Commit Graph

2716 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
0fac1aa45c
Fix sudo SELinux settings
By setting Defaults role/type parameters, sudo starts asking for
password when called as root. It isn't clear why this happens, but
rollback that change. Instead, set ROLE/TYPE just for the rule for the
'qubes' group, which already has NOPASSWD option.

Fixes 3bcc1c3 "“sudo” must remove SELinux restrictions"
2021-01-08 05:21:19 +01:00
Marek Marczykowski-Górecki
4dfd0a4278
version 4.1.20 2021-01-05 20:51:04 +01:00
Olivier MEDOC
17d828dcea
archlinux: pin PKGBUILD to python3.X major version as new python version will break the API
(cherry picked from commit 1fae41332219ba22d3e0bc2bfc73abea10f5bb97)
2021-01-05 20:50:49 +01:00
Marek Marczykowski-Górecki
0e0c22910b
rpm: enable qubes-network-uplink.service on install 2021-01-04 20:25:54 +01:00
Marek Marczykowski-Górecki
244fca8f66
network: skip calling setup-ip from network-manager-prepare-conf-dir
The setup-ip script requires extra parameters (action and interface) not
only env variables. Since NetworkManager service is already ordered
after qubes-network-uplink.service, the setup-ip already did its job at
this time - remove the call instead of fixing it.
2021-01-03 22:36:08 +01:00
Marek Marczykowski-Górecki
932727b3df
version 4.1.19 2021-01-03 06:38:51 +01:00
Marek Marczykowski-Górecki
e71edb8584
Merge branch 'network-wait-fix'
* network-wait-fix:
  Increase upgrades-status-notify verbosity
  network: fix waiting for VM network uplink
2021-01-03 06:11:48 +01:00
Marek Marczykowski-Górecki
e1ebbf2893
archlinux: checkupdates output is not checked anymore, ignore it 2021-01-03 05:28:38 +01:00
Marek Marczykowski-Górecki
f95f08e15f
Merge remote-tracking branch 'origin/pr/267'
* origin/pr/267:
  fix for ArchLinux: notify dom0 about installed updates The launch of the qubes-update-check service failed on ArchLinux, because the qubes-rpc uses the `service` command which isn't available for this OS.
  fix archlinux detection of available upgrades note: checkupdates return 2 when no updates are available (source: man page and source code)
  upgrades-installed-check requires pacman-contrib for checkupdates
2021-01-03 05:25:57 +01:00
Marek Marczykowski-Górecki
d28ada95ec
Merge remote-tracking branch 'origin/pr/269'
* origin/pr/269:
  Avoid spawning a Zenity progress meter
  Harden shell scripts against metacharacters
2021-01-03 05:23:48 +01:00
Marek Marczykowski-Górecki
c2f4e026a5
Merge remote-tracking branch 'origin/pr/272'
* origin/pr/272:
  Allow SELinux to stay enabled
2021-01-03 05:21:53 +01:00
Marek Marczykowski-Górecki
ce9f6b2fa7
Increase upgrades-status-notify verbosity
Print errors on stderr. yum_output variable isn't used anywhere, so
not capturing stderr won't be a problem either.
2021-01-03 04:55:10 +01:00
Marek Marczykowski-Górecki
90ae037a3a
Merge remote-tracking branch 'origin/pr/280'
* origin/pr/280:
  Ignore more options of qubes-dom0-update
2021-01-03 04:24:19 +01:00
Marek Marczykowski-Górecki
e8f2f64270
Merge remote-tracking branch 'origin/pr/281'
* origin/pr/281:
  Avoid deprecated /var/run directory
2021-01-03 04:23:54 +01:00
Marek Marczykowski-Górecki
79bb5a8658
Merge remote-tracking branch 'origin/pr/283'
Fixes QubesOS/qubes-issues#6290

* origin/pr/283:
  Handle UnicodeError in firewall when resolving hostname
2021-01-03 04:22:09 +01:00
Marek Marczykowski-Górecki
882059d494
Merge remote-tracking branch 'origin/pr/282'
Fixes QubesOS/qubes-issues#6291

* origin/pr/282:
  Fix comments in default qubes-firewall-user-script
2021-01-03 04:20:04 +01:00
Marek Marczykowski-Górecki
ff86bf9fff
archlinux: add missing python-setuptools makedepends 2021-01-03 03:55:34 +01:00
icequbes1
ed33374f67
Handle UnicodeError in firewall when resolving hostname 2021-01-02 15:29:58 -08:00
icequbes1
c25513f930
Fix comments in default qubes-firewall-user-script 2021-01-02 13:11:18 -08:00
Demi Marie Obenour
48b9d5c69b
Avoid deprecated /var/run directory
It causes systemd to emit warnings.
2020-12-28 22:06:40 -05:00
Demi Marie Obenour
3f5bb373fb
Ignore more options of qubes-dom0-update 2020-12-28 22:05:41 -05:00
Marek Marczykowski-Górecki
d602da4ae9
network: fix waiting for VM network uplink
The network-uplink-wait.sh script may be called before xen-netfront
module is even loaded (by udev). In that case, `get_qubes_managed_iface`
will fail to get the interface name and the wait will be skipped.

Fix this by loading xen-netfront module explicitly (do not try to
synchronize with udev, which is tricky not knowing the device
name).
2020-12-28 20:44:24 +01:00
Marek Marczykowski-Górecki
ba4e7f853d
Actually install unit files into /usr/lib/systemd/system
Fixes 57b30d3 "Use /usr/lib instead of /lib"
2020-12-28 19:09:59 +01:00
Marek Marczykowski-Górecki
9943585d93
Merge remote-tracking branch 'origin/pr/279'
* origin/pr/279:
  Use 022 instead of 002 as sudo umask
2020-12-28 16:57:28 +01:00
Marek Marczykowski-Górecki
a9e98cc13c
Merge remote-tracking branch 'origin/pr/278'
* origin/pr/278:
  “sudo” must remove SELinux restrictions
  Only give the “qubes” group full Polkit access
2020-12-28 16:57:15 +01:00
Marek Marczykowski-Górecki
46df6fc32b
Merge remote-tracking branch 'origin/pr/274'
* origin/pr/274:
  Use /usr/lib instead of /lib
2020-12-28 16:48:27 +01:00
Marek Marczykowski-Górecki
cba3f59623
Merge remote-tracking branch 'origin/pr/268'
* origin/pr/268:
  Don’t rely on an arbitrary length limit
  Don’t assume dom0 will never have a network connection
  Add conntrack-tools dependency to qubes-core-agent-networking
  Keep shellcheck from complaining
  Stop disabling checksum offload
  Remove spurious line continuation; add quotes.
  vif-route-qubes: Check that the -e flag is set
  Purge stale connection tracking entries
2020-12-28 16:43:29 +01:00
Demi Marie Obenour
3bcc1c37ce
“sudo” must remove SELinux restrictions
Otherwise, if “user” has the SELinux user “staff_u”, the user will
typically need to write “sudo -r unconfined_r -t unconfined_t”, which is
annoying.  If SELinux is disabled, these fields are ignored.
2020-12-24 15:48:33 -05:00
Demi Marie Obenour
16f48b6298
Only give the “qubes” group full Polkit access
This is consistent with the rest of qubes-core-agent-passwordless-root,
and helps prevent sandbox escapes by daemons with dbus access.
2020-12-24 15:46:08 -05:00
Demi Marie Obenour
951b25e8c5
Use 022 instead of 002 as sudo umask
The comment already mentions 022, which is presumably what was intended.
2020-12-24 15:40:51 -05:00
Demi Marie Obenour
6adad25f51
Avoid spawning a Zenity progress meter
Newer versions of qubes-dom0-update will spawn
qubes-download-dom0-updates.sh in an xterm if GUI mode is enabled.
Therefore, we don’t need to spawn our own progress bar.
2020-12-23 13:23:03 -05:00
Demi Marie Obenour
274df33d4d
Harden shell scripts against metacharacters
`qubes-download-dom0-updates.sh` can now handle spaces in its inputs,
for example.
2020-12-23 13:19:58 -05:00
Demi Marie Obenour
a42b3806b6
Metadata is now signed 2020-12-22 16:08:57 -05:00
Demi Marie Obenour
1ea361bc79
Always pass ‘-y’ to dnf
DNF should never be used unattended without ‘-y’.
2020-12-22 15:53:15 -05:00
Demi Marie Obenour
9bcfc5dc9f
Allow SELinux to stay enabled
Users who have their own SELinux policies should be able to keep QubesOS
from disabling SELinux.
2020-12-17 23:45:28 -05:00
Demi Marie Obenour
e5b56b96c4
Don’t rely on an arbitrary length limit
We can check for overlong domids without hardcoding the length in a
regex.  Just check if the length is longer than that of the max XID.
2020-12-17 23:39:19 -05:00
Demi Marie Obenour
c09909c702
Don’t assume dom0 will never have a network connection
In test setups, this actually happens!
2020-12-17 23:09:16 -05:00
Demi Marie Obenour
bf443ef6e6
Merge commit 'b15ff53bc6dee36cecf28413554fb7c856ae0517' into usr-lib-merge 2020-12-17 17:43:38 -05:00
Demi Marie Obenour
95022f94e9
Merge commit 'b15ff53bc6dee36cecf28413554fb7c856ae0517' into no-tabs-please 2020-12-17 17:42:28 -05:00
Demi Marie Obenour
220adcae9e
Merge commit 'b15ff53bc6dee36cecf28413554fb7c856ae0517' into conntrack-purge 2020-12-17 15:54:21 -05:00
Demi Marie Obenour
6565facec3
Add conntrack-tools dependency to qubes-core-agent-networking
Otherwise no vif-* interfaces come up.
2020-12-16 01:54:05 -05:00
Demi Marie Obenour
20a6a94724
Replace tabs with spaces
Purely a cosmetic fix.
2020-12-14 12:52:28 -05:00
Frédéric Pierret (fepitre)
b15ff53bc6
debian: update compat 2020-12-12 11:44:47 +01:00
Frédéric Pierret (fepitre)
edde0d573e
debian: update control 2020-12-12 11:11:18 +01:00
Demi Marie Obenour
ae48c7e04d
Merge commit '66b3e628f2bf0ec8f23b0b42484d014e5cad23bf' into conntrack-purge 2020-12-08 14:47:56 -05:00
Demi Marie Obenour
44b3c12d94
Keep shellcheck from complaining
The code was correct, but shellcheck didn’t recognize that ‘n’ had been
assigned as a local variable.
2020-12-07 14:57:03 -05:00
Demi Marie Obenour
d960f7af85
Stop disabling checksum offload
We now have a newer qemu in the stubdomain, so checksum offloading
should work.
2020-12-07 14:12:01 -05:00
Demi Marie Obenour
70253edeab
Remove spurious line continuation; add quotes.
Pipelines can extend over multiple lines without needing line
continuation.
2020-12-07 14:11:12 -05:00
Demi Marie Obenour
9840953f5f
vif-route-qubes: Check that the -e flag is set 2020-12-07 14:08:32 -05:00
Demi Marie Obenour
a8588c4e9c
Purge stale connection tracking entries
This ensures that a VM cannot use connection tracking entries created by
another VM.
2020-12-06 12:55:51 -05:00