Move MIME handling to systemd services (boot provisioning)

Fixes freedomofpress/securedrop-workstation#1042

debian/rules

@@ -38,3 +38,7 @@ override_dh_installdeb:
 override_dh_installsystemd:
 	dh_installsystemd --name securedrop-log-server
 	dh_installsystemd --name securedrop-logging-disabled
+	dh_installsystemd --name mime-handling-default
+	dh_installsystemd --name mime-handling-sd-app
+	dh_installsystemd --name mime-handling-sd-devices
+	dh_installsystemd --name mime-handling-sd-viewer

debian/securedrop-workstation-config.install

@@ -1,6 +1,7 @@
 workstation-config/mailcap.default opt/sdw/
 workstation-config/mimeapps.list.sd-viewer opt/sdw/
 workstation-config/mimeapps.list.sd-app opt/sdw/
-workstation-config/mimeapps.list.sd-devices-dvm opt/sdw/
+workstation-config/mimeapps.list.sd-devices opt/sdw/
 workstation-config/open-in-dvm.desktop opt/sdw/
 workstation-config/paxctld.conf opt/sdw/
+workstation-config/securedrop-mime-handling usr/sbin/

debian/securedrop-workstation-config.lintian-overrides

@@ -12,3 +12,6 @@ securedrop-workstation-config: maintainer-script-calls-systemctl [postinst:28]
 
 # We're not shipping CDs, so this is fine
 securedrop-workstation-config: package-has-long-file-name
+
+# We don't care
+securedrop-workstation-config: no-manual-page

debian/securedrop-workstation-config.mime-handling-default.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Securedrop Mimetype Handling Override (default)
+ConditionPathExists=/var/run/qubes-service/securedrop-mime-handling-default
+OnFailure=systemd-halt.service
+
+[Service]
+User=user
+ExecStart=/usr/sbin/securedrop-mime-handling
+
+[Install]
+WantedBy=multi-user.target

debian/securedrop-workstation-config.mime-handling-sd-app.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Securedrop Mimetype Handling Override (sd-app)
+ConditionPathExists=/var/run/qubes-service/securedrop-mime-handling-sd-app
+OnFailure=systemd-halt.service
+
+[Service]
+User=user
+ExecStart=/usr/sbin/securedrop-mime-handling sd-app
+
+[Install]
+WantedBy=multi-user.target

debian/securedrop-workstation-config.mime-handling-sd-devices.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Securedrop Mimetype Handling Override (sd-devices)
+ConditionPathExists=/var/run/qubes-service/securedrop-mime-handling-sd-devices
+OnFailure=systemd-halt.service
+
+[Service]
+User=user
+ExecStart=/usr/sbin/securedrop-mime-handling sd-devices
+
+[Install]
+WantedBy=multi-user.target

debian/securedrop-workstation-config.mime-handling-sd-viewer.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Securedrop Mimetype Handling Override (sd-viewer)
+ConditionPathExists=/var/run/qubes-service/securedrop-mime-handling-sd-viewer
+OnFailure=systemd-halt.service
+
+[Service]
+User=user
+ExecStart=/usr/sbin/securedrop-mime-handling sd-viewer
+
+[Install]
+WantedBy=multi-user.target

workstation-config/securedrop-mime-handling

@@ -0,0 +1,34 @@
+#!/bin/sh
+##
+# securedrop-mime-handling
+# =====================
+#
+# Overrides mimetype handling for certain VMs. Instead of relying on the
+# /usr/share/applications (system volume), we instead use /home/user/.local/share/
+# to be provisioned on boot by systemd.
+##
+
+# Fail early to ensure all the script ran successful
+set -e
+
+ln -sf /opt/sdw/mailcap.default /home/user/.mailcap
+
+mkdir -p /home/user/.local/share/applications
+
+# XXX receive qube name (or its template in case of disposable) via arg due to
+# qubesdb not being able to obtain template name in case of disposable.
+if [ -n "$1" ]; then
+    mimeapps_override_path="/opt/sdw/mimeapps.list.$1"
+else
+    mimeapps_override_path="/opt/sdw/mimeapps.list.default"
+fi
+# obtain
+
+if [ -f "$mimeapps_override_path" ]; then
+    ln -sf "$mimeapps_override_path" /home/user/.local/share/applications/mimeapps.list
+else
+    ln -sf /opt/sdw/mimeapps.list.default /home/user/.local/share/applications/mimeapps.list
+fi
+
+# Sleep forver to leave the systemd service that started it running
+sleep infinity