From 067fb100a11c2aeb6cbf5193d83dea1d4686cb5d Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Sat, 25 Feb 2012 13:54:39 +0100
Subject: [PATCH 1/6] dom0/modules: support for pvops modules in dom0
---
 dom0/aux-tools/qubes-dom0.modules | 2 +-
 dom0/dracut/modules.d/90qubes-pciback/installkernel | 3 ++-
 dom0/dracut/modules.d/90qubes-pciback/qubes-pciback.sh | 2 +-
 dom0/init.d/qubes_core | 2 +-
 rpm_spec/core-dom0.spec | 2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/dom0/aux-tools/qubes-dom0.modules b/dom0/aux-tools/qubes-dom0.modules
index 60965743..31431c69 100755
--- a/dom0/aux-tools/qubes-dom0.modules
+++ b/dom0/aux-tools/qubes-dom0.modules
@@ -1 +1 @@
-modprobe pciback
+modprobe pciback 2> /dev/null || modprobe xen-pciback
diff --git a/dom0/dracut/modules.d/90qubes-pciback/installkernel b/dom0/dracut/modules.d/90qubes-pciback/installkernel
index e360576f..427e99d3 100755
--- a/dom0/dracut/modules.d/90qubes-pciback/installkernel
+++ b/dom0/dracut/modules.d/90qubes-pciback/installkernel
@@ -1,2 +1,3 @@
 #!/bin/bash
-instmods pciback
+modinfo -k $kernel pciback > /dev/null 2>&1 && instmods pciback
+modinfo -k $kernel xen-pciback > /dev/null 2>&1 && instmods xen-pciback
diff --git a/dom0/dracut/modules.d/90qubes-pciback/qubes-pciback.sh b/dom0/dracut/modules.d/90qubes-pciback/qubes-pciback.sh
index cc76ea39..2ba649be 100755
--- a/dom0/dracut/modules.d/90qubes-pciback/qubes-pciback.sh
+++ b/dom0/dracut/modules.d/90qubes-pciback/qubes-pciback.sh
@@ -4,5 +4,5 @@ HIDE_PCI=`lspci -mm -n | grep '^[^ ]* "02'|awk '{ ORS="";print "(" $1 ")";}'`
 # ... and hide them so that Dom0 doesn't load drivers for them
-modprobe pciback hide=$HIDE_PCI
+modprobe pciback hide=$HIDE_PCI 2> /dev/null || modprobe xen-pciback hide=$HIDE_PCI
diff --git a/dom0/init.d/qubes_core b/dom0/init.d/qubes_core
index 26ca4189..a3974289 100755
--- a/dom0/init.d/qubes_core
+++ b/dom0/init.d/qubes_core
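Review bot: The `2> /dev/null` on the first attempt in `modprobe pciback 2> /dev/null || modprobe xen-pciback` discards every error from that attempt, not just "module not found", so when pciback exists but fails to load (bad parameter, a driver already bound, an in-kernel error) the real cause is lost and the user only sees xen-pciback's unrelated not-found message. modprobe's `-q` flag suppresses exactly the not-found message while keeping the non-zero exit status and every other error, so `modprobe -q pciback || modprobe xen-pciback` gives the same fallback with diagnostics preserved. The same redirect pattern is used in the other three files of this patch and would benefit from the same change.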
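Review bot: If both calls in `modprobe pciback hide=$HIDE_PCI 2> /dev/null || modprobe xen-pciback hide=$HIDE_PCI` fail, the hook continues silently and dom0 proceeds to bind its own drivers to every device in `$HIDE_PCI`, which is exactly the exposure this dracut module exists to prevent. That outcome should at least be loud: append `|| echo "qubes-pciback: could not load pciback/xen-pciback; network devices are NOT hidden from dom0" >&2` (or dracut's `warn` if dracut-lib is sourced by this script; its first lines are outside the hunk). Whether boot should be halted instead is a policy question for the commit author, but silent continuation is the worst of the options.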
@@ -20,7 +20,7 @@ start() {
 echo -n $"Executing Qubes Core scripts:"
- modprobe evtchn
+ modprobe evtchn 2> /dev/null || modprobe xen-evtchn
 chgrp qubes /etc/xen
 chmod 710 /etc/xen
 chgrp qubes /var/run/xenstored/*
diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec
index 06bbbc91..b1d532f5 100644
--- a/rpm_spec/core-dom0.spec
+++ b/rpm_spec/core-dom0.spec
@@ -231,7 +231,7 @@ if ! [ -e /etc/sysconfig/network ]; then
 fi
 # Load evtchn module - xenstored needs it
-modprobe evtchn
+modprobe evtchn 2> /dev/null || modprobe xen-evtchn
 service xenstored start
 if ! [ -e /var/lib/qubes/qubes.xml ]; then
From 40762c5497d04c885e68d6c8f02ae3ff404b4432 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Sun, 26 Feb 2012 00:07:06 +0100
Subject: [PATCH 2/6] dom0/qvm-core: update icon cache after label change
---
 dom0/qvm-core/qubes.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 72a58106..44f564ab 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -348,6 +348,7 @@ class QubesVm(object):
 except:
 pass
 os.symlink (new_label.icon_path, self.icon_path)
+ subprocess.call(['sudo', 'xdg-icon-resource', 'forceupdate'])
 @property
 def ip(self):
From f54f851b4236bc2fc8fa5ae3c870d261477e1eeb Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Sun, 26 Feb 2012 00:12:54 +0100
Subject: [PATCH 3/6] dom0/qvm-prefs: add missing exit(1)
---
 dom0/qvm-tools/qvm-prefs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs
index 3b36dd2b..beecfcd1 100755
--- a/dom0/qvm-tools/qvm-prefs
+++ b/dom0/qvm-tools/qvm-prefs
@@ -72,6 +72,7 @@ def do_list(vm):
 def set_label(vms, vm, args):
 if len (args) != 1:
 print >> sys.stderr, "Missing label name argument!"
+ exit (1)
 label = args[0]
 if label not in QubesVmLabels:
From 23adeb8ea49b181f60d9235fe8b54097fc5361e1 Mon Sep 17 00:00:00 2001
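Review bot: The added `subprocess.call(['sudo', 'xdg-icon-resource', 'forceupdate'])` spawns a root-privileged command from inside what appears to be the `label` property setter (the `def` is above the hunk; patch 4 of this series relies on it) and throws away the exit status, so a failed sudo is invisible to callers, and a sudo policy that prompts for a password will block any non-interactive program that merely assigns `vm.label`. At minimum surface the failure, e.g. `if subprocess.call(['sudo', 'xdg-icon-resource', 'forceupdate']) != 0:` followed by a warning to stderr, and consider doing the cache refresh in the command-line tool rather than in a core-library setter. Whether `forceupdate` actually needs root is not visible here; if it works as the invoking user, dropping `sudo` removes the privileged step altogether.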
From: Marek Marczykowski
Date: Sun, 26 Feb 2012 00:13:07 +0100
Subject: [PATCH 4/6] dom0/qvm-prefs: icon already updated in qvm-core
---
 dom0/qvm-tools/qvm-prefs | 1 -
 1 file changed, 1 deletion(-)
diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs
index beecfcd1..08fbc0b8 100755
--- a/dom0/qvm-tools/qvm-prefs
+++ b/dom0/qvm-tools/qvm-prefs
@@ -82,7 +82,6 @@ def set_label(vms, vm, args):
 exit (1)
 vm.label = QubesVmLabels[label]
- subprocess.check_call (["ln", "-sf", vm.label.icon_path, vm.icon_path])
 def set_memory(vms, vm, args):
 if len (args) != 1:
From 1a1ef8a3a01b8c34fa9de4dfd4781b5efd9c1e69 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Sun, 26 Feb 2012 13:10:04 +0100
Subject: [PATCH 5/6] vm/yum.repo: use separate key for unstable repo
---
 misc/RPM-GPG-KEY-qubes-1-unstable | 31 +++++++++++++++++++++++++++++++
 misc/qubes.repo | 2 +-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 misc/RPM-GPG-KEY-qubes-1-unstable
diff --git a/misc/RPM-GPG-KEY-qubes-1-unstable b/misc/RPM-GPG-KEY-qubes-1-unstable
new file mode 100644
index 00000000..97d55826
--- /dev/null
+++ b/misc/RPM-GPG-KEY-qubes-1-unstable
@@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+mQENBE9KHjMBCADgs1Zw+Gag5MXDqAHzVfo/JSJ0q7Oj096l+/TU0/P2qpoF7sTo
+uLpDLCfOOSqil7omOKMjn6yl/73RAd4oWIRivJMQKjgD4Tk8qlLI1NrBGhEdwyLm
+SZ+7CU79HzahN8w8+l9H978obIN6S0UD36z7su42QnFmKQqT0EnD1NVZpqvq1iKC
+0o0TqhZ90QE8YqWxjnbjDkk1mX2K4iHNJJ2mS/r1+4fXqvHzcmSB+vopGGGXxNB7
+fbNM6nI9RTpPecmnfKrqKrXYfHfyaLVUFXf2xZW/V85qq70dmEPi5g3YpRCXadJ+
+wKt1uZvi4xomPCxymHooF9Fplzv9MpKVIDNlABEBAAG0J1F1YmVzIE9TIFJlbGVh
+c2UgMSBVbnN0YWJsZSBTaWduaW5nIEtleYkBPgQTAQIAKAUCT0ogagIbAwUJAeEz
+gAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ77E0ZaTirKEbpgf8C9zqmkqo
+u+dudzcrPPUW12FjK2WAYQd7WNYpBY4wOmvOUkvq68FUJ0mwNyjEkNhvLnrxlMqn
+Z9vraqw1m2FwIAJfmbpnvJ6LeldNj/SYbutY9Y320eQDgLDZp5Xk0w6z1+Q1RXVJ
+AkU935sXhtmVYVa4Cnk7Su6lG0Une3b5dpE90M5ewehYllqsqmtKIwqbRaBmvM6y
+QHVqOJwNNo9XK78r0dKvXigXBObqatwItM2gan2oF0dplwTD//DqjldBzZ4mgrN8
+M/SZtynfTnoV8Yw7+JlsPCHIfcIXXWqJtLhNO3LqFAG6PwJX032eHNSrT+4UWIbP
+q8Ccvhbxa7iNabkBDQRPSh4zAQgA7OyPodlWz93OuP8/Bh83dHDd1xV7tXByBDUX
+O9am5uGKybcx3V8kBqJXbefds/aem1w2MLtDG+CxDC8Gi5gfNQNeCnIw3mpnZnMU
+ZNjtXIn3VfKRyhmaHNvaNZiBzKovfjw152UuMsHfzsSMaWldj5J8oFz+eBthGJTT
+uxktijIxHiZ/9RqzJLPMBQ5qRPbpqUn9piWEGxx2c4FbqeEOzzV49rX92adBPmUJ
+KBo96vW+L6izE0RcQoTMhicbAqF+K2QUGzy0uTp5+G2V0q5HAfrCMIr1Zx93yuz0
+yQZNNLsGYGnYjrFjYiRpJRBbxerlCdGjlwnfXCk5EKRNuqr5twARAQABiQElBBgB
+AgAPBQJPSh4zAhsMBQkB4TOAAAoJEO+xNGWk4qyh33MIAIOS9A0rkmBTPZwAsdJv
+sz/J9+8AvfwMisN2sKTfEBTO8kEnSPcBZuau3JxKCGHxaPwXhGmnc9xnz/TY3JCj
+6ZUgjgQQ3iT/BJk+h6n4xom9NRw5hn4j4NeIpboC6p6JfcYzZyapUNFmAsrSjakw
+RxxpaVLb4moOfYzS7i7JqsEetBwoYAeFZoPYZpo4VH9PUPVAih6psmO/bz6Y8W+/
+tkXzViq15bwPUmDwBzX0nX0T8nQqMl85nCLDM2rVMs/lnVxfJas4QjTfzgeZOHQ6
+0ikGqwlnyWk/oUzUXFV/P7sKAXoOaMSEVHtfSxLjVH0RYsAv6SotjHwPAatrynyp
+gYY=
+=UROF
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/misc/qubes.repo b/misc/qubes.repo
index a0417e94..4a763bcb 100644
--- a/misc/qubes.repo
+++ b/misc/qubes.repo
@@ -14,7 +14,7 @@ enabled=0
 [qubes-vm-unstable]
 name = Qubes OS Repository for VM (unstable)
 baseurl = http://yum.qubes-os.org/r1/unstable/vm/fc$releasever
-gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-1-primary
+gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-1-unstable
 gpgcheck = 1
 enabled=0
From 0ca08d48b8feaae9058865802c447b5b75ea66e1 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Mon, 27 Feb 2012 02:02:42 +0100
Subject: [PATCH 6/6] dom0/qubes-firewall: allow to specify protocol, do not assume always tcp
---
 dom0/qvm-core/qubes.py | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 44f564ab..20fe5be4 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -993,15 +993,21 @@ class QubesVm(object):
 )
 for rule in conf["rules"]:
+ # For backward compatibility
+ if "proto" not in rule:
+ rule["proto"] = "tcp"
 element = xml.etree.ElementTree.Element(
 "rule",
 address=rule["address"],
- port=str(rule["portBegin"]),
+ proto=str(rule["proto"]),
 )
 if rule["netmask"] is not None and rule["netmask"] != 32:
 element.set("netmask", str(rule["netmask"]))
- if rule["portEnd"] is not None:
+ if rule["portBegin"] is not None and rule["portBegin"] > 0:
+ element.set("port", str(rule["portBegin"]))
+ if rule["portEnd"] is not None and rule["portEnd"] > 0:
 element.set("toport", str(rule["portEnd"]))
+
 root.append(element)
 tree = xml.etree.ElementTree.ElementTree(root)
@@ -1038,7 +1044,7 @@ class QubesVm(object):
 for element in root:
 rule = {}
- attr_list = ("address", "netmask", "port", "toport")
+ attr_list = ("address", "netmask", "proto", "port", "toport")
 for attribute in attr_list:
 rule[attribute] = element.get(attribute)
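Review bot: The new `gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-1-unstable` points at an installed path, but this patch only adds the key under `misc/` (the diffstat lists just the two `misc/` files), so unless the packaging already installs every `misc/RPM-GPG-KEY-*` file into /etc/pki/rpm-gpg/, enabling this repo will fail at key import; failing closed is the right default, but the install step should land together with this change. Splitting the unstable signing key from the primary one is a good move, and the commit message should give the new key's fingerprint so users can verify what they are being asked to trust. One caveat on the unchanged lines around it: with `baseurl = http://...` and no `repo_gpgcheck`, only packages are verified and repository metadata is not, so an on-path attacker can still serve stale metadata (rollback/freeze); `repo_gpgcheck = 1` or an https baseurl would close that gap.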
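Review bot: Nothing in this serialization rejects a rule whose `proto` is `"any"` but which still carries a port: the XML will say `proto="any" port="443"`, and on the proxy side (the last hunk of this patch) `--dport` is emitted only inside the `proto != "any"` branch, so such a rule silently widens from one port to all traffic to that host. Validate the combination before writing it, e.g. `if rule["proto"] == "any" and rule["portBegin"] is not None and rule["portBegin"] > 0: raise ValueError("a port cannot be combined with proto=any")`, or drop the ports in that case; the same check should also confirm `proto` is one of the names the proxy understands, since the value is written verbatim via `str(rule["proto"])` and later interpolated into the iptables command. The enclosing method starts outside the hunk.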
@@ -1048,7 +1054,15 @@ class QubesVm(object):
 else:
 rule["netmask"] = 32
- rule["portBegin"] = int(rule["port"])
+ # For backward compatibility default to tcp
+ if rule["proto" is None:
+ rule["proto"] = "tcp"
+
+ if rule["port"] is not None:
+ rule["portBegin"] = int(rule["port"])
+ else:
+ # backward compatibility
+ rule["portBegin"] = 0
 if rule["toport"] is not None:
 rule["portEnd"] = int(rule["toport"])
@@ -1814,10 +1828,12 @@ class QubesProxyVm(QubesNetVm):
 if rule["netmask"] != 32:
 iptables += "/{0}".format(rule["netmask"])
- if rule["portBegin"] is not None and rule["portBegin"] > 0:
- iptables += " -p tcp --dport {0}".format(rule["portBegin"])
- if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
- iptables += ":{0}".format(rule["portEnd"])
+ if rule["proto"] is not None and rule["proto"] != "any":
+ iptables += " -p {0}".format(rule["proto"])
+ if rule["portBegin"] is not None and rule["portBegin"] > 0:
+ iptables += " --dport {0}".format(rule["portBegin"])
+ if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
+ iptables += ":{0}".format(rule["portEnd"])
 iptables += " -j {0}\n".format(rules_action)
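Review bot: `if rule["proto" is None:` is missing its closing bracket and is a SyntaxError, so the whole module stops importing once this patch is applied; it should read `if rule["proto"] is None:`. While fixing that, note the value read from the XML is accepted as-is and, per the last hunk of this patch, is later formatted straight into `-p {0}`, so this is the natural place to reject anything outside the supported names, e.g. `if rule["proto"] not in ("tcp", "udp", "any"): raise ValueError("unsupported proto: %s" % rule["proto"])` with the tuple adjusted to whatever set the proxy is meant to accept, which is not visible here. The enclosing method starts outside the hunk.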