From a5de68de7e51eb955e667d6716693da7b9f91704 Mon Sep 17 00:00:00 2001
From: Christopher Laprise <tasket@protonmail.com>
Date: Thu, 29 Mar 2018 09:54:31 -0400
Subject: [PATCH] Fix: Remove quotes from copy glob

---
 vm-boot-protect.service |  1 +
 vm-boot-protect.sh      | 12 ++++++------
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/vm-boot-protect.service b/vm-boot-protect.service
index 0553a34..dc5b5d0 100644
--- a/vm-boot-protect.service
+++ b/vm-boot-protect.service
@@ -12,6 +12,7 @@ OnFailureJobMode=replace-irreversibly
 [Service]
 Type=oneshot
 RemainAfterExit=no
+# privdirs must begin with /rw
 #Environment="privdirs=/rw/config /rw/usrlocal /rw/bind-dirs"
 ExecStart=/usr/lib/qubes/init/vm-boot-protect.sh
 
diff --git a/vm-boot-protect.sh b/vm-boot-protect.sh
index 50bcc9b..ac997e8 100644
--- a/vm-boot-protect.sh
+++ b/vm-boot-protect.sh
@@ -46,7 +46,7 @@ fi
 # Protection measures for /rw dirs:
 # Activated by presence of vm-boot-protect-root Qubes service.
 #   * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked.
-#   * Remove /rw root startup files (config, usrlocal, bind-dirs).
+#   * Remove /rw root startup files - except whitelist.
 #   * Contents of vms/vms.all and vms/$vmname folders will be copied.
 defdir="/etc/default/vms"
 privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"}
@@ -78,10 +78,10 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
     cd /root
 
     # Deactivate private.img config dirs
-    mkdir -p `dirname $dir`/vm-boot-protect
+    mkdir -p $rw/vm-boot-protect
     for dir in $privdirs; do
-        bakdir=`dirname $dir`/vm-boot-protect/BAK-`basename $dir`
-        origdir=`dirname $dir`/vm-boot-protect/ORIG-`basename $dir`
+        bakdir=$rw/vm-boot-protect/BAK-`basename $dir`
+        origdir=$rw/vm-boot-protect/ORIG-`basename $dir`
         if [ -d $bakdir ] && [ ! -d $origdir ]; then
             mv $bakdir $origdir
         fi
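Review bot: Keying `bakdir` and `origdir` on `basename $dir` alone means two `privdirs` entries with the same final component (for example a nested directory and a top-level one) now share one `BAK-`/`ORIG-` path under `$rw/vm-boot-protect`, where the old `dirname`-based paths kept them apart. Nothing visible in this hunk enforces the "must begin with /rw" rule stated by the comment added to vm-boot-protect.service, so a guard at the top of the loop would make it real: `case "$dir" in "$rw"/*) ;; *) echo "privdirs entry outside $rw: $dir" >&2; continue ;; esac`. The new `mkdir` and both assignments also leave `$rw` and `$dir` unquoted; `mkdir -p "$rw/vm-boot-protect"` and `"$(basename "$dir")"` would survive paths with spaces. The enclosing `if` block and the rest of the loop body lie outside the hunk.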
@@ -97,7 +97,7 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
         | while read wlfile; do
             # Must begin with '/rw/'
             if echo $wlfile |grep -q "^\/rw\/"; then #Was [ $wlfile =~ ^\/rw\/ ];
-                srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/BAK-\1|\"`"
+                srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/vm-boot-protect/BAK-\1|\"`"
                 dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
                 dstdir="`dirname \"$dstfile\"`"
                 if [ ! -e "$srcfile" ]; then
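Review bot: On the changed `srcfile` line, `echo $wlfile` is unquoted, so a whitelist entry containing spaces or glob characters is split or expanded against the current directory before `sed` sees it, and `$rw` is pasted into the sed replacement where a `|` or `&` would change its meaning. Parameter expansion avoids both and needs no subprocess: `srcfile="$rw/vm-boot-protect/BAK-${wlfile#/rw/}"` and `dstfile="$rw/${wlfile#/rw/}"`. The `^/rw/` test also accepts entries with `..` components, so both paths can resolve outside the backup and `/rw` trees; how much that matters depends on who can write the whitelist, which the hunk does not show. The `while read` loop starts and ends outside the hunk, and `read -r` there would keep backslashes in entries intact.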
@@ -119,7 +119,7 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
 
         # Copy default files...
         if [ -d $defdir/$vmset/rw ]; then
-            cp -af "$defdir/$vmset/rw/*" $rw
+            cp -af $defdir/$vmset/rw/* $rw
         fi
         
     done
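Review bot: The unquoted glob on the new `cp` line skips top-level dotfiles in the defaults directory and, when that directory is empty, hands a literal `*` to `cp`, which then fails. `$defdir`, `$vmset` and `$rw` are also left open to word splitting. `cp -af "$defdir/$vmset/rw/." "$rw"` copies the directory's contents, hidden files included, with every expansion quoted and no glob at all. The `if` sits inside a loop that begins outside the hunk.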