This doesn't make all dom0 code VM-username independent, still 'user' is
hardcoded in many places. This only change behavior of qvm-run, especially for use in HVM.
This can cause some rules to fail and eg remove dm-* devices. Replace it with
what is really needed to hide mounted (and other ignored) devices from
qubes-block-devices.
Missed settings in new firewall configuration caused exception. In old qubes-manager (before #582 done) this exception silently broke saving operation, leaving user with progress bar windows infinitely...
To simplify configuration, automatically enable 'yum-proxy-setup'
pseudo-service when allowing access to the proxy. Also disable this service,
when access is revoked. Thanks to this the user can enable this feature by one
click in firewall settings.
New setting for access to qubes-yum-proxy. The difference from other firewall
setting (and reason for new top-level setting): 'deny' is enforced even if
policy is set to 'allow'. This proxy service is mainly used to filter network
traffic, so do not expose it to VMs which can connect to any host directly (eg
'untrusted' VM).
The simplest way is just add proxy=... entry to /etc/yum.conf, but sometimes it
is reasonable to bypass the proxy. Some examples:
- usage of non-standard repos with some exotic file layout, which will be
blocked by the proxy
- usage of repos not-accessible via proxy (eg only via VPN stared in VpnVM)
This commit introduces 'yum-proxy-setup' pseudo-service, which can be
controlled via standard qvm-service or qubes-manager. When enabled - yum will
be configured at VM startup to use qubes proxy, otherwise - to connect directly
(proxy setting will be cleared).
On FC>=15 /var/run is on tmpfs, so /var/run/tinyproxy from rpm don't survive
reboot. This is bug in Fedora package (should include config file for tmpfiles
service). For now create dir just before starting service.
Introduce proxy service, which allow only http(s) traffic to yum repos. The
filter rules are based on URL regexp, so it isn't full-featured content
inspection and can be easy bypassed, but should be enough to prevent some
erroneus user actions (like clicking on invalid link).
It is set up to intercept connections to 10.137.255.254:8082, so VM can connect
to this IP regardless of VM in which proxy is running. By default it is
started in every NetVM, but this can be changed using qvm-service or
qubes-manager (as always).