diff --git a/Makefile b/Makefile
index 6096db4..3fbba15 100644
--- a/Makefile
+++ b/Makefile
@@ -88,21 +88,27 @@ install-rh: install-systemd install-sysvinit
 install -d $(DESTDIR)/etc/yum.conf.d
 touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf
-install-common:
- install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
+ install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/
+ install -d $(DESTDIR)/var/lib/qubes/dom0-updates
+ install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
+ install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
 install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
+ install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables
+ install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
+
+install-common:
+ install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
+ install -d $(DESTDIR)/var/lib/qubes
 install -D misc/xenstore-watch $(DESTDIR)/usr/bin/xenstore-watch-qubes
 install -d $(DESTDIR)/etc/udev/rules.d
 install -m 0644 misc/udev-qubes-misc.rules $(DESTDIR)/etc/udev/rules.d/50-qubes-misc.rules
 install -d $(DESTDIR)/usr/lib/qubes/
- install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/
 install misc/vusb-ctl.py $(DESTDIR)/usr/lib/qubes/
 install misc/qubes-trigger-sync-appmenus.sh $(DESTDIR)/usr/lib/qubes/
- install -D -m 0644 misc/qubes-trigger-sync-appmenus.action $(DESTDIR)/etc/yum/post-actions/qubes-trigger-sync-appmenus.action
 install -D misc/polkit-1-qubes-allow-all.pkla $(DESTDIR)/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla
 install -D misc/polkit-1-qubes-allow-all.rules $(DESTDIR)/etc/polkit-1/rules.d/00-qubes-allow-all.rules
 install -D -m 0644 misc/mime-globs $(DESTDIR)/usr/share/qubes/mime-override/globs
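Review bot: `install misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/` now runs from install-rh, but the `install -d $(DESTDIR)/usr/lib/qubes/` that creates that directory stays in install-common, and `install-vm: install-rh install-common` (visible in the install-deb hunk) runs install-rh first — or both concurrently under `make -j` — so on a clean DESTDIR this line fails unless an earlier install-rh line outside the hunk creates the directory. `install -D misc/qubes-download-dom0-updates.sh $(DESTDIR)/usr/lib/qubes/qubes-download-dom0-updates.sh` removes the ordering dependency, as the other moved lines already do with `-D`. `install -d $(DESTDIR)/var/lib/qubes/dom0-updates` is fine as moved, since `install -d` creates parents. The install-rh recipe starts before this hunk.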
@@ -129,8 +135,6 @@ install-common:
 install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
- install -m 0400 -D network/iptables $(DESTDIR)/etc/sysconfig/iptables
- install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
 install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
 install -m 0644 -D network/filter-updates $(DESTDIR)/etc/tinyproxy/filter-updates
 install -m 0755 -D network/iptables-updates-proxy $(DESTDIR)/usr/lib/qubes/iptables-updates-proxy
@@ -176,7 +180,6 @@ install-common:
 install -D misc/nautilus-actions.conf $(DESTDIR)/etc/xdg/nautilus-actions/nautilus-actions.conf
 install -d $(DESTDIR)/mnt/removable
- install -d $(DESTDIR)/var/lib/qubes/dom0-updates
 install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf
@@ -188,5 +191,9 @@ install-deb:
 mkdir -p $(DESTDIR)/etc/apt/sources.list.d
 sed -e "s/@DIST@/`cat /etc/debian_version | cut -d/ -f 1`/" misc/qubes-r2.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r2.list
 install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
+ install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4
+ install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6
+ install -d $(DESTDIR)/etc/sysctl.d
+ install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
 install-vm: install-rh install-common
diff --git a/debian/control b/debian/control
index a4e6164..8f57a9a 100644
--- a/debian/control
+++ b/debian/control
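Review bot: The firewall rule files are installed world-readable in the install-deb hunk (`-m 644` for rules.v4 and rules.v6) while the same two sources go to /etc/sysconfig with `-m 0400` in the install-rh hunk; unless iptables-persistent needs them readable by a non-root user, `install -D -m 0400 network/iptables $(DESTDIR)/etc/iptables/rules.v4` (and likewise for rules.v6) keeps the two packagings consistent and keeps the ruleset out of reach of unprivileged users in the VM. The `644` spelling also differs from the `0644` used elsewhere in the file, which is minor but worth aligning. The install-deb recipe starts before this hunk.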
@@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git
 Package: qubes-core-agent
 Architecture: any
-Depends: qubes-utils, libvchan-xen, xenstore-utils, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, ${shlibs:Depends}, ${misc:Depends}
+Depends: qubes-utils, libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, tinyproxy, ethtool, python2.7, init-system-helpers, ${shlibs:Depends}, ${misc:Depends}
 Conflicts: qubes-core-agent-linux
 Description: Qubes core agent
 This package includes various daemons necessary for qubes domU support,
diff --git a/debian/files b/debian/files
deleted file mode 100644
index 67ae435..0000000
--- a/debian/files
+++ /dev/null
@@ -1 +0,0 @@
-qubes-core-agent_2.1.33_amd64.deb admin extra
diff --git a/debian/postinst b/debian/postinst
index 39a707b..4c9e94e 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -105,13 +105,21 @@ case "$1" in
 # Revert 'Prevent unnecessary updates in VMs':
 #sed -i -e '/^exclude = kernel/d' /etc/yum.conf
- # qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
- #if ! grep -q localhost /etc/hosts; then
- cat < /etc/hosts
-127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
-::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
-EOF
- #fi
+ # ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
+ # in the form expected by qubes-sysinit.sh
+ for ip in '127\.0\.1\.1' '::1'; do
+ if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
+ sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+ sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
+ else
+ echo "${ip} `hostname`" >> /etc/hosts
+ fi
+ done
+ # remove hostname from 127.0.0.1 line (in debian the hostname is by default
+ # resolved to 127.0.1.1)
+ sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+
+ chown user:user /home_volatile/user
 #if [ "$1" != 1 ] ; then
 # # do the rest of %post thing only when updating for the first time...
diff --git a/misc/dispvm-prerun.sh b/misc/dispvm-prerun.sh
index 8bb2583..9489144 100755
--- a/misc/dispvm-prerun.sh
+++ b/misc/dispvm-prerun.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 apps="evince /usr/libexec/evinced soffice firefox"
diff --git a/misc/qubes-r2.list.in b/misc/qubes-r2.list.in
index 77a444f..0ab7837 100644
--- a/misc/qubes-r2.list.in
+++ b/misc/qubes-r2.list.in
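Review bot: The output of `hostname` is spliced into the sed patterns and replacements unescaped, and it is re-run for every sed and echo line; a name containing `.` matches any character in the pattern, and one containing `/`, `&` or `\` breaks the expression outright. Capturing it once — `host=$(hostname)` — and rejecting anything outside `[A-Za-z0-9.-]` before the loop (`case $host in *[!A-Za-z0-9.-]*|"") exit 1;; esac`) makes the /etc/hosts edit predictable. The identical block added to rpm_spec/core-vm.spec (with 127.0.0.1) has the same issue and should be fixed in step. `chown user:user /home_volatile/user` is unconditional and fails when the path or account is absent; `[ -d /home_volatile/user ] && chown user:user /home_volatile/user` avoids a failed postinst for that. The enclosing `case "$1" in` branch starts and ends outside the hunk.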
@@ -1,11 +1,11 @@
 # Main qubes updates repository
-deb http://deb.qubes-os.org/r2/vm @DIST@ main
+deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@ main
 deb-src http://deb.qubes-os.org/r2/vm @DIST@ main
 # Qubes updates candidates repository
-#deb http://deb.qubes-os.org/r2/vm @DIST@-testing main
+#deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@-testing main
 #deb-src http://deb.qubes-os.org/r2/vm @DIST@-testing main
 # Qubes experimental/unstable repository
-#deb http://deb.qubes-os.org/r2/vm @DIST@-unstable main
+#deb [arch=amd64] http://deb.qubes-os.org/r2/vm @DIST@-unstable main
 #deb-src http://deb.qubes-os.org/r2/vm @DIST@-unstable main
diff --git a/network/80-qubes.conf b/network/80-qubes.conf
new file mode 100644
index 0000000..119d730
--- /dev/null
+++ b/network/80-qubes.conf
@@ -0,0 +1 @@
+net.ipv4.ip_forward=1
diff --git a/network/qubes-firewall b/network/qubes-firewall
index 9f8aa44..35a23a1 100755
--- a/network/qubes-firewall
+++ b/network/qubes-firewall
@@ -23,8 +23,8 @@ while true; do
 TRIGGER=reload
 else
 # Wait for changes in xenstore file
- /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
- TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
+ xenstore-watch-qubes $XENSTORE_IPTABLES
+ TRIGGER=$(xenstore-read $XENSTORE_IPTABLES)
 fi
 if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
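Review bot: `net.ipv4.ip_forward=1` is installed into /etc/sysctl.d by install-deb for every VM built from this package, so an ordinary Debian AppVM will have IPv4 forwarding on from boot, whereas qubes-firewall in this same commit treats forwarding as something only the firewall/proxy role manages (it clears it while rules are reloaded). If a blanket default is intended, a one-line comment in the file saying why (`# forwarding needed for NetVM/ProxyVM roles; harmless elsewhere because ...`) would document it; otherwise enabling it at runtime from the network-proxy-setup path keeps non-network VMs at the kernel default. The file is one line, so nothing is cut off.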
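Review bot: Dropping the absolute paths makes these root-run daemon lines (`xenstore-watch-qubes`, `xenstore-read`) depend on whatever PATH the service manager hands the script, and no PATH assignment is visible in the hunk, while qubes-setup-dnat-to-ns in this same commit sets `export PATH=$PATH:/sbin:/bin` explicitly. Setting PATH once near the top of the script to a fixed root-owned list, `PATH=/usr/sbin:/usr/bin:/sbin:/bin`, keeps the lookup deterministic regardless of how the service is launched. The same applies to the bare-name replacements in qubes-netwatcher and vm-systemd/network-proxy-setup.sh. The while loop starts before this hunk.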
@@ -34,19 +34,19 @@ while true; do
 # during the time when the rules are being (re)applied
 echo "0" > /proc/sys/net/ipv4/ip_forward
- RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER)
- IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
- OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || true`
+ RULES=$(xenstore-read $XENSTORE_IPTABLES_HEADER)
+ IPTABLES_SAVE=$(iptables-save | sed '/^\*filter/,/^COMMIT/d')
+ OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | iptables-restore 2>&1 || true`
 for i in $(xenstore-list qubes-iptables-domainrules) ; do
- RULES=$(/usr/bin/xenstore-read qubes-iptables-domainrules/"$i")
+ RULES=$(xenstore-read qubes-iptables-domainrules/"$i")
 ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true`
 if [ -n "$ERRS" ]; then
 echo "Failed applying rules for $i: $ERRS" >&2
 OUT="$OUT$ERRS"
 fi
 done
- /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT"
+ xenstore-write $XENSTORE_ERROR "$OUT"
 if [ -n "$OUT" ]; then
 DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
 fi
diff --git a/network/qubes-netwatcher b/network/qubes-netwatcher
index 0acab7f..81edffe 100755
--- a/network/qubes-netwatcher
+++ b/network/qubes-netwatcher
@@ -11,9 +11,9 @@ echo $$ >$PIDFILE
 trap 'exit 0' SIGTERM
 while true; do
- NET_DOMID=$(/usr/bin/xenstore-read qubes-netvm-domid || :)
+ NET_DOMID=$(xenstore-read qubes-netvm-domid || :)
 if [[ -n "$NET_DOMID" ]] && [[ $NET_DOMID -gt 0 ]]; then
- UNTRUSTED_NETCFG=$(/usr/bin/xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :)
+ UNTRUSTED_NETCFG=$(xenstore-read /local/domain/$NET_DOMID/qubes-netvm-external-ip || :)
 # UNTRUSTED_NETCFG is not parsed in any way
 # thus, no sanitization ready
 # but be careful when passing it to other shell scripts
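Review bot: After this change `iptables-save` and `iptables-restore` are resolved through PATH while the unchanged line two below, `ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true``, still hard-codes /sbin/iptables-restore; if the PATH-based form is the intended style that line should follow it, otherwise the header rules and the per-domain rules may be applied by different binaries whenever PATH resolves a different iptables-restore. `DISPLAY=:0 /usr/bin/notify-send` further down keeps its absolute path too, so the hunk now mixes both conventions. The while loop continues outside the hunk.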
@@ -21,11 +21,11 @@ while true; do
 /sbin/service qubes-firewall stop
 /sbin/service qubes-firewall start
 CURR_NETCFG="$UNTRUSTED_NETCFG"
- /usr/bin/xenstore-write qubes-netvm-external-ip "$CURR_NETCFG"
+ xenstore-write qubes-netvm-external-ip "$CURR_NETCFG"
 fi
- /usr/bin/xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid
+ xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes-netvm-external-ip qubes-netvm-domid
 else
- /usr/bin/xenstore-watch -n 2 qubes-netvm-domid
+ xenstore-watch -n 2 qubes-netvm-domid
 fi
 done
diff --git a/network/qubes-setup-dnat-to-ns b/network/qubes-setup-dnat-to-ns
index 6a30126..a1f9bc1 100755
--- a/network/qubes-setup-dnat-to-ns
+++ b/network/qubes-setup-dnat-to-ns
@@ -10,7 +10,7 @@ addrule()
 fi
 }
 export PATH=$PATH:/sbin:/bin
-source /var/run/qubes/qubes-ns
+. /var/run/qubes/qubes-ns
 if [ "X"$NS1 = "X" ] ; then exit ; fi
 iptables -t nat -F PR-QBS
 FIRSTONE=yes
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index 43cbf9f..2a71a9c 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -210,6 +210,17 @@ if ! grep -q localhost /etc/hosts; then
 EOF
 fi
+# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
+# in the form expected by qubes-sysinit.sh
+for ip in '127\.0\.0\.1' '::1'; do
+ if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
+ sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
+ sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
+ else
+ echo "${ip} `hostname`" >> /etc/hosts
+ fi
+done
+
 if [ "$1" != 1 ] ; then
 # do the rest of %post thing only when updating for the first time...
 exit 0
diff --git a/vm-systemd/network-proxy-setup.sh b/vm-systemd/network-proxy-setup.sh
index 020edb2..2227920 100755
--- a/vm-systemd/network-proxy-setup.sh
+++ b/vm-systemd/network-proxy-setup.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 # Setup gateway for all the VMs this netVM is serviceing...
-network=$(/usr/bin/xenstore-read qubes-netvm-network 2>/dev/null)
+network=$(xenstore-read qubes-netvm-network 2>/dev/null)
 if [ "x$network" != "x" ]; then
- gateway=$(/usr/bin/xenstore-read qubes-netvm-gateway)
- netmask=$(/usr/bin/xenstore-read qubes-netvm-netmask)
- secondary_dns=$(/usr/bin/xenstore-read qubes-netvm-secondary-dns)
+ gateway=$(xenstore-read qubes-netvm-gateway)
+ netmask=$(xenstore-read qubes-netvm-netmask)
+ secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
 modprobe netbk 2> /dev/null || modprobe xen-netback
 echo "NS1=$gateway" > /var/run/qubes/qubes-ns
 echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
diff --git a/vm-systemd/prepare-dvm.sh b/vm-systemd/prepare-dvm.sh
index bdd1506..c0f30a8 100755
--- a/vm-systemd/prepare-dvm.sh
+++ b/vm-systemd/prepare-dvm.sh
@@ -29,7 +29,7 @@ if xenstore-read qubes-save-request 2>/dev/null ; then
 echo "Waiting for save/restore..."
 # ... wait until qubes-restore.c (in Dom0) recreates VM-specific keys
 while ! xenstore-read qubes-restore-complete 2>/dev/null ; do
- usleep 10000
+ sleep 0.01
 done
 echo Back to life.
 fi
diff --git a/vm-systemd/qubes-qrexec-agent.service b/vm-systemd/qubes-qrexec-agent.service
index e08e986..38d8f71 100644
--- a/vm-systemd/qubes-qrexec-agent.service
+++ b/vm-systemd/qubes-qrexec-agent.service
@@ -3,6 +3,7 @@ Description=Qubes remote exec agent
 After=qubes-dvm.service
 [Service]
+ExecStartPre=/bin/sh -c '[ -e /dev/xen/evtchn ] || modprobe xen_evtchn'
 ExecStart=/usr/lib/qubes/qrexec-agent
 StandardOutput=syslog
diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh
index 0b3e6ca..54f7138 100755
--- a/vm-systemd/qubes-sysinit.sh
+++ b/vm-systemd/qubes-sysinit.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # List of services enabled by default (in case of absence of xenstore entry)
 DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy"
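Review bot: The values the changed lines read (`gateway`, `secondary_dns`) are written verbatim as shell assignments into /var/run/qubes/qubes-ns, which qubes-setup-dnat-to-ns sources with `. /var/run/qubes/qubes-ns` in this same commit, so anything in those xenstore keys that is not a plain address is interpreted as shell there. The keys are set by dom0, so this is a robustness point rather than a trust-boundary one, but a dotted-quad check before the `echo` lines, `case $gateway in *[!0-9.]*|"") echo "bad qubes-netvm-gateway" >&2; exit 1;; esac`, costs one line per value. The `if` block continues outside the hunk.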
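Review bot: `sleep 0.01` relies on GNU coreutils accepting fractional seconds; POSIX sleep takes only an integer, so with a different sleep implementation this loop would error on every iteration rather than wait. Presumably the change is there because usleep is not available on the Debian target; a comment recording that, `# fractional sleep needs GNU coreutils (usleep is not available here)`, would keep the next maintainer from reverting it. The `if` block opens before the hunk.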
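Review bot: The new ExecStartPre spawns /bin/sh only to test for /dev/xen/evtchn before modprobe, but modprobe already exits 0 when the module is loaded or built in, so `ExecStartPre=/sbin/modprobe xen_evtchn` does the same without a shell, and a modules-load.d drop-in would load it without touching the unit at all. If the shell test is needed for a case modprobe does not cover, a comment above the line stating which would document it. The same test-then-modprobe pattern is added to qubes-sysinit.sh in this commit.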
@@ -33,6 +33,8 @@ mkdir -p /var/run/xen-hotplug
 # Set permissions to /proc/xen/xenbus, so normal user can use xenstore-read
 chmod 666 /proc/xen/xenbus
+
+[ -e /proc/u2mfn ] || modprobe u2mfn
 # Set permissions to files needed to listen at vchan
 chmod 666 /proc/u2mfn
@@ -62,14 +64,24 @@ done
 name=`$XS_READ name`
 if [ -n "$name" ]; then
 hostname $name
- sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
+ if [ -e /etc/debian_version ]; then
+ ipv4_localhost_re="127\.0\.1\.1"
+ else
+ ipv4_localhost_re="127\.0\.0\.1"
+ fi
+ sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
+ sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
 fi
 timezone=`$XS_READ qubes-timezone 2> /dev/null`
 if [ -n "$timezone" ]; then
- ln -f /usr/share/zoneinfo/$timezone /etc/localtime
- echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
- echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
+ cp -p /usr/share/zoneinfo/$timezone /etc/localtime
+ if [ -e /etc/debian_version ]; then
+ echo "$timezone" > /etc/timezone
+ else
+ echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
+ echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
+ fi
 fi
 # Prepare environment for other services
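Review bot: `[ -e /proc/u2mfn ] || modprobe u2mfn` sits between the `# Set permissions to /proc/xen/xenbus` comment and the `# Set permissions to files needed to listen at vchan` one, so neither describes it, and a failed modprobe is followed silently by `chmod 666 /proc/u2mfn` failing as well. A comment of its own, `# u2mfn provides /proc/u2mfn; load it before adjusting its permissions`, plus `modprobe u2mfn || echo "qubes-sysinit: cannot load u2mfn" >&2` on the new line would make the failure visible in the journal. The setup sequence continues on both sides of the hunk.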
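Review bot: The two new sed lines replace the last whitespace-separated token of the matching line with `${name}` whatever that token is: `^\($ipv4_localhost_re\(\s.*\)*\s\).*$` captures up to the last whitespace, so on a hosts file whose loopback line is just `127.0.0.1 localhost` (or `::1 localhost`) `localhost` itself is overwritten and stops resolving. The postinst and core-vm.spec blocks in this commit append `hostname` as the last token precisely so that this works, which is an undocumented coupling; at minimum a comment above the sed lines, `# assumes the last token of the loopback line is the previous hostname (arranged by postinst / %post)`, should record it. `$name` and `$timezone` are also interpolated unquoted into `hostname $name` and `cp -p /usr/share/zoneinfo/$timezone /etc/localtime`; both come from dom0, but quoting them (and rejecting a timezone containing `..` or starting with `/`) costs one line each. Both `if` blocks start and end within the hunk.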