version 2.1.68

Previous (< 2.1.66) version of the package owned
/etc/sysconfig/iptables, the current on doesn't. This means that during
update, the file will be removed during cleanup phase. Since cleanup is
executing after %post, it will also remove symlink created there.
So move that code to %posttrans, which is executed after cleanup phase.

Fixes QubesOS/qubes-issues#1278

Makefile

@@ -5,6 +5,11 @@ VERSION := $(shell cat version)
 DIST ?= fc18
 KDESERVICEDIR ?= /usr/share/kde4/services
 SBINDIR ?= /usr/sbin
+LIBDIR ?= /usr/lib
+SYSLIBDIR ?= /lib
+
+PYTHON = /usr/bin/python2
+PYTHON_SITEARCH = `python2 -c 'import distutils.sysconfig; print distutils.sysconfig.get_python_lib(1)'`
 
 # This makefile uses some bash-isms, make uses /bin/sh by default.
 SHELL = /bin/bash
@@ -44,18 +49,20 @@ all:
 	make -C qubes-rpc
 
 install-systemd:
-	install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init $(DESTDIR)/lib/modules-load.d
+	install -d $(DESTDIR)$(SYSLIBDIR)/systemd/system{,-preset} $(DESTDIR)$(LIBDIR)/qubes/init $(DESTDIR)$(SYSLIBDIR)/modules-load.d
-	install -m 0755 vm-systemd/*.sh $(DESTDIR)/usr/lib/qubes/init/
+	install -m 0755 vm-systemd/*.sh $(DESTDIR)$(LIBDIR)/qubes/init/
-	install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)/lib/systemd/system/
+	install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)$(SYSLIBDIR)/systemd/system/
-	install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)/lib/systemd/system/
+	install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)$(SYSLIBDIR)/systemd/system/
-	install -m 0644 vm-systemd/ModemManager.service $(DESTDIR)/usr/lib/qubes/init/
+	install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
-	install -m 0644 vm-systemd/NetworkManager.service $(DESTDIR)/usr/lib/qubes/init/
+	install -m 0644 vm-systemd/ModemManager.service $(DESTDIR)$(LIBDIR)/qubes/init/
-	install -m 0644 vm-systemd/NetworkManager-wait-online.service $(DESTDIR)/usr/lib/qubes/init/
+	install -m 0644 vm-systemd/NetworkManager.service $(DESTDIR)$(LIBDIR)/qubes/init/
-	install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)/lib/modules-load.d/
+	install -m 0644 vm-systemd/NetworkManager-wait-online.service $(DESTDIR)$(LIBDIR)/qubes/init/
-	install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)/lib/modules-load.d/
+	install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
-	install -m 0644 vm-systemd/cups.* $(DESTDIR)/usr/lib/qubes/init/
+	install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
-	install -m 0644 vm-systemd/ntpd.service $(DESTDIR)/usr/lib/qubes/init/
+	install -m 0644 vm-systemd/cups.* $(DESTDIR)$(LIBDIR)/qubes/init/
-	install -m 0644 vm-systemd/chronyd.service $(DESTDIR)/usr/lib/qubes/init/
+	install -m 0644 vm-systemd/ntpd.service $(DESTDIR)$(LIBDIR)/qubes/init/
+	install -m 0644 vm-systemd/chronyd.service $(DESTDIR)$(LIBDIR)/qubes/init/
+	install -m 0644 vm-systemd/crond.service $(DESTDIR)$(LIBDIR)/qubes/init/
 
 install-sysvinit:
 	install -d $(DESTDIR)/etc/init.d
@@ -71,34 +78,32 @@ install-sysvinit:
 
 
 install-rh: install-systemd install-sysvinit
-	install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
-
 	install -D -m 0644 misc/qubes-r2.repo $(DESTDIR)/etc/yum.repos.d/qubes-r2.repo
 	install -d $(DESTDIR)/usr/share/glib-2.0/schemas/
 	install -m 0644 misc/org.gnome.settings-daemon.plugins.updates.gschema.override $(DESTDIR)/usr/share/glib-2.0/schemas/
 	install -m 0644 misc/org.gnome.nautilus.gschema.override $(DESTDIR)/usr/share/glib-2.0/schemas/
-	install -d $(DESTDIR)/usr/lib/yum-plugins/
+	install -d $(DESTDIR)$(LIBDIR)/yum-plugins/
-	install -m 0644 misc/yum-qubes-hooks.py* $(DESTDIR)/usr/lib/yum-plugins/
+	install -m 0644 misc/yum-qubes-hooks.py* $(DESTDIR)$(LIBDIR)/yum-plugins/
 	install -D -m 0644 misc/yum-qubes-hooks.conf $(DESTDIR)/etc/yum/pluginconf.d/yum-qubes-hooks.conf
 	install -d -m 755 $(DESTDIR)/etc/pki/rpm-gpg
 	install -m 644 misc/RPM-GPG-KEY-qubes* $(DESTDIR)/etc/pki/rpm-gpg/
-	install -D -m 644 misc/session-stop-timeout.conf $(DESTDIR)/usr/lib/systemd/system/user@.service.d/90-session-stop-timeout.conf
+	install -D -m 644 misc/session-stop-timeout.conf $(DESTDIR)$(LIBDIR)/systemd/system/user@.service.d/90-session-stop-timeout.conf
 
 
 	install -d $(DESTDIR)/etc/yum.conf.d
 	touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf
 
-	install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/
-	install -d $(DESTDIR)/var/lib/qubes/dom0-updates
 	install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
 
 	install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
 	install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
 
-	install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables
+	install -m 0400 -D network/iptables $(DESTDIR)/usr/lib/qubes/init/iptables
-	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
+	install -m 0400 -D network/ip6tables $(DESTDIR)/usr/lib/qubes/init/ip6tables
 
 install-common:
+	install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
+
 	install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
 
 	install -d $(DESTDIR)/var/lib/qubes
@@ -106,14 +111,14 @@ install-common:
 	install -D misc/xenstore-watch $(DESTDIR)/usr/bin/xenstore-watch-qubes
 	install -d $(DESTDIR)/etc/udev/rules.d
 	install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules
-	install -d $(DESTDIR)/usr/lib/qubes/
+	install -d $(DESTDIR)$(LIBDIR)/qubes/
-	install misc/vusb-ctl.py $(DESTDIR)/usr/lib/qubes/
+	install misc/vusb-ctl.py $(DESTDIR)$(LIBDIR)/qubes/
-	install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)/usr/lib/qubes/
+	install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)$(LIBDIR)/qubes/
 	install -D misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 	install -D misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules
 	install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs
-
+	install misc/qubes-download-dom0-updates.sh $(DESTDIR)$(LIBDIR)/qubes/
-	mkdir -p $(DESTDIR)/usr/lib/qubes
+	install -g user -m 2775 -d $(DESTDIR)/var/lib/qubes/dom0-updates
 
 	if [ -r misc/dispvm-dotfiles.$(DIST).tbz ] ; \
 	then \
@@ -122,14 +127,14 @@ install-common:
 		install misc/dispvm-dotfiles.tbz $(DESTDIR)/etc/dispvm-dotfiles.tbz ; \
 	fi;
 
-	install misc/dispvm-prerun.sh $(DESTDIR)/usr/lib/qubes/dispvm-prerun.sh
+	install misc/dispvm-prerun.sh $(DESTDIR)$(LIBDIR)/qubes/dispvm-prerun.sh
-	install misc/close-window $(DESTDIR)/usr/lib/qubes/close-window
+	install misc/close-window $(DESTDIR)$(LIBDIR)/qubes/close-window
 
 	install -m 0644 network/udev-qubes-network.rules $(DESTDIR)/etc/udev/rules.d/99-qubes-network.rules
-	install network/qubes-setup-dnat-to-ns $(DESTDIR)/usr/lib/qubes
+	install network/qubes-setup-dnat-to-ns $(DESTDIR)$(LIBDIR)/qubes
-	install network/qubes-fix-nm-conf.sh $(DESTDIR)/usr/lib/qubes
+	install network/qubes-fix-nm-conf.sh $(DESTDIR)$(LIBDIR)/qubes
-	install network/setup-ip $(DESTDIR)/usr/lib/qubes/
+	install network/setup-ip $(DESTDIR)$(LIBDIR)/qubes/
-	install network/network-manager-prepare-conf-dir $(DESTDIR)/usr/lib/qubes/
+	install network/network-manager-prepare-conf-dir $(DESTDIR)$(LIBDIR)/qubes/
 	install -d $(DESTDIR)/etc/dhclient.d
 	ln -s /usr/lib/qubes/qubes-setup-dnat-to-ns $(DESTDIR)/etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 	install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
@@ -137,9 +142,9 @@ install-common:
 	install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
 	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
 	install -m 0644 -D network/filter-updates $(DESTDIR)/etc/tinyproxy/filter-updates
-	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)/usr/lib/qubes/iptables-updates-proxy
+	install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)$(LIBDIR)/qubes/iptables-updates-proxy
 	install -d $(DESTDIR)/etc/xdg/autostart
-	install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)/usr/lib/qubes/show-hide-nm-applet.sh
+	install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh
 	install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
 
 	install -d $(DESTDIR)/$(SBINDIR)
@@ -149,18 +154,18 @@ install-common:
 	install -d $(DESTDIR)/usr/bin
 
 	install qubes-rpc/{qvm-open-in-dvm,qvm-open-in-vm,qvm-copy-to-vm,qvm-move-to-vm,qvm-run,qvm-mru-entry} $(DESTDIR)/usr/bin
-	install qubes-rpc/wrap-in-html-if-url.sh $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/wrap-in-html-if-url.sh $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/qvm-copy-to-vm.kde $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/qvm-copy-to-vm.kde $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/qvm-copy-to-vm.gnome $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/qvm-copy-to-vm.gnome $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/qvm-move-to-vm.kde $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/qvm-move-to-vm.kde $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/qvm-move-to-vm.gnome $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/qvm-move-to-vm.gnome $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/{vm-file-editor,qfile-agent,qopen-in-vm} $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/{vm-file-editor,qfile-agent,qopen-in-vm} $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/tar2qfile $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/tar2qfile $(DESTDIR)$(LIBDIR)/qubes
 	# Install qfile-unpacker as SUID - because it will fail to receive files from other vm
-	install -m 4755  qubes-rpc/qfile-unpacker $(DESTDIR)/usr/lib/qubes
+	install -m 4755  qubes-rpc/qfile-unpacker $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/qrun-in-vm $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/qrun-in-vm $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/sync-ntp-clock $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/sync-ntp-clock $(DESTDIR)$(LIBDIR)/qubes
-	install qubes-rpc/prepare-suspend $(DESTDIR)/usr/lib/qubes
+	install qubes-rpc/prepare-suspend $(DESTDIR)$(LIBDIR)/qubes
 	install -d $(DESTDIR)/$(KDESERVICEDIR)
 	install -m 0644 qubes-rpc/{qvm-copy.desktop,qvm-move.desktop,qvm-dvm.desktop} $(DESTDIR)/$(KDESERVICEDIR)
 	install -d $(DESTDIR)/etc/qubes-rpc
@@ -173,11 +178,17 @@ install-common:
 	install -m 0644 qubes-rpc/qubes.GetImageRGBA $(DESTDIR)/etc/qubes-rpc
 	install -m 0644 qubes-rpc/qubes.SetDateTime $(DESTDIR)/etc/qubes-rpc
 
-	install -d $(DESTDIR)/usr/share/file-manager/actions
+	install -d $(DESTDIR)/usr/share/nautilus-python/extensions
-	install -m 0644 qubes-rpc/*-gnome.desktop $(DESTDIR)/usr/share/file-manager/actions
+	install -m 0644 qubes-rpc/*_nautilus.py $(DESTDIR)/usr/share/nautilus-python/extensions
 
 	install -D -m 0755 misc/qubes-desktop-run $(DESTDIR)/usr/bin/qubes-desktop-run
-	install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf
+
+	mkdir -p $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/
+ifeq (1,${DEBIANBUILD})
+	install -m 0644 misc/xdg.py $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/
+else
+	install -m 0644 misc/xdg.py* $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/
+endif
 
 	install -d $(DESTDIR)/mnt/removable
 
@@ -189,11 +200,15 @@ install-common:
 
 install-deb:
 	mkdir -p $(DESTDIR)/etc/apt/sources.list.d
-	sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r2.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r2.list
+	sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r2.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r2.list
 	install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
 	install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4
 	install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6
+	install -D -m 644 network/00notify-hook $(DESTDIR)/etc/apt/apt.conf.d/00notify-hook
 	install -d $(DESTDIR)/etc/sysctl.d
 	install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
+	install -D -m 644 misc/profile.d_qt_x11_no_mitshm.sh $(DESTDIR)/etc/profile.d/qt_x11_no_mitshm.sh
+	install -D -m 440 misc/sudoers.d_umask $(DESTDIR)/etc/sudoers.d/umask
+	install -D -m 440 misc/sudoers.d_qt_x11_no_mitshm $(DESTDIR)/etc/sudoers.d/qt_x11_no_mitshm
 
 install-vm: install-rh install-common

Makefile.builder

@@ -1,7 +1,11 @@
 ifeq ($(PACKAGE_SET),vm)
+ifeq ($(UPGRADE_PKG_ONLY),yes)
+RPM_SPEC_FILES := rpm_spec/upgrade-vm.spec
+else
 RPM_SPEC_FILES := rpm_spec/core-vm.spec \
     rpm_spec/core-vm-doc.spec \
     rpm_spec/core-vm-kernel-placeholder.spec
+endif
 ARCH_BUILD_DIRS := archlinux
 DEBIAN_BUILD_DIRS := debian
 endif

archlinux/PKGBUILD

@@ -62,14 +62,14 @@ done
 package() {
   # Note: Archlinux removed use of directory such as /sbin /bin /usr/sbin (https://mailman.archlinux.org/pipermail/arch-dev-public/2012-March/022625.html)
   
-  (cd qrexec; make install DESTDIR=$pkgdir SBINDIR=/usr/bin)
+  (cd qrexec; make install DESTDIR=$pkgdir SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib)
 
-  make install-vm DESTDIR=$pkgdir SBINDIR=/usr/bin DIST=archlinux
+  make install-vm DESTDIR=$pkgdir SBINDIR=/usr/bin LIBDIR=/usr/lib SYSLIBDIR=/usr/lib DIST=archlinux
 
   # Change the place for iptable rules to match archlinux standard
   mkdir -p $pkgdir/etc/iptables
-  mv $pkgdir/etc/sysconfig/iptables $pkgdir/etc/iptables/iptables.rules
+  mv $pkgdir/usr/lib/qubes/init/iptables $pkgdir/etc/iptables/iptables.rules
-  mv $pkgdir/etc/sysconfig/ip6tables $pkgdir/etc/iptables/ip6tables.rules
+  mv $pkgdir/usr/lib/qubes/init/ip6tables $pkgdir/etc/iptables/ip6tables.rules
 
   # Remove things non wanted in archlinux
   rm -r $pkgdir/etc/yum*
@@ -78,7 +78,7 @@ package() {
   rm $pkgdir/etc/fstab
 
   # Install systemd script allowing to automount /lib/modules
-  install -m 644 $srcdir/PKGBUILD.qubes-ensure-lib-modules.service $pkgdir/lib/systemd/system/qubes-ensure-lib-modules.service
+  install -m 644 $srcdir/PKGBUILD.qubes-ensure-lib-modules.service ${pkgdir}/usr/lib/systemd/system/qubes-ensure-lib-modules.service
 
   # Archlinux specific: enable autologin on tty1
   mkdir -p $pkgdir/etc/systemd/system/getty@tty1.service.d/
@@ -88,6 +88,9 @@ ExecStart=
 ExecStart=-/usr/bin/agetty --autologin user --noclear %I 38400 linux
 EOF
 
+  # Archlinux packaging guidelines: /var/run is a symlink to a tmpfs. Don't create it
+  rm -r $pkgdir/var/run
+
 }
 
 # vim:set ts=2 sw=2 et:

archlinux/PKGBUILD.install

@@ -7,11 +7,11 @@ remove_ShowIn () {
 
 update_xdgstart () {
 
-# reenable abrt-aplet if disabled by some earlier version of package
+# reenable if disabled by some earlier version of package
-remove_ShowIn abrt-applet.desktop
+remove_ShowIn abrt-applet.desktop imsettings-start.desktop
 
 # don't want it at all
-for F in deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do
+for F in deja-dup-monitor krb5-auth-dialog pulseaudio restorecond sealertauto gnome-power-manager gnome-sound-applet gnome-screensaver orca-autostart; do
 	if [ -e /etc/xdg/autostart/$F.desktop ]; then
 		remove_ShowIn $F
 		echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/$F.desktop

debian/changelog

@@ -1,3 +1,381 @@
+qubes-core-agent (2.1.68) wheezy; urgency=medium
+
+  * Move iptables symlink creation to %posttrans
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Sat, 10 Oct 2015 06:33:46 +0200
+
+qubes-core-agent (2.1.67) wheezy; urgency=medium
+
+  [ Patrick Schleizer ]
+  * also inform in cli if no new updates are available (cherry picked
+    from commit e1e51627200cfbde50ec489145ad33495bac28ad)
+
+  [ Jason Mehring ]
+  * debian: Renamed incorrect filename:  00notiy-hook -> 00notify-hook
+
+  [ Marek Marczykowski-Górecki ]
+  * qubes-desktop-run: start the Dbus service (if needed)
+
+  [ Jason Mehring ]
+  * debian: Reformat depends in control for better readability
+
+  [ Marek Marczykowski-Górecki ]
+  * debian: remove `Recommends: chrony`
+  * Move .desktop launching code to python moules so it can be reused
+  * qubes-desktop-run: don't crash on Debian wheezy (glib < 2.36)
+  * debian: depend on gawk
+
+  [ Patrick Schleizer ]
+  * added missing dependency python-dbus to 'Depends:'
+  * added missing dependency xserver-xorg-dev
+
+  [ Marek Marczykowski-Górecki ]
+  * rpm: add dbus-python dependency
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Tue, 29 Sep 2015 12:49:05 +0200
+
+qubes-core-agent (2.1.66) wheezy; urgency=medium
+
+  * fedora: ensure that /etc/sysconfig/iptables exists (Fedora 20)
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Fri, 17 Jul 2015 16:11:50 +0200
+
+qubes-core-agent (2.1.65) wheezy; urgency=medium
+
+  * rpm: improve setting iptables rules
+  * fedora, debian: make sure that default locale is generated
+  * dom0-updates: make the tool working on Debian
+  * Do not override file pointed by /etc/localtime symlink
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Tue, 23 Jun 2015 20:12:30 +0200
+
+qubes-core-agent (2.1.64) wheezy; urgency=medium
+
+  [ Jason Mehring ]
+  * Set a default locale if missing
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Thu, 11 Jun 2015 04:05:51 +0200
+
+qubes-core-agent (2.1.63) wheezy; urgency=medium
+
+  * debian: fix apt sources.list generation (missing debian version
+    field)
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Mon, 08 Jun 2015 08:48:02 +0200
+
+qubes-core-agent (2.1.62) wheezy; urgency=medium
+
+  [ Jason Mehring ]
+  * debian: Only notify dom0 on apt-get post hook; don't update package
+    index
+  * debian: Allow apt-get post hook to fail gracefully (won't work in
+    chroot)
+
+  [ Marek Marczykowski-Górecki ]
+  * appmenus: hide message about missing /usr/local/share/applications
+  * rpm: mark service files as configuration to not override user
+    changes
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Tue, 02 Jun 2015 11:21:05 +0200
+
+qubes-core-agent (2.1.61) wheezy; urgency=medium
+
+  [ Jason Mehring ]
+  * debian: Update notification now notifies dom0 when an upgrade is
+    completed
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Tue, 28 Apr 2015 03:19:31 +0200
+
+qubes-core-agent (2.1.60) wheezy; urgency=medium
+
+  [ Marek Marczykowski-Górecki ]
+  * upgrade: package for simplify upgrade from R2 to R3.0
+  * network: restart updates proxy after network change to reload DNS
+    address
+
+  [ Jason Mehring ]
+  * whonix:  Added protected-files file used to prevent scripts from
+    modifying files that need to be protected
+  * Changed location of PROTECTED_FILE_LIST to /etc/qubes/protected-
+    files.d
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Sat, 25 Apr 2015 02:30:13 +0200
+
+qubes-core-agent (2.1.59) wheezy; urgency=medium
+
+  * systemd: disable avahi-daemon and dnf-makecache
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Thu, 16 Apr 2015 15:55:55 +0200
+
+qubes-core-agent (2.1.58) wheezy; urgency=medium
+
+  [ Matt McCutchen ]
+  * Make qvm-run bidirectional and document its limitations.
+  * Switch to preset file for systemd units to disable.
+
+  [ Marek Marczykowski-Górecki ]
+  * Fix resizing of /rw partition (private.img)
+  * debian: install qubes-download-dom0-updates.sh
+  * debian: update NetworkManager configuration
+  * debian: fix handling SysV units in disableSystemdUnits
+
+  [ Wojtek Porczyk ]
+  * sudoers: do not require TTY
+
+  [ Marek Marczykowski-Górecki ]
+  * Do not load xen-usbfront automatically
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Thu, 16 Apr 2015 03:40:01 +0200
+
+qubes-core-agent (2.1.57) wheezy; urgency=medium
+
+  * qrexec: expand tabs, no functional change
+  * qrexec: add simple stdio handling in qrexec-client-vm without a
+    child process
+  * qrexec: move qrexec-client-vm to /usr/bin
+  * rpm: add missing BuildRequires: libX11-devel
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Sat, 04 Apr 2015 18:57:40 +0200
+
+qubes-core-agent (2.1.56) wheezy; urgency=medium
+
+  [ Marek Marczykowski-Górecki ]
+  * network: fix handling newline in firewall rules
+  * updates-proxy: allow xz compressed metadata (fc21)
+  * backup: fix qubes.Restore service - do not send garbage as backup
+    data
+  * Fix "backup: fix qubes.Restore service - do not send garbage as
+    backup data"
+
+  [ Jason Mehring ]
+  * Switched qvm-move-to-vm.{gnome,kde} scripts to use bash not sh
+  * Removed nautilus-actions depend and replaced with nautilus-python
+  * Removed code that deleted original nautilus actions
+
+  [ Marek Marczykowski-Górecki ]
+  * fc21: fix DispVM preparation - Xorg has new name
+  * dispvm: kill all process after populating caches
+  * dispvm: close only visible windows during DispVM preparation
+
+  [ Jason Mehring ]
+  * debian: Remove 'exit 0' in maintainer section scripts to all other
+    debhelpers (if any) to also execute
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Thu, 05 Mar 2015 03:40:08 +0100
+
+qubes-core-agent (2.1.55) jessie; urgency=medium
+
+  * debian: change systemctl set-default back to manual symlink
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Tue, 10 Feb 2015 17:17:29 +0100
+
+qubes-core-agent (2.1.54) jessie; urgency=medium
+
+  [ Marek Marczykowski-Górecki ]
+  * rpm: add missing R: pygobject3-base
+
+  [ HW42 ]
+  * debian: fix for QSB #014 requires up to date qubes-utils
+  * debian: postinst: use systemctl mask
+  * debian: postinst: use dpkg-divert
+  * debian: don't generate regular conf files in postinst
+  * debian: postinst: don't remove /etc/udev/rules.d/*
+  * debian: postinst: don't create /rw - it is already part of the
+    package
+  * debian: postinst: use systemctl to set default target
+  * debian: postinst: remove fedora specific code
+  * debian: postinst: enable netfilter-persistent service
+  * debian: postinst: cleanup
+  * debian: postinst: don't start systemd services
+  * debian: postinst: enable haveged only if installed
+  * debian: postinst: remove redundant and misleading trigger output
+  * debian: install fstab as normal config file
+  * debian: preinst: remove modification of /etc/modules
+  * remove 'bashisms' or explicit use bash
+  * debian: preinst: don't force the default shell to bash
+  * debian: prerm: remove obsolete code
+  * debian: preinst: cleanup user creation
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Tue, 10 Feb 2015 14:57:57 +0100
+
+qubes-core-agent (2.1.53) jessie; urgency=medium
+
+  * filecopy: fallback to "open(..., 000)" method when /proc
+    inaccessible
+  * network: support for not setting DNS and/or default gateway (v2)
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Thu, 29 Jan 2015 03:01:19 +0100
+
+qubes-core-agent (2.1.52) jessie; urgency=medium
+
+  [ HW42 ]
+  * don't ignore asprintf() return value
+
+  [ Marek Marczykowski-Górecki ]
+  * network: support for not setting DNS and/or default gateway
+
+  [ Olivier MEDOC ]
+  * archlinux: fix new packaging requirements related to sbin, lib64,
+    run ...
+  * archlinux: align with fedora changes related to imsettings
+
+  [ Marek Marczykowski-Górecki ]
+  * fedora: reduce code duplication in systemd triggers
+  * fedora: reload systemd only once
+  * systemd: allow to start cron daemon (#909)
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Tue, 27 Jan 2015 01:07:52 +0100
+
+qubes-core-agent (2.1.51) jessie; urgency=medium
+
+  * fedora: Fix iptables config installation one more time
+  * version 2.1.49.1
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Wed, 21 Jan 2015 06:39:11 +0100
+
+qubes-core-agent (2.1.50) jessie; urgency=medium
+
+  * filecopy: prevent files/dirs movement outside incoming directory
+    during transfer
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Sun, 18 Jan 2015 18:07:07 +0100
+
+qubes-core-agent (2.1.49) jessie; urgency=medium
+
+  * fedora: Fix iptables config install script
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Thu, 15 Jan 2015 03:50:13 +0100
+
+qubes-core-agent (2.1.48) jessie; urgency=medium
+
+  [ Jason Mehring ]
+  * fc21: iptables configurations conflict with fc21 yum package manager
+  * fc21:  Remove left-over code comment
+
+  [ Marek Marczykowski-Górecki ]
+  * fedora: Add security-testing repo definition
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Mon, 12 Jan 2015 21:12:36 +0100
+
+qubes-core-agent (2.1.47) jessie; urgency=medium
+
+  * network: set uplink configuration based on MAC (NetworkManager)
+  * network: fix NM config preparation
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Mon, 22 Dec 2014 00:05:24 +0100
+
+qubes-core-agent (2.1.46) jessie; urgency=medium
+
+  [ Marek Marczykowski-Górecki ]
+  * debian: add missing python-gi to dependencies
+  * debian: remove obsolete code from postinst script
+  * debian: fix service name in postinst script
+  * Update update-proxy rules for debian security fixes repo
+
+  [ HW42 ]
+  * debian: move not strictly required packages to Recommends-Section.
+  * debian: remove unneeded acpid dependency
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Tue, 16 Dec 2014 00:54:47 +0100
+
+qubes-core-agent (2.1.45) jessie; urgency=medium
+
+  * debian: fix generation of apt sources list file
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Mon, 01 Dec 2014 22:32:29 +0100
+
+qubes-core-agent (2.1.44) jessie; urgency=medium
+
+  [ Jason Mehring ]
+  * Allow hyphenated distro names in tinyproxy filter
+  * Change condition test to compare to a link "-L"
+  * debian: add xen-utils-common as a dependancy to allow Debian proxies
+  * debian: Added maintainers scripts (pre / postinit + rm) - Currently
+    in debug mode
+  * debian: preinst needs a group and force no password entry on adduser
+  * debian: Added less restrictive filter option for debian packages
+    Sites like sourceforge append ?downloadxxx to end
+  * debian: added new depends
+  * debian: force shell to be bash since its default is dash and many
+    qubes scripts rely on bash and will break in dash and added
+    tinyproxy user
+
+  [ HW42 ]
+  * move fedora specific stuff to install-rh target
+  * don't track debina/files (since it is autogenerated)
+  * use systemd in debian
+  * install iptables/forwarding for debian
+  * various patches for debian
+  * improve update of /etc/hosts
+  * make source.list multiarch compatible
+  * add xserver-xorg-video-dummy to the dependencies list of qubes-core-
+    agent
+  * dispvm-presun.sh needs bash
+  * use sleep instead os usleep since it is more portable
+  * debian: chown /home_volatile/user in posinst
+  * fix xenstore-read path in network-proxy-setup.sh for debian
+  * debian: add dependency on xen-utils since it's needed for
+    proxy/netvm
+  * debian: add support for qubes appmenus
+
+  [ Marek Marczykowski-Górecki ]
+  * debian: fix initialization of /etc/hosts
+
+  [ Jason Mehring ]
+  * debian: set -e added in place of set -x
+  * debian: Made debian proxy filter rules more restrictive
+  * debian: Cleanup
+  * debian: Prepend package name to maintainers scripts
+  * debian: Add qubes-update-check for Debian
+  * debian: Revert back to original NetworkManager, ModemManager service
+    names
+  * debian: apt-get needs to update first
+  * debian: Remove absolute path to xenstore-*
+  * debian:  Added more dependancies
+  * debian: Added postrm disable of other Qubes packages
+  * debian: Added all other outstanding triggers contained in rpm_spec
+    as well as triggers if other packages get installed at a later date
+    the configurations will run on them
+  * debian: removed commented out depends
+  * debian: Added more error reporting to track down any missing
+    dependancies
+  * debian:  More depends for debian as netvm and some configuration
+    tweaks.
+
+  [ Marek Marczykowski-Górecki ]
+  * network: do not use ifcfg-rh NM plugin
+  * network: fix NM uplink config permissions
+
+  [ Jason Mehring ]
+  * debian: Add new notification agent depends; remove other
+  * debian: Added functionality to move desktop entry config files to
+    /usr/share/qubes/xdg/autostart to preserve originals
+  * debian:  Wrong variable name was used to create
+    /usr/share/qubes/xdg/autostart
+
+  [ Marek Marczykowski-Górecki ]
+  * Fix compile flags order (-lX11 moved to the end)
+
+  [ Jason Mehring ]
+  * debian: Updated tinyproxy filter rules
+  * debian: Don't display systemd info in chroot since systemd show does
+    not work in chroot
+
+  [ Marek Marczykowski-Górecki ]
+  * network: fix indentation
+  * Fix disabling nm-applet when NM is disabled
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Mon, 01 Dec 2014 03:57:41 +0100
+
+qubes-core-agent (2.1.43) jessie; urgency=medium
+
+  * Improve handling of .desktop files
+  * suspend: do not disable network frontend devices
+  * Handle tabs in /etc/hosts
+  * Reenable imsettings service
+
+ -- Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>  Tue, 18 Nov 2014 17:28:29 +0100
+
 qubes-core-agent (2.1.42) jessie; urgency=medium
 
   * firewall: show error message only on actual error

debian/control

@@ -2,14 +2,58 @@ Source: qubes-core-agent
 Section: admin
 Priority: extra
 Maintainer: Davíð Steinn Geirsson <david@dsg.is>
-Build-Depends: qubes-utils, libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5)
+Build-Depends: qubes-utils (>= 2.0.17), libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5), lsb-release, xserver-xorg-dev
 Standards-Version: 3.9.3
 Homepage: http://www.qubes-os.org
 Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git
 
 Package: qubes-core-agent
 Architecture: any
-Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, xdg-user-dirs, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), network-manager-gnome, haveged, iptables, net-tools, nautilus-actions, initscripts, imagemagick, fakeroot, libnotify-bin, notify-osd, systemd, gnome-terminal, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, acpid, ${shlibs:Depends}, ${misc:Depends}
+Depends:
+    dmsetup,
+    ethtool,
+    fakeroot,
+    gawk,
+    imagemagick,
+    init-system-helpers,
+    initscripts,
+    iptables,
+    iptables-persistent,
+    libvchan-xen,
+    locales,
+    ncurses-term,
+    net-tools,
+    psmisc,
+    python2.7,
+    python-gi,
+    qubes-utils (>= 2.0.17),
+    python-dbus,
+    sudo,
+    systemd,
+    x11-xserver-utils,
+    xdg-user-dirs,
+    xen-utils-common,
+    xenstore-utils,
+    xinit,
+    xserver-xorg-core,
+    xserver-xorg-video-dummy,
+    ${shlibs:Depends},
+    ${misc:Depends}
+Recommends:
+    gnome-packagekit,
+    gnome-terminal,
+    gnome-themes-standard,
+    haveged,
+    libnotify-bin,
+    network-manager (>= 0.8.1-1),
+    network-manager-gnome,
+    notify-osd,
+    ntpdate,
+    python-nautilus,
+    tinyproxy,
+    xsettingsd,
+    yum,
+    yum-utils
 Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit
 Description: Qubes core agent
  This package includes various daemons necessary for qubes domU support,

debian/qubes-core-agent.dirs

@@ -0,0 +1,3 @@
+var/lib/qubes
+lib/modules
+etc/qubes/protected-files.d

debian/qubes-core-agent.postinst

@@ -105,88 +105,47 @@ showIn() {
     fi
 }
 
-setArrayAsGlobal() {
+changeSystemdStatus() {
-    local array="$1"
-    local export_as="$2"
-    local code=$(declare -p "$array")
-    local replaced="${code/$array/$export_as}"
-    eval ${replaced/declare -/declare -g}
-}
-
-systemdInfo() {
     unit=${1}
-    return_global_var=${2}
+    disable=${2-0}
     
-    declare -A INFO=()
+    # Check if unit file is currently active (running)
-    while read line; do
+    systemctl is-active ${unit} > /dev/null 2>&1 && active=true || unset active
-        INFO[${line%%=*}]="${line##*=}"
-    done < <(systemctl show ${unit} 2> /dev/null)
 
-    setArrayAsGlobal INFO $return_global_var
+    case ${disable} in
-    return ${#INFO[@]}
+        0)
-}
+            systemctl --quiet enable ${unit} > /dev/null 2>&1 || true
+            ;;
+        1)  
+            if [ $active ]; then
+                systemctl --quiet stop ${unit} > /dev/null 2>&1 || true
+            fi  
 
-displayFailedStatus() {
-    action=${1}
-    unit=${2}
-
-    # Only display if there are results.  In chroot environmnet there will be 
-    # no results to 'systemctl show' command
-    systemdInfo ${unit} info || {
-        echo
-        echo "==================================================="
-        echo "FAILED: systemd ${action} ${unit}"
-        echo "==================================================="
-        echo "    LoadState = ${info[LoadState]}"
-        echo "    LoadError = ${info[LoadError]}"
-        echo "  ActiveState = ${info[ActiveState]}"
-        echo "     SubState = ${info[SubState]}"
-        echo "UnitFileState = ${info[UnitFileState]}"
-        echo
-    }
-}
-
-# Disable systemd units
-disableSystemdUnits() {
-    for unit in $*; do
-        systemctl is-enabled ${unit} > /dev/null 2>&1 && {
-            echo "Disabling ${unit}..."
-            systemctl is-active ${unit} > /dev/null 2>&1 && {
-                systemctl stop ${unit} > /dev/null 2>&1 || displayFailedStatus stop ${unit}
-            }
             if [ -f /lib/systemd/system/${unit} ]; then
                 if fgrep -q '[Install]' /lib/systemd/system/${unit}; then
-                    systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
+                    systemctl --quiet disable ${unit} > /dev/null 2>&1 || true
                 else
                     # Forcibly disable
-                    echo "Forcibly disabling: ${unit}"
                     ln -sf /dev/null /etc/systemd/system/${unit}
                 fi
             else
-                    systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
+                systemctl --quiet disable ${unit} > /dev/null 2>&1 || true
             fi
-        } || {
+            ;;
-            echo "It appears ${unit} is already disabled!"
+    esac
-            #displayFailedStatus is-disabled ${unit}
-        }
-    done
 }
 
 # Enable systemd units
 enableSystemdUnits() {
     for unit in $*; do
-        systemctl is-enabled ${unit} > /dev/null 2>&1 && {
+        changeSystemdStatus ${unit} 0 || true
-            echo "It appears ${unit} is already enabled!"
+    done
-            #displayFailedStatus is-enabled ${unit}
+}
-        } || {
+
-            echo "Enabling: ${unit}..."
+# Disable systemd units
-            systemctl enable ${unit} > /dev/null 2>&1 && {
+disableSystemdUnits() {
-                systemctl start ${unit} > /dev/null 2>&1 || displayFailedStatus start ${unit}
+    for unit in $*; do
-            } || {
+        changeSystemdStatus ${unit} 1 || true
-                echo "Could not enable: ${unit}"
-                displayFailedStatus enable ${unit}
-            }
-        }
     done
 }
 
@@ -209,22 +168,11 @@ case "${1}" in
                     splash-manager \
                     start-ttys \
                     tty ; do
-            if [ -e /etc/init/${init}.conf ]; then
+            dpkg-divert --divert /etc/init/${init}.conf.qubes-disabled --package qubes-core-agent --rename --add /etc/init/${init}.conf
-                mv -f /etc/init/${init}.conf /etc/init/${init}.conf.disabled
-            fi
         done
 
-        # Stops Qt form using the MIT-SHM X11 Shared Memory Extension
+        # Disable sysv init network-manager
-        echo 'export QT_X11_NO_MITSHM=1' > /etc/profile.d/qt_x11_no_mitshm.sh
+        disableSystemdUnits network-manager
-        chmod 0755 /etc/profile.d/qt_x11_no_mitshm.sh
-
-        # Sudo's defualt umask is 077 so set sane default of 022
-        # Also don't allow QT to used shared memory to prevent errors
-        echo 'Defaults umask = 0002' > /etc/sudoers.d/umask
-        echo 'Defaults umask_override' >> /etc/sudoers.d/umask
-        chmod 0440 /etc/sudoers.d/umask
-        echo 'Defaults env_keep += "QT_X11_NO_MITSHM"' > /etc/sudoers.d/qt_x11_no_mitshm
-        chmod 0440 /etc/sudoers.d/qt_x11_no_mitshm
 
         # Create NetworkManager configuration if we do not have it
         if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
@@ -232,10 +180,15 @@ case "${1}" in
             echo 'plugins = keyfile' >> /etc/NetworkManager/NetworkManager.conf
             echo '[keyfile]' >> /etc/NetworkManager/NetworkManager.conf
         fi
+        /usr/lib/qubes/qubes-fix-nm-conf.sh
 
-        # XXX: Test to see if this will satisify dispatcher dependancy
+        # make sure locale is really generated
-        if [ ! -e  "/lib/systemd/system/org.freedesktop.nm_dispatcher.service" ]; then
+        current_locale=`grep 'LANG\|LC_ALL' /etc/default/locale|head -n 1|cut -f 2 -d =`
-            ln -s org.freedesktop.nm_dispatcher.service NetworkManager-dispatcher.service
+        if [ -n "$current_locale" ] && ! locale -a | grep -q "$current_locale"; then
+            base=`echo "$current_locale" | cut -f 1 -d .`
+            charmap=`echo "$current_locale.UTF-8" | cut -f 2 -d .`
+            [ -n "$charmap" ] && charmap="-f $charmap"
+            localedef -i $base $charmap $current_locale
         fi
 
         # Remove old firmware updates link
@@ -243,70 +196,31 @@ case "${1}" in
             rm -f /lib/firmware/updates
         fi
 
-        #if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then
+        # Location of files which contains list of protected files
-        #  echo >> /etc/yum.conf
+        PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
-        #  echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
-        #  echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
-        #fi
-
-        # Revert 'Prevent unnecessary updates in VMs':
-        #sed -i -e '/^exclude = kernel/d' /etc/yum.conf
 
         # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
         # in the form expected by qubes-sysinit.sh
+        if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
             for ip in '127\.0\.1\.1' '::1'; do
                 if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
-                sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+                    sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
-                sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
+                    sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts || true
                 else
-                echo "${ip//\\/} `hostname`" >> /etc/hosts
+                    echo "${ip//\\/} `hostname`" >> /etc/hosts || true
                 fi
             done
+        fi
+
         # remove hostname from 127.0.0.1 line (in debian the hostname is by default
         # resolved to 127.0.1.1)
-        sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+        if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+            sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
+        fi
 
         chown user:user /home_volatile/user
 
-        #if [ "${1}" !=  1 ] ; then
+        dpkg-divert --divert /etc/init/serial.conf.qubes-orig --package qubes-core-agent --rename --add /etc/init/serial.conf
-        #    # do the rest of %post thing only when updating for the first time...
-        #    exit 0
-        #fi
-
-        if [ -e /etc/init/serial.conf ] && ! [ -f /var/lib/qubes/serial.orig ] ; then
-            cp /etc/init/serial.conf /var/lib/qubes/serial.orig
-        fi
-
-        # Remove most of the udev scripts to speed up the VM boot time
-        # Just leave the xen* scripts, that are needed if this VM was
-        # ever used as a net backend (e.g. as a VPN domain in the future)
-        #echo "--> Removing unnecessary udev scripts..."
-        mkdir -p /var/lib/qubes/removed-udev-scripts
-        for f in /etc/udev/rules.d/*
-        do
-            if [ $(basename ${f}) == "xen-backend.rules" ] ; then
-                continue
-            fi
-
-            if [ $(basename ${f}) == "50-qubes-misc.rules" ] ; then
-                continue
-            fi
-
-            if echo ${f} | grep -q qubes; then
-                continue
-            fi
-
-            mv ${f} /var/lib/qubes/removed-udev-scripts/
-        done
-
-        # Create /rw directory
-        mkdir -p /rw
-
-        # XXX: TODO: Needs to be implemented still
-        #rm -f /etc/mtab
-        #echo "--> Removing HWADDR setting from /etc/sysconfig/network-scripts/ifcfg-eth0"
-        #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
-        #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0
 
         # Enable Qubes systemd units
         enableSystemdUnits \
@@ -316,7 +230,7 @@ case "${1}" in
             qubes-network.service \
             qubes-firewall.service \
             qubes-updates-proxy.service \
-            qubes-updates-proxy.timer \
+            qubes-update-check.timer \
             qubes-qrexec-agent.service
 
         # Set default "runlevel"
@@ -365,13 +279,12 @@ case "${1}" in
 
         # Enable other systemd units
         enableSystemdUnits \
-            rsyslog.service
+            rsyslog.service \
+            netfilter-persistent.service
 
         # XXX: TODO: Needs to be implemented still
         # These do not exist on debian; maybe a different package name
-        #    iptables.service \
         #    ntpd.service \
-        #    ip6tables.service \
         ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
@@ -402,14 +315,12 @@ case "${1}" in
 
                 # Enable cups only when it is real Systemd service
                 /lib/systemd/system/cups.service)
-                    echo "Enabling cups"
                     [ -e /lib/systemd/system/cups.service ] && enableSystemdUnits cups.service
                     ;;
 
                 # "Enable haveged service"
                 /lib/systemd/system/haveged.service)
-                    echo "Enabling haveged service"
+                    [ -e /lib/systemd/system/haveged.service ] && enableSystemdUnits haveged.service
-                    enableSystemdUnits haveged.service
                     ;;
 
                 # Install overridden serial.conf init script 
@@ -485,7 +396,6 @@ case "${1}" in
                     ;;
             esac
         done
-        exit 0
         ;;
 
     *)

debian/qubes-core-agent.postrm

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # postrm script for core-agent-linux
 #
 # see: dh_installdeb(1)
@@ -37,7 +37,7 @@ set -e
 # the debian-policy package
 
 if [ "${1}" = "remove" ] ; then
-    /usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas &> /dev/null || :
+    /usr/bin/glib-compile-schemas /usr/share/glib-2.0/schemas > /dev/null 2>&1 || :
 
     if [ -L /lib/firmware/updates ]; then
         rm /lib/firmware/updates

debian/qubes-core-agent.preinst

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # preinst script for core-agent-linux
 #
 # see: dh_installdeb(1)
@@ -41,65 +41,26 @@ if [ "$1" = "install" ] ; then
     mkdir -p /lib/modules
     #mkdir -p -m 0700 /var/log/xen  # xen-utils-common should do this
 
-    if [ -e /etc/fstab ] ; then 
-        mv /etc/fstab /var/lib/qubes/fstab.orig
-    fi
-
-    # --------------------------------------------------------------------------
-    # Many Qubes scripts reference /bin/sh expecting the shell to be bash but
-    # in Debian it is dash so some scripts will fail so force an alternate for
-    # /bin/sh to be /bin/bash
-    # --------------------------------------------------------------------------
-    update-alternatives --force --install /bin/sh sh /bin/bash 999
-
-    # --------------------------------------------------------------------------
-    # Modules setup
-    # --------------------------------------------------------------------------
-    echo "xen_netfront" >> /etc/modules
-
     # --------------------------------------------------------------------------
     # Remove `mesg` from root/.profile?
     # --------------------------------------------------------------------------
     sed -i -e '/^mesg n/d' /root/.profile
 
-    # --------------------------------------------------------------------------
-    # Update /etc/fstab
-    # --------------------------------------------------------------------------
-    cat > /etc/fstab <<EOF
-/dev/mapper/dmroot /         ext4 defaults,noatime 1 1
-/dev/xvdc1 swap              swap    defaults 0 0
-
-/dev/xvdb /rw                ext4    noauto,defaults,discard 1 2
-/rw/home /home               none    noauto,bind,defaults 0 0
-
-tmpfs /dev/shm               tmpfs   defaults 0 0
-devpts /dev/pts              devpts  gid=5,mode=620 0 0
-proc /proc                   proc    defaults 0 0
-sysfs /sys                   sysfs   defaults 0 0
-xen /proc/xen                xenfs   defaults 0 0
-
-/dev/xvdi /mnt/removable     auto    noauto,user,rw 0 0
-/dev/xvdd /lib/modules       ext3    defaults 0 0
-EOF
-
     # --------------------------------------------------------------------------
     # User add / modifications
     # --------------------------------------------------------------------------
-    id -u 'user' || {
+    id -u 'user' >/dev/null 2>&1 || {
-        groupadd -f user
+        useradd -U -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
-        useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
     }
-    id -u 'tinyproxy' || {
+    id -u 'tinyproxy' >/dev/null 2>&1 || {
-        groupadd -f tinyproxy
+        useradd -U -r -M --home /run/tinyproxy --shell /bin/false tinyproxy
-        useradd -g tinyproxy -M --home /run/tinyproxy --shell /bin/false tinyproxy
     }
     usermod -p '' root
     usermod -L user
-    exit 0
 fi
 
 if [ "$1" = "upgrade" ] ; then
-    exit 0
+    true 
 fi
 
 # dh_installdeb will replace this with shell code automatically

debian/qubes-core-agent.prerm

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 # prerm script for core-agent-linux
 #
 # see: dh_installdeb(1)
@@ -30,18 +30,15 @@ set -e
 # the debian-policy package
 
 if [ "$1" = "remove" ] ; then
-    # no more packages left
+    for init in plymouth-shutdown \
-    if [ -e /var/lib/qubes/fstab.orig ] ; then
+            prefdm \
-        mv /var/lib/qubes/fstab.orig /etc/fstab
+            splash-manager \
-    fi
+            start-ttys \
+            tty ; do
+        dpkg-divert --divert /etc/init/${init}.conf.qubes-disabled --package qubes-core-agent --remove /etc/init/${init}.conf
+    done
 
-    if [ -d /var/lib/qubes/removed-udev-scripts ] ; then
+    dpkg-divert --divert /etc/init/serial.conf.qubes-orig --package qubes-core-agent --remove /etc/init/serial.conf
-        mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/
-    fi
-
-    if [ -e /var/lib/qubes/serial.orig ] ; then
-        mv /var/lib/qubes/serial.orig /etc/init/serial.conf
-    fi
 fi
 
 # dh_installdeb will replace this with shell code automatically

misc/RPM-GPG-KEY-upgrade-qubes-3-primary

@@ -0,0 +1,40 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFRsmtIBEAC7UgrYFrkPpSxjRoT9OmU0JqYmzLBqzRRdHCtakTdN8pRl/yE/
+zQHvmPnrQ57u45KtxY7EYveWC6RtNEw9IVvyQZp6jGQ05ljhwkNKfxKZcGvT4Qd4
+oCcXdKzGOjsw/mW0saklcrBdm7PiEhQvC0Oc66RreNeZ/2INQALVZLv808KLlNHs
+uK9u/mjrT/A3RpzvFYvVnPJPJFjnYyGM8cVysCez4yeH9nymbLLD73pZyKhSU5Uo
+x3LJKMfIUee0N677Lb45iM+iHW+kcHay3i7tev0xkm08V61ym2YwCJxIpMCvryvK
+h1kScMeAOLsHkZpsqoXuSy8GFz1gKiZFCaiuF+ojRSXcN221Exfz/pF47aMd7Sm3
+0hSQk6Om9DESrzDXm85czq7Taw48NL35nCoPUqNfAP+BknSz79KoNkPDGP9+ps34
+S9o401dygAZToQNTJNuJeZwEVEBykRlsoeR/C9CTsSZMufBGBS9805h31FoZ3ePv
+ITTaZidVWxUnRn4mlcYlfUEniyrmtc8IG0SZQZ+AQu0BgDZ/oV2LsS/g+YbN6qjF
+LczBCWPngXUYvmm0syPdGfPQZJCnvwnEpPoRq+bqknLUN/EzEihbILR9gaO0U/XR
+9+EB796N973+v6HsKxKmfJMqkIXa+PhLvfWVs3ZZnM6USTpA0DYHpvcVIwARAQAB
+tB5RdWJlcyBPUyBSZWxlYXNlIDMgU2lnbmluZyBLZXmJAjgEEwECACIFAlRsmtIC
+GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEMsRyh0D+lCCAyUP/jM+dKCC
+WIjTAFzdudJFfznjFjiggI7EdNJYpMd3FP8Gq53qqFH5rvg0fwJjnNGPBpfEjhHM
+TlCNn3M0L6NZbB7PQwUBD332f2QwE4PIcuo1e7c9ySrhdMc0maR5+CcMlJHG6T8Q
+EacL+Xhc91GC2Gi/qMOjE4lo337Y3GLE6WHFRVvqBpI+ovr9LYKP5vQ+InY+uVsP
+LTL7AQVRDZcu4eQdI1HdJ0fYyhx5lJSiPWaM80VBkOgfF6HyGrMcjzWs+9gtYs76
+g6QoEKgu3YuPi1J1JE7d+Un7iYSqrUv3ljSDq2PMlx4vpq+oc1/1qHLyMYpGjmHa
+cQRjPo8bqgZ4vo6BC4Za+SGliLPcN9w0ivjsaGZ2L5PHxJ7kCSJ6SbZUrjWhTZL3
+arWGCFQmYqAY5EkNSWrQePgkCj/5I5YAou39LnREN91KgYDT8bMeED7uQ/fskRns
+Xfbx6ACsU69lLYIqd4HcuhcHWV9lTYtavjLKny71BauLALOve9uHmYX/cweBnt98
+8AWGuIuspvs3kwFJLu5k30m3HUMZPG8lDfN0R9v5eyoNxFc+WNbxHq4fIUXmbGfN
+Jclsn3hzUUS3XBG2G9VDmcf/N82xlwRMDHD78G/+Q3MumQeLtlXirhASQqi3XdXk
+CR5+NjOJZWRYfvk+WbJsshE3sosG2uLHzgs/iQIcBBABAgAGBQJUbJtEAAoJEN36
+Gj42h5SUuVsQAI5QPmqJvnUgUMzoj1gCWW2eJTbxTWs9jALN8JRqPGT4KKe+x5te
+IgYkK056WlxBA73UDcXLQ4dKoqF9J3wMF2O+Ir7C46p+dFS5KTjUj4vaYMgAmshu
+ihZmBChmldQpIYmFvWtdvdanEpaOiblr+AXK1Hd5aJrpBFf5I/EP7iCWeOXc5FzK
+UEZylf8PVmNO3s8uuyWMdGR7cGcukwOONzre9XurO6P8fHfjh+vXeI+5KsJ1Cd2y
+22OWAK0QjtCBLTQ4E6WUM2/FjLU55HB3fdAo4ucd2QgJhf4HuWq6KiLRz74O04o1
+lrqtS3M9GfLmQx/lUF8vIS4jVf8X7/iZY52VCJM5PDoeF0xKTACJ2+emuQfyw0SE
+7AfxCrt35cvXBWAzUN/kLFslQkBI+/FssnUDBYGeU+SkgEfkpuWwRsqfwCITN0I4
+jmwDfa+6PQpMF9lkgF+BanNa8bfroWztmW9dZYp6jyV8/VI5SeG7RYu6TZUeXXoS
+eMIL/d9eIhebLj5syd0BNukZMpI92wnSDWTWxBZFliltOIv6/yC6Bj7UaCyt2JkV
+/xbi+rOiemBS1mPHhV/CAM7sV0TM8xONyVXM4g5eVj0RStFYjc586ZguleNeIfYT
+qDqp/VUKnu6jYNOWS2W/kpenXId22X1TdXcxwm3U3kOc06pygu1fTdDp
+=idYC
+-----END PGP PUBLIC KEY BLOCK-----

misc/RPM-GPG-KEY-upgrade-qubes-3-unstable

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFRuA2sBEACjOSNmDK6g6vpirgy0mRbRORP44eI0R45JN3oSGgsmCD5jJSTo
+RRUE1RknbK26+bjnsKAKwpP67CA3So/5sa4l7i7G4xJdgVZooM3ZTK7ubQCqkMYB
+h4yYTBAtt7vi6olhKvEkCvhzozcUa4/qW/NuIuTCpF0G0kBUWyqqYQzwtWD5QimE
+6NjbxjuKf0P0KtzUvF2SdNYh87kXUj+6+RcA6VxjsLY3gSWnl+786L4yKUekRjB7
+JvD9yMd1V+U/P1MUamJFyn68Aih6dRi17/ZvHKHY0gj6k6acE34Oy6SDmbwuWWeZ
+jMpSACAHHhWJID0wwrig3ZsxV4lGWoND/n+OSmEyWg4J8dB1thZpoBgjL05prBgC
+oygzwyHlyewVqdtdjMJOSSk34pehQ35lPQ9XqASnF1igQaVTKFxUIg1eoaQMZibd
+dSJzEcwuFUeJ1S22lyUdtaC/WdGb5vvHSEDiOA/3Ll0gpaHm2tor08J0s9C6CD2Q
+irF/FwUu52yO/bNtOkXunX5G2Ua+c49o3D6bvc+mfBY4EVKN5k6URW+vy47gJDbH
+4CVcxgBRoFy8SdAogqf/H/4+UOAR5jo5QLzsRq0mRHRbleLHwyH5PQxF9M73UVgL
+J5OohzOoThyiWbIesjyFw9aiC1Dk9l6ugprPTAS6LPNpxNaByNlpbX/eJQARAQAB
+tCdRdWJlcyBPUyBSZWxlYXNlIDMgVW5zdGFibGUgU2lnbmluZyBLZXmJAjgEEwEC
+ACIFAlRuA2sCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJP+RAmjx3Ot
+WFMP/1y98l3kXaIUIXZFjdtCmiZvFZKETP5S/81Rn32PISSs5TklxWbt6B3rNY67
+ovtK10qJXxarLeu0+IR+UM+AV1R/OvT3qtrJuvbbr0vIyy0RONaapoPIdI2eD2FC
+E/7JTv7KibKSE4nI9W9ZdRboJB1MPigffBR7qAC2ReCGtyKVUWRCKh57aQqbSDkZ
+AruTV1gXbFDusuKh1kQ2zVXFMn9KU98Qv0nKewjndNwnfOk7UFdsTkRCEyHr19wx
+KOuoLH4bfCyV8dEfriM5d6ABjmpv0Olp9XFT5YznoxrsXAjO0aUIBiNYYTk5vRLG
+ixBJGRjruDUzCZ8gIObIEwfAJsJ4LsFZ5LI0csF2uNueeogmNm0LfejyrWBlyRfW
+XdM5WP9vAbWectxNfaW84pPkvAEaer2W+x9ddO+FirTPNgU0M55JxcjKve8XsbuK
+iOA80h8eiMuukn2CDENVG9g7hiui9YzcenQKzmZIYYARWPzSKRyRrMFWrhDjOZ+R
+sG2PKzuJVIatGqhzqjD4CmoMPkVDli9p1ADOJLMJu062D53aWjgVi6DFHt5cZmFx
+rvDPiLqy/uuWWSDaDgX36KEenvwzQLjlEdTrN8a3qiBMxeceLWFLQqAknQnmU19/
+HcyP+lX0FzFFm1yIB/aEQpcXsfJcil0Dg6zAeFbXxdQYWlVm
+=7CDU
+-----END PGP PUBLIC KEY BLOCK-----

misc/close-window.c

@@ -15,15 +15,26 @@ int close_window(Display *d, XID window) {
 	return XSendEvent(ev.display, ev.window, True, 0, (XEvent *) & ev);
 }
 
+int is_window_visible(Display *d, XID window) {
+    XWindowAttributes xwa;
+
+    if (!XGetWindowAttributes(d, window, &xwa))
+        return 0;
+    return xwa.map_state == IsViewable;
+}
+
 int main(int argc, char **argv) {
 	int i;
 	Display *d;
+	XID w;
 
 	d = XOpenDisplay(NULL);
 	if (!d)
 		exit(1);
 	for (i=1; i<argc; i++) {
-		close_window(d, strtoul(argv[i], NULL, 0));
+        w = strtoul(argv[i], NULL, 0);
+        if (is_window_visible(d, w))
+                close_window(d, w);
 	}
 	XSync(d, False);
 	XCloseDisplay(d);

misc/dispvm-prerun.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 apps="evince /usr/libexec/evinced soffice firefox"
 
@@ -18,7 +18,7 @@ echo "Sleeping..."
 PREV_IO=0
 while true; do
 	IO=`vmstat -D | awk '/read|write/ {IOs+=$1} END {print IOs}'`
-	if [ $IO -lt $[ $PREV_IO + 50 ] ]; then
+	if [ $IO -lt $(( $PREV_IO + 50 )) ]; then
 		break;
 	fi
 	PREV_IO=$IO
@@ -30,6 +30,7 @@ ps ax > /tmp/dispvm-prerun-proclist.log
 echo "Closing windows..."
 /usr/lib/qubes/close-window `xwininfo -root -children|tail -n +7 |awk '{print $1}'`
 sleep 1
+fuser -vkm /rw
 
 if [ -e /rw/home/user/.qubes-dispvm-customized ]; then
 	cp -af /rw/home/user /home/

misc/nautilus-actions.conf

@@ -1,7 +0,0 @@
-[runtime]
-items-create-root-menu=false
-items-add-about-item=false
-
-[io-provider na-desktop]
-readable=true
-writable=true

misc/profile.d_qt_x11_no_mitshm.sh

@@ -0,0 +1,2 @@
+# Stops Qt form using the MIT-SHM X11 Shared Memory Extension
+export QT_X11_NO_MITSHM=1

misc/qubes-desktop-run

@@ -1,11 +1,7 @@
 #!/usr/bin/python
 
-from gi.repository import Gio
+from qubes.xdg import launch
 import sys
 
-def main(myname, desktop, *files):
+if __name__ == '__main__':
-    launcher = Gio.DesktopAppInfo.new_from_filename(desktop)
+    launch(*sys.argv[1:])
-    launcher.launch(files, None)
-
-if __name__ == "__main__":
-    main(*sys.argv)

misc/qubes-download-dom0-updates.sh

@@ -45,6 +45,12 @@ fi
 mkdir -p $DOM0_UPDATES_DIR/etc
 sed -i '/^reposdir\s*=/d' $DOM0_UPDATES_DIR/etc/yum.conf
 
+if [ -e /etc/debian_version ]; then
+    # Default rpm configuration on Debian uses ~/.rpmdb for rpm database (as
+    # rpm isn't native package manager there)
+    mkdir -p "$DOM0_UPDATES_DIR$HOME"
+    ln -nsf "$DOM0_UPDATES_DIR/var/lib/rpm" "$DOM0_UPDATES_DIR$HOME/.rpmdb"
+fi
 # Rebuild rpm database in case of different rpm version
 rm -f $DOM0_UPDATES_DIR/var/lib/rpm/__*
 rpm --root=$DOM0_UPDATES_DIR --rebuilddb
@@ -62,7 +68,7 @@ else
 fi
 
 if [ -z "$PKGLIST" -a -z "$UPDATES" ]; then
-    # No new updates
+    echo "No new updates available"
     if [ "$GUI" = 1 ]; then
         zenity --info --text="No new updates available"
     fi
@@ -85,17 +91,27 @@ if [ "$PKGS_FROM_CMDLINE" == 1 ]; then
     YUM_ACTION=install
 fi
 
+YUM_COMMAND="fakeroot yum $YUM_ACTION -y --downloadonly --downloaddir=$DOM0_UPDATES_DIR/packages"
+# check for --downloadonly option - if not supported (Debian), fallback to
+# yumdownloader
+if ! yum --help | grep -q downloadonly; then
+    if [ "$YUM_ACTION" = "upgrade" ]; then
+        PKGLIST=$UPDATES
+    fi
+    YUM_COMMAND="yumdownloader --destdir=$DOM0_UPDATES_DIR/packages --resolve"
+fi
+
 mkdir -p "$DOM0_UPDATES_DIR/packages"
 
 set -e
 
 if [ "$GUI" = 1 ]; then
     ( echo "1"
-    fakeroot yum $YUM_ACTION -y --downloadonly --downloaddir="$DOM0_UPDATES_DIR/packages" $OPTS $PKGLIST
+    $YUM_COMMAND $OPTS $PKGLIST
     echo 100 ) | zenity --progress --pulsate --auto-close --auto-kill \
          --text="Downloading updates for Dom0, please wait..." --title="Qubes Dom0 updates"
 else
-    fakeroot yum $YUM_ACTION -y --downloadonly --downloaddir="$DOM0_UPDATES_DIR/packages" $OPTS $PKGLIST
+    $YUM_COMMAND $OPTS $PKGLIST
 fi
 
 if ls $DOM0_UPDATES_DIR/packages/*.rpm > /dev/null 2>&1; then

misc/qubes-r2.repo

@@ -11,6 +11,13 @@ gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-2-primary
 gpgcheck = 1
 enabled=0
 
+[qubes-vm-r2-security-testing]
+name = Qubes OS Repository for VM (updates-testing)
+baseurl = http://yum.qubes-os.org/r2/security-testing/vm/fc$releasever
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-2-primary
+gpgcheck = 1
+enabled=0
+
 [qubes-vm-r2-unstable]
 name = Qubes OS Repository for VM (unstable)
 baseurl = http://yum.qubes-os.org/r2/unstable/vm/fc$releasever

misc/qubes-upgrade.repo

@@ -0,0 +1,20 @@
+[qubes-upgrade-vm-current]
+name = Qubes OS Repository for VM (updates)
+baseurl = http://yum.qubes-os.org/r3.0/current/vm/fc$releasever
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-upgrade-qubes-3-primary
+gpgcheck = 1
+
+[qubes-upgrade-vm-current-testing]
+name = Qubes OS Repository for VM (updates-testing)
+baseurl = http://yum.qubes-os.org/r3.0/current-testing/vm/fc$releasever
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-upgrade-qubes-3-primary
+gpgcheck = 1
+enabled=0
+
+[qubes-upgrade-vm-unstable]
+name = Qubes OS Repository for VM (unstable)
+baseurl = http://yum.qubes-os.org/r3.0/unstable/vm/fc$releasever
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-upgrade-qubes-3-unstable
+gpgcheck = 1
+enabled=0
+

misc/qubes.sudoers

@@ -1,3 +1,4 @@
+Defaults !requiretty
 user ALL=(ALL) NOPASSWD: ALL
 
 # WTF?! Have you lost your mind?!
@@ -44,3 +45,5 @@ user ALL=(ALL) NOPASSWD: ALL
 # be seen by the xinput program...)
 #
 # joanna.
+
+# vim: ft=sudoers

misc/sudoers.d_qt_x11_no_mitshm

@@ -0,0 +1,2 @@
+# Don't allow QT to used shared memory to prevent errors
+Defaults env_keep += "QT_X11_NO_MITSHM"

misc/sudoers.d_umask

@@ -0,0 +1,3 @@
+# Sudo's defualt umask is 077 so set sane default of 022
+Defaults umask = 0002
+Defaults umask_override

misc/xdg.py

@@ -0,0 +1,20 @@
+#!/usr/bin/python
+
+from gi.repository import Gio
+import sys
+import dbus
+
+def launch(desktop, *files):
+    launcher = Gio.DesktopAppInfo.new_from_filename(desktop)
+    if hasattr(launcher, 'get_boolean'):
+        activatable = launcher.get_boolean('DBusActivatable')
+        if activatable:
+            bus = dbus.SessionBus()
+            service_id = launcher.get_id()
+            # cut the .desktop suffix
+            service_id = service_id[:-8]
+            bus.start_service_by_name(service_id)
+    launcher.launch(files, None)
+
+if __name__ == "__main__":
+    launch(*sys.argv[1:])

network/00notify-hook

@@ -0,0 +1 @@
+DPkg::Post-Invoke {"/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'echo 0' || true";};

network/30-qubes-external-ip

@@ -1,8 +1,8 @@
 #!/bin/sh
-if [ x$2 == xup ]; then
+if [ x$2 = xup ]; then
 	INET=$(/sbin/ip addr show dev $1 | /bin/grep inet)
 	xenstore-write qubes-netvm-external-ip "$INET"
 fi
-if [ x$2 == xdown ]; then
+if [ x$2 = xdown ]; then
 	xenstore-write qubes-netvm-external-ip ""
 fi

network/filter-updates

@@ -1,6 +1,6 @@
 # Yum filters
 # -----------------------------------------------------------------------------
-/repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$
+/repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\|\.xz\)\?$
 /repodata/repomd\.xml$
 \.rpm$
 \.drpm$
@@ -14,6 +14,6 @@
 # -----------------------------------------------------------------------------
 \.deb\(\|\/\|\/download\|\?.*\)$
 /dists/[a-z-]*/\(InRelease\|Release\|Release.gpg\)\(\|\|/\|\/download\|\?.*\)$
-/dists/[a-z-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|\.gpg\)\(\|\|/\|\/download\|\?.*\)$
+/dists/[a-z/-]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|\.gpg\)\(\|\|/\|\/download\|\?.*\)$
-/dists/[a-z-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$
+/dists/[a-z/-]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$
-/dists/[a-z-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$
+/dists/[a-z/-]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)\(\|\|/\|\/download\|\?.*\)$

network/iptables-updates-proxy

@@ -3,7 +3,7 @@
 RULE_FILTER="INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
 RULE_NAT="PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
 
-if [ "$1" == "start" ]; then
+if [ "$1" = "start" ]; then
 cat <<__EOF__ | iptables-restore -n
 *filter
 -I $RULE_FILTER

network/qubes-firewall

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 set -e
 
 PIDFILE=/var/run/qubes/qubes-firewall.pid
@@ -7,10 +7,10 @@ XENSTORE_IPTABLES_HEADER=qubes-iptables-header
 XENSTORE_ERROR=qubes-iptables-error
 OLD_RULES=""
 # PIDfile handling
-[[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0
+[ -e "$PIDFILE" ] && kill -s 0 $(cat "$PIDFILE") 2>/dev/null && exit 0
 echo $$ >$PIDFILE
 
-trap 'exit 0' SIGTERM
+trap 'exit 0' TERM
 
 FIRST_TIME=yes
 
@@ -36,11 +36,12 @@ while true; do
 
 	RULES=$(xenstore-read $XENSTORE_IPTABLES_HEADER)
 	IPTABLES_SAVE=$(iptables-save | sed '/^\*filter/,/^COMMIT/d')
-	OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | iptables-restore 2>&1 || true`
+	OUT=$(printf '%s\n%s\n' "$RULES" "$IPTABLES_SAVE" | sed 's/\\n\|\\x0a/\n/g' | iptables-restore 2>&1 || true)
 
 	for i in $(xenstore-list qubes-iptables-domainrules) ; do
 		RULES=$(xenstore-read qubes-iptables-domainrules/"$i")
-		ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true`
+		ERRS=$(printf '%s\n' "$RULES" | sed 's/\\n/\n/g' | /sbin/iptables-restore -n 2>&1 || true)
+		ERRS=$(printf '%s\n' "$RULES" | sed 's/\\n\|\\x0a/\n/g' | /sbin/iptables-restore -n 2>&1 || true)
 		if [ -n "$ERRS" ]; then
 			echo "Failed applying rules for $i: $ERRS" >&2
 			OUT="$OUT$ERRS"
@@ -48,7 +49,7 @@ while true; do
 	done		
 	xenstore-write $XENSTORE_ERROR "$OUT"
 	if [ -n "$OUT" ]; then
-		DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
+		DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($(hostname))" "$OUT" || :
 	fi
 
 	# Check if user didn't define some custom rules to be applied as well...

network/qubes-netwatcher

@@ -1,23 +1,23 @@
-#!/bin/bash
+#!/bin/sh
 set -e
 
 PIDFILE=/var/run/qubes/qubes-netwatcher.pid
 CURR_NETCFG=""
 
 # PIDfile handling
-[[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0
+[ -e "$PIDFILE" ] && kill -s 0 $(cat "$PIDFILE") 2>/dev/null && exit 0
 echo $$ >$PIDFILE
 
-trap 'exit 0' SIGTERM
+trap 'exit 0' TERM
 
 while true; do
 	NET_DOMID=$(xenstore-read qubes-netvm-domid || :)
-	if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then
+	if [ -n "$NET_DOMID" ] && [ $NET_DOMID -gt 0 ]; then
 		UNTRUSTED_NETCFG=$(xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :)
 		# UNTRUSTED_NETCFG is not parsed in any way
 		# thus, no sanitization ready
 		# but be careful when passing it to other shell scripts
-		if [[ "$UNTRUSTED_NETCFG" != "$CURR_NETCFG" ]]; then
+		if [ "$UNTRUSTED_NETCFG" != "$CURR_NETCFG" ]; then
 			/sbin/service qubes-firewall stop
 			/sbin/service qubes-firewall start
 			CURR_NETCFG="$UNTRUSTED_NETCFG"

network/setup-ip

@@ -6,6 +6,15 @@ else
 	XENSTORE_READ="/usr/bin/xenstore-read"
 fi
 
+# Location of files which contains list of protected files
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
+
+# setup-ip is potentially invoked before qubes-sysinit.sh is done, therefore
+# we perform our xenstore reads here instead of relying on qvm-service 
+# files under /var/run/qubes-service/
+disablegw=`$XENSTORE_READ qubes-service/disable-default-route 2> /dev/null`
+disabledns=`$XENSTORE_READ qubes-service/disable-dns-server 2> /dev/null`
+
 ip=`$XENSTORE_READ qubes-ip 2> /dev/null`
 if [ x$ip != x ]; then
     netmask=`$XENSTORE_READ qubes-netmask`
@@ -14,28 +23,27 @@ if [ x$ip != x ]; then
     /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
     /sbin/ifconfig $INTERFACE up
     /sbin/route add -host $gateway dev $INTERFACE
+    if [ "x$disablegw" != "x1" ]; then
         /sbin/route add default gw $gateway
+    fi
     /sbin/ethtool -K $INTERFACE sg off
     /sbin/ethtool -K $INTERFACE tx off
+    if ! grep -rq "^/etc/resolv[.]conf$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+   	    echo > /etc/resolv.conf
+        if [ "x$disabledns" != "x1" ]; then
             echo "nameserver $gateway" > /etc/resolv.conf
             echo "nameserver $secondary_dns" >> /etc/resolv.conf
-	network=$($XENSTORE_READ qubes-netvm-network 2>/dev/null)
+        fi
-	if [ "x$network" != "x" ]; then
-		gateway=$($XENSTORE_READ qubes-netvm-gateway)
-		netmask=$($XENSTORE_READ qubes-netvm-netmask)
-		secondary_dns=$($XENSTORE_READ qubes-netvm-secondary-dns)
-		echo "NS1=$gateway" > /var/run/qubes/qubes-ns
-		echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
-		/usr/lib/qubes/qubes-setup-dnat-to-ns
-		[ -x /rw/config/qubes-ip-change-hook ] && /rw/config/qubes-ip-change-hook
-		# XXX: Backward compatibility
-		[ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook
     fi
     if [ -f /var/run/qubes-service/network-manager ]; then
-        cat > /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE <<__EOF__
+        nm_config=/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
+        cat > $nm_config <<__EOF__
 [802-3-ethernet]
 duplex=full
 
+[ethernet]
+mac-address=`ip l show dev $INTERFACE |grep link|awk '{print $2}'`
+
 [connection]
 id=VM uplink $INTERFACE
 uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef
@@ -46,10 +54,35 @@ method=ignore
 
 [ipv4]
 method=manual
-dns=$gateway;$secondary_dns
-address1=$ip/32,$gateway
 may-fail=false
 __EOF__
-        chmod 600 /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
+        if [ "x$disabledns" != "x1" ]; then
+            echo "dns=$gateway;$secondary_dns" >> $nm_config
+        fi
+        if [ "x$disablegw" != "x1" ]; then
+            echo "address1=$ip/32,$gateway" >> $nm_config
+        else
+            echo "address1=$ip/32" >> $nm_config
+        fi
+        chmod 600 $nm_config
+    fi
+	network=$($XENSTORE_READ qubes-netvm-network 2>/dev/null)
+	if [ "x$network" != "x" ] && [ "x$disabledns" != "x1" ]; then
+		gateway=$($XENSTORE_READ qubes-netvm-gateway)
+		netmask=$($XENSTORE_READ qubes-netvm-netmask)
+		secondary_dns=$($XENSTORE_READ qubes-netvm-secondary-dns)
+		echo "NS1=$gateway" > /var/run/qubes/qubes-ns
+		echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
+		/usr/lib/qubes/qubes-setup-dnat-to-ns
+    fi
+    if [ "x$network" != "x" ]; then
+		[ -x /rw/config/qubes-ip-change-hook ] && /rw/config/qubes-ip-change-hook
+		# XXX: Backward compatibility
+		[ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook
 	fi
 fi
+
+# tinyproxy loads /etc/resolv.conf only on startup, so need a restart after
+# network change
+service qubes-updates-proxy restart --no-block
+exit 0

network/show-hide-nm-applet.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-type nm-applet > /dev/null 2>&1 || exit 0
+which nm-applet > /dev/null 2>&1 || exit 0
 
 # Hide nm-applet when network-manager is disabled
 nm_enabled=false

qrexec/Makefile

@@ -18,8 +18,10 @@ clean:
 install:
 	install -d $(DESTDIR)/etc/qubes-rpc
 	install -d $(DESTDIR)/usr/lib/qubes
+	install -d $(DESTDIR)/usr/bin
 	install qrexec-agent $(DESTDIR)/usr/lib/qubes
-	install qrexec-client-vm $(DESTDIR)/usr/lib/qubes
+	install qrexec-client-vm $(DESTDIR)/usr/bin
-	ln -s qrexec-client-vm $(DESTDIR)/usr/lib/qubes/qrexec_client_vm
+	ln -s ../../bin/qrexec-client-vm $(DESTDIR)/usr/lib/qubes/qrexec-client-vm
+	ln -s ../../bin/qrexec-client-vm $(DESTDIR)/usr/lib/qubes/qrexec_client_vm
 	install qubes-rpc-multiplexer $(DESTDIR)/usr/lib/qubes
 

qrexec/qrexec-client-vm.c

@@ -26,6 +26,7 @@
 #include <unistd.h>
 #include <fcntl.h>
 #include <string.h>
+#include <errno.h>
 #include "qrexec.h"
 int connect_unix_socket()
 {
@@ -57,20 +58,60 @@ char *get_program_name(char *prog)
         return prog;
 }
 
+/* Returns:
+ *  0  - ok
+ *  -1 - EOF, FDs closed
+ *  -2 - error, already reported, break the loop
+ */
+static int handle_fd_data(int src, int dst) {
+    char buf[4096];
+    int buf_len, len, ret;
+
+    ret = read(src, buf, sizeof(buf));
+    if (ret == -1) {
+        perror("read");
+        return -2;
+    }
+    if (ret == 0) {
+        close(src);
+        close(dst);
+        return -1;
+    } else {
+        len = 0;
+        buf_len = ret;
+        while (len < buf_len) {
+            ret = write(dst, buf, ret);
+            if (ret == -1) {
+                if (errno == ECONNRESET || errno == EPIPE) {
+                    close(src);
+                    close(dst);
+                    return -1;
+                } else
+                    return -2;
+            } else
+                len += ret;
+        }
+    }
+    return 0;
+}
+
 int main(int argc, char **argv)
 {
     int trigger_fd;
     struct trigger_connect_params params;
     int local_fd[3], remote_fd[3];
     int i;
+    int exec_local_process = 0;
     char *abs_exec_path;
 
-	if (argc < 4) {
+    if (argc < 3) {
         fprintf(stderr,
-			"usage: %s target_vmname program_ident local_program [local program arguments]\n",
+                "usage: %s target_vmname program_ident [local_program [local program arguments]]\n",
                 argv[0]);
         exit(1);
     }
+    if (argc > 3)
+        exec_local_process = 1;
 
     trigger_fd = open(QREXEC_AGENT_TRIGGER_PATH, O_WRONLY);
     if (trigger_fd < 0) {
@@ -84,6 +125,7 @@ int main(int argc, char **argv)
             perror("read client fd");
             exit(1);
         }
+        if (exec_local_process) {
             if (i != 2 || getenv("PASS_LOCAL_STDERR")) {
                 char *env;
                 if (asprintf(&env, "SAVED_FD_%d=%d", i, dup(i)) < 0) {
@@ -93,6 +135,8 @@ int main(int argc, char **argv)
                 putenv(env);
                 dup2(local_fd[i], i);
                 close(local_fd[i]);
+            } else
+                close(local_fd[i]);
         }
     }
 
@@ -112,9 +156,50 @@ int main(int argc, char **argv)
 
     close(trigger_fd);
 
+    if (exec_local_process) {
         abs_exec_path = strdup(argv[3]);
         argv[3] = get_program_name(argv[3]);
         execv(abs_exec_path, argv + 3);
         perror("execv");
         return 1;
+    } else {
+        fd_set rd_set;
+        int ret, max_fd;
+
+        while (local_fd[0] > 0 || local_fd[1] > 0) {
+            FD_ZERO(&rd_set);
+            max_fd = 0;
+            if (local_fd[1] > 0) {
+                FD_SET(0, &rd_set);
+            }
+            if (local_fd[0] > 0) {
+                FD_SET(local_fd[0], &rd_set);
+                max_fd = local_fd[0];
+            }
+            ret = select(max_fd+1, &rd_set, NULL, NULL, NULL);
+            if (ret == -1) {
+                perror("select");
+                break;
+            }
+            if (FD_ISSET(0, &rd_set)) {
+                switch (handle_fd_data(0, local_fd[1])) {
+                    case -1:
+                        local_fd[1] = -1;
+                        break;
+                    case -2:
+                        exit(1);
+                }
+            }
+            if (FD_ISSET(local_fd[0], &rd_set)) {
+                switch (handle_fd_data(local_fd[0], 1)) {
+                    case -1:
+                        local_fd[0] = -1;
+                        break;
+                    case -2:
+                        exit(1);
+                }
+            }
+        }
+    }
+    return 0;
 }

qubes-rpc/prepare-suspend

@@ -11,7 +11,7 @@ if [ -r /rw/config/suspend-module-blacklist ]; then
     MODULES_BLACKLIST="$MODULES_BLACKLIST `cat /rw/config/suspend-module-blacklist`"
 fi
 
-if [ x"$action" == x"suspend" ]; then
+if [ x"$action" = x"suspend" ]; then
     dbus-send --system --print-reply          \
         --dest=org.freedesktop.NetworkManager \ 
         /org/freedesktop/NetworkManager       \
@@ -19,7 +19,7 @@ if [ x"$action" == x"suspend" ]; then
         service NetworkManager stop
     # Force interfaces down, just in case when NM didn't done it
     for if in `ls /sys/class/net|grep -v "lo\|vif"`; do 
-        if [ "`cat /sys/class/net/$if/device/devtype 2>/dev/null`" == "vif" ]; then
+        if [ "`cat /sys/class/net/$if/device/devtype 2>/dev/null`" = "vif" ]; then
             continue
         fi
         ip l s $if down

qubes-rpc/qfile-unpacker.c

@@ -5,6 +5,9 @@
 #include <stdlib.h>
 #include <pwd.h>
 #include <sys/stat.h>
+#include <sys/mount.h>
+#include <sys/wait.h>
+#include <fcntl.h>
 #include <string.h>
 #include <unistd.h>
 #include <sys/fsuid.h>
@@ -34,8 +37,11 @@ int prepare_creds_return_uid(const char *username)
 int main(int argc __attribute((__unused__)), char ** argv __attribute__((__unused__)))
 {
 	char *incoming_dir;
-	int uid;
+	int uid, ret;
+	pid_t pid;
 	const char *remote_domain;
+	char *procdir_path;
+	int procfs_fd;
 
 	uid = prepare_creds_return_uid("user");
 
@@ -50,9 +56,39 @@ int main(int argc __attribute((__unused__)), char ** argv __attribute__((__unuse
 	mkdir(incoming_dir, 0700);
 	if (chdir(incoming_dir))
 		gui_fatal("Error chdir to %s", incoming_dir); 
-	if (chroot(incoming_dir)) //impossible
+
+	if (mount(".", ".", NULL, MS_BIND | MS_NODEV | MS_NOEXEC | MS_NOSUID, NULL) < 0)
+		gui_fatal("Failed to mount a directory %s", incoming_dir);
+
+	/* parse the input in unprivileged child process, parent will hold root
+	 * access to unmount incoming dir */
+	switch (pid=fork()) {
+		case -1:
+			gui_fatal("Failed to create new process");
+		case 0:
+			if (asprintf(&procdir_path, "/proc/%d/fd", getpid()) < 0) {
+				gui_fatal("Error allocating memory");
+			}
+			procfs_fd = open(procdir_path, O_DIRECTORY | O_RDONLY);
+			if (procfs_fd < 0)
+				perror("Failed to open /proc");
+			else
+				set_procfs_fd(procfs_fd);
+			free(procdir_path);
+
+			if (chroot("."))
 				gui_fatal("Error chroot to %s", incoming_dir);
-	if (setuid(uid) < 0)
+			if (setuid(uid) < 0) {
-		gui_fatal("Error changing permissions to '%s'", "user");
+				/* no kdialog inside chroot */
+				perror("setuid");
+				exit(1);
+			}
 			return do_unpack();
+	}
+	if (waitpid(pid, &ret, 0) < 0) {
+		gui_fatal("Failed to wait for child process");
+	}
+	if (umount2(".", MNT_DETACH) < 0)
+		gui_fatal("Cannot umount incoming directory");
+	return ret;
 }

qubes-rpc/qrun-in-vm

@@ -1,4 +1,45 @@
-#!/bin/sh
+#!/usr/bin/python
-# pass aguments to the remote stdin, shovel back the remote output
+# Send the command to the remote side, and then transfer stdin from local to
-echo "$@"
+# remote and stdout from remote to local.
-exec /bin/cat >&$SAVED_FD_1
+#
+# The tricky part is delimiting the command from the stdin data.  If we were
+# implementing this from scratch, we'd probably use a null byte.  However, we'd
+# like to work with the existing qubes.VMShell service, whose implementation is
+# simply "/bin/bash", so users don't have to maintain duplicate RPC policy.  We
+# take advantage of the fact that when bash is executing commands from a pipe,
+# it reads one character at a time until it gets a newline that ends a command.
+# So the initial qubes.VMShell bash process, which is executing commands from
+# stdin, consumes exactly the line from the "write" below and then either
+# completes the "exec" or exits.  In no event does it touch the stdin data
+# intended for the command.
+
+import os
+import subprocess
+import sys
+
+cmd = ' '.join(sys.argv[1:])
+sys.stdout.write("exec bash -c '%s' || exit 127\n" % cmd.replace("'", "'\\''"))
+sys.stdout.flush()
+
+local_stdin = int(os.environ['SAVED_FD_0'])
+local_stdout = int(os.environ['SAVED_FD_1'])
+stdin_sender = subprocess.Popen(['cat'], stdin=local_stdin)
+stdout_receiver = subprocess.Popen(['cat'], stdout=local_stdout)
+
+# sys.std{in,out}.close() do not close the FDs, but they apparently stop Python
+# from trying to close the FDs again on exit and generating an exception.
+sys.stdin.close()
+sys.stdout.close()
+os.close(0)
+# The really important step, so this process doesn't prevent qrexec-client-vm
+# from seeing EOF on input.
+os.close(1)
+os.close(local_stdin)
+os.close(local_stdout)
+
+stdout_receiver.wait()
+# With the current Qubes RPC implementation, the stdout receiver doesn't get EOF
+# until the remote process has exited.  At that point, we want to finish and not
+# try to send more input.  This is the same behavior ssh appears to have.
+stdin_sender.terminate()
+stdin_sender.wait()

qubes-rpc/qubes.Backup

@@ -9,8 +9,7 @@ if [ -d "$args" ] ; then
 else
   echo "Checking if arguments is matching a command"
   COMMAND=`echo $args | cut -d ' ' -f 1`
-  TYPE=`type -t $COMMAND`
+  if which "$COMMAND"; then
-  if [ "$TYPE" == "file" ] ; then
     echo "Redirecting STDIN to $args"
     # Parsing args to handle quotes correctly
     # Dangerous method if args are uncontrolled

qubes-rpc/qubes.GetAppmenus

@@ -1,2 +1,2 @@
-find /usr/share/applications/ /usr/local/share/applications/ -name '*.desktop' | \
+find /usr/share/applications/ /usr/local/share/applications/ -name '*.desktop' 2>/dev/null | \
          xargs awk '/^\[/ { if (tolower($0) != "\[desktop entry\]") nextfile } /^Exec=/ { print FILENAME ":Exec=qubes-desktop-run " FILENAME; next } /=/ {print FILENAME ":" $0 }' 2> /dev/null

qubes-rpc/qubes.GetImageRGBA

@@ -1,31 +1,31 @@
 set -e
 read filename
 
-if [[ "${filename}" = xdgicon:* ]]; then
+if [ "${filename%%:*}" = xdgicon ]; then
     # get biggest icon from hicolor theme
 
     filename="${filename#*:}.png"
     candidate=
-    for dir in /usr/share/icons/{hicolor/,}; do
+    for dir in /usr/share/icons/hicolor/ /usr/share/icons/; do
         candidate=$(find -L "${dir}" -type f -name "${filename}")
-        if [[ -n "${candidate}" ]]; then
+        if [ -n "${candidate}" ]; then
             candidate=$(echo "${candidate}" | xargs ls --sort=size | head -1)
             break
         fi
     done
 
-    [[ -n "${candidate}" ]]
+    [ -n "${candidate}" ]
     filename="${candidate}"
 
-elif [[ "${filename}" = "-" ]] || [[ "${filename}" = *":-" ]]; then
+elif [ "${filename}" = "-" ] || [ "${filename##*:}" = "-" ]; then
     tmpfile="$(mktemp /tmp/qimg-XXXXXXXX)"
     cat > "${tmpfile}"
-    if [[ "$filename" = *":-" ]]; then
+    if [ "${filename##*:}" = "-" ]; then
         tmpfile="${filename%:*}:${tmpfile}"
     fi
     filename="${tmpfile}"
 
-elif ! [[ -r "${filename}" ]]; then
+elif ! [ -r "${filename}" ]; then
     exit 1
 fi
 
@@ -34,6 +34,6 @@ fi
 identify -format '%w %h\n' "$filename" | sed -e '/^$/d'
 convert -depth 8 "$filename" rgba:-
 
-[[ -n "${tmpfile}" ]] && rm -f ${tmpfile} || true
+[ -n "${tmpfile}" ] && rm -f ${tmpfile} || true
 
 # vim: ft=sh ts=4 sw=4 et

qubes-rpc/qubes.Restore

@@ -11,8 +11,7 @@ if [ -f "$args" ] ; then
 else
   echo "Checking if arguments is matching a command" >&2
   COMMAND=`echo $args | cut -d ' ' -f 1`
-  TYPE=`type -t $COMMAND`
+  if which "$COMMAND" >/dev/null; then
-  if [ "$TYPE" == "file" ] ; then
     tmpdir=`mktemp -d`
     mkfifo $tmpdir/backup-data
     echo "Redirecting $args to STDOUT" >&2

qubes-rpc/qvm-copy-gnome.desktop

@@ -1,9 +0,0 @@
-[Desktop Entry]
-Type=Action
-ToolbarLabel[C]=Copy to other AppVM
-Name[C]=Copy to other AppVM
-Profiles=profile-zero;
-
-[X-Action-Profile profile-zero]
-Exec=/usr/lib/qubes/qvm-copy-to-vm.gnome %F
-Name[C]=Default profile

qubes-rpc/qvm-dvm-gnome.desktop

@@ -1,9 +0,0 @@
-[Desktop Entry]
-Type=Action
-ToolbarLabel[C]=Open in DisposableVM
-Name[C]=Open in DisposableVM
-Profiles=profile-zero;
-
-[X-Action-Profile profile-zero]
-Exec=/usr/bin/qvm-open-in-dvm %f
-Name[C]=Default profile

qubes-rpc/qvm-move-gnome.desktop

@@ -1,9 +0,0 @@
-[Desktop Entry]
-Type=Action
-ToolbarLabel[C]=Move to other AppVM
-Name[C]=Move to other AppVM
-Profiles=profile-zero;
-
-[X-Action-Profile profile-zero]
-Exec=/usr/lib/qubes/qvm-move-to-vm.gnome %F
-Name[C]=Default profile

qubes-rpc/qvm-move-to-vm.gnome

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # The Qubes OS Project, http://www.qubes-os.org
 #

qubes-rpc/qvm-move-to-vm.kde

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # The Qubes OS Project, http://www.qubes-os.org
 #

qubes-rpc/qvm-open-in-dvm

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 #
 # The Qubes OS Project, http://www.qubes-os.org
 #

qubes-rpc/qvm-open-in-vm

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 #
 # The Qubes OS Project, http://www.qubes-os.org
 #

qubes-rpc/qvm-run

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 #
 # The Qubes OS Project, http://www.qubes-os.org
 #
@@ -21,8 +21,18 @@
 #
 
 if [ $# -lt 2 ] ; then 
-	echo "Usage: $0 vmname command arguments"
+	cat <<USAGE
-	echo "  you can use \$dispvm or --dispvm instead of vmname to start new DisposableVM"
+Usage: $0 vmname command arguments
+Executes a command in another VM using the qubes.VMShell RPC service.  The
+arguments are joined with spaces and passed to "bash -c".
+
+Standard input and output are connected to the command.  Unlike qvm-run in Dom0,
+this tool does not propagate standard error or exit codes, nor does it offer
+protection against the remote VM messing with your terminal if standard output
+is your terminal.
+
+You can use \$dispvm or --dispvm instead of vmname to start a new DisposableVM.
+USAGE
 	exit 1
 fi
 VMNAME=$1

qubes-rpc/qvm_copy_nautilus.py

@@ -0,0 +1,36 @@
+import subprocess
+
+from gi.repository import Nautilus, GObject
+
+
+class CopyToAppvmItemExtension(GObject.GObject, Nautilus.MenuProvider):
+    '''Copy file(s) to AppVM.
+
+    Uses the nautilus-python api to previce a context menu with Nautilus which
+    will enable the user to select file(s) to to copy to another AppVM
+    '''
+    def get_file_items(self, window, files):
+        '''Attaches context menu in Nautilus
+        '''
+        if not files:
+            return
+
+        menu_item = Nautilus.MenuItem(name='QubesMenuProvider::CopyToAppvm',
+                                      label='Copy To Other AppVM...',
+                                      tip='',
+                                      icon='')
+
+        menu_item.connect('activate', self.on_menu_item_clicked, files)
+        return menu_item,
+
+    def on_menu_item_clicked(self, menu, files):
+        '''Called when user chooses files though Nautilus context menu.
+        '''
+        for file_obj in files:
+
+            # Check if file still exists
+            if file_obj.is_gone():
+                return
+
+            gio_file = file_obj.get_location()
+            subprocess.call(['/usr/lib/qubes/qvm-copy-to-vm.gnome', gio_file.get_path()])

qubes-rpc/qvm_dvm_nautilus.py

@@ -0,0 +1,43 @@
+import os
+from subprocess import Popen
+
+from gi.repository import Nautilus, GObject
+
+
+class OpenInDvmItemExtension(GObject.GObject, Nautilus.MenuProvider):
+    '''Open File(s) in DisposableVM.
+
+    Uses the nautilus-python api to provide a context menu within Nautilus which
+    will enable the user to select file(s) to to open in a disposableVM
+    '''
+
+    def get_file_items(self, window, files):
+        '''Attaches context menu in Nautilus
+        '''
+        if not files:
+            return
+
+        menu_item = Nautilus.MenuItem(name='QubesMenuProvider::OpenInDvm',
+                                      label='Open In DisposableVM',
+                                      tip='',
+                                      icon='')
+
+        menu_item.connect('activate', self.on_menu_item_clicked, files)
+        return menu_item,
+
+    def on_menu_item_clicked(self, menu, files):
+        '''Called when user chooses files though Nautilus context menu.
+        '''
+        for file_obj in files:
+
+            # Check if file still exists
+            if file_obj.is_gone():
+                return
+
+            gio_file = file_obj.get_location()
+
+            # Use subprocess.DEVNULL in python >= 3.3
+            devnull = open(os.devnull, 'wb')
+
+            # Use Popen instead of subprocess.call to spawn the process
+            Popen(['nohup', '/usr/bin/qvm-open-in-dvm', gio_file.get_path()], stdout=devnull, stderr=devnull)

qubes-rpc/qvm_move_nautilus.py

@@ -0,0 +1,36 @@
+import subprocess
+
+from gi.repository import Nautilus, GObject
+
+
+class MoveToAppvmItemExtension(GObject.GObject, Nautilus.MenuProvider):
+    '''Move file(s) to AppVM.
+
+    Uses the nautilus-python api to provide a context menu within Nautilus which
+    will enable the user to select file(s) to to move to another AppVM
+    '''
+    def get_file_items(self, window, files):
+        '''Attaches context menu in Nautilus
+        '''
+        if not files:
+            return
+
+        menu_item = Nautilus.MenuItem(name='QubesMenuProvider::MoveToAppvm',
+                                      label='Move To Other AppVM...',
+                                      tip='',
+                                      icon='')
+
+        menu_item.connect('activate', self.on_menu_item_clicked, files)
+        return menu_item,
+
+    def on_menu_item_clicked(self, menu, files):
+        '''Called when user chooses files though Nautilus context menu.
+        '''
+        for file_obj in files:
+
+            # Check if file still exists
+            if file_obj.is_gone():
+                return
+
+            gio_file = file_obj.get_location()
+            subprocess.call(['/usr/lib/qubes/qvm-move-to-vm.gnome', gio_file.get_path()])

rpm_spec/core-vm.spec

@@ -45,10 +45,13 @@ Requires:   ethtool
 Requires:   tinyproxy
 Requires:   ntpdate
 Requires:   net-tools
-Requires:   nautilus-actions
+Requires:   nautilus-python
 Requires:   qubes-core-vm-kernel-placeholder
 Requires:   qubes-utils
 Requires:   initscripts
+# for qubes-desktop-run
+Requires:   pygobject3-base
+Requires:   dbus-python
 %if %{fedora} >= 20
 # gpk-update-viewer required by qubes-manager
 Requires:   gnome-packagekit-updater
@@ -64,11 +67,33 @@ Obsoletes:  qubes-core-proxyvm
 Obsoletes:  qubes-upgrade-vm < 2.0
 BuildRequires: xen-devel
 BuildRequires: qubes-utils-devel >= 2.0.5
+BuildRequires: libX11-devel
 
 %define _builddir %(pwd)
 
 %define kde_service_dir /usr/share/kde4/services
 
+%define installOverridenServices() \
+UNITDIR=/lib/systemd/system\
+OVERRIDEDIR=/usr/lib/qubes/init\
+# Install overriden services only when original exists\
+for srv in %*; do\
+    if [ -f $UNITDIR/$srv.service ]; then\
+        cp $OVERRIDEDIR/$srv.service /etc/systemd/system/\
+        /bin/systemctl is-enabled $srv.service >/dev/null && /bin/systemctl --no-reload reenable $srv.service 2>/dev/null\
+    fi\
+    if [ -f $UNITDIR/$srv.socket -a -f $OVERRIDEDIR/$srv.socket ]; then\
+        cp $OVERRIDEDIR/$srv.socket /etc/systemd/system/\
+        /bin/systemctl is-enabled $srv.socket >/dev/null && /bin/systemctl --no-reload reenable $srv.socket 2>/dev/null\
+    fi\
+    if [ -f $UNITDIR/$srv.path -a -f $OVERRIDEDIR/$srv.path ]; then\
+        cp $OVERRIDEDIR/$srv.path /etc/systemd/system/\
+        /bin/systemctl is-enabled $srv.path >/dev/null && /bin/systemctl --no-reload reenable $srv.path 2>/dev/null\
+    fi\
+done\
+/bin/systemctl daemon-reload\
+%{nil}
+
 %description
 The Qubes core files for installation inside a Qubes VM.
 
@@ -113,6 +138,9 @@ for f in ModemManager.service NetworkManager.service \
     cp $RPM_BUILD_ROOT/usr/lib/qubes/init/$f $RPM_BUILD_ROOT/etc/systemd/system/
 done
 
+cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables.qubes
+cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables.qubes
+
 %triggerin -- initscripts
 if [ -e /etc/init/serial.conf ]; then
 	cp /usr/share/qubes/serial.conf /etc/init/serial.conf
@@ -122,6 +150,25 @@ fi
 sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/pulseaudio.desktop
 echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/pulseaudio.desktop
 
+%triggerin -- iptables
+if ! grep -q IPTABLES_DATA /etc/sysconfig/iptables-config; then
+    cat <<EOF >>/etc/sysconfig/iptables-config
+
+### Automatically added by Qubes:
+# Override default rules location on Qubes
+IPTABLES_DATA=/etc/sysconfig/iptables.qubes
+EOF
+fi
+
+if ! grep -q IP6TABLES_DATA /etc/sysconfig/ip6tables-config; then
+    cat <<EOF >>/etc/sysconfig/ip6tables-config
+
+### Automatically added by Qubes:
+# Override default rules location on Qubes
+IP6TABLES_DATA=/etc/sysconfig/ip6tables.qubes
+EOF
+fi
+
 %post
 
 # disable some Upstart services
@@ -202,24 +249,49 @@ fi
 # Revert 'Prevent unnecessary updates in VMs':
 sed -i -e '/^exclude = kernel/d' /etc/yum.conf
 
+# Location of files which contains list of protected files
+mkdir -p /etc/qubes/protected-files.d
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
+
 # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
-if ! grep -q localhost /etc/hosts; then
+if ! grep -rq "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+    if ! grep -q localhost /etc/hosts; then
       cat <<EOF > /etc/hosts
 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
 ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
 EOF
+    fi
 fi
 
+
 # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
 # in the form expected by qubes-sysinit.sh
-for ip in '127\.0\.0\.1' '::1'; do
+if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
+    for ip in '127\.0\.0\.1' '::1'; do
         if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
             sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
             sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
         else
             echo "${ip} `hostname`" >> /etc/hosts
         fi
-done
+    done
+fi
+
+%if %{fedora} >= 20
+# Make sure there is a default locale set so gnome-terminal will start
+if [ ! -e /etc/locale.conf ] || ! grep -q LANG /etc/locale.conf; then
+    touch /etc/locale.conf
+    echo "LANG=en_US.UTF-8" >> /etc/locale.conf
+fi
+# ... and make sure it is really generated
+current_locale=`grep LANG /etc/locale.conf|cut -f 2 -d =`
+if [ -n "$current_locale" ] && ! locale -a | grep -q "$current_locale"; then
+    base=`echo "$current_locale" | cut -f 1 -d .`
+    charmap=`echo "$current_locale.UTF-8" | cut -f 2 -d .`
+    [ -n "$charmap" ] && charmap="-f $charmap"
+    localedef -i $base $charmap $current_locale
+fi
+%endif
 
 if [ "$1" !=  1 ] ; then
 # do the rest of %post thing only when updating for the first time...
@@ -295,6 +367,15 @@ fi
 %posttrans
     /usr/bin/glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :
 
+# Make sure that /etc/sysconfig/ip(|6)tables exists. Otherwise iptales.service
+# would not start (even when configured to use another configuration file.
+if [ ! -e '/etc/sysconfig/iptables' ]; then
+  ln -s iptables.qubes /etc/sysconfig/iptables
+fi
+if [ ! -e '/etc/sysconfig/ip6tables' ]; then
+  ln -s ip6tables.qubes /etc/sysconfig/ip6tables
+fi
+
 %clean
 rm -rf $RPM_BUILD_ROOT
 rm -f %{name}-%{version}
@@ -317,30 +398,31 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 %config(noreplace) /etc/polkit-1/rules.d/00-qubes-allow-all.rules
 %dir /etc/qubes-rpc
-/etc/qubes-rpc/qubes.Filecopy
+%config(noreplace) /etc/qubes-rpc/qubes.Filecopy
-/etc/qubes-rpc/qubes.OpenInVM
+%config(noreplace) /etc/qubes-rpc/qubes.OpenInVM
-/etc/qubes-rpc/qubes.GetAppmenus
+%config(noreplace) /etc/qubes-rpc/qubes.GetAppmenus
-/etc/qubes-rpc/qubes.VMShell
+%config(noreplace) /etc/qubes-rpc/qubes.VMShell
-/etc/qubes-rpc/qubes.SyncNtpClock
+%config(noreplace) /etc/qubes-rpc/qubes.SyncNtpClock
-/etc/qubes-rpc/qubes.SuspendPre
+%config(noreplace) /etc/qubes-rpc/qubes.SuspendPre
-/etc/qubes-rpc/qubes.SuspendPost
+%config(noreplace) /etc/qubes-rpc/qubes.SuspendPost
-/etc/qubes-rpc/qubes.WaitForSession
+%config(noreplace) /etc/qubes-rpc/qubes.WaitForSession
-/etc/qubes-rpc/qubes.DetachPciDevice
+%config(noreplace) /etc/qubes-rpc/qubes.DetachPciDevice
-/etc/qubes-rpc/qubes.Backup
+%config(noreplace) /etc/qubes-rpc/qubes.Backup
-/etc/qubes-rpc/qubes.Restore
+%config(noreplace) /etc/qubes-rpc/qubes.Restore
-/etc/qubes-rpc/qubes.SelectFile
+%config(noreplace) /etc/qubes-rpc/qubes.SelectFile
-/etc/qubes-rpc/qubes.SelectDirectory
+%config(noreplace) /etc/qubes-rpc/qubes.SelectDirectory
-/etc/qubes-rpc/qubes.GetImageRGBA
+%config(noreplace) /etc/qubes-rpc/qubes.GetImageRGBA
-/etc/qubes-rpc/qubes.SetDateTime
+%config(noreplace) /etc/qubes-rpc/qubes.SetDateTime
 %config(noreplace) /etc/sudoers.d/qubes
-%config(noreplace) /etc/sysconfig/iptables
+%config(noreplace) /etc/sysconfig/iptables.qubes
-%config(noreplace) /etc/sysconfig/ip6tables
+%config(noreplace) /etc/sysconfig/ip6tables.qubes
+/usr/lib/qubes/init/iptables
+/usr/lib/qubes/init/ip6tables
 %config(noreplace) /etc/tinyproxy/filter-updates
 %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
 %config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules
 %config(noreplace) /etc/udev/rules.d/99-qubes-network.rules
 /etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
-/etc/xdg/nautilus-actions/nautilus-actions.conf
 /etc/xen/scripts/vif-route-qubes
 %config(noreplace) /etc/yum.conf.d/qubes-proxy.conf
 %config(noreplace) /etc/yum.repos.d/qubes-r2.repo
@@ -356,6 +438,7 @@ rm -f %{name}-%{version}
 /usr/bin/qvm-mru-entry
 /usr/bin/xenstore-watch-qubes
 /usr/bin/qubes-desktop-run
+/usr/bin/qrexec-client-vm
 %dir /usr/lib/qubes
 /usr/lib/qubes/vusb-ctl.py*
 /usr/lib/qubes/dispvm-prerun.sh
@@ -386,14 +469,16 @@ rm -f %{name}-%{version}
 /usr/lib/qubes/iptables-updates-proxy
 /usr/lib/qubes/close-window
 /usr/lib/yum-plugins/yum-qubes-hooks.py*
+/usr/lib64/python2.7/site-packages/qubes/xdg.py*
 /usr/sbin/qubes-firewall
 /usr/sbin/qubes-netwatcher
 /usr/share/qubes/serial.conf
 /usr/share/glib-2.0/schemas/org.gnome.settings-daemon.plugins.updates.gschema.override
 /usr/share/glib-2.0/schemas/org.gnome.nautilus.gschema.override
-/usr/share/file-manager/actions/qvm-copy-gnome.desktop
+/usr/share/nautilus-python/extensions/qvm_copy_nautilus.py*
-/usr/share/file-manager/actions/qvm-move-gnome.desktop
+/usr/share/nautilus-python/extensions/qvm_move_nautilus.py*
-/usr/share/file-manager/actions/qvm-dvm-gnome.desktop
+/usr/share/nautilus-python/extensions/qvm_dvm_nautilus.py*
+
 %dir /usr/share/qubes
 /usr/share/qubes/mime-override/globs
 %dir /home_volatile
@@ -503,6 +588,7 @@ The Qubes core startup configuration for SystemD init.
 /lib/systemd/system/qubes-update-check.timer
 /lib/systemd/system/qubes-updates-proxy.service
 /lib/systemd/system/qubes-qrexec-agent.service
+/lib/systemd/system-preset/75-qubes-vm.preset
 /lib/modules-load.d/qubes-core.conf
 /lib/modules-load.d/qubes-misc.conf
 %dir /usr/lib/qubes/init
@@ -519,6 +605,7 @@ The Qubes core startup configuration for SystemD init.
 /usr/lib/qubes/init/cups.path
 /usr/lib/qubes/init/ntpd.service
 /usr/lib/qubes/init/chronyd.service
+/usr/lib/qubes/init/crond.service
 %ghost %attr(0644,root,root) /etc/systemd/system/ModemManager.service
 %ghost %attr(0644,root,root) /etc/systemd/system/NetworkManager.service
 %ghost %attr(0644,root,root) /etc/systemd/system/NetworkManager-wait-online.service
@@ -529,106 +616,60 @@ The Qubes core startup configuration for SystemD init.
 %post systemd
 
 for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-updates-proxy qubes-qrexec-agent; do
-    /bin/systemctl enable $srv.service 2> /dev/null
+    /bin/systemctl --no-reload enable $srv.service 2> /dev/null
 done
 
-/bin/systemctl enable qubes-update-check.timer 2> /dev/null
+/bin/systemctl --no-reload enable qubes-update-check.timer 2> /dev/null
-
-UNITDIR=/lib/systemd/system
-OVERRIDEDIR=/usr/lib/qubes/init
-
-# Install overriden services only when original exists
-for srv in cups ModemManager NetworkManager NetworkManager-wait-online ntpd chronyd; do
-    if [ -f $UNITDIR/$srv.service ]; then
-        cp $OVERRIDEDIR/$srv.service /etc/systemd/system/
-    fi
-    if [ -f $UNITDIR/$srv.socket -a -f $OVERRIDEDIR/$srv.socket ]; then
-        cp $OVERRIDEDIR/$srv.socket /etc/systemd/system/
-    fi
-    if [ -f $UNITDIR/$srv.path -a -f $OVERRIDEDIR/$srv.path ]; then
-        cp $OVERRIDEDIR/$srv.path /etc/systemd/system/
-    fi
-done
 
 # Set default "runlevel"
 rm -f /etc/systemd/system/default.target
 ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
 
-DISABLE_SERVICES="alsa-store alsa-restore auditd avahi avahi-daemon backuppc cpuspeed crond"
+grep '^[[:space:]]*[^#;]' /lib/systemd/system-preset/75-qubes-vm.preset | while read action unit_name; do
-DISABLE_SERVICES="$DISABLE_SERVICES fedora-autorelabel fedora-autorelabel-mark ipmi hwclock-load hwclock-save"
+    case "$action" in
-DISABLE_SERVICES="$DISABLE_SERVICES mdmonitor multipathd openct rpcbind mcelog fedora-storage-init fedora-storage-init-late"
+    (disable)
-DISABLE_SERVICES="$DISABLE_SERVICES plymouth-start plymouth-read-write plymouth-quit plymouth-quit-wait"
+        if [ -f /lib/systemd/system/$unit_name.service ]; then
-DISABLE_SERVICES="$DISABLE_SERVICES sshd tcsd sm-client sendmail mdmonitor-takeover"
+            if fgrep -q '[Install]' /lib/systemd/system/$unit_name; then
-DISABLE_SERVICES="$DISABLE_SERVICES rngd smartd upower irqbalance colord"
+                /bin/systemctl --no-reload preset $unit_name 2> /dev/null
-for srv in $DISABLE_SERVICES; do
-    if [ -f /lib/systemd/system/$srv.service ]; then
-        if fgrep -q '[Install]' /lib/systemd/system/$srv.service; then
-            /bin/systemctl disable $srv.service 2> /dev/null
             else
                 # forcibly disable
-            ln -sf /dev/null /etc/systemd/system/$srv.service
+                ln -sf /dev/null /etc/systemd/system/$unit_name
             fi
         fi
+        ;;
+    esac
 done
 
 rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
 
 # Enable some services
-/bin/systemctl enable iptables.service 2> /dev/null
+/bin/systemctl --no-reload enable iptables.service 2> /dev/null
-/bin/systemctl enable ip6tables.service 2> /dev/null
+/bin/systemctl --no-reload enable ip6tables.service 2> /dev/null
-/bin/systemctl enable rsyslog.service 2> /dev/null
+/bin/systemctl --no-reload enable rsyslog.service 2> /dev/null
-/bin/systemctl enable ntpd.service 2> /dev/null
+/bin/systemctl --no-reload enable ntpd.service 2> /dev/null
+/bin/systemctl --no-reload enable crond.service 2> /dev/null
 
 # Enable cups only when it is real SystemD service
-[ -e /lib/systemd/system/cups.service ] && /bin/systemctl enable cups.service 2> /dev/null
+[ -e /lib/systemd/system/cups.service ] && /bin/systemctl --no-reload enable cups.service 2> /dev/null
+
+/bin/systemctl daemon-reload
 
 exit 0
 
 %triggerin systemd -- NetworkManager
-UNITDIR=/lib/systemd/system
+%installOverridenServices ModemManager NetworkManager NetworkManager-wait-online
-OVERRIDEDIR=/usr/lib/qubes/init
-# Install overriden services only when original exists
-for srv in ModemManager NetworkManager NetworkManager-wait-online; do
-    if [ -f $UNITDIR/$srv.service ]; then
-        cp $OVERRIDEDIR/$srv.service /etc/systemd/system/
-    fi
-    if [ -f $UNITDIR/$srv.socket -a -f $OVERRIDEDIR/$srv.socket ]; then
-        cp $OVERRIDEDIR/$srv.socket /etc/systemd/system/
-    fi
-    if [ -f $UNITDIR/$srv.path -a -f $OVERRIDEDIR/$srv.path ]; then
-        cp $OVERRIDEDIR/$srv.path /etc/systemd/system/
-    fi
-done
-
-# Disable original service to enable overriden one
-/bin/systemctl disable ModemManager.service 2> /dev/null
-/bin/systemctl disable NetworkManager.service 2> /dev/null
 # Disable D-BUS activation of NetworkManager - in AppVm it causes problems (eg PackageKit timeouts)
 /bin/systemctl mask dbus-org.freedesktop.NetworkManager.service 2> /dev/null
-/bin/systemctl enable ModemManager.service 2> /dev/null
-/bin/systemctl enable NetworkManager.service 2> /dev/null
 # Fix for https://bugzilla.redhat.com/show_bug.cgi?id=974811
 /bin/systemctl enable NetworkManager-dispatcher.service 2> /dev/null
 exit 0
 
 %triggerin systemd -- cups
-UNITDIR=/lib/systemd/system
+%installOverridenServices cups
-OVERRIDEDIR=/usr/lib/qubes/init
+exit 0
-# Install overriden services only when original exists
-for srv in cups; do
-    if [ -f $UNITDIR/$srv.service ]; then
-        cp $OVERRIDEDIR/$srv.service /etc/systemd/system/
-    fi
-    if [ -f $UNITDIR/$srv.socket -a -f $OVERRIDEDIR/$srv.socket ]; then
-        cp $OVERRIDEDIR/$srv.socket /etc/systemd/system/
-    fi
-    if [ -f $UNITDIR/$srv.path -a -f $OVERRIDEDIR/$srv.path ]; then
-        cp $OVERRIDEDIR/$srv.path /etc/systemd/system/
-    fi
-done
 
-# Enable cups only when it is real SystemD service
+%triggerin systemd -- cronie
-[ -e /lib/systemd/system/cups.service ] && /bin/systemctl enable cups.service 2> /dev/null
+%installOverridenServices crond
 exit 0
 
 %triggerin systemd -- haveged

rpm_spec/upgrade-vm.spec

@@ -0,0 +1,28 @@
+Name:		qubes-upgrade-vm
+Version:	2.0
+Release:	1%{?dist}
+Summary:	Qubes upgrade VM package
+
+Group:		Qubes
+Vendor:		Invisible Things Lab
+License:	GPL
+URL:		http://www.qubes-os.org
+
+%define _builddir %(pwd)
+
+%description
+Upgrade package for Qubes VM.
+
+This package contains only minimal file set required to upgrade Qubes VM
+template to next Qubes release.
+
+%install
+mkdir -p $RPM_BUILD_ROOT/etc/pki/rpm-gpg
+install -m 644 misc/RPM-GPG-KEY-upgrade-qubes-* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/
+
+mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
+install -m 644 misc/qubes-upgrade.repo $RPM_BUILD_ROOT/etc/yum.repos.d/
+
+%files
+/etc/yum.repos.d/qubes-upgrade.repo
+/etc/pki/rpm-gpg/RPM-GPG-KEY-upgrade-qubes*

version

@@ -1 +1 @@
-2.1.42
+2.1.68

vm-init.d/qubes-core

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # chkconfig: 345 90 90
 # description: Executes Qubes core scripts at VM boot
@@ -22,6 +22,11 @@ start()
 
 	mkdir -p /var/run/xen-hotplug
 
+	# Location of files which contains list of protected files
+	PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
+
+    # Set the hostname
+    if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then    
     	name=$(/usr/bin/xenstore-read name)
     	if ! [ -f /etc/this-is-dvm ] ; then
     		# we don't want to set hostname for DispVM
@@ -30,13 +35,17 @@ start()
     		hostname $name
     		sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
     	fi
+    fi
 
+    # Set the timezone
+	if ! grep -rq "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
     	timezone=`/usr/bin/xenstore-read qubes-timezone 2> /dev/null`
     	if [ -n "$timezone" ]; then
     		ln -f /usr/share/zoneinfo/$timezone /etc/localtime
     		echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
     		echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
     	fi
+    fi
 
 	yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null || /usr/bin/xenstore-read qubes-service/updates-proxy-setup 2>/dev/null )
     type=$(/usr/bin/xenstore-read qubes-vm-type)
@@ -55,8 +64,8 @@ start()
 	mkdir -p /var/run/qubes
 
 	if [ -e /dev/xvdb ] ; then
-		resize2fs /dev/xvdb 2> /dev/null || echo "'resize2fs /dev/xvdb' failed"
 		mount /rw
+		resize2fs /dev/xvdb 2> /dev/null || echo "'resize2fs /dev/xvdb' failed"
 
         if ! [ -d /rw/home ] ; then
             echo

vm-init.d/qubes-core-appvm

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # chkconfig: 345 85 85
 # description: Executes Qubes core scripts at AppVM boot
@@ -39,7 +39,8 @@ start()
 		sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop
 	else
 		# Disable notification icon
-		sed -i -e '/QUBES/!s/^NotShowIn=.*/\1QUBES;/' /etc/xdg/autostart/print-applet.desktop
+		sed -i -e '/QUBES/!s/^NotShowIn=\(.*\)/NotShowIn=QUBES;\1/' /etc/xdg/autostart/print-applet.desktop
+
 	fi
 
 	echo -n $"Executing Qubes Core scripts for AppVM:"

vm-init.d/qubes-core-netvm

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # chkconfig: 345 90 90
 # description: Executes Qubes core scripts at NetVM boot

vm-init.d/qubes-core.modules

@@ -1,4 +1,3 @@
 modprobe evtchn 2>/dev/null || modprobe xen-evtchn
 modprobe xen-blkback 2> /dev/null || modprobe blkbk
-modprobe xen-usbfront 2> /dev/null
 modprobe u2mfn 2>/dev/null

vm-init.d/qubes-firewall

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # chkconfig: 345 91 91
 # description: Starts Qubes Firewall monitor

vm-init.d/qubes-netwatcher

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # chkconfig: 345 92 92
 # description: Starts Qubes Network monitor

vm-init.d/qubes-qrexec-agent

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # chkconfig: 345 90 90
 # description: Executes Qubes core scripts at VM boot

vm-init.d/qubes-updates-proxy

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # tinyproxy     Startup script for the tinyproxy server as Qubes updates proxy
 #

vm-systemd/75-qubes-vm.preset

@@ -0,0 +1,53 @@
+# Units that should not run by default in Qubes VMs.
+#
+# This file is part of the qubes-core-vm-systemd package.  To ensure that the
+# default configuration is applied to all units in the list regardless of
+# package installation order, including units added to the list by
+# qubes-core-vm-systemd upgrades, all units in the list are preset by a
+# scriptlet every time qubes-core-vm-systemd is installed or upgraded.  That
+# means that to permanently enable a unit with an [Install] section, you must
+# create your own higher-priority preset file.  (It might be possible to be
+# smarter and keep a list of units previously preset, but this is not
+# implemented.)
+#
+# For units below with no [Install] section, the scriptlet masks them instead.
+# Qubes currently does not provide a way to permanently prevent such units from
+# being masked.
+#
+# https://groups.google.com/d/topic/qubes-users/dpM_GHfmEOk/discussion
+
+disable alsa-store.service
+disable alsa-restore.service
+disable auditd.service
+disable avahi.service
+disable avahi-daemon.service
+disable avahi-daemon.socket
+disable backuppc.service
+disable cpuspeed.service
+disable dnf-makecache.timer
+disable fedora-autorelabel.service
+disable fedora-autorelabel-mark.service
+disable ipmi.service
+disable hwclock-load.service
+disable hwclock-save.service
+disable mdmonitor.service
+disable multipathd.service
+disable openct.service
+disable rpcbind.service
+disable mcelog.service
+disable fedora-storage-init.service
+disable fedora-storage-init-late.service
+disable plymouth-start.service
+disable plymouth-read-write.service
+disable plymouth-quit.service
+disable plymouth-quit-wait.service
+disable sshd.service
+disable tcsd.service
+disable sm-client.service
+disable sendmail.service
+disable mdmonitor-takeover.service
+disable rngd.service
+disable smartd.service
+disable upower.service
+disable irqbalance.service
+disable colord.service

vm-systemd/crond.service

@@ -0,0 +1,10 @@
+.include /lib/systemd/system/crond.service
+[Unit]
+ConditionPathExists=/var/run/qubes-service/crond
+# For /rw
+After=qubes-misc-post.service
+
+[Service]
+ExecStartPre=/bin/mkdir --mode=0700 -p /rw/cron
+ExecStartPre=/bin/mount --bind /rw/cron /var/spool/cron
+ExecStopPost=/bin/umount /var/spool/cron

vm-systemd/misc-post.sh

@@ -23,9 +23,9 @@ fi
 INTERFACE=eth0 /usr/lib/qubes/setup-ip
 
 if [ -e /dev/xvdb -a ! -e /etc/this-is-dvm ] ; then
-    resize2fs /dev/xvdb 2> /dev/null || echo "'resize2fs /dev/xvdb' failed"
     tune2fs -m 0 /dev/xvdb
     mount /rw
+    resize2fs /dev/xvdb 2> /dev/null || echo "'resize2fs /dev/xvdb' failed"
 
     if ! [ -d /rw/home ] ; then
         echo
@@ -67,7 +67,7 @@ if [ ! -f /etc/systemd/system/cups.service ]; then
         sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop
     else
         # Disable notification icon
-        sed -i -e '/QUBES/!s/^NotShowIn=.*/\1QUBES;/' /etc/xdg/autostart/print-applet.desktop
+        sed -i -e '/QUBES/!s/^NotShowIn=\(.*\)/NotShowIn=QUBES;\1/' /etc/xdg/autostart/print-applet.desktop
     fi
 fi
 if [ -f /var/run/qubes-service/network-manager ]; then

vm-systemd/prepare-dvm.sh

@@ -9,7 +9,7 @@ possibly_run_save_script()
 	Xorg -config /etc/X11/xorg-preload-apps.conf :0 &
 	while ! [ -S /tmp/.X11-unix/X0 ]; do sleep 0.5; done
 	DISPLAY=:0 su - user -c /tmp/qubes-save-script
-	killall Xorg
+	killall Xorg Xorg.bin
 }
 
 if xenstore-read qubes-save-request 2>/dev/null ; then

vm-systemd/qubes-core.conf

@@ -1,4 +1,3 @@
 xen-evtchn
 xen-blkback
-xen-usbfront
 u2mfn

vm-systemd/qubes-sysinit.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 # List of services enabled by default (in case of absence of xenstore entry)
 DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy"
@@ -12,6 +12,9 @@ XS_READ=/usr/bin/xenstore-read
 XS_LS=/usr/bin/xenstore-ls
 [ -x /usr/sbin/xenstore-ls ] && XS_LS=/usr/sbin/xenstore-ls
 
+# Location of files which contains list of protected files
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
+
 read_service() {
     $XS_READ qubes-service/$1 2> /dev/null
 }
@@ -61,8 +64,9 @@ for srv in `$XS_LS qubes-service 2>/dev/null |grep ' = "0"'|cut -f 1 -d ' '`; do
 done
 
 # Set the hostname
-name=`$XS_READ name`
+if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
-if [ -n "$name" ]; then
+    name=`$XS_READ name`
+    if [ -n "$name" ]; then
         hostname $name
         if [ -e /etc/debian_version ]; then
             ipv4_localhost_re="127\.0\.1\.1"
@@ -71,17 +75,21 @@ if [ -n "$name" ]; then
         fi
         sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
         sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
+    fi
 fi
 
-timezone=`$XS_READ qubes-timezone 2> /dev/null`
+# Set the timezone
-if [ -n "$timezone" ]; then
+if ! grep -rq "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
-    cp -p /usr/share/zoneinfo/$timezone /etc/localtime
+    timezone=`$XS_READ qubes-timezone 2> /dev/null`
+    if [ -n "$timezone" ]; then
+        ln -sf ../usr/share/zoneinfo/$timezone /etc/localtime
         if [ -e /etc/debian_version ]; then
             echo "$timezone" > /etc/timezone
         else
             echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
             echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
         fi
+    fi
 fi
 
 # Prepare environment for other services

vm-systemd/qubes-update-check.service

@@ -4,4 +4,4 @@ ConditionPathExists=/var/run/qubes-service/qubes-update-check
 
 [Service]
 Type=oneshot
-ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'if [ -e /usr/bin/yum ]; then yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0; else apt-get -q update > /dev/null; apt-get -s upgrade | awk "/^Inst/{ print $2 }" | [[ $(wc -L) -eq 0 ]] && echo 0 || echo 1; fi'
+ExecStart=/usr/lib/qubes/qrexec-client-vm dom0 qubes.NotifyUpdates /bin/sh -c 'if [ -e /etc/system-release ]; then yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0; else apt-get -q update > /dev/null; apt-get -s upgrade | awk "/^Inst/{ print $2 }" | [ $(wc -L) -eq 0 ] && echo 0 || echo 1; fi'