diff --git a/debian/qubes-core-agent.dirs b/debian/qubes-core-agent.dirs
index fa73b65..9677265 100644
--- a/debian/qubes-core-agent.dirs
+++ b/debian/qubes-core-agent.dirs
@@ -1,2 +1,3 @@
 var/lib/qubes
 lib/modules
+etc/qubes/protected-files.d
diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst
index e4a9872..f188b2f 100755
--- a/debian/qubes-core-agent.postinst
+++ b/debian/qubes-core-agent.postinst
@@ -188,11 +188,11 @@ case "${1}" in
 fi
 # Location of files which contains list of protected files
- PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+ PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
 # in the form expected by qubes-sysinit.sh
- if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+ if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 for ip in '127\.0\.1\.1' '::1'; do
 if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
 sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
@@ -205,7 +205,7 @@ case "${1}" in
 # remove hostname from 127.0.0.1 line (in debian the hostname is by default
 # resolved to 127.0.1.1)
- if ! grep -q "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+ if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
 fi
diff --git a/network/setup-ip b/network/setup-ip
index 13adef7..30cd11c 100755
--- a/network/setup-ip
+++ b/network/setup-ip
@@ -7,7 +7,7 @@ disablegw=`qubesdb-read /qubes-service/disable-default-route 2> /dev/null`
 disabledns=`qubesdb-read /qubes-service/disable-dns-server 2> /dev/null`
 # Location of files which contains list of protected files
-PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 ip=`/usr/bin/qubesdb-read /qubes-ip 2> /dev/null`
 if [ x$ip != x ]; then
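Review bot: In debian/qubes-core-agent.postinst (hunk at line 188, and again at 205) the check now reads only `/etc/qubes/protected-files.d`, so entries a user already placed in `/var/lib/qubes/protected-files` are no longer honoured, and this same postinst run would then edit `/etc/hosts` during the upgrade. Nothing visible in the diff migrates or still consults the old list; the same holds for the checks in network/setup-ip, rpm_spec/core-vm.spec, vm-init.d/qubes-core and vm-systemd/qubes-sysinit.sh. I would keep the old file as a fallback for a transition period, for example `if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" /var/lib/qubes/protected-files 2>/dev/null; then`, or copy it into the new directory before the first check runs. The enclosing `case` block starts and ends outside the hunk.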
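Review bot: The comment above `PROTECTED_FILE_LIST` in network/setup-ip (hunk at line 7) still describes the old single list, while the variable now names a directory that is searched recursively. I would reword it to state the contract the anchored patterns imply: `# Directory of drop-in lists: one absolute path per line; a listed path is skipped by the checks below`. The same comment is carried over unchanged in the postinst, core-vm.spec, qubes-core and qubes-sysinit.sh hunks and should get the same wording.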
@@ -22,7 +22,7 @@ if [ x$ip != x ]; then
 fi
 /sbin/ethtool -K $INTERFACE sg off
 /sbin/ethtool -K $INTERFACE tx off
- if ! grep -q "^/etc/resolv[.]conf$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+ if ! grep -rq "^/etc/resolv[.]conf$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 echo > /etc/resolv.conf
 if [ "x$disabledns" != "x1" ]; then
 echo "nameserver $gateway" > /etc/resolv.conf
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index 8bce180..21aaf09 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -240,10 +240,11 @@ fi
 sed -i -e '/^exclude = kernel/d' /etc/yum.conf
 # Location of files which contains list of protected files
-PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+mkdir -p /etc/qubes/protected-files.d
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
-if ! grep -q "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 if ! grep -q localhost /etc/hosts; then
 cat < /etc/hosts
 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
@@ -254,7 +255,7 @@ fi
 # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
 # in the form expected by qubes-sysinit.sh
-if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 for ip in '127\.0\.0\.1' '::1'; do
 if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
 sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
diff --git a/vm-init.d/qubes-core b/vm-init.d/qubes-core
index cd0a6dc..06c9159 100755
--- a/vm-init.d/qubes-core
+++ b/vm-init.d/qubes-core
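Review bot: The `grep -rq ... 2>/dev/null` test in network/setup-ip (hunk at line 22) treats every non-zero exit status as "not protected", so an unreadable or missing `/etc/qubes/protected-files.d` silently ends with `/etc/resolv.conf` being overwritten. Separating status 1 (no match) from status 2 (error) would make a broken list visible, e.g. capture `rc=$?` after the grep and add `[ "$rc" -ge 2 ] && echo "cannot read ${PROTECTED_FILE_LIST}" >&2`. The recursive search also reads every file under the directory, so editor backups or package-manager leftovers of a list keep taking effect; that is the safe direction, but it should be documented. The same pattern is used at every other check in this commit, and the surrounding `if [ x$ip != x ]` block continues outside the hunk.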
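Review bot: `mkdir -p /etc/qubes/protected-files.d` in rpm_spec/core-vm.spec (hunk at line 240) creates the directory outside RPM's file tracking, so its mode follows the scriptlet's umask and `rpm -V` will not report later changes to it. The Debian side declares the directory in qubes-core-agent.dirs instead. Because the boot scripts trust the contents of this directory to decide which system files they leave alone, I would have the package own it with `%dir %attr(0755,root,root) /etc/qubes/protected-files.d` in the `%files` section (not visible in this hunk) and drop the `mkdir`. The scriptlet this hunk belongs to starts and ends outside it.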
@@ -21,10 +21,10 @@ start()
 chmod 0775 /var/run/qubes
 # Location of files which contains list of protected files
- PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+ PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 # Set the hostname
- if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+ if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 name=$(/usr/bin/qubesdb-read /name)
 if ! [ -f /etc/this-is-dvm ] ; then
 # we don't want to set hostname for DispVM
@@ -36,7 +36,7 @@ start()
 fi
 # Set the timezone
- if ! grep -q "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+ if ! grep -rq "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 timezone=`/usr/bin/qubesdb-read /qubes-timezone 2> /dev/null`
 if [ -n "$timezone" ]; then
 ln -f /usr/share/zoneinfo/$timezone /etc/localtime
diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh
index 06c74af..3c2cd20 100755
--- a/vm-systemd/qubes-sysinit.sh
+++ b/vm-systemd/qubes-sysinit.sh
@@ -11,7 +11,7 @@ QDB_READ=qubesdb-read
 QDB_LS=qubesdb-multiread
 # Location of files which contains list of protected files
-PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 read_service() {
 $QDB_READ /qubes-service/$1 2> /dev/null
@@ -70,7 +70,7 @@ for srv in `$QDB_LS /qubes-service/ 2>/dev/null |grep ' = 0'|cut -f 1 -d ' '`; d
 done
 # Set the hostname
-if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 name=`$QDB_READ /name`
 if [ -n "$name" ]; then
 hostname $name
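Review bot: The protected-file test in `start()` of vm-init.d/qubes-core (hunk at line 21) is the same `grep -rq "^PATH$" "${PROTECTED_FILE_LIST}" 2>/dev/null` line that this commit edits at nine call sites across five files. A small helper in a file the scripts already source would keep the lookup rule in one place, e.g. `is_protected_file() { grep -rqFx -- "$1" "${PROTECTED_FILE_LIST}" 2>/dev/null; }`, with callers written as `if ! is_protected_file /etc/hostname; then`. Using `-F -x` matches the whole line literally, which removes the need for escapes such as `resolv[.]conf`. `start()` begins and ends outside the hunk.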
@@ -85,7 +85,7 @@ if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 fi
 # Set the timezone
-if ! grep -q "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+if ! grep -rq "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 timezone=`$QDB_READ /qubes-timezone 2> /dev/null`
 if [ -n "$timezone" ]; then
 cp -p /usr/share/zoneinfo/$timezone /etc/localtime