PKGBUILD.install 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482
  1. qubes_preset_file="75-qubes-vm.preset"
  2. ###########################
  3. ## Pre-Install functions ##
  4. ###########################
  5. update_default_user() {
  6. # Make sure there is a qubes group
  7. groupadd --force --system --gid 98 qubes
  8. # Archlinux bash version has a 'bug' when running su -c, /etc/profile is not loaded because bash consider there is no interactive pty when running 'su - user -c' or something like this.
  9. # See https://bugs.archlinux.org/task/31831
  10. id -u 'user' >/dev/null 2>&1 || {
  11. useradd --user-group --create-home --shell /bin/zsh user
  12. }
  13. usermod -a --groups qubes user
  14. }
  15. ## arg 1: the new package version
  16. pre_install() {
  17. echo "Pre install..."
  18. update_default_user
  19. # do this whole %pre thing only when updating for the first time...
  20. mkdir -p /var/lib/qubes
  21. # Backup fstab / But use archlinux defaults (cp instead of mv)
  22. if [ -e /etc/fstab ] ; then
  23. cp /etc/fstab /var/lib/qubes/fstab.orig
  24. fi
  25. # Add qubes core related fstab entries
  26. echo "xen /proc/xen xenfs defaults 0 0" >> /etc/fstab
  27. usermod -p '' root
  28. usermod -L user
  29. }
  30. ## arg 1: the new package version
  31. ## arg 2: the old package version
  32. pre_upgrade() {
  33. # do something here
  34. echo "Pre upgrade..."
  35. update_default_user
  36. }
  37. ###################
  38. ## Install Hooks ##
  39. ###################
  40. configure_notification-daemon() {
  41. # Enable autostart of notification-daemon when installed
  42. if [ ! -L /etc/xdg/autostart/notification-daemon.desktop ]; then
  43. ln -s /usr/share/applications/notification-daemon.desktop /etc/xdg/autostart/
  44. fi
  45. }
  46. configure_selinux() {
  47. # SELinux is not enabled on archlinux
  48. #echo "--> Disabling SELinux..."
  49. echo "SELINUX not enabled on archlinux. skipped."
  50. # sed -e s/^SELINUX=.*$/SELINUX=disabled/ -i /etc/selinux/config
  51. # setenforce 0 2>/dev/null
  52. }
  53. ############################
  54. ## Post-Install functions ##
  55. ############################
  56. update_qubesconfig() {
  57. # Create NetworkManager configuration if we do not have it
  58. if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
  59. echo '[main]' > /etc/NetworkManager/NetworkManager.conf
  60. echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
  61. echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
  62. fi
  63. /usr/lib/qubes/qubes-fix-nm-conf.sh
  64. # Remove ip_forward setting from sysctl, so NM will not reset it
  65. # Archlinux now use sysctl.d/ instead of sysctl.conf
  66. #sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf
  67. # Remove old firmware updates link
  68. if [ -L /lib/firmware/updates ]; then
  69. rm -f /lib/firmware/updates
  70. fi
  71. # Yum proxy configuration is fedora specific
  72. #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
  73. # echo >> /etc/yum.conf
  74. # echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
  75. # echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
  76. #fi
  77. #/usr/lib/qubes/update-proxy-configs
  78. # Archlinux pacman configuration is handled in update_finalize
  79. # Location of files which contains list of protected files
  80. mkdir -p /etc/qubes/protected-files.d
  81. . /usr/lib/qubes/init/functions
  82. # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
  83. if ! is_protected_file /etc/hosts ; then
  84. if ! grep -q localhost /etc/hosts; then
  85. cat <<EOF > /etc/hosts
  86. 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
  87. ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
  88. EOF
  89. fi
  90. fi
  91. # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
  92. # in the form expected by qubes-sysinit.sh
  93. if ! is_protected_file /etc/hostname ; then
  94. for ip in '127\.0\.0\.1' '::1'; do
  95. if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
  96. sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
  97. sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
  98. else
  99. echo "${ip} `hostname`" >> /etc/hosts
  100. fi
  101. done
  102. fi
  103. # Make sure there is a default locale set so gnome-terminal will start
  104. if [ ! -e /etc/locale.conf ] || ! grep -q LANG /etc/locale.conf; then
  105. touch /etc/locale.conf
  106. echo "LANG=en_US.UTF-8" >> /etc/locale.conf
  107. fi
  108. # ... and make sure it is really generated
  109. # This line is buggy as LANG can be set to LANG="en_US.UTF-8". The Quotes must be stripped
  110. current_locale=`grep LANG /etc/locale.conf|cut -f 2 -d = | tr -d '"'`
  111. if [ -n "$current_locale" ] && ! locale -a | grep -q "$current_locale"; then
  112. base=`echo "$current_locale" | cut -f 1 -d .`
  113. charmap=`echo "$current_locale.UTF-8" | cut -f 2 -d .`
  114. [ -n "$charmap" ] && charmap="-f $charmap"
  115. localedef -i $base $charmap $current_locale
  116. fi
  117. }
  118. ############################
  119. ## Service Management Functions ##
  120. ############################
  121. is_static() {
  122. [ -f "/usr/lib/systemd/system/$1" ] && ! grep -q '^[[].nstall]' "/usr/lib/systemd/system/$1"
  123. }
  124. is_masked() {
  125. if [ ! -L /etc/systemd/system/"$1" ]
  126. then
  127. return 1
  128. fi
  129. target=`readlink /etc/systemd/system/"$1" 2>/dev/null` || :
  130. if [ "$target" = "/dev/null" ]
  131. then
  132. return 0
  133. fi
  134. return 1
  135. }
  136. mask() {
  137. ln -sf /dev/null /etc/systemd/system/"$1"
  138. }
  139. unmask() {
  140. if ! is_masked "$1"
  141. then
  142. return 0
  143. fi
  144. rm -f /etc/systemd/system/"$1"
  145. }
  146. preset_units() {
  147. local represet=
  148. cat "$1" | while read action unit_name
  149. do
  150. if [ "$action" = "#" -a "$unit_name" = "Units below this line will be re-preset on package upgrade" ]
  151. then
  152. represet=1
  153. continue
  154. fi
  155. echo "$action $unit_name" | grep -q '^[[:space:]]*[^#;]' || continue
  156. [ -n "$action" -a -n "$unit_name" ] || continue
  157. if [ "$2" = "initial" -o "$represet" = "1" ]
  158. then
  159. if [ "$action" = "disable" ] && is_static "$unit_name"
  160. then
  161. if ! is_masked "$unit_name"
  162. then
  163. # We must effectively mask these units, even if they are static.
  164. mask "$unit_name"
  165. fi
  166. elif [ "$action" = "enable" ] && is_static "$unit_name"
  167. then
  168. if is_masked "$unit_name"
  169. then
  170. # We masked this static unit before, now we unmask it.
  171. unmask "$unit_name"
  172. fi
  173. systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
  174. else
  175. systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
  176. fi
  177. fi
  178. done
  179. }
  180. restore_units() {
  181. grep '^[[:space:]]*[^#;]' "$1" | while read action unit_name
  182. do
  183. if is_static "$unit_name" && is_masked "$unit_name"
  184. then
  185. # If the unit had been masked by us, we must unmask it here.
  186. # Otherwise systemctl preset will fail badly.
  187. unmask "$unit_name"
  188. fi
  189. systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
  190. done
  191. }
  192. configure_systemd() {
  193. if [ $1 -eq 1 ]
  194. then
  195. preset_units /usr/lib/systemd/system-preset/$qubes_preset_file initial
  196. changed=true
  197. else
  198. preset_units /usr/lib/systemd/system-preset/$qubes_preset_file upgrade
  199. changed=true
  200. # Upgrade path - now qubes-iptables is used instead
  201. for svc in iptables ip6tables
  202. do
  203. if [ -f "$svc".service ]
  204. then
  205. systemctl --no-reload preset "$svc".service
  206. changed=true
  207. fi
  208. done
  209. fi
  210. if [ $1 -eq 1 ]
  211. then
  212. # First install.
  213. # Set default "runlevel".
  214. # FIXME: this ought to be done via kernel command line.
  215. # The fewer deviations of the template from the seed
  216. # image, the better.
  217. rm -f /etc/systemd/system/default.target
  218. ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
  219. changed=true
  220. fi
  221. # remove old symlinks
  222. if [ -L /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service ]
  223. then
  224. rm -f /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service
  225. changed=true
  226. fi
  227. if [ -L /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service ]
  228. then
  229. rm -f /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service
  230. changed=true
  231. fi
  232. if [ "x$changed" != "x" ]
  233. then
  234. systemctl daemon-reload
  235. fi
  236. }
  237. ######################
  238. ## Archlinux Specific Functions ##
  239. ######################
  240. config_prependtomark() {
  241. FILE=$1
  242. APPENDBEFORELINE=$2
  243. APPENDLINE=$3
  244. grep -F -q "$APPENDLINE" "$FILE" || sed "/$APPENDBEFORELINE/i$APPENDLINE" -i "$FILE"
  245. }
  246. config_appendtomark() {
  247. FILE=$1
  248. APPENDAFTERLINE=$2
  249. APPENDLINE=$3
  250. grep -F -q "$APPENDLINE" "$FILE" || sed "/$APPENDAFTERLINE/a$APPENDLINE" -i "$FILE"
  251. }
  252. config_cleanupmark() {
  253. FILE="$1"
  254. BEGINMARK="$2"
  255. ENDMARK="$3"
  256. if grep -F -q "$BEGINMARK" "$FILE"; then
  257. if grep -F -q "$ENDMARK" "$FILE"; then
  258. cp "$FILE" "$FILE.qubes-update-orig"
  259. sed -i -e "/^$BEGINMARK$/,/^$ENDMARK$/{
  260. /^$ENDMARK$/b
  261. /^$BEGINMARK$/!d
  262. }" "$FILE"
  263. rm -f "$FILE.qubes-update-orig"
  264. else
  265. echo "ERROR: found $BEGINMARK marker but not $ENDMARK in $FILE. Please cleanup this file manually."
  266. fi
  267. elif grep -F -q "$ENDMARK" "$FILE"; then
  268. echo "ERROR: found $ENDMARK marker but not $BEGINMARK in $FILE. Please cleanup this file manually."
  269. fi
  270. }
  271. update_finalize() {
  272. # Archlinux specific: If marker exists, cleanup text between begin and end marker
  273. QUBES_MARKER="### QUBES CONFIG MARKER ###"
  274. if grep -F -q "$QUBES_MARKER" /etc/pacman.conf; then
  275. config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "### QUBES CONFIG END MARKER ###"
  276. config_cleanupmark "/etc/pacman.conf" "$QUBES_MARKER" "### QUBES CONFIG END MARKER ###"
  277. # Else, add qubes config block marker
  278. else
  279. config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "$QUBES_MARKER"
  280. config_prependtomark "/etc/pacman.conf" "# REPOSITORIES" "### QUBES CONFIG END MARKER ###"
  281. fi
  282. # Include /etc/pacman.d drop-in directory
  283. config_appendtomark "/etc/pacman.conf" "$QUBES_MARKER" "Include = /etc/pacman.d/*.conf"
  284. /usr/lib/qubes/update-proxy-configs
  285. # Archlinux specific: Update pam.d configuration for su to enable systemd-login wrapper
  286. # Also remove pam_unix.so from su configuration
  287. # as system-login (which include system-auth) already gives pam_unix.so
  288. # with more appropriate parameters (fix the missing nullok parameter)
  289. if [ -n "`cat /etc/pam.d/su | grep pam_unix.so`" ] ; then
  290. echo "Fixing pam.d"
  291. cat <<EOF > /etc/pam.d/su
  292. #%PAM-1.0
  293. auth sufficient pam_rootok.so
  294. # Uncomment the following line to implicitly trust users in the "wheel" group.
  295. #auth sufficient pam_wheel.so trust use_uid
  296. # Uncomment the following line to require a user to be in the "wheel" group.
  297. #auth required pam_wheel.so use_uid
  298. auth include system-login
  299. account include system-login
  300. session include system-login
  301. EOF
  302. cp /etc/pam.d/su /etc/pam.d/su-l
  303. fi
  304. # Archlinux specific: ensure tty1 is enabled
  305. rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
  306. systemctl enable getty\@tty1.service
  307. systemctl daemon-reload
  308. }
  309. ## arg 1: the new package version
  310. post_install() {
  311. update_qubesconfig
  312. # do the rest of %post thing only when updating for the first time...
  313. if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then
  314. cp /etc/init/serial.conf /var/lib/qubes/serial.orig
  315. fi
  316. # Remove most of the udev scripts to speed up the VM boot time
  317. # Just leave the xen* scripts, that are needed if this VM was
  318. # ever used as a net backend (e.g. as a VPN domain in the future)
  319. #echo "--> Removing unnecessary udev scripts..."
  320. mkdir -p /var/lib/qubes/removed-udev-scripts
  321. for f in /etc/udev/rules.d/*
  322. do
  323. if [ $(basename $f) == "xen-backend.rules" ] ; then
  324. continue
  325. fi
  326. if [ $(basename $f) == "50-qubes-misc.rules" ] ; then
  327. continue
  328. fi
  329. if echo $f | grep -q qubes; then
  330. continue
  331. fi
  332. mv $f /var/lib/qubes/removed-udev-scripts/
  333. done
  334. mkdir -p /rw
  335. configure_notification-daemon
  336. configure_selinux
  337. configure_systemd 0
  338. update_finalize
  339. }
  340. ## arg 1: the new package version
  341. ## arg 2: the old package version
  342. post_upgrade() {
  343. update_qubesconfig
  344. configure_notification-daemon
  345. configure_selinux
  346. configure_systemd 1
  347. update_finalize
  348. }
  349. ######################
  350. ## Remove functions ##
  351. ######################
  352. ## arg 1: the old package version
  353. pre_remove() {
  354. # no more packages left
  355. if [ -e /var/lib/qubes/fstab.orig ] ; then
  356. mv /var/lib/qubes/fstab.orig /etc/fstab
  357. fi
  358. mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
  359. if [ -e /var/lib/qubes/serial.orig ] ; then
  360. mv /var/lib/qubes/serial.orig /etc/init/serial.conf
  361. fi
  362. if [ $1 -eq 0 ] ; then
  363. # Run this only during uninstall.
  364. # Save the preset file to later use it to re-preset services there
  365. # once the Qubes OS preset file is removed.
  366. mkdir -p /run/qubes-uninstall
  367. cp -f /usr/lib/systemd/system-preset/$qubes_preset_file /run/qubes-uninstall/
  368. cp -f /usr/lib/systemd/system-preset/$qubes_preset_file /run/qubes-uninstall/
  369. fi
  370. }
  371. ## arg 1: the old package version
  372. post_remove() {
  373. changed=
  374. if [ -d /run/qubes-uninstall ]
  375. then
  376. # We have a saved preset file (or more).
  377. # Re-preset the units mentioned there.
  378. restore_units /run/qubes-uninstall/$qubes_preset_file
  379. rm -rf /run/qubes-uninstall
  380. changed=true
  381. fi
  382. if [ "x$changed" != "x" ]
  383. then
  384. systemctl daemon-reload
  385. fi
  386. if [ -L /lib/firmware/updates ] ; then
  387. rm /lib/firmware/updates
  388. fi
  389. rm -rf /var/lib/qubes/xdg
  390. for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-mount-dirs qubes-netwatcher qubes-network qubes-qrexec-agent; do
  391. systemctl disable $srv.service
  392. done
  393. }