custom-persist: disable /home and /usr/local mounts

If not explicitly configured, /rw/home and /rw/usrlocal must not be bind mounted to /home and /usr/local. Instead, the original /home and /usr/local is mounted. SystemD drop-ins are used to override the resource to mount (What= option in unit)
QubesOS · marmarek · Mar 1, 2025 · Jan 19, 2025 · Jan 23, 2025 · Jan 26, 2025
commit 91d312aef52c90dd6718294966a0d2708a49f2f6
diff --git a/init/functions b/init/functions
@@ -250,3 +250,15 @@ initialize_home() {
         for waitpid in $waitpids ; do wait "$waitpid" ; done ; waitpids=
     done
 }
+
+disable_persistent_home() {
+    echo "Disabling persistent /home"
+    mkdir /run/systemd/system/home.mount.d
+    echo -e '[Mount]\nWhat=/home' > /run/systemd/system/home.mount.d/30_qubes.conf
+}
+
+disable_persistent_usrlocal() {
+    echo "Disabling persistent /usr/local"
+    mkdir /run/systemd/system/usr-local.mount.d
+    echo -e '[Mount]\nWhat=/usr/local' > /run/systemd/system/usr-local.mount.d/30_qubes.conf
+}
diff --git a/vm-systemd/mount-dirs.sh b/vm-systemd/mount-dirs.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # Source Qubes library.
 # shellcheck source=init/functions
@@ -10,4 +10,29 @@ set -e
 if [ -e /dev/xvdb ] ; then mount /rw ; fi
 /usr/lib/qubes/init/setup-rw.sh
 
-initialize_home "/rw/home" ifneeded
+if is_custom_persist_enabled; then
+  mount_home=false
+  mount_usr_local=false
+
+  while read -r qubes_persist_entry; do
+    [[ "$qubes_persist_entry" =~ \=\ /home$ ]] && mount_home=true
+    [[ "$qubes_persist_entry" =~ \=\ /usr/local$ ]] && mount_usr_local=true
+  done <<< "$(qubesdb-multiread /persist/)"
+else
+  mount_home=true
+  mount_usr_local=true
+fi
+
+if $mount_home; then
+  initialize_home "/rw/home" ifneeded
+else
+  disable_persistent_home
+  initialize_home "/home" unconditionally
+fi
+
+if ! $mount_usr_local; then
+  disable_persistent_usrlocal
+fi
+
+systemctl daemon-reload
+