From 45590a8190f62899fdb761dff35d487080fc395f Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Wed, 19 Sep 2012 12:55:45 +0200 Subject: [PATCH 1/9] vm/yum-proxy: allow pkgtags repodata --- network/filter-qubes-yum | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/network/filter-qubes-yum b/network/filter-qubes-yum index 2e712dd..eea5faa 100644 --- a/network/filter-qubes-yum +++ b/network/filter-qubes-yum @@ -1,4 +1,4 @@ -.*/repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$ +.*/repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$ .*/repodata/repomd\.xml$ .*\.rpm$ .*\.drpm$ From 8d69c40a370d883a7589452a76667a84ba98a79a Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Sun, 23 Sep 2012 23:25:39 +0200 Subject: [PATCH 2/9] vm/systemd: early user-configurable init script --- vm-systemd/misc-post.sh | 1 + vm-systemd/qubes-sysinit.sh | 3 +++ 2 files changed, 4 insertions(+) diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index b86e6a7..7db58d2 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh @@ -21,6 +21,7 @@ if [ -e /dev/xvdb ] ; then mkdir -p /rw/config touch /rw/config/rc.local + touch /rw/config/rc.local-early mkdir -p /rw/home cp -a /home.orig/user /home diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 77dac3f..b785a25 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -69,3 +69,6 @@ debug_mode=`$XS_READ qubes-debug-mode 2> /dev/null` if [ -n "$debug_mode" -a "$debug_mode" -gt 0 ]; then echo "GUI_OPTS=-vv" >> /var/run/qubes-service-environment fi + +[ -x /rw/config/rc.local-early ] && /rw/config/rc.local-early + From 615a6c0098e38cc18df339cb91f4f3dc8979010f Mon Sep 17 00:00:00 2001 
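Review bot: `touch /rw/config/rc.local-early` creates an empty file with the default (normally non-executable) mode and nothing near it says what the file is for, so a user looking in /rw/config has to find qubes-sysinit.sh to learn that it is only run once it has been made executable. A one-line comment above the touch would document that, e.g. `# user hook run early in boot by qubes-sysinit.sh once it is made executable`. The surrounding `if [ -e /dev/xvdb ]` block begins and ends outside this hunk.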
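Review bot: `[ -x /rw/config/rc.local-early ] && /rw/config/rc.local-early` appears to be the last command of qubes-sysinit.sh, so whenever the hook is absent — the default, since misc-post.sh only touches an empty file — the test fails, `&&` short-circuits and the script as a whole exits with status 1, which a systemd unit running it would report as a failure. Writing it as `if [ -x /rw/config/rc.local-early ]; then /rw/config/rc.local-early; fi` returns 0 when there is no hook and the hook's own status when there is one. Since the hook lives on the user-writable /rw volume but runs with this script's privileges, a comment stating that this is the intended trust boundary would help the next reader; the rest of the script is outside the hunk.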
From: Marek Marczykowski Date: Tue, 25 Sep 2012 13:34:59 +0200 Subject: [PATCH 3/9] vm/yum-proxy: filter regexp: add missing ^$ marks, remove unneded .* at the beginning Reported-by: Igor Bukanov --- network/filter-qubes-yum | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/network/filter-qubes-yum b/network/filter-qubes-yum index eea5faa..0bea36a 100644 --- a/network/filter-qubes-yum +++ b/network/filter-qubes-yum @@ -1,6 +1,6 @@ -.*/repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$ -.*/repodata/repomd\.xml$ -.*\.rpm$ -.*\.drpm$ -mirrors.fedoraproject.org:443 +/repodata/[A-Za-z0-9-]*\(primary\|filelists\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\|updateinfo\|pkgtags\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$ +/repodata/repomd\.xml$ +\.rpm$ +\.drpm$ +^mirrors.fedoraproject.org:443$ ^http://mirrors\..*/mirrorlist From 3839c156554d4477d8d524bd20c25dd890affd6f Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 25 Sep 2012 15:08:06 +0200 Subject: [PATCH 4/9] vm/yum-proxy: one more regexp fix --- network/filter-qubes-yum | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/network/filter-qubes-yum b/network/filter-qubes-yum index 0bea36a..828010e 100644 --- a/network/filter-qubes-yum +++ b/network/filter-qubes-yum @@ -2,5 +2,5 @@ /repodata/repomd\.xml$ \.rpm$ \.drpm$ -^mirrors.fedoraproject.org:443$ -^http://mirrors\..*/mirrorlist +^mirrors\.fedoraproject\.org:443$ +^http://mirrors\..*/mirrorlist\? From 6345c4570a23ab7cb12e21aa776a847c029cee40 Mon Sep 17 00:00:00 2001 
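Review bot: `^http://mirrors\..*/mirrorlist\?` does not match a literal question mark: in the GNU basic-regex dialect this file already relies on (`comps\(-[a-z0-9]*\)\?` on the first line), `\?` makes the preceding `t` optional, so the line now matches `.../mirrorlis` as well as `.../mirrorlist`, and because the pattern has no `$` anchor a query string was already accepted before this change. If the intent is to require the `?`, write the plain character, `^http://mirrors\..*/mirrorlist?`, or `[?]`; if a prefix match was all that was wanted, the previous line was already sufficient. This assumes tinyproxy compiles the filter without REG_EXTENDED, which the `\(`, `\|` groups on the other lines imply.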
From: Marek Marczykowski Date: Tue, 25 Sep 2012 16:04:47 +0200 Subject: [PATCH 5/9] vm/iptables: block IPv6 traffic This isn't properly handled by Qubes VMs yet, so block it in all the VMs. Also restrict access to firewall config. --- network/ip6tables | 8 ++++++++ rpm_spec/core-vm.spec | 6 +++++- 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 network/ip6tables diff --git a/network/ip6tables b/network/ip6tables new file mode 100644 index 0000000..8a906f5 --- /dev/null +++ b/network/ip6tables @@ -0,0 +1,8 @@ +# Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012 +*filter +:INPUT DROP [1:72] +:FORWARD DROP [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -i lo -j ACCEPT +COMMIT +# Completed on Tue Sep 25 16:00:20 2012 diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index f9ba774..0c576bf 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -139,7 +139,8 @@ ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes -install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables +install -m 0400 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables +install -m 0400 -D network/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum @@ -371,6 +372,7 @@ rm -rf $RPM_BUILD_ROOT /etc/qubes_rpc/qubes.SuspendPost /etc/sudoers.d/qubes /etc/sysconfig/iptables +/etc/sysconfig/ip6tables /etc/sysconfig/modules/qubes_core.modules /etc/tinyproxy/filter-qubes-yum /etc/tinyproxy/tinyproxy-qubes-yum.conf 
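Review bot: The ruleset keeps `:OUTPUT ACCEPT [0:0]`, so although INPUT and FORWARD drop everything, a process in the VM can still emit IPv6 packets (its replies are then dropped on INPUT), which is narrower than the "block IPv6 traffic" the commit describes. If the aim is a full block until Qubes handles IPv6, set `:OUTPUT DROP [0:0]` and add `-A OUTPUT -o lo -j ACCEPT` so loopback keeps working in both directions. A short `#` comment above `*filter` stating that the deny-all policy is deliberate until IPv6 is supported would keep someone from "fixing" it later.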
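Review bot: The new `%files` entry `/etc/sysconfig/ip6tables` (like the existing `/etc/sysconfig/iptables` line above it) carries no `%config` marker in the visible lines, so unless a `%config` or `%defattr` directive outside this hunk covers them, a package upgrade silently replaces a locally edited ruleset. If local edits are meant to survive, `%config(noreplace) /etc/sysconfig/ip6tables` keeps them; if the package is meant to own the rules, a comment saying so next to the entry avoids the question. The 0400 mode from the `install -m 0400` lines in the earlier hunk is what rpm will record for these files, which matches the commit's intent.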
@@ -489,6 +491,7 @@ chkconfig rsyslog on chkconfig haldaemon on chkconfig messagebus on chkconfig iptables on +chkconfig ip6tables on chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!" chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!" chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core_netvm!" @@ -610,6 +613,7 @@ rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service # Enable some services /bin/systemctl enable iptables.service 2> /dev/null +/bin/systemctl enable ip6tables.service 2> /dev/null /bin/systemctl enable rsyslog.service 2> /dev/null /bin/systemctl enable ntpd.service 2> /dev/null # Disable original service to enable overriden one From 004e5d9476a4e149f2e94272aded787fde8172f5 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 27 Sep 2012 02:06:26 +0200 Subject: [PATCH 6/9] vm/file-editor: connect /dev/null as stdin (#657) If stdin is closed (not connected to /dev/null) first opened file will get fd=0 and will be treated as stdin. --- qubes_rpc/vm-file-editor.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/qubes_rpc/vm-file-editor.c b/qubes_rpc/vm-file-editor.c index 96c3bd4..4a83785 100644 --- a/qubes_rpc/vm-file-editor.c +++ b/qubes_rpc/vm-file-editor.c @@ -57,7 +57,7 @@ main() { struct stat stat_pre, stat_post, session_stat; char *filename = get_filename(); - int child, status, log_fd; + int child, status, log_fd, null_fd; char var[1024], val[4096]; FILE *env_file; FILE *waiter_pidfile; @@ -100,7 +100,9 @@ main() perror("fork"); exit(1); case 0: - close(0); + null_fd = open("/dev/null", O_RDONLY); + dup2(null_fd, 0); + close(null_fd); env_file = fopen("/tmp/qubes-session-env", "r"); while(fscanf(env_file, "%1024[^=]=%4096[^\n]\n", var, val) == 2) { From c2a049ef3297bc8f2787d413f407e8cda099a151 Mon Sep 17 00:00:00 2001 
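Review bot: The `/dev/null` replacement undoes itself in exactly the case the commit targets: when stdin is closed, `open("/dev/null", O_RDONLY)` returns the lowest free descriptor, 0, so `dup2(0, 0)` is a no-op and `close(null_fd)` closes stdin again, leaving fd 0 free for the first file the editor opens. A failed `open` (return value -1) is also unchecked, making `dup2(-1, 0)` fail silently. Guard both: exit on `open` failure, as the `fork` failure path above already does, and only dup/close when `null_fd != 0`. The `null_fd` declaration in the earlier hunk is fine; `main` begins and the `case 0:` branch continues outside this hunk.

```c
        case 0:
            null_fd = open("/dev/null", O_RDONLY);
            if (null_fd < 0) {
                perror("open /dev/null");
                exit(1);
            }
            /* open() hands out the lowest free descriptor, so when stdin was
               closed null_fd is already 0 and must not be closed again */
            if (null_fd != 0) {
                dup2(null_fd, 0);
                close(null_fd);
            }
            /* … unchanged: session environment file parsing … */
```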
From: Bruce A Downs Date: Thu, 27 Sep 2012 10:25:18 -0600 Subject: [PATCH 7/9] vm/spec: mod to core-vm.spec to add test for files core rpm was failing during uninstall attempting to move non-existent files * /var/lib/qubes/fstab.orig * /var/lib/qubes/serial.orig --- rpm_spec/core-vm.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 0c576bf..f1a5e5d 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -328,9 +328,13 @@ mkdir -p /rw %preun if [ "$1" = 0 ] ; then # no more packages left + if [ -e /var/lib/qubes/fstab.orig ] ; then mv /var/lib/qubes/fstab.orig /etc/fstab + fi mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/ + if [ -e /var/lib/qubes/serial.orig ] ; then mv /var/lib/qubes/serial.orig /etc/init/serial.conf + fi fi %postun From e2caaf0764470c789e83409cd5cdbfe0377ba3d1 Mon Sep 17 00:00:00 2001 From: Bruce A Downs Date: Thu, 27 Sep 2012 10:35:48 -0600 Subject: [PATCH 8/9] vm: Added 'most recently used' feature to 'copy to vm' dialog * replaced zenity to qvm-mru-entry in qubes_rpc/qvm-copy-to-vm.gnome * added python script qubes_rpc/qvm-mru-entry * added /usr/bin/qvm-mru-entry to rpm_spec/core-vm.spec --- qubes_rpc/qvm-copy-to-vm.gnome | 2 +- qubes_rpc/qvm-mru-entry | 165 +++++++++++++++++++++++++++++++++ rpm_spec/core-vm.spec | 3 +- 3 files changed, 168 insertions(+), 2 deletions(-) create mode 100755 qubes_rpc/qvm-mru-entry diff --git a/qubes_rpc/qvm-copy-to-vm.gnome b/qubes_rpc/qvm-copy-to-vm.gnome index cb2b86e..e6c6c70 100755 --- a/qubes_rpc/qvm-copy-to-vm.gnome +++ b/qubes_rpc/qvm-copy-to-vm.gnome @@ -20,7 +20,7 @@ # # -VM=$(zenity --entry --title="File Copy" --text="Enter the destination domain name:") +VM=$(qvm-mru-entry --title="File Copy" --text="Enter the destination domain name:" --mrufile "qvm-mru-filecopy") if [ X$VM = X ] ; then exit 0 ; fi SIZE=$(du --apparent-size -c "$@" | tail -1 | cut -f 1) 
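Review bot: `mv /var/lib/qubes/removed-udev-scripts/* /etc/udev/rules.d/`, between the two new guards, has the same failure mode the commit fixes for fstab.orig and serial.orig: if the directory is missing or empty the glob stays literal and mv exits non-zero, failing the `%preun` scriptlet. A loop that skips non-existent entries covers both cases, `for f in /var/lib/qubes/removed-udev-scripts/*; do [ -e "$f" ] || continue; mv "$f" /etc/udev/rules.d/; done`. The enclosing `if [ "$1" = 0 ]` block and the scriptlet continue beyond the hunk.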
diff --git a/qubes_rpc/qvm-mru-entry b/qubes_rpc/qvm-mru-entry new file mode 100755 index 0000000..b516753 --- /dev/null +++ b/qubes_rpc/qvm-mru-entry 
@@ -0,0 +1,165 @@ +#!/usr/bin/python +# +# The Qubes OS Project, http://www.qubes-os.org +# +# Copyright (C) 2012 Bruce Downs +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# +import os +from optparse import OptionParser +import gtk + +class QubesMruDialog(gtk.Dialog): + entry = None + mrufile = None + + def __init__(self, title, text, mrufile): + self.mrufile = mrufile + + gtk.Dialog.__init__( + self, + title, + None, + 0, + (gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL, + gtk.STOCK_OK, gtk.RESPONSE_OK)) + + # setting the default response to 'ok' + # does not work as advertised + # using key-press-event instead + #self.set_default_response(gtk.RESPONSE_OK) + + self.connect("destroy", lambda *w: gtk.main_quit()) + self.connect("response", self.response_callback) + self.connect("key-press-event", self.key_press_callback) + + self.set_position(gtk.WIN_POS_CENTER) + self.set_resizable(True) + + vbox = gtk.VBox(True, 5) + self.vbox.pack_start(vbox, True, True, 0) + vbox.set_border_width(5) + + label = gtk.Label() + label.set_markup(text) + vbox.pack_start(label, False, False, 0) + + # Create our entry + self.entry = gtk.Entry() + vbox.pack_start(self.entry, False, False, 0) + + # Create the completion object + completion = gtk.EntryCompletion() + + # Assign the completion to the entry + 
self.entry.set_completion(completion) + + # Create a tree model and use it as the completion model + completion_model, firstline = self.create_completion_model() + completion.set_model(completion_model) + + # Use model column 0 as the text column + completion.set_text_column(0) + + if firstline: + self.entry.set_text(firstline) + + self.show_all() + + def create_completion_model(self): + store = gtk.ListStore(str) + firstline = None + + if self.mrufile and os.access(self.mrufile, os.R_OK): + # read lines from mru file + lines = [line.strip() for line in open(self.mrufile)] + for line in lines: + if not firstline: + firstline = line + + iter = store.append() + store.set(iter, 0, line) + + return store, firstline + + def handle_ok(self): + my_entry = self.entry.get_text() + + if len(my_entry) > 0: + linesorg = [] + linesorg.insert(0, my_entry) + + # calc mru lines + if os.access(self.mrufile, os.R_OK): + # read lines from existing mru file + fMru = open(self.mrufile, "r") + linesorg += [line.strip() for line in fMru] + fMru.close() + + #uniqify + linesuniq = [] + for lineuniq in linesorg: + if (len(lineuniq) > 0 and lineuniq not in linesuniq): + linesuniq.append(lineuniq) + + # write to mru + # up to 50 unique + fMru = file(self.mrufile, "w") + fMru.writelines( "%s\n" % line for line in linesuniq[:50] ) + fMru.close() + + # print entry to stdout + print my_entry + + def response_callback(self, button, response_id): + if response_id == gtk.RESPONSE_OK: + self.handle_ok() + self.destroy() + + def key_press_callback(self, button, event): + if event.keyval == gtk.keysyms.Return: + self.handle_ok() + self.destroy() + +def main(): + usage = "usage: %prog [--title 'Qubes Title'] [--text 'Qubes Text'] [--mrufile 'mru file name']" + parser = OptionParser (usage) + parser.add_option ("-l", "--title", + action="store", + dest="title", + default="Qubes MRU Dialog Entry", + help="Set the dialog title [%default]") + parser.add_option ("-x", "--text", + action="store", + 
dest="text", + default="Enter Qubes text:", + help="Set the dialog text [%default]") + parser.add_option ("-f", "--mrufile", + action="store", + dest="mrufile", + default='qvm-mru', + help="MRU file name [%default]") + (options, args) = parser.parse_args () + + mrudir = os.path.expanduser('~') + os.sep + '.config' + if not os.path.exists(mrudir): + os.makedirs(mrudir) + QubesMruDialog(options.title, options.text, mrudir + os.sep + options.mrufile) + gtk.main() + +main() + diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index f1a5e5d..72bf87a 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -153,7 +153,7 @@ install network/qubes_netwatcher $RPM_BUILD_ROOT/usr/sbin/ install -d $RPM_BUILD_ROOT/usr/bin -install qubes_rpc/{qvm-open-in-dvm,qvm-open-in-vm,qvm-copy-to-vm,qvm-run} $RPM_BUILD_ROOT/usr/bin +install qubes_rpc/{qvm-open-in-dvm,qvm-open-in-vm,qvm-copy-to-vm,qvm-run,qvm-mru-entry} $RPM_BUILD_ROOT/usr/bin install qubes_rpc/wrap_in_html_if_url.sh $RPM_BUILD_ROOT/usr/lib/qubes install qubes_rpc/qvm-copy-to-vm.kde $RPM_BUILD_ROOT/usr/lib/qubes install qubes_rpc/qvm-copy-to-vm.gnome $RPM_BUILD_ROOT/usr/lib/qubes @@ -393,6 +393,7 @@ rm -rf $RPM_BUILD_ROOT /usr/bin/qvm-open-in-dvm /usr/bin/qvm-open-in-vm /usr/bin/qvm-run +/usr/bin/qvm-mru-entry /usr/bin/xenstore-watch-qubes %dir /usr/lib/qubes /usr/lib/qubes/block_add_change From 949222f6922ebbc1c64579ae2a48083ff12636ea Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Thu, 4 Oct 2012 05:29:10 +0200 Subject: [PATCH 9/9] vm/spec: fix adding yum-proxy configuration Do not add entry if already present. --- rpm_spec/core-vm.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 72bf87a..dd5e26a 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
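Review bot: In `handle_ok` the result is only printed after the MRU file has been rewritten, so if `file(self.mrufile, "w")` raises (an unwritable `~/.config`, for instance) the exception escapes the GTK callback before `print my_entry` and, presumably, before `self.destroy()` in `response_callback`, and the caller that does `VM=$(qvm-mru-entry ...)` gets nothing back even though the user entered a name. Persisting history is best-effort, so move `print my_entry` to the top of the `if len(my_entry) > 0:` block and wrap the read/uniqify/write of the MRU file in `try: ... except IOError: pass` with a comment that history loss is acceptable. The stored lines are `strip()`ed but the printed entry is not, so `my_entry = self.entry.get_text().strip()` would make what the caller receives match what is remembered. Note also that `mrudir + os.sep + options.mrufile` in `main` joins the `--mrufile` name unchecked, so a value containing a path separator or `..` lands outside `~/.config`; the callers on this page pass a fixed literal, so a one-line comment that the option is expected to be a bare file name would suffice.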
@@ -257,7 +257,7 @@ if ! [ -e /lib/firmware/updates ]; then ln -s /lib/modules/firmware /lib/firmware/updates fi -if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'; then +if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then echo >> /etc/yum.conf echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
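Review bot: `grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf` now reads the right file, but when `/etc/yum.conf` is absent grep prints an error to stderr and exits 2; the `!` turns that into "entry missing" and the echos then create the file, which is presumably the intended outcome, so `grep -qs ...` would suppress only the spurious message while keeping that behaviour. The scriptlet this `if` belongs to starts outside the hunk.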