Merge remote-tracking branch 'nrgaway/r3-templates'

Makefile

@@ -73,7 +73,6 @@ install-sysvinit:
 	install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules
 	install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules
 
-
 install-rh: install-systemd install-sysvinit
 	install -D -m 0644 misc/qubes-r3.repo $(DESTDIR)/etc/yum.repos.d/qubes-r3.repo
 	install -d $(DESTDIR)/usr/share/glib-2.0/schemas/
@@ -86,7 +85,6 @@ install-rh: install-systemd install-sysvinit
 	install -m 644 misc/RPM-GPG-KEY-qubes* $(DESTDIR)/etc/pki/rpm-gpg/
 	install -D -m 644 misc/session-stop-timeout.conf $(DESTDIR)$(LIBDIR)/systemd/system/user@.service.d/90-session-stop-timeout.conf
 
-
 	install -d $(DESTDIR)/etc/yum.conf.d
 	touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf
 

Makefile.builder

@@ -1,7 +1,20 @@
 ifeq ($(PACKAGE_SET),vm)
-RPM_SPEC_FILES := rpm_spec/core-vm.spec \
-    rpm_spec/core-vm-doc.spec \
-    rpm_spec/core-vm-kernel-placeholder.spec
-ARCH_BUILD_DIRS := archlinux
-DEBIAN_BUILD_DIRS := debian
+  RPM_SPEC_FILES := rpm_spec/core-vm.spec \
+  rpm_spec/core-vm-doc.spec \
+  rpm_spec/core-vm-kernel-placeholder.spec
+
+  ifneq ($(filter $(DISTRIBUTION), debian qubuntu),)
+    DEBIAN_BUILD_DIRS := debian
+    SOURCE_COPY_IN := source-debian-quilt-copy-in
+  endif
+
+  ARCH_BUILD_DIRS := archlinux
 endif
+
+source-debian-quilt-copy-in: VERSION = $(shell cat $(ORIG_SRC)/version)
+source-debian-quilt-copy-in: ORIG_FILE = "$(CHROOT_DIR)/$(DIST_SRC)/../qubes-core-agent_$(VERSION).orig.tar.gz"
+source-debian-quilt-copy-in:
+	-$(shell $(ORIG_SRC)/debian-quilt $(ORIG_SRC)/series-debian-vm.conf $(CHROOT_DIR)/$(DIST_SRC)/debian/patches)
+	tar cvfz $(ORIG_FILE) --exclude-vcs --exclude=debian -C $(CHROOT_DIR)/$(DIST_SRC) .
+
+# vim: filetype=make

archlinux/PKGBUILD.install

@@ -209,9 +209,13 @@ pre_install() {
   # Add qubes core related fstab entries
   echo "xen	/proc/xen	xenfs	defaults	0 0" >> /etc/fstab
 
+  # Add a qubes group
+  groupadd --force --system --gid 98 qubes
+
   # Archlinux bash version has a 'bug' when running su -c, /etc/profile is not loaded because bash consider there is no interactive pty when running 'su - user -c' or something like this.
   # See https://bugs.archlinux.org/task/31831
   useradd --shell /bin/zsh --create-home user
+  usermod -a --groups qubes user
 }
 
 ## arg 1:  the new package version

debian-quilt

@@ -0,0 +1,31 @@
+#!/bin/bash
+# vim: set ts=4 sw=4 sts=4 et :
+#
+# Given a series.conf file and debian patches directory, patches
+# are copied to debian patch directory
+
+USAGE="${0} <series.conf> <patchdir>"
+
+set -e
+set -o pipefail
+
+DIR="${0%/*}"
+SERIES_CONF="${1}"
+PATCH_DIR="${2}"
+
+if test $# -lt 2 || [ ! -e "${SERIES_CONF}" ] || [ ! -d "${PATCH_DIR}" ] ; then
+	echo "${USAGE}" >&2
+	exit 1
+fi
+
+# Clear patch series.conf file
+rm -f "${PATCH_DIR}/series"
+touch "${PATCH_DIR}/series"
+
+while read patch_file
+do
+    if [ -e "${DIR}/${patch_file}" ]; then
+        echo -e "${patch_file##*/}" >> "${PATCH_DIR}/series"
+        cp "${DIR}/${patch_file}" "${PATCH_DIR}"
+    fi
+done < "${SERIES_CONF}"

debian/changelog

@@ -1,4 +1,4 @@
-qubes-core-agent (3.0.0) jessie; urgency=medium
+qubes-core-agent (3.0.0-1) jessie; urgency=medium
 
   [ Marek Marczykowski-Górecki ]
   * Improve handling of .desktop files

debian/control

@@ -3,7 +3,7 @@ Section: admin
 Priority: extra
 Maintainer: Davíð Steinn Geirsson <david@dsg.is>
 Build-Depends: qubes-utils (>= 2.0.17), libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5)
-Standards-Version: 3.9.3
+Standards-Version: 3.9.5
 Homepage: http://www.qubes-os.org
 Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git
 

debian/qubes-core-agent.dirs

@@ -0,0 +1,2 @@
+var/lib/qubes
+lib/modules

debian/qubes-core-agent.postinst

@@ -413,7 +413,6 @@ case "${1}" in
                     ;;
             esac
         done
-        exit 0
         ;;
 
     *)

debian/qubes-core-agent.preinst

@@ -35,33 +35,31 @@ set -e
 
 if [ "$1" = "install" ] ; then
     # --------------------------------------------------------------------------
-    # Create required directories
+    # Required groups
     # --------------------------------------------------------------------------
-    mkdir -p /var/lib/qubes
-    mkdir -p /lib/modules
-    #mkdir -p -m 0700 /var/log/xen  # xen-utils-common should do this
-
-    # --------------------------------------------------------------------------
-    # Remove `mesg` from root/.profile?
-    # --------------------------------------------------------------------------
-    sed -i -e '/^mesg n/d' /root/.profile
+    groupadd --force --system --gid 98 qubes
+    groupadd --force --system sudo
 
     # --------------------------------------------------------------------------
     # User add / modifications
     # --------------------------------------------------------------------------
     id -u 'user' >/dev/null 2>&1 || {
-        useradd -U -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
+        useradd --user-group --create-home --shell /bin/bash user
     }
     id -u 'tinyproxy' >/dev/null 2>&1 || {
-        useradd -U -r -M --home /run/tinyproxy --shell /bin/false tinyproxy
+        useradd --user-group --system -M --home /run/tinyproxy --shell /bin/false tinyproxy
     }
     usermod -p '' root
-    usermod -L user
-    exit 0
+    usermod -L -a --groups qubes,sudo user
+
+    # --------------------------------------------------------------------------
+    # Remove `mesg` from root/.profile?
+    # --------------------------------------------------------------------------
+    sed -i -e '/^mesg n/d' /root/.profile
 fi
 
 if [ "$1" = "upgrade" ] ; then
-    exit 0
+    true 
 fi
 
 # dh_installdeb will replace this with shell code automatically

debian/rules

@@ -4,6 +4,7 @@
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
 
+include /usr/share/dpkg/default.mk
 export DESTDIR=$(shell pwd)/debian/qubes-core-agent
 
 %:

debian/source/format

@@ -1 +1 @@
-3.0 (native)
+3.0 (quilt)

misc/udev-qubes-misc.rules

@@ -1,2 +1 @@
 SUBSYSTEM=="memory", ACTION=="add", ATTR{state}=="offline", ATTR{state}="online"
-KERNEL=="xen/evtchn", MODE="0666"

patches.debian/qrexec_disable_all_warnings_as_errors.patch

@@ -0,0 +1,19 @@
+qrexec: Disable all warnings being treated as errors
+
+gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -I. -g -Wall -Wextra -Werror -pie -fPIC `pkg-config --cflags vchan-xen` -D_FORTIFY_SOURCE=2  -c -o qrexec-agent-data.o qrexec-agent-data.c
+qrexec-agent-data.c: In function 'handle_remote_data':
+qrexec-agent-data.c:217:17: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing]
+                 status = *(unsigned int *)buf;
+                 ^
+cc1: all warnings being treated as errors
+<builtin>: recipe for target 'qrexec-agent-data.o' failed
+
+--- a/qrexec/Makefile
++++ b/qrexec/Makefile
+@@ -1,5 +1,5 @@
+ CC=gcc
+-CFLAGS+=-I. -g -Wall -Wextra -Werror -pie -fPIC `pkg-config --cflags vchan-$(BACKEND_VMM)`
++CFLAGS+=-I. -g -Wall -Wextra -pie -fPIC `pkg-config --cflags vchan-$(BACKEND_VMM)`
+ LIBS=`pkg-config --libs vchan-$(BACKEND_VMM)` -lqrexec-utils
+ 
+ all: qrexec-agent qrexec-client-vm

rpm_spec/core-vm.spec

@@ -111,6 +111,12 @@ for dir in qubes-rpc qrexec misc; do
 done
 
 %pre
+# Make sure there is a qubes group
+groupadd --force --system --gid 98 qubes
+id -u 'user' >/dev/null 2>&1 || {
+  useradd --user-group --create-home --shell /bin/bash user
+}
+usermod -a --groups qubes user
 
 if [ "$1" !=  1 ] ; then
 # do this whole %pre thing only when updating for the first time...
@@ -122,7 +128,6 @@ if [ -e /etc/fstab ] ; then
 mv /etc/fstab /var/lib/qubes/fstab.orig
 fi
 
-adduser --create-home user
 usermod -p '' root
 usermod -L user
 

series-debian-vm.conf

@@ -0,0 +1 @@
+patches.debian/qrexec_disable_all_warnings_as_errors.patch

vm-systemd/qubes-sysinit.sh

@@ -34,6 +34,10 @@ mkdir -p /var/run/xen-hotplug
 # Set permissions to /proc/xen/xenbus, so normal user can use qubesdb-read
 chmod 666 /proc/xen/xenbus
 
+# Set permissions to /proc/xen/privcmd, so a user in qubes group can access
+chmod 660 /proc/xen/privcmd
+chgrp qubes /proc/xen/privcmd
+
 [ -e /proc/u2mfn ] || modprobe u2mfn
 # Set permissions to files needed to listen at vchan
 chmod 666 /proc/u2mfn