diff --git a/app-emulation/qubes-core-agent-linux/Manifest b/app-emulation/qubes-core-agent-linux/Manifest
new file mode 100644
index 0000000..766fcf2
--- /dev/null
+++ b/app-emulation/qubes-core-agent-linux/Manifest
@@ -0,0 +1,3 @@
+AUX qubes-ensure-lib-modules.service 430 BLAKE2B 454043bc962b1d541229002cb3649331f1b03787ef440745d70dd7013978eea2e88b122625ae4bad06ba17ad82d4160c3238d0e4883d76d99674d0bdce8fb512 SHA512 e8660d2daeefc263fb00a05ae50f34b484525a2489164fe8a84b3b92fa43fe3cfade8ce7f2a6691712ff59d326c09b0c453c7b69873d13f8a907b7efef135bf1
+EBUILD qubes-core-agent-linux-4.2.38.ebuild 12797 BLAKE2B e1583c90470893c0a18931a0071d3dcdc9aaa938f37901533ce955107c1d93e9bc93dac6da1ea72a39b3ad1e0ecbf74de871b11707639dc0f743121e4f1e6c71 SHA512 7252f140838f830cc88100b7e83d4ba8833aaa6402ce6644cdba6ad150f8384a2e90012622b2a997b0ad773c69f7dd1e32b8b102af4e5065096b9482330461f0
+EBUILD qubes-core-agent-linux-4.3.12.ebuild 12797 BLAKE2B e1583c90470893c0a18931a0071d3dcdc9aaa938f37901533ce955107c1d93e9bc93dac6da1ea72a39b3ad1e0ecbf74de871b11707639dc0f743121e4f1e6c71 SHA512 7252f140838f830cc88100b7e83d4ba8833aaa6402ce6644cdba6ad150f8384a2e90012622b2a997b0ad773c69f7dd1e32b8b102af4e5065096b9482330461f0
diff --git a/app-emulation/qubes-core-agent-linux/files/qubes-ensure-lib-modules.service b/app-emulation/qubes-core-agent-linux/files/qubes-ensure-lib-modules.service
new file mode 100644
index 0000000..ea9cb26
--- /dev/null
+++ b/app-emulation/qubes-core-agent-linux/files/qubes-ensure-lib-modules.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Qubes verification of /usr/lib/modules
+DefaultDependencies=no
+Documentation=
+ConditionPathExists=/dev/xvdd
+Before=systemd-modules-load.service
+Before=systemd-udevd.service
+Before=local-fs-pre.target
+After=systemd-remount-fs.service
+ConditionPathExists=!/usr/lib/modules/lost+found
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount /dev/xvdd /usr/lib/modules
+StandardOutput=syslog
+
+[Install]
+WantedBy=sysinit.target
+
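Review bot: `ExecStart=/bin/mount /dev/xvdd /usr/lib/modules` mounts the modules volume with default options, so if the backing device is ever presented writable the module tree is writable inside the VM too; since the unit only needs to read modules from it, `ExecStart=/bin/mount -o ro,nosuid,nodev /dev/xvdd /usr/lib/modules` narrows that without changing what the unit does (presumably dom0 already exports the volume read-only; confirm before relying on that). `StandardOutput=syslog` is obsolete in current systemd and is rewritten to the journal with a warning at load time, so `StandardOutput=journal` or simply dropping the line avoids the noise. The empty `Documentation=` line resets nothing here and should either carry a URL or be removed. `Description=Qubes verification of /usr/lib/modules` overstates the unit, which performs no verification; `Description=Mount /usr/lib/modules from /dev/xvdd` describes what it actually does.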
diff --git a/app-emulation/qubes-core-agent-linux/qubes-core-agent-linux-4.2.38.ebuild b/app-emulation/qubes-core-agent-linux/qubes-core-agent-linux-4.2.38.ebuild
new file mode 100644
index 0000000..a1677d1
--- /dev/null
+++ b/app-emulation/qubes-core-agent-linux/qubes-core-agent-linux-4.2.38.ebuild
@@ -0,0 +1,440 @@
+# Maintainer: Frédéric Pierret
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{10..13} )
+
+inherit git-r3 multilib distutils-r1 qubes
+
+if [[ ${PV} == *9999 ]]; then
+ EGIT_COMMIT=HEAD
+else
+ EGIT_COMMIT="v${PV}"
+fi
+
+EGIT_REPO_URI="https://github.com/QubesOS/qubes-core-agent-linux.git"
+
+KEYWORDS="amd64"
+DESCRIPTION="The Qubes core files for installation inside a Qubes VM"
+HOMEPAGE="http://www.qubes-os.org"
+LICENSE="GPL-2"
+
+SLOT="0"
+IUSE="nautilus networking network-manager passwordless-root pandoc-bin"
+
+DEPEND="app-emulation/qubes-libvchan-xen
+ app-emulation/qubes-db
+ app-emulation/qubes-utils
+ net-misc/socat
+ x11-misc/notification-daemon
+ x11-misc/xdg-utils
+ sys-apps/gentoo-systemd-integration
+ gnome-extra/zenity
+ pandoc-bin? (
+ app-text/pandoc-bin
+ )
+ !pandoc-bin? (
+ app-text/pandoc
+ )
+ networking? (
+ sys-apps/ethtool
+ sys-apps/net-tools
+ net-firewall/iptables
+ net-proxy/tinyproxy
+
+ network-manager? (
+ net-misc/networkmanager
+ net-firewall/nftables
+ )
+ )
+ nautilus?
(
+ dev-python/nautilus-python
+ )
+ ${PYTHON_DEPS}
+ "
+RDEPEND="${DEPEND}"
+PDEPEND=""
+
+src_prepare() {
+ qubes_verify_sources_git "${EGIT_COMMIT}"
+
+ default
+}
+
+src_compile() {
+ # Fix PAM
+ sed -i 's/postlogin/system-auth/g' passwordless-root/pam.d_su.qubes
+
+ # Fix modules-load.d path
+ sed -i 's|$(SYSLIBDIR)/modules-load.d|$(LIBDIR)/modules-load.d|g' Makefile
+
+ # Fix for network tools paths
+ sed -i 's:/sbin/ifconfig:/bin/ifconfig:g' network/*
+ sed -i 's:/sbin/route:/bin/route:g' network/*
+ sed -i 's:/sbin/ethtool:/usr/sbin/ethtool:g' network/*
+ sed -i 's:/sbin/ip:/bin/ip:g' network/*
+
+ myopt="${myopt} DESTDIR="${D}" SYSTEMD=1 BACKEND_VMM=xen"
+ for dir in qubes-rpc misc; do
+ emake ${myopt} -C "$dir"
+ done
+}
+
+src_install() {
+ emake ${myopt} install-corevm
+ emake ${myopt} -C app-menu install
+ emake ${myopt} -C filesystem install
+ emake ${myopt} -C misc install
+ emake ${myopt} -C qubes-rpc install
+ emake ${myopt} -C package-managers install
+ if use passwordless-root; then
+ emake ${myopt} -C passwordless-root install
+ fi
+ if use nautilus; then
+ emake ${myopt} -C qubes-rpc/nautilus install
+ fi
+
+ if use networking; then
+ if use network-manager; then
+ emake ${myopt} install-netvm
+ fi
+ emake ${myopt} -C network install
+ emake ${myopt} install-networking
+ fi
+
+ insopts -m 0644
+ insinto /usr/lib/systemd/system/
+ doins "${FILESDIR}"/qubes-ensure-lib-modules.service
+
+ # Remove things unwanted in Gentoo
+ ${myopt} rm -r "$DESTDIR/etc/yum"*
+ ${myopt} rm -r "$DESTDIR/etc/dnf"*
+ ${myopt} rm -r "$DESTDIR/etc/init.d"
+}
+
+pkg_preinst() {
+ update_default_user
+
+ mkdir -p /var/lib/qubes
+
+ if [ -e /etc/fstab ]; then
+ mv /etc/fstab /var/lib/qubes/fstab.orig
+ fi
+
+ usermod -L root
+ usermod -L user
+}
+
+pkg_postinst() {
+ update_qubesconfig
+
+ mkdir -p /usr/lib/modules
+ ln -sf /usr/lib/modules /lib/
+ systemctl enable qubes-ensure-lib-modules.service
+
+ if [ -e /etc/init/serial.conf ] && !
[ -f /var/lib/qubes/serial.orig ]; then
+ cp /etc/init/serial.conf /var/lib/qubes/serial.orig
+ fi
+
+ # Remove most of the udev scripts to speed up the VM boot time
+ # Just leave the xen* scripts, that are needed if this VM was
+ # ever used as a net backend (e.g. as a VPN domain in the future)
+ mkdir -p /var/lib/qubes/removed-udev-scripts
+ for f in /etc/udev/rules.d/*
+ do
+ if [ "$(basename "$f")" == "xen-backend.rules" ]; then
+ continue
+ fi
+
+ if echo "$f" | grep -q qubes; then
+ continue
+ fi
+
+ mv "$f" /var/lib/qubes/removed-udev-scripts/
+ done
+
+ mkdir -p /var/lib/qubes/removed-modules-load.d/
+ if [ -e /usr/lib/modules-load.d/xen.conf ]; then
+ mv /usr/lib/modules-load.d/xen.conf /var/lib/qubes/removed-modules-load.d/
+ fi
+
+ if [ -e /var/lib/qubes/dom0-updates ]; then
+ chgrp user /var/lib/qubes/dom0-updates
+ fi
+
+ mkdir -p /rw
+
+ configure_notification_daemon
+ configure_selinux
+ configure_systemd 1
+
+ if use networking; then
+ if use network-manager; then
+ systemctl enable qubes-network.service
+ systemctl enable qubes-firewall.service
+ systemctl enable qubes-iptables.service
+ systemctl enable qubes-updates-proxy.service
+
+ # Create NetworkManager configuration if we do not have it
+ if !
[ -e /etc/NetworkManager/NetworkManager.conf ]; then
+ echo '[main]' > /etc/NetworkManager/NetworkManager.conf
+ echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
+ echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
+ fi
+
+ /usr/lib/qubes/qubes-fix-nm-conf.sh
+ fi
+ fi
+}
+
+pkg_prerm() {
+ systemctl disable qubes-ensure-lib-modules.service
+
+ if [ -e /var/lib/qubes/fstab.orig ]; then
+ mv /var/lib/qubes/fstab.orig /etc/fstab
+ fi
+
+ for f in /var/lib/qubes/removed-udev-scripts/*
+ do
+ mv /var/lib/qubes/removed-udev-scripts/"$f" /etc/udev/rules.d/
+ done
+
+ if [ -e /var/lib/qubes/removed-modules-load.d/xen.conf ]; then
+ mv /var/lib/qubes/removed-modules-load.d/xen.conf /usr/lib/modules-load.d/xen.conf
+ fi
+
+ if [ -e /var/lib/qubes/serial.orig ]; then
+ mv /var/lib/qubes/serial.orig /etc/init/serial.conf
+ fi
+
+ # Run this only during uninstall.
+ # Save the preset file to later use it to re-preset services there
+ # once the Qubes OS preset file is removed.
+ mkdir -p /run/qubes-uninstall
+ cp -f /lib/systemd/system-preset/75-qubes-vm.preset /run/qubes-uninstall/
+
+ if use networking; then
+ if use network-manager; then
+ systemctl disable qubes-network.service
+ systemctl disable qubes-firewall.service
+ systemctl disable qubes-iptables.service
+ systemctl disable qubes-updates-proxy.service
+ fi
+ fi
+}
+
+pkg_postrm() {
+ changed=
+
+ if [ -d /run/qubes-uninstall ]; then
+ # We have a saved preset file (or more).
+ # Re-preset the units mentioned there.
+ restore_units /run/qubes-uninstall/75-qubes-vm.preset
+ rm -rf /run/qubes-uninstall
+ changed=true
+ fi
+
+ if [ -n "$changed" ]; then
+ systemctl daemon-reload
+ fi
+
+ if [ -L /lib/firmware/updates ]; then
+ rm /lib/firmware/updates
+ fi
+
+ rm -rf /var/lib/qubes/xdg
+
+ for srv in qubes-sysinit qubes-misc-post qubes-mount-dirs; do
+ systemctl disable $srv.service
+ done
+}
+
+###
+
+update_default_user() {
+ # Make sure there is a qubes group
+ groupadd --force --system --gid 98 qubes
+
+ id -u 'user' >/dev/null 2>&1 || {
+ useradd --user-group --create-home --shell /bin/bash user
+ }
+
+ usermod -a --groups qubes user
+}
+
+configure_notification_daemon() {
+ # Enable autostart of notification-daemon when installed
+ if [ ! -L /etc/xdg/autostart/notification-daemon.desktop ]; then
+ ln -sf /usr/share/applications/notification-daemon.desktop /etc/xdg/autostart/
+ fi
+}
+
+configure_selinux() {
+ if [ -e /etc/selinux/config ]; then
+ sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
+ setenforce 0 2>/dev/null
+ fi
+}
+
+update_qubesconfig() {
+ # Remove old firmware updates link
+ if [ -L /lib/firmware/updates ]; then
+ rm -f /lib/firmware/updates
+ fi
+
+ # convert /usr/local symlink to a mount point
+ if [ -L /usr/local ]; then
+ rm -f /usr/local
+ mkdir /usr/local
+ mount /usr/local || :
+ fi
+
+ if ! [ -r /etc/dconf/profile/user ]; then
+ mkdir -p /etc/dconf/profile
+ echo "user-db:user" >> /etc/dconf/profile/user
+ echo "system-db:local" >> /etc/dconf/profile/user
+ fi
+
+ dconf update &> /dev/null || :
+
+ # Location of files which contains list of protected files
+ mkdir -p /etc/qubes/protected-files.d
+ # shellcheck source=init/functions
+ . /usr/lib/qubes/init/functions
+
+ # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
+ if ! is_protected_file /etc/hosts; then
+ if !
grep -q localhost /etc/hosts; then
+
+ cat < /etc/hosts
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 $(hostname)
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
+EOF
+
+ fi
+ fi
+
+ # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
+ # in the form expected by qubes-sysinit.sh
+ if ! is_protected_file /etc/hostname; then
+ for ip in '127\.0\.0\.1' '::1'; do
+ if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
+ sed -i "/^${ip}\s/,+0s/\(\s$(hostname)\)\+\(\s\|$\)/\2/g" /etc/hosts
+ sed -i "s/^${ip}\(\s\|$\).*$/\0 $(hostname)/" /etc/hosts
+ else
+ echo "${ip} $(hostname)" >> /etc/hosts
+ fi
+ done
+ fi
+
+}
+
+is_static() {
+ [ -f "/usr/lib/systemd/system/$1" ] && ! grep -q '^[[].nstall]' "/usr/lib/systemd/system/$1"
+}
+
+is_masked() {
+ if [ ! -L /etc/systemd/system/"$1" ]; then
+ return 1
+ fi
+ target=$(readlink /etc/systemd/system/"$1" 2>/dev/null) || :
+ if [ "$target" = "/dev/null" ]; then
+ return 0
+ fi
+ return 1
+}
+
+mask() {
+ ln -sf /dev/null /etc/systemd/system/"$1"
+}
+
+unmask() {
+ if ! is_masked "$1"; then
+ return 0
+ fi
+ rm -f /etc/systemd/system/"$1"
+}
+
+preset_units() {
+ local represet=
+ while read -r action unit_name
+ do
+ if [ "$action" = "#" ] && [ "$unit_name" = "Units below this line will be re-preset on package upgrade" ]; then
+ represet=1
+ continue
+ fi
+ echo "$action $unit_name" | grep -q '^[[:space:]]*[^#;]' || continue
+ [[ -n "$action" && -n "$unit_name" ]] || continue
+ if [ "$2" = "initial" ] || [ "$represet" = "1" ]; then
+ if [ "$action" = "disable" ] && is_static "$unit_name"; then
+ if ! is_masked "$unit_name"; then
+ # We must effectively mask these units, even if they are static.
+ mask "$unit_name"
+ fi
+ elif [ "$action" = "enable" ] && is_static "$unit_name"; then
+ if is_masked "$unit_name"; then
+ # We masked this static unit before, now we unmask it.
+ unmask "$unit_name"
+ fi
+ systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
+ else
+ systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
+ fi
+ fi
+ done < "$1"
+}
+
+restore_units() {
+ grep '^[[:space:]]*[^#;]' "$1" | while read -r action unit_name
+ do
+ if is_static "$unit_name" && is_masked "$unit_name"; then
+ # If the unit had been masked by us, we must unmask it here.
+ # Otherwise systemctl preset will fail badly.
+ unmask "$unit_name"
+ fi
+ systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
+ done
+}
+
+configure_systemd() {
+ if [ "$1" -eq 1 ]; then
+ preset_units /lib/systemd/system-preset/75-qubes-vm.preset initial
+ changed=true
+ else
+ preset_units /lib/systemd/system-preset/75-qubes-vm.preset upgrade
+ changed=true
+ # Upgrade path - now qubes-iptables is used instead
+ for svc in iptables ip6tables
+ do
+ if [ -f "$svc".service ]; then
+ systemctl --no-reload preset "$svc".service
+ changed=true
+ fi
+ done
+ fi
+
+ if [ "$1" -eq 1 ]; then
+ # First install.
+ # Set default "runlevel".
+ # FIXME: this ought to be done via kernel command line.
+ # The fewer deviations of the template from the seed
+ # image, the better.
+ rm -f /etc/systemd/system/default.target
+ ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+ changed=true
+ fi
+
+ # remove old symlinks
+ if [ -L /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service ]; then
+ rm -f /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service
+ changed=true
+ fi
+ if [ -L /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service ]; then
+ rm -f /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service
+ changed=true
+ fi
+
+ if [ -n "$changed" ]; then
+ systemctl daemon-reload
+ fi
+}
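Review bot: The "Remove things unwanted in Gentoo" block at the end of src_install, `${myopt} rm -r "$DESTDIR/etc/yum"*` and the two lines after it, never points into the image directory: `DESTDIR` is only a make variable carried inside the `myopt` string, not a shell variable, so `$DESTDIR` expands to nothing (unless something in the build environment happens to set it) and the paths resolve to `/etc/yum*`, `/etc/dnf*` and `/etc/init.d` on the build host, while the expanded `${myopt}` words are passed as a command name rather than as assignments, so today the lines most likely fail with "command not found" and delete nothing, and any fix of the prefix alone would turn them into deletions under the live root. Replace the three lines with `rm -r "${D}"/etc/yum* "${D}"/etc/dnf* "${D}"/etc/init.d || die`, using `rm -rf` if the globbed directories are not guaranteed to exist in every build. pkg_prerm has a second defect: `for f in /var/lib/qubes/removed-udev-scripts/*` yields full paths, so `mv /var/lib/qubes/removed-udev-scripts/"$f" /etc/udev/rules.d/` doubles the prefix and the restore fails; `mv "$f" /etc/udev/rules.d/` is what was meant. Both points apply unchanged to the qubes-core-agent-linux-4.3.12.ebuild hunk below, which the Manifest and the index line show to be byte-identical to this file.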
diff --git a/app-emulation/qubes-core-agent-linux/qubes-core-agent-linux-4.3.12.ebuild b/app-emulation/qubes-core-agent-linux/qubes-core-agent-linux-4.3.12.ebuild
new file mode 100644
index 0000000..a1677d1
--- /dev/null
+++ b/app-emulation/qubes-core-agent-linux/qubes-core-agent-linux-4.3.12.ebuild
@@ -0,0 +1,440 @@
+# Maintainer: Frédéric Pierret
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{10..13} )
+
+inherit git-r3 multilib distutils-r1 qubes
+
+if [[ ${PV} == *9999 ]]; then
+ EGIT_COMMIT=HEAD
+else
+ EGIT_COMMIT="v${PV}"
+fi
+
+EGIT_REPO_URI="https://github.com/QubesOS/qubes-core-agent-linux.git"
+
+KEYWORDS="amd64"
+DESCRIPTION="The Qubes core files for installation inside a Qubes VM"
+HOMEPAGE="http://www.qubes-os.org"
+LICENSE="GPL-2"
+
+SLOT="0"
+IUSE="nautilus networking network-manager passwordless-root pandoc-bin"
+
+DEPEND="app-emulation/qubes-libvchan-xen
+ app-emulation/qubes-db
+ app-emulation/qubes-utils
+ net-misc/socat
+ x11-misc/notification-daemon
+ x11-misc/xdg-utils
+ sys-apps/gentoo-systemd-integration
+ gnome-extra/zenity
+ pandoc-bin? (
+ app-text/pandoc-bin
+ )
+ !pandoc-bin? (
+ app-text/pandoc
+ )
+ networking? (
+ sys-apps/ethtool
+ sys-apps/net-tools
+ net-firewall/iptables
+ net-proxy/tinyproxy
+
+ network-manager? (
+ net-misc/networkmanager
+ net-firewall/nftables
+ )
+ )
+ nautilus?
(
+ dev-python/nautilus-python
+ )
+ ${PYTHON_DEPS}
+ "
+RDEPEND="${DEPEND}"
+PDEPEND=""
+
+src_prepare() {
+ qubes_verify_sources_git "${EGIT_COMMIT}"
+
+ default
+}
+
+src_compile() {
+ # Fix PAM
+ sed -i 's/postlogin/system-auth/g' passwordless-root/pam.d_su.qubes
+
+ # Fix modules-load.d path
+ sed -i 's|$(SYSLIBDIR)/modules-load.d|$(LIBDIR)/modules-load.d|g' Makefile
+
+ # Fix for network tools paths
+ sed -i 's:/sbin/ifconfig:/bin/ifconfig:g' network/*
+ sed -i 's:/sbin/route:/bin/route:g' network/*
+ sed -i 's:/sbin/ethtool:/usr/sbin/ethtool:g' network/*
+ sed -i 's:/sbin/ip:/bin/ip:g' network/*
+
+ myopt="${myopt} DESTDIR="${D}" SYSTEMD=1 BACKEND_VMM=xen"
+ for dir in qubes-rpc misc; do
+ emake ${myopt} -C "$dir"
+ done
+}
+
+src_install() {
+ emake ${myopt} install-corevm
+ emake ${myopt} -C app-menu install
+ emake ${myopt} -C filesystem install
+ emake ${myopt} -C misc install
+ emake ${myopt} -C qubes-rpc install
+ emake ${myopt} -C package-managers install
+ if use passwordless-root; then
+ emake ${myopt} -C passwordless-root install
+ fi
+ if use nautilus; then
+ emake ${myopt} -C qubes-rpc/nautilus install
+ fi
+
+ if use networking; then
+ if use network-manager; then
+ emake ${myopt} install-netvm
+ fi
+ emake ${myopt} -C network install
+ emake ${myopt} install-networking
+ fi
+
+ insopts -m 0644
+ insinto /usr/lib/systemd/system/
+ doins "${FILESDIR}"/qubes-ensure-lib-modules.service
+
+ # Remove things unwanted in Gentoo
+ ${myopt} rm -r "$DESTDIR/etc/yum"*
+ ${myopt} rm -r "$DESTDIR/etc/dnf"*
+ ${myopt} rm -r "$DESTDIR/etc/init.d"
+}
+
+pkg_preinst() {
+ update_default_user
+
+ mkdir -p /var/lib/qubes
+
+ if [ -e /etc/fstab ]; then
+ mv /etc/fstab /var/lib/qubes/fstab.orig
+ fi
+
+ usermod -L root
+ usermod -L user
+}
+
+pkg_postinst() {
+ update_qubesconfig
+
+ mkdir -p /usr/lib/modules
+ ln -sf /usr/lib/modules /lib/
+ systemctl enable qubes-ensure-lib-modules.service
+
+ if [ -e /etc/init/serial.conf ] && !
[ -f /var/lib/qubes/serial.orig ]; then
+ cp /etc/init/serial.conf /var/lib/qubes/serial.orig
+ fi
+
+ # Remove most of the udev scripts to speed up the VM boot time
+ # Just leave the xen* scripts, that are needed if this VM was
+ # ever used as a net backend (e.g. as a VPN domain in the future)
+ mkdir -p /var/lib/qubes/removed-udev-scripts
+ for f in /etc/udev/rules.d/*
+ do
+ if [ "$(basename "$f")" == "xen-backend.rules" ]; then
+ continue
+ fi
+
+ if echo "$f" | grep -q qubes; then
+ continue
+ fi
+
+ mv "$f" /var/lib/qubes/removed-udev-scripts/
+ done
+
+ mkdir -p /var/lib/qubes/removed-modules-load.d/
+ if [ -e /usr/lib/modules-load.d/xen.conf ]; then
+ mv /usr/lib/modules-load.d/xen.conf /var/lib/qubes/removed-modules-load.d/
+ fi
+
+ if [ -e /var/lib/qubes/dom0-updates ]; then
+ chgrp user /var/lib/qubes/dom0-updates
+ fi
+
+ mkdir -p /rw
+
+ configure_notification_daemon
+ configure_selinux
+ configure_systemd 1
+
+ if use networking; then
+ if use network-manager; then
+ systemctl enable qubes-network.service
+ systemctl enable qubes-firewall.service
+ systemctl enable qubes-iptables.service
+ systemctl enable qubes-updates-proxy.service
+
+ # Create NetworkManager configuration if we do not have it
+ if !
[ -e /etc/NetworkManager/NetworkManager.conf ]; then
+ echo '[main]' > /etc/NetworkManager/NetworkManager.conf
+ echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
+ echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
+ fi
+
+ /usr/lib/qubes/qubes-fix-nm-conf.sh
+ fi
+ fi
+}
+
+pkg_prerm() {
+ systemctl disable qubes-ensure-lib-modules.service
+
+ if [ -e /var/lib/qubes/fstab.orig ]; then
+ mv /var/lib/qubes/fstab.orig /etc/fstab
+ fi
+
+ for f in /var/lib/qubes/removed-udev-scripts/*
+ do
+ mv /var/lib/qubes/removed-udev-scripts/"$f" /etc/udev/rules.d/
+ done
+
+ if [ -e /var/lib/qubes/removed-modules-load.d/xen.conf ]; then
+ mv /var/lib/qubes/removed-modules-load.d/xen.conf /usr/lib/modules-load.d/xen.conf
+ fi
+
+ if [ -e /var/lib/qubes/serial.orig ]; then
+ mv /var/lib/qubes/serial.orig /etc/init/serial.conf
+ fi
+
+ # Run this only during uninstall.
+ # Save the preset file to later use it to re-preset services there
+ # once the Qubes OS preset file is removed.
+ mkdir -p /run/qubes-uninstall
+ cp -f /lib/systemd/system-preset/75-qubes-vm.preset /run/qubes-uninstall/
+
+ if use networking; then
+ if use network-manager; then
+ systemctl disable qubes-network.service
+ systemctl disable qubes-firewall.service
+ systemctl disable qubes-iptables.service
+ systemctl disable qubes-updates-proxy.service
+ fi
+ fi
+}
+
+pkg_postrm() {
+ changed=
+
+ if [ -d /run/qubes-uninstall ]; then
+ # We have a saved preset file (or more).
+ # Re-preset the units mentioned there.
+ restore_units /run/qubes-uninstall/75-qubes-vm.preset
+ rm -rf /run/qubes-uninstall
+ changed=true
+ fi
+
+ if [ -n "$changed" ]; then
+ systemctl daemon-reload
+ fi
+
+ if [ -L /lib/firmware/updates ]; then
+ rm /lib/firmware/updates
+ fi
+
+ rm -rf /var/lib/qubes/xdg
+
+ for srv in qubes-sysinit qubes-misc-post qubes-mount-dirs; do
+ systemctl disable $srv.service
+ done
+}
+
+###
+
+update_default_user() {
+ # Make sure there is a qubes group
+ groupadd --force --system --gid 98 qubes
+
+ id -u 'user' >/dev/null 2>&1 || {
+ useradd --user-group --create-home --shell /bin/bash user
+ }
+
+ usermod -a --groups qubes user
+}
+
+configure_notification_daemon() {
+ # Enable autostart of notification-daemon when installed
+ if [ ! -L /etc/xdg/autostart/notification-daemon.desktop ]; then
+ ln -sf /usr/share/applications/notification-daemon.desktop /etc/xdg/autostart/
+ fi
+}
+
+configure_selinux() {
+ if [ -e /etc/selinux/config ]; then
+ sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
+ setenforce 0 2>/dev/null
+ fi
+}
+
+update_qubesconfig() {
+ # Remove old firmware updates link
+ if [ -L /lib/firmware/updates ]; then
+ rm -f /lib/firmware/updates
+ fi
+
+ # convert /usr/local symlink to a mount point
+ if [ -L /usr/local ]; then
+ rm -f /usr/local
+ mkdir /usr/local
+ mount /usr/local || :
+ fi
+
+ if ! [ -r /etc/dconf/profile/user ]; then
+ mkdir -p /etc/dconf/profile
+ echo "user-db:user" >> /etc/dconf/profile/user
+ echo "system-db:local" >> /etc/dconf/profile/user
+ fi
+
+ dconf update &> /dev/null || :
+
+ # Location of files which contains list of protected files
+ mkdir -p /etc/qubes/protected-files.d
+ # shellcheck source=init/functions
+ . /usr/lib/qubes/init/functions
+
+ # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
+ if ! is_protected_file /etc/hosts; then
+ if !
grep -q localhost /etc/hosts; then
+
+ cat < /etc/hosts
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 $(hostname)
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
+EOF
+
+ fi
+ fi
+
+ # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
+ # in the form expected by qubes-sysinit.sh
+ if ! is_protected_file /etc/hostname; then
+ for ip in '127\.0\.0\.1' '::1'; do
+ if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
+ sed -i "/^${ip}\s/,+0s/\(\s$(hostname)\)\+\(\s\|$\)/\2/g" /etc/hosts
+ sed -i "s/^${ip}\(\s\|$\).*$/\0 $(hostname)/" /etc/hosts
+ else
+ echo "${ip} $(hostname)" >> /etc/hosts
+ fi
+ done
+ fi
+
+}
+
+is_static() {
+ [ -f "/usr/lib/systemd/system/$1" ] && ! grep -q '^[[].nstall]' "/usr/lib/systemd/system/$1"
+}
+
+is_masked() {
+ if [ ! -L /etc/systemd/system/"$1" ]; then
+ return 1
+ fi
+ target=$(readlink /etc/systemd/system/"$1" 2>/dev/null) || :
+ if [ "$target" = "/dev/null" ]; then
+ return 0
+ fi
+ return 1
+}
+
+mask() {
+ ln -sf /dev/null /etc/systemd/system/"$1"
+}
+
+unmask() {
+ if ! is_masked "$1"; then
+ return 0
+ fi
+ rm -f /etc/systemd/system/"$1"
+}
+
+preset_units() {
+ local represet=
+ while read -r action unit_name
+ do
+ if [ "$action" = "#" ] && [ "$unit_name" = "Units below this line will be re-preset on package upgrade" ]; then
+ represet=1
+ continue
+ fi
+ echo "$action $unit_name" | grep -q '^[[:space:]]*[^#;]' || continue
+ [[ -n "$action" && -n "$unit_name" ]] || continue
+ if [ "$2" = "initial" ] || [ "$represet" = "1" ]; then
+ if [ "$action" = "disable" ] && is_static "$unit_name"; then
+ if ! is_masked "$unit_name"; then
+ # We must effectively mask these units, even if they are static.
+ mask "$unit_name"
+ fi
+ elif [ "$action" = "enable" ] && is_static "$unit_name"; then
+ if is_masked "$unit_name"; then
+ # We masked this static unit before, now we unmask it.
+ unmask "$unit_name"
+ fi
+ systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
+ else
+ systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
+ fi
+ fi
+ done < "$1"
+}
+
+restore_units() {
+ grep '^[[:space:]]*[^#;]' "$1" | while read -r action unit_name
+ do
+ if is_static "$unit_name" && is_masked "$unit_name"; then
+ # If the unit had been masked by us, we must unmask it here.
+ # Otherwise systemctl preset will fail badly.
+ unmask "$unit_name"
+ fi
+ systemctl --no-reload preset "$unit_name" >/dev/null 2>&1 || :
+ done
+}
+
+configure_systemd() {
+ if [ "$1" -eq 1 ]; then
+ preset_units /lib/systemd/system-preset/75-qubes-vm.preset initial
+ changed=true
+ else
+ preset_units /lib/systemd/system-preset/75-qubes-vm.preset upgrade
+ changed=true
+ # Upgrade path - now qubes-iptables is used instead
+ for svc in iptables ip6tables
+ do
+ if [ -f "$svc".service ]; then
+ systemctl --no-reload preset "$svc".service
+ changed=true
+ fi
+ done
+ fi
+
+ if [ "$1" -eq 1 ]; then
+ # First install.
+ # Set default "runlevel".
+ # FIXME: this ought to be done via kernel command line.
+ # The fewer deviations of the template from the seed
+ # image, the better.
+ rm -f /etc/systemd/system/default.target
+ ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+ changed=true
+ fi
+
+ # remove old symlinks
+ if [ -L /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service ]; then
+ rm -f /etc/systemd/system/sysinit.target.wants/qubes-random-seed.service
+ changed=true
+ fi
+ if [ -L /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service ]; then
+ rm -f /etc/systemd/system/multi-user.target.wants/qubes-mount-home.service
+ changed=true
+ fi
+
+ if [ -n "$changed" ]; then
+ systemctl daemon-reload
+ fi
+}