From 6ba03ed65bc5aecde7a123bdafbf524a344853f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Fri, 15 Sep 2017 05:15:23 +0200
Subject: [PATCH] Mark /var/lib/qubes to not expose loop devices pointing inside DM_UDEV_DISABLE_DISK_RULES_FLAG flag sometimes isn't properly propagated, so just to be sure, add a flag file /var/lib/qubes/.qubes-exclude-block-devices to exclude that directory. Fixes 5c84a0b "udev: don't exclude loop devices pointing outside of /var/lib/qubes" QubesOS/qubes-issues#3084
---
 rpm_spec/core-dom0-linux.spec | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rpm_spec/core-dom0-linux.spec b/rpm_spec/core-dom0-linux.spec
index c67be49..a6a24de 100644
--- a/rpm_spec/core-dom0-linux.spec
+++ b/rpm_spec/core-dom0-linux.spec
@@ -143,6 +143,8 @@ install -m 644 -D system-config/75-qubes-dom0.preset \
 install -m 644 -D system-config/99-qubes-default-disable.preset \
 $RPM_BUILD_ROOT/usr/lib/systemd/system-preset/99-qubes-default-disable.preset
 
+touch $RPM_BUILD_ROOT/var/lib/qubes/.qubes-exclude-block-devices
+
 # file copy to VM
 install -m 755 file-copy-vm/qfile-dom0-agent $RPM_BUILD_ROOT/usr/lib/qubes/
 install -m 755 file-copy-vm/qvm-copy-to-vm $RPM_BUILD_ROOT/usr/bin/
@@ -224,6 +226,7 @@ chmod -x /etc/grub.d/10_linux
 %config(noreplace) /etc/profile.d/zz-disable-lesspipe.sh
 /usr/lib/systemd/system-preset/75-qubes-dom0.preset
 /usr/lib/systemd/system-preset/99-qubes-default-disable.preset
+/var/lib/qubes/.qubes-exclude-block-devices
 # Man
 %{_mandir}/man1/qvm-*.1*
 %{_mandir}/man1/qubes-*.1*
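Review bot: The added `touch $RPM_BUILD_ROOT/var/lib/qubes/.qubes-exclude-block-devices` leaves the marker's mode to the build umask and fails if `/var/lib/qubes` has not already been created in the build root earlier in `%install`, which this hunk does not show; the surrounding lines use `install -m 644 -D`, and `install -m 644 -D /dev/null $RPM_BUILD_ROOT/var/lib/qubes/.qubes-exclude-block-devices` would match them. The matching `%files` entry in the second hunk carries no `%attr`, so its ownership depends on a `%defattr` outside the hunk; `%attr(0644,root,root) /var/lib/qubes/.qubes-exclude-block-devices` would make it explicit. Because the commit message describes this file as the fallback that keeps loop devices backed by images in that directory from being exposed, a comment above the `touch` such as `# marker file: udev must not expose loop devices backed by files under /var/lib/qubes` would tell maintainers it is not an empty leftover to be dropped. The marker appears to cover only `/var/lib/qubes`, so images kept elsewhere would presumably still rely on the udev flag alone.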