Merge branch 'master' of git.qubes-os.org:/var/lib/qubes/git/marmarek/core

dom0/aux-tools/qubes-notify-updates

@@ -0,0 +1,78 @@
+#!/usr/bin/python
+#
+# The Qubes OS Project, http://www.qubes-os.org
+#
+# Copyright (C) 2012  Marek Marczykowski  <marmarek@invisiblethingslab.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+#
+import os
+import os.path
+import sys
+import subprocess
+import shutil
+from datetime import datetime
+from qubes.qubes import QubesVmCollection
+from qubes.qubes import updates_stat_file
+
+def main():
+
+    qvm_collection = QubesVmCollection()
+    qvm_collection.lock_db_for_reading()
+    qvm_collection.load()
+    qvm_collection.unlock_db()
+
+    source = os.getenv("QREXEC_REMOTE_DOMAIN")
+
+    if source is None:
+        print >> sys.stderr, 'This script must be called as qrexec service!'
+        exit(1)
+
+    source_vm = qvm_collection.get_vm_by_name(source)
+    if source_vm is None:
+        print >> sys.stderr, 'Domain ' + source + ' does not exists (?!)'
+        exit(1)
+
+    update_count = sys.stdin.readline(128).strip()
+    if not update_count.isdigit():
+        print >> sys.stderr, 'Domain ' + source + ' sent invalid number of updates: ' + update_count
+        exit(1)
+    if source_vm.updateable:
+        # Just trust information from VM itself
+        update_f = open(source_vm.dir_path + '/' + updates_stat_file, "w")
+        update_f.write(update_count)
+        update_f.close()
+    elif source_vm.template is not None:
+        # Hint about updates availability in template
+        # If template is running - it will notify about updates itself
+        if source_vm.template.is_running():
+            return
+        # Ignore no-updates info
+        if int(update_count) > 0:
+            stat_file = source_vm.template.dir_path + '/' + updates_stat_file
+            # If VM is started before last updates.stat - it means that updates
+            # already was installed (but VM still hasn't been restarted), or other
+            # VM has already notified about updates availability
+            if os.path.exists(stat_file) and \
+                source_vm.get_start_time() < datetime.fromtimestamp(os.path.getmtime(stat_file)):
+                    return
+            update_f = open(stat_file, "w")
+            update_f.write(update_count)
+            update_f.close()
+        else:
+            print >> sys.stderr, 'Ignoring notification of no updates'
+
+main()

dom0/aux-tools/qubes-receive-updates

@@ -75,6 +75,15 @@ def handle_dom0updates(updatevm):
     subprocess.check_call(["/usr/bin/createrepo", "-q", updates_dir])
     os.chown(updates_repodata_dir, -1, qubes_gid)
     os.chmod(updates_repodata_dir, 0775)
+    # Clean old cache
+    subprocess.call(["/usr/bin/yum", "-q", "clean", "all"], stdout=sys.stderr)
+    # This will fail because of "smart" detection of no-network, but it will invalidate the cache
+    try:
+        null = open('/dev/null','w')
+        subprocess.call(["/usr/bin/pkcon", "refresh"], stdout=null)
+        null.close()
+    except:
+        pass
     exit(0)
 
 def main():

dom0/aux-tools/qubes.NotifyUpdates

@@ -0,0 +1 @@
+/usr/lib/qubes/qubes-notify-updates

dom0/aux-tools/qubes.NotifyUpdates.policy

@@ -0,0 +1,6 @@
+## Note that policy parsing stops at the first match,
+## so adding anything below "$anyvm $anyvm action" line will have no effect
+
+## Please use a single # to start your custom comments
+
+$anyvm	dom0	allow

dom0/aux-tools/reset_vm_configs.py

@@ -1,24 +0,0 @@
-#!/usr/bin/python2.6
-from qubes.qubes import QubesVmCollection
-import sys
-def main():
-    if len(sys.argv) != 2:
-        print 'Usage: fixconf templatename'
-        sys.exit(1)
-    qvm_collection = QubesVmCollection()
-    qvm_collection.lock_db_for_reading()
-    qvm_collection.load()
-    qvm_collection.unlock_db()
-    templ = sys.argv[1]
-    tvm = qvm_collection.get_vm_by_name(templ)
-    if tvm is None:
-        print 'Template', templ, 'does not exist'
-        sys.exit(1)
-    if not tvm.is_template():
-        print templ, 'is not a template'
-        sys.exit(1)
-    for vm in qvm_collection.values():
-        if vm.template is not None and vm.template.qid == tvm.qid:
-            vm.create_config_file()
-    
-main()

dom0/qvm-core/qubes.py

@@ -82,6 +82,7 @@ config_template_pv = '/usr/share/qubes/vm-template.conf'
 qubes_whitelisted_appmenus = 'whitelisted-appmenus.list'
 
 dom0_update_check_interval = 6*3600
+updates_stat_file = 'updates.stat'
 
 # how long (in sec) to wait for VMs to shutdown
 # before killing them (when used qvm-run with --wait option)
@@ -979,9 +980,18 @@ class QubesVm(object):
             for f in ("vmlinuz", "initramfs", "modules.img"):
                 shutil.copy(kernels_dir + '/' + f, self.dir_path + '/kernels/' + f)
 
+            if verbose:
+                print >> sys.stderr, "--> Copying the template's appmenus templates dir:\n{0} ==>\n{1}".\
+                        format(source_template.appmenus_templates_dir, self.appmenus_templates_dir)
+            shutil.copytree (source_template.appmenus_templates_dir, self.appmenus_templates_dir)
+
         # Create volatile.img
         self.reset_volatile_storage(source_template = source_template, verbose=verbose)
 
+        if verbose:
+            print >> sys.stderr, "--> Creating icon symlink: {0} -> {1}".format(self.icon_path, self.label.icon_path)
+        os.symlink (self.label.icon_path, self.icon_path)
+
     def create_appmenus(self, verbose, source_template = None):
         if source_template is None:
             source_template = self.template
@@ -994,9 +1004,9 @@ class QubesVm(object):
 
         try:
             if source_template is not None:
-                subprocess.check_call ([qubes_appmenu_create_cmd, source_template.appmenus_templates_dir, self.name])
+                subprocess.check_call ([qubes_appmenu_create_cmd, source_template.appmenus_templates_dir, self.name, vmtype])
             elif self.appmenus_templates_dir is not None:
-                subprocess.check_call ([qubes_appmenu_create_cmd, self.appmenus_templates_dir, self.name])
+                subprocess.check_call ([qubes_appmenu_create_cmd, self.appmenus_templates_dir, self.name, vmtype])
             else:
                 # Only add apps to menu
                 subprocess.check_call ([qubes_appmenu_create_cmd, "none", self.name, vmtype])
@@ -1821,6 +1831,22 @@ class QubesNetVm(QubesVm):
         self.__external_ip_allowed_xids.discard(int(xid))
         self.update_external_ip_permissions()
 
+    def create_on_disk(self, verbose, source_template = None):
+        if dry_run:
+            return
+
+        super(QubesNetVm, self).create_on_disk(verbose, source_template=source_template)
+
+        if os.path.exists(source_template.dir_path + '/netvm-' + qubes_whitelisted_appmenus):
+            if verbose:
+                print >> sys.stderr, "--> Creating default whitelisted apps list: {0}".\
+                    format(self.dir_path + '/' + qubes_whitelisted_appmenus)
+            shutil.copy(source_template.dir_path + '/netvm-' + qubes_whitelisted_appmenus,
+                    self.dir_path + '/' + qubes_whitelisted_appmenus)
+
+        if not self.internal:
+            self.create_appmenus (verbose, source_template=source_template)
+
 class QubesProxyVm(QubesNetVm):
     """
     A class that represents a ProxyVM, ex FirewallVM. A child of QubesNetVM.
@@ -2116,16 +2142,6 @@ class QubesAppVm(QubesVm):
 
         super(QubesAppVm, self).create_on_disk(verbose, source_template=source_template)
 
-        if self.updateable:
-            if verbose:
-                print >> sys.stderr, "--> Copying the template's appmenus templates dir:\n{0} ==>\n{1}".\
-                        format(source_template.appmenus_templates_dir, self.appmenus_templates_dir)
-            shutil.copytree (source_template.appmenus_templates_dir, self.appmenus_templates_dir)
-
-        if verbose:
-            print >> sys.stderr, "--> Creating icon symlink: {0} -> {1}".format(self.icon_path, self.label.icon_path)
-        os.symlink (self.label.icon_path, self.icon_path)
-
         if not self.internal:
             self.create_appmenus (verbose, source_template=source_template)
 

dom0/qvm-core/qubesutils.py

@@ -645,6 +645,11 @@ def backup_prepare(base_backup_dir, vms_list = None, exclude_list = [], print_ca
     if not 'dom0' in exclude_list:
         local_user = grp.getgrnam('qubes').gr_mem[0]
         home_dir = pwd.getpwnam(local_user).pw_dir
+        # Home dir should have only user-owned files, so fix it now to prevent
+        # permissions problems - some root-owned files can left after
+        # 'sudo bash' and similar commands
+        subprocess.check_call(['sudo', 'chown', '-R', local_user, home_dir])
+
         home_sz = get_disk_usage(home_dir)
         home_to_backup = [ { "path" : home_dir, "size": home_sz, "subdir": 'dom0-home'} ]
         files_to_backup += home_to_backup

dom0/qvm-tools/qvm-pci

@@ -73,6 +73,8 @@ def main():
             exit(1)
         if vm.pcidevs.count(pci) == 0:
             vm.pcidevs.append(pci)
+            if vm.is_running():
+                print >>sys.stderr, "NOTICE: Changes will be seen by VM after VM restart"
         qvm_collection.save()
         qvm_collection.unlock_db()
 
@@ -84,6 +86,8 @@ def main():
         pci = args[1]
         if vm.pcidevs.count(pci) > 0:
             vm.pcidevs.remove(pci)
+            if vm.is_running():
+                print >>sys.stderr, "NOTICE: Changes will be seen by VM after VM restart"
         qvm_collection.save()
         qvm_collection.unlock_db()
 

misc/fstab

@@ -13,4 +13,5 @@ tmpfs                   /dev/shm                tmpfs   defaults        0 0
 devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
 sysfs                   /sys                    sysfs   defaults        0 0
 proc                    /proc                   proc    defaults        0 0
+xen                     /proc/xen               xenfs   defaults        0 0
 /dev/xvdi	/mnt/removable	auto noauto,user,rw 0 0

rpm_spec/core-dom0.spec

@@ -102,13 +102,13 @@ cp aux-tools/convert_apptemplate2vm.sh $RPM_BUILD_ROOT/usr/lib/qubes
 cp aux-tools/convert_dirtemplate2vm.sh $RPM_BUILD_ROOT/usr/lib/qubes
 cp aux-tools/create_apps_for_appvm.sh $RPM_BUILD_ROOT/usr/lib/qubes
 cp aux-tools/remove_appvm_appmenus.sh $RPM_BUILD_ROOT/usr/lib/qubes
-cp aux-tools/reset_vm_configs.py  $RPM_BUILD_ROOT/usr/lib/qubes
 cp qmemman/server.py $RPM_BUILD_ROOT/usr/lib/qubes/qmemman_daemon.py
 cp ../misc/meminfo-writer $RPM_BUILD_ROOT/usr/lib/qubes/
 cp ../qrexec/qrexec_daemon $RPM_BUILD_ROOT/usr/lib/qubes/
 cp ../qrexec/qrexec_client $RPM_BUILD_ROOT/usr/lib/qubes/
 cp ../qrexec/qrexec_policy $RPM_BUILD_ROOT/usr/lib/qubes/
 cp aux-tools/qfile-dom0-unpacker $RPM_BUILD_ROOT/usr/lib/qubes/
+cp aux-tools/qubes-notify-updates $RPM_BUILD_ROOT/usr/lib/qubes/
 cp aux-tools/qubes-receive-updates $RPM_BUILD_ROOT/usr/lib/qubes/
 cp ../misc/block_add_change $RPM_BUILD_ROOT/usr/lib/qubes/
 cp ../misc/block_remove $RPM_BUILD_ROOT/usr/lib/qubes/
@@ -121,6 +121,8 @@ cp ../qubes_rpc/qubes.VMShell.policy $RPM_BUILD_ROOT/etc/qubes_rpc/policy/qubes.
 cp qubes.SyncAppMenus.policy $RPM_BUILD_ROOT/etc/qubes_rpc/policy/qubes.SyncAppMenus
 cp qubes.SyncAppMenus $RPM_BUILD_ROOT/etc/qubes_rpc/
 cp ../qrexec/qubes_rpc_multiplexer $RPM_BUILD_ROOT/usr/lib/qubes
+cp aux-tools/qubes.NotifyUpdates.policy $RPM_BUILD_ROOT/etc/qubes_rpc/policy/qubes.NotifyUpdates
+cp aux-tools/qubes.NotifyUpdates $RPM_BUILD_ROOT/etc/qubes_rpc/
 cp aux-tools/qubes.ReceiveUpdates.policy $RPM_BUILD_ROOT/etc/qubes_rpc/policy/qubes.ReceiveUpdates
 cp aux-tools/qubes.ReceiveUpdates $RPM_BUILD_ROOT/etc/qubes_rpc/
 install -D aux-tools/qubes-dom0.modules $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes-dom0.modules
@@ -331,10 +333,10 @@ fi
 /usr/lib/qubes/convert_dirtemplate2vm.sh
 /usr/lib/qubes/create_apps_for_appvm.sh
 /usr/lib/qubes/remove_appvm_appmenus.sh
-/usr/lib/qubes/reset_vm_configs.py*
 /usr/lib/qubes/qmemman_daemon.py*
 /usr/lib/qubes/meminfo-writer
 /usr/lib/qubes/qfile-daemon-dvm*
+/usr/lib/qubes/qubes-notify-updates
 /usr/lib/qubes/qubes-receive-updates
 /usr/lib/qubes/block_add_change
 /usr/lib/qubes/block_remove
@@ -378,9 +380,11 @@ fi
 %attr(0664,root,qubes) /etc/qubes_rpc/policy/qubes.Filecopy
 %attr(0664,root,qubes) /etc/qubes_rpc/policy/qubes.OpenInVM
 %attr(0664,root,qubes) /etc/qubes_rpc/policy/qubes.SyncAppMenus
+%attr(0664,root,qubes) /etc/qubes_rpc/policy/qubes.NotifyUpdates
 %attr(0664,root,qubes) /etc/qubes_rpc/policy/qubes.ReceiveUpdates
 %attr(0664,root,qubes) /etc/qubes_rpc/policy/qubes.VMShell
 /etc/qubes_rpc/qubes.SyncAppMenus
+/etc/qubes_rpc/qubes.NotifyUpdates
 /etc/qubes_rpc/qubes.ReceiveUpdates
 %attr(4750,root,qubes) /usr/lib/qubes/qrexec_daemon
 %attr(2770,root,qubes) %dir /var/log/qubes

rpm_spec/core-vm.spec

@@ -87,6 +87,7 @@ install vm-init.d/* $RPM_BUILD_ROOT/etc/init.d/
 install -d $RPM_BUILD_ROOT/lib/systemd/system $RPM_BUILD_ROOT/usr/lib/qubes/init
 install -m 0755 vm-systemd/*.sh $RPM_BUILD_ROOT/usr/lib/qubes/init/
 install -m 0644 vm-systemd/qubes-*.service $RPM_BUILD_ROOT/lib/systemd/system/
+install -m 0644 vm-systemd/qubes-*.timer $RPM_BUILD_ROOT/lib/systemd/system/
 install -m 0644 vm-systemd/NetworkManager.service $RPM_BUILD_ROOT/usr/lib/qubes/init/
 install -m 0644 vm-systemd/cups.service $RPM_BUILD_ROOT/usr/lib/qubes/init/
 install -m 0644 vm-systemd/ntpd.service $RPM_BUILD_ROOT/usr/lib/qubes/init/
@@ -484,6 +485,8 @@ The Qubes core startup configuration for SystemD init.
 /lib/systemd/system/qubes-netwatcher.service
 /lib/systemd/system/qubes-network.service
 /lib/systemd/system/qubes-sysinit.service
+/lib/systemd/system/qubes-update-check.service
+/lib/systemd/system/qubes-update-check.timer
 %dir /usr/lib/qubes/init
 /usr/lib/qubes/init/prepare-dvm.sh
 /usr/lib/qubes/init/network-proxy-setup.sh
@@ -502,6 +505,8 @@ for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes
     /bin/systemctl enable $srv.service 2> /dev/null
 done
 
+/bin/systemctl enable qubes-update-check.timer 2> /dev/null
+
 # Install overriden services only when original exists
 for srv in cups NetworkManager ntpd; do
     if [ -f /lib/systemd/system/$srv.service ]; then

version_dom0

@@ -1 +1 @@
-1.7.20
+1.7.21

version_vm

@@ -1 +1 @@
-1.7.20
+1.7.21

vm-systemd/qubes-sysinit.service

@@ -2,7 +2,7 @@
 Description=Init Qubes Services settings
 DefaultDependencies=no
 Before=sysinit.target
-After=local-fs.target proc-xen.mount
+After=local-fs.target
 
 [Service]
 Type=oneshot

vm-systemd/qubes-sysinit.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
 
 # List of services enabled by default (in case of absence of xenstore entry)
-DEFAULT_ENABLED_NETVM="network-manager qubes-network"
+DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check"
-DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher"
+DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check"
-DEFAULT_ENABLED_APPVM="meminfo-writer cups"
+DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check"
 DEFAULT_ENABLED_TEMPLATEVM=$DEFAULT_ENABLED_APPVM
 DEFAULT_ENABLED="meminfo-writer"
 

vm-systemd/qubes-update-check.service

@@ -0,0 +1,7 @@
+[Unit]
+Description=Qubes check for VM updates and notify dom0
+ConditionPathExists=/var/run/qubes-service/qubes-update-check
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update|wc -l'

vm-systemd/qubes-update-check.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Periodically check for updates
+ConditionPathExists=/var/run/qubes-service/qubes-update-check
+
+[Timer]
+OnBootSec=5min
+OnUnitActiveSec=2d
+
+[Install]
+WantedBy=multi-user.target
+