diff --git a/network/filter-qubes-yum b/network/filter-qubes-yum
new file mode 100644
index 0000000..b244f3c
--- /dev/null
+++ b/network/filter-qubes-yum
@@ -0,0 +1,6 @@
+.*/repodata/[A-Za-z0-9-]*\(primary\|filelist\|comps\(-[a-z0-9]*\)\?\|other\|prestodelta\)\.\(sqlite\|xml\)\(\.bz2\|\.gz\)\?$
+.*/repodata/repomd\.xml$
+.*\.rpm$
+.*\.drpm$
+mirrors.fedoraproject.org:443
+^http://mirrors\..*/mirrorlist
diff --git a/network/iptables b/network/iptables
index 6e6e6d8..5977ff2 100644
--- a/network/iptables
+++ b/network/iptables
@@ -4,7 +4,9 @@
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 :PR-QBS - [0:0]
+:PR-QBS-SERVICES - [0:0]
 -A PREROUTING -j PR-QBS
+-A PREROUTING -j PR-QBS-SERVICES
 -A POSTROUTING -o vif+ -j ACCEPT
 -A POSTROUTING -o lo -j ACCEPT
 -A POSTROUTING -j MASQUERADE
diff --git a/network/tinyproxy-qubes-yum.conf b/network/tinyproxy-qubes-yum.conf
new file mode 100644
index 0000000..43b5082
--- /dev/null
+++ b/network/tinyproxy-qubes-yum.conf
@@ -0,0 +1,30 @@
+User tinyproxy
+Group tinyproxy
+Port 8082
+Timeout 60
+DefaultErrorFile "/usr/share/tinyproxy/default.html"
+
+#StatHost "tinyproxy.stats"
+StatFile "/usr/share/tinyproxy/stats.html"
+Syslog On
+LogLevel Notice
+PidFile "/var/run/tinyproxy/tinyproxy-qubes-yum.pid"
+
+MaxClients 50
+MinSpareServers 2
+MaxSpareServers 10
+StartServers 2
+MaxRequestsPerChild 0
+ViaProxyName "tinyproxy"
+
+Allow 127.0.0.1
+Allow 10.137.0.0/16
+
+
+Filter "/etc/tinyproxy/filter-qubes-yum"
+FilterURLs On
+#FilterExtended On
+#FilterCaseSensitive On
+FilterDefaultDeny Yes
+ConnectPort 443
+
diff --git a/network/vif-route-qubes b/network/vif-route-qubes
index c807017..6809028 100755
--- a/network/vif-route-qubes
+++ b/network/vif-route-qubes
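Review bot: `mirrors.fedoraproject.org:443` is neither anchored nor dot-escaped, so under `FilterURLs On` it also allows any CONNECT target whose `host:port` string merely contains that text, and `^http://mirrors\..*/mirrorlist` allows any host whose name starts with `mirrors.` because `.*` also matches `/`. Since `FilterDefaultDeny Yes` makes this file the entire allow policy, tighten the host entry to `^mirrors\.fedoraproject\.org:443$` and, if only Fedora's mirrorlist is meant, spell out that host in the last entry too. A leading `#` comment stating that the `.rpm`/`.drpm` entries are deliberately host-agnostic would help the next reader — tinyproxy filter files accept `#` comment lines, as far as I know.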
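Review bot: `Allow 127.0.0.1`/`Allow 10.137.0.0/16` are the only client access control in this file and there is no `Listen` directive, so tinyproxy binds port 8082 on every interface and depends on the `-i vif+ … -j ACCEPT` INPUT rule added by the init script and the systemd unit to keep the external interface out. Record that coupling next to the Allow lines, e.g. `# Second layer only: the qubes-yum-proxy service restricts INPUT on 8082 to vif+ interfaces`, so a later edit to either side does not silently widen exposure.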
@@ -53,8 +53,9 @@ if [ "${ip}" ] ; then
 for addr in ${ip} ; do
 ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
 done
- echo ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
- ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
+ ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
+ back_ip=${ip%.*}.1
+ ${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif}
 fi
 log debug "Successful vif-route-qubes $command for $vif."
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index 0b9d5ff..06004ea 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -37,6 +37,7 @@ Requires: yum-plugin-post-transaction-actions
 Requires: NetworkManager >= 0.8.1-1
 Requires: /usr/bin/mimeopen
 Requires: /sbin/ethtool
+Requires: tinyproxy
 Provides: qubes-core-vm
 Obsoletes: qubes-core-commonvm
 Obsoletes: qubes-core-appvm
@@ -80,7 +81,7 @@ su user -c 'touch /home/user/.gnome2/nautilus-scripts/.scripts_created2'
 %install
-install -D misc/fstab $RPM_BUILD_ROOT/etc/fstab
+install -m 0644 -D misc/fstab $RPM_BUILD_ROOT/etc/fstab
 install -d $RPM_BUILD_ROOT/etc/init.d
 install vm-init.d/* $RPM_BUILD_ROOT/etc/init.d/
@@ -116,7 +117,7 @@ mkdir -p $RPM_BUILD_ROOT/usr/lib/qubes
 install -D misc/qubes_core.modules $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes_core.modules
-install network/qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules
+install -m 0644 network/qubes_network.rules $RPM_BUILD_ROOT/etc/udev/rules.d/99-qubes_network.rules
 install network/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/lib/qubes
 install network/qubes_fix_nm_conf.sh $RPM_BUILD_ROOT/usr/lib/qubes
 install network/setup_ip $RPM_BUILD_ROOT/usr/lib/qubes/
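Review bot: `back_ip=${ip%.*}.1` assumes `ip` holds exactly one dotted-quad, but the loop `for addr in ${ip}` three lines above treats it as a whitespace-separated list; with two addresses the expansion strips the last octet of the last one only and hands `ip addr` an invalid argument (the retained `\! -s ${ip}` rule carries the same single-address assumption). Either derive it from the first word, `back_ip=${ip%% *}` followed by `back_ip=${back_ip%.*}.1`, or state the single-address contract in a comment above the `if`, e.g. `# ip is expected to hold exactly one address here`. The enclosing `if [ "${ip}" ]` block begins outside the hunk.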
@@ -126,7 +127,12 @@ ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes
 install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes
-install -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
+install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
+install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf
+install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum
+
+install -d $RPM_BUILD_ROOT/etc/yum.conf.d
+touch $RPM_BUILD_ROOT/etc/yum.conf.d/qubes-proxy.conf
 install -d $RPM_BUILD_ROOT/usr/sbin
 install network/qubes_firewall $RPM_BUILD_ROOT/usr/sbin/
@@ -233,6 +239,12 @@ fi
 # Remove ip_forward setting from sysctl, so NM will not reset it
 sed 's/^net.ipv4.ip_forward.*/#\0/' -i /etc/sysctl.conf
+if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'; then
+ echo >> /etc/yum.conf
+ echo '# Yum does not support inclusion of config dir...' >> /etc/yum.conf
+ echo 'include=file:///etc/yum.conf.d/qubes-proxy.conf' >> /etc/yum.conf
+fi
+
 # Prevent unnecessary updates in VMs:
 sed -i -e '/^exclude = kernel/d' /etc/yum.conf
 echo 'exclude = kernel, xorg-x11-drv-*, xorg-x11-drivers, xorg-x11-server-*' >> /etc/yum.conf
@@ -334,10 +346,13 @@ rm -rf $RPM_BUILD_ROOT
 /etc/sudoers.d/qubes
 /etc/sysconfig/iptables
 /etc/sysconfig/modules/qubes_core.modules
+/etc/tinyproxy/filter-qubes-yum
+/etc/tinyproxy/tinyproxy-qubes-yum.conf
 /etc/udev/rules.d/50-qubes_memory.rules
 /etc/udev/rules.d/99-qubes_block.rules
 /etc/udev/rules.d/99-qubes_network.rules
 /etc/xen/scripts/vif-route-qubes
+/etc/yum.conf.d/qubes-proxy.conf
 /etc/yum.repos.d/qubes.repo
 /etc/yum/post-actions/qubes_trigger_sync_appmenus.action
 /lib/firmware/updates
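Review bot: `touch $RPM_BUILD_ROOT/etc/yum.conf.d/qubes-proxy.conf` packages an empty file that `%files` (hunk `@@ -334,10 +346,13 @@`) lists as an ordinary file, yet `vm-init.d/qubes_core` and `vm-systemd/misc-post.sh` rewrite it at every boot, so `rpm -V` will report it modified and a package upgrade silently blanks the proxy setting until the next boot. List it as `%ghost /etc/yum.conf.d/qubes-proxy.conf` (or at least `%config(noreplace)`), and add `%dir /etc/yum.conf.d` so the directory created by `install -d` is owned by the package instead of being left behind on removal.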
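Review bot: `grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf'` has no file operand, so it searches the scriptlet's stdin rather than `/etc/yum.conf`; the guard therefore never sees an existing include (or waits for input, depending on what rpm attaches to stdin) and the three `echo >>` lines are appended again on every upgrade. The fix is `if ! grep -q '/etc/yum\.conf\.d/qubes-proxy\.conf' /etc/yum.conf; then`. Like the existing `echo 'exclude = …' >> /etc/yum.conf` below it, the appended `include=` line assumes the last section of `/etc/yum.conf` is `[main]`; a comment saying so would make that assumption visible.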
@@ -422,6 +437,7 @@ The Qubes core startup configuration for SysV init (or upstart).
 /etc/init.d/qubes_core_netvm
 /etc/init.d/qubes-firewall
 /etc/init.d/qubes-netwatcher
+/etc/init.d/qubes-yum-proxy
 %post sysvinit
@@ -454,6 +470,8 @@ chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!"
 chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!"
 chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!"
 chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!"
+chkconfig --add qubes-yum-proxy || echo "WARNING: Cannot add service qubes-yum-proxy!"
+chkconfig qubes-yum-proxy on || echo "WARNING: Cannot enable service qubes-yum-proxy!"
 # TODO: make this not display the silly message about security context...
 sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab
@@ -466,6 +484,7 @@ if [ "$1" = 0 ] ; then
 chkconfig qubes_core_appvm off
 chkconfig qubes-firewall off
 chkconfig qubes-netwatcher off
+ chkconfig qubes-yum-proxy off
 fi
 %package systemd
@@ -495,6 +514,7 @@ The Qubes core startup configuration for SystemD init.
 /lib/systemd/system/qubes-sysinit.service
 /lib/systemd/system/qubes-update-check.service
 /lib/systemd/system/qubes-update-check.timer
+/lib/systemd/system/qubes-yum-proxy.service
 %dir /usr/lib/qubes/init
 /usr/lib/qubes/init/prepare-dvm.sh
 /usr/lib/qubes/init/network-proxy-setup.sh
@@ -509,7 +529,7 @@ The Qubes core startup configuration for SystemD init.
 %post systemd
-for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall; do
+for srv in qubes-dvm qubes-meminfo-writer qubes-qrexec-agent qubes-sysinit qubes-misc-post qubes-netwatcher qubes-network qubes-firewall qubes-yum-proxy; do
 /bin/systemctl enable $srv.service 2> /dev/null
 done
diff --git a/vm-init.d/qubes-yum-proxy b/vm-init.d/qubes-yum-proxy
new file mode 100755
index 0000000..52f329b
--- /dev/null
+++ b/vm-init.d/qubes-yum-proxy 
@@ -0,0 +1,121 @@
+#!/bin/sh
+#
+# tinyproxy Startup script for the tinyproxy server as Qubes yum proxy
+#
+# chkconfig: - 85 15
+# description: small, efficient HTTP/SSL proxy daemon
+#
+# processname: tinyproxy
+# config: /etc/tinyproxy/tinyproxy-qubes-yum.conf
+# config: /etc/sysconfig/tinyproxy-qubes-yum
+# pidfile: /var/run/tinyproxy/tinyproxy-qubes-yum.pid
+#
+# Note: pidfile is created by tinyproxy in its config
+# see PidFile in the configuration file.
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Source networking configuration.
+. /etc/sysconfig/network
+
+# Check that networking is up.
+[ "$NETWORKING" = "no" ] && exit 0
+
+exec="/usr/sbin/tinyproxy"
+prog=$(basename $exec)
+config="/etc/tinyproxy/tinyproxy-qubes-yum.conf"
+pidfile="/var/run/tinyproxy/tinyproxy-qubes-yum.pid"
+
+[ -e /etc/sysconfig/tinyproxy-qubes-yum ] && . /etc/sysconfig/tinyproxy-qubes-yum
+
+lockfile=/var/lock/subsys/tinyproxy-qubes-yum
+
+start() {
+ type=`/usr/bin/xenstore-read qubes_vm_type`
+ start_yum_proxy=`/usr/bin/xenstore-read qubes-service/qubes-yum-proxy 2>/dev/null`
+ if [ -z "$start_yum_proxy" ] && [ "$type" != "NetVM" ] || [ "$start_yum_proxy" != "1" ]; then
+ # Yum proxy disabled
+ exit 0
+ fi
+
+ [ -x $exec ] || exit 5
+ [ -f $config ] || exit 6
+ # setup network redirection
+ /sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+ /sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+
+ echo -n $"Starting $prog (as Qubes yum proxy): "
+ daemon $exec -c $config
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && touch $lockfile
+ return $retval
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ killproc -p $pidfile $prog
+ retval=$?
+ echo
+ /sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+ /sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+ [ $retval -eq 0 ] && rm -f $lockfile
+ return $retval
+}
+
+restart() {
+ stop
+ start
+}
+
+reload() {
+ echo -n $"Reloading $prog: "
+ killproc -p $pidfile $prog -HUP
+ echo
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ status $prog
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ $1
+ ;;
+ stop)
+ rh_status_q || exit 0
+ $1
+ ;;
+ restart)
+ $1
+ ;;
+ reload)
+ rh_status_q || exit 7
+ $1
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ status)
+ rh_status
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
+esac
+exit $?
+
diff --git a/vm-init.d/qubes_core b/vm-init.d/qubes_core
index 7193d38..de194f8 100755
--- a/vm-init.d/qubes_core
+++ b/vm-init.d/qubes_core
@@ -36,6 +36,13 @@ start()
 echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
 fi
+ yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null)
+ if [ "$yum_proxy_setup" != "0" ]; then
+ echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
+ else
+ echo > /etc/yum.conf.d/qubes-proxy.conf
+ fi
+
 # Set IP address again (besides action in udev rules); this is needed by
 # DispVM (to override DispVM-template IP) and in case when qubes_ip was
 # called by udev before loading evtchn kernel module - in which case
diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh
index 9ebdf2e..dbefd43 100755
--- a/vm-systemd/misc-post.sh
+++ b/vm-systemd/misc-post.sh
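Review bot: The enable test in `start()` parses as `(A && B) || C`, so on a NetVM with no `qubes-service/qubes-yum-proxy` entry (`start_yum_proxy` empty) the first leg is false, the fallback `[ "" != "1" ]` is true, the function runs `exit 0`, and the proxy never starts in the very default case the `# Yum proxy disabled` branch is meant to exclude (the systemd side lists `qubes-yum-proxy` in `DEFAULT_ENABLED_NETVM`). Group the legs explicitly: `if { [ -z "$start_yum_proxy" ] && [ "$type" != "NetVM" ]; } || { [ -n "$start_yum_proxy" ] && [ "$start_yum_proxy" != "1" ]; }; then`. The two iptables rules are added before `daemon` and stay in place when it fails, so add them only once `retval` is 0 or remove them on failure. Unlike the systemd unit, nothing here creates `/var/run/tinyproxy`, so if no other unit or tmpfiles entry provides it the `PidFile` named in the config cannot be written by the `tinyproxy` user and `killproc -p $pidfile` in `stop()` has nothing to read.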
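Review bot: The default disagrees with the systemd path: here the proxy line is written unless `qubes-service/yum-proxy-setup` reads exactly `0`, so an absent entry (the `2> /dev/null` case) turns it on, whereas `vm-systemd/misc-post.sh` (hunk `@@ -1,5 +1,11 @@`) writes it only when `/var/run/qubes-service/yum-proxy-setup` exists — presumably created by `qubes-sysinit.sh` from the xenstore entry or its `DEFAULT_ENABLED_*` lists, none of which this commit extends with `yum-proxy-setup` — so the same VM is proxied under SysV and not under systemd. Pick one default and state it in a comment at both sites, e.g. `# yum goes through the NetVM proxy unless qubes-service/yum-proxy-setup is explicitly 0`, and if on-unless-disabled is the intent add `yum-proxy-setup` to the systemd default lists. The address `http://10.137.255.254:8082/` is repeated here, in misc-post.sh, and in the REDIRECT rules of the init script and unit; a comment naming the other sites keeps them in step. `start()` begins outside the hunk.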
@@ -1,5 +1,11 @@
 #!/bin/sh
+if [ -f /var/run/qubes-service/yum-proxy-setup ]; then
+ echo proxy=http://10.137.255.254:8082/ > /etc/yum.conf.d/qubes-proxy.conf
+else
+ echo > /etc/yum.conf.d/qubes-proxy.conf
+fi
+
 # Set IP address again (besides action in udev rules); this is needed by
 # DispVM (to override DispVM-template IP) and in case when qubes_ip was
 # called by udev before loading evtchn kernel module - in which case
diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh
index 02e2a9a..0c8e9d0 100755
--- a/vm-systemd/qubes-sysinit.sh
+++ b/vm-systemd/qubes-sysinit.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # List of services enabled by default (in case of absence of xenstore entry)
-DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check"
+DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-yum-proxy"
 DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check"
 DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check"
 DEFAULT_ENABLED_TEMPLATEVM=$DEFAULT_ENABLED_APPVM
@@ -61,3 +61,11 @@ if [ -n "$timezone" ]; then
 echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
 echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
 fi
+
+# Prepare environment for other services
+echo > /var/run/qubes-service-environment
+
+debug_mode=`$XS_READ qubes-debug-mode 2> /dev/null`
+if [ -n "$debug_mode" -a "$debug_mode" -gt 0 ]; then
+ echo "GUI_OPTS=-vv" >> /var/run/qubes-service-environment
+fi
diff --git a/vm-systemd/qubes-update-check.service b/vm-systemd/qubes-update-check.service
index 5566eda..6ac37e3 100644
--- a/vm-systemd/qubes-update-check.service
+++ b/vm-systemd/qubes-update-check.service
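Review bot: `[ -n "$debug_mode" -a "$debug_mode" -gt 0 ]` evaluates both operands even when the first is false, so an absent entry (empty string) or a non-numeric value makes `test` print `integer expression expected` on every boot, and `-a` is marked obsolescent by POSIX. Write it as `if [ -n "$debug_mode" ] && [ "$debug_mode" -gt 0 ]; then`. `/var/run/qubes-service-environment` is created by `echo >` with the script's umask and starts with an empty line; a comment naming the units that read it (presumably via `EnvironmentFile=`) would make the contract visible. `$XS_READ` is defined outside the hunk.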
@@ -4,4 +4,4 @@ ConditionPathExists=/var/run/qubes-service/qubes-update-check
 [Service]
 Type=oneshot
-ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update|wc -l'
+ExecStart=/usr/lib/qubes/qrexec_client_vm dom0 qubes.NotifyUpdates /bin/sh -c 'yum -q check-update >/dev/null; [ $? -eq 100 ] && echo 1 || echo 0'
diff --git a/vm-systemd/qubes-yum-proxy.service b/vm-systemd/qubes-yum-proxy.service
new file mode 100644
index 0000000..b03c34d
--- /dev/null
+++ b/vm-systemd/qubes-yum-proxy.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Qubes yum proxy (tinyproxy)
+ConditionPathExists=/var/run/qubes-service/qubes-yum-proxy
+After=iptables.service
+
+[Service]
+ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy
+ExecStartPre=/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+ExecStartPre=/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf
+ExecStopPost=/sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+ExecStopPost=/sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+
+[Install]
+WantedBy=multi-user.target
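Review bot: `yum -q check-update` exits 100 when updates are available, 0 when none and 1 on error, so the new `[ $? -eq 100 ] && echo 1 || echo 0` reports a failed check (no network, broken repo) as `0`, i.e. "nothing to update", which is the wrong quiet default for an update notifier — though still better than the removed `wc -l` pipe, which counted error output as updates. If `qubes.NotifyUpdates` tolerates a non-zero exit, `case $? in 100) echo 1;; 0) echo 0;; *) exit 1;; esac` inside the `sh -c` string lets dom0 tell the cases apart; the receiving side is outside this hunk.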
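Review bot: `After=iptables.service` only orders startup; it is not a dependency, so a later restart of iptables.service reloads `/etc/sysconfig/iptables` and drops the INPUT ACCEPT and REDIRECT rules added by the two `ExecStartPre=` lines while tinyproxy keeps running, and clients then reach neither the redirect nor the port. Add `PartOf=iptables.service` (plus `Requires=` if the proxy must not run without the firewall) so the unit is restarted together with it, or make the insertion self-checking, e.g. `ExecStartPre=/bin/sh -c '/sbin/iptables -C INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT || /sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT'`. Moving both rules into `network/iptables`, which this commit already edits to add `PR-QBS-SERVICES`, would also survive reloads, at the cost of keeping the ACCEPT rule present when the proxy is not enabled.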