Add qubes.GetDate proxy service

This enable two things:
1. Follow global clockvm setting, without adjusting qrexec policy.
2. Avoid starting clockvm by arbitrary VM.

Fixes QubesOS/qubes-issues#3588

Makefile

@@ -184,6 +184,7 @@ endif
 	cp qubes-rpc-policy/qubes.GetDate.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.GetDate
 	cp qubes-rpc-policy/policy.RegisterArgument.policy $(DESTDIR)/etc/qubes-rpc/policy/policy.RegisterArgument
 	cp qubes-rpc/qubes.FeaturesRequest $(DESTDIR)/etc/qubes-rpc/
+	cp qubes-rpc/qubes.GetDate $(DESTDIR)/etc/qubes-rpc/
 	cp qubes-rpc/qubes.GetRandomizedTime $(DESTDIR)/etc/qubes-rpc/
 	cp qubes-rpc/qubes.NotifyTools $(DESTDIR)/etc/qubes-rpc/
 	cp qubes-rpc/qubes.NotifyUpdates $(DESTDIR)/etc/qubes-rpc/

qubes-rpc-policy/qubes.GetDate.policy

@@ -3,4 +3,4 @@
 
 ## Please use a single # to start your custom comments
 
-$anyvm	$anyvm	allow,target=sys-net
+$anyvm	$anyvm	allow,target=dom0

qubes-rpc/qubes.GetDate

@@ -0,0 +1,42 @@
+#!/usr/bin/python3
+#
+# The Qubes OS Project, https://www.qubes-os.org/
+#
+# Copyright (C) 2017  Marek Marczykowski-Górecki
+#                                       <marmarek@invisiblethingslab.com>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see <https://www.gnu.org/licenses/>.
+#
+
+import qubesadmin
+import datetime
+import subprocess
+
+def main():
+    app = qubesadmin.Qubes()
+
+    clockvm = app.clockvm
+    if clockvm is None:
+        return
+
+    if not clockvm.is_running():
+        # print dom0 time if clockvm is not running
+        print(datetime.datetime.utcnow().strftime('%Y-%m-%dT%H:%M:%S+00:00'))
+    else:
+        # passthrough request to the clockvm
+        p = clockvm.run_service('qubes.GetDate', stdout=None, stdin=subprocess.DEVNULL)
+        p.wait()
+
+if __name__ == '__main__':
+    main()

rpm_spec/core-dom0.spec

@@ -438,6 +438,7 @@ fi
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/policy.RegisterArgument
 /etc/qubes-rpc/admin.*
 /etc/qubes-rpc/qubes.FeaturesRequest
+/etc/qubes-rpc/qubes.GetDate
 /etc/qubes-rpc/qubes.GetRandomizedTime
 /etc/qubes-rpc/qubes.NotifyTools
 /etc/qubes-rpc/qubes.NotifyUpdates