From e54d35b8d1ca4e5e1a1d4414d4347d0db77a8093 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Fri, 19 Jul 2013 03:40:06 +0200 Subject: [PATCH 01/11] suspend: Blacklist iwldvm Some users reports that this module causes problems on resume. So unload it before suspend and load again at resume. --- qubes-rpc/prepare-suspend | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/qubes-rpc/prepare-suspend b/qubes-rpc/prepare-suspend index a12b1af..a840c3d 100755 --- a/qubes-rpc/prepare-suspend +++ b/qubes-rpc/prepare-suspend @@ -10,7 +10,10 @@ if [ x"$action" == x"suspend" ]; then ip l s $if down done modprobe -r uhci_hcd ehci_hcd ehci_pci + lsmod|grep -q iwldvm && touch /var/run/qubes/suspend-iwldvm-loaded + modprobe -r iwldvm else - modprobe ehci_pci; modprobe uhci_hcd; + modprobe ehci_pci; modprobe uhci_hcd + test -e /var/run/qubes/suspend-iwldvm-loaded && modprobe iwldvm nmcli nm sleep false || { [ -x /bin/systemctl ] && systemctl start NetworkManager.service; } || service qubes-core-netvm start fi From 8c9433fc005a5c376508699f0c96d4430af14d98 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 5 Aug 2013 02:08:52 +0200 Subject: [PATCH 02/11] yum-proxy: use iptables-restore to set firewall rules Simple iptables sometimes returns EBUSY. --- Makefile | 1 + network/iptables-yum-proxy | 17 +++++++++++++++++ rpm_spec/core-vm.spec | 1 + vm-systemd/qubes-yum-proxy.service | 6 ++---- 4 files changed, 21 insertions(+), 4 deletions(-) create mode 100755 network/iptables-yum-proxy diff --git a/Makefile b/Makefile index 52477a4..b099384 100644 --- a/Makefile +++ b/Makefile 
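Review bot: The marker `/var/run/qubes/suspend-iwldvm-loaded` is created on suspend but never removed on resume. After one suspend with iwldvm loaded, every later resume will therefore run `modprobe iwldvm`, even if the module was deliberately unloaded in between. Consuming the marker keeps the state per suspend cycle: `test -e /var/run/qubes/suspend-iwldvm-loaded && { rm -f /var/run/qubes/suspend-iwldvm-loaded; modprobe iwldvm; }`. The enclosing `if` starts before the hunk.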
@@ -103,6 +103,7 @@ install-vm: install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables install -m 0644 -D network/tinyproxy-qubes-yum.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-qubes-yum.conf install -m 0644 -D network/filter-qubes-yum $(DESTDIR)/etc/tinyproxy/filter-qubes-yum + install -m 0755 -D network/iptables-yum-proxy $(DESTDIR)/usr/lib/qubes/iptables-yum-proxy install -d $(DESTDIR)/etc/yum.conf.d touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf diff --git a/network/iptables-yum-proxy b/network/iptables-yum-proxy new file mode 100755 index 0000000..eaaa4f0 --- /dev/null +++ b/network/iptables-yum-proxy @@ -0,0 +1,17 @@ +#!/bin/sh + +if [ "$1" == "start" ]; then + CMD="-I" +else + # Remove rules + CMD="-D" +fi + +cat <<__EOF__ | iptables-restore -n +*filter +$CMD INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT +COMMIT +*nat +$CMD PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +COMMIT +__EOF__ diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 1335a4e..3b10c52 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -323,6 +323,7 @@ rm -f %{name}-%{version} /usr/lib/qubes/setup-ip /usr/lib/qubes/vm-file-editor /usr/lib/qubes/wrap-in-html-if-url.sh +/usr/lib/qubes/iptables-yum-proxy /usr/lib/yum-plugins/yum-qubes-hooks.py* /usr/sbin/qubes-firewall /usr/sbin/qubes-netwatcher diff --git a/vm-systemd/qubes-yum-proxy.service b/vm-systemd/qubes-yum-proxy.service index b03c34d..22381b3 100644 --- a/vm-systemd/qubes-yum-proxy.service +++ b/vm-systemd/qubes-yum-proxy.service 
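Review bot: In the new `network/iptables-yum-proxy`, `[ "$1" == "start" ]` uses `==`, which is not a POSIX `test` operator although the script declares `#!/bin/sh`; on a shell where the test errors out, `start` falls through to the `-D` branch. `if [ "$1" = "start" ]; then` is portable. Any argument other than `start`, including none or a typo, currently deletes the rules, so for a firewall helper a `case` with explicit `start` and `stop` arms and an error for everything else would be safer. The nat rule was appended with `-A PR-QBS-SERVICES` in the old unit file and is now inserted with `-I`, which puts the REDIRECT at the top of the chain; if ordering against other PR-QBS-SERVICES rules matters, keep `-A` for that table.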
@@ -5,11 +5,9 @@ After=iptables.service [Service] ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy -ExecStartPre=/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT -ExecStartPre=/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +ExecStartPre=/usr/lib/qubes/iptables-yum-proxy start ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf -ExecStopPost=/sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT -ExecStopPost=/sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT +ExecStopPost=/usr/lib/qubes/iptables-yum-proxy stop [Install] WantedBy=multi-user.target From 596a3ebd8e502101248d57d1a47c504a831acbf2 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Mon, 29 Apr 2013 02:48:18 +0200 Subject: [PATCH 03/11] network: do not fail when eth0 doesn't exists It can be perfectly right case for wireless-only netvm. --- vm-systemd/network-proxy-setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vm-systemd/network-proxy-setup.sh b/vm-systemd/network-proxy-setup.sh index ce91acb..020edb2 100755 --- a/vm-systemd/network-proxy-setup.sh +++ b/vm-systemd/network-proxy-setup.sh @@ -11,5 +11,5 @@ if [ "x$network" != "x" ]; then echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns /usr/lib/qubes/qubes-setup-dnat-to-ns echo "1" > /proc/sys/net/ipv4/ip_forward - /sbin/ethtool -K eth0 sg off + /sbin/ethtool -K eth0 sg off || : fi From bfd544eb874f61bd991ebb32691d70e3ccfdc3d4 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Wed, 7 Aug 2013 11:20:33 +0200 Subject: [PATCH 04/11] makefile: Use the sbindir variable instead of a fixed path --- Makefile | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index b099384..93cfd32 100644 --- a/Makefile +++ b/Makefile 
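Review bot: `|| :` on the `ethtool -K eth0 sg off` line hides every failure, not only the missing-eth0 case named in the commit message, so a netvm that has eth0 but fails to turn scatter-gather off would go unnoticed. Testing for the interface keeps the other errors visible: `[ ! -e /sys/class/net/eth0 ] || /sbin/ethtool -K eth0 sg off`. If the blanket ignore is intended, a comment such as `# eth0 is absent in wireless-only netvms` above the line would record why. The enclosing `if` block starts outside the hunk.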
@@ -4,6 +4,7 @@ VERSION := $(shell cat version) DIST ?= fc18 KDESERVICEDIR ?= /usr/share/kde4/services +SBINDIR ?= /usr/sbin help: @echo "make rpms -- generate binary rpm packages" @@ -54,7 +55,7 @@ install-vm: install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes install -D -m 0644 misc/qubes.repo $(DESTDIR)/etc/yum.repos.d/qubes.repo install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/lib/qubes/serial.conf - install -D misc/qubes-serial-login $(DESTDIR)/sbin/qubes-serial-login + install -D misc/qubes-serial-login $(DESTDIR)$(SBINDIR)/qubes-serial-login install -d $(DESTDIR)/usr/share/glib-2.0/schemas/ install -m 0644 misc/org.gnome.settings-daemon.plugins.updates.gschema.override $(DESTDIR)/usr/share/glib-2.0/schemas/ install -d $(DESTDIR)/usr/lib/yum-plugins/ @@ -108,9 +109,9 @@ install-vm: install -d $(DESTDIR)/etc/yum.conf.d touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf - install -d $(DESTDIR)/usr/sbin - install network/qubes-firewall $(DESTDIR)/usr/sbin/ - install network/qubes-netwatcher $(DESTDIR)/usr/sbin/ + install -d $(DESTDIR)$(SBINDIR) + install network/qubes-firewall $(DESTDIR)$(SBINDIR)/ + install network/qubes-netwatcher $(DESTDIR)$(SBINDIR)/ install -d $(DESTDIR)/usr/bin From 6e4e45a2c832acfd3f9da959436e9b7c5eb4a727 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Wed, 7 Aug 2013 11:21:26 +0200 Subject: [PATCH 05/11] archlinux: avoid installing tools into /sbin or /usr/sbin as required by archlinux --- archlinux/PKGBUILD | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index eae108b..ab9fa17 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD @@ -6,7 +6,7 @@ # Maintainer: Olivier Medoc pkgname=qubes-vm-core pkgver=`cat version` -pkgrel=12 +pkgrel=13 epoch= pkgdesc="The Qubes core files for installation inside a Qubes VM." arch=("x86_64") 
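Review bot: `SBINDIR` now decides where `qubes-serial-login`, `qubes-firewall` and `qubes-netwatcher` are installed, but nothing in these hunks rewrites the files that refer to those binaries by absolute path. A build with `SBINDIR` overridden can therefore install units that point at a path where the binary is absent; the later patches in this series fix the paths with `sed` in the PKGBUILD and by hand in `misc/serial.conf`. For `qubes-firewall`, a unit that cannot start means the firewall daemon is not running. Either generate those paths from `$(SBINDIR)` at install time or document the coupling next to the variable, e.g. `# SBINDIR must match the paths hard-coded in vm-systemd/*.service and misc/serial.conf`. The same comment could mention that `?=` also takes the value from the environment.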
@@ -48,6 +48,11 @@ sed 's:/sbin/ethtool:ethtool:g' -i network/* sed 's:/sbin/ip:ip:g' -i network/* sed 's:/bin/grep:grep:g' -i network/* +# Fix for archlinux sbindir +sed 's:/usr/sbin/ntpdate:ntpdate:g' -i qubes-rpc/sync-ntp-clock +sed 's:/usr/sbin/qubes-netwatcher:qubes-netwatcher:g' -i vm-systemd/qubes-netwatcher.service +sed 's:/usr/sbin/qubes-firewall:qubes-firewall:g' -i vm-systemd/qubes-firewall.service + for dir in qubes-rpc qrexec misc; do (cd $dir; make) done @@ -55,10 +60,11 @@ done } package() { + # Note: Archlinux removed use of directory such as /sbin /bin /usr/sbin (https://mailman.archlinux.org/pipermail/arch-dev-public/2012-March/022625.html) + + (cd qrexec; make install DESTDIR=$pkgdir SBINDIR=/usr/bin) - (cd qrexec; make install DESTDIR=$pkgdir) - - make install-vm DESTDIR=$pkgdir DIST=archlinux + make install-vm DESTDIR=$pkgdir SBINDIR=/usr/bin DIST=archlinux # Convert module loading to ARCHLINUX mkdir -p $pkgdir/etc/modules-load.d/ From 4a657d77fb3f321104513f7ec283228d1c056364 Mon Sep 17 00:00:00 2001 From: Olivier MEDOC Date: Tue, 13 Aug 2013 09:36:35 +0200 Subject: [PATCH 06/11] archlinux: fix systemd scripts to ensure that absolute path are used --- archlinux/PKGBUILD | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index ab9fa17..346bab5 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD 
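Review bot: In `package()`, `(cd qrexec; make install DESTDIR=$pkgdir SBINDIR=/usr/bin)` joins the commands with `;`, so a failed `cd` lets `make install` run in the top-level directory instead. `$pkgdir` is also unquoted, so a build path containing spaces splits the argument. Suggested: `(cd qrexec && make install DESTDIR="$pkgdir" SBINDIR=/usr/bin)` and `make install-vm DESTDIR="$pkgdir" SBINDIR=/usr/bin DIST=archlinux`. The removed lines had the same habits, but the lines are being rewritten here anyway.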
@@ -49,9 +49,9 @@ sed 's:/sbin/ip:ip:g' -i network/* sed 's:/bin/grep:grep:g' -i network/* # Fix for archlinux sbindir -sed 's:/usr/sbin/ntpdate:ntpdate:g' -i qubes-rpc/sync-ntp-clock -sed 's:/usr/sbin/qubes-netwatcher:qubes-netwatcher:g' -i vm-systemd/qubes-netwatcher.service -sed 's:/usr/sbin/qubes-firewall:qubes-firewall:g' -i vm-systemd/qubes-firewall.service +sed 's:/usr/sbin/ntpdate:/usr/bin/ntpdate:g' -i qubes-rpc/sync-ntp-clock +sed 's:/usr/sbin/qubes-netwatcher:/usr/bin/qubes-netwatcher:g' -i vm-systemd/qubes-netwatcher.service +sed 's:/usr/sbin/qubes-firewall:/usr/bin/qubes-firewall:g' -i vm-systemd/qubes-firewall.service for dir in qubes-rpc qrexec misc; do (cd $dir; make) From 099971dcd5c6004f461710169310706d3cc2a8e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Wed, 14 Aug 2013 03:51:41 +0200 Subject: [PATCH 07/11] fedora: update spec and serial.conf to match /usr/sbin path --- misc/serial.conf | 2 +- rpm_spec/core-vm.spec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/misc/serial.conf b/misc/serial.conf index 48f5f6d..de82389 100644 --- a/misc/serial.conf +++ b/misc/serial.conf @@ -18,4 +18,4 @@ stop on runlevel [016] instance $DEV respawn pre-start exec /sbin/securetty $DEV -exec /sbin/agetty -l /sbin/qubes-serial-login /dev/$DEV $SPEED vt100-nav +exec /sbin/agetty -l /usr/sbin/qubes-serial-login /dev/$DEV $SPEED vt100-nav diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 3b10c52..c29073c 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -291,7 +291,7 @@ rm -f %{name}-%{version} %config(noreplace) /etc/yum.repos.d/qubes.repo /etc/yum/pluginconf.d/yum-qubes-hooks.conf /etc/yum/post-actions/qubes-trigger-sync-appmenus.action -/sbin/qubes-serial-login +/usr/sbin/qubes-serial-login /usr/bin/qvm-copy-to-vm /usr/bin/qvm-open-in-dvm /usr/bin/qvm-open-in-vm From 3cfd7f57b415abfbb951713fbfb74c2bc8094391 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Wed, 14 Aug 2013 22:12:46 +0200 Subject: [PATCH 08/11] qvm-copy-to-vm: implement --ignore-symlinks option Can be useful when copying to VM which doesn't support symlinks (or user doesn't have privilege to create it). --- qubes-rpc/qfile-agent.c | 9 ++++++++- qubes-rpc/qvm-copy-to-vm | 2 +- qubes-rpc/qvm-copy-to-vm.gnome | 2 +- qubes-rpc/qvm-copy-to-vm.kde | 2 +- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/qubes-rpc/qfile-agent.c b/qubes-rpc/qfile-agent.c index 51a7337..c3c8178 100644 --- a/qubes-rpc/qfile-agent.c +++ b/qubes-rpc/qfile-agent.c @@ -18,6 +18,8 @@ enum { PROGRESS_FLAG_DONE }; +int ignore_symlinks = 0; + unsigned long crc32_sum; int write_all_with_crc(int fd, void *buf, int size) { @@ -143,7 +145,7 @@ int single_file_processor(char *filename, struct stat *st) hdr.filelen = 0; write_headers(&hdr, filename); } - if (S_ISLNK(mode)) { + if (S_ISLNK(mode) && !ignore_symlinks) { char name[st->st_size + 1]; if (readlink(filename, name, sizeof(name)) != st->st_size) gui_fatal("readlink %s", filename); @@ -227,6 +229,11 @@ int main(int argc, char **argv) crc32_sum = 0; cwd = getcwd(NULL, 0); for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "--ignore-symlinks")==0) { + ignore_symlinks = 1; + continue; + } + entry = get_abs_path(cwd, argv[i]); do { diff --git a/qubes-rpc/qvm-copy-to-vm b/qubes-rpc/qvm-copy-to-vm index be0804a..3d1716c 100755 --- a/qubes-rpc/qvm-copy-to-vm +++ b/qubes-rpc/qvm-copy-to-vm @@ -37,7 +37,7 @@ VM="$1" shift if [ $PROGRESS_TYPE = console ] ; then - export FILECOPY_TOTAL_SIZE=$(du --apparent-size -c "$@" | tail -1 | cut -f 1) + export FILECOPY_TOTAL_SIZE=$(du --apparent-size -c -- "$@" 2> /dev/null | tail -1 | cut -f 1) fi exec /usr/lib/qubes/qrexec-client-vm $VM qubes.Filecopy /usr/lib/qubes/qfile-agent "$@" diff --git a/qubes-rpc/qvm-copy-to-vm.gnome b/qubes-rpc/qvm-copy-to-vm.gnome index 4199476..4b69c06 100755 --- a/qubes-rpc/qvm-copy-to-vm.gnome 
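Review bot: In the `main()` hunk of `qfile-agent.c`, `--ignore-symlinks` is recognised at any position inside the file loop, so it only affects the arguments that follow it. A file literally named `--ignore-symlinks` (for example picked up by a shell glob) can no longer be copied and silently changes how the remaining arguments are handled. Parsing options before the loop and stopping at a `--` terminator would make the behaviour independent of argument order and file names. As far as the hunk shows, a symlink skipped through `S_ISLNK(mode) && !ignore_symlinks` produces no message; a line on stderr per skipped link would tell the user the copy is incomplete. `main()` and `single_file_processor()` both continue outside the hunks.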
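Review bot: `2> /dev/null` on the `du` call in `qvm-copy-to-vm` discards every diagnostic, so an unreadable or missing file now just shrinks `FILECOPY_TOTAL_SIZE` without a trace. The same applies to the `SIZE=` lines in `qvm-copy-to-vm.gnome` and `qvm-copy-to-vm.kde`. With `--` in place, `du` is also handed `--ignore-symlinks` as a path when the user passes the new option, which is presumably the error the redirect is meant to hide. Dropping that option from the argument list before calling `du`, and leaving stderr alone, would keep the progress total accurate and genuine errors visible.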
+++ b/qubes-rpc/qvm-copy-to-vm.gnome @@ -23,7 +23,7 @@ VM=$(qvm-mru-entry --title="File Copy" --text="Enter the destination domain name:" --mrufile "qvm-mru-filecopy") if [ X$VM = X ] ; then exit 0 ; fi -SIZE=$(du --apparent-size -c "$@" | tail -1 | cut -f 1) +SIZE=$(du --apparent-size -c -- "$@" 2>/dev/null | tail -1 | cut -f 1) export PROGRESS_TYPE=gui diff --git a/qubes-rpc/qvm-copy-to-vm.kde b/qubes-rpc/qvm-copy-to-vm.kde index 74ebf7b..740cf8a 100755 --- a/qubes-rpc/qvm-copy-to-vm.kde +++ b/qubes-rpc/qvm-copy-to-vm.kde @@ -23,7 +23,7 @@ VM=$(kdialog -inputbox "Enter the VM name to send files to:") if [ X$VM = X ] ; then exit 0 ; fi -SIZE=$(du --apparent-size -c "$@" | tail -1 | cut -f 1) +SIZE=$(du --apparent-size -c -- "$@" 2> /dev/null | tail -1 | cut -f 1) REF=$(kdialog --progressbar "Copy progress") qdbus $REF org.freedesktop.DBus.Properties.Set "" maximum $SIZE From c939cc049ecda348dfcfcb14e7c0f03106ef06b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Wed, 14 Aug 2013 22:13:44 +0200 Subject: [PATCH 09/11] qvm-copy-to-vm: show last processed filename on error --- qubes-rpc/qfile-agent.c | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/qubes-rpc/qfile-agent.c b/qubes-rpc/qfile-agent.c index c3c8178..22712c7 100644 --- a/qubes-rpc/qfile-agent.c +++ b/qubes-rpc/qfile-agent.c @@ -53,6 +53,9 @@ void do_notify_progress(long long total, int flag) void wait_for_result() { struct result_header hdr; + struct result_header_ext hdr_ext; + char last_filename[MAX_PATH_LENGTH + 1]; + char last_filename_prefix[] = "; Last file: "; if (!read_all(0, &hdr, sizeof(hdr))) { if (errno == EAGAIN) { 
@@ -63,17 +66,35 @@ void wait_for_result() exit(1); // hopefully remote has produced error message } } + if (!read_all(0, &hdr_ext, sizeof(hdr_ext))) { + // remote used old result_header struct + hdr_ext.last_namelen = 0; + } + if (hdr_ext.last_namelen > MAX_PATH_LENGTH) { + // read only at most MAX_PATH_LENGTH chars + hdr_ext.last_namelen = MAX_PATH_LENGTH; + } + if (!read_all(0, last_filename, hdr_ext.last_namelen)) { + fprintf(stderr, "Failed to get last filename\n"); + hdr_ext.last_namelen = 0; + } + last_filename[hdr_ext.last_namelen] = '\0'; + if (!hdr_ext.last_namelen) + /* set prefix to empty string */ + last_filename_prefix[0] = '\0'; + + errno = hdr.error_code; if (hdr.error_code != 0) { switch (hdr.error_code) { case EEXIST: - gui_fatal("File copy: not overwriting existing file. Clean QubesIncoming dir, and retry copy"); + gui_fatal("File copy: not overwriting existing file. Clean QubesIncoming dir, and retry copy%s%s", last_filename_prefix, last_filename); break; case EINVAL: - gui_fatal("File copy: Corrupted data from packer"); + gui_fatal("File copy: Corrupted data from packer%s%s", last_filename_prefix, last_filename); break; default: - gui_fatal("File copy: %s", - strerror(hdr.error_code)); + gui_fatal("File copy: %s%s%s", + strerror(hdr.error_code), last_filename_prefix, last_filename); } } if (hdr.crc32 != crc32_sum) { From 1d41cb4c1846bde4f0432bcfee70d484c7a40208 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 1 Sep 2013 01:28:07 +0200 Subject: [PATCH 10/11] Add qubes.DetachPciDevice for live PCI detach (#708) --- Makefile | 1 + qubes-rpc/qubes.DetachPciDevice | 4 ++++ rpm_spec/core-vm.spec | 1 + 3 files changed, 6 insertions(+) create mode 100644 qubes-rpc/qubes.DetachPciDevice diff --git a/Makefile b/Makefile index 93cfd32..cb73fd8 100644 --- a/Makefile +++ b/Makefile 
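Review bot: `last_filename` is filled with bytes sent by the remote side and passed straight into the `gui_fatal()` messages, so control characters, newlines, or markup (if the dialog backend interprets it) chosen by the other VM end up in a dialog shown in this VM. Replacing everything outside printable ASCII before use, as in the excerpt below, keeps the message inert. The length clamp only checks the upper bound: `struct result_header_ext` is not visible here, and if `last_namelen` is a signed type a negative value would pass `> MAX_PATH_LENGTH` and reach both `read_all()` and the `last_filename[...] = '\0'` index, so confirm it is unsigned or add a lower-bound check. When the name is truncated to `MAX_PATH_LENGTH`, the remainder stays unread on fd 0, which is harmless only if nothing is read afterwards. `wait_for_result()` begins in the previous hunk and continues past this one.

```c
    char *p;    /* goes with the other locals at the top of wait_for_result() */
    /* … unchanged: reading hdr_ext and the clamped read into last_filename … */
    last_filename[hdr_ext.last_namelen] = '\0';
    /* the name is supplied by the remote VM: keep printable ASCII only */
    for (p = last_filename; *p != '\0'; p++) {
        if (*p < 0x20 || *p > 0x7e)
            *p = '_';
    }
```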
@@ -131,6 +131,7 @@ install-vm: install -m 0644 qubes-rpc/{qubes.Filecopy,qubes.OpenInVM,qubes.VMShell,qubes.SyncNtpClock} $(DESTDIR)/etc/qubes-rpc install -m 0644 qubes-rpc/{qubes.SuspendPre,qubes.SuspendPost,qubes.GetAppmenus} $(DESTDIR)/etc/qubes-rpc install -m 0644 qubes-rpc/qubes.WaitForSession $(DESTDIR)/etc/qubes-rpc + install -m 0644 qubes-rpc/qubes.DetachPciDevice $(DESTDIR)/etc/qubes-rpc install -d $(DESTDIR)/usr/share/file-manager/actions install -m 0644 qubes-rpc/*-gnome.desktop $(DESTDIR)/usr/share/file-manager/actions diff --git a/qubes-rpc/qubes.DetachPciDevice b/qubes-rpc/qubes.DetachPciDevice new file mode 100644 index 0000000..0edfadf --- /dev/null +++ b/qubes-rpc/qubes.DetachPciDevice @@ -0,0 +1,4 @@ +#!/bin/sh +read dev +BDF=0000:$dev +echo $BDF > /sys/bus/pci/devices/$BDF/driver/unbind diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index c29073c..114ecda 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -276,6 +276,7 @@ rm -f %{name}-%{version} /etc/qubes-rpc/qubes.SuspendPre /etc/qubes-rpc/qubes.SuspendPost /etc/qubes-rpc/qubes.WaitForSession +/etc/qubes-rpc/qubes.DetachPciDevice /etc/sudoers.d/qubes %config(noreplace) /etc/sysconfig/iptables %config(noreplace) /etc/sysconfig/ip6tables From 68435da334577f1d63f159e8f756c6011e61956e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Tue, 17 Sep 2013 04:34:32 +0200 Subject: [PATCH 11/11] version 2.1.15 --- version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version b/version index 1b5105d..67da954 100644 --- a/version +++ b/version @@ -1 +1 @@ -2.1.14 +2.1.15
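Review bot: In the new `qubes-rpc/qubes.DetachPciDevice`, the value read from the caller is expanded unquoted and unvalidated into a sysfs path that is then written to, so input containing `/`, `..`, whitespace or glob characters can steer the write away from the intended `driver/unbind` node of a single PCI device. Who may call this service is decided by the qrexec policy, which is not part of this patch, but the script should still accept only a well-formed address. The excerpt below assumes the usual lowercase `bb:dd.f` form, which should be confirmed against the caller. `read` without `-r` also interprets backslashes in the input.

```sh
read -r dev
# accept only bus:device.function, e.g. 00:1a.0 (constructed example)
case "$dev" in
    [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f].[0-7]) ;;
    *) echo "qubes.DetachPciDevice: invalid device address" >&2; exit 1 ;;
esac
BDF="0000:$dev"
echo "$BDF" > "/sys/bus/pci/devices/$BDF/driver/unbind"
```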