Commit Graph

2639 Commits

Author SHA1 Message Date
Demi Marie Obenour
0580fe545b
Use netvm_gw_ip instead of netvm_ip
They are usually identical, but this is not guaranteed.
2020-11-22 17:52:54 -05:00
Demi Marie Obenour
9d10ecc08f
Remove commented-out code 2020-11-19 15:19:40 -05:00
Demi Marie Obenour
e4eeb2ee1b
Add NetVM-facing neighbor entry in NAT namespace
Since AppVMs will have their own NetVM-facing neighbor entries, a user
might (correctly) conclude that NetVMs do not need ARP or NDP enabled.
For this to work with NAT namespaces, they need their own neighbor
entries.
2020-11-19 12:16:15 -05:00
Demi Marie Obenour
097342bd08
Optimization: use ip -n over ip netns exec
This saves an exec call.
2020-11-19 12:10:26 -05:00
Demi Marie Obenour
6517cca2a4
NAT network namespaces need neighbor entries
If we are using a NAT network namespace, it needs its own neighbor
entries.  For consistency, give it the same MAC address as the VM it
connects to.
2020-11-19 12:08:23 -05:00
Demi Marie Obenour
791b08c2ec
vif-route-qubes: better input validation
The input is trusted, but this will help debugging if something goes
wrong.
2020-11-13 13:15:24 -05:00
Demi Marie Obenour
9646acb18e
Don’t use onlink flag for nexthop
This is rejected by the kernel.
2020-11-13 12:51:15 -05:00
Demi Marie Obenour
3e7552856f
Fix running under -euo pipefail
Some qubesdb-read commands are expected to fail.  I ultimately did not
wind up including -e, but this version should be ready for it.
2020-11-11 14:07:55 -05:00
Demi Marie Obenour
377add43d1
Don’t hardcode MAC addresses 2020-11-10 22:31:18 -05:00
Demi Marie Obenour
0a322958e4
Add gateway IP+MAC, not VM’s own 2020-11-10 22:09:54 -05:00
Demi Marie Obenour
aa71677cbd
Add permanent neighbor entries
This allows network traffic to flow even if ARP and NDP do not work or
ave explicitly been disabled.
2020-11-10 16:28:53 -05:00
Marek Marczykowski-Górecki
74f5fb5ac7
network: prevent IP spoofing on upstream (eth0) interface
Currently there is just one anti-spoofing firewall rule ensuring packets
coming through vif+ interfaces have the right source address. Add
another rule ensuring that addresses that belongs to VMs behind those
vif+ interface do not appear on other interfaces (specifically eth0, but
also physical ones).

Normally it wouldn't be an issue because of rp_filter (doing the same
based on route table), default DROP in FORWARD chain and also conntrack
(the need to guess exact port numbers and sequence numbers). But it
appears all three mechanisms are ineffective in some cases:
 - rp_filter in many distributions (including Fedora and Debian) was
 switched to Loose Mode, which doesn't verify exact interface
 - there is a rule in FORWARD table allowing established connections and
 conntrack does not keep track of input/output interfaces
 - CVE-2019-14899 allows to guess all the data needed to inject packets

Reported-by: Demi M. Obenour <demiobenour@gmail.com>
2020-11-10 15:47:25 -05:00
Marek Marczykowski-Górecki
68b61c2c6d
network: setup anti-spoofing firewall rules before enabling the interface
Previously enabling the interface was the first action in the setup
steps. Linux theoretically do not forward the traffic until proper
IP address and route is added to the interface (depending on rp_filter
setting). But instead of relying on this opaque behavior better setup
anti-spoofing rules earlier. Also, add 'set -o pipefail' for more
reliable error handling.
Note the rules for actual VM traffic (qvm-firewall) are properly
enforced - until those rules are loaded, traffic from appropriate vif
interface is blocked. But this relies on proper source IP address,
anti-spoofing rules need to be setup race-free.

Reported-by: Demi M. Obenour <demiobenour@gmail.com>
2020-11-10 15:46:22 -05:00
Marek Marczykowski-Górecki
75ffdf6a53
version 4.1.18 2020-10-31 05:39:07 +01:00
Frédéric Pierret (fepitre)
c16fb05d2d
dnf-plugin: restrict to only version provided by plateform-python
Fix multiple indentations
2020-10-30 10:46:56 +01:00
Marek Marczykowski-Górecki
0fd872f717
Merge remote-tracking branch 'origin/pr/254'
* origin/pr/254:
  archlinux: improve pacman proxy implementation
2020-10-29 04:19:02 +01:00
ejose19
e09675c2b9
archlinux: improve pacman proxy implementation 2020-10-29 00:11:06 -03:00
Marek Marczykowski-Górecki
6262580660
Merge remote-tracking branch 'origin/pr/255'
* origin/pr/255:
  Overwrite .rpmdb for debian updatevm

Fixes QubesOS/qubes-issues#6124
Fixes QubesOS/qubes-issues#5282
2020-10-29 01:37:23 +01:00
icequbes1
adf6568670
Overwrite .rpmdb for debian updatevm
Resolves issue where the dom0 rpm database does not get used on
successive calls to qubes-dom0-update for debian updatevms.

Also resolves "cannot remove .rpmdbold.####" occurrences.

qubesos/qubes-issues#6124
2020-10-28 06:21:20 -07:00
Frédéric Pierret (fepitre)
bab3ccb617
archlinux: disable check on unassigned pkgdir var 2020-10-21 08:37:53 +02:00
Frédéric Pierret (fepitre)
e38ec9743f
archlinux: remove uneeded 'rm -rf' after rework of makefiles 2020-10-21 07:35:18 +02:00
Frédéric Pierret (fepitre)
45745e80e6
archlinux: add passwordless-root package 2020-10-19 17:12:42 +02:00
Frédéric Pierret (fepitre)
5d8cd3249a
archlinux: ensure SYSLIBDIR and LIBDIR for app-menu and misc 2020-10-19 16:01:33 +02:00
Frédéric Pierret (fepitre)
d039eeaedc
archlinux: add missing misc content 2020-10-19 15:53:30 +02:00
Frédéric Pierret (fepitre)
168c41e8e3
Fix networking and remove qrexec pam related 2020-10-19 15:47:20 +02:00
Frédéric Pierret (fepitre)
37a4fe3fd3
archlinux: add missing qubes-session-autostart 2020-10-19 14:55:54 +02:00
Frédéric Pierret (fepitre)
ddeddae7b1
Fix root mount as ro 2020-10-19 14:48:11 +02:00
Frédéric Pierret (fepitre)
4e2eef52c1
Fix archlinux packaging 2020-10-18 14:28:02 +02:00
Marek Marczykowski-Górecki
d90f62f982
version 4.1.17 2020-10-10 05:13:44 +02:00
unman
2b32289ea4
Allow build for Focal
(cherry picked from commit e07297d3e613a90499a3468a8f95b576898b12e7)
2020-10-10 04:18:19 +02:00
Frédéric Pierret (fepitre)
5f8c52ea94
preset: handle dom0 and sys-usb qubes-psu-client 2020-10-03 19:34:58 +02:00
Saswat Padhi
4f55a3b085
Fixed menu item name 2020-09-26 22:48:35 +00:00
Frédéric Pierret (fepitre)
523ffc1ef8
vm-systemd: enable dummy modules and psu client 2020-09-20 15:13:03 +02:00
Marek Marczykowski-Górecki
748f254909
version 4.1.16 2020-09-17 14:37:05 +02:00
Marek Marczykowski-Górecki
214da30e82
Merge remote-tracking branch 'origin/pr/248'
* origin/pr/248:
  bind-dirs: run in DisposableVM, too
2020-09-17 04:17:44 +02:00
Marek Marczykowski-Górecki
ebd7ce87d5
Merge remote-tracking branch 'origin/pr/247'
* origin/pr/247:
  passwordless-root: sudo: grant access for group qubes
  passwordless-root: policykit: restrict access to group qubes
2020-09-17 04:17:32 +02:00
Marek Marczykowski-Górecki
e9466dd04f
Merge remote-tracking branch 'origin/pr/236'
* origin/pr/236:
  qvm-template: Add qubes.Template{Search,Download} files to the package.
  qubes.Template*: Add --refresh option and allow DNF cache to be used.
  qubes.Template*: Invoke curl with --silent.
  qubes.Template*: Change separator from : to | and include additional metadata.
  Fix shell quoting.
  Remove repofrompath.
  New qrexec calls for interacting with template repos.
2020-09-17 03:08:56 +02:00
Marek Marczykowski-Górecki
fee8f6cfef
Merge remote-tracking branch 'origin/pr/246'
* origin/pr/246:
  Advertise apparmor support
2020-09-17 02:57:27 +02:00
Marek Marczykowski-Górecki
5bb125fa67
Merge remote-tracking branch 'origin/pr/244'
* origin/pr/244:
  spec: don't build sysvinit for Fedora and CentOS
2020-09-17 02:48:28 +02:00
Marek Marczykowski-Górecki
87135138ac
Revert "rpm: do not build qubes-core-agent-sysvinit package"
This reverts commit 408bccdd5c.
2020-09-17 02:47:51 +02:00
Marek Marczykowski-Górecki
27d4ecefed
Merge remote-tracking branch 'origin/pr/245'
* origin/pr/245:
  Skip IGD when unbinding device drivers on suspend
2020-09-17 02:46:45 +02:00
Marek Marczykowski-Górecki
e729a8a8bc
debian: drop python2 in build deps
QubesOS/qubes-issues#5297
2020-09-16 16:40:07 +02:00
Marek Marczykowski-Górecki
408bccdd5c
rpm: do not build qubes-core-agent-sysvinit package
Since no currently supported distribution needs it, skip the build by
default. If necessary, can be enabled by adjusting %with_sysvinit macro
in the spec.
2020-09-16 16:14:02 +02:00
Marek Marczykowski-Górecki
55d8b99003
travis: allow bullseye install to fail - no dnf/yum available
QubesOS/qubes-issues#5940
2020-09-16 15:40:51 +02:00
Rusty Bird
4c4f2e7038
bind-dirs: run in DisposableVM, too
Allow the user to configure bind-dirs in the dvm template and have that
configuration applied when a DisposableVM is instantiated.

Fixes QubesOS/qubes-issues#4624
Fixes QubesOS/qubes-issues#5618
2020-09-15 10:52:59 +00:00
Peter Gerber
42fb54da20 passwordless-root: sudo: grant access for group qubes
For consistency with `su` and policykit, grant access to group
qubes rather than user user.
2020-09-13 14:17:06 +00:00
Peter Gerber
a8b29c3fa6 passwordless-root: policykit: restrict access to group qubes
Without this restriction system users can start processes with
root privileges:

  $ sudo -u mail systemd-run --pipe -q id
  uid=0(root) gid=0(root) groups=0(root)
2020-09-13 14:16:07 +00:00
herypt
9271763a6f
Advertise apparmor support 2020-09-02 14:37:25 +02:00
Frédéric Pierret (fepitre)
562b871188
spec: don't build sysvinit for Fedora and CentOS 2020-08-28 13:48:18 +02:00
Artur Puzio
21864ab563
Skip IGD when unbinding device drivers on suspend 2020-08-25 17:08:38 +02:00