diff --git a/Makefile b/Makefile index 125a7a6..f491f9c 100644 --- a/Makefile +++ b/Makefile @@ -74,8 +74,6 @@ install-sysvinit: install-rh: install-systemd install-sysvinit - install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab - install -D -m 0644 misc/qubes-r2.repo $(DESTDIR)/etc/yum.repos.d/qubes-r2.repo install -d $(DESTDIR)/usr/share/glib-2.0/schemas/ install -m 0644 misc/org.gnome.settings-daemon.plugins.updates.gschema.override $(DESTDIR)/usr/share/glib-2.0/schemas/ @@ -102,6 +100,8 @@ install-rh: install-systemd install-sysvinit install -m 0400 -D network/ip6tables $(DESTDIR)/usr/lib/qubes/init/ip6tables install-common: + install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab + install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes install -d $(DESTDIR)/var/lib/qubes @@ -198,5 +198,8 @@ install-deb: install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6 install -d $(DESTDIR)/etc/sysctl.d install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/ + install -D -m 644 misc/profile.d_qt_x11_no_mitshm.sh $(DESTDIR)/etc/profile.d/qt_x11_no_mitshm.sh + install -D -m 440 misc/sudoers.d_umask $(DESTDIR)/etc/sudoers.d/umask + install -D -m 440 misc/sudoers.d_qt_x11_no_mitshm $(DESTDIR)/etc/sudoers.d/qt_x11_no_mitshm install-vm: install-rh install-common diff --git a/debian/control b/debian/control index 749030f..adb6c07 100644 --- a/debian/control +++ b/debian/control 
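Review bot: The `misc/fstab` install that now sits in `install-common` makes the package write `/etc/fstab` for every build that uses that target, while the preinst hunk of this commit drops the `mv /etc/fstab /var/lib/qubes/fstab.orig` backup. Mount options an administrator set locally, such as `nosuid` or `nodev` entries, may then be replaced with no copy kept. Consider keeping the backup step in the preinst, or state the intent above the line, for example `# /etc/fstab is fully managed by this package; local edits are replaced on install`. The body of `install-common` continues outside the hunk.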
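Review bot: The two `/etc/sudoers.d` fragments added under `install-deb` are installed without a syntax check, and a fragment that fails to parse there can leave sudo unusable in the VM. A build-time `visudo -cf misc/sudoers.d_umask` (and the same for `misc/sudoers.d_qt_x11_no_mitshm`) before the `install` lines would catch that. The file contents are not part of this diff; if `misc/sudoers.d_umask` carries over the `Defaults umask = 0002` and `Defaults umask_override` lines that the postinst hunk removes, files created through sudo become group-writable although the removed comment speaks of 022, so the intended value deserves a comment in that file. The generic target names `umask` and `qt_x11_no_mitshm` could also collide with an administrator's own fragments; a `qubes-` prefix would make ownership clear.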
@@ -2,14 +2,14 @@ Source: qubes-core-agent Section: admin Priority: extra Maintainer: Davíð Steinn Geirsson -Build-Depends: qubes-utils, libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5) +Build-Depends: qubes-utils (>= 2.0.17), libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5) Standards-Version: 3.9.3 Homepage: http://www.qubes-os.org Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, ethtool, python2.7, python-gi, init-system-helpers, xdg-user-dirs, iptables, net-tools, initscripts, imagemagick, fakeroot, systemd, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils (>= 2.0.17), libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, ethtool, python2.7, python-gi, init-system-helpers, xdg-user-dirs, iptables, net-tools, initscripts, imagemagick, fakeroot, systemd, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, ${shlibs:Depends}, ${misc:Depends} Recommends: tinyproxy, gnome-themes-standard, chrony, ntpdate, haveged, network-manager (>= 0.8.1-1), network-manager-gnome, xsettingsd, nautilus-actions, libnotify-bin, notify-osd, gnome-packagekit, gnome-terminal Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit Description: Qubes core agent diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index d7dc396..beeb3f2 100755 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst 
@@ -158,9 +158,8 @@ disableSystemdUnits() { if fgrep -q '[Install]' /lib/systemd/system/${unit}; then systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit} else - # Forcibly disable - echo "Forcibly disabling: ${unit}" - ln -sf /dev/null /etc/systemd/system/${unit} + echo "Masking service: ${unit}" + systemctl mask ${unit} fi else systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit} @@ -180,9 +179,7 @@ enableSystemdUnits() { #displayFailedStatus is-enabled ${unit} } || { echo "Enabling: ${unit}..." - systemctl enable ${unit} > /dev/null 2>&1 && { - systemctl start ${unit} > /dev/null 2>&1 || displayFailedStatus start ${unit} - } || { + systemctl enable ${unit} > /dev/null 2>&1 || { echo "Could not enable: ${unit}" displayFailedStatus enable ${unit} } @@ -209,23 +206,9 @@ case "${1}" in splash-manager \ start-ttys \ tty ; do - if [ -e /etc/init/${init}.conf ]; then - mv -f /etc/init/${init}.conf /etc/init/${init}.conf.disabled - fi + dpkg-divert --divert /etc/init/${init}.conf.qubes-disabled --package qubes-core-agent --rename --add /etc/init/${init}.conf done - # Stops Qt form using the MIT-SHM X11 Shared Memory Extension - echo 'export QT_X11_NO_MITSHM=1' > /etc/profile.d/qt_x11_no_mitshm.sh - chmod 0755 /etc/profile.d/qt_x11_no_mitshm.sh - - # Sudo's defualt umask is 077 so set sane default of 022 - # Also don't allow QT to used shared memory to prevent errors - echo 'Defaults umask = 0002' > /etc/sudoers.d/umask - echo 'Defaults umask_override' >> /etc/sudoers.d/umask - chmod 0440 /etc/sudoers.d/umask - echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm - chmod 0440 /etc/sudoers.d/qt_x11_no_mitshm - # Create NetworkManager configuration if we do not have it if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then echo '[main]' > /etc/NetworkManager/NetworkManager.conf 
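Review bot: The new `systemctl mask ${unit}` in the else branch is the only systemctl call visible in `disableSystemdUnits` whose failure is not reported; the sibling branches send failures to `displayFailedStatus`. A unit that could not be masked stays startable, which matters because these are services the package wants off inside the VM. Suggest `systemctl mask "${unit}" > /dev/null 2>&1 || displayFailedStatus mask "${unit}"`, assuming `displayFailedStatus` accepts any action word as it does for `disable` and `enable`. The function body starts and ends outside the hunk.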
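Review bot: The `dpkg-divert --add` call in this loop has no matching removal in the visible part of the commit, so the diverted `/etc/init/*.conf` files would stay renamed to `.qubes-disabled` after the package is removed; the `serial.conf` diversion added in the later postinst hunk has the same gap. If no postrm handles this already, add there `dpkg-divert --package qubes-core-agent --rename --remove /etc/init/${init}.conf` for the same list. Systems upgraded from the previous version also keep the `*.conf.disabled` files made by the removed `mv -f`, which the diversion does not cover, so those jobs are tracked in two different ways. The `for` header of the loop is outside the hunk.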
@@ -238,15 +221,6 @@ case "${1}" in rm -f /lib/firmware/updates fi - #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then - # echo >> /etc/yum.conf - # echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf - # echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf - #fi - - # Revert 'Prevent unnecessary updates in VMs': - #sed -i -e '/^exclude = kernel/d' /etc/yum.conf - # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is # in the form expected by qubes-sysinit.sh for ip in '127\.0\.1\.1' '::1'; do 
@@ -263,45 +237,7 @@ case "${1}" in chown user:user /home_volatile/user - #if [ "${1}" != 1 ] ; then - # # do the rest of %post thing only when updating for the first time... - # exit 0 - #fi - - if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then - cp /etc/init/serial.conf /var/lib/qubes/serial.orig - fi - - # Remove most of the udev scripts to speed up the VM boot time - # Just leave the xen* scripts, that are needed if this VM was - # ever used as a net backend (e.g. as a VPN domain in the future) - #echo "--> Removing unnecessary udev scripts..." - mkdir -p /var/lib/qubes/removed-udev-scripts - for f in /etc/udev/rules.d/* - do - if [ $(basename ${f}) == "xen-backend.rules" ] ; then - continue - fi - - if [ $(basename ${f}) == "50-qubes-misc.rules" ] ; then - continue - fi - - if echo ${f} | grep -q qubes; then - continue - fi - - mv ${f} /var/lib/qubes/removed-udev-scripts/ - done - - # Create /rw directory - mkdir -p /rw - - # XXX: TODO: Needs to be implemented still - #rm -f /etc/mtab - #echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0" - #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig - #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0 + dpkg-divert --divert /etc/init/serial.conf.qubes-orig --package qubes-core-agent --rename --add /etc/init/serial.conf # Enable Qubes systemd units enableSystemdUnits \ 
@@ -315,19 +251,7 @@ case "${1}" in qubes-qrexec-agent.service # Set default "runlevel" - rm -f /etc/systemd/system/default.target - ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target - - # Copy ip(|6)tables into place if they do not already exist in filesystem. - # This prevents conflict with iptables-service with fc21 and also put config - # in proper place for debian - mkdir -p '/etc/iptables' - if [ ! -f '/etc/iptables/rules.v4' ]; then - cp -p /usr/lib/qubes/init/iptables /etc/iptables/rules.v4 - fi - if [ ! -f '/etc/iptables/rules.v6' ]; then - cp -p /usr/lib/qubes/init/ip6tables /etc/iptables/rules.v6 - fi + systemctl set-default multi-user.target # Process all triggers which will set defaults to wanted values triggerTriggers @@ -371,13 +295,12 @@ case "${1}" in # Enable other systemd units enableSystemdUnits \ - rsyslog.service + rsyslog.service \ + netfilter-persistent.service # XXX: TODO: Needs to be implemented still # These do not exist on debian; maybe a different package name - # iptables.service \ # ntpd.service \ - # ip6tables.service \ ;; abort-upgrade|abort-remove|abort-deconfigure) @@ -408,14 +331,12 @@ case "${1}" in # Enable cups only when it is real Systemd service /lib/systemd/system/cups.service) - echo "Enabling cups" [ -e /lib/systemd/system/cups.service ] && enableSystemdUnits cups.service ;; # "Enable haveged service" /lib/systemd/system/haveged.service) - echo "Enabling haveged service" - enableSystemdUnits haveged.service + [ -e /lib/systemd/system/haveged.service ] && enableSystemdUnits haveged.service ;; # Install overridden serial.conf init script diff --git a/debian/qubes-core-agent.preinst b/debian/qubes-core-agent.preinst index a6b96e2..0302e29 100755 --- a/debian/qubes-core-agent.preinst +++ b/debian/qubes-core-agent.preinst 
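Review bot: `netfilter-persistent.service` is added to the `enableSystemdUnits` list, but the `Depends:` line in `debian/control` names only `iptables-persistent`, so on a release where that package does not pull in netfilter-persistent the unit would be missing. From the visible part of `enableSystemdUnits`, a failed enable only prints `Could not enable: ${unit}` and calls `displayFailedStatus`, so the install appears to continue while the rules in `/etc/iptables/rules.v4` and `rules.v6` are never loaded at boot. Either add `netfilter-persistent` to `Depends:`, or make the gap loud with a guard before the list such as `[ -e /lib/systemd/system/netfilter-persistent.service ] || echo "netfilter-persistent.service missing: firewall rules will not be restored at boot"`. The surrounding `case` branch starts outside the hunk.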
@@ -41,10 +41,6 @@ if [ "$1" = "install" ] ; then mkdir -p /lib/modules #mkdir -p -m 0700 /var/log/xen # xen-utils-common should do this - if [ -e /etc/fstab ] ; then - mv /etc/fstab /var/lib/qubes/fstab.orig - fi - # -------------------------------------------------------------------------- # Many Qubes scripts reference /bin/sh expecting the shell to be bash but # in Debian it is dash so some scripts will fail so force an alternate for @@ -52,36 +48,11 @@ if [ "$1" = "install" ] ; then # -------------------------------------------------------------------------- update-alternatives --force --install /bin/sh sh /bin/bash 999 - # -------------------------------------------------------------------------- - # Modules setup - # -------------------------------------------------------------------------- - echo "xen_netfront" >> /etc/modules - # -------------------------------------------------------------------------- # Remove `mesg` from root/.profile? # -------------------------------------------------------------------------- sed -i -e '/^mesg n/d' /root/.profile - # -------------------------------------------------------------------------- - # Update /etc/fstab - # -------------------------------------------------------------------------- - cat > /etc/fstab <