From bda9264e19a1726e6bbfeae8ee685309ca95736a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Fri, 2 Mar 2018 20:39:28 +0100
Subject: [PATCH] Add qubes.GetDate proxy service This enable two things: 1. Follow global clockvm setting, without adjusting qrexec policy. 2. Avoid starting clockvm by arbitrary VM. Fixes QubesOS/qubes-issues#3588
---
 Makefile | 1 +
 qubes-rpc-policy/qubes.GetDate.policy | 2 +-
 qubes-rpc/qubes.GetDate | 42 +++++++++++++++++++++++++++
 rpm_spec/core-dom0.spec | 1 +
 4 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100755 qubes-rpc/qubes.GetDate
diff --git a/Makefile b/Makefile
index b536c64a..54ebaa76 100644
--- a/Makefile
+++ b/Makefile
@@ -184,6 +184,7 @@ endif
 cp qubes-rpc-policy/qubes.GetDate.policy $(DESTDIR)/etc/qubes-rpc/policy/qubes.GetDate
 cp qubes-rpc-policy/policy.RegisterArgument.policy $(DESTDIR)/etc/qubes-rpc/policy/policy.RegisterArgument
 cp qubes-rpc/qubes.FeaturesRequest $(DESTDIR)/etc/qubes-rpc/
+ cp qubes-rpc/qubes.GetDate $(DESTDIR)/etc/qubes-rpc/
 cp qubes-rpc/qubes.GetRandomizedTime $(DESTDIR)/etc/qubes-rpc/
 cp qubes-rpc/qubes.NotifyTools $(DESTDIR)/etc/qubes-rpc/
 cp qubes-rpc/qubes.NotifyUpdates $(DESTDIR)/etc/qubes-rpc/
diff --git a/qubes-rpc-policy/qubes.GetDate.policy b/qubes-rpc-policy/qubes.GetDate.policy
index fa81b588..24c72be4 100644
--- a/qubes-rpc-policy/qubes.GetDate.policy
+++ b/qubes-rpc-policy/qubes.GetDate.policy
@@ -3,4 +3,4 @@ ## Please use a single # to start your custom comments
-$anyvm $anyvm allow,target=sys-net
+$anyvm $anyvm allow,target=dom0
diff --git a/qubes-rpc/qubes.GetDate b/qubes-rpc/qubes.GetDate
new file mode 100755
index 00000000..8daca33b
--- /dev/null
+++ b/qubes-rpc/qubes.GetDate
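Review bot: The new rule `$anyvm $anyvm allow,target=dom0` in qubes-rpc-policy/qubes.GetDate.policy makes a dom0-side script reachable from every qube without confirmation, and nothing in the policy file says why dom0 is the target. A shipped comment above the rule, e.g. `## dom0 proxies this call to the global clockvm; pointing it at a VM directly bypasses that proxy`, would keep a later editor from restoring a direct VM target. If this policy file is packaged as `%config(noreplace)` like the policy entry visible in the spec hunk (not shown for this file), locally modified installs would keep `target=sys-net` and skip the proxy, which is worth a release note.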
@@ -0,0 +1,42 @@
+#!/usr/bin/python3
+#
+# The Qubes OS Project, https://www.qubes-os.org/
+#
+# Copyright (C) 2017 Marek Marczykowski-Górecki
+#
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see .
+#
+
+import qubesadmin
+import datetime
+import subprocess
+
+def main():
+ app = qubesadmin.Qubes()
+
+ clockvm = app.clockvm
+ if clockvm is None:
+ return
+
+ if not clockvm.is_running():
+ # print dom0 time if clockvm is not running
+ print(datetime.datetime.utcnow().strftime('%Y-%m-%dT%H:%M:%S+00:00'))
+ else:
+ # passthrough request to the clockvm
+ p = clockvm.run_service('qubes.GetDate', stdout=None, stdin=subprocess.DEVNULL)
+ p.wait()
+
+if __name__ == '__main__':
+ main()
diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec
index c91e35f1..3780fbed 100644
--- a/rpm_spec/core-dom0.spec
+++ b/rpm_spec/core-dom0.spec
@@ -438,6 +438,7 @@ fi
 %attr(0664,root,qubes) %config(noreplace) /etc/qubes-rpc/policy/policy.RegisterArgument
 /etc/qubes-rpc/admin.*
 /etc/qubes-rpc/qubes.FeaturesRequest
+/etc/qubes-rpc/qubes.GetDate
 /etc/qubes-rpc/qubes.GetRandomizedTime
 /etc/qubes-rpc/qubes.NotifyTools
 /etc/qubes-rpc/qubes.NotifyUpdates
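Review bot: In qubes-rpc/qubes.GetDate, main() discards the result of `p.wait()` and returns silently when `app.clockvm` is None, so the calling qube gets exit status 0 with empty or partial output whenever the clockvm is unset or the forwarded call fails. Propagating the status, e.g. `sys.exit(p.wait())` (with `import sys`) and a non-zero exit in the `clockvm is None` branch, would let the caller tell "no time available" from a valid answer. The `is_running()` check and the later `run_service()` call are not atomic, so the clockvm can stop in between; whether `run_service()` would then start it again is not visible here and should be confirmed, since the commit message names avoiding that as a goal. A short comment on the `run_service` line stating that `stdout=None` hands the clockvm's output to the caller unparsed, so dom0 never interprets data coming from the clockvm, would record why the passthrough is written this way.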