From 41f65f1f5a6a68c32adb95a5d3b3657b8a7f13a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Wed, 3 Sep 2014 09:59:59 +0200 Subject: [PATCH 01/22] firewall: show error message only on actual error --- network/qubes-firewall | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/network/qubes-firewall b/network/qubes-firewall index 0b8da66..9f8aa44 100755 --- a/network/qubes-firewall +++ b/network/qubes-firewall @@ -41,11 +41,13 @@ while true; do for i in $(xenstore-list qubes-iptables-domainrules) ; do RULES=$(/usr/bin/xenstore-read qubes-iptables-domainrules/"$i") ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true` - echo "Failed applying rules for $i: $ERRS" >&2 - OUT="$OUT$ERRS" + if [ -n "$ERRS" ]; then + echo "Failed applying rules for $i: $ERRS" >&2 + OUT="$OUT$ERRS" + fi done /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT" - if [ "$OUT" ]; then + if [ -n "$OUT" ]; then DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || : fi From 54755ac44469894ac42cb119f7355cefdd5ac89c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 5 Sep 2014 22:42:14 +0200 Subject: [PATCH 02/22] Avoid 100MB reserved space in private ext4 partition The ext4 reserved space is necessary for root partitions, but in the private.img data partition, it is wasted space (accessible only to root processes), which means losing 100 MB of the default 2GB. From mkfs.ext4 man page: "-m reserved-blocks-percentage Specify the percentage of the filesystem blocks reserved for the super-user." ... "The default percentage is 5%." --- vm-systemd/misc-post.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index e718d02..f0a9f1b 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh 
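Review bot: The new `if [ -n "$ERRS" ]` guard detects a failed restore only by iptables-restore having written something to stderr, because the `|| true` inside the backticks discards its exit status; a restore that fails without output is accepted silently, and a non-fatal warning on stderr is reported as a failure and pushed to notify-send. Testing the status directly is more robust: `if ! ERRS=$(echo -e "$RULES" | /sbin/iptables-restore -n 2>&1); then`, keeping the `echo ... >&2` and `OUT="$OUT$ERRS"` lines as they are (the status of a command substitution is that of the last command in its pipeline, so `|| true` is no longer needed). If the script runs under a strict POSIX `/bin/sh` rather than bash, `echo -e` may print the `-e` literally; `printf '%b\n' "$RULES"` avoids that, but the shebang is not visible in this hunk. The enclosing `while true; do` loop starts and ends outside the hunk.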
@@ -14,6 +14,7 @@ INTERFACE=eth0 /usr/lib/qubes/setup-ip if [ -e /dev/xvdb -a ! -e /etc/this-is-dvm ] ; then resize2fs /dev/xvdb 2> /dev/null || echo "'resize2fs /dev/xvdb' failed" + tune2fs -m 0 /dev/xvdb mount /rw if ! [ -d /rw/home ] ; then From 4bd9971006f9f42a06797dea33ff7c1815e6bb45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sat, 20 Sep 2014 01:20:11 +0200 Subject: [PATCH 03/22] gui-fatal: do not run as root GTK+ refuses to initialize. --- qubes-rpc/gui-fatal.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/qubes-rpc/gui-fatal.c b/qubes-rpc/gui-fatal.c index 0bda201..1b71b00 100644 --- a/qubes-rpc/gui-fatal.c +++ b/qubes-rpc/gui-fatal.c @@ -28,6 +28,8 @@ static void produce_message(const char * type, const char *fmt, va_list args) case -1: exit(1); //what else case 0: + if (geteuid() == 0) + setuid(getuid()); fix_display(); #ifdef USE_KDIALOG execlp("/usr/bin/kdialog", "kdialog", "--sorry", dialog_msg, NULL); From 1e842c985d6c05cdfdc8c15355641c5032d6a9a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Tue, 23 Sep 2014 05:44:09 +0200 Subject: [PATCH 04/22] fedora: workaround slow system shutdown (#852) It looks to be related to this report: https://bugzilla.redhat.com/show_bug.cgi?id=1088619 Workaround idea was from comment 37. The hanging process in Qubes VM is most likely dconf-service, but there is a lot of possible causes. To start with a non-standard method of accessing the X session (no real login manager, processes started by qrexec-agent). So instead of wasting a lot of time on digging through gnome services, simply shorten the stop timeout - the processes would be killed anyway. --- Makefile | 1 + misc/session-stop-timeout.conf | 2 ++ rpm_spec/core-vm.spec | 1 + 3 files changed, 4 insertions(+) create mode 100644 misc/session-stop-timeout.conf diff --git a/Makefile b/Makefile index b318c3b..63a77aa 100644 --- a/Makefile +++ b/Makefile 
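Review bot: The added `tune2fs -m 0 /dev/xvdb` has no failure handling, unlike the `resize2fs` call on the line above which reports with `|| echo ...`; a tune2fs failure (for example a filesystem on xvdb that is not ext2/3/4) passes silently and the reserved space simply stays at the default. For consistency with the neighbouring line: `tune2fs -m 0 /dev/xvdb 2> /dev/null || echo "'tune2fs -m 0 /dev/xvdb' failed"`. The command also runs on every boot rather than once; that is cheap for an already-zero setting, but a one-line comment such as `# private.img is data-only: drop the default 5% root-reserved blocks` would keep the intent from the commit message in the script itself. The enclosing `if [ -e /dev/xvdb ...` block continues beyond the hunk.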
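Review bot: Dropping privileges with `setuid(getuid())` alone leaves the effective/saved group id and the supplementary group list untouched; if this process can reach the `case 0:` branch with an elevated egid (the hunk only tests `geteuid() == 0`), the forked dialog still runs with those groups. The conventional order is `setgid(getgid());` (plus `setgroups()` where the process has the capability) before `setuid(getuid());`, since the gid can no longer be changed once the uid has been dropped; I cannot tell from this hunk whether gui-fatal is ever invoked with an elevated egid, so confirm against how qrexec launches it. The unchecked return value of `setuid()` is addressed by the later "qrexec: check for setuid() error" commit in this series and is not repeated here. `produce_message` starts and ends outside the hunk.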
@@ -68,6 +68,7 @@ install-rh: install -D -m 0644 misc/yum-qubes-hooks.conf $(DESTDIR)/etc/yum/pluginconf.d/yum-qubes-hooks.conf install -d -m 755 $(DESTDIR)/etc/pki/rpm-gpg install -m 644 misc/RPM-GPG-KEY-qubes* $(DESTDIR)/etc/pki/rpm-gpg/ + install -D -m 644 misc/session-stop-timeout.conf $(DESTDIR)/usr/lib/systemd/system/user@.service.d/90-session-stop-timeout.conf install -D misc/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules install -D misc/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules diff --git a/misc/session-stop-timeout.conf b/misc/session-stop-timeout.conf new file mode 100644 index 0000000..fb8e422 --- /dev/null +++ b/misc/session-stop-timeout.conf @@ -0,0 +1,2 @@ +[Service] +TimeoutStopSec=500000us diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index d5fd886..323e93a 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -336,6 +336,7 @@ rm -f %{name}-%{version} %config(noreplace) /etc/yum.repos.d/qubes-r2.repo /etc/yum/pluginconf.d/yum-qubes-hooks.conf /etc/yum/post-actions/qubes-trigger-sync-appmenus.action +/usr/lib/systemd/system/user@.service.d/90-session-stop-timeout.conf /usr/sbin/qubes-serial-login /usr/bin/qvm-copy-to-vm /usr/bin/qvm-move-to-vm From 3f19c8930115e128ecb718c17443fe461f17948a Mon Sep 17 00:00:00 2001 
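Review bot: `TimeoutStopSec=500000us` in the new `misc/session-stop-timeout.conf` gives every process in the user session half a second before it is killed, which is well below what a service such as dconf-service may need to flush pending writes; the commit message accepts that trade-off, but the drop-in file itself carries no hint of it or of the bug it works around, so the value is likely to be "fixed" back later. Add a comment at the top of the file, e.g. `# Qubes VMs have no real login manager; shorten the user@.service stop timeout to avoid a long shutdown hang (https://bugzilla.redhat.com/show_bug.cgi?id=1088619, comment 37)`. Note also that the Makefile hunk installs the drop-in only from the `install-rh` target, so the other distributions handled in this series do not receive it; if that is deliberate it is worth stating in the same comment.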
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sat, 27 Sep 2014 00:11:10 +0200 Subject: [PATCH 05/22] Rename qubes-yum-proxy service to qubes-updates-proxy It is no longer Fedora-only proxy, so rename to not confuse the user. Also documentation refer to it as "updates proxy" for a long time. --- Makefile | 6 ++--- network/{filter-qubes-yum => filter-updates} | 0 ...ables-yum-proxy => iptables-updates-proxy} | 0 ...-qubes-yum.conf => tinyproxy-updates.conf} | 4 ++-- rpm_spec/core-vm.spec | 18 +++++++-------- .../{qubes-yum-proxy => qubes-updates-proxy} | 22 +++++++++---------- vm-systemd/qubes-sysinit.sh | 2 +- vm-systemd/qubes-updates-proxy.service | 16 ++++++++++++++ vm-systemd/qubes-yum-proxy.service | 15 ------------- 9 files changed, 42 insertions(+), 41 deletions(-) rename network/{filter-qubes-yum => filter-updates} (100%) rename network/{iptables-yum-proxy => iptables-updates-proxy} (100%) rename network/{tinyproxy-qubes-yum.conf => tinyproxy-updates.conf} (82%) rename vm-init.d/{qubes-yum-proxy => qubes-updates-proxy} (76%) create mode 100644 vm-systemd/qubes-updates-proxy.service delete mode 100644 vm-systemd/qubes-yum-proxy.service diff --git a/Makefile b/Makefile index 63a77aa..44e4a09 100644 --- a/Makefile +++ b/Makefile 
@@ -120,9 +120,9 @@ install-common: install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables - install -m 0644 -D network/tinyproxy-qubes-yum.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-qubes-yum.conf - install -m 0644 -D network/filter-qubes-yum $(DESTDIR)/etc/tinyproxy/filter-qubes-yum - install -m 0755 -D network/iptables-yum-proxy $(DESTDIR)/usr/lib/qubes/iptables-yum-proxy + install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf + install -m 0644 -D network/filter-updates $(DESTDIR)/etc/tinyproxy/filter-updates + install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)/usr/lib/qubes/iptables-updates-proxy install -d $(DESTDIR)/etc/xdg/autostart install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)/usr/lib/qubes/show-hide-nm-applet.sh install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop diff --git a/network/filter-qubes-yum b/network/filter-updates similarity index 100% rename from network/filter-qubes-yum rename to network/filter-updates diff --git a/network/iptables-yum-proxy b/network/iptables-updates-proxy similarity index 100% rename from network/iptables-yum-proxy rename to network/iptables-updates-proxy diff --git a/network/tinyproxy-qubes-yum.conf b/network/tinyproxy-updates.conf similarity index 82% rename from network/tinyproxy-qubes-yum.conf rename to network/tinyproxy-updates.conf index 43b5082..110b96e 100644 --- a/network/tinyproxy-qubes-yum.conf +++ b/network/tinyproxy-updates.conf @@ -8,7 +8,7 @@ DefaultErrorFile "/usr/share/tinyproxy/default.html" StatFile "/usr/share/tinyproxy/stats.html" Syslog On LogLevel Notice -PidFile "/var/run/tinyproxy/tinyproxy-qubes-yum.pid" +PidFile "/var/run/tinyproxy/tinyproxy-updates.pid" MaxClients 50 MinSpareServers 2 
@@ -21,7 +21,7 @@ Allow 127.0.0.1 Allow 10.137.0.0/16 -Filter "/etc/tinyproxy/filter-qubes-yum" +Filter "/etc/tinyproxy/filter-updates" FilterURLs On #FilterExtended On #FilterCaseSensitive On diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 323e93a..0bf9ee7 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -325,8 +325,8 @@ rm -f %{name}-%{version} %config(noreplace) /etc/sysconfig/ip6tables /etc/sysconfig/modules/qubes-core.modules /etc/sysconfig/modules/qubes-misc.modules -%config(noreplace) /etc/tinyproxy/filter-qubes-yum -%config(noreplace) /etc/tinyproxy/tinyproxy-qubes-yum.conf +%config(noreplace) /etc/tinyproxy/filter-updates +%config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf %config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules %config(noreplace) /etc/udev/rules.d/99-qubes-network.rules /etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop @@ -372,7 +372,7 @@ rm -f %{name}-%{version} /usr/lib/qubes/tar2qfile /usr/lib/qubes/vm-file-editor /usr/lib/qubes/wrap-in-html-if-url.sh -/usr/lib/qubes/iptables-yum-proxy +/usr/lib/qubes/iptables-updates-proxy /usr/lib/qubes/close-window /usr/lib/yum-plugins/yum-qubes-hooks.py* /usr/sbin/qubes-firewall @@ -407,7 +407,7 @@ The Qubes core startup configuration for SysV init (or upstart). /etc/init.d/qubes-core-netvm /etc/init.d/qubes-firewall /etc/init.d/qubes-netwatcher -/etc/init.d/qubes-yum-proxy +/etc/init.d/qubes-updates-proxy /etc/init.d/qubes-qrexec-agent %post sysvinit 
@@ -442,8 +442,8 @@ chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewa chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!" chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!" chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!" -chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!" -chkconfig qubes-yum-proxy on || echo "WARNING: Cannot enable service qubes-yum-proxy!" +chkconfig --add qubes-updates-proxy || echo "WARNING: Cannot add service qubes-updates-proxy!" +chkconfig qubes-updates-proxy on || echo "WARNING: Cannot enable service qubes-updates-proxy!" chkconfig --add qubes-qrexec-agent || echo "WARNING: Cannot add service qubes-qrexec-agent!" chkconfig qubes-qrexec-agent on || echo "WARNING: Cannot enable service qubes-qrexec-agent!" @@ -458,7 +458,7 @@ if [ "$1" = 0 ] ; then chkconfig qubes-core-appvm off chkconfig qubes-firewall off chkconfig qubes-netwatcher off - chkconfig qubes-yum-proxy off + chkconfig qubes-updates-proxy off chkconfig qubes-qrexec-agent off fi @@ -487,7 +487,7 @@ The Qubes core startup configuration for SystemD init. /lib/systemd/system/qubes-sysinit.service /lib/systemd/system/qubes-update-check.service /lib/systemd/system/qubes-update-check.timer -/lib/systemd/system/qubes-yum-proxy.service +/lib/systemd/system/qubes-updates-proxy.service /lib/systemd/system/qubes-qrexec-agent.service %dir /usr/lib/qubes/init /usr/lib/qubes/init/prepare-dvm.sh @@ -512,7 +512,7 @@ The Qubes core startup configuration for SystemD init. %post systemd -for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-yum-proxy qubes-qrexec-agent; do +for srv in qubes-dvm qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-updates-proxy qubes-qrexec-agent; do /bin/systemctl enable $srv.service 2> /dev/null done 
diff --git a/vm-init.d/qubes-yum-proxy b/vm-init.d/qubes-updates-proxy similarity index 76% rename from vm-init.d/qubes-yum-proxy rename to vm-init.d/qubes-updates-proxy index 00a3634..577a386 100755 --- a/vm-init.d/qubes-yum-proxy +++ b/vm-init.d/qubes-updates-proxy @@ -1,14 +1,14 @@ #!/bin/sh # -# tinyproxy Startup script for the tinyproxy server as Qubes yum proxy +# tinyproxy Startup script for the tinyproxy server as Qubes updates proxy # # chkconfig: - 85 15 # description: small, efficient HTTP/SSL proxy daemon # # processname: tinyproxy -# config: /etc/tinyproxy/tinyproxy-qubes-yum.conf -# config: /etc/sysconfig/tinyproxy-qubes-yum -# pidfile: /var/run/tinyproxy/tinyproxy-qubes-yum.pid +# config: /etc/tinyproxy/tinyproxy-updates.conf +# config: /etc/sysconfig/tinyproxy-updates +# pidfile: /var/run/tinyproxy/tinyproxy-updates.pid # # Note: pidfile is created by tinyproxy in its config # see PidFile in the configuration file. @@ -24,17 +24,17 @@ exec="/usr/sbin/tinyproxy" prog=$(basename $exec) -config="/etc/tinyproxy/tinyproxy-qubes-yum.conf" -pidfile="/var/run/tinyproxy/tinyproxy-qubes-yum.pid" +config="/etc/tinyproxy/tinyproxy-updates.conf" +pidfile="/var/run/tinyproxy/tinyproxy-updates.pid" -[ -e /etc/sysconfig/tinyproxy-qubes-yum ] && . /etc/sysconfig/tinyproxy-qubes-yum +[ -e /etc/sysconfig/tinyproxy-updates ] && . /etc/sysconfig/tinyproxy-updates -lockfile=/var/lock/subsys/tinyproxy-qubes-yum +lockfile=/var/lock/subsys/tinyproxy-updates start() { type=`/usr/bin/xenstore-read qubes-vm-type` - start_yum_proxy=`/usr/bin/xenstore-read qubes-service/qubes-yum-proxy 2>/dev/null` - if [ -z "$start_yum_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_yum_proxy" != "1" ]; then + start_updates_proxy=`/usr/bin/xenstore-read qubes-service/qubes-updates-proxy 2>/dev/null` + if [ -z "$start_updates_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_updates_proxy" != "1" ]; then # Yum proxy disabled exit 0 fi 
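Review bot: The rewritten condition `[ -z "$start_updates_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_updates_proxy" != "1" ]` parses as `(A && B) || C` because `&&` and `||` have equal precedence in sh, and C is true whenever the xenstore entry is absent, so a NetVM with no `qubes-service/qubes-updates-proxy` entry always hits `exit 0` and never starts the proxy; that contradicts the default in `vm-systemd/qubes-sysinit.sh` in this same commit, where `DEFAULT_ENABLED_NETVM` includes `qubes-updates-proxy`. If the intended rule is "enabled by default in a NetVM, otherwise only when set to 1", split it into two explicit tests: `if [ -z "$start_updates_proxy" ] && [ "$type" != "NetVM" ]; then exit 0; fi` followed by `if [ -n "$start_updates_proxy" ] && [ "$start_updates_proxy" != "1" ]; then exit 0; fi`. The comment `# Yum proxy disabled` on the next line also still carries the old name. The precedence issue predates the rename, so it may match how dom0 actually populates the entry; confirm before changing. `start()` continues beyond the hunk.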
@@ -45,7 +45,7 @@ start() { /sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT /sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT - echo -n $"Starting $prog (as Qubes yum proxy): " + echo -n $"Starting $prog (as Qubes updates proxy): " daemon $exec -c $config retval=$? echo diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 17d9fde..6833682 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -1,7 +1,7 @@ #!/bin/sh # List of services enabled by default (in case of absence of xenstore entry) -DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy" +DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy" DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check" DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM yum-proxy-setup" diff --git a/vm-systemd/qubes-updates-proxy.service b/vm-systemd/qubes-updates-proxy.service new file mode 100644 index 0000000..cb88922 --- /dev/null +++ b/vm-systemd/qubes-updates-proxy.service @@ -0,0 +1,16 @@ +[Unit] +Description=Qubes updates proxy (tinyproxy) +ConditionPathExists=|/var/run/qubes-service/qubes-yum-proxy +ConditionPathExists=|/var/run/qubes-service/qubes-updates-proxy +After=iptables.service + +[Service] +ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy +ExecStartPre=/usr/lib/qubes/iptables-updates-proxy start +ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-updates.conf +ExecStopPost=/usr/lib/qubes/iptables-updates-proxy stop +Restart=on-failure +RestartSec=5s + +[Install] +WantedBy=multi-user.target diff --git a/vm-systemd/qubes-yum-proxy.service b/vm-systemd/qubes-yum-proxy.service deleted file mode 100644 index 379d3df..0000000 --- a/vm-systemd/qubes-yum-proxy.service +++ /dev/null 
@@ -1,15 +0,0 @@ -[Unit] -Description=Qubes yum proxy (tinyproxy) -ConditionPathExists=/var/run/qubes-service/qubes-yum-proxy -After=iptables.service - -[Service] -ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy -ExecStartPre=/usr/lib/qubes/iptables-yum-proxy start -ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf -ExecStopPost=/usr/lib/qubes/iptables-yum-proxy stop -Restart=on-failure -RestartSec=5s - -[Install] -WantedBy=multi-user.target From 2e4cdc2f8d6ad676edcabda22cf440e6ebaa3584 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sat, 27 Sep 2014 01:52:19 +0200 Subject: [PATCH 06/22] Rename yum-proxy-setup service to updates-proxy-setup Fedora is no longer the only supported distribution, so change the service name to be more generic. Old name still supported for compatibility. --- vm-init.d/qubes-core | 2 +- vm-systemd/misc-post.sh | 2 +- vm-systemd/qubes-sysinit.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/vm-init.d/qubes-core b/vm-init.d/qubes-core index 8c8e588..2ecf8cf 100755 --- a/vm-init.d/qubes-core +++ b/vm-init.d/qubes-core @@ -38,7 +38,7 @@ start() echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock fi - yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null) + yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null || /usr/bin/xenstore-read qubes-service/updates-proxy-setup 2>/dev/null ) type=$(/usr/bin/xenstore-read qubes-vm-type) if [ "$yum_proxy_setup" != "0" ] || [ -z "$yum_proxy_setup" -a "$type" == "TemplateVM" ]; then echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index f0a9f1b..d667080 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh 
@@ -1,6 +1,6 @@ #!/bin/sh -if [ -f /var/run/qubes-service/yum-proxy-setup ]; then +if [ -f /var/run/qubes-service/yum-proxy-setup -o -f /var/run/qubes-service/updates-proxy-setup ]; then echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf else echo > /etc/yum.conf.d/qubes-proxy.conf diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 6833682..2a4ad5b 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -4,7 +4,7 @@ DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy" DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check" DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check" -DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM yum-proxy-setup" +DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM updates-proxy-setup" DEFAULT_ENABLED="meminfo-writer" XS_READ=/usr/bin/xenstore-read From e93cf3e81b523f93d0340a90ed8d2ad207b7a31a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 29 Sep 2014 04:05:24 +0200 Subject: [PATCH 07/22] updates-proxy: add rules for debian repositories (#887) --- network/filter-updates | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/network/filter-updates b/network/filter-updates index 828010e..c1afa54 100644 --- a/network/filter-updates +++ b/network/filter-updates @@ -4,3 +4,8 @@ \.drpm$ ^mirrors\.fedoraproject\.org:443$ ^http://mirrors\..*/mirrorlist\? +\.deb$ +/dists/[a-z]*/\(InRelease\|Release\|Release.gpg\)$ +/dists/[a-z]*/.*/\(Packages\|Sources\|Release\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\)$ +/dists/[a-z]*/.*/\(Contents\|Translation\)-.*\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ +/dists/[a-z]*/.*/\(Contents-.*\|Translation-.*\|Packages\)\.diff/\(Index\|[0-9.-]*\)\(\|\.gz\|\.xz\|\.bz2\|\.lzma\)$ From 64e8eedcb0ae2d9be23c9f2c01d5e13c4305d395 Mon Sep 17 00:00:00 2001 
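Review bot: The new test `[ -f ... -o -f ... ]` relies on the `-o` binary operator of `test`, which POSIX marks obsolescent and which becomes ambiguous when an operand itself looks like an option; the portable form joins two tests in the shell: `if [ -f /var/run/qubes-service/yum-proxy-setup ] || [ -f /var/run/qubes-service/updates-proxy-setup ]; then`. A short comment above it, `# yum-proxy-setup is the pre-rename service name, kept for compatibility`, would also record why two paths are checked, which the commit message states but the script does not.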
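Review bot: The new Debian patterns in `network/filter-updates` use `[a-z]*` for the suite component of `/dists/<suite>/`, which does not match suite names containing digits, dots or hyphens such as `wheezy-updates` or `jessie-backports`, so requests for those index files would be refused if the filter acts as an allow-list (the tinyproxy config hunk earlier in the series shows `FilterURLs On` but not the default-deny setting, so that is inferred). A `[^/]*` class matches exactly one path component whatever it contains, e.g. `/dists/[^/]*/\(InRelease\|Release\|Release\.gpg\)$`, and the `.` in `Release.gpg` should be escaped as in that example since these lines are regexes. The patterns are unanchored at the start and therefore apply to any host, which is consistent with the existing `\.drpm$` entry. A `#` comment line naming which repository layouts the Debian block is meant to cover would help future edits, assuming the filter parser skips comment lines as tinyproxy's does.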
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 29 Sep 2014 21:04:47 +0200 Subject: [PATCH 08/22] qrexec: check for setuid() error when calling zenity/kdialog Mostly to mute compiler warning - only emit log message but still continue. --- qubes-rpc/gui-fatal.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/qubes-rpc/gui-fatal.c b/qubes-rpc/gui-fatal.c index 1b71b00..5292f06 100644 --- a/qubes-rpc/gui-fatal.c +++ b/qubes-rpc/gui-fatal.c @@ -29,7 +29,8 @@ static void produce_message(const char * type, const char *fmt, va_list args) exit(1); //what else case 0: if (geteuid() == 0) - setuid(getuid()); + if (setuid(getuid()) != 0) + perror("setuid failed, calling kdialog/zenity as root"); fix_display(); #ifdef USE_KDIALOG execlp("/usr/bin/kdialog", "kdialog", "--sorry", dialog_msg, NULL); From 4bccdb0ba53ba80e02a48f81c33c58791ebf8534 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 29 Sep 2014 21:31:10 +0200 Subject: [PATCH 09/22] Use systemd mechanism for loading kernel modules (when available) One more thing done in more generic way (not Fedora-specific). --- rpm_spec/core-vm.spec | 6 ++++-- {misc => vm-init.d}/qubes-core.modules | 0 {misc => vm-init.d}/qubes-misc.modules | 0 vm-systemd/qubes-core.conf | 3 +++ vm-systemd/qubes-misc.conf | 1 + 5 files changed, 8 insertions(+), 2 deletions(-) rename {misc => vm-init.d}/qubes-core.modules (100%) rename {misc => vm-init.d}/qubes-misc.modules (100%) create mode 100644 vm-systemd/qubes-core.conf create mode 100644 vm-systemd/qubes-misc.conf diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 0bf9ee7..131eed0 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
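Review bot: The new nested `if (geteuid() == 0) if (setuid(getuid()) != 0) perror(...)` is two unbraced ifs, which reads as a dangling-else hazard the moment an `else` is added; fold it into one condition, `if (geteuid() == 0 && setuid(getuid()) != 0)`, or brace the outer if. Per the commit message the child deliberately continues and execs kdialog/zenity with whatever privileges it still has, so the perror text is the only record of that; a one-line comment above, `/* best effort: GTK refuses to run as root, so the dialog may still fail */`, ties the log message to the earlier "gui-fatal: do not run as root" commit. `produce_message` starts and ends outside the hunk.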
@@ -323,8 +323,6 @@ rm -f %{name}-%{version} %config(noreplace) /etc/sudoers.d/qubes %config(noreplace) /etc/sysconfig/iptables %config(noreplace) /etc/sysconfig/ip6tables -/etc/sysconfig/modules/qubes-core.modules -/etc/sysconfig/modules/qubes-misc.modules %config(noreplace) /etc/tinyproxy/filter-updates %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf %config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules @@ -409,6 +407,8 @@ The Qubes core startup configuration for SysV init (or upstart). /etc/init.d/qubes-netwatcher /etc/init.d/qubes-updates-proxy /etc/init.d/qubes-qrexec-agent +/etc/sysconfig/modules/qubes-core.modules +/etc/sysconfig/modules/qubes-misc.modules %post sysvinit @@ -489,6 +489,8 @@ The Qubes core startup configuration for SystemD init. /lib/systemd/system/qubes-update-check.timer /lib/systemd/system/qubes-updates-proxy.service /lib/systemd/system/qubes-qrexec-agent.service +/lib/modules-load.d/qubes-core.conf +/lib/modules-load.d/qubes-misc.conf %dir /usr/lib/qubes/init /usr/lib/qubes/init/prepare-dvm.sh /usr/lib/qubes/init/network-proxy-setup.sh diff --git a/misc/qubes-core.modules b/vm-init.d/qubes-core.modules similarity index 100% rename from misc/qubes-core.modules rename to vm-init.d/qubes-core.modules diff --git a/misc/qubes-misc.modules b/vm-init.d/qubes-misc.modules similarity index 100% rename from misc/qubes-misc.modules rename to vm-init.d/qubes-misc.modules diff --git a/vm-systemd/qubes-core.conf b/vm-systemd/qubes-core.conf new file mode 100644 index 0000000..236bd8c --- /dev/null +++ b/vm-systemd/qubes-core.conf @@ -0,0 +1,3 @@ +xen-evtchn +xen-blkback +xen-usbfront diff --git a/vm-systemd/qubes-misc.conf b/vm-systemd/qubes-misc.conf new file mode 100644 index 0000000..e799241 --- /dev/null +++ b/vm-systemd/qubes-misc.conf @@ -0,0 +1 @@ +dummy-hcd From 240066fc2349afc0be14ab04cb869739d15aa425 Mon Sep 17 00:00:00 2001 
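Review bot: The `%files` additions `/lib/modules-load.d/qubes-core.conf` and `/lib/modules-load.d/qubes-misc.conf` (systemd subpackage) and the `/etc/sysconfig/modules/*.modules` lines moved to the sysvinit subpackage have no matching Makefile change in this commit's diffstat: as of the previous commit `install-rh` still installs `misc/qubes-core.modules`, which this commit renames to `vm-init.d/`, and nothing installs the two new `.conf` files, so an rpmbuild at this point in the series should fail on the missing source path and on missing packaged files. The `install-systemd`/`install-sysvinit` targets that make the spec consistent only arrive in the later "debian: migrate to native systemd services" commit; moving those Makefile lines into this commit would keep every commit in the series buildable. This is inferred from the diffstats on the page rather than from a build, so verify.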
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 29 Sep 2014 21:38:11 +0200 Subject: [PATCH 10/22] Add missing u2mfn module load Is loaded as part of gui-agent startup, but qrexec-agent also needs it so eliminate race condition here. --- vm-init.d/qubes-core.modules | 1 + vm-systemd/qubes-core.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/vm-init.d/qubes-core.modules b/vm-init.d/qubes-core.modules index 42ce0fb..064151b 100755 --- a/vm-init.d/qubes-core.modules +++ b/vm-init.d/qubes-core.modules @@ -1,3 +1,4 @@ modprobe evtchn 2>/dev/null || modprobe xen-evtchn modprobe xen-blkback 2> /dev/null || modprobe blkbk modprobe xen-usbfront 2> /dev/null +modprobe u2mfn 2>/dev/null diff --git a/vm-systemd/qubes-core.conf b/vm-systemd/qubes-core.conf index 236bd8c..e87a760 100644 --- a/vm-systemd/qubes-core.conf +++ b/vm-systemd/qubes-core.conf @@ -1,3 +1,4 @@ xen-evtchn xen-blkback xen-usbfront +u2mfn From 71802a47787bc7903162b80e1f929e58b04cdc44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 29 Sep 2014 21:40:35 +0200 Subject: [PATCH 11/22] archlinux: modules-load.d handled now in generic files It is no longer Archlinux specific. --- archlinux/PKGBUILD | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/archlinux/PKGBUILD b/archlinux/PKGBUILD index c675ea1..fcb8ffd 100644 --- a/archlinux/PKGBUILD +++ b/archlinux/PKGBUILD 
@@ -66,27 +66,11 @@ package() { make install-vm DESTDIR=$pkgdir SBINDIR=/usr/bin DIST=archlinux - # Convert module loading to ARCHLINUX - mkdir -p $pkgdir/etc/modules-load.d/ - - #misc/qubes-core.modules - echo xen-evtchn > $pkgdir/etc/modules-load.d/qubes_core.conf - echo xen-blkback >> $pkgdir/etc/modules-load.d/qubes_core.conf - # Note : need to compile pvusb drivers for this last one? - echo xen-usbfront >> $pkgdir/etc/modules-load.d/qubes_core.conf - - #misc/qubes-misc.modules - #install -D misc/qubes_misc.modules $pkgdir/etc/sysconfig/modules/qubes_misc.modules - echo dummy-hcd > $pkgdir/etc/modules-load.d/qubes_misc.conf - # Change the place for iptable rules to match archlinux standard mkdir -p $pkgdir/etc/iptables mv $pkgdir/etc/sysconfig/iptables $pkgdir/etc/iptables/iptables.rules mv $pkgdir/etc/sysconfig/ip6tables $pkgdir/etc/iptables/ip6tables.rules - # Note: appears in the gui package but required for qrexec agent to work - echo u2mfn > $pkgdir/etc/modules-load.d/qubes_u2mfn.conf - # Remove things non wanted in archlinux rm -r $pkgdir/etc/yum* rm -r $pkgdir/etc/init.d From e83a91e3d36c8a7eaddd3396730ba70166472bc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 29 Sep 2014 22:57:55 +0200 Subject: [PATCH 12/22] debian: migrate to native systemd services --- Makefile | 29 ++-- debian/control | 2 +- debian/init.d | 224 -------------------------- debian/rules | 12 +- vm-systemd/qubes-qrexec-agent.service | 1 + vm-systemd/qubes-sysinit.sh | 10 +- 6 files changed, 36 insertions(+), 242 deletions(-) delete mode 100644 debian/init.d diff --git a/Makefile b/Makefile index 44e4a09..928f83c 100644 --- a/Makefile +++ b/Makefile 
@@ -43,22 +43,36 @@ all: make -C qrexec make -C qubes-rpc -install-rh: - install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab - install -d $(DESTDIR)/etc/init.d - install vm-init.d/* $(DESTDIR)/etc/init.d/ - - install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init +install-systemd: + install -d $(DESTDIR)/lib/systemd/system $(DESTDIR)/usr/lib/qubes/init $(DESTDIR)/lib/modules-load.d install -m 0755 vm-systemd/*.sh $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/qubes-*.service $(DESTDIR)/lib/systemd/system/ install -m 0644 vm-systemd/qubes-*.timer $(DESTDIR)/lib/systemd/system/ install -m 0644 vm-systemd/ModemManager.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/NetworkManager.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/NetworkManager-wait-online.service $(DESTDIR)/usr/lib/qubes/init/ + install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)/lib/modules-load.d/ + install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)/lib/modules-load.d/ install -m 0644 vm-systemd/cups.* $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/ntpd.service $(DESTDIR)/usr/lib/qubes/init/ install -m 0644 vm-systemd/chronyd.service $(DESTDIR)/usr/lib/qubes/init/ +install-sysvinit: + install -d $(DESTDIR)/etc/init.d + install vm-init.d/qubes-core $(DESTDIR)/etc/init.d/ + install vm-init.d/qubes-core-appvm $(DESTDIR)/etc/init.d/ + install vm-init.d/qubes-core-netvm $(DESTDIR)/etc/init.d/ + install vm-init.d/qubes-firewall $(DESTDIR)/etc/init.d/ + install vm-init.d/qubes-netwatcher $(DESTDIR)/etc/init.d/ + install vm-init.d/qubes-qrexec-agent $(DESTDIR)/etc/init.d/ + install vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/ + install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules + install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules + + +install-rh: install-systemd install-sysvinit + install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab + install -D 
-m 0644 misc/qubes-r2.repo $(DESTDIR)/etc/yum.repos.d/qubes-r2.repo install -d $(DESTDIR)/usr/share/glib-2.0/schemas/ install -m 0644 misc/org.gnome.settings-daemon.plugins.updates.gschema.override $(DESTDIR)/usr/share/glib-2.0/schemas/ @@ -70,9 +84,6 @@ install-rh: install -m 644 misc/RPM-GPG-KEY-qubes* $(DESTDIR)/etc/pki/rpm-gpg/ install -D -m 644 misc/session-stop-timeout.conf $(DESTDIR)/usr/lib/systemd/system/user@.service.d/90-session-stop-timeout.conf - install -D misc/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules - install -D misc/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules - install -d $(DESTDIR)/etc/yum.conf.d touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf diff --git a/debian/control b/debian/control index 62967a7..2523068 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: qubes-core-agent Section: admin Priority: extra Maintainer: Davíð Steinn Geirsson -Build-Depends: qubes-utils, libvchan-xen-dev, python, debhelper, quilt, libxen-dev +Build-Depends: qubes-utils, libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5) Standards-Version: 3.9.3 Homepage: http://www.qubes-os.org Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git diff --git a/debian/init.d b/debian/init.d deleted file mode 100644 index 1ec6ad9..0000000 --- a/debian/init.d +++ /dev/null 
@@ -1,224 +0,0 @@ -#!/bin/sh -### BEGIN INIT INFO -# Provides: qubes-core-agent -# Required-Start: $network $local_fs $remote_fs -# Required-Stop: -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Qubes qrexec agent -# Description: The qrexec agent runs in qubes domU domains. It runs -# commands on request from dom0. -### END INIT INFO - -# Author: Davíð Steinn Geirsson -# Most of this script is copied from vm-init.d/qubes-core with -# some fedora-specific stuff removed. - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC=qrexec-agent -NAME=qrexec-agent -DAEMON=/usr/lib/qubes/qrexec-agent -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME - -# Exit if the package is not installed -[ -x $DAEMON ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - - # Ensure necessary modules are loaded - modprobe xen_evtchn - modprobe u2mfn - - - # Set permissions to /proc/xen/xenbus, so normal user can use xenstore-read - chmod 666 /proc/xen/xenbus - # Set permissions to files needed to listen at vchan - chmod 666 /proc/u2mfn - - mkdir -p /var/run/xen-hotplug - - name=$(/usr/sbin/xenstore-read name) - if ! [ -f /etc/this-is-dvm ] ; then - # we don't want to set hostname for DispVM - # because it makes some of the pre-created dotfiles invalid (e.g. .kde/cache-) - # (let's be frank: nobody's gonna use xterm on DispVM) - if ! 
[ -z "$name" ]; then - echo $name > /etc/hostname - hostname $name - grep '127.0.1.1' /etc/hosts > /dev/null - if [ $? -ne 0 ]; then - echo "127.0.1.1 $name" >> /etc/hosts - else - sed -i "s/127\.0\.1\.1.*/127.0.1.1 $name/" /etc/hosts - fi - fi - fi - - timezone=`/usr/sbin/xenstore-read qubes-timezone 2> /dev/null` - if [ -n "$timezone" ]; then - ln -f /usr/share/zoneinfo/$timezone /etc/localtime - fi - - # Set IP address again (besides action in udev rules); this is needed by - # DispVM (to override DispVM-template IP) and in case when qubes-ip was - # called by udev before loading evtchn kernel module - in which case - # xenstore-read fails - INTERFACE=eth0 /usr/lib/qubes/setup-ip - - mkdir -p /var/run/qubes - - if [ -e /dev/xvdb ] ; then - resize2fs /dev/xvdb 2> /dev/null || echo "'resize2fs /dev/xvdb' failed" - mount /rw - - if ! [ -d /rw/home ] ; then - echo - echo "--> Virgin boot of the VM: Linking /home to /rw/home" - - mkdir -p /rw/config - touch /rw/config/rc.local - - mkdir -p /rw/home - cp -a /home.orig/user /rw/home - - mkdir -p /rw/usrlocal - cp -a /usr/local.orig/* /rw/usrlocal - - touch /var/lib/qubes/first-boot-completed - fi - fi - if [ -L /home ]; then - rm /home - mkdir /home - fi - mount /home - - [ -x /rw/config/rc.local ] && /rw/config/rc.local - - - start-stop-daemon --start --quiet -b --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet -b --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" 
- [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" 
in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/debian/rules b/debian/rules index dc13a10..2923714 100755 --- a/debian/rules +++ b/debian/rules @@ -7,17 +7,21 @@ export DESTDIR=$(shell pwd)/debian/qubes-core-agent %: - dh $@ + dh $@ --with systemd override_dh_auto_build: make all override_dh_auto_install: - make install-common install-deb + make install-common install-deb install-systemd make -C qrexec install override_dh_fixperms: dh_fixperms -a -Xqfile-unpacker -override_dh_installinit: - dh_installinit --no-restart-on-upgrade +override_dh_systemd_start: + dh_systemd_start --no-restart-on-upgrade + +override_dh_auto_clean: + dh_auto_clean + rm -f deb/* rpm/*/* diff --git a/vm-systemd/qubes-qrexec-agent.service b/vm-systemd/qubes-qrexec-agent.service index 483e694..e08e986 100644 --- a/vm-systemd/qubes-qrexec-agent.service +++ b/vm-systemd/qubes-qrexec-agent.service @@ -8,3 +8,4 @@ StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-core-agent.service diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 2a4ad5b..0f236c0 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -8,7 +8,9 @@ DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM updates-proxy-setup" DEFAULT_ENABLED="meminfo-writer" XS_READ=/usr/bin/xenstore-read +[ -x /usr/sbin/xenstore-read ] && XS_READ=/usr/sbin/xenstore-read XS_LS=/usr/bin/xenstore-ls +[ -x /usr/sbin/xenstore-read ] && XS_LS=/usr/sbin/xenstore-ls read_service() { $XS_READ qubes-service/$1 2> /dev/null 
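Review bot: The added fallback for XS_LS probes the wrong binary: `[ -x /usr/sbin/xenstore-read ] && XS_LS=/usr/sbin/xenstore-ls` tests for xenstore-read and then assigns the path of xenstore-ls, so XS_LS can end up naming a file that is not there while the test passes, or stay at /usr/bin/xenstore-ls when /usr/sbin/xenstore-ls is the one that exists. It should read `[ -x /usr/sbin/xenstore-ls ] && XS_LS=/usr/sbin/xenstore-ls`. A comment above the two probes such as `# xenstore tools live in /usr/bin on Fedora and /usr/sbin on Debian` would explain why both locations are checked.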
@@ -36,10 +38,10 @@ chmod 666 /proc/u2mfn
 
 # Set default services depending on VM type
 TYPE=`$XS_READ qubes-vm-type 2> /dev/null`
-[ "$TYPE" == "AppVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_APPVM
-[ "$TYPE" == "NetVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_NETVM
-[ "$TYPE" == "ProxyVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_PROXYVM
-[ "$TYPE" == "TemplateVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_TEMPLATEVM
+[ "$TYPE" = "AppVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_APPVM
+[ "$TYPE" = "NetVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_NETVM
+[ "$TYPE" = "ProxyVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_PROXYVM
+[ "$TYPE" = "TemplateVM" ] && DEFAULT_ENABLED=$DEFAULT_ENABLED_TEMPLATEVM
 
 # Enable default services
 for srv in $DEFAULT_ENABLED; do
From 4ee0de9fb81615a91259e64a85b32e73e4a03985 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Tue, 30 Sep 2014 00:36:53 +0200 Subject: [PATCH 13/22] updates-proxy-setup: support setting proxy for apt (#887) --- vm-systemd/misc-post.sh | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh
index d667080..82f7745 100755
--- a/vm-systemd/misc-post.sh
+++ b/vm-systemd/misc-post.sh
@@ -1,9 +1,19 @@
 #!/bin/sh
 
 if [ -f /var/run/qubes-service/yum-proxy-setup -o -f /var/run/qubes-service/updates-proxy-setup ]; then
- echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
+ if [ -d /etc/apt/apt.conf.d ]; then
+ echo 'Acquire::http::Proxy "http://10.137.255.254:8082/;"' >> /etc/apt/apt.conf.d/01qubes-proxy
+ fi
+ if [ -d /etc/yum.conf.d ]; then
+ echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
+ fi
 else
- echo > /etc/yum.conf.d/qubes-proxy.conf
+ if [ -d /etc/apt/apt.conf.d ]; then
+ rm -f /etc/apt/apt.conf.d/01qubes-proxy
+ fi
+ if [ -d /etc/yum.conf.d ]; then
+ echo > /etc/yum.conf.d/qubes-proxy.conf
+ fi
 fi
 
 # Set IP address again (besides action in udev rules); this is needed by
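Review bot: The apt branch appends (`echo 'Acquire::http::Proxy ...' >> /etc/apt/apt.conf.d/01qubes-proxy`) while the yum branch right next to it overwrites with `>`, so every boot with the service enabled adds one more copy of the directive and the file grows without bound. Writing with `>` makes the file hold exactly one line no matter how often the script runs. The same `>>` survives into the patch 18 hunk on vm-systemd/misc-post.sh (`@@ -2,7 +2,7 @@`) that fixes the quoting of this line, so it should be changed there as well.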
From 7339dd1ece24aa0e9b8d6dc455482f0b7dacccc8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Tue, 30 Sep 2014 03:29:58 +0200 Subject: [PATCH 14/22] Introduce qubes.SetDateTime service for time synchronization It would be called by qvm-sync-clock instead of 'date' directly. This gives a lot of flexibility - VM can control whether it want to sync time this way. For now slight corrections (+-2sec) are ignored to not cause problems by frequent time changes. But it can be easily extended to refuse time sync when some other mechanism is used. --- Makefile | 1 + qubes-rpc/qubes.SetDateTime | 11 +++++++++++ rpm_spec/core-vm.spec | 1 + 3 files changed, 13 insertions(+) create mode 100644 qubes-rpc/qubes.SetDateTime
diff --git a/Makefile b/Makefile
index 928f83c..97d0ead 100644
--- a/Makefile
+++ b/Makefile
@@ -167,6 +167,7 @@ install-common:
 install -m 0644 qubes-rpc/qubes.{Backup,Restore} $(DESTDIR)/etc/qubes-rpc
 install -m 0644 qubes-rpc/qubes.Select{File,Directory} $(DESTDIR)/etc/qubes-rpc
 install -m 0644 qubes-rpc/qubes.GetImageRGBA $(DESTDIR)/etc/qubes-rpc
+ install -m 0644 qubes-rpc/qubes.SetDateTime $(DESTDIR)/etc/qubes-rpc
 
 install -d $(DESTDIR)/usr/share/file-manager/actions
 install -m 0644 qubes-rpc/*-gnome.desktop $(DESTDIR)/usr/share/file-manager/actions
diff --git a/qubes-rpc/qubes.SetDateTime b/qubes-rpc/qubes.SetDateTime
new file mode 100644
index 0000000..6ecc9e6
--- /dev/null
+++ b/qubes-rpc/qubes.SetDateTime
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# it is in format of `date -u -Iseconds`, example: 2014-09-29T22:59:21+0000
+# it comes from dom0, so is trusted
+read timestamp
+timediff=$(( `date -u +'+%Y%m%d%H%M%S'` - `date -u -d "$timestamp" +'+%Y%m%d%H%M%S'` ))
+if [ $timediff -le 2 -a $timediff -ge -2 ]; then
+ # don't bother
+ exit 0
+fi
+date -u -s "$timestamp"
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index 131eed0..0af2b77 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
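Review bot: `timediff` is the difference of two `%Y%m%d%H%M%S` values taken as plain integers, not a number of seconds, so the ±2 window is only right when both timestamps fall in the same minute: 22:59:59 and 23:00:01 are two seconds apart but give 42, and an hour or day boundary gives far larger values. Comparing epoch seconds fixes this: `now=$(date -u +%s)`, `target=$(date -u -d "$timestamp" +%s)`, `timediff=$(( now - target ))`. Today the consequence is an unnecessary `date -s` rather than a missed one, but the commit message says this check is meant to be extended, so the unit should be correct first. Two smaller points: `read -r timestamp` keeps any backslash in the input literal, and when `date -d` cannot parse the input its empty output leaves the second operand of `$(( ))` blank, so the script dies with an arithmetic error rather than a clear message; a `[ -n "$target" ]` check would keep the "trusted because it comes from dom0" assumption from the header comment explicit in the code.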
@@ -320,6 +320,7 @@ rm -f %{name}-%{version}
 /etc/qubes-rpc/qubes.SelectFile
 /etc/qubes-rpc/qubes.SelectDirectory
 /etc/qubes-rpc/qubes.GetImageRGBA
+/etc/qubes-rpc/qubes.SetDateTime
 %config(noreplace) /etc/sudoers.d/qubes
 %config(noreplace) /etc/sysconfig/iptables
 %config(noreplace) /etc/sysconfig/ip6tables
From a2e17ef24474c3e9b80a3a6f290f120defe5e6f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 19 Oct 2014 04:11:15 +0200 Subject: [PATCH 15/22] systemd: fix 'service' path On Fedora it is all the same because /sbin -> /usr/sbin symlink. But on Debian it does matter. --- vm-systemd/misc-post.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh
index 82f7745..6b37887 100755
--- a/vm-systemd/misc-post.sh
+++ b/vm-systemd/misc-post.sh
@@ -62,7 +62,7 @@ fi
 # Start AppVM specific services
 if [ ! -f /etc/systemd/system/cups.service ]; then
 if [ -f /var/run/qubes-service/cups ]; then
- /sbin/service cups start
+ /usr/sbin/service cups start
 # Allow also notification icon
 sed -i -e '/^NotShowIn=.*QUBES/s/;QUBES//' /etc/xdg/autostart/print-applet.desktop
 else
From be266a00dd22142905af317de7a95f64762d9501 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 19 Oct 2014 04:32:57 +0200 Subject: [PATCH 16/22] Include /rw in the package On Fedora it was created in %post, but on Debian not. Unify it to simply provide the directory as standard package content. --- Makefile | 1 + rpm_spec/core-vm.spec | 1 + 2 files changed, 2 insertions(+)
diff --git a/Makefile b/Makefile
index 97d0ead..6579547 100644
--- a/Makefile
+++ b/Makefile
@@ -181,6 +181,7 @@ install-common:
 install -d $(DESTDIR)/var/run/qubes
 install -d $(DESTDIR)/home_volatile/user
+ install -d $(DESTDIR)/rw
 install-deb:
 mkdir -p $(DESTDIR)/etc/apt/sources.list.d
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index 0af2b77..7b229d6 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -387,6 +387,7 @@ rm -f %{name}-%{version}
 %dir /home_volatile
 %attr(700,user,user) /home_volatile/user
 %dir /mnt/removable
+%dir /rw
 %package sysvinit
 Summary: Qubes unit files for SysV init style or upstart
From 20a2cfbce747f662a3393f584c1aa29ae1384c1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Tue, 21 Oct 2014 05:29:20 +0200 Subject: [PATCH 17/22] debian: custom dh_auto_clean no longer needed qubes-builder now takes care of it --- debian/rules | 4 ---- 1 file changed, 4 deletions(-)
diff --git a/debian/rules b/debian/rules
index 2923714..ff4db5c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -21,7 +21,3 @@ override_dh_fixperms:
 
 override_dh_systemd_start:
 dh_systemd_start --no-restart-on-upgrade
-
-override_dh_auto_clean:
- dh_auto_clean
- rm -f deb/* rpm/*/*
From 15f3a1b8d04634fb3e9f578d46c148706054a511 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 24 Oct 2014 00:45:39 +0200 Subject: [PATCH 18/22] debian: fix proxy setup --- vm-systemd/misc-post.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh
index 6b37887..f4169e7 100755
--- a/vm-systemd/misc-post.sh
+++ b/vm-systemd/misc-post.sh
@@ -2,7 +2,7 @@
 
 if [ -f /var/run/qubes-service/yum-proxy-setup -o -f /var/run/qubes-service/updates-proxy-setup ]; then
 if [ -d /etc/apt/apt.conf.d ]; then
- echo 'Acquire::http::Proxy "http://10.137.255.254:8082/;"' >> /etc/apt/apt.conf.d/01qubes-proxy
+ echo 'Acquire::http::Proxy "http://10.137.255.254:8082/";' >> /etc/apt/apt.conf.d/01qubes-proxy
 fi
 if [ -d /etc/yum.conf.d ]; then
 echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
From d208e9baa543802b39f84f2056995be8dc877834 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sat, 25 Oct 2014 01:49:58 +0200 Subject: [PATCH 19/22] version 2.1.42 --- debian/changelog | 22 ++++++++++++++++++++++ version | 2 +- 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index a5d67a9..9a1924c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,25 @@
+qubes-core-agent (2.1.42) jessie; urgency=medium
+
+ * firewall: show error message only on actual error
+ * Avoid 100MB reserved space in private ext4 partition
+ * gui-fatal: do not run as root
+ * fedora: workaround slow system shutdown (#852)
+ * Rename qubes-yum-proxy service to qubes-updates-proxy
+ * Rename yum-proxy-setup service to updates-proxy-setup
+ * updates-proxy: add rules for debian repositories (#887)
+ * qrexec: check for setuid() error when calling zenity/kdialog
+ * Use systemd mechanism for loading kernel modules (when available)
+ * Add missing u2mfn module load
+ * archlinux: modules-load.d handled now in generic files
+ * debian: migrate to native systemd services
+ * updates-proxy-setup: support setting proxy for apt (#887)
+ * Introduce qubes.SetDateTime service for time synchronization
+ * systemd: fix 'service' path
+ * Include /rw in the package
+ * debian: custom dh_auto_clean no longer needed
+
+ -- Marek Marczykowski-Górecki Sat, 25 Oct 2014 01:49:58 +0200
+
 qubes-core-agent (2.1.41) jessie; urgency=medium
 
 [ Marek Marczykowski-Górecki ]
diff --git a/version b/version
index b2581af..0f72d83 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-2.1.41
+2.1.42
From 0613a5896179cb2408ae2af274409f5bd7d071e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 27 Oct 2014 12:25:45 +0100 Subject: [PATCH 20/22] Improve handling of .desktop files Instead of directly using Exec= line, parse the file (at the launch time) with Gio library. The main reason for this change is to handle Terminal= option, but generally this approach should be more bulletproof, especially when some fancy options are present in desktop files. --- Makefile | 1 + misc/qubes-desktop-run | 11 +++++++++++ qubes-rpc/qubes.GetAppmenus | 3 ++- rpm_spec/core-vm.spec | 1 + 4 files changed, 15 insertions(+), 1 deletion(-) create mode 100755 misc/qubes-desktop-run
diff --git a/Makefile b/Makefile
index 6579547..6096db4 100644
--- a/Makefile
+++ b/Makefile
@@ -172,6 +172,7 @@ install-common:
 install -d $(DESTDIR)/usr/share/file-manager/actions
 install -m 0644 qubes-rpc/*-gnome.desktop $(DESTDIR)/usr/share/file-manager/actions
+ install -D -m 0755 misc/qubes-desktop-run $(DESTDIR)/usr/bin/qubes-desktop-run
 install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf
 install -d $(DESTDIR)/mnt/removable
diff --git a/misc/qubes-desktop-run b/misc/qubes-desktop-run
new file mode 100755
index 0000000..14e3f8b
--- /dev/null
+++ b/misc/qubes-desktop-run
@@ -0,0 +1,11 @@
+#!/usr/bin/python
+
+from gi.repository import Gio
+import sys
+
+def main(myname, desktop, *files):
+ launcher = Gio.DesktopAppInfo.new_from_filename(desktop)
+ launcher.launch(files, None)
+
+if __name__ == "__main__":
+ main(*sys.argv)
diff --git a/qubes-rpc/qubes.GetAppmenus b/qubes-rpc/qubes.GetAppmenus
index 71e7b33..e26b15b 100644
--- a/qubes-rpc/qubes.GetAppmenus
+++ b/qubes-rpc/qubes.GetAppmenus
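Review bot: `launcher.launch(files, None)` hands the leftover argv entries to Gio.AppInfo.launch() as plain strings, but that method takes a list of Gio.File objects (launch_uris() is the string-taking variant), so any invocation that passes file arguments fails at the call. Convert them first: `gfiles = [Gio.File.new_for_commandline_arg(f) for f in files]` and `launcher.launch(gfiles, None)`. `new_from_filename()` returns None when the desktop file is missing or invalid, and `main(*sys.argv)` raises a bare TypeError when fewer than two arguments are given; since this lands in /usr/bin, a usage check and an error message naming the desktop path would make those failures readable. A short module docstring saying that Exec=, Terminal= and the other keys are interpreted by Gio rather than parsed here would carry the intent from the commit message into the file.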
@@ -1 +1,2 @@
-find /usr/share/applications/ /usr/local/share/applications/ -name '*.desktop' | xargs awk '/^\[/ { if (tolower($0) != "\[desktop entry\]") nextfile } /=/ {print FILENAME ":" $0 }' 2> /dev/null
+find /usr/share/applications/ /usr/local/share/applications/ -name '*.desktop' | \
+ xargs awk '/^\[/ { if (tolower($0) != "\[desktop entry\]") nextfile } /^Exec=/ { print FILENAME ":Exec=qubes-desktop-run " FILENAME; next } /=/ {print FILENAME ":" $0 }' 2> /dev/null
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index 7b229d6..43743bf 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -344,6 +344,7 @@ rm -f %{name}-%{version}
 /usr/bin/qvm-run
 /usr/bin/qvm-mru-entry
 /usr/bin/xenstore-watch-qubes
+/usr/bin/qubes-desktop-run
 %dir /usr/lib/qubes
 /usr/lib/qubes/vusb-ctl.py*
 /usr/lib/qubes/dispvm-prerun.sh
From e0d2424d5eed621dcdaf6694652d4166a435f35f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 27 Oct 2014 15:07:06 +0100 Subject: [PATCH 21/22] suspend: do not disable network frontend devices --- qubes-rpc/prepare-suspend | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/qubes-rpc/prepare-suspend b/qubes-rpc/prepare-suspend
index 8e8e738..975e06f 100755
--- a/qubes-rpc/prepare-suspend
+++ b/qubes-rpc/prepare-suspend
@@ -19,6 +19,9 @@ if [ x"$action" == x"suspend" ]; then
 service NetworkManager stop
 # Force interfaces down, just in case when NM didn't done it
 for if in `ls /sys/class/net|grep -v "lo\|vif"`; do
+ if [ "`cat /sys/class/net/$if/device/devtype 2>/dev/null`" == "vif" ]; then
+ continue
+ fi
 ip l s $if down
 done
 LOADED_MODULES=""
From 5d68e2cc7009a1d368c224e9b0a2fc7286e3a210 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 27 Oct 2014 22:39:25 +0100 Subject: [PATCH 22/22] Handle tabs in /etc/hosts --- vm-init.d/qubes-core | 2 +- vm-systemd/qubes-sysinit.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
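Review bot: The generated `Exec=qubes-desktop-run FILENAME` embeds the path unquoted, so a desktop file whose path contains a space yields an Exec= value that splits into two arguments wherever the entry is later executed; wrapping the path in double quotes (`":Exec=qubes-desktop-run \"" FILENAME "\""`) keeps it one argument for any path without embedded quotes or backslashes. The `find | xargs` pipeline has the same whitespace limitation, and `find ... -print0 | xargs -0 awk ...` would carry such names through intact. Both cases are unlikely under /usr/share/applications, so this is a robustness note rather than a blocker.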
diff --git a/vm-init.d/qubes-core b/vm-init.d/qubes-core
index 2ecf8cf..77a71bf 100755
--- a/vm-init.d/qubes-core
+++ b/vm-init.d/qubes-core
@@ -28,7 +28,7 @@ start()
 # because it makes some of the pre-created dotfiles invalid (e.g. .kde/cache-)
 # (let's be frank: nobody's gonna use xterm on DispVM)
 hostname $name
- sed -i "s/^\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
+ sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
 fi
 
 timezone=`/usr/bin/xenstore-read qubes-timezone 2> /dev/null`
diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh
index 0f236c0..8775998 100755
--- a/vm-systemd/qubes-sysinit.sh
+++ b/vm-systemd/qubes-sysinit.sh
@@ -62,7 +62,7 @@ done
 name=`$XS_READ name`
 if [ -n "$name" ]; then
 hostname $name
- sed -i "s/^\(127\.0\.0\.1 .*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
+ sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
 fi
 
 timezone=`$XS_READ qubes-timezone 2> /dev/null`
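Review bot: `\t` inside a bracket expression is a GNU sed extension; POSIX sed, and GNU sed with POSIXLY_CORRECT set, read `[\t ]` as the three literal characters backslash, `t` and space, so a tab after the address would still not match there while a stray backslash would. `[[:blank:]]` matches space or tab portably: `sed -i "s/^\(127\.0\.0\.1[[:blank:]].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts`, and the same change applies to the qubes-sysinit.sh hunk below. Reading the pattern, the literal space before `\($name \)\?` is still mandatory, so a line that is only `127.0.0.1<TAB>localhost` appears not to match even after this change; that is worth checking against the distribution's default /etc/hosts, since the single-entry tab-separated form is exactly what the commit title targets. The `\?` quantifier is itself a GNU extension, so if GNU sed is the accepted baseline the first point reduces to style.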