From 8e559c3899c9ae239c0f32c9a620da68af2b6e5e Mon Sep 17 00:00:00 2001 From: mickael e Date: Wed, 26 Aug 2020 16:16:51 -0400 Subject: [PATCH 1/2] Adds configurations for mime type handing and paxctld in config package * Provides files required to open in a DispVM by default * Provides mime handling definitions for sd-app, sd-devices and sd-viewer AppVMs to be handled by salt --- .../debian/changelog-buster | 6 + securedrop-workstation-config/debian/postinst | 46 +++ .../securedrop-workstation-config.install | 5 + .../mimeapps.list.sd-app | 297 +++++++++++++++++ .../mimeapps.list.sd-devices-dvm | 298 ++++++++++++++++++ .../mimeapps.list.sd-viewer | 31 ++ .../open-in-dvm.desktop | 10 + securedrop-workstation-config/paxctld.conf | 117 +++++++ 8 files changed, 810 insertions(+) create mode 100644 securedrop-workstation-config/debian/postinst create mode 100644 securedrop-workstation-config/debian/securedrop-workstation-config.install create mode 100644 securedrop-workstation-config/mimeapps.list.sd-app create mode 100644 securedrop-workstation-config/mimeapps.list.sd-devices-dvm create mode 100644 securedrop-workstation-config/mimeapps.list.sd-viewer create mode 100644 securedrop-workstation-config/open-in-dvm.desktop create mode 100644 securedrop-workstation-config/paxctld.conf diff --git a/securedrop-workstation-config/debian/changelog-buster b/securedrop-workstation-config/debian/changelog-buster index 2f49a3c8..1ee4f4bb 100644 --- a/securedrop-workstation-config/debian/changelog-buster +++ b/securedrop-workstation-config/debian/changelog-buster @@ -1,3 +1,9 @@ +securedrop-workstation-config (0.1.4+buster) unstable; urgency=medium + + * Provides mime type files all VMs for template consolidation + + -- SecureDrop Team Wed, 26 Aug 2020 15:24:29 -0400 + securedrop-workstation-config (0.1.3+buster) unstable; urgency=medium * Adds securedrop-keyring to list of dependencies 
diff --git a/securedrop-workstation-config/debian/postinst b/securedrop-workstation-config/debian/postinst
new file mode 100644
index 00000000..66a5e197
--- /dev/null
+++ b/securedrop-workstation-config/debian/postinst
@@ -0,0 +1,46 @@
+#!/bin/sh
+# postinst script for securedrop-workstation-config
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure)
+ # move pax flags and restart paxctld service
+ # except for whonix-based VMs
+ if [ ! -e "/etc/whonix_version" ]; then
+ cp /opt/sdw/paxctld.conf /etc/paxctld.conf
+ systemctl restart paxctld
+ fi
+
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/securedrop-workstation-config/debian/securedrop-workstation-config.install b/securedrop-workstation-config/debian/securedrop-workstation-config.install
new file mode 100644
index 00000000..6e7768a0
--- /dev/null
+++ b/securedrop-workstation-config/debian/securedrop-workstation-config.install
@@ -0,0 +1,5 @@
+mimeapps.list.sd-viewer opt/sdw/
+mimeapps.list.sd-app opt/sdw/
+mimeapps.list.sd-devices-dvm opt/sdw/
+open-in-dvm.desktop usr/share/applications/
+paxctld.conf opt/sdw/
diff --git a/securedrop-workstation-config/mimeapps.list.sd-app b/securedrop-workstation-config/mimeapps.list.sd-app
new file mode 100644
index 00000000..6a23b860
--- /dev/null
+++ b/securedrop-workstation-config/mimeapps.list.sd-app
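Review bot: In the `configure` branch of postinst, `systemctl restart paxctld` runs under `set -e`, so a template where the paxctld unit is absent or systemd is not running (a chroot image build, for example) fails the whole package configuration; nothing in this hunk shows paxctld as a declared dependency. Consider `deb-systemd-invoke restart paxctld.service` so that policy-rc.d is honoured, and add paxctld to Depends in debian/control if it is not already there. The `cp` overwrites `/etc/paxctld.conf` on every configure without pinning owner or mode and discards any local edits; `install -m 0644 -o root -g root /opt/sdw/paxctld.conf /etc/paxctld.conf` makes the result explicit. The comment above it should say "copy pax flags" rather than "move", since the source file stays in /opt/sdw.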
@@ -0,0 +1,297 @@ +[Default Applications] +application/x-dia-diagram=open-in-dvm.desktop; +text/x-vcard=open-in-dvm.desktop; +text/directory=open-in-dvm.desktop; +text/calendar=open-in-dvm.desktop; +application/x-cd-image=open-in-dvm.desktop; +application/x-desktop=open-in-dvm.desktop; +application/x-raw-disk-image=open-in-dvm.desktop; +application/x-raw-disk-image-xz-compressed=open-in-dvm.desktop; +image/x-compressed-xcf=open-in-dvm.desktop; +image/x-xcf=open-in-dvm.desktop; +image/x-psd=open-in-dvm.desktop; +image/x-fits=open-in-dvm.desktop; +image/bmp=open-in-dvm.desktop; +image/gif=open-in-dvm.desktop; +image/x-icb=open-in-dvm.desktop; +image/x-ico=open-in-dvm.desktop; +image/x-pcx=open-in-dvm.desktop; +image/x-portable-anymap=open-in-dvm.desktop; +image/x-portable-bitmap=open-in-dvm.desktop; +image/x-portable-graymap=open-in-dvm.desktop; +image/x-portable-pixmap=open-in-dvm.desktop; +image/x-xbitmap=open-in-dvm.desktop; +image/x-xpixmap=open-in-dvm.desktop; +image/svg+xml=open-in-dvm.desktop; +application/vnd.ms-word=open-in-dvm.desktop; +application/vnd.wordperfect=open-in-dvm.desktop; +application/vnd.sun.xml.writer=open-in-dvm.desktop; +application/vnd.sun.xml.writer.global=open-in-dvm.desktop; +application/vnd.sun.xml.writer.template=open-in-dvm.desktop; +application/vnd.stardivision.writer=open-in-dvm.desktop; +application/vnd.oasis.opendocument.text=open-in-dvm.desktop; +application/vnd.oasis.opendocument.text-template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.text-web=open-in-dvm.desktop; +application/vnd.oasis.opendocument.text-master=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.wordprocessingml.document=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.wordprocessingml.template=open-in-dvm.desktop; +application/vnd.ms-excel=open-in-dvm.desktop; +application/vnd.stardivision.calc=open-in-dvm.desktop; +application/vnd.sun.xml.calc=open-in-dvm.desktop; 
+application/vnd.sun.xml.calc.template=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.spreadsheetml.sheet=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.spreadsheetml.template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.spreadsheet=open-in-dvm.desktop; +application/vnd.oasis.opendocument.spreadsheet-template=open-in-dvm.desktop; +application/vnd.ms-powerpoint=open-in-dvm.desktop; +application/vnd.stardivision.impress=open-in-dvm.desktop; +application/vnd.sun.xml.impress=open-in-dvm.desktop; +application/vnd.sun.xml.impress.template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.presentation=open-in-dvm.desktop; +application/vnd.oasis.opendocument.presentation-template=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.presentationml.presentation=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.presentationml.template=open-in-dvm.desktop; +application/vnd.stardivision.draw=open-in-dvm.desktop; +application/vnd.sun.xml.draw=open-in-dvm.desktop; +application/vnd.sun.xml.draw.template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.graphics=open-in-dvm.desktop; +application/vnd.oasis.opendocument.graphics-template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.formula=open-in-dvm.desktop; +application/vnd.sun.xml.math=open-in-dvm.desktop; +application/vnd.stardivision.math=open-in-dvm.desktop; +application/vnd.oasis.opendocument.database=open-in-dvm.desktop; +application/vnd.sun.xml.base=open-in-dvm.desktop; +application/pdf=open-in-dvm.desktop; +application/postscript=open-in-dvm.desktop; +application/x-qw=open-in-dvm.desktop; +application/x-gnucash=open-in-dvm.desktop; +application/vnd.lotus-1-2-3=open-in-dvm.desktop; +application/x-oleo=open-in-dvm.desktop; +application/x-gnumeric=open-in-dvm.desktop; +application/x-xbase=open-in-dvm.desktop; +application/x-abiword=open-in-dvm.desktop; +application/x-dvi=open-in-dvm.desktop; 
+application/x-catalog=open-in-dvm.desktop; +application/x-rpm=open-in-dvm.desktop; +text/csv=open-in-dvm.desktop; +text/plain=open-in-dvm.desktop; +text/html=open-in-dvm.desktop; +application/xhtml+xml=open-in-dvm.desktop; +inode/directory=open-in-dvm.desktop; +x-content/blank-cd=open-in-dvm.desktop; +x-content/blank-dvd=open-in-dvm.desktop; +x-content/blank-bd=open-in-dvm.desktop; +x-content/blank-hddvd=open-in-dvm.desktop; +x-content/video-dvd=open-in-dvm.desktop; +x-content/video-vcd=open-in-dvm.desktop; +x-content/video-svcd=open-in-dvm.desktop; +#x-content/video-bluray=open-in-dvm.desktop; +#x-content/video-hddvd=open-in-dvm.desktop; +x-content/audio-cdda=open-in-dvm.desktop; +x-content/audio-dvd=open-in-dvm.desktop; +x-content/audio-player=open-in-dvm.desktop; +x-content/image-dcf=open-in-dvm.desktop; +x-content/image-picturecd=open-in-dvm.desktop; +# URI scheme handlers +x-scheme-handler/mailto=open-in-dvm.desktop; +x-scheme-handler/http=open-in-dvm.desktop; +x-scheme-handler/https=open-in-dvm.desktop; +application/mxf=open-in-dvm.desktop; +application/ogg=open-in-dvm.desktop; +application/ram=open-in-dvm.desktop; +application/sdp=open-in-dvm.desktop; +application/smil=open-in-dvm.desktop; +application/smil+xml=open-in-dvm.desktop; +application/vnd.apple.mpegurl=open-in-dvm.desktop; +application/vnd.ms-wpl=open-in-dvm.desktop; +application/vnd.rn-realmedia=open-in-dvm.desktop; +application/x-extension-m4a=open-in-dvm.desktop; +application/x-extension-mp4=open-in-dvm.desktop; +application/x-flac=open-in-dvm.desktop; +application/x-flash-video=open-in-dvm.desktop; +application/x-matroska=open-in-dvm.desktop; +application/x-netshow-channel=open-in-dvm.desktop; +application/x-ogg=open-in-dvm.desktop; +application/x-quicktime-media-link=open-in-dvm.desktop; +application/x-quicktimeplayer=open-in-dvm.desktop; +application/x-shorten=open-in-dvm.desktop; +application/x-smil=open-in-dvm.desktop; +application/xspf+xml=open-in-dvm.desktop; 
+audio/3gpp=open-in-dvm.desktop; +audio/ac3=open-in-dvm.desktop; +audio/AMR=open-in-dvm.desktop; +audio/AMR-WB=open-in-dvm.desktop; +audio/basic=open-in-dvm.desktop; +audio/midi=open-in-dvm.desktop; +audio/mp2=open-in-dvm.desktop; +audio/mp4=open-in-dvm.desktop; +audio/mpeg=open-in-dvm.desktop; +audio/mpegurl=open-in-dvm.desktop; +audio/ogg=open-in-dvm.desktop; +audio/prs.sid=open-in-dvm.desktop; +audio/vnd.rn-realaudio=open-in-dvm.desktop; +audio/x-aiff=open-in-dvm.desktop; +audio/x-ape=open-in-dvm.desktop; +audio/x-flac=open-in-dvm.desktop; +audio/x-gsm=open-in-dvm.desktop; +audio/x-it=open-in-dvm.desktop; +audio/x-m4a=open-in-dvm.desktop; +audio/x-matroska=open-in-dvm.desktop; +audio/x-mod=open-in-dvm.desktop; +audio/x-mp3=open-in-dvm.desktop; +audio/x-mpeg=open-in-dvm.desktop; +audio/x-mpegurl=open-in-dvm.desktop; +audio/x-ms-asf=open-in-dvm.desktop; +audio/x-ms-asx=open-in-dvm.desktop; +audio/x-ms-wax=open-in-dvm.desktop; +audio/x-ms-wma=open-in-dvm.desktop; +audio/x-musepack=open-in-dvm.desktop; +audio/x-pn-aiff=open-in-dvm.desktop; +audio/x-pn-au=open-in-dvm.desktop; +audio/x-pn-realaudio=open-in-dvm.desktop; +audio/x-pn-realaudio-plugin=open-in-dvm.desktop; +audio/x-pn-wav=open-in-dvm.desktop; +audio/x-pn-windows-acm=open-in-dvm.desktop; +audio/x-realaudio=open-in-dvm.desktop; +audio/x-real-audio=open-in-dvm.desktop; +audio/x-s3m=open-in-dvm.desktop; +audio/x-sbc=open-in-dvm.desktop; +audio/x-scpls=open-in-dvm.desktop; +audio/x-speex=open-in-dvm.desktop; +audio/x-stm=open-in-dvm.desktop; +audio/x-tta=open-in-dvm.desktop; +audio/x-wav=open-in-dvm.desktop; +audio/x-wavpack=open-in-dvm.desktop; +audio/x-vorbis=open-in-dvm.desktop; +audio/x-vorbis+ogg=open-in-dvm.desktop; +audio/x-xm=open-in-dvm.desktop; +image/vnd.rn-realpix=open-in-dvm.desktop; +image/x-pict=open-in-dvm.desktop; +misc/ultravox=open-in-dvm.desktop; +text/google-video-pointer=open-in-dvm.desktop; +text/x-google-video-pointer=open-in-dvm.desktop; +video/3gp=open-in-dvm.desktop; 
+video/3gpp=open-in-dvm.desktop; +video/dv=open-in-dvm.desktop; +video/divx=open-in-dvm.desktop; +video/fli=open-in-dvm.desktop; +video/flv=open-in-dvm.desktop; +video/mp2t=open-in-dvm.desktop; +video/mp4=open-in-dvm.desktop; +video/mp4v-es=open-in-dvm.desktop; +video/mpeg=open-in-dvm.desktop; +video/msvideo=open-in-dvm.desktop; +video/ogg=open-in-dvm.desktop; +video/quicktime=open-in-dvm.desktop; +video/vivo=open-in-dvm.desktop; +video/vnd.divx=open-in-dvm.desktop; +video/vnd.mpegurl=open-in-dvm.desktop; +video/vnd.rn-realvideo=open-in-dvm.desktop; +video/vnd.vivo=open-in-dvm.desktop; +video/webm=open-in-dvm.desktop; +video/x-anim=open-in-dvm.desktop; +video/x-avi=open-in-dvm.desktop; +video/x-flc=open-in-dvm.desktop; +video/x-fli=open-in-dvm.desktop; +video/x-flic=open-in-dvm.desktop; +video/x-flv=open-in-dvm.desktop; +video/x-m4v=open-in-dvm.desktop; +video/x-matroska=open-in-dvm.desktop; +video/x-mpeg=open-in-dvm.desktop; +video/x-mpeg2=open-in-dvm.desktop; +video/x-ms-asf=open-in-dvm.desktop; +video/x-ms-asx=open-in-dvm.desktop; +video/x-msvideo=open-in-dvm.desktop; +video/x-ms-wm=open-in-dvm.desktop; +video/x-ms-wmv=open-in-dvm.desktop; +video/x-ms-wmx=open-in-dvm.desktop; +video/x-ms-wvx=open-in-dvm.desktop; +video/x-nsv=open-in-dvm.desktop; +video/x-ogm+ogg=open-in-dvm.desktop; +video/x-theora+ogg=open-in-dvm.desktop; +video/x-totem-stream=open-in-dvm.desktop; +x-content/video-dvd=open-in-dvm.desktop; +x-content/video-vcd=open-in-dvm.desktop; +x-content/video-svcd=open-in-dvm.desktop; +x-scheme-handler/pnm=open-in-dvm.desktop; +x-scheme-handler/mms=open-in-dvm.desktop; +x-scheme-handler/net=open-in-dvm.desktop; +x-scheme-handler/rtp=open-in-dvm.desktop; +x-scheme-handler/rtmp=open-in-dvm.desktop; +x-scheme-handler/rtsp=open-in-dvm.desktop; +x-scheme-handler/mmsh=open-in-dvm.desktop; +x-scheme-handler/uvox=open-in-dvm.desktop; +x-scheme-handler/icy=open-in-dvm.desktop; +x-scheme-handler/icyx=open-in-dvm.desktop; 
+application/x-7z-compressed=open-in-dvm.desktop; +application/x-7z-compressed-tar=open-in-dvm.desktop; +application/x-ace=open-in-dvm.desktop; +application/x-alz=open-in-dvm.desktop; +application/x-ar=open-in-dvm.desktop; +application/x-arj=open-in-dvm.desktop; +application/x-bzip=open-in-dvm.desktop; +application/x-bzip-compressed-tar=open-in-dvm.desktop; +application/x-bzip1=open-in-dvm.desktop; +application/x-bzip1-compressed-tar=open-in-dvm.desktop; +application/x-cabinet=open-in-dvm.desktop; +application/x-cbr=open-in-dvm.desktop; +application/x-cbz=open-in-dvm.desktop; +application/x-compress=open-in-dvm.desktop; +application/x-compressed-tar=open-in-dvm.desktop; +application/x-cpio=open-in-dvm.desktop; +application/x-deb=open-in-dvm.desktop; +application/x-ear=open-in-dvm.desktop; +application/x-ms-dos-executable=open-in-dvm.desktop; +application/x-gtar=open-in-dvm.desktop; +application/x-gzip=open-in-dvm.desktop; +application/x-gzpostscript=open-in-dvm.desktop; +application/x-java-archive=open-in-dvm.desktop; +application/x-lha=open-in-dvm.desktop; +application/x-lhz=open-in-dvm.desktop; +application/x-lrzip=open-in-dvm.desktop; +application/x-lrzip-compressed-tar=open-in-dvm.desktop; +application/x-lzip=open-in-dvm.desktop; +application/x-lzip-compressed-tar=open-in-dvm.desktop; +application/x-lzma=open-in-dvm.desktop; +application/x-lzma-compressed-tar=open-in-dvm.desktop; +application/x-lzop=open-in-dvm.desktop; +application/x-lzop-compressed-tar=open-in-dvm.desktop; +application/x-ms-wim=open-in-dvm.desktop; +application/x-rar=open-in-dvm.desktop; +application/x-rar-compressed=open-in-dvm.desktop; +application/x-rzip=open-in-dvm.desktop; +application/x-tar=open-in-dvm.desktop; +application/x-tarz=open-in-dvm.desktop; +application/x-stuffit=open-in-dvm.desktop; +application/x-war=open-in-dvm.desktop; +application/x-xz=open-in-dvm.desktop; +application/x-xz-compressed-tar=open-in-dvm.desktop; +application/x-zip=open-in-dvm.desktop; 
+application/x-zip-compressed=open-in-dvm.desktop; +application/x-zoo=open-in-dvm.desktop; +application/zip=open-in-dvm.desktop; +application/x-archive=open-in-dvm.desktop; +application/vnd.ms-cab-compressed=open-in-dvm.desktop; +application/x-source-rpm=open-in-dvm.desktop; +image/bmp=open-in-dvm.desktop; +image/gif=open-in-dvm.desktop; +image/jpeg=open-in-dvm.desktop; +image/jpg=open-in-dvm.desktop; +image/pjpeg=open-in-dvm.desktop; +image/png=open-in-dvm.desktop; +image/tiff=open-in-dvm.desktop; +image/x-bmp=open-in-dvm.desktop; +image/x-gray=open-in-dvm.desktop; +image/x-icb=open-in-dvm.desktop; +image/x-ico=open-in-dvm.desktop; +image/x-png=open-in-dvm.desktop; +image/x-portable-anymap=open-in-dvm.desktop; +image/x-portable-bitmap=open-in-dvm.desktop; +image/x-portable-graymap=open-in-dvm.desktop; +image/x-portable-pixmap=open-in-dvm.desktop; +image/x-xbitmap=open-in-dvm.desktop; +image/x-xpixmap=open-in-dvm.desktop; +image/x-pcx=open-in-dvm.desktop; +image/svg+xml=open-in-dvm.desktop; +image/svg+xml-compressed=open-in-dvm.desktop; +image/vnd.wap.wbmp=open-in-dvm.desktop; diff --git a/securedrop-workstation-config/mimeapps.list.sd-devices-dvm b/securedrop-workstation-config/mimeapps.list.sd-devices-dvm new file mode 100644 index 00000000..886a600b --- /dev/null +++ b/securedrop-workstation-config/mimeapps.list.sd-devices-dvm 
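Review bot: Routing to the disposable VM in mimeapps.list.sd-app is an enumerated list, so any type that is missing falls through to whatever handler the template already defines and would open inside sd-app rather than in `@dispvm:sd-viewer` (assuming no catch-all exists elsewhere, which this patch does not show). There are visible gaps against the viewer list: `application/msword`, `application/vnd.rar` and `image/vnd.djvu` are handled in mimeapps.list.sd-viewer but are not routed here, where only `application/vnd.ms-word` and the `application/x-rar` variants appear; adding lines such as `application/msword=open-in-dvm.desktop;` closes them. The same list is repeated in mimeapps.list.sd-devices-dvm, so the gaps apply there too. Several keys are also duplicated (`image/bmp`, `image/gif`, `x-content/video-dvd` and others), and a header comment stating the intended policy plus a check that every type sd-viewer handles is routed here would keep the three files from drifting.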
@@ -0,0 +1,298 @@ +[Default Applications] +application/x-sd-export=send-to-usb.desktop; +application/x-dia-diagram=open-in-dvm.desktop; +text/x-vcard=open-in-dvm.desktop; +text/directory=open-in-dvm.desktop; +text/calendar=open-in-dvm.desktop; +application/x-cd-image=open-in-dvm.desktop; +application/x-desktop=open-in-dvm.desktop; +application/x-raw-disk-image=open-in-dvm.desktop; +application/x-raw-disk-image-xz-compressed=open-in-dvm.desktop; +image/x-compressed-xcf=open-in-dvm.desktop; +image/x-xcf=open-in-dvm.desktop; +image/x-psd=open-in-dvm.desktop; +image/x-fits=open-in-dvm.desktop; +image/bmp=open-in-dvm.desktop; +image/gif=open-in-dvm.desktop; +image/x-icb=open-in-dvm.desktop; +image/x-ico=open-in-dvm.desktop; +image/x-pcx=open-in-dvm.desktop; +image/x-portable-anymap=open-in-dvm.desktop; +image/x-portable-bitmap=open-in-dvm.desktop; +image/x-portable-graymap=open-in-dvm.desktop; +image/x-portable-pixmap=open-in-dvm.desktop; +image/x-xbitmap=open-in-dvm.desktop; +image/x-xpixmap=open-in-dvm.desktop; +image/svg+xml=open-in-dvm.desktop; +application/vnd.ms-word=open-in-dvm.desktop; +application/vnd.wordperfect=open-in-dvm.desktop; +application/vnd.sun.xml.writer=open-in-dvm.desktop; +application/vnd.sun.xml.writer.global=open-in-dvm.desktop; +application/vnd.sun.xml.writer.template=open-in-dvm.desktop; +application/vnd.stardivision.writer=open-in-dvm.desktop; +application/vnd.oasis.opendocument.text=open-in-dvm.desktop; +application/vnd.oasis.opendocument.text-template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.text-web=open-in-dvm.desktop; +application/vnd.oasis.opendocument.text-master=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.wordprocessingml.document=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.wordprocessingml.template=open-in-dvm.desktop; +application/vnd.ms-excel=open-in-dvm.desktop; +application/vnd.stardivision.calc=open-in-dvm.desktop; +application/vnd.sun.xml.calc=open-in-dvm.desktop; 
+application/vnd.sun.xml.calc.template=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.spreadsheetml.sheet=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.spreadsheetml.template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.spreadsheet=open-in-dvm.desktop; +application/vnd.oasis.opendocument.spreadsheet-template=open-in-dvm.desktop; +application/vnd.ms-powerpoint=open-in-dvm.desktop; +application/vnd.stardivision.impress=open-in-dvm.desktop; +application/vnd.sun.xml.impress=open-in-dvm.desktop; +application/vnd.sun.xml.impress.template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.presentation=open-in-dvm.desktop; +application/vnd.oasis.opendocument.presentation-template=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.presentationml.presentation=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.presentationml.template=open-in-dvm.desktop; +application/vnd.stardivision.draw=open-in-dvm.desktop; +application/vnd.sun.xml.draw=open-in-dvm.desktop; +application/vnd.sun.xml.draw.template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.graphics=open-in-dvm.desktop; +application/vnd.oasis.opendocument.graphics-template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.formula=open-in-dvm.desktop; +application/vnd.sun.xml.math=open-in-dvm.desktop; +application/vnd.stardivision.math=open-in-dvm.desktop; +application/vnd.oasis.opendocument.database=open-in-dvm.desktop; +application/vnd.sun.xml.base=open-in-dvm.desktop; +application/pdf=open-in-dvm.desktop; +application/postscript=open-in-dvm.desktop; +application/x-qw=open-in-dvm.desktop; +application/x-gnucash=open-in-dvm.desktop; +application/vnd.lotus-1-2-3=open-in-dvm.desktop; +application/x-oleo=open-in-dvm.desktop; +application/x-gnumeric=open-in-dvm.desktop; +application/x-xbase=open-in-dvm.desktop; +application/x-abiword=open-in-dvm.desktop; +application/x-dvi=open-in-dvm.desktop; 
+application/x-catalog=open-in-dvm.desktop; +application/x-rpm=open-in-dvm.desktop; +text/csv=open-in-dvm.desktop; +text/plain=open-in-dvm.desktop; +text/html=open-in-dvm.desktop; +application/xhtml+xml=open-in-dvm.desktop; +inode/directory=open-in-dvm.desktop; +x-content/blank-cd=open-in-dvm.desktop; +x-content/blank-dvd=open-in-dvm.desktop; +x-content/blank-bd=open-in-dvm.desktop; +x-content/blank-hddvd=open-in-dvm.desktop; +x-content/video-dvd=open-in-dvm.desktop; +x-content/video-vcd=open-in-dvm.desktop; +x-content/video-svcd=open-in-dvm.desktop; +#x-content/video-bluray=open-in-dvm.desktop; +#x-content/video-hddvd=open-in-dvm.desktop; +x-content/audio-cdda=open-in-dvm.desktop; +x-content/audio-dvd=open-in-dvm.desktop; +x-content/audio-player=open-in-dvm.desktop; +x-content/image-dcf=open-in-dvm.desktop; +x-content/image-picturecd=open-in-dvm.desktop; +# URI scheme handlers +x-scheme-handler/mailto=open-in-dvm.desktop; +x-scheme-handler/http=open-in-dvm.desktop; +x-scheme-handler/https=open-in-dvm.desktop; +application/mxf=open-in-dvm.desktop; +application/ogg=open-in-dvm.desktop; +application/ram=open-in-dvm.desktop; +application/sdp=open-in-dvm.desktop; +application/smil=open-in-dvm.desktop; +application/smil+xml=open-in-dvm.desktop; +application/vnd.apple.mpegurl=open-in-dvm.desktop; +application/vnd.ms-wpl=open-in-dvm.desktop; +application/vnd.rn-realmedia=open-in-dvm.desktop; +application/x-extension-m4a=open-in-dvm.desktop; +application/x-extension-mp4=open-in-dvm.desktop; +application/x-flac=open-in-dvm.desktop; +application/x-flash-video=open-in-dvm.desktop; +application/x-matroska=open-in-dvm.desktop; +application/x-netshow-channel=open-in-dvm.desktop; +application/x-ogg=open-in-dvm.desktop; +application/x-quicktime-media-link=open-in-dvm.desktop; +application/x-quicktimeplayer=open-in-dvm.desktop; +application/x-shorten=open-in-dvm.desktop; +application/x-smil=open-in-dvm.desktop; +application/xspf+xml=open-in-dvm.desktop; 
+audio/3gpp=open-in-dvm.desktop; +audio/ac3=open-in-dvm.desktop; +audio/AMR=open-in-dvm.desktop; +audio/AMR-WB=open-in-dvm.desktop; +audio/basic=open-in-dvm.desktop; +audio/midi=open-in-dvm.desktop; +audio/mp2=open-in-dvm.desktop; +audio/mp4=open-in-dvm.desktop; +audio/mpeg=open-in-dvm.desktop; +audio/mpegurl=open-in-dvm.desktop; +audio/ogg=open-in-dvm.desktop; +audio/prs.sid=open-in-dvm.desktop; +audio/vnd.rn-realaudio=open-in-dvm.desktop; +audio/x-aiff=open-in-dvm.desktop; +audio/x-ape=open-in-dvm.desktop; +audio/x-flac=open-in-dvm.desktop; +audio/x-gsm=open-in-dvm.desktop; +audio/x-it=open-in-dvm.desktop; +audio/x-m4a=open-in-dvm.desktop; +audio/x-matroska=open-in-dvm.desktop; +audio/x-mod=open-in-dvm.desktop; +audio/x-mp3=open-in-dvm.desktop; +audio/x-mpeg=open-in-dvm.desktop; +audio/x-mpegurl=open-in-dvm.desktop; +audio/x-ms-asf=open-in-dvm.desktop; +audio/x-ms-asx=open-in-dvm.desktop; +audio/x-ms-wax=open-in-dvm.desktop; +audio/x-ms-wma=open-in-dvm.desktop; +audio/x-musepack=open-in-dvm.desktop; +audio/x-pn-aiff=open-in-dvm.desktop; +audio/x-pn-au=open-in-dvm.desktop; +audio/x-pn-realaudio=open-in-dvm.desktop; +audio/x-pn-realaudio-plugin=open-in-dvm.desktop; +audio/x-pn-wav=open-in-dvm.desktop; +audio/x-pn-windows-acm=open-in-dvm.desktop; +audio/x-realaudio=open-in-dvm.desktop; +audio/x-real-audio=open-in-dvm.desktop; +audio/x-s3m=open-in-dvm.desktop; +audio/x-sbc=open-in-dvm.desktop; +audio/x-scpls=open-in-dvm.desktop; +audio/x-speex=open-in-dvm.desktop; +audio/x-stm=open-in-dvm.desktop; +audio/x-tta=open-in-dvm.desktop; +audio/x-wav=open-in-dvm.desktop; +audio/x-wavpack=open-in-dvm.desktop; +audio/x-vorbis=open-in-dvm.desktop; +audio/x-vorbis+ogg=open-in-dvm.desktop; +audio/x-xm=open-in-dvm.desktop; +image/vnd.rn-realpix=open-in-dvm.desktop; +image/x-pict=open-in-dvm.desktop; +misc/ultravox=open-in-dvm.desktop; +text/google-video-pointer=open-in-dvm.desktop; +text/x-google-video-pointer=open-in-dvm.desktop; +video/3gp=open-in-dvm.desktop; 
+video/3gpp=open-in-dvm.desktop; +video/dv=open-in-dvm.desktop; +video/divx=open-in-dvm.desktop; +video/fli=open-in-dvm.desktop; +video/flv=open-in-dvm.desktop; +video/mp2t=open-in-dvm.desktop; +video/mp4=open-in-dvm.desktop; +video/mp4v-es=open-in-dvm.desktop; +video/mpeg=open-in-dvm.desktop; +video/msvideo=open-in-dvm.desktop; +video/ogg=open-in-dvm.desktop; +video/quicktime=open-in-dvm.desktop; +video/vivo=open-in-dvm.desktop; +video/vnd.divx=open-in-dvm.desktop; +video/vnd.mpegurl=open-in-dvm.desktop; +video/vnd.rn-realvideo=open-in-dvm.desktop; +video/vnd.vivo=open-in-dvm.desktop; +video/webm=open-in-dvm.desktop; +video/x-anim=open-in-dvm.desktop; +video/x-avi=open-in-dvm.desktop; +video/x-flc=open-in-dvm.desktop; +video/x-fli=open-in-dvm.desktop; +video/x-flic=open-in-dvm.desktop; +video/x-flv=open-in-dvm.desktop; +video/x-m4v=open-in-dvm.desktop; +video/x-matroska=open-in-dvm.desktop; +video/x-mpeg=open-in-dvm.desktop; +video/x-mpeg2=open-in-dvm.desktop; +video/x-ms-asf=open-in-dvm.desktop; +video/x-ms-asx=open-in-dvm.desktop; +video/x-msvideo=open-in-dvm.desktop; +video/x-ms-wm=open-in-dvm.desktop; +video/x-ms-wmv=open-in-dvm.desktop; +video/x-ms-wmx=open-in-dvm.desktop; +video/x-ms-wvx=open-in-dvm.desktop; +video/x-nsv=open-in-dvm.desktop; +video/x-ogm+ogg=open-in-dvm.desktop; +video/x-theora+ogg=open-in-dvm.desktop; +video/x-totem-stream=open-in-dvm.desktop; +x-content/video-dvd=open-in-dvm.desktop; +x-content/video-vcd=open-in-dvm.desktop; +x-content/video-svcd=open-in-dvm.desktop; +x-scheme-handler/pnm=open-in-dvm.desktop; +x-scheme-handler/mms=open-in-dvm.desktop; +x-scheme-handler/net=open-in-dvm.desktop; +x-scheme-handler/rtp=open-in-dvm.desktop; +x-scheme-handler/rtmp=open-in-dvm.desktop; +x-scheme-handler/rtsp=open-in-dvm.desktop; +x-scheme-handler/mmsh=open-in-dvm.desktop; +x-scheme-handler/uvox=open-in-dvm.desktop; +x-scheme-handler/icy=open-in-dvm.desktop; +x-scheme-handler/icyx=open-in-dvm.desktop; 
+application/x-7z-compressed=open-in-dvm.desktop; +application/x-7z-compressed-tar=open-in-dvm.desktop; +application/x-ace=open-in-dvm.desktop; +application/x-alz=open-in-dvm.desktop; +application/x-ar=open-in-dvm.desktop; +application/x-arj=open-in-dvm.desktop; +application/x-bzip=open-in-dvm.desktop; +application/x-bzip-compressed-tar=open-in-dvm.desktop; +application/x-bzip1=open-in-dvm.desktop; +application/x-bzip1-compressed-tar=open-in-dvm.desktop; +application/x-cabinet=open-in-dvm.desktop; +application/x-cbr=open-in-dvm.desktop; +application/x-cbz=open-in-dvm.desktop; +application/x-compress=open-in-dvm.desktop; +application/x-compressed-tar=open-in-dvm.desktop; +application/x-cpio=open-in-dvm.desktop; +application/x-deb=open-in-dvm.desktop; +application/x-ear=open-in-dvm.desktop; +application/x-ms-dos-executable=open-in-dvm.desktop; +application/x-gtar=open-in-dvm.desktop; +application/x-gzip=open-in-dvm.desktop; +application/x-gzpostscript=open-in-dvm.desktop; +application/x-java-archive=open-in-dvm.desktop; +application/x-lha=open-in-dvm.desktop; +application/x-lhz=open-in-dvm.desktop; +application/x-lrzip=open-in-dvm.desktop; +application/x-lrzip-compressed-tar=open-in-dvm.desktop; +application/x-lzip=open-in-dvm.desktop; +application/x-lzip-compressed-tar=open-in-dvm.desktop; +application/x-lzma=open-in-dvm.desktop; +application/x-lzma-compressed-tar=open-in-dvm.desktop; +application/x-lzop=open-in-dvm.desktop; +application/x-lzop-compressed-tar=open-in-dvm.desktop; +application/x-ms-wim=open-in-dvm.desktop; +application/x-rar=open-in-dvm.desktop; +application/x-rar-compressed=open-in-dvm.desktop; +application/x-rzip=open-in-dvm.desktop; +application/x-tar=open-in-dvm.desktop; +application/x-tarz=open-in-dvm.desktop; +application/x-stuffit=open-in-dvm.desktop; +application/x-war=open-in-dvm.desktop; +application/x-xz=open-in-dvm.desktop; +application/x-xz-compressed-tar=open-in-dvm.desktop; +application/x-zip=open-in-dvm.desktop; 
+application/x-zip-compressed=open-in-dvm.desktop; +application/x-zoo=open-in-dvm.desktop; +application/zip=open-in-dvm.desktop; +application/x-archive=open-in-dvm.desktop; +application/vnd.ms-cab-compressed=open-in-dvm.desktop; +application/x-source-rpm=open-in-dvm.desktop; +image/bmp=open-in-dvm.desktop; +image/gif=open-in-dvm.desktop; +image/jpeg=open-in-dvm.desktop; +image/jpg=open-in-dvm.desktop; +image/pjpeg=open-in-dvm.desktop; +image/png=open-in-dvm.desktop; +image/tiff=open-in-dvm.desktop; +image/x-bmp=open-in-dvm.desktop; +image/x-gray=open-in-dvm.desktop; +image/x-icb=open-in-dvm.desktop; +image/x-ico=open-in-dvm.desktop; +image/x-png=open-in-dvm.desktop; +image/x-portable-anymap=open-in-dvm.desktop; +image/x-portable-bitmap=open-in-dvm.desktop; +image/x-portable-graymap=open-in-dvm.desktop; +image/x-portable-pixmap=open-in-dvm.desktop; +image/x-xbitmap=open-in-dvm.desktop; +image/x-xpixmap=open-in-dvm.desktop; +image/x-pcx=open-in-dvm.desktop; +image/svg+xml=open-in-dvm.desktop; +image/svg+xml-compressed=open-in-dvm.desktop; +image/vnd.wap.wbmp=open-in-dvm.desktop; diff --git a/securedrop-workstation-config/mimeapps.list.sd-viewer b/securedrop-workstation-config/mimeapps.list.sd-viewer new file mode 100644 index 00000000..3b65b180 --- /dev/null +++ b/securedrop-workstation-config/mimeapps.list.sd-viewer 
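Review bot: The first entry of mimeapps.list.sd-devices-dvm, `application/x-sd-export=send-to-usb.desktop;`, refers to a desktop file that this package does not install (the .install list in this patch has no send-to-usb.desktop), and presumably to a custom MIME type definition that is not shipped here either. The mapping therefore only takes effect when another package provides both; if that is not guaranteed on the VM, the export archive type is left to the default handler. A comment above the entry naming the providing package, e.g. `# send-to-usb.desktop and the x-sd-export type come from <package>`, would make the dependency explicit.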
@@ -0,0 +1,31 @@
+[Default Applications]
+text/plain=org.gnome.gedit.desktop
+text/csv=libreoffice-base.desktop
+application/vnd.oasis.opendocument.text=libreoffice-base.desktop
+application/vnd.oasis.opendocument.spreadsheet=libreoffice-base.desktop
+application/vnd.oasis.opendocument.presentation=libreoffice-base.desktop
+application/msword=libreoffice-base.desktop
+application/vnd.ms-excel=libreoffice-base.desktop
+application/vnd.ms-powerpoint=libreoffice-base.desktop
+application/vnd.openxmlformats-officedocument.wordprocessingml.document=libreoffice-base.desktop
+application/vnd.openxmlformats-officedocument.spreadsheetml.sheet=libreoffice-base.desktop
+application/vnd.openxmlformats-officedocument.presentationml.presentation=libreoffice-base.desktop
+application/pdf=org.gnome.Evince.desktop
+application/x-desktop=org.gnome.gedit.desktop
+audio/mpeg=audacious.desktop
+audio/x-vorbis+ogg=audacious.desktop
+audio/x-wav=audacious.desktop
+video/quicktime=org.gnome.Totem.desktop
+video/x-theora+ogg=org.gnome.Totem.desktop
+video/mp4=org.gnome.Totem.desktop
+video/x-msvideo=org.gnome.Totem.desktop
+video/x-ms-wmv=org.gnome.Totem.desktop
+image/jpeg=eog.desktop
+image/gif=eog.desktop
+image/tiff=org.gnome.Evince.desktop
+image/png=eog.desktop
+image/svg+xml=eog.desktop
+image/vnd.djvu=org.gnome.Evince.desktop
+application/vnd.rar=org.gnome.FileRoller.desktop
+application/zip=org.gnome.FileRoller.desktop
+application/x-7z-compressed=org.gnome.FileRoller.desktop
diff --git a/securedrop-workstation-config/open-in-dvm.desktop b/securedrop-workstation-config/open-in-dvm.desktop
new file mode 100644
index 00000000..5dd26816
--- /dev/null
+++ b/securedrop-workstation-config/open-in-dvm.desktop
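Review bot: Every office type in mimeapps.list.sd-viewer (text, spreadsheet, presentation and the MS formats) is bound to `libreoffice-base.desktop`, which is the launcher for the Base database component rather than Writer, Calc or Impress. If that is deliberate it deserves a comment; otherwise the per-component launchers (`libreoffice-writer.desktop`, `libreoffice-calc.desktop`, `libreoffice-impress.desktop`) are the expected targets, and the current binding only resolves when the Base package is installed in the sd-viewer template. Because this VM is where untrusted submissions are actually opened, a short header comment stating that unlisted types are meant to have no handler would also help reviewers judge additions. Entries here omit the trailing `;` that the other two lists use, which parsers accept but is inconsistent.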
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Type=Application
+Version=1.0
+Name=Open in Disposable VM
+Comment=Open file in a Disposable VM
+TryExec=/usr/bin/qvm-open-in-vm
+Exec=/usr/bin/qvm-open-in-vm --view-only '@dispvm:sd-viewer' %f
+Icon=/usr/share/icons/Qubes/dispvm-gray.png
+Terminal=false
+Categories=Qubes;Utility;
diff --git a/securedrop-workstation-config/paxctld.conf b/securedrop-workstation-config/paxctld.conf
new file mode 100644
index 00000000..b41b399f
--- /dev/null
+++ b/securedrop-workstation-config/paxctld.conf
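Review bot: The `Exec=` line in open-in-dvm.desktop ends in `%f`, which declares a program that takes a single local file, yet mimeapps.list.sd-app and mimeapps.list.sd-devices-dvm bind `x-scheme-handler/http`, `https`, `mailto` and several streaming schemes to this entry. Under the Desktop Entry rules a launcher given `%f` may copy a remote resource to a temporary local file in the calling VM before passing it on, or simply fail, neither of which matches the disposable-VM routing; either switch to `%u` if URLs are meant to be forwarded, or drop the scheme-handler lines from the lists. The single quotes around the target are also outside the spec's quoting rules, which define double quotes only: `Exec=/usr/bin/qvm-open-in-vm --view-only "@dispvm:sd-viewer" %f`.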
@@ -0,0 +1,117 @@
+# This file was provisioned via securedrop-workstation-svs-disp
+# grub
+
+/usr/bin/grub-script-check E
+/usr/bin/grub-bios-setup E
+/usr/sbin/grub-mkdevicemap E
+/usr/sbin/grub-probe E
+
+# qemu
+/usr/bin/qemu-alpha m
+/usr/bin/qemu-arm m
+/usr/bin/qemu-armeb m
+/usr/bin/qemu-cris m
+/usr/bin/qemu-i386 m
+/usr/bin/qemu-m68k m
+/usr/bin/qemu-microblaze m
+/usr/bin/qemu-microblazeel m
+/usr/bin/qemu-mips m
+/usr/bin/qemu-mips64 m
+/usr/bin/qemu-mips64el m
+/usr/bin/qemu-mipsel m
+/usr/bin/qemu-mipsn32 m
+/usr/bin/qemu-mipsn32el m
+/usr/bin/qemu-or32 m
+/usr/bin/qemu-ppc m
+/usr/bin/qemu-ppc64 m
+/usr/bin/qemu-ppc64abi32 m
+/usr/bin/qemu-s390x m
+/usr/bin/qemu-sh4 m
+/usr/bin/qemu-sh4eb m
+/usr/bin/qemu-sparc m
+/usr/bin/qemu-sparc32plus m
+/usr/bin/qemu-sparc64 m
+/usr/bin/qemu-unicore32 m
+/usr/bin/qemu-x86_64 m
+
+/usr/bin/qemu-system-aarch64 m
+/usr/bin/qemu-system-alpha m
+/usr/bin/qemu-system-arm m
+/usr/bin/qemu-system-cris m
+/usr/bin/qemu-system-i386 m
+/usr/bin/qemu-system-lm32 m
+/usr/bin/qemu-system-m68k m
+/usr/bin/qemu-system-microblaze m
+/usr/bin/qemu-system-microblazeel m
+/usr/bin/qemu-system-mips m
+/usr/bin/qemu-system-mips64 m
+/usr/bin/qemu-system-mips64el m
+/usr/bin/qemu-system-mipsel m
+/usr/bin/qemu-system-moxie m
+/usr/bin/qemu-system-or32 m
+/usr/bin/qemu-system-ppc m
+/usr/bin/qemu-system-ppc64 m
+/usr/bin/qemu-system-ppcemb m
+/usr/bin/qemu-system-s390x m
+/usr/bin/qemu-system-sh4 m
+/usr/bin/qemu-system-sh4eb m
+/usr/bin/qemu-system-sparc m
+/usr/bin/qemu-system-sparc64 m
+/usr/bin/qemu-system-unicore32 m
+/usr/bin/qemu-system-x86_64 m
+/usr/bin/qemu-system-xtensa m
+/usr/bin/qemu-system-xtensaeb m
+
+# skype
+/usr/lib/skype/skype m
+/usr/lib32/skype/skype m
+
+# steam
+/usr/lib32/ld-linux.so.2 m
+
+# node
+/usr/bin/node m
+
+# chrome
+/opt/google/chrome/chrome-sandbox m
+/opt/google/chrome/nacl_helper m
+/opt/google/chrome/chrome m
+
+# chromium
+/usr/lib/chromium-browser/chromium-browser m
+
+# firefox
+/usr/lib/firefox/firefox m
+/usr/lib/firefox/plugin-container m
+
+# webapp-container
+/usr/bin/webapp-container m
+
+# oxide
+/usr/lib/x86_64-linux-gnu/oxide-qt/oxide-renderer m
+
+# valgrind
+/usr/bin/valgrind m
+
+# python
+/usr/bin/python2.7 E
+/usr/bin/python3.5 E
+
+# java
+/usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/java m
+/usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/javaws m
+/usr/lib/jvm/java-6-openjdk/jre/bin/java m
+/usr/lib/jvm/java-6-openjdk/jre/bin/java m
+/usr/lib/jvm/java-8-openjdk/jre/bin/java m
+/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java m
+# openrc
+/lib/rc/bin/lsb2rcconf E
+
+# libreoffice
+# Ubuntu doesn't seem to carry this patch:
+# https://bz.apache.org/ooo/show_bug.cgi?id=80816
+# libreoffice will still run fine without the below line,
+# but it will report an RWX mprotect attempt
+# /usr/lib/libreoffice/program/soffice.bin m
+
+/usr/bin/totem m
From ad99ec3ec862ba526bd6f885ef8f0eef8067a35e Mon Sep 17 00:00:00 2001 From: mickael e Date: Fri, 28 Aug 2020 09:50:16 -0400 Subject: [PATCH 2/2] open-in-dvm.desktop already supplied by other packages Current versions of securedrop-client, securedrop-export, securedrop-workstation-svs-disp already manage this file in /usr/share/applications/, which causes an error on install. In order to allow the coexistance of these packages, we need to place and move these files manually ourselves. Once we clean up the other packages (at the final phase of template-consolidation) we can manage this file properly directly through the .install file, and have it handled by this package. All other packages (client, export, svs-disp) will not handle the mimetype config, it will be handled via salt in AppVM's private volume. --- securedrop-workstation-config/debian/postinst | 2 +- .../debian/securedrop-workstation-config.install | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/securedrop-workstation-config/debian/postinst b/securedrop-workstation-config/debian/postinst
index 66a5e197..7918e4fb 100644
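Review bot: The last entry of paxctld.conf, `/usr/bin/totem m`, relaxes MPROTECT for a media player with no explanation, whereas the LibreOffice exemption directly above it is commented out together with its reasoning. An `m` flag removes a memory-protection hardening from the very process that parses the media file, so I would add a comment above it such as `# totem: MPROTECT relaxed because <reason, to be confirmed>; re-check when the player changes`. The rest of the hunk looks carried over from a generic default: the header `# This file was provisioned via securedrop-workstation-svs-disp` names a different package than the one shipping the file here, `/usr/lib/jvm/java-6-openjdk/jre/bin/java m` is listed twice, and the Python lines pin `python2.7` and `python3.5`, which may not match the interpreter on the target release. Trimming entries for software that is not installed in these VMs would keep the exemption list short enough to review.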
--- a/securedrop-workstation-config/debian/postinst +++ b/securedrop-workstation-config/debian/postinst @@ -26,7 +26,7 @@ case "$1" in cp /opt/sdw/paxctld.conf /etc/paxctld.conf systemctl restart paxctld fi - + cp /opt/sdw/open-in-dvm.desktop /usr/share/applications/ ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/securedrop-workstation-config/debian/securedrop-workstation-config.install b/securedrop-workstation-config/debian/securedrop-workstation-config.install index 6e7768a0..5301fe0d 100644 --- a/securedrop-workstation-config/debian/securedrop-workstation-config.install +++ b/securedrop-workstation-config/debian/securedrop-workstation-config.install @@ -1,5 +1,5 @@ mimeapps.list.sd-viewer opt/sdw/ mimeapps.list.sd-app opt/sdw/ mimeapps.list.sd-devices-dvm opt/sdw/ -open-in-dvm.desktop usr/share/applications/ +open-in-dvm.desktop opt/sdw/ paxctld.conf opt/sdw/
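Review bot: The added `cp /opt/sdw/open-in-dvm.desktop /usr/share/applications/` in postinst writes a file that dpkg does not record for this package, so the copy stays behind when the package is removed and, as I read the commit message, is replaced whenever one of the other packages that ship the same path is upgraded. Nothing in the script says the copy is temporary; I would add `# TODO: ship via .install again once client, export and svs-disp stop owning this path` above the line. Using `install -m 0644 /opt/sdw/open-in-dvm.desktop /usr/share/applications/open-in-dvm.desktop` instead of `cp` would also make the resulting mode explicit. The enclosing `case` arm starts and ends outside this hunk.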