diff --git a/appvm/Makefile b/appvm/Makefile index 6bb1dea6..0ef375a7 100644 --- a/appvm/Makefile +++ b/appvm/Makefile @@ -1,11 +1,14 @@ CC=gcc CFLAGS=-Wall -all: qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm +all: qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm xenstore-watch qubes_penctl: qubes_penctl.o $(CC) -o qubes_penctl qubes_penctl.o -lxenstore qubes_add_pendrive_script: qubes_add_pendrive_script.o $(CC) -o qubes_add_pendrive_script qubes_add_pendrive_script.o -lxenstore qvm-open-in-dvm: qvm-open-in-dvm.o $(CC) -o qvm-open-in-dvm qvm-open-in-dvm.o -lxenstore +xenstore-watch: xenstore-watch.o + $(CC) -o xenstore-watch xenstore-watch.o -lxenstore + clean: - rm -f qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm *.o *~ + rm -f qubes_penctl qubes_add_pendrive_script qvm-open-in-dvm xenstore-watch *.o *~ diff --git a/appvm/xenstore-watch.c b/appvm/xenstore-watch.c new file mode 100644 index 00000000..497ed294 --- /dev/null +++ b/appvm/xenstore-watch.c @@ -0,0 +1,28 @@ +#include +#include +#include +#include +main(int argc, char **argv) +{ + struct xs_handle *xs; + unsigned int count; + char **vec; + char dummy; + if (argc != 2) { + fprintf(stderr, "usage: %s xenstore_path\n", argv[0]); + exit(1); + } + xs = xs_domain_open(); + if (!xs) { + perror("xs_domain_open"); + exit(1); + } + if (!xs_watch(xs, argv[1], &dummy)) { + perror("xs_watch"); + exit(1); + } + vec = xs_read_watch(xs, &count); + free(vec); + vec = xs_read_watch(xs, &count); + free(vec); +} diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 007a532f..1852d322 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -552,11 +552,16 @@ class QubesVm(object): self.force_shutdown() raise OSError ("ERROR: Cannot attach to network backend!") - #if verbose: - # print "--> Updating FirewallVMs rules..." - #for vm in qvm_collection.values(): - # if vm.is_proxyvm(): - # vm.write_iptables_xenstore_entry() + qvm_collection = QubesVmCollection() + qvm_collection.lock_db_for_reading() + qvm_collection.load() + qvm_collection.unlock_db() + + if verbose: + print "--> Updating FirewallVMs rules..." + for vm in qvm_collection.values(): + if vm.is_fwvm(): + vm.write_iptables_xenstore_entry() if verbose: print "--> Starting the VM..." @@ -991,6 +996,7 @@ class QubesNetVm(QubesCowVm): if "dir_path" not in kwargs or kwargs["dir_path"] is None: kwargs["dir_path"] = qubes_servicevms_dir + "/" + kwargs["name"] + self.__external_ip_allowed_xids = set() if "label" not in kwargs or kwargs["label"] is None: kwargs["label"] = default_servicevm_label @@ -1022,6 +1028,42 @@ class QubesNetVm(QubesCowVm): assert hi >= 0 and hi <= 254 and lo >= 2 and lo <= 254, "Wrong IP address for VM" return self.netprefix + "{0}.{1}".format(hi,lo) + def create_xenstore_entries(self, xid): + if dry_run: + return + + super(QubesNetVm, self).create_xenstore_entries(xid) + retcode = subprocess.check_call ([ + "/usr/bin/xenstore-write", + "/local/domain/{0}/qubes_netvm_external_ip".format(xid), + ""]) + self.update_external_ip_permissions() + + def update_external_ip_permissions(self): + xid = self.get_xid() + command = [ + "/usr/bin/xenstore-chmod", + "/local/domain/{0}/qubes_netvm_external_ip".format(xid) + ] + + command.append("r{0}".format(xid,xid)) + command.append("w{0}".format(xid,xid)) + + for id in self.__external_ip_allowed_xids: + command.append("r{0}".format(id)) + + return subprocess.check_call(command) + + def add_external_ip_permission(self, xid): + if int(xid) < 0: + return + self.__external_ip_allowed_xids.add(int(xid)) + self.update_external_ip_permissions() + + def remove_external_ip_permission(self, xid): + self.__external_ip_allowed_xids.discard(int(xid)) + self.update_external_ip_permissions() + def create_xml_element(self): element = xml.etree.ElementTree.Element( "QubesNetVm", @@ -1043,16 +1085,36 @@ class QubesProxyVm(QubesNetVm): """ def __init__(self, **kwargs): super(QubesProxyVm, self).__init__(uses_default_netvm=False, **kwargs) + self.rules_applied = None + self.netvm_vm.add_external_ip_permission(self.get_xid()) @property def type(self): return "ProxyVM" + def force_shutdown(self): + if dry_run: + return + self.netvm_vm.remove_external_ip_permission(self.get_xid()) + super(QubesFirewallVm, self).force_shutdown() + def create_xenstore_entries(self, xid): if dry_run: return super(QubesProxyVm, self).create_xenstore_entries(xid) + retcode = subprocess.check_call ([ + "/usr/bin/xenstore-write", + "/local/domain/{0}/qubes_netvm_domid".format(xid), + "{0}".format(self.netvm_vm.get_xid())]) + retcode = subprocess.check_call ([ + "/usr/bin/xenstore-write", + "/local/domain/{0}/qubes_iptables_error".format(xid), + ""]) + retcode = subprocess.check_call ([ + "/usr/bin/xenstore-chmod", + "/local/domain/{0}/qubes_iptables_error".format(xid), + "r{0}".format(xid), "w{0}".format(xid)]) self.write_iptables_xenstore_entry() def write_iptables_xenstore_entry(self): @@ -1123,6 +1185,7 @@ class QubesProxyVm(QubesNetVm): iptables += "COMMIT" + self.rules_applied = None return subprocess.check_call ([ "/usr/bin/xenstore-write", "/local/domain/{0}/qubes_iptables".format(self.get_xid()), diff --git a/fwvm/bin/qubes_firewall b/fwvm/bin/qubes_firewall new file mode 100755 index 00000000..6f1cc267 --- /dev/null +++ b/fwvm/bin/qubes_firewall @@ -0,0 +1,33 @@ +#!/bin/bash +set -e + +PIDFILE=/var/run/qubes/qubes_firewall.pid +XENSTORE_IPTABLES=qubes_iptables +XENSTORE_ERROR=qubes_iptables_error +OLD_RULES="" + +# PIDfile handling +[[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0 +echo $$ >$PIDFILE + +trap 'exit 0' SIGTERM + +while true; do + RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES) + + if [[ "$RULES" != "$OLD_RULES" ]]; then + IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d') + OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :` + /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT" + + if [[ -z "$OUT" ]]; then + # If OK save it for later + /sbin/service iptables save >/dev/null + fi + + OLD_RULES="$RULES" + fi + + # Wait for changes in xenstore file + /usr/bin/xenstore-watch $XENSTORE_IPTABLES +done diff --git a/fwvm/init.d/qubes_core b/fwvm/init.d/qubes_core new file mode 100755 index 00000000..d6bcac28 --- /dev/null +++ b/fwvm/init.d/qubes_core @@ -0,0 +1,67 @@ +#!/bin/sh +# +# chkconfig: 345 90 90 +# description: Executes Qubes core scripts at VM boot +# +# Source function library. +. /etc/rc.d/init.d/functions + +start() +{ + echo -n $"Executing Qubes Core scripts FirewallVM:" + + if ! [ -x /usr/bin/xenstore-read ] ; then + echo "ERROR: /usr/bin/xenstore-read not found!" + exit 1 + fi + + name=$(/usr/bin/xenstore-read name) + hostname $name + + # Setup gateway for all the VMs this netVM is serviceing... + modprobe netbk + gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway) + netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask) + network=$(/usr/bin/xenstore-read qubes_netvm_network) + secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns) + echo "NS1=$gateway" > /var/run/qubes/qubes_ns + echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns + /usr/lib/qubes/qubes_setup_dnat_to_ns + echo "1" > /proc/sys/net/ipv4/ip_forward + + # Now setup "AppVM" part of FirewallVM + ip=$(/usr/bin/xenstore-read qubes_ip) + netmask=$(/usr/bin/xenstore-read qubes_netmask) + gateway=$(/usr/bin/xenstore-read qubes_gateway) + secondary_dns=$(/usr/bin/xenstore-read qubes_secondary_dns) + if [ x$ip != x ]; then + /sbin/ifconfig eth0 $ip netmask 255.255.255.255 up + /sbin/route add default dev eth0 + echo "nameserver $gateway" > /etc/resolv.conf + echo "nameserver $secondary_dns" >> /etc/resolv.conf + fi + + success + echo "" + return 0 +} + +stop() +{ + return 0 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + *) + echo $"Usage: $0 {start|stop}" + exit 3 + ;; +esac + +exit $RETVAL diff --git a/fwvm/init.d/qubes_firewall b/fwvm/init.d/qubes_firewall new file mode 100755 index 00000000..f970734f --- /dev/null +++ b/fwvm/init.d/qubes_firewall @@ -0,0 +1,42 @@ +#!/bin/sh +# +# chkconfig: 345 91 91 +# description: Starts Qubes Firewall monitor +# +# Source function library. +. /etc/rc.d/init.d/functions + +PIDFILE=/var/run/qubes/qubes_firewall.pid + +start() +{ + echo -n $"Starting Qubes Firewall monitor:" + /sbin/ethtool -K eth0 sg off + /usr/bin/qubes_firewall & + success + echo "" + return 0 +} + +stop() +{ + echo -n "Stopping Qubes Firewall monitor:" + kill $(cat $PIDFILE) 2>/dev/null && success || failure + echo "" + return 0 +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + *) + echo $"Usage: $0 {start|stop}" + exit 3 + ;; +esac + +exit $RETVAL diff --git a/netvm/30-qubes_external_ip b/netvm/30-qubes_external_ip new file mode 100755 index 00000000..66ae5269 --- /dev/null +++ b/netvm/30-qubes_external_ip @@ -0,0 +1,8 @@ +#!/bin/sh +if [ x$2 == xup ]; then + INET=$(/sbin/ip addr show dev $1 | /bin/grep inet) + /usr/bin/xenstore-write qubes_netvm_external_ip "$INET" +fi +if [ x$2 == xdown ]; then + /usr/bin/xenstore-write qubes_netvm_external_ip "" +fi diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec index 83d88c29..47a04ff0 100644 --- a/rpm_spec/core-netvm.spec +++ b/rpm_spec/core-netvm.spec @@ -67,6 +67,7 @@ mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ cp ../common/qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ +cp ../netvm/30-qubes_external_ip $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d cp ../netvm/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d mkdir -p $RPM_BUILD_ROOT/sbin