minimal-vms: mask gvfs-daemon to prevent dbus timeout

Makefile

@@ -146,20 +146,23 @@ endif
 
 # Systemd service files
 SYSTEMD_ALL_SERVICES := $(wildcard vm-systemd/qubes-*.service) vm-systemd/dev-xvdc1-swap.service
-SYSTEMD_NETWORK_SERVICES := vm-systemd/qubes-firewall.service vm-systemd/qubes-iptables.service vm-systemd/qubes-updates-proxy.service vm-systemd/qubes-antispoof.service vm-systemd/qubes-sysctl-minimal-sys-net.service
+SYSTEMD_NETWORK_SERVICES := vm-systemd/qubes-firewall.service vm-systemd/qubes-iptables.service vm-systemd/qubes-updates-proxy.service vm-systemd/qubes-antispoof.service
 SYSTEMD_SELINUX_SERVICES := vm-systemd/qubes-relabel-root.service vm-systemd/qubes-relabel-rw.service
 SYSTEMD_CORE_SERVICES := $(filter-out $(SYSTEMD_NETWORK_SERVICES) $(SYSTEMD_SELINUX_SERVICES), $(SYSTEMD_ALL_SERVICES))
+SYSTEMD_USER_SERVICES := $(wildcard vm-systemd/user/qubes-*.service)
 
 .PHONY: install-systemd
 install-systemd: install-init
 	install -d $(DESTDIR)$(SYSLIBDIR)/systemd/system{,-preset} \
+		$(DESTDIR)$(SYSLIBDIR)/systemd/user{,-preset} \
 		$(DESTDIR)$(LIBDIR)/qubes/init \
 		$(DESTDIR)$(SYSLIBDIR)/modules-load.d \
 		$(DESTDIR)/etc/systemd/system \
 		$(DESTDIR)$(SYSLIBDIR)/systemd/network \
 		$(DESTDIR)$(SYSLIBDIR)/systemd/resolved.conf.d/ \
 		$(DESTDIR)$(SYSLIBDIR)/systemd/user-environment-generators
 	install -m 0644 $(SYSTEMD_CORE_SERVICES) $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+	install -m 0644 $(SYSTEMD_USER_SERVICES) $(DESTDIR)$(SYSLIBDIR)/systemd/user/
 	install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
 	install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
@@ -169,6 +172,8 @@ install-systemd: install-init
 	install -m 0644 vm-systemd/home.mount $(DESTDIR)$(SYSLIBDIR)/systemd/system/
 	install -m 0755 vm-systemd/user-environment-generators/30-qubes.sh $(DESTDIR)$(SYSLIBDIR)/systemd/user-environment-generators/30-qubes.sh
 	install -m 0644 vm-systemd/usr-local.mount $(DESTDIR)$(SYSLIBDIR)/systemd/system/
+	install -m 0755 vm-systemd/setup-minimal-vm $(DESTDIR)$(LIBDIR)/qubes/setup-minimal-vm
+	install -m 0644 vm-systemd/user/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/user-preset/
 
 .PHONY: install-sysvinit
 install-sysvinit: install-init

debian/qubes-core-agent-networking.install

@@ -18,7 +18,6 @@ lib/systemd/system/qubes-antispoof.service
 lib/systemd/system/qubes-network.service
 lib/systemd/system/qubes-network-uplink.service
 lib/systemd/system/[email protected]
-lib/systemd/system/qubes-sysctl-minimal-sys-net.service
 lib/systemd/system/qubes-updates-proxy.service
 lib/systemd/network/80-qubes-vif.link
 usr/lib/qubes/init/network-proxy-setup.sh

debian/qubes-core-agent.install

@@ -100,6 +100,7 @@ lib/systemd/system/qubes-early-vm-config.service
 lib/systemd/system/qubes-misc-post.service
 lib/systemd/system/qubes-mount-dirs.service
 lib/systemd/system/qubes-rootfs-resize.service
+lib/systemd/system/qubes-setup-minimal-vm.service
 lib/systemd/system/qubes-sysinit.service
 lib/systemd/system/qubes-update-check.service
 lib/systemd/system/qubes-update-check.timer
@@ -122,7 +123,9 @@ lib/systemd/system/[email protected]/90-session-stop-timeout.conf
 lib/systemd/resolved.conf.d/30_resolved-no-mdns-or-llmnr.conf
 lib/systemd/system/home.mount
 lib/systemd/system/usr-local.mount
+lib/systemd/user/qubes-setup-minimal-vm.service
 lib/systemd/user-environment-generators/30-qubes.sh
+lib/systemd/user-preset/75-qubes-vm.preset
 usr/lib/sysctl.d/20-qubes-core.conf
 usr/lib/systemd/user/tracker-extract-3.service.d/30_qubes.conf
 usr/lib/systemd/user/tracker-miner-fs-3.service.d/30_qubes.conf
@@ -189,6 +192,7 @@ usr/lib/qubes/qvm-move-to-vm.gnome
 usr/lib/qubes/qvm-move-to-vm.kde
 usr/lib/qubes/qvm-service-wrapper
 usr/lib/qubes/resize-rootfs
+usr/lib/qubes/setup-minimal-vm
 usr/lib/qubes/tar2qfile
 usr/lib/qubes/update-proxy-configs
 usr/lib/qubes/upgrades-installed-check

debian/qubes-core-agent.postinst

@@ -129,11 +129,13 @@ case "${1}" in
 
             # Systemd preload-all
             preset_units /lib/systemd/system-preset/75-qubes-vm.preset initial
+            preset_units /lib/systemd/user-preset/75-qubes-vm.preset initial "--global"
 
             # Maybe install overridden serial.conf init script
             installSerialConf
         else
             preset_units /lib/systemd/system-preset/75-qubes-vm.preset upgrade
+            preset_units /lib/systemd/user-preset/75-qubes-vm.preset upgrade "--global"
         fi
         systemctl reenable haveged || :
 

rpm_spec/core-agent.spec.in

@@ -1145,7 +1145,6 @@ rm -f %{name}-%{version}
 %_unitdir/qubes-network.service
 %_unitdir/qubes-network-uplink.service
 %_unitdir/[email protected]
-%_unitdir/qubes-sysctl-minimal-sys-net.service
 %_unitdir/qubes-updates-proxy.service
 /usr/lib/systemd/network/80-qubes-vif.link
 /usr/lib/qubes/init/network-proxy-setup.sh
@@ -1251,6 +1250,7 @@ The Qubes core startup configuration for SystemD init.
 %_unitdir/systemd-nsresourced.service.d/30_qubes.conf
 %dir %_unitdir/systemd-nsresourced.socket.d
 %_unitdir/systemd-nsresourced.socket.d/30_qubes.conf
+%_unitdir/qubes-setup-minimal-vm.service
 %dir %_userunitdir/*.service.d
 %_userunitdir/tracker-extract-3.service.d/30_qubes.conf
 %_userunitdir/tracker-miner-fs-3.service.d/30_qubes.conf
@@ -1267,6 +1267,9 @@ The Qubes core startup configuration for SystemD init.
 %_userunitdir/pipewire.service.d/40_minimal.conf
 %_userunitdir/wireplumber.service.d/30_qubes.conf
 /usr/lib/systemd/user-environment-generators/30-qubes.sh
+%_userunitdir/qubes-setup-minimal-vm.service
+%{_userunitdir}-preset/75-qubes-vm.preset
+/usr/lib/qubes/setup-minimal-vm
 
 %post systemd
 
@@ -1277,9 +1280,11 @@ changed=
 if [ $1 -eq 1 ]
 then
     preset_units %{_presetdir}/%qubes_preset_file initial
+    preset_units %{_userunitdir}-preset/75-qubes-vm.preset initial "--global"
     changed=true
 else
     preset_units %{_presetdir}/%qubes_preset_file upgrade
+    preset_units %{_userunitdir}-preset/75-qubes-vm.preset upgrade "--global"
     changed=true
     # Upgrade path - now qubes-iptables is used instead
     for svc in iptables ip6tables

vm-systemd/75-qubes-vm.preset

@@ -118,7 +118,7 @@ enable [email protected] default sys-usb
 enable dev-xvdc1-swap.service
 enable NetworkManager.service
 enable NetworkManager-dispatcher.service
-enable qubes-sysctl-minimal-sys-net.service
+enable qubes-setup-minimal-vm.service
 
 # Disable useless Xen services in Qubes VM
 disable xenstored.service

vm-systemd/qubes-setup-minimal-vm.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Apply minimal vm runtime configuration
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=systemd-modules-load.service qubes-sysinit.service
+Before=sysinit.target shutdown.target
+ConditionPathExists=|/var/run/qubes-service/minimal-netvm
+ConditionPathExists=|/var/run/qubes-service/minimal-usbvm
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/qubes/setup-minimal-vm
+
+[Install]
+WantedBy=sysinit.target

vm-systemd/setup-minimal-vm

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# License: GPL-2+
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+
+is_minimal_netvm() {
+	test -f /run/qubes-service/minimal-netvm
+}
+
+is_minimal_usbvm() {
+	test -f /run/qubes-service/minimal-usbvm
+}
+
+
+setup_minimal_netvm() {
+	if [ "$UID" == "0" ]; then
+		/usr/lib/systemd/systemd-sysctl /etc/sysctl.d/82-qubes-minimal-sys-net.conf.optional
+	else
+		/usr/bin/systemctl --user --runtime mask gvfs-daemon.service
+	fi
+}
+
+is_minimal_netvm && setup_minimal_netvm

vm-systemd/user/75-qubes-vm.preset

@@ -0,0 +1,3 @@
+# Units below this line will be re-preset on package upgrade
+
+enable qubes-setup-minimal-vm.service

vm-systemd/user/qubes-setup-minimal-vm.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Apply minimal vm runtime configuration
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=systemd-modules-load.service qubes-sysinit.service
+Before=sysinit.target shutdown.target
+ConditionPathExists=|/var/run/qubes-service/minimal-netvm
+ConditionPathExists=|/var/run/qubes-service/minimal-usbvm
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/qubes/setup-minimal-vm
+
+[Install]
+WantedBy=default.target