly disable
                    echo "Forcibly disabling: ${unit}"
                    ln -sf /dev/null /etc/systemd/system/${unit}
                fi
            else
                    systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
            fi
        } || {
            echo "It appears ${unit} is already disabled!"
            #displayFailedStatus is-disabled ${unit}
        }
    done
}

# Enable systemd units
enableSystemdUnits() {
    for unit in $*; do
        systemctl is-enabled ${unit} > /dev/null 2>&1 && {
            echo "It appears ${unit} is already enabled!"
            #displayFailedStatus is-enabled ${unit}
        } || {
            echo "Enabling: ${unit}..."
            systemctl enable ${unit} > /dev/null 2>&1 && {
                systemctl start ${unit} > /dev/null 2>&1 || displayFailedStatus start ${unit}
            } || {
                echo "Could not enable: ${unit}"
                displayFailedStatus enable ${unit}
            }
        }
    done
}

# Manually trigger all triggers to automaticatly configure
triggerTriggers() {
        path="$(readlink -m ${0})"
        triggers="${path/postinst/triggers}"

        awk '{sub(/[ \t]*#.*/,"")} NF' ${triggers} | while read line
        do
            /bin/bash -c "${0} triggered ${line##* }" || true
        done
}

case "${1}" in
    configure)
        # disable some Upstart services
        for init in plymouth-shutdown \
                    prefdm \
                    splash-manager \
                    start-ttys \
                    tty ; do
            if [ -e /etc/init/${init}.conf ]; then
                mv -f /etc/init/${init}.conf /etc/init/${init}.conf.disabled
            fi
        done

        # Stops Qt form using the MIT-SHM X11 Shared Memory Extension
        echo 'export QT_X11_NO_MITSHM=1' > /etc/profile.d/qt_x11_no_mitshm.sh
        chmod 0755 /etc/profile.d/qt_x11_no_mitshm.sh

        # Sudo's defualt umask is 077 so set sane default of 022
        # Also don't allow QT to used shared memory to prevent errors
        echo 'Defaults umask = 0002' > /etc/sudoers.d/umask
        echo 'Defaults umask_override' >> /etc/sudoers.d/umask
        chmod 0440 /etc/sudoers.d/umask
        echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm
        chmod 0440 /etc/sudoers.d/qt_x11_no_mitshm

        # Create NetworkManager configuration if we do not have it
        if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
            echo '[main]' > /etc/NetworkManager/NetworkManager.conf
            echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
            echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
        fi

        # Remove old firmware updates link
        if [ -L /lib/firmware/updates ]; then
            rm -f /lib/firmware/updates
        fi

        #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
        #  echo >> /etc/yum.conf
        #  echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
        #  echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
        #fi

        # Revert 'Prevent unnecessary updates in VMs':
        #sed -i -e '/^exclude = kernel/d' /etc/yum.conf

        # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
        # in the form expected by qubes-sysinit.sh
        for ip in '127\.0\.1\.1' '::1'; do
            if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
                sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
                sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
            else
                echo "${ip//\\/} `hostname`" >> /etc/hosts
            fi
        done
        # remove hostname from 127.0.0.1 line (in debian the hostname is by default
        # resolved to 127.0.1.1)
        sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts

        chown user:user /home_volatile/user

        #if [ "${1}" !=  1 ] ; then
        #    # do the rest of %post thing only when updating for the first time...
        #    exit 0
        #fi

        if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then
            cp /etc/init/serial.conf /var/lib/qubes/serial.orig
        fi

        # Remove most of the udev scripts to speed up the VM boot time
        # Just leave the xen* scripts, that are needed if this VM was
        # ever used as a net backend (e.g. as a VPN domain in the future)
        #echo "--> Removing unnecessary udev scripts..."
        mkdir -p /var/lib/qubes/removed-udev-scripts
        for f in /etc/udev/rules.d/*
        do
            if [ $(basename ${f}) == "xen-backend.rules" ] ; then
                continue
            fi

            if [ $(basename ${f}) == "50-qubes-misc.rules" ] ; then
                continue
            fi

            if echo ${f} | grep -q qubes; then
                continue
            fi

            mv ${f} /var/lib/qubes/removed-udev-scripts/
        done

        # Create /rw directory
        mkdir -p /rw

        # XXX: TODO: Needs to be implemented still
        #rm -f /etc/mtab
        #echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
        #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
        #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0

        # Enable Qubes systemd units
        enableSystemdUnits \
            qubes-sysinit.service \
            qubes-misc-post.service \
            qubes-netwatcher.service \
            qubes-network.service \
            qubes-firewall.service \
            qubes-updates-proxy.service \
            qubes-update-check.timer \
            qubes-qrexec-agent.service

        # Set default "runlevel"
        rm -f /etc/systemd/system/default.target
        ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target

        # Process all triggers which will set defaults to wanted values
        triggerTriggers

        disableSystemdUnits \
            alsa-store.service \
            alsa-restore.service \
            auditd.service \
            avahi.service \
            avahi-daemon.service \
            backuppc.service \
            cpuspeed.service \
            crond.service \
            fedora-autorelabel.service \
            fedora-autorelabel-mark.service \
            ipmi.service \
            hwclock-load.service \
            hwclock-save.service \
            mdmonitor.service \
            multipathd.service \
            openct.service \
            rpcbind.service \
            mcelog.service \
            fedora-storage-init.service \
            fedora-storage-init-late.service \
            plymouth-start.service \
            plymouth-read-write.service \
            plymouth-quit.service \
            plymouth-quit-wait.service \
            sshd.service \
            tcsd.service \
            sm-client.service \
            sendmail.service \
            mdmonitor-takeover.service \
            rngd smartd.service \
            upower.service \
            irqbalance.service \
            colord.service

        rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service

        # Enable other systemd units
        enableSystemdUnits \
            rsyslog.service

        # XXX: TODO: Needs to be implemented still
        # These do not exist on debian; maybe a different package name
        #    iptables.service \
        #    ntpd.service \
        #    ip6tables.service \
        ;;

    abort-upgrade|abort-remove|abort-deconfigure)
        exit 0
        ;;

    triggered)
        for trigger in ${2}; do
            case "${trigger}" in

                # Update Qubes App Menus
                /usr/share/applications)
                    echo "Updating Qubes App Menus..."
                    /usr/lib/qubes/qubes-trigger-sync-appmenus.sh || true
                    ;;

                # Install overriden services only when original exists
                /lib/systemd/system/NetworkManager.service | \
                /lib/systemd/system/NetworkManager-wait-online.service | \
                /lib/systemd/system/ModemManager.service)
                    UNITDIR=/lib/systemd/system
                    OVERRIDEDIR=/usr/lib/qubes/init
                    installOverridenServices "${OVERRIDEDIR}" "${trigger}"
                    if [ $? -eq 0 ]; then
                        reenableNetworkManager
                    fi
                    ;;

                # Enable cups only when it is real Systemd service
                /lib/systemd/system/cups.service)
                    echo "Enabling cups"
                    [ -e /lib/systemd/system/cups.service ] && enableSystemdUnits cups.service
                    ;;

                # "Enable haveged service"
                /lib/systemd/system/haveged.service)
                    echo "Enabling haveged service"
                    enableSystemdUnits haveged.service
                    ;;

                # Install overridden serial.conf init script 
                /etc/init/serial.conf)
                    echo "Installing over-ridden serial.conf init script..."
                    if [ -e /etc/init/serial.conf ]; then
                        cp /usr/share/qubes/serial.conf /etc/init/serial.conf
                    fi
                    ;;

                # Disable SELinux"
                /etc/selinux/config)
                    echo "Disabling SELinux..."
                    if [ -e /etc/selinux/config ]; then
                        sed -e s/^SELINUX=.*$/SELINUX=disabled/ </etc/selinux/config >/etc/selinux/config.processed
                        mv /etc/selinux/config.processed /etc/selinux/config
                        setenforce 0 2>/dev/null
                    fi
                    ;;

                # Desktop Entry Modification - Remove existing rules
                /etc/xdg/autostart/gpk-update-icon.desktop | \
                /etc/xdg/autostart/nm-applet.desktop | \
                /etc/xdg/autostart/abrt-applet.desktop | \
                /etc/xdg/autostart/notify-osd.desktop)
                    showIn "${trigger}"
                    ;;

                # Desktop Entry Modification - Not shown in Qubes
                /etc/xdg/autostart/pulseaudio.desktop | \
                /etc/xdg/autostart/deja-dup-monitor.desktop | \
                /etc/xdg/autostart/imsettings-start.desktop | \
                /etc/xdg/autostart/krb5-auth-dialog.desktop | \
                /etc/xdg/autostart/pulseaudio.desktop | \
                /etc/xdg/autostart/restorecond.desktop | \
                /etc/xdg/autostart/sealertauto.desktop | \
                /etc/xdg/autostart/gnome-power-manager.desktop | \
                /etc/xdg/autostart/gnome-sound-applet.desktop | \
                /etc/xdg/autostart/gnome-screensaver.desktop | \
                /etc/xdg/autostart/orca-autostart.desktop)
                    showIn "${trigger}" 'NotShowIn=QUBES;'
                    ;;

                # Desktop Entry Modification - Not shown in in DisposableVM
                /etc/xdg/autostart/gcm-apply.desktop)
                    showIn "${trigger}" 'NotShowIn=DisposableVM;'
                    ;;

                # Desktop Entry Modification - Only shown in AppVM
                /etc/xdg/autostart/gnome-keyring-gpg.desktop | \
                /etc/xdg/autostart/gnome-keyring-pkcs11.desktop | \
                /etc/xdg/autostart/gnome-keyring-secrets.desktop | \
                /etc/xdg/autostart/gnome-keyring-ssh.desktop | \
                /etc/xdg/autostart/gnome-settings-daemon.desktop | \
                /etc/xdg/autostart/user-dirs-update-gtk.desktop | \
                /etc/xdg/autostart/gsettings-data-convert.desktop)
                    showIn "${trigger}" 'OnlyShowIn=GNOME;AppVM;'
                    ;;

                # Desktop Entry Modification - Only shown in Gnome & UpdateableVM
                /etc/xdg/autostart/gpk-update-icon.desktop)
                    showIn "${trigger}" 'OnlyShowIn=GNOME;UpdateableVM;'
                    ;;

                # Desktop Entry Modification - Only shown in Gnome & Qubes
                /etc/xdg/autostart/nm-applet.desktop)
                    showIn "${trigger}" 'OnlyShowIn=GNOME;QUBES;'
                    ;;

                *)
                    echo "postinst called with unknown trigger \`${2}'" >&2
                    exit 1
                    ;;
            esac
        done
        exit 0
        ;;

    *)
        echo "postinst called with unknown argument \`${1}'" >&2
        exit 1
        ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0

# vim: set ts=4 sw=4 sts=4 et :