Merge remote-tracking branch 'origin/pr/551'

* origin/pr/551:
  bind-dirs: fix permissions on $fso_ro
  bind-dirs: add x-gvfs-hide mount option to bind dirs This allows to hide mountpoints from Thunar sidebar (happens when bind mounting a file or dir in $HOME).
  custom-persist: prevent mount units from starting instead of bind mounting When disabling persistent /home or /usr/local, custom-persist was using a systemd drop-in to override the What= option and set it to the same value as the Where= one. This bind mount is unnecessary and was causing trouble when bind mounting other resources in /home or /usr/local. Instead, a ConditionPathExists= option is added to control whether this mount happens.
  custom-persist: pre-create parents with correct ownership When using custom-persist to pre-create the resource before bind mounting it, we might have to create its parents too. That was done using mkdir --parents that was causing parents to be created with root:root ownership which can leads to errors if, for example, a user wants to bind mount a directory inside its home dir. With this fix, parents are created with the same ownership as the resource.
  bind-dirs: fix /rw/home and /rw/usrlocal initialization from template files
  custom-persist: handle mounts from /rw/home and /rw/usrlocal Custom persist disables /home and /usr/local persistence by default but a user may want to bind mount a file or a directory in one of those locations without mounting the whole directories. For example, we should be able to mount /home/user/.ssh/ but keep the rest of /home/user non-persistent. With this fix, bind dirs detects when an object is located under /home or /usr/local and will look in the associated /rw/home or /rw/usrlocal instead of /rw/bind-dirs. If needed, custom-persist will pre-create the objects in the same location.
  custom-persist: prefer objets pre-creation in /rw This commit changes the files and dirs pre-creation path. Instead of pre-create files and dirs directly on the RO file system and let bind_dirs() function populate /rw/bind-dirs, custom-persist creates objects in /rw/bind-dirs like a regular user would do.
  custom-persist: files and directory auto-creation The support of metadata has been added to the custom-persist feature to allow automatic creation of files and directories declared through this feature. A type (file|dir), user, group and file mode must be specified before the path declaration.
  fix: bind-dirs should create files parent directories if they don't exist
  fix under_systemd function on debian Read command name in /proc
  custom-persist: init.d compatibility if the current VM is not under systemD we need to mount /home and /usr/local explicitly
  custom-persist: user suspend modules blacklist
  custom-persist: do not read user rc.local scripts when the feature is enabled
  custom-persist: disable user firewall rules when custom persist is enabled
  custom-persist: disable /home and /usr/local mounts If not explicitly configured, /rw/home and /rw/usrlocal must not be bind mounted to /home and /usr/local. Instead, the original /home and /usr/local is mounted. SystemD drop-ins are used to override the resource to mount (What= option in unit)
  custom-persist: mount binds configured in qubes-db Config is read from qubes database and every bind directory is mounted excepted /home and /usr/local which need to be handled differently
  custom-persist: systemd mount units for /home and /usr/local and services start dependencies The custom-persist feature should disable /home and /usr/local mounts by default. To do this, we can use SystemD drop-ins which requires to remove fstab entries and convert them to regular SystemD units as drop-ins does not seem to work with units generated by systemd-fstab-generator. Mount command in mount_dirs.sh is not required anymore and need to be deleted as it causes issues. Instead, a we can use SystemD unit options to ensure /home and /usr/local are mounted before loading user bind dirs
  custom-persist: ignore /rw/config bind-dirs if custom-persist enabled When the custom-persist feature is enabled, we no longer need to worry about the bind directories configured in /rw/config/qubes-bind-dirs.d.

Pull request description:

This PR adds a new feature ``custom-persist`` described in QubesOS/qubes-issues#1006

Author: marmarek

Makefile

@@ -166,6 +166,8 @@ install-systemd: install-init
 	install -m 0644 vm-systemd/xendriverdomain.service $(DESTDIR)/etc/systemd/system/
 	install -m 0644 vm-systemd/80-qubes-vif.link $(DESTDIR)$(SYSLIBDIR)/systemd/network/
 	install -m 0644 vm-systemd/30_resolved-no-mdns-or-llmnr.conf $(DESTDIR)$(SYSLIBDIR)/systemd/resolved.conf.d/
+	install -m 0644 vm-systemd/home.mount $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+	install -m 0644 vm-systemd/usr-local.mount $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 
 .PHONY: install-sysvinit
 install-sysvinit: install-init

debian/qubes-core-agent.install

@@ -89,6 +89,7 @@ lib/systemd/system/org.cups.cupsd.service.d/30_qubes.conf
 lib/systemd/system/org.cups.cupsd.socket.d/30_qubes.conf
 lib/systemd/system/polkit.service.d/30_qubes.conf
 lib/systemd/system/dev-xvdc1-swap.service
+lib/systemd/system/qubes-bind-dirs.service
 lib/systemd/system/qubes-early-vm-config.service
 lib/systemd/system/qubes-misc-post.service
 lib/systemd/system/qubes-mount-dirs.service
@@ -114,6 +115,8 @@ lib/systemd/system/systemd-nsresourced.socket.d/30_qubes.conf
 lib/systemd/system/systemd-userdbd.service.d/30_qubes.conf
 lib/systemd/system/systemd-userdbd.socket.d/30_qubes.conf
 lib/systemd/resolved.conf.d/30_resolved-no-mdns-or-llmnr.conf
+lib/systemd/system/home.mount
+lib/systemd/system/usr-local.mount
 usr/lib/sysctl.d/20-qubes-core.conf
 usr/lib/systemd/user/tracker-extract-3.service.d/30_qubes.conf
 usr/lib/systemd/user/tracker-miner-fs-3.service.d/30_qubes.conf

filesystem/fstab

@@ -6,8 +6,6 @@
 
 /dev/mapper/dmroot   /              ext4    defaults,discard,noatime    1 1
 /dev/xvdb            /rw            auto    noauto,defaults,discard,nosuid,nodev    1 2
-/rw/home             /home          none    noauto,bind,defaults,nosuid,nodev        0 0
-/rw/usrlocal         /usr/local     none    noauto,bind,defaults        0 0
 /dev/xvdc1           swap           swap    defaults                    0 0
 tmpfs                /dev/shm       tmpfs   defaults,size=1G            0 0
 devpts               /dev/pts       devpts  gid=5,mode=620              0 0

init/functions

@@ -23,7 +23,9 @@ qsvc() {
 }
 
 under_systemd() {
-    pidof systemd >/dev/null 2>&1
+    local init_command_name
+    read -r init_command_name < /proc/1/comm
+    [ "$init_command_name" = "systemd" ]
 }
 
 systemd_version_changed() {
@@ -57,6 +59,10 @@ is_appvm() {
     [ "$(qubes_vm_type)" = "AppVM" ]
 }
 
+is_custom_persist_enabled() {
+    [ -f "/var/run/qubes-service/custom-persist" ]
+}
+
 is_proxyvm() {
     [ "$(qubes_vm_type)" = "ProxyVM" ]
 }
@@ -246,3 +252,13 @@ initialize_home() {
         for waitpid in $waitpids ; do wait "$waitpid" ; done ; waitpids=
     done
 }
+
+disable_persistent_home() {
+    echo "Disabling persistent /home"
+    touch /var/run/qubes/disable_persistent_home_dir
+}
+
+disable_persistent_usrlocal() {
+    echo "Disabling persistent /usr/local"
+    touch /var/run/qubes/disable_persistent_usrlocal_dir
+}

qubes-rpc/prepare-suspend

@@ -16,7 +16,7 @@ MODULES_BLACKLIST=""
 if [ -r /etc/qubes-suspend-module-blacklist ]; then
     MODULES_BLACKLIST="$MODULES_BLACKLIST $(grep -v '^#' /etc/qubes-suspend-module-blacklist)"
 fi
-if [ -r /rw/config/suspend-module-blacklist ]; then
+if [ -r /rw/config/suspend-module-blacklist ] && ! is_custom_persist_enabled; then
     MODULES_BLACKLIST="$MODULES_BLACKLIST $(grep -v '^#' /rw/config/suspend-module-blacklist)"
 fi
 

qubesagent/firewall.py

@@ -86,10 +86,15 @@ def get_connected_ips(self, family):
             return []
         return ips.decode().split()
 
+    def is_custom_persist_enabled(self) -> bool:
+        """Check if the feature custom-persist is enabled on the current VM"""
+        return os.path.isfile('/var/run/qubes-service/custom-persist')
+
     def run_firewall_dir(self):
         """Run scripts dir contents, before user script"""
-        script_dir_paths = ['/etc/qubes/qubes-firewall.d',
-                            '/rw/config/qubes-firewall.d']
+        script_dir_paths = ['/etc/qubes/qubes-firewall.d']
+        if not self.is_custom_persist_enabled():
+            script_dir_paths.append('/rw/config/qubes-firewall.d')
         for script_dir_path in script_dir_paths:
             if not os.path.isdir(script_dir_path):
                 continue
@@ -328,7 +333,8 @@ def main(self):
         self.terminate_requested = False
         self.init()
         self.run_firewall_dir()
-        self.run_user_script()
+        if not self.is_custom_persist_enabled():
+            self.run_user_script()
         self.sd_notify('READY=1')
         self.qdb.watch('/qubes-firewall/')
         self.qdb.watch('/connected-ips')

rpm_spec/core-agent.spec.in

@@ -1263,6 +1263,8 @@ The Qubes core startup configuration for SystemD init.
 %defattr(-,root,root,-)
 /etc/systemd/system/xendriverdomain.service
 %_unitdir/dev-xvdc1-swap.service
+%_unitdir/home.mount
+%_unitdir/qubes-bind-dirs.service
 %_unitdir/qubes-misc-post.service
 %_unitdir/qubes-mount-dirs.service
 %_unitdir/qubes-rootfs-resize.service
@@ -1274,6 +1276,7 @@ The Qubes core startup configuration for SystemD init.
 %_unitdir/qubes-sync-time.timer
 %_unitdir/[email protected]
 %_unitdir/qubes-updates-proxy-forwarder.socket
+%_unitdir/usr-local.mount
 %{_unitdir}-preset/%qubes_preset_file
 %_modulesloaddir/qubes-core.conf
 %_unitdir/abrtd.service.d/30_qubes.conf

vm-systemd/75-qubes-vm.preset

@@ -96,6 +96,7 @@ enable qubes-network.service
 enable qubes-network-uplink.service
 enable qubes-qrexec-agent.service
 enable qubes-mount-dirs.service
+enable qubes-bind-dirs.service
 enable qubes-rootfs-resize.service
 enable qubes-firewall.service
 enable qubes-meminfo-writer.service

vm-systemd/NetworkManager.service.d/30_qubes.conf

@@ -1,7 +1,7 @@
 [Unit]
 ConditionPathExists=/var/run/qubes-service/network-manager
 # For /rw
-After=qubes-mount-dirs.service
+After=qubes-bind-dirs.service
 # For /var/run/qubes-service
 After=qubes-sysinit.service
 # For configuration of qubes-provided interfaces

vm-systemd/bind-dirs.sh

@@ -29,6 +29,8 @@ shopt -s nullglob dotglob
 # shellcheck source=init/functions
 source /usr/lib/qubes/init/functions
 
+readonly DEFAULT_RW_BIND_DIR="/rw/bind-dirs"
+
 prerequisite() {
    if is_fully_persistent ; then
       echo "No TemplateBasedVM/DisposableVM detected. Exiting."
@@ -37,7 +39,7 @@ prerequisite() {
 }
 
 init() {
-   [ -n "$rw_dest_dir" ] || rw_dest_dir="/rw/bind-dirs"
+   [ -n "$rw_dest_dir" ] || rw_dest_dir="$DEFAULT_RW_BIND_DIR"
    [ -n "$symlink_level_max" ] || symlink_level_max="10"
    mkdir --parents "$rw_dest_dir"
 }
@@ -49,6 +51,21 @@ legacy() {
    true
 }
 
+rw_from_ro() {
+  ro="$1"
+  # special cases for files/dirs in /home or /usr/local
+  if [[ "$ro" =~ ^/home/ ]]; then
+    # use /rw/home for /home/... binds
+    rw="/rw${ro}"
+  elif [[ "$ro" =~ ^/usr/local/ ]]; then
+    # use /rw/usrlocal for /usr/local/... binds
+    rw="/rw/usrlocal/$(echo "$ro" | cut -d/ -f4-)"
+  else
+    [ -z "$rw_dest_dir" ] && rw="${DEFAULT_RW_BIND_DIR}${ro}" || rw="${rw_dest_dir}${ro}"
+  fi
+  echo "$rw"
+}
+
 bind_dirs() {
    ## legend
    ## fso: file system object
@@ -77,7 +94,7 @@ bind_dirs() {
       done
 
       true "fso_ro: $fso_ro"
-      fso_rw="${rw_dest_dir}${fso_ro}"
+      fso_rw="$(rw_from_ro "$fso_ro")"
 
       # Make sure fso_ro is not mounted.
       umount "$fso_ro" 2> /dev/null || true
@@ -90,14 +107,22 @@ bind_dirs() {
       if [ -d "$fso_rw" ] || [ -f "$fso_rw" ]; then
          if [ ! -e "$fso_ro" ]; then
             ## Create empty file or directory if path exists in /rw to allow to bind mount none existing files/dirs.
-            test -d "$fso_rw" && mkdir --parents "$fso_ro"
-            test -f "$fso_rw" && touch "$fso_ro"
+            # shellcheck disable=SC2046
+            test -d "$fso_rw" && mk_parent_dirs "$fso_ro" $(stat --printf "%U %G" "$fso_rw")
+            if [ -f "$fso_rw" ]; then
+              parent_directory="$(dirname "$fso_ro")"
+              # shellcheck disable=SC2046
+              test -d "$parent_directory" || mk_parent_dirs "$parent_directory" $(stat --printf "%U %G" "$fso_rw")
+              touch "$fso_ro"
+            fi
          fi
       else
          if [ -d "$fso_ro" ] || [ -f "$fso_ro" ]; then
             ## Initially copy over data directories to /rw if rw directory does not exist.
-            echo "Initializing $rw_dest_dir with files from $fso_ro" >&2
-            cp --archive --recursive --parents "$fso_ro" "$rw_dest_dir"
+            echo "Initializing $fso_rw with files from $fso_ro" >&2
+            parent_directory="$(dirname "$fso_rw")"
+            test -d "$parent_directory" || mkdir --parents "$parent_directory"
+            cp --archive --recursive "$fso_ro" "$fso_rw"
          else
             echo "$fso_ro is neither a directory nor a file and the path does not exist below /rw, skipping."
             continue
@@ -106,10 +131,23 @@ bind_dirs() {
 
       # Bind the fso.
       echo "Bind mounting $fso_rw onto $fso_ro" >&2
-      mount --bind "$fso_rw" "$fso_ro"
+      mount --bind -o x-gvfs-hide "$fso_rw" "$fso_ro"
    done
 }
 
+mk_parent_dirs() {
+  local target="$1"
+  local owner="$2"
+  local group="$3"
+  local depth="$4"
+  [[ "$depth" -gt 100 ]] && echo "Maximum recursion depth reached" >&2 && return 1
+  [ -e "$target" ] && return 0
+  mk_parent_dirs "$(dirname "$target")" "$owner" "$group" "$(( depth + 1 ))" || return 1
+  mkdir "$target" || return 1
+  chown "$owner":"$group" "$target" || return 1
+  return 0
+}
+
 main() {
    prerequisite "$@"
    init "$@"
@@ -118,7 +156,12 @@ main() {
 }
 
 binds=()
-for source_folder in /usr/lib/qubes-bind-dirs.d /etc/qubes-bind-dirs.d /rw/config/qubes-bind-dirs.d ; do
+sources=( "/usr/lib/qubes-bind-dirs.d" "/etc/qubes-bind-dirs.d" )
+if [ ! -f "/var/run/qubes-service/custom-persist" ]; then
+    sources+=( "/rw/config/qubes-bind-dirs.d" )
+fi
+
+for source_folder in "${sources[@]}"; do
    true "source_folder: $source_folder"
    if [ ! -d "$source_folder" ]; then
       continue
@@ -130,6 +173,60 @@ for source_folder in /usr/lib/qubes-bind-dirs.d /etc/qubes-bind-dirs.d /rw/confi
    done
 done
 
+# read binds in QubesDB if custom-persist feature is enabled
+if is_custom_persist_enabled; then
+  while read -r qubes_persist_entry; do
+    [[ "$qubes_persist_entry" =~ =\ (.*)$ ]] || continue
+    target="${BASH_REMATCH[1]}"
+
+    # if the first char is not a slash, options should be extracted from
+    # the value
+    if [[ "$target" != /* ]]; then
+      resource_type="$(echo "$target" | cut -d':' -f1)"
+      owner="$(echo "$target" | cut -d':' -f2)"
+      group="$(echo "$target" | cut -d':' -f3)"
+      mode="$(echo "$target" | cut -d':' -f4)"
+      path="$(echo "$target" | cut -d':' -f5-)"
+
+      if [ -z "$path" ] || [[ "$path" != /* ]]; then
+        echo "Skipping invalid custom-persist value '${target}'" >&2
+        continue
+      fi
+
+      rw_path="$(rw_from_ro "${path}")"
+      # create resource if it does not exist
+      if ! [ -e "${path}" ] && ! [ -e "$rw_path" ]; then
+        if [ "$resource_type" = "file" ]; then
+          # for files, we need to create parent directories
+          parent_directory="$(dirname "$rw_path")"
+          echo "custom-persist: pre-creating file ${rw_path} with rights ${owner}:${group} ${mode}"
+          if [ ! -d "$parent_directory" ]; then
+            if ! mk_parent_dirs "$parent_directory" "$owner" "$group"; then
+              echo "Unable to create ${rw_path} parent dirs, skipping"
+              continue
+            fi
+          fi
+          touch "${rw_path}"
+        elif [ "$resource_type" = "dir" ]; then
+          echo "custom-persist: pre-creating directory ${rw_path} with rights ${owner}:${group} ${mode}"
+          if ! mk_parent_dirs "$rw_path" "$owner" "$group"; then
+            echo "Unable to create ${rw_path} parent dirs, skipping"
+            continue
+          fi
+        else
+          echo "Invalid entry ${target}, skipping"
+          continue
+        fi
+        chown "$owner":"$group" "${rw_path}"
+        chmod "$mode" "${rw_path}"
+      fi
+      target="$path"
+    fi
+    [[ "$target" =~ ^(\/home|\/usr\/local)$ ]] && continue
+    binds+=( "$target" )
+  done <<< "$(qubesdb-multiread /persist/)"
+fi
+
 main "$@"
 
 true "OK: END."

vm-systemd/home.mount

@@ -0,0 +1,8 @@
+[Unit]
+ConditionPathExists=!/var/run/qubes/disable_persistent_home_dir
+
+[Mount]
+What=/rw/home
+Where=/home
+Type=none
+Options=noauto,bind,defaults,nosuid,nodev

vm-systemd/misc-post.sh

@@ -11,9 +11,11 @@ if [ -n "$(ls -A /usr/local/lib 2>/dev/null)" ] || \
     ldconfig
 fi
 
-for rc in /rw/config/rc.local.d/*.rc /rw/config/rc.local; do
-    [ -f "${rc}" ] || continue
-    [ -x "${rc}" ] || continue
-    "${rc}"
-done
+if ! is_custom_persist_enabled; then
+  for rc in /rw/config/rc.local.d/*.rc /rw/config/rc.local; do
+      [ -f "${rc}" ] || continue
+      [ -x "${rc}" ] || continue
+      "${rc}"
+  done
+fi
 unset rc

vm-systemd/mount-dirs.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # Source Qubes library.
 # shellcheck source=init/functions
@@ -10,9 +10,31 @@ set -e
 if [ -e /dev/xvdb ] ; then mount /rw ; fi
 /usr/lib/qubes/init/setup-rw.sh
 
-initialize_home "/rw/home" ifneeded
-echo "Mounting /rw/home onto /home" >&2
-mount /home
-echo "Mounting /rw/usrlocal onto /usr/local" >&2
-mount /usr/local
-/usr/lib/qubes/init/bind-dirs.sh
+if is_custom_persist_enabled; then
+  mount_home=false
+  mount_usr_local=false
+
+  while read -r qubes_persist_entry; do
+    [[ "$qubes_persist_entry" =~ \=\ /home$ ]] && mount_home=true
+    [[ "$qubes_persist_entry" =~ \=\ /usr/local$ ]] && mount_usr_local=true
+  done <<< "$(qubesdb-multiread /persist/)"
+else
+  mount_home=true
+  mount_usr_local=true
+fi
+
+if $mount_home; then
+  initialize_home "/rw/home" ifneeded
+  under_systemd || mount -o noauto,bind,defaults,nosuid,nodev /rw/home /home
+else
+  under_systemd && disable_persistent_home
+  initialize_home "/home" unconditionally
+fi
+
+if $mount_usr_local; then
+  under_systemd || mount -o noauto,bind,defaults /rw/usrlocal /usr/local
+else
+  under_systemd && disable_persistent_usrlocal
+fi
+
+under_systemd && systemctl daemon-reload || exit 0