diff --git a/Makefile b/Makefile index 4068121..daa8a1b 100644 --- a/Makefile +++ b/Makefile @@ -73,7 +73,6 @@ install-sysvinit: install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules - install-rh: install-systemd install-sysvinit install -D -m 0644 misc/qubes-r3.repo $(DESTDIR)/etc/yum.repos.d/qubes-r3.repo install -d $(DESTDIR)/usr/share/glib-2.0/schemas/ @@ -86,7 +85,6 @@ install-rh: install-systemd install-sysvinit install -m 644 misc/RPM-GPG-KEY-qubes* $(DESTDIR)/etc/pki/rpm-gpg/ install -D -m 644 misc/session-stop-timeout.conf $(DESTDIR)$(LIBDIR)/systemd/system/user@.service.d/90-session-stop-timeout.conf - install -d $(DESTDIR)/etc/yum.conf.d touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf diff --git a/Makefile.builder b/Makefile.builder index e21f02c..fea5262 100644 --- a/Makefile.builder +++ b/Makefile.builder @@ -1,7 +1,20 @@ ifeq ($(PACKAGE_SET),vm) -RPM_SPEC_FILES := rpm_spec/core-vm.spec \ - rpm_spec/core-vm-doc.spec \ - rpm_spec/core-vm-kernel-placeholder.spec -ARCH_BUILD_DIRS := archlinux -DEBIAN_BUILD_DIRS := debian + RPM_SPEC_FILES := rpm_spec/core-vm.spec \ + rpm_spec/core-vm-doc.spec \ + rpm_spec/core-vm-kernel-placeholder.spec + + ifneq ($(filter $(DISTRIBUTION), debian qubuntu),) + DEBIAN_BUILD_DIRS := debian + SOURCE_COPY_IN := source-debian-quilt-copy-in + endif + + ARCH_BUILD_DIRS := archlinux endif + +source-debian-quilt-copy-in: VERSION = $(shell cat $(ORIG_SRC)/version) +source-debian-quilt-copy-in: ORIG_FILE = "$(CHROOT_DIR)/$(DIST_SRC)/../qubes-core-agent_$(VERSION).orig.tar.gz" +source-debian-quilt-copy-in: + -$(shell $(ORIG_SRC)/debian-quilt $(ORIG_SRC)/series-debian-vm.conf $(CHROOT_DIR)/$(DIST_SRC)/debian/patches) + tar cvfz $(ORIG_FILE) --exclude-vcs --exclude=debian -C $(CHROOT_DIR)/$(DIST_SRC) . + +# vim: filetype=make 
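Review bot: In the `source-debian-quilt-copy-in` recipe of Makefile.builder, `-$(shell $(ORIG_SRC)/debian-quilt ...)` makes a failure of the script invisible to the build. `$(shell)` runs it while make expands the recipe and discards its exit status, and the leading `-` ignores whatever remains, so the `set -e` inside debian-quilt cannot stop the `tar` step that follows. A failed patch copy therefore still yields an orig tarball and a `debian/patches` directory that do not match the series file. Run it as an ordinary recipe command with no prefix: `$(ORIG_SRC)/debian-quilt $(ORIG_SRC)/series-debian-vm.conf $(CHROOT_DIR)/$(DIST_SRC)/debian/patches`. The target should also be listed in `.PHONY`, and the literal quotes in `ORIG_FILE` would be better placed at the point of use, as `"$(ORIG_FILE)"`.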
diff --git a/archlinux/PKGBUILD.install b/archlinux/PKGBUILD.install index 40be6fa..dc95332 100644 --- a/archlinux/PKGBUILD.install +++ b/archlinux/PKGBUILD.install @@ -209,9 +209,13 @@ pre_install() { # Add qubes core related fstab entries echo "xen /proc/xen xenfs defaults 0 0" >> /etc/fstab + # Add a qubes group + groupadd --force --system --gid 98 qubes + # Archlinux bash version has a 'bug' when running su -c, /etc/profile is not loaded because bash consider there is no interactive pty when running 'su - user -c' or something like this. # See https://bugs.archlinux.org/task/31831 useradd --shell /bin/zsh --create-home user + usermod -a --groups qubes user } ## arg 1: the new package version diff --git a/debian-quilt b/debian-quilt new file mode 100755 index 0000000..140ffd9 --- /dev/null +++ b/debian-quilt @@ -0,0 +1,31 @@ +#!/bin/bash +# vim: set ts=4 sw=4 sts=4 et : +# +# Given a series.conf file and debian patches directory, patches +# are copied to debian patch directory + +USAGE="${0} " + +set -e +set -o pipefail + +DIR="${0%/*}" +SERIES_CONF="${1}" +PATCH_DIR="${2}" + +if test $# -lt 2 || [ ! -e "${SERIES_CONF}" ] || [ ! -d "${PATCH_DIR}" ] ; then + echo "${USAGE}" >&2 + exit 1 +fi + +# Clear patch series.conf file +rm -f "${PATCH_DIR}/series" +touch "${PATCH_DIR}/series" + +while read patch_file +do + if [ -e "${DIR}/${patch_file}" ]; then + echo -e "${patch_file##*/}" >> "${PATCH_DIR}/series" + cp "${DIR}/${patch_file}" "${PATCH_DIR}" + fi +done < "${SERIES_CONF}" diff --git a/debian/changelog b/debian/changelog index 5a211fc..90cf085 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -qubes-core-agent (3.0.0) jessie; urgency=medium +qubes-core-agent (3.0.0-1) jessie; urgency=medium [ Marek Marczykowski-Górecki ] * Improve handling of .desktop files diff --git a/debian/control b/debian/control index 6793733..81b477d 100644 --- a/debian/control +++ b/debian/control 
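Review bot: `groupadd --force --system --gid 98 qubes` in `pre_install()` guarantees neither GID 98 nor a freshly created group. With `--force`, an already existing `qubes` group is accepted as is, including whatever members it has, and a GID 98 that is already taken is silently replaced by another free one. Since this commit makes membership of `qubes` the gate for `/proc/xen/privcmd`, check the result after the call, for example `[ "$(getent group qubes | cut -d: -f3)" = 98 ] || echo "qubes group exists with unexpected gid" >&2`. The same `groupadd` line appears in the debian/qubes-core-agent.preinst hunk and in the `%pre` hunk of rpm_spec/core-vm.spec.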
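Review bot: In debian-quilt, a patch that is listed in the series file but missing under `${DIR}` is skipped without a message, because `if [ -e "${DIR}/${patch_file}" ]` has no else branch. The package then builds without that patch and the log gives no hint. Make it fatal with `else echo "debian-quilt: missing patch ${patch_file}" >&2; exit 1`. Reading entries with `while IFS= read -r patch_file` and writing them with `printf '%s\n' "${patch_file##*/}"` instead of `echo -e` keeps backslashes and whitespace in an entry literal. Entries are joined to `${DIR}` unchecked, so a comment stating that the series file is trusted, repository-controlled input would document why no path validation is done.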
@@ -3,7 +3,7 @@ Section: admin Priority: extra Maintainer: Davíð Steinn Geirsson Build-Depends: qubes-utils (>= 2.0.17), libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5) -Standards-Version: 3.9.3 +Standards-Version: 3.9.5 Homepage: http://www.qubes-os.org Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git diff --git a/debian/patches/.gitignore b/debian/patches/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/debian/qubes-core-agent.dirs b/debian/qubes-core-agent.dirs new file mode 100644 index 0000000..fa73b65 --- /dev/null +++ b/debian/qubes-core-agent.dirs @@ -0,0 +1,2 @@ +var/lib/qubes +lib/modules diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index e82be24..a891ae9 100755 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst @@ -413,7 +413,6 @@ case "${1}" in ;; esac done - exit 0 ;; *) diff --git a/debian/qubes-core-agent.preinst b/debian/qubes-core-agent.preinst index 2779846..edcea6f 100755 --- a/debian/qubes-core-agent.preinst +++ b/debian/qubes-core-agent.preinst 
@@ -35,33 +35,31 @@ set -e if [ "$1" = "install" ] ; then # -------------------------------------------------------------------------- - # Create required directories + # Required groups # -------------------------------------------------------------------------- - mkdir -p /var/lib/qubes - mkdir -p /lib/modules - #mkdir -p -m 0700 /var/log/xen # xen-utils-common should do this - - # -------------------------------------------------------------------------- - # Remove `mesg` from root/.profile? - # -------------------------------------------------------------------------- - sed -i -e '/^mesg n/d' /root/.profile + groupadd --force --system --gid 98 qubes + groupadd --force --system sudo # -------------------------------------------------------------------------- # User add / modifications # -------------------------------------------------------------------------- id -u 'user' >/dev/null 2>&1 || { - useradd -U -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user + useradd --user-group --create-home --shell /bin/bash user } id -u 'tinyproxy' >/dev/null 2>&1 || { - useradd -U -r -M --home /run/tinyproxy --shell /bin/false tinyproxy + useradd --user-group --system -M --home /run/tinyproxy --shell /bin/false tinyproxy } usermod -p '' root - usermod -L user - exit 0 + usermod -L -a --groups qubes,sudo user + + # -------------------------------------------------------------------------- + # Remove `mesg` from root/.profile? + # -------------------------------------------------------------------------- + sed -i -e '/^mesg n/d' /root/.profile fi if [ "$1" = "upgrade" ] ; then - exit 0 + true fi # dh_installdeb will replace this with shell code automatically diff --git a/debian/rules b/debian/rules index ff4db5c..7ed1434 100755 --- a/debian/rules +++ b/debian/rules @@ -4,6 +4,7 @@ # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 +include /usr/share/dpkg/default.mk export DESTDIR=$(shell pwd)/debian/qubes-core-agent %: 
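Review bot: In debian/qubes-core-agent.preinst, the `qubes` group and the `usermod -L -a --groups qubes,sudo user` membership are set up only inside `if [ "$1" = "install" ]`, while the `upgrade` branch is reduced to `true`. A system upgraded from an earlier package would therefore not get the group from this script, unless the postinst, which is only partly visible here, handles it. The qubes-sysinit.sh hunk in this commit runs `chmod 660 /proc/xen/privcmd` and then `chgrp qubes /proc/xen/privcmd`, which on such a system would leave privcmd reachable by root only. Adding `groupadd --force --system --gid 98 qubes` and `usermod -a --groups qubes user` to the upgrade branch would match the rpm `%pre` hunk, which runs them before its first-install check. Separately, the new `useradd` line no longer passes `dialout,cdrom,floppy,audio,dip,video,plugdev`; if dropping those groups is intended, the commit message should say so.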
diff --git a/debian/source/format b/debian/source/format index 89ae9db..163aaf8 100644 --- a/debian/source/format +++ b/debian/source/format @@ -1 +1 @@ -3.0 (native) +3.0 (quilt) diff --git a/misc/udev-qubes-misc.rules b/misc/udev-qubes-misc.rules index cf69b73..9a0c95a 100644 --- a/misc/udev-qubes-misc.rules +++ b/misc/udev-qubes-misc.rules @@ -1,2 +1 @@ SUBSYSTEM=="memory", ACTION=="add", ATTR{state}=="offline", ATTR{state}="online" -KERNEL=="xen/evtchn", MODE="0666" diff --git a/patches.debian/qrexec_disable_all_warnings_as_errors.patch b/patches.debian/qrexec_disable_all_warnings_as_errors.patch new file mode 100644 index 0000000..f339717 --- /dev/null +++ b/patches.debian/qrexec_disable_all_warnings_as_errors.patch @@ -0,0 +1,19 @@ +qrexec: Disable all warnings being treated as errors + +gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -I. -g -Wall -Wextra -Werror -pie -fPIC `pkg-config --cflags vchan-xen` -D_FORTIFY_SOURCE=2 -c -o qrexec-agent-data.o qrexec-agent-data.c +qrexec-agent-data.c: In function 'handle_remote_data': +qrexec-agent-data.c:217:17: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing] + status = *(unsigned int *)buf; + ^ +cc1: all warnings being treated as errors +: recipe for target 'qrexec-agent-data.o' failed + +--- a/qrexec/Makefile ++++ b/qrexec/Makefile +@@ -1,5 +1,5 @@ + CC=gcc +-CFLAGS+=-I. -g -Wall -Wextra -Werror -pie -fPIC `pkg-config --cflags vchan-$(BACKEND_VMM)` ++CFLAGS+=-I. -g -Wall -Wextra -pie -fPIC `pkg-config --cflags vchan-$(BACKEND_VMM)` + LIBS=`pkg-config --libs vchan-$(BACKEND_VMM)` -lqrexec-utils + + all: qrexec-agent qrexec-client-vm diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index a9484cf..babd75e 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec 
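Review bot: The new patch removes `-Werror` from `CFLAGS` in qrexec/Makefile altogether, which hides more than the one diagnostic quoted in its header. Every future `-Wall -Wextra` warning in qrexec becomes non-fatal on Debian builds only, in code that, judging by the function name `handle_remote_data`, processes input from a peer. If the aim is just to get past the strict-aliasing report, keep `-Werror` and append `-Wno-error=strict-aliasing`. The better fix is in the source, replacing the cast `status = *(unsigned int *)buf;` with `memcpy(&status, buf, sizeof(status));`. qrexec-agent-data.c is not part of this diff, so that replacement is inferred from the quoted compiler output alone.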
@@ -111,6 +111,12 @@ for dir in qubes-rpc qrexec misc; do done %pre +# Make sure there is a qubes group +groupadd --force --system --gid 98 qubes +id -u 'user' >/dev/null 2>&1 || { + useradd --user-group --create-home --shell /bin/bash user +} +usermod -a --groups qubes user if [ "$1" != 1 ] ; then # do this whole %pre thing only when updating for the first time... @@ -122,7 +128,6 @@ if [ -e /etc/fstab ] ; then mv /etc/fstab /var/lib/qubes/fstab.orig fi -adduser --create-home user usermod -p '' root usermod -L user diff --git a/series-debian-vm.conf b/series-debian-vm.conf new file mode 100644 index 0000000..66bb7a9 --- /dev/null +++ b/series-debian-vm.conf @@ -0,0 +1 @@ +patches.debian/qrexec_disable_all_warnings_as_errors.patch diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 83f0034..d04af9c 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -34,6 +34,10 @@ mkdir -p /var/run/xen-hotplug # Set permissions to /proc/xen/xenbus, so normal user can use qubesdb-read chmod 666 /proc/xen/xenbus +# Set permissions to /proc/xen/privcmd, so a user in qubes group can access +chmod 660 /proc/xen/privcmd +chgrp qubes /proc/xen/privcmd + [ -e /proc/u2mfn ] || modprobe u2mfn # Set permissions to files needed to listen at vchan chmod 666 /proc/u2mfn
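Review bot: In vm-systemd/qubes-sysinit.sh the result of `chgrp qubes /proc/xen/privcmd` is not checked. If the `qubes` group is missing, the node stays `root:root` at mode 660 and the failure only surfaces later as a permission error in whatever needs privcmd. The start of the script is outside this hunk, so whether `set -e` is active cannot be seen here. Log the failure explicitly, for example `chgrp qubes /proc/xen/privcmd || echo "qubes-sysinit: group qubes missing, privcmd left root-only" >&2`. The added comment should also state which agent components need this access, because privcmd is the kernel's hypercall interface and membership of `qubes` now grants it; the unchanged lines around the hunk still set `/proc/xen/xenbus` and `/proc/u2mfn` to 666.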