Chris Laprise:
> I am trying to set up templates so the startup sequence in template-based
> VMs can take action on /rw contents before they can affect the execution
> environment (bind-dirs, rc.local, etc).
>
> Unless there is a setting for this (disabling startup execution of
> private.img contents) that I'm not aware of, I think some modification
> of Qubes would be necessary to properly enable such action. This is
> because currently bind-dirs.sh activation is lumped-in with mount-dirs.sh.
>
> My suggestion would be to put the activation of qubes/init/bind-dirs.sh
> under a separate systemd service. Alternately, mount-dirs.sh could have
> a hook that points to a specific user script in /etc.
>
Btw you can hook between mount-dirs.sh and bind-dirs.sh already.

https://github.com/QubesOS/qubes-core-agent-linux/blob/d177e73bba077815ebfd15d9782f0787772067d9/vm-systemd/bind-dirs.sh#L121-L131

does the trick. You could add a hook here:

/usr/lib/qubes-bind-dirs.d/20_vm-sudo-protect.conf

Since all files in that folder get `source`ed by (`bash`) `bind-dirs.sh`. The actual functionality of bind-dirs.sh would run after that.

https://github.com/QubesOS/qubes-core-agent-linux/blob/d177e73bba077815ebfd15d9782f0787772067d9/vm-systemd/bind-dirs.sh#L133

(Kicked off by: main "$@")

A bit hacky? Since that folder was supposed to be for configuration files, but running hooks from there would work as well.
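Added example (not part of the original message, and not Qubes code): a sketch of what such a hook file could contain, moving startup-executed items on the private volume aside before the rest of bind-dirs.sh runs. The target list, the `quarantine.d` directory and the `quarantine_rw` function are assumptions made for illustration.

```shell
# Hypothetical hook, dropped in as the file the message names:
#   /usr/lib/qubes-bind-dirs.d/20_vm-sudo-protect.conf
# Added example, not Qubes code. Assumption: bind-dirs.sh sources this file
# before its main function runs, as the message describes.

# Items on the private volume that take effect at startup. Assumed list,
# relative to the /rw mount point; adjust to the template.
quarantine_targets="config/rc.local config/qubes-bind-dirs.d"

# quarantine_rw ROOT
# Moves every target found under ROOT into ROOT/quarantine.d/, keeping its
# relative path, and prints the number of items moved. The body is a
# subshell, so its variables do not leak into bind-dirs.sh.
quarantine_rw() (
    root="$1"
    moved=0
    [ -d "$root" ] || { echo 0; return 0; }
    # Start from an empty quarantine directory. rm -rf removes a planted
    # symlink itself rather than following it.
    rm -rf "$root/quarantine.d"
    for rel in $quarantine_targets; do
        # -L also catches a dangling symlink, which -e reports as absent.
        [ -e "$root/$rel" ] || [ -L "$root/$rel" ] || continue
        dest="$root/quarantine.d/$rel"
        mkdir -p "$(dirname "$dest")" || continue
        mv "$root/$rel" "$dest" || continue
        moved=$((moved + 1))
    done
    echo "$moved"
)

# Runs when the file is sourced; a no-op if /rw is not mounted.
quarantine_rw /rw >/dev/null
```

The moved files stay under `quarantine.d` until the next boot, so they can be inspected from inside the VM.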
