Added facl function to restore file permissions on files copied to image

functions.sh

@@ -1,3 +1,6 @@
+#!/bin/bash
+# vim: set ts=4 sw=4 sts=4 et :
+
 ################################################################################
 # Global functions
 ################################################################################
@@ -168,24 +171,50 @@ customStep() {
 
 # ------------------------------------------------------------------------------
 # Copy extra file tree to $INSTALLDIR 
+#
+# To set file permissions is a PITA since git won't save them and will
+# complain heavily if they are set to root only read, so this is the procdure:
+#
+# 1. Change to the directory that you want to have file permissions retained
+# 2. Change all the file permissions / ownership as you want
+# 3. Change back to the root of the exta directory (IE: extra-qubes-files)
+# 4. getfacl -R . > ".facl"
+# 5. If git complains; reset file ownership back to user.  The .facl file stored
+#    the file permissions and will be used to reset the file permissions after
+#    they get copied over to $INSTALLDIR
+# NOTE: Don't forget to redo this process if you add -OR- remove files
 # ------------------------------------------------------------------------------
 copy_dirs() {
-    DIR="$1"
+    dir="$1"
-    info "Entering Copy extra file tree to $INSTALLDIR..."
+    install_dir="$(readlink -m ${INSTALLDIR})"
+
+    info "copy_dirs(): ${install_dir}"
     if [ -n "${TEMPLATE_FLAVOR}" ]; then
-        CUSTOMDIR="$SCRIPTSDIR/custom_${DIST}_${TEMPLATE_FLAVOR}/${DIR}"
+        custom_dir="${SCRIPTSDIR}/custom_${DIST}_${TEMPLATE_FLAVOR}/${dir}"
     else
-        CUSTOMDIR="$SCRIPTSDIR/custom_${DIST}/${DIR}"
+        custom_dir="${SCRIPTSDIR}/custom_${DIST}/${dir}"
     fi
 
-    if [ -d "$CUSTOMDIR" ]; then
+    if [ -d "${custom_dir}" ]; then
-        debug "Copying $CUSTOMDIR/* $INSTALLDIR..."
+        dir="${custom_dir}/"
-        cp -rp "$CUSTOMDIR/"* "$INSTALLDIR"
+    elif [ -d "${SCRIPTSDIR}/${dir}" ]; then
-    elif [ -d "$SCRIPTSDIR/${DIR}" ]; then
+        dir="${SCRIPTSDIR}/${dir}/"
-        debug "Copying $SCRIPTSDIR/${DIR}/* $INSTALLDIR"
-        cp -rp "$SCRIPTSDIR/${DIR}/"* "$INSTALLDIR"
     else
-        debug "No extra files to copy"
+        debug "No extra files to copy for ${dir}"
+	return 0
+    fi
+
+    dir="$(readlink -m $dir)"
+    debug "Copying ${dir}/* ${install_dir}"
+    cp -rp "${dir}/"* "${install_dir}"
+
+    if [ -f "${dir}/.facl" ]; then
+        debug "Restoring file permissions..."
+        pushd "$install_dir"
+        {
+            setfacl --restore="${dir}/.facl" 2>/dev/null ||:
+        }
+        popd
     fi
 }
 

scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/.facl

@@ -0,0 +1,77 @@
+# file: .
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/udev
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/udev/rules.d
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/udev/rules.d/99-qubes-whonix.rules
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
+# file: .facl
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
+# file: usr
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib/whonix
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib/whonix/setup-ip
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib/whonix/replace-ips
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+

scripts_debian/extra-qubes-files/.facl

@@ -0,0 +1,273 @@
+# file: .
+# owner: user
+# group: user
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/udev
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/udev/rules.d
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/udev/rules.d/xen-backend.rules
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
+# file: etc/udev/rules.d/98-kexec.rules
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
+# file: etc/xen
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vif-bridge
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vtpm-delete
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vif2
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vtpm
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/external-device-migrate
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vif-route-qubes
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/xen/scripts/network-nat
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/xen-hotplug-common.sh
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vtpm-common.sh
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vtpm-impl
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/locking.sh
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/xen-hotplug-cleanup
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/xen-network-common.sh
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/block-nbd
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/block
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/hotplugpath.sh
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vtpm-migration.sh
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/network-bridge
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/block-enbd
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vif-common.sh
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vif-setup
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vif-nat
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vif-route
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vscsi
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/network-route
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/blktap
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/xen-script-common.sh
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/logging.sh
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/block-common.sh
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: etc/xen/scripts/vtpm-hotplug-common.sh
+# owner: root
+# group: root
+user::rwx
+group::---
+other::---
+
+# file: .facl
+# owner: user
+# group: user
+user::rwx
+group::rwx
+other::rwx
+