Mark /var/lib/qubes to not expose loop devices pointing inside

DM_UDEV_DISABLE_DISK_RULES_FLAG flag sometimes isn't properly propagated, so just to be sure, add a flag file /var/lib/qubes/.qubes-exclude-block-devices to exclude that directory. Fixes 5c84a0b "udev: don't exclude loop devices pointing outside of /var/lib/qubes" QubesOS/qubes-issues#3084
2017-09-15 05:15:23 +02:00 · 2017-09-15 05:15:23 +02:00 · 6ba03ed65b
commit 6ba03ed65b
parent 1f6546f484
1 changed files with 3 additions and 0 deletions
--- a/rpm_spec/core-dom0-linux.spec
+++ b/rpm_spec/core-dom0-linux.spec
@ -143,6 +143,8 @@ install -m 644 -D system-config/75-qubes-dom0.preset \
 install -m 644 -D system-config/99-qubes-default-disable.preset \
    $RPM_BUILD_ROOT/usr/lib/systemd/system-preset/99-qubes-default-disable.preset

+touch $RPM_BUILD_ROOT/var/lib/qubes/.qubes-exclude-block-devices
+
 # file copy to VM
 install -m 755 file-copy-vm/qfile-dom0-agent $RPM_BUILD_ROOT/usr/lib/qubes/
 install -m 755 file-copy-vm/qvm-copy-to-vm $RPM_BUILD_ROOT/usr/bin/
@ -224,6 +226,7 @@ chmod -x /etc/grub.d/10_linux
 %config(noreplace) /etc/profile.d/zz-disable-lesspipe.sh
 /usr/lib/systemd/system-preset/75-qubes-dom0.preset
 /usr/lib/systemd/system-preset/99-qubes-default-disable.preset
+/var/lib/qubes/.qubes-exclude-block-devices
 # Man
 %{_mandir}/man1/qvm-*.1*
 %{_mandir}/man1/qubes-*.1*