diff --git a/debian/qubes-core-agent.dirs b/debian/qubes-core-agent.dirs new file mode 100644 index 0000000..9677265 --- /dev/null +++ b/debian/qubes-core-agent.dirs @@ -0,0 +1,3 @@ +var/lib/qubes +lib/modules +etc/qubes/protected-files.d diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index e4a9872..f188b2f 100755 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst @@ -188,11 +188,11 @@ case "${1}" in fi # Location of files which contains list of protected files - PROTECTED_FILE_LIST='/var/lib/qubes/protected-files' + PROTECTED_FILE_LIST='/etc/qubes/protected-files.d' # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is # in the form expected by qubes-sysinit.sh - if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then + if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then for ip in '127\.0\.1\.1' '::1'; do if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true @@ -205,7 +205,7 @@ case "${1}" in # remove hostname from 127.0.0.1 line (in debian the hostname is by default # resolved to 127.0.1.1) - if ! grep -q "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then + if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true fi diff --git a/network/setup-ip b/network/setup-ip index ae9d83b..7438810 100755 --- a/network/setup-ip +++ b/network/setup-ip @@ -7,7 +7,7 @@ else fi # Location of files which contains list of protected files -PROTECTED_FILE_LIST='/var/lib/qubes/protected-files' +PROTECTED_FILE_LIST='/etc/qubes/protected-files.d' # setup-ip is potentially invoked before qubes-sysinit.sh is done, therefore # we perform our xenstore reads here instead of relying on qvm-service 
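Review bot: In the `@@ -188,11` hunk of debian/qubes-core-agent.postinst, `PROTECTED_FILE_LIST` moves to `/etc/qubes/protected-files.d` without carrying over an existing `/var/lib/qubes/protected-files`, so after an upgrade any entries an administrator kept there stop being honoured and the `sed -i` edits to `/etc/hosts` run again. Because a failed lookup is read as "not protected", the loss is silent. The postinst is the natural place to migrate, before the first grep, for example `if [ -f /var/lib/qubes/protected-files ]; then cp -p /var/lib/qubes/protected-files "${PROTECTED_FILE_LIST}/<legacy-list-name>"; fi` (the target file name is a placeholder). The same gap applies to the scriptlet in rpm_spec/core-vm.spec, and the runtime readers in network/setup-ip, vm-init.d/qubes-core and vm-systemd/qubes-sysinit.sh depend on that migration having happened. The enclosing `case` branch starts and ends outside this hunk.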
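Review bot: The guard `if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null` in the `@@ -205,7` hunk of debian/qubes-core-agent.postinst treats every grep error as "not protected". An unreadable directory or drop-in makes grep exit non-zero with its message discarded, and the `sed -i` on `/etc/hosts` proceeds. With current GNU grep, `-r` also skips symbolic links found inside the directory, so a list symlinked into `protected-files.d` is ignored without any message, whereas `-R` follows them. A fixed-string whole-line match states the intent directly and keeps regex metacharacters in paths from mattering: `if ! grep -RqFx -- /etc/hosts "${PROTECTED_FILE_LIST}" 2>/dev/null; then`. The same expression is used in every other changed `grep` line of this commit.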
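Review bot: The comment above `PROTECTED_FILE_LIST` in the `@@ -7,7` hunk of network/setup-ip still reads as if the variable named one list file, while the value is now a directory that is searched recursively. What is placed in that directory decides whether this script rewrites `/etc/resolv.conf`, so the expected format belongs where the variable is defined, e.g. `# Directory of drop-in files; each line is the absolute path of a file the agent must not modify`. The same comment is left unchanged in debian/qubes-core-agent.postinst, rpm_spec/core-vm.spec, vm-init.d/qubes-core and vm-systemd/qubes-sysinit.sh.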
@@ -28,7 +28,7 @@ if [ x$ip != x ]; then fi /sbin/ethtool -K $INTERFACE sg off /sbin/ethtool -K $INTERFACE tx off - if ! grep -q "^/etc/resolv[.]conf$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then + if ! grep -rq "^/etc/resolv[.]conf$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then echo > /etc/resolv.conf if [ "x$disabledns" != "x1" ]; then echo "nameserver $gateway" > /etc/resolv.conf diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 2c976bc..c29ea83 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -232,10 +232,11 @@ fi sed -i -e '/^exclude = kernel/d' /etc/yum.conf # Location of files which contains list of protected files -PROTECTED_FILE_LIST='/var/lib/qubes/protected-files' +mkdir -p /etc/qubes/protected-files.d +PROTECTED_FILE_LIST='/etc/qubes/protected-files.d' # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content -if ! grep -q "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then +if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then if ! grep -q localhost /etc/hosts; then cat < /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname` @@ -246,7 +247,7 @@ fi # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is # in the form expected by qubes-sysinit.sh -if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then +if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then for ip in '127\.0\.0\.1' '::1'; do if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts diff --git a/vm-init.d/qubes-core b/vm-init.d/qubes-core index 3d66fe2..b817be2 100755 --- a/vm-init.d/qubes-core +++ b/vm-init.d/qubes-core 
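Review bot: The added `mkdir -p /etc/qubes/protected-files.d` in the `@@ -232,10` hunk of rpm_spec/core-vm.spec creates the directory from a scriptlet, so its mode follows the scriptlet's umask. Unless the `%files` section (not visible here) also lists it, the package does not own the directory and `rpm -V` will not report changes to its ownership or mode. The Debian side declares it in `debian/qubes-core-agent.dirs`; the RPM equivalent would be a `%dir /etc/qubes/protected-files.d` entry in `%files`, or at least `install -d -m 0755 /etc/qubes/protected-files.d` in place of the `mkdir`. The directory's contents control whether the agent rewrites `/etc/hosts`, so root-only write permissions are worth making explicit.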
@@ -22,11 +22,11 @@ start() mkdir -p /var/run/xen-hotplug - # Location of files which contains list of protected files - PROTECTED_FILE_LIST='/var/lib/qubes/protected-files' + # Location of files which contains list of protected files + PROTECTED_FILE_LIST='/etc/qubes/protected-files.d' # Set the hostname - if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then + if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then name=$(/usr/bin/xenstore-read name) if ! [ -f /etc/this-is-dvm ] ; then # we don't want to set hostname for DispVM @@ -38,7 +38,7 @@ start() fi # Set the timezone - if ! grep -q "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then + if ! grep -rq "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then timezone=`/usr/bin/xenstore-read qubes-timezone 2> /dev/null` if [ -n "$timezone" ]; then ln -f /usr/share/zoneinfo/$timezone /etc/localtime diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index abab4e7..2b334f8 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -13,7 +13,7 @@ XS_LS=/usr/bin/xenstore-ls [ -x /usr/sbin/xenstore-ls ] && XS_LS=/usr/sbin/xenstore-ls # Location of files which contains list of protected files -PROTECTED_FILE_LIST='/var/lib/qubes/protected-files' +PROTECTED_FILE_LIST='/etc/qubes/protected-files.d' read_service() { $XS_READ qubes-service/$1 2> /dev/null @@ -64,7 +64,7 @@ for srv in `$XS_LS qubes-service 2>/dev/null |grep ' = "0"'|cut -f 1 -d ' '`; do done # Set the hostname -if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then +if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then name=`$XS_READ name` if [ -n "$name" ]; then hostname $name 
@@ -79,7 +79,7 @@ if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then fi # Set the timezone -if ! grep -q "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then +if ! grep -rq "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then timezone=`$XS_READ qubes-timezone 2> /dev/null` if [ -n "$timezone" ]; then cp -p /usr/share/zoneinfo/$timezone /etc/localtime
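Review bot: In the `@@ -79,7` hunk of vm-systemd/qubes-sysinit.sh the context line `cp -p /usr/share/zoneinfo/$timezone /etc/localtime` uses the value read from xenstore unquoted and unvalidated, so whitespace splits it into several arguments and a value containing `..` resolves outside `/usr/share/zoneinfo`. The commit does not touch this line and the xenstore key is presumably written by a trusted domain, but the line sits directly under the changed guard, and quoting plus a simple reject would close it: `case "$timezone" in *..*) ;; *) cp -p "/usr/share/zoneinfo/$timezone" /etc/localtime ;; esac`. vm-init.d/qubes-core has the same pattern with `ln -f` in its `@@ -38,7` hunk. The enclosing `if` blocks end outside the hunk.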