Merge branch 'master' of git.qubes-os.org:/var/lib/qubes/git/marmarek/core

Conflicts:
	version_vm

Makefile

@@ -57,5 +57,6 @@ clean:
 	(cd dom0/restore && make clean)
 	(cd dom0/qmemman && make clean)
 	(cd common && make clean)
+	(cd u2mfn && make clean)
 	make -C qrexec clean
 	make -C vchan clean

appvm/Makefile

@@ -5,9 +5,9 @@ dvm_file_editor: dvm_file_editor.o ../common/ioall.o
 	$(CC) -pie -g -o $@ $^
 qfile-agent-dvm: qfile-agent-dvm.o ../common/ioall.o ../common/gui-fatal.o
 	$(CC) -pie -g -o $@ $^
-qfile-agent: qfile-agent.o ../common/ioall.o ../common/gui-fatal.o copy_file.o crc32.o
+qfile-agent: qfile-agent.o ../common/ioall.o ../common/gui-fatal.o ../common/copy_file.o ../common/crc32.o
 	$(CC) -pie -g -o $@ $^
-qfile-unpacker: qfile-unpacker.o ../common/ioall.o ../common/gui-fatal.o copy_file.o unpack.o crc32.o
+qfile-unpacker: qfile-unpacker.o ../common/ioall.o ../common/gui-fatal.o ../common/copy_file.o ../common/unpack.o ../common/crc32.o
 	$(CC) -pie -g -o $@ $^
 
 clean:

appvm/qvm-copy-to-vm

@@ -20,15 +20,15 @@
 #
 #
 
-if [ x"$1" = "x--with-progress" ] ; then
+if [ x"$1" = "x--without-progress" ] ; then
-	DO_PROGRESS=1
+	DO_PROGRESS=0
 	shift
 else
-	DO_PROGRESS=0
+	DO_PROGRESS=1
 fi
 
 if [ $# -lt 2 ] ; then
-	echo usage: $0 '[--with-progress] dest_vmname file [file]+'
+	echo usage: $0 '[--without-progress] dest_vmname file [file]+'
 	exit 1
 fi
 

common/Makefile

@@ -6,4 +6,4 @@ meminfo-writer: meminfo-writer.o
 xenstore-watch: xenstore-watch.o
 	$(CC) -o xenstore-watch xenstore-watch.o -lxenstore
 clean:
-	rm -f meminfo-writer *.o *~
+	rm -f meminfo-writer xenstore-watch *.o *~

common/block-snapshot

@@ -5,7 +5,16 @@
 # This creates dm-snapshot device on given arguments
 
 dir=$(dirname "$0")
-. "$dir/block-common.sh"
+if [ "$1" = "prepare" ] || [ "$1" = "cleanup" ]; then
+  . "$dir/xen-hotplug-common.sh"
+  command=$1
+else
+  . "$dir/block-common.sh"
+fi
+
+shopt -s nullglob
+
+HOTPLUG_STORE="/var/run/xen-hotplug/${XENBUS_PATH//\//-}"
 
 get_dev() {
   dev=$1
@@ -89,7 +98,6 @@ create_dm_snapshot_origin() {
 
 t=$(xenstore_read_default "$XENBUS_PATH/type" 'MISSING')
 
-
 case "$command" in
   add)
     case $t in
@@ -117,24 +125,81 @@ case "$command" in
         if [ "$t" == "snapshot" ]; then
           #that's all for snapshot, store name of prepared device
           xenstore_write "$XENBUS_PATH/node" "/dev/mapper/$dm_devname"
+          echo "/dev/mapper/$dm_devname" > "$HOTPLUG_STORE-node"
           write_dev /dev/mapper/$dm_devname
         elif [ "$t" == "origin" ]; then
           # for origin - prepare snapshot-origin device and store its name
           dm_devname=origin-$(stat -c '%D:%i' "$base")
           create_dm_snapshot_origin $dm_devname "$base"
           xenstore_write "$XENBUS_PATH/node" "/dev/mapper/$dm_devname"
+          echo "/dev/mapper/$dm_devname" > "$HOTPLUG_STORE-node"
           write_dev /dev/mapper/$dm_devname
         fi
+        # Save domain name for template commit on device remove
+        domain=$(xenstore_read_default "$XENBUS_PATH/domain" '')
+        if [ -z "$domain" ]; then
+          domid=$(xenstore_read "$XENBUS_PATH/frontend-id")
+          domain=$(xl domname $domid)
+        fi
+        echo $domain > "$HOTPLUG_STORE-domain"
+
+        release_lock "block"
+        exit 0
+        ;;
+    esac
+    ;;
+  prepare)
+    t=$2
+    case $t in
+      snapshot|origin)
+        p=$3
+        base=${p/:*/}
+        cow=${p/*:/}
+
+        if [ -L "$base" ]; then
+          base=$(readlink -f "$base") || fatal "$base link does not exist."
+        fi
+
+        if [ -L "$cow" ]; then
+          cow=$(readlink -f "$cow") || fatal "$cow link does not exist."
+        fi
+
+        # first ensure that snapshot device exists (to write somewhere changes from snapshot-origin)
+        dm_devname=$(get_dm_snapshot_name "$base" "$cow")
+
+        claim_lock "block"
+
+        # prepare snapshot device
+        create_dm_snapshot $dm_devname "$base" "$cow"
+
+        if [ "$t" == "snapshot" ]; then
+          #that's all for snapshot, store name of prepared device
+          echo "/dev/mapper/$dm_devname"
+        elif [ "$t" == "origin" ]; then
+          # for origin - prepare snapshot-origin device and store its name
+          dm_devname=origin-$(stat -c '%D:%i' "$base")
+          create_dm_snapshot_origin $dm_devname "$base"
+          echo "/dev/mapper/$dm_devname"
+        fi
 
         release_lock "block"
         exit 0
         ;;
     esac
     ;;
-  remove)
+  remove|cleanup)
+    if [ "$command" = "cleanup" ]; then
+      t=$2
+    else
+      t=$(cat $HOTPLUG_STORE-type)
+    fi
     case $t in
       snapshot|origin)
-        node=$(xenstore_read "$XENBUS_PATH/node")
+        if [ "$command" = "cleanup" ]; then
+          node=$3
+        else
+          node=$(cat "$HOTPLUG_STORE-node")
+        fi
 
         if [ -z "$node" ]; then
           fatal "No device node to remove"
@@ -174,14 +239,16 @@ case "$command" in
               dmsetup remove $snap
             fi
           done
-          # Commit template changes
+          if [ "$command" = "remove" ]; then
-          domain=$(xenstore_read "$XENBUS_PATH/domain")
+            # Commit template changes
-          if [ "$domain" ]; then
+            domain=$(cat "$HOTPLUG_STORE-domain")
-            # Dont stop on errors
+            if [ "$domain" ]; then
-            /usr/bin/qvm-template-commit "$domain" || true
+              # Dont stop on errors
+              /usr/bin/qvm-template-commit "$domain" || true
+            fi
           fi
         fi
-	
+
         if [ -e $node ]; then
           log debug "Removing $node"
           dmsetup remove $node

common/qubes_download_dom0_updates.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+DOM0_UPDATES_DIR=/var/lib/qubes/dom0-updates
+
+DOIT=0
+GUI=1
+while [ -n "$1" ]; do
+    if [ "x--doit" = "x$1" ]; then
+        DOIT=1
+    elif [ "x--nogui" = "x$1" ]; then
+        GUI=0
+    fi
+    shift
+done
+
+if ! [ -d "$DOM0_UPDATES_DIR" ]; then
+    echo "Dom0 updates dir does not exists: $DOM0_UPDATES_DIR"
+    exit 1
+fi
+
+mkdir -p $DOM0_UPDATES_DIR/etc
+cp /etc/yum.conf $DOM0_UPDATES_DIR/etc/
+
+echo "Checking for updates..."
+PKGLIST=`yum --installroot $DOM0_UPDATES_DIR check-update -q | cut -f 1 -d ' '`
+
+if [ -z $PKGLIST ]; then
+    # No new updates
+    exit 0
+fi
+
+if [ "$DOIT" != "1" ]; then
+    zenity --question --title="Qubes Dom0 updates" \
+      --text="Updates for dom0 available. Do you want to download its now?" || exit 0
+fi
+
+mkdir -p "$DOM0_UPDATES_DIR/packages"
+
+set -e
+
+if [ "$GUI" = 1 ]; then
+    ( echo "1"
+    yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $PKGLIST
+    echo 100 ) | zenity --progress --pulsate --auto-close --auto-kill \
+         --text="Downloading updates for Dom0, please wait..." --title="Qubes Dom0 updates"
+else
+    yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $PKGLIST
+fi
+
+# qvm-copy-to-vm works only from user
+su -c "qvm-copy-to-vm @dom0updates $DOM0_UPDATES_DIR/packages/*.rpm" user

common/qubes_network.rules

@@ -0,0 +1,2 @@
+
+SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/qubes/setup_ip"

common/qubes_trigger_sync_appmenus.action

@@ -0,0 +1 @@
+*:any:/usr/lib/qubes/qubes_trigger_sync_appmenus.sh

common/qubes_trigger_sync_appmenus.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+UPDATEABLE=`/usr/bin/xenstore-read qubes_vm_updateable`
+
+if [ "$UPDATEABLE" = "True" ]; then
+    echo -n SYNC > /var/run/qubes/qrexec_agent
+fi

common/setup_ip

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+ip=`/usr/bin/xenstore-read qubes_ip`
+netmask=`/usr/bin/xenstore-read qubes_netmask`
+gateway=`/usr/bin/xenstore-read qubes_gateway`
+secondary_dns=`/usr/bin/xenstore-read qubes_secondary_dns`
+if [ x$ip != x ]; then
+    /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
+    /sbin/ifconfig $INTERFACE up
+    /sbin/route add default dev $INTERFACE
+    echo "nameserver $gateway" > /etc/resolv.conf
+    echo "nameserver $secondary_dns" >> /etc/resolv.conf
+fi

common/unpack.c

@@ -1,3 +1,4 @@
+#define _GNU_SOURCE /* For O_NOFOLLOW. */
 #include <errno.h>
 #include <ioall.h>
 #include <fcntl.h>

netvm/dbus-nm-applet.conf

@@ -1,42 +0,0 @@
-<!DOCTYPE busconfig PUBLIC
- "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-	<!--
-	     WARNING: if running any D-Bus version prior to 1.2.6, you may be
-	     vulnerable to information leakage via the NM D-Bus interface.
-	     Previous D-Bus versions did not deny-by-default, and this permissions
-	     config file assumes that D-Bus will deny rules by default unless
-	     explicitly over-ridden with an <allow /> tag.
-	 -->
-
-        <policy user="root">
-                <allow own="org.freedesktop.NetworkManagerUserSettings"/>
-
-                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
-                       send_interface="org.freedesktop.NetworkManagerSettings"/>
-
-                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
-                       send_interface="org.freedesktop.NetworkManagerSettings.Connection"/>
-
-                <!-- Only root can get secrets -->
-                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
-                       send_interface="org.freedesktop.NetworkManagerSettings.Connection.Secrets"/>
-        </policy>
-        <policy user="user">
-                <allow own="org.freedesktop.NetworkManagerUserSettings"/>
-
-                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
-                       send_interface="org.freedesktop.NetworkManagerSettings"/>
-
-                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
-                       send_interface="org.freedesktop.NetworkManagerSettings.Connection"/>
-        </policy>
-        <policy context="default">
-                <allow send_destination="org.freedesktop.NetworkManagerUserSettings"
-                       send_interface="org.freedesktop.DBus.Introspectable"/>
-        </policy>
-
-        <limit name="max_replies_per_connection">512</limit>
-</busconfig>
-

proxyvm/bin/qubes_firewall

@@ -19,6 +19,9 @@ while true; do
 		IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
 		OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`
 		/usr/bin/xenstore-write $XENSTORE_ERROR "$OUT"
+		if [ "$OUT" ]; then
+			DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
+		fi
 
 		if [[ -z "$OUT" ]]; then
 			# If OK save it for later
@@ -29,5 +32,5 @@ while true; do
 	fi
 
 	# Wait for changes in xenstore file
-	/usr/bin/xenstore-watch $XENSTORE_IPTABLES
+	/usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
 done

proxyvm/bin/qubes_netwatcher

@@ -24,8 +24,8 @@ while true; do
 			/usr/bin/xenstore-write qubes_netvm_external_ip "$CURR_NETCFG"
 		fi
 
-		/usr/bin/xenstore-watch /local/domain/$NET_DOMID/qubes_netvm_external_ip
+		/usr/bin/xenstore-watch-qubes /local/domain/$NET_DOMID/qubes_netvm_external_ip
 	else
-		/usr/bin/xenstore-watch qubes_netvm_domid
+		/usr/bin/xenstore-watch-qubes qubes_netvm_domid
 	fi
 done

rpm_spec/core-commonvm.spec

@@ -33,6 +33,7 @@ License:	GPL
 URL:		http://www.qubes-os.org
 Requires:	/usr/bin/xenstore-read
 Requires:   fedora-release
+Requires:   yum-plugin-post-transaction-actions
 BuildRequires: xen-devel
 
 %define _builddir %(pwd)/common
@@ -71,24 +72,76 @@ install -m 644 RPM-GPG-KEY-qubes* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/
 mkdir -p $RPM_BUILD_ROOT/sbin
 cp qubes_serial_login $RPM_BUILD_ROOT/sbin
 mkdir -p $RPM_BUILD_ROOT/usr/bin
-cp xenstore-watch $RPM_BUILD_ROOT/usr/bin
+cp xenstore-watch $RPM_BUILD_ROOT/usr/bin/xenstore-watch-qubes
 mkdir -p $RPM_BUILD_ROOT/etc
 cp serial.conf $RPM_BUILD_ROOT/var/lib/qubes/
+mkdir -p $RPM_BUILD_ROOT/etc/udev/rules.d
+cp qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/
+mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes/
+cp setup_ip $RPM_BUILD_ROOT/usr/lib/qubes/
+cp qubes_download_dom0_updates.sh $RPM_BUILD_ROOT/usr/lib/qubes/
+mkdir -p $RPM_BUILD_ROOT/etc/yum/post-actions
+cp qubes_trigger_sync_appmenus.action $RPM_BUILD_ROOT/etc/yum/post-actions/
+mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes
+cp qubes_trigger_sync_appmenus.sh $RPM_BUILD_ROOT/usr/lib/qubes/
+mkdir -p $RPM_BUILD_ROOT/var/lib/qubes/dom0-updates
 
 %triggerin -- initscripts
 cp /var/lib/qubes/serial.conf /etc/init/serial.conf
 
 %post
 
-# Disable gpk-update-icon
+# disable some Upstart services
-sed 's/^NotShowIn=KDE;$/\0QUBES;/' -i /etc/xdg/autostart/gpk-update-icon.desktop
+for F in plymouth-shutdown prefdm splash-manager start-ttys tty ; do
+	if [ -e /etc/init/$F.conf ]; then
+		mv -f /etc/init/$F.conf /etc/init/$F.conf.disabled
+	fi
+done
 
+remove_ShowIn () {
+	if [ -e /etc/xdg/autostart/$1.desktop ]; then
+		sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/$1.desktop
+	fi
+}
+
+# don't want it at all
+for F in abrt-applet deja-dup-monitor imsettings-start krb5-auth-dialog pulseaudio restorecond sealertauto ; do
+	if [ -e /etc/xdg/autostart/$F.desktop ]; then
+		remove_ShowIn $F
+		echo 'NotShowIn=QUBES' >> /etc/xdg/autostart/$F.desktop
+	fi
+done
+
+# don't want it in DisposableVM
+for F in gcm-apply ; do
+	if [ -e /etc/xdg/autostart/$F.desktop ]; then
+		remove_ShowIn $F
+		echo 'NotShowIn=DisposableVM' >> /etc/xdg/autostart/$F.desktop
+	fi
+done
+
+# want it in AppVM only
+for F in gnome-keyring-gpg gnome-keyring-pkcs11 gnome-keyring-secrets gnome-keyring-ssh gnome-settings-daemon user-dirs-update-gtk gsettings-data-convert ; do
+	if [ -e /etc/xdg/autostart/$F.desktop ]; then
+		remove_ShowIn $F
+		echo 'OnlyShowIn=GNOME;AppVM;' >> /etc/xdg/autostart/$F.desktop
+	fi
+done
+
+# remove existing rule to add own later
+for F in gpk-update-icon nm-applet ; do
+	remove_ShowIn $F
+done
+
+echo 'OnlyShowIn=GNOME;UpdateableVM;' >> /etc/xdg/autostart/gpk-update-icon.desktop || :
+echo 'OnlyShowIn=GNOME;NetVM;' >> /etc/xdg/autostart/nm-applet.desktop || :
+
+usermod -p '' root
 if [ "$1" !=  1 ] ; then
 # do this whole %post thing only when updating for the first time...
 exit 0
 fi
 
-usermod -L root
 if ! [ -f /var/lib/qubes/serial.orig ] ; then
 	cp /etc/init/serial.conf /var/lib/qubes/serial.orig
 fi
@@ -177,4 +230,9 @@ rm -rf $RPM_BUILD_ROOT
 /etc/yum.repos.d/qubes%{dist}.repo
 /etc/pki/rpm-gpg/RPM-GPG-KEY-qubes*
 /sbin/qubes_serial_login
-/usr/bin/xenstore-watch
+/usr/bin/xenstore-watch-qubes
+/etc/udev/rules.d/qubes_network.rules
+/usr/lib/qubes/setup_ip
+/etc/yum/post-actions/qubes_trigger_sync_appmenus.action
+/usr/lib/qubes/qubes_trigger_sync_appmenus.sh
+/usr/lib/qubes/qubes_download_dom0_updates.sh

rpm_spec/core-netvm.spec

@@ -66,9 +66,6 @@ mkdir -p $RPM_BUILD_ROOT/var/run/qubes
 mkdir -p $RPM_BUILD_ROOT/etc/xen/scripts
 cp ../common/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts
 
-mkdir -p $RPM_BUILD_ROOT/etc/dbus-1/system.d
-cp ../netvm/dbus-nm-applet.conf $RPM_BUILD_ROOT/etc/dbus-1/system.d/qubes-nm-applet.conf
-
 %post
 
 # Create NetworkManager configuration if we do not have it
@@ -91,11 +88,6 @@ if [ "$1" = 0 ] ; then
     chkconfig qubes_core_netvm off
 fi
 
-%triggerin -- NetworkManager
-# Fix PolicyKit settings to allow run as normal user not visible to ConsoleKit
-sed 's#<defaults>$#\0<allow_any>yes</allow_any>#' -i /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy
-
-
 %clean
 rm -rf $RPM_BUILD_ROOT
 
@@ -108,4 +100,3 @@ rm -rf $RPM_BUILD_ROOT
 /etc/NetworkManager/dispatcher.d/qubes_nmhook
 /etc/NetworkManager/dispatcher.d/30-qubes_external_ip
 /etc/xen/scripts/vif-route-qubes
-/etc/dbus-1/system.d/qubes-nm-applet.conf

version_vm

@@ -1 +1 @@
-1.5.28
+1.6.1