From ca2296714c1e5c818908cd4f9627253968bf50d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Thu, 16 Nov 2023 12:41:23 +0100
Subject: [PATCH] Relax permissions of usbguard configs

They don't have any secrets, and having them root-only breaks building
initramfs as non-root.

QubesOS/qubes-issues#8206
---
 rpm_spec/core-dom0-linux.spec.in | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/rpm_spec/core-dom0-linux.spec.in b/rpm_spec/core-dom0-linux.spec.in
index 020d6171..afd2a66e 100644
--- a/rpm_spec/core-dom0-linux.spec.in
+++ b/rpm_spec/core-dom0-linux.spec.in
@@ -164,11 +164,11 @@ install -m 0644 system-config/dnf-protected-qubes-core-dom0.conf  \
         $RPM_BUILD_ROOT/etc/dnf/protected.d/qubes-core-dom0.conf
 
 # USBguard and PCIe device handling
-install -m 0700 -d -- "$RPM_BUILD_ROOT/etc/usbguard" \
+install -m 0755 -d -- "$RPM_BUILD_ROOT/etc/usbguard" \
         "$RPM_BUILD_ROOT/etc/usbguard/rules.d"
-install -m 0600 -- system-config/qubes-usbguard.conf \
+install -m 0644 -- system-config/qubes-usbguard.conf \
         "$RPM_BUILD_ROOT/etc/usbguard"
-install -m 0600 -- system-config/qubes-usb-rules.conf \
+install -m 0644 -- system-config/qubes-usb-rules.conf \
         "$RPM_BUILD_ROOT/etc/usbguard/rules.d/02-qubes.conf"
 install -D -m 0644 -- system-config/usbguard.service "$RPM_BUILD_ROOT%_unitdir/usbguard.service.d/30_qubes.conf"
 
@@ -283,8 +283,8 @@ chmod -x /etc/grub.d/10_linux
 %{_dracutmoddir}/90extra-modules/*
 %dir %{_dracutmoddir}/90qubes-udev
 %{_dracutmoddir}/90qubes-udev/*
-%attr(0600,root,root) /etc/usbguard/rules.d/02-qubes.conf
-%attr(0600,root,root) /etc/usbguard/qubes-usbguard.conf
+%config /etc/usbguard/rules.d/02-qubes.conf
+%config /etc/usbguard/qubes-usbguard.conf
 %_unitdir/usbguard.service.d/30_qubes.conf
 # file copy
 %_bindir/qvm-copy-to-vm