Merge remote-tracking branch 'origin/pr/636'

* origin/pr/636:
  minimal-vms: mask gvfs-daemon to prevent dbus timeout

Pull request description:

Some programs try to start gvfs-daemon, which refusing to start when minimal-vm is enabled, using a dbus method call and resulting in timeouts.

Trying to start a masked service is detected by Dbus and doesn't trigger any timeout.

The service is masked at runtime thanks to a new service executed when running a qube with minimal-netvm or minimal-usbvm.

Fixes QubesOS/qubes-issues#10165 (comment)

Author: marmarek

Makefile

@@ -146,7 +146,7 @@ endif
 
 # Systemd service files
 SYSTEMD_ALL_SERVICES := $(wildcard vm-systemd/qubes-*.service) vm-systemd/dev-xvdc1-swap.service
-SYSTEMD_NETWORK_SERVICES := vm-systemd/qubes-firewall.service vm-systemd/qubes-iptables.service vm-systemd/qubes-updates-proxy.service vm-systemd/qubes-antispoof.service vm-systemd/qubes-sysctl-minimal-sys-net.service
+SYSTEMD_NETWORK_SERVICES := vm-systemd/qubes-firewall.service vm-systemd/qubes-iptables.service vm-systemd/qubes-updates-proxy.service vm-systemd/qubes-antispoof.service
 SYSTEMD_SELINUX_SERVICES := vm-systemd/qubes-relabel-root.service vm-systemd/qubes-relabel-rw.service
 SYSTEMD_CORE_SERVICES := $(filter-out $(SYSTEMD_NETWORK_SERVICES) $(SYSTEMD_SELINUX_SERVICES), $(SYSTEMD_ALL_SERVICES))
 
@@ -169,6 +169,7 @@ install-systemd: install-init
 	install -m 0644 vm-systemd/home.mount $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -m 0755 vm-systemd/user-environment-generators/30-qubes.sh $(DESTDIR)$(SYSLIBDIR)/systemd/user-environment-generators/30-qubes.sh
 	install -m 0644 vm-systemd/usr-local.mount $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+	install -m 0755 vm-systemd/setup-minimal-vm $(DESTDIR)$(LIBDIR)/qubes/setup-minimal-vm
 
 .PHONY: install-sysvinit
 install-sysvinit: install-init

debian/qubes-core-agent-networking.install

@@ -18,7 +18,6 @@ lib/systemd/system/qubes-antispoof.service
 lib/systemd/system/qubes-network.service
 lib/systemd/system/qubes-network-uplink.service
 lib/systemd/system/qubes-network-uplink@.service
-lib/systemd/system/qubes-sysctl-minimal-sys-net.service
 lib/systemd/system/qubes-updates-proxy.service
 lib/systemd/network/80-qubes-vif.link
 usr/lib/qubes/init/network-proxy-setup.sh

debian/qubes-core-agent.install

@@ -99,6 +99,7 @@ lib/systemd/system/qubes-early-vm-config.service
 lib/systemd/system/qubes-misc-post.service
 lib/systemd/system/qubes-mount-dirs.service
 lib/systemd/system/qubes-rootfs-resize.service
+lib/systemd/system/qubes-setup-minimal-vm.service
 lib/systemd/system/qubes-sysinit.service
 lib/systemd/system/qubes-update-check.service
 lib/systemd/system/qubes-update-check.timer
@@ -189,6 +190,7 @@ usr/lib/qubes/qvm-move-to-vm.gnome
 usr/lib/qubes/qvm-move-to-vm.kde
 usr/lib/qubes/qvm-service-wrapper
 usr/lib/qubes/resize-rootfs
+usr/lib/qubes/setup-minimal-vm
 usr/lib/qubes/tar2qfile
 usr/lib/qubes/update-proxy-configs
 usr/lib/qubes/upgrades-installed-check

rpm_spec/core-agent.spec.in

@@ -1145,7 +1145,6 @@ rm -f %{name}-%{version}
 %_unitdir/qubes-network.service
 %_unitdir/qubes-network-uplink.service
 %_unitdir/qubes-network-uplink@.service
-%_unitdir/qubes-sysctl-minimal-sys-net.service
 %_unitdir/qubes-updates-proxy.service
 /usr/lib/systemd/network/80-qubes-vif.link
 /usr/lib/qubes/init/network-proxy-setup.sh
@@ -1251,6 +1250,7 @@ The Qubes core startup configuration for SystemD init.
 %_unitdir/systemd-nsresourced.service.d/30_qubes.conf
 %dir %_unitdir/systemd-nsresourced.socket.d
 %_unitdir/systemd-nsresourced.socket.d/30_qubes.conf
+%_unitdir/qubes-setup-minimal-vm.service
 %dir %_userunitdir/*.service.d
 %_userunitdir/tracker-extract-3.service.d/30_qubes.conf
 %_userunitdir/tracker-miner-fs-3.service.d/30_qubes.conf
@@ -1267,6 +1267,7 @@ The Qubes core startup configuration for SystemD init.
 %_userunitdir/pipewire.service.d/40_minimal.conf
 %_userunitdir/wireplumber.service.d/30_qubes.conf
 /usr/lib/systemd/user-environment-generators/30-qubes.sh
+/usr/lib/qubes/setup-minimal-vm
 
 %post systemd
 

vm-systemd/75-qubes-vm.preset

@@ -118,7 +118,7 @@ enable qubes-psu-client@.service default sys-usb
 enable dev-xvdc1-swap.service
 enable NetworkManager.service
 enable NetworkManager-dispatcher.service
-enable qubes-sysctl-minimal-sys-net.service
+enable qubes-setup-minimal-vm.service
 
 # Disable useless Xen services in Qubes VM
 disable xenstored.service

vm-systemd/qubes-setup-minimal-vm.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Apply minimal vm runtime configuration
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=systemd-modules-load.service qubes-sysinit.service
+Before=sysinit.target shutdown.target
+ConditionPathExists=|/var/run/qubes-service/minimal-netvm
+ConditionPathExists=|/var/run/qubes-service/minimal-usbvm
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/qubes/setup-minimal-vm
+
+[Install]
+WantedBy=sysinit.target

vm-systemd/qubes-sysctl-minimal-sys-net.service

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# License: GPL-2+
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+
+is_minimal_netvm() {
+	test -f /run/qubes-service/minimal-netvm
+}
+
+is_minimal_usbvm() {
+	test -f /run/qubes-service/minimal-usbvm
+}
+
+
+setup_minimal_netvm() {
+	if [ "$(id -u)" = "0" ]; then
+		systemd-sysctl /etc/sysctl.d/82-qubes-minimal-sys-net.conf.optional
+		systemctl --global --runtime mask gvfs-daemon.service
+	fi
+}
+
+if is_minimal_netvm; then
+	setup_minimal_netvm
+fi
+