Changed location of PROTECTED_FILE_LIST to /etc/qubes/protected-files.d

debian/qubes-core-agent.dirs

@@ -0,0 +1,3 @@
+var/lib/qubes
+lib/modules
+etc/qubes/protected-files.d

debian/qubes-core-agent.postinst

@@ -188,11 +188,11 @@ case "${1}" in
         fi
 
         # Location of files which contains list of protected files
-        PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+        PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 
         # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
         # in the form expected by qubes-sysinit.sh
-        if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+        if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
             for ip in '127\.0\.1\.1' '::1'; do
                 if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
                     sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
@@ -205,7 +205,7 @@ case "${1}" in
 
         # remove hostname from 127.0.0.1 line (in debian the hostname is by default
         # resolved to 127.0.1.1)
-        if ! grep -q "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+        if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
             sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
         fi
 

network/setup-ip

@@ -7,7 +7,7 @@ else
 fi
 
 # Location of files which contains list of protected files
-PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 
 # setup-ip is potentially invoked before qubes-sysinit.sh is done, therefore
 # we perform our xenstore reads here instead of relying on qvm-service 
@@ -28,7 +28,7 @@ if [ x$ip != x ]; then
     fi
     /sbin/ethtool -K $INTERFACE sg off
     /sbin/ethtool -K $INTERFACE tx off
-    if ! grep -q "^/etc/resolv[.]conf$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+    if ! grep -rq "^/etc/resolv[.]conf$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
    	    echo > /etc/resolv.conf
         if [ "x$disabledns" != "x1" ]; then
             echo "nameserver $gateway" > /etc/resolv.conf

rpm_spec/core-vm.spec

@@ -232,10 +232,11 @@ fi
 sed -i -e '/^exclude = kernel/d' /etc/yum.conf
 
 # Location of files which contains list of protected files
-PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+mkdir -p /etc/qubes/protected-files.d
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 
 # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
-if ! grep -q "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
     if ! grep -q localhost /etc/hosts; then
       cat <<EOF > /etc/hosts
 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
@@ -246,7 +247,7 @@ fi
 
 # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
 # in the form expected by qubes-sysinit.sh
-if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
     for ip in '127\.0\.0\.1' '::1'; do
         if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
             sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts

vm-init.d/qubes-core

@@ -22,11 +22,11 @@ start()
 
 	mkdir -p /var/run/xen-hotplug
 
-    # Location of files which contains list of protected files
-    PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+	# Location of files which contains list of protected files
+	PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 
     # Set the hostname
-    if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then    
+    if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then    
     	name=$(/usr/bin/xenstore-read name)
     	if ! [ -f /etc/this-is-dvm ] ; then
     		# we don't want to set hostname for DispVM
@@ -38,7 +38,7 @@ start()
     fi
 
     # Set the timezone
-	if ! grep -q "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+	if ! grep -rq "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
     	timezone=`/usr/bin/xenstore-read qubes-timezone 2> /dev/null`
     	if [ -n "$timezone" ]; then
     		ln -f /usr/share/zoneinfo/$timezone /etc/localtime

vm-systemd/qubes-sysinit.sh

@@ -13,7 +13,7 @@ XS_LS=/usr/bin/xenstore-ls
 [ -x /usr/sbin/xenstore-ls ] && XS_LS=/usr/sbin/xenstore-ls
 
 # Location of files which contains list of protected files
-PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
 
 read_service() {
     $XS_READ qubes-service/$1 2> /dev/null
@@ -64,7 +64,7 @@ for srv in `$XS_LS qubes-service 2>/dev/null |grep ' = "0"'|cut -f 1 -d ' '`; do
 done
 
 # Set the hostname
-if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
     name=`$XS_READ name`
     if [ -n "$name" ]; then
         hostname $name
@@ -79,7 +79,7 @@ if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
 fi
 
 # Set the timezone
-if ! grep -q "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+if ! grep -rq "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
     timezone=`$XS_READ qubes-timezone 2> /dev/null`
     if [ -n "$timezone" ]; then
         cp -p /usr/share/zoneinfo/$timezone /etc/localtime