Commit Graph

142 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
e1a2f8dcb2
Enable autoescape in libvirt xml template
This avoids XML-injection by a malformed property value. If a property
value is controlled by a less privileged entity (like Management VM), it
could lead to a privilege escalation.

Reported by @DemiMarie
2021-03-03 18:31:34 +01:00
Marek Marczykowski-Górecki
e1991d5c33
Merge remote-tracking branch 'origin/pr/389'
* origin/pr/389:
  app: save qubes.xml with utils.replace_file()
  app: use suppress() in simple cases
  firewall: save firewall.xml with utils.replace_file()
  utils: take tweaked helper functions from storage/reflink
  storage/reflink: quote logged filenames
2021-02-11 13:48:12 +01:00
Rusty Bird
12d117b20a
app: save qubes.xml with utils.replace_file()
That takes care of the missing fsync() calls.

Fixes QubesOS/qubes-issues#3376
2021-02-10 12:58:02 +00:00
Rusty Bird
9b6d082673
app: use suppress() in simple cases 2021-02-10 12:58:01 +00:00
Rusty Bird
7c5988f696
log: don't write to qubes.log or vm-*.log, only stderr 2021-02-05 18:39:17 +00:00
Marek Marczykowski-Górecki
1500ed8fcb
Make pylint happy
- ignore raise-missing-from
- fix super-with-arguments
2020-08-23 02:55:40 +02:00
Marta Marczykowska-Górecka
6b9528316f
Replaced error on nonexisting label name with a more descriptive one
Instead of unintuitive Value Error now we have dedicated QubesLabelNotFoundError.
Goal: to make qvm-prefs be less strange when one mixes up gray and grey again.
2020-08-23 01:58:43 +02:00
Marta Marczykowska-Górecka
b506586089
Fixed grey label color value causing accidental green icons
fixes QubesOS/qubes-issues#3471
2020-08-23 01:58:43 +02:00
Marta Marczykowska-Górecka
f35a7a78b3
Fixed property-reset event not firing for default_dispvm global property
fixes QubesOS/qubes-issues#5977
2020-08-03 22:12:02 +02:00
Rusty Bird
c2ce28936e
storage/reflink: prefer canonical values for setup_check 2020-06-22 14:03:19 +00:00
Marek Marczykowski-Górecki
dc1b3b4d86
Do not announce RDRAND instruction on Ivy Bridge
XSA-320 / CVE-2020-0543 affects Ivy Bridge and later platforms, but a
fix (microcode update) won't be available for Ivy Bridge. Disable
affected instruction (do not announce it in CPUID - complying software
should not use it then).
2020-06-10 06:12:46 +02:00
Marek Marczykowski-Górecki
64edbdf7d3
Merge remote-tracking branch 'origin/pr/344'
* origin/pr/344:
  travis: pip -> pip3
  Update .travis.yml
  Drop initial root thin pool definition
  Prevent double hyphens in thin_pool parsing
  Rename default root thin pool from 'lvm' to 'root'
2020-05-24 02:19:37 +02:00
Marek Marczykowski-Górecki
dc2cf1db5d
Convert handler to use property-reset instead of property-del
There was also one case of triggering property-{del => reset}
synthetically on default value change. Adjust it too and drop -pre-
event call in that case.

QubesOS/qubes-issues#5834
2020-05-23 03:57:42 +02:00
Marek Marczykowski-Górecki
4e473dd190
Remove leftovers of default_fw_netvm
The property is long gone, remove handling its change.
2020-05-23 03:57:42 +02:00
Frédéric Pierret (fepitre)
f06f41d594
Drop initial root thin pool definition
See https://github.com/QubesOS/qubes-core-admin/pull/344#issuecomment-629626978
2020-05-18 14:13:51 +02:00
Frédéric Pierret (fepitre)
71159bfca2
Rename default root thin pool from 'lvm' to 'root'
New partition output split dom0 and VM thin pools

https://github.com/QubesOS/qubes-anaconda-addon/pull/7
QubesOS/qubes-issues#5763
2020-05-12 17:32:07 +02:00
Rusty Bird
6605bf406d
collections.Callable -> collections.abc.Callable
"Deprecated since version 3.3, will be removed in version 3.10"
- https://docs.python.org/3/library/collections.html
2020-04-07 21:30:21 +00:00
Frédéric Pierret (fepitre)
795ff1233a
Support for AudioVM 2020-03-08 17:05:33 +01:00
Pawel Marczewski
f1ff6c26d8
Move devices check to on_domain_pre_deleted 2020-01-21 15:35:30 +01:00
Marek Marczykowski-Górecki
a89d3f0cae
tests: allow extensions to cleanup objects references
Extension objects are singletons and normally do not require any special
cleanup. But in case of tests, we try to remove all the qubes objects
between tests and the cache in usb extension makes it hard.
Add a 'qubes-close' event that extensions can handle to remove extra
references stored in extension objects themselves.
2020-01-11 01:22:30 +01:00
Marek Marczykowski-Górecki
5d77cf2298
Avoid resetting clocksync service of just enabled clockvm
When setting global clockvm property, 'clocksync' service is
automatically added to the new value and then removed from the old one.
But if the new value is the same as the old one, the service gets
removed from the just set new value.
Check for this case explicitly.

Fixes QubesOS/qubes-issues#4939
2019-11-30 05:20:08 +01:00
Frédéric Pierret (fepitre)
85edf511cb
default_guivm: set to dom0 due to migration R4.0->R4.1 problems 2019-11-16 13:04:42 +01:00
Marek Marczykowski-Górecki
5908ab1568
app: fix get_free_xen_memory function
It's app.vmm.xc, not app.xc. Since nobody have noticed it, this function
might be unused...
2019-10-30 15:46:11 +01:00
Marek Marczykowski-Górecki
361550c621
vm: improve error message about missing IOMMU
Handle this case specifically, as way too many users ignore the message
during installation and complain it doesn't work later.

Name the problem explicitly, instead of pointing at libvirt error log.

Fixes QubesOS/qubes-issues#4689
2019-10-30 15:45:52 +01:00
Frédéric Pierret (fepitre)
7c8556891c
app: fix docstrings PEP8 refactor 2019-10-22 09:26:25 +02:00
Frédéric Pierret (fepitre)
d2d1ffb806
Make pylint happier 2019-10-20 16:40:40 +02:00
Frédéric Pierret (fepitre)
27aad9bd38
Handle GuiVM properties 2019-10-20 13:22:31 +02:00
Frédéric Pierret (fepitre)
a52cb6bb91
Make PEP8 happier 2019-10-20 13:22:29 +02:00
Marek Marczykowski-Górecki
8e36a2ac61
app: re-register event handler after libvirt daemon restart
When libvirt daemon is restarted, qubesd attempt to re-connect to the
new instance transparently (through virConnect object wrapper). But the
code lacked re-registering event handlers.
Fix this by adding reconnect callback argument to virConnectWrappper, to
be called after new connection is established. This callback will
additionally get old connection as an argument, if any cleanup is
needed. The old connection is closed just after callback returns.

Use this to re-register event handler, but also unregister old handler
first. While full unregister wont work on since old libvirt daemon
instance is dead already, it will still cleanup client structures.

Since the old libvirt connection is closed now, adjust also domain
reconnection logic, to handle stale connection object. In that case
isAlive() call throws an exception.

Fixes QubesOS/qubes-issues#5303
2019-09-26 01:57:59 +02:00
Marta Marczykowska-Górecka
9d20877a43
Fixed unexpected error on empty default template and incorrect error handling
Qubesd wrongly required default_template global property to be not None.
Furthermore, even without hard failure set, require_property method
raised an exception in case of a property having incorrect None value.
It now logs an error message instead, as designed.

fixes QubesOS/qubes-issues#5326
2019-09-19 20:20:36 +02:00
Marek Marczykowski-Górecki
39d64eabc8
api/stats: improve cpu_usage normalization, add cpu_usage_raw
Give raw cpu_time value, instead of normalized one (to number of vcpus),
as documented.
Move the normalization to cpu_usage calculation. At the same time, add
cpu_usage_raw without it, if anyone needs it.

QubesOS/qubes-issues#4531
2019-08-01 04:51:05 +02:00
Rusty Bird
1d89acf698
app: setup_pools() must be a coroutine
This is needed as a consequence of d8b6d3ef ("Make add_pool/remove_pool
coroutines, allow Pool.{setup,destroy} as coroutines"), but there hasn't
been any problem so far because no storage driver implemented pool
setup() as a coroutine.
2019-06-28 10:29:26 +00:00
Rusty Bird
fe97a15d11
factor out utils.coro_maybe() 2019-06-28 10:29:24 +00:00
Marek Marczykowski-Górecki
aa798bf943
app: add missing load_stage=3 to global properties
Global properties should be loaded in stage 3, mark them as such.
Otherwise they are not loaded at all.
This applies to stats_interval and check_updates_vm. Others were
correct.

Fixes QubesOS/qubes-issues#4856
2019-03-14 14:56:01 +01:00
Marek Marczykowski-Górecki
27a0fe25ab
app: allow removing VM referencing only itself
Fixes QubesOS/qubes-issues#4224
2019-02-27 06:03:57 +01:00
Marek Marczykowski-Górecki
80e57e16be
Allow setting default_template to none
It may make sense to force explicit template choice on VM creation,
especially with more restrictive qrexec policy.
2019-02-27 06:03:57 +01:00
Marek Marczykowski-Górecki
4f5687440f
Prevent removal of in-use storage pool
Fixes QubesOS/qubes-issues#4454
2019-02-27 06:03:57 +01:00
Marek Marczykowski-Górecki
23bfc18535
Add pool-add, pool-pre-delete, pool-delete events 2019-02-27 06:04:01 +01:00
Marek Marczykowski-Górecki
d8b6d3efde
Make add_pool/remove_pool coroutines, allow Pool.{setup,destroy} as coroutines
Pool setup/destroy may be a time consuming operation, allow them to be
asynchronous. Fortunately add_pool and remove_pool are used only through
Admin API, so the change does not require modification of other
components.
2019-02-27 06:03:57 +01:00
Marek Marczykowski-Górecki
7d1bcaf64c Introduce management_dispvm property
The new property is meant for management stack (Salt) to set which DVM
template should be used to maintain given VM. Since the DispVM based on
it will be given ultimate control over target VM (qubes.VMShell
service), it should be trusted. The one pointed to by default_dispvm
not necessary is one.

The property defaults to the value from the template (if any), and then
to a global management_dispvm property. By default it is set to None.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
2018-12-03 19:18:26 +01:00
Marek Marczykowski-Górecki
e1f65bdf7b
vm: add shutdown_timeout property, make vm.shutdown(wait=True) use it
vm.shutdown(wait=True) waited indefinitely for the shutdown, which makes
useless without some boilerplate handling the timeout. Since the timeout
may depend on the operating system inside, add a per-VM property for it,
with value inheritance from template and then from global
default_shutdown_timeout property.

When timeout is reached, the method raises exception - whether to kill
it or not is left to the caller.

Fixes QubesOS/qubes-issues#1696
2018-10-26 23:54:04 +02:00
Rusty Bird
bee69a98b9
Add default_qrexec_timeout to qubes-prefs
When a VM (or its template) does not explicitly set a qrexec_timeout,
fall back to a global default_qrexec_timeout (with default value 60),
instead of hardcoding the fallback value to 60.

This makes it easy to set a higher timeout for the whole system, which
helps users who habitually launch applications from several (not yet
started) VMs at the same time. 60 seconds can be too short for that.
2018-09-16 18:42:48 +00:00
Rusty Bird
b3983f5ef8
'except FileNotFoundError' instead of ENOENT check 2018-09-13 19:46:45 +00:00
AJ Jordan
5aa35a1208
Make log location more explicit in error message
See https://github.com/QubesOS/qubes-issues/issues/4224#issuecomment-414513721.
2018-09-12 22:40:21 -04:00
Rusty Bird
8d1913a8cc
app: create /var/lib/qubes as file-reflink if supported
Use the file-reflink storage driver if /var/lib/qubes is on a filesystem
that supports reflinks, e.g. when the btrfs layout was selected in
Anaconda. If it doesn't support reflinks (or if detection fails, e.g. in
an unprivileged test environment), use 'file' as before.
2018-09-11 23:50:26 +00:00
Rusty Bird
53ef5ed431
app: uncouple pool setup from loading initial configuration
And ensure that setup is called on every type of these pools, not just
lvm_thin.
2018-09-11 23:50:25 +00:00
Marek Marczykowski-Górecki
57c9b2edf7
code style fixes 2018-09-02 03:27:14 +02:00
Jean-Philippe Ouellet
e95ef5f61d
Add domain-paused/-unpaused events
Needed for event-driven domains-tray UI updating and anti-GUI-DoS
usability improvements.

Catches errors from event handlers to protect libvirt, and logs to
main qubesd logger singleton (by default meaning systemd journal).
2018-08-01 05:41:50 -04:00
Marek Marczykowski-Górecki
be2465c1f9
Fix issues found by pylint 2.0
Resolve:
 - no-else-return
 - useless-object-inheritance
 - useless-return
 - consider-using-set-comprehension
 - consider-using-in
 - logging-not-lazy

Ignore:
 - not-an-iterable - false possitives for asyncio coroutines

Ignore all the above in qubespolicy/__init__.py, as the file will be
moved to separate repository (core-qrexec) - it already has a copy
there, don't desynchronize them.
2018-07-15 23:51:15 +02:00
Marek Marczykowski-Górecki
99f430511a
storage: move and generalize RootThinPool helper class
This is a class for finding thin pool containing root filesytem.
Generalize it to work for other filesystems too and rename to
DirectoryThinPool.
2018-03-20 16:52:48 +01:00