Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

various patches for debian

Browse Source 
this should enable debian based templates to be used as proxy/netvm
This commit is contained in:
HW42 2014-09-26 19:56:12 +02:00
parent 70bbc7923d
commit 4886411570
6 changed files with 40 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
network/qubes-firewall
View File

@ -23,8 +23,8 @@ while true; do
TRIGGER=reload TRIGGER=reload
else else
# Wait for changes in xenstore file # Wait for changes in xenstore file
/usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES xenstore-watch-qubes $XENSTORE_IPTABLES
TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES) TRIGGER=$(xenstore-read $XENSTORE_IPTABLES)
fi fi
if ! [ "$TRIGGER" = "reload" ]; then continue ; fi if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
@ -34,19 +34,19 @@ while true; do
# during the time when the rules are being (re)applied # during the time when the rules are being (re)applied
echo "0" > /proc/sys/net/ipv4/ip_forward echo "0" > /proc/sys/net/ipv4/ip_forward
RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER) RULES=$(xenstore-read $XENSTORE_IPTABLES_HEADER)
IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d') IPTABLES_SAVE=$(iptables-save | sed '/^\*filter/,/^COMMIT/d')
OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || true` OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | iptables-restore 2>&1 || true`
for i in $(xenstore-list qubes-iptables-domainrules) ; do for i in $(xenstore-list qubes-iptables-domainrules) ; do
RULES=$(/usr/bin/xenstore-read qubes-iptables-domainrules/"$i") RULES=$(xenstore-read qubes-iptables-domainrules/"$i")
ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true` ERRS=`echo -e "$RULES" | iptables-restore -n 2>&1 || true`
echo "Failed applying rules for $i: $ERRS" >&2 echo "Failed applying rules for $i: $ERRS" >&2
OUT="$OUT$ERRS" OUT="$OUT$ERRS"
done done
/usr/bin/xenstore-write $XENSTORE_ERROR "$OUT" xenstore-write $XENSTORE_ERROR "$OUT"
if [ "$OUT" ]; then if [ "$OUT" ]; then
DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || : DISPLAY=:0 notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
fi fi
# Check if user didn't define some custom rules to be applied as well... # Check if user didn't define some custom rules to be applied as well...

10
network/qubes-netwatcher
View File

@ -11,9 +11,9 @@ echo $$ >$PIDFILE
trap 'exit 0' SIGTERM trap 'exit 0' SIGTERM
while true; do while true; do
NET_DOMID=$(/usr/bin/xenstore-read qubes-netvm-domid || :) NET_DOMID=$(xenstore-read qubes-netvm-domid || :)
if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then
UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :) UNTRUSTED_NETCFG=$(xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :)
# UNTRUSTED_NETCFG is not parsed in any way # UNTRUSTED_NETCFG is not parsed in any way
# thus, no sanitization ready # thus, no sanitization ready
# but be careful when passing it to other shell scripts # but be careful when passing it to other shell scripts
@ -21,11 +21,11 @@ while true; do
/sbin/service qubes-firewall stop /sbin/service qubes-firewall stop
/sbin/service qubes-firewall start /sbin/service qubes-firewall start
CURR_NETCFG="$UNTRUSTED_NETCFG" CURR_NETCFG="$UNTRUSTED_NETCFG"
/usr/bin/xenstore-write qubes-netvm-external-ip "$CURR_NETCFG" xenstore-write qubes-netvm-external-ip "$CURR_NETCFG"
fi fi
/usr/bin/xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid
else else
/usr/bin/xenstore-watch -n 2 qubes-netvm-domid xenstore-watch -n 2 qubes-netvm-domid
fi fi
done done

2
network/qubes-setup-dnat-to-ns
View File

@ -10,7 +10,7 @@ addrule()
fi fi
} }
export PATH=$PATH:/sbin:/bin export PATH=$PATH:/sbin:/bin
source /var/run/qubes/qubes-ns . /var/run/qubes/qubes-ns
if [ "X"$NS1 = "X" ] ; then exit ; fi if [ "X"$NS1 = "X" ] ; then exit ; fi
iptables -t nat -F PR-QBS iptables -t nat -F PR-QBS
FIRSTONE=yes FIRSTONE=yes

16
vm-systemd/misc-post.sh
View File

@ -1,9 +1,17 @@
#!/bin/sh #!/bin/sh
if [ -f /var/run/qubes-service/yum-proxy-setup ]; then if [ -e /etc/debian_version ]; then
echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf if [ -f /var/run/qubes-service/yum-proxy-setup ]; then
echo 'Acquire::http::proxy "http://10.137.255.254:8082/";' > /etc/apt/apt.conf.d/80qubes-proxy
else
echo > /etc/apt/apt.conf.d/80qubes-proxy
fi
else else
echo > /etc/yum.conf.d/qubes-proxy.conf if [ -f /var/run/qubes-service/yum-proxy-setup ]; then
echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
else
echo > /etc/yum.conf.d/qubes-proxy.conf
fi
fi fi
# Set IP address again (besides action in udev rules); this is needed by # Set IP address again (besides action in udev rules); this is needed by
@ -51,7 +59,7 @@ fi
# Start AppVM specific services # Start AppVM specific services
if [ ! -f /etc/systemd/system/cups.service ]; then if [ ! -f /etc/systemd/system/cups.service ]; then
if [ -f /var/run/qubes-service/cups ]; then if [ -f /var/run/qubes-service/cups ]; then
/sbin/service cups start service cups start
# Allow also notification icon # Allow also notification icon
sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop
else else

1
vm-systemd/qubes-qrexec-agent.service
View File

@ -3,6 +3,7 @@ Description=Qubes remote exec agent
After=qubes-dvm.service After=qubes-dvm.service
[Service] [Service]
ExecStartPre=/bin/sh -c '[ -e /dev/xen/evtchn ] || modprobe xen_evtchn'
ExecStart=/usr/lib/qubes/qrexec-agent ExecStart=/usr/lib/qubes/qrexec-agent
StandardOutput=syslog StandardOutput=syslog

18
vm-systemd/qubes-sysinit.sh
View File

@ -1,4 +1,4 @@
#!/bin/sh #!/bin/bash
# List of services enabled by default (in case of absence of xenstore entry) # List of services enabled by default (in case of absence of xenstore entry)
DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy" DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy"
@ -7,8 +7,8 @@ DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check"
DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM yum-proxy-setup" DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM yum-proxy-setup"
DEFAULT_ENABLED="meminfo-writer" DEFAULT_ENABLED="meminfo-writer"
XS_READ=/usr/bin/xenstore-read XS_READ=xenstore-read
XS_LS=/usr/bin/xenstore-ls XS_LS=xenstore-ls
read_service() { read_service() {
$XS_READ qubes-service/$1 2> /dev/null $XS_READ qubes-service/$1 2> /dev/null
@ -31,6 +31,8 @@ mkdir -p /var/run/xen-hotplug
# Set permissions to /proc/xen/xenbus, so normal user can use xenstore-read # Set permissions to /proc/xen/xenbus, so normal user can use xenstore-read
chmod 666 /proc/xen/xenbus chmod 666 /proc/xen/xenbus
[ -e /proc/u2mfn ] || modprobe u2mfn
# Set permissions to files needed to listen at vchan # Set permissions to files needed to listen at vchan
chmod 666 /proc/u2mfn chmod 666 /proc/u2mfn
@ -65,9 +67,13 @@ fi
timezone=`$XS_READ qubes-timezone 2> /dev/null` timezone=`$XS_READ qubes-timezone 2> /dev/null`
if [ -n "$timezone" ]; then if [ -n "$timezone" ]; then
ln -f /usr/share/zoneinfo/$timezone /etc/localtime cp -p /usr/share/zoneinfo/$timezone /etc/localtime
echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock if [ -e /etc/debian_version ]; then
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock echo "$timezone" > /etc/timezone
else
echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
fi
fi fi
# Prepare environment for other services # Prepare environment for other services