From 6d9d0e38fec53356f80955d73e27ca5f5d1940e0 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 11 May 2026 20:11:19 -0400
Subject: [PATCH] qubes-db-vm: add xen_privcmd modprobe config

XSA-482 patch modified behavior of /dev/xen/privcmd, to disallow most operations. This breaks vchan which uses xc_evtchn_status() (not available via /dev/xen/evtchn yet). Until proper abstraction via /dev/xen/evtchn is available, lift the limitation via kernel parameter. Unfortunately, the usual cmdline 'xen_privcmd.unrestricted` used in other OSs does not work on Alpine Linux. We need to set `xen_privcmd.unrestricted=1`. Thus, set via modprobe conf
---
 qubes-db-vm/APKBUILD | 11 ++++++++++-
 qubes-db-vm/xen-modprobe.conf | 1 +
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 qubes-db-vm/xen-modprobe.conf

diff --git a/qubes-db-vm/APKBUILD b/qubes-db-vm/APKBUILD
index 647c2cf..6bba3f6 100644
--- a/qubes-db-vm/APKBUILD
+++ b/qubes-db-vm/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=qubes-db-vm
 subpackages="$pkgname-openrc"
 pkgver=4.3.2
-pkgrel=2
+pkgrel=3
 _gittag="v$pkgver"
 pkgdesc="QubesDB libs and daemon service."
 arch="x86_64"
@@ -22,6 +22,7 @@ source="
 0001-musl-build.patch
 0001-create_pidfile.patch
 qubes-db.openrc
+ xen-modprobe.conf
 "
 builddir="$srcdir"/qubes-core-qubesdb-$pkgver
 subpackages="$pkgname-dev $pkgname-openrc"
@@ -41,10 +42,18 @@ package() {
 # Install all with python bindings
 make install DESTDIR=$pkgdir LIBDIR=/usr/lib BINDIR=/usr/bin SBINDIR=/usr/sbin
 install -Dm 755 "$srcdir"/qubes-db.openrc "$pkgdir"/etc/init.d/qubes-db
+
+ # Enable xen_privcmd.unrestricted for inter-vm communication to work
+ # cmdline xen_privcmd.unrestricted via command line should do - which is
+ # already set with default-kernelopts-common.txt on dom0, but for some reason
+ # alpine needs xen_privcmd.unrestricted=1, so set via modprobe conf
+ # see https://github.com/QubesOS/qubes-linux-kernel/commit/ca0fa03aa2b5bb0f2c0cf3e9e1fe33701b416bc1
+ install -Dm 644 "$srcdir"/xen-modprobe.conf "$pkgdir"/etc/modprobe.d/xen.conf
 }
 sha512sums="
 e8e55015d16d20965a0bd20bc48e3840e6125af3e9f13b245e8899ccb77c76f3463f8d6364b52657ae464e1dee3bee9498cc7ee075309aa179400b244598fcfe qubes-db-vm-v4.3.2.tar.gz
 af86268c264c843b94f9cefb735b9d078dc58819c890fc0a31dd79fa2761d3c2fa87aed73752bca1db07948ba86ecfe16a745b19672ccc10dfb9461df24aa207 0001-musl-build.patch
 892eb29b9bab4d9e662678d13a5607df04cdb024c2f28332f40fa4b7c644476a4b26a9fc038dfcdac1e0b8d328165d21d50d894d2c1e27f792287dd57449e7eb 0001-create_pidfile.patch
 e8c8dc6975d5b59a2afed0e397dca008c95ae747a5e5dedb4b847bbd876d9d50e937d9ed3b8ea08592c8d0e05e7929d1a85467a72c4d45175ef77236a0c3fdec qubes-db.openrc
+4d0e5cebb3d76d8c7658ed39b2f68a17298e2629144684689eb906100b935f38b3d1d860e4527e5002871c9a0ecfab85c307f8e27ed66f2810b7a98b01e3a8ef xen-modprobe.conf
 "
diff --git a/qubes-db-vm/xen-modprobe.conf b/qubes-db-vm/xen-modprobe.conf
new file mode 100644
index 0000000..341a3e4
--- /dev/null
+++ b/qubes-db-vm/xen-modprobe.conf
@@ -0,0 +1 @@
+options xen_privcmd unrestricted=1
-- 
2.52.0
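Review bot: The added install line in package() drops the file at `/etc/modprobe.d/xen.conf`, a generic name that another package or a local administrator may already use, and one that does not show which package relaxed the privcmd restriction. A package-specific destination, for example `install -Dm 644 "$srcdir"/xen-modprobe.conf "$pkgdir"/etc/modprobe.d/qubes-xen-privcmd.conf`, avoids a possible file conflict and is easier to trace during an audit. The comment's "for some reason" also leaves the mechanism unverified: a modprobe.d option is presumably applied only when xen_privcmd is loaded through modprobe after this file is present, so it is worth confirming the module is neither built in nor loaded from an initramfs that lacks the file.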
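Review bot: The new file consists of the single line `options xen_privcmd unrestricted=1` and gives no reason for lifting the restriction that the commit message attributes to the XSA-482 patch, so anyone reviewing /etc/modprobe.d on a running VM sees an unexplained security relaxation. The rationale and the removal condition exist only in the commit message and the APKBUILD comment, neither of which ships with the package. I would add a leading comment to the file, e.g. `# Lifts the /dev/xen/privcmd restriction from the XSA-482 patch; vchan needs xc_evtchn_status(). Remove once /dev/xen/evtchn provides it.`, and regenerate the matching sha512sums entry.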