Commit Graph

1647 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
181c15f422
updates-proxy: explicitly block connection looping back to the proxy IP
Explicitly block something like "curl http://10.137.255.254:8082" and
return an error page in this case. This error page is used in Whonix to
detect if the proxy is torified. If not blocked, it may happen that
an empty response is returned instead of an error. See linked ticket for
details.

Fixes QubesOS/qubes-issues#1482
2015-12-04 14:57:07 +01:00
Marek Marczykowski-Górecki
5aa0f32c78
version 3.1.6 2015-11-29 00:34:34 +01:00
Marek Marczykowski-Górecki
a11897a1d0
Revert "network: use drop-ins for NetworkManager configuration (#1176)"
Apparently unmanaged devices are loaded only from main
NetworkManager.conf. Exactly the same line pasted (not typed!) to main
NetworkManager.conf works, but in
/etc/NetworkManager/conf.d/30-qubes.conf it doesn't.
BTW There was a typo in option name ("unmanaged_devices" instead of
"unmanaged-devices", but it wasn't the cause).

This reverts commit 6c4831339c.

QubesOS/qubes-issues#1176
2015-11-28 17:43:15 +01:00
Marek Marczykowski-Górecki
8482fbbd13
version 3.1.5 2015-11-28 14:48:34 +01:00
Marek Marczykowski-Górecki
5157d9822e
backup: Use 'type' instead of 'which' to prevent unnecessary dependency
This fixes using minimal-template based VMs to store/retrieve backup.
2015-11-27 12:31:33 +01:00
Marek Marczykowski-Górecki
c99dca37ce
debian: update build-depends for split qubes-utils package
QubesOS/qubes-issues#1416
2015-11-26 22:26:50 +01:00
Marek Marczykowski-Górecki
d4cf78652c
debian: reformat Build-Depends:
QubesOS/qubes-issues#1416
2015-11-26 21:10:23 +01:00
Marek Marczykowski-Górecki
808b3ab660
Package needrestart config only for Debian
On Fedora there is no such package.
2015-11-24 06:18:36 +01:00
Marek Marczykowski-Górecki
2c076f3915
Merge remote-tracking branch 'origin/pr/53'
* origin/pr/53:
  Have qubes-sysinit create /var/run/qubes VM type files.
2015-11-23 16:19:20 +01:00
Marek Marczykowski-Górecki
c603f32d23
Merge remote-tracking branch 'origin/pr/51'
* origin/pr/51:
  Prevent services from being accidentally restarted by `needrestart`.
2015-11-23 16:18:42 +01:00
Marek Marczykowski-Górecki
308e4857bc
Merge remote-tracking branch 'origin/pr/50'
* origin/pr/50:
  archlinux: enforce minimum versioning of qubes-utils
  rpm_spec: declare InstallUpdateGUI qrexec_service
  updates-proxy: remove remaining traces of proxy filtering file from Makefile
2015-11-23 16:18:26 +01:00
Patrick Schleizer
e323d3f4bd
Have qubes-sysinit create /var/run/qubes VM type files.
- /var/run/qubes/this-is-appvm
- /var/run/qubes/this-is-netvm
- /var/run/qubes/this-is-proxyvm
- /var/run/qubes/this-is-templatevm

This is useful for checking ConditionPathExists from within systemd units.

(Came up in https://phabricator.whonix.org/T432#7206.)
2015-11-22 21:55:51 +00:00
Patrick Schleizer
7dc99ee662
Prevent services from being accidentally restarted by needrestart.
Because those services do not yet support being restarted.

Extended variable `$nrconf{override_rc}`, i.e. packages only reported to need
restart, but blacklisted from default/suggested automatic restart, with
`qubes-core-agent` and `qubes-gui-agent`.

See also `$nrconf{override_rc}`:
10bd2db5e2/ex/needrestart.conf (L65)

Thanks to @liske for helping with this.
https://github.com/liske/needrestart/issues/13#issuecomment-136804625
2015-11-20 16:35:06 +01:00
Olivier MEDOC
c70ee7049f archlinux: enforce minimum versioning of qubes-utils 2015-11-17 09:47:21 +01:00
Olivier MEDOC
fa081f1dd9 rpm_spec: declare InstallUpdateGUI qrexec_service 2015-11-17 09:46:16 +01:00
Olivier MEDOC
15c69f434b updates-proxy: remove remaining traces of proxy filtering file from Makefile 2015-11-17 09:45:15 +01:00
Patrick Schleizer
7a0286d58f clean up /etc/tinyproxy/filter-updates
https://github.com/QubesOS/qubes-issues/issues/1188
2015-11-15 12:31:32 +00:00
Marek Marczykowski-Górecki
b725c050c7
version 3.1.4 2015-11-15 04:29:30 +01:00
Marek Marczykowski-Górecki
fa8b05a83c
network: disable proxy_arp
Since both sides have proper routing tables set, it isn't required to
set it anymore.

Fixes QubesOS/qubes-issues#1421
2015-11-15 04:04:06 +01:00
Marek Marczykowski-Górecki
69bb71bea0
updates-proxy: disable filtering at all
Since this proxy is used only when explicitly configured in application
(package manager), there is no point in worrying about the user
_erroneously_ using a web browser through this proxy. If the user really
wants to access the network from some other application he/she can always
alter firewall rules for that.

Fixes QubesOS/qubes-issues#1188
2015-11-15 03:57:51 +01:00
Marek Marczykowski-Górecki
5377dc50dc
Really fix update-proxy rules for debian security fixes repo
Reported by @adrelanos
Fixes QubesOS/qubes-issues#1422
2015-11-14 00:42:01 +01:00
Marek Marczykowski-Górecki
f0de6c5b16
Implement qubes.InstallUpdatesGUI qrexec service
It should be up to the VM what GUI tool is used for installing updates.
For now stick with console tools in xterm...

Fixes QubesOS/qubes-issues#1249
2015-11-13 05:32:44 +01:00
Marek Marczykowski-Górecki
13c9149b6c
Use improved update-notify script also in Fedora
Among other things this also fixes build failure - those scripts were
installed but not listed in spec file.

Actual check doesn't perform 'apt-get update', so do that when running
"standalone" (not as a hook from 'apt-get').

QubesOS/qubes-issues#1066
2015-11-13 05:28:47 +01:00
Marek Marczykowski-Górecki
d23f3d8ddb
network: let NetworkManager configure VM uplink, if enabled
Previously even if NetworkManager was enabled, our script manually
configured network parameters. This apparently has negative effects,
because NetworkManager tries to configure some things differently - for
example use metric 1024 for default gateway.

Fixes QubesOS/qubes-issues#1052
2015-11-13 04:26:23 +01:00
Marek Marczykowski-Górecki
3c7844d408
Merge remote-tracking branch 'origin/pr/48'
* origin/pr/48:
  Allow to provide customized DispVM home directly in the template VM

This allows to put a customized DispVM home directly in /home_volatile
in the template instead of placing it in the -dvm internal AppVM.

This significantly speeds up DispVM startup for large customized homes,
since none of the home data has to be copied out from saved_cows.tar to
volatile.img, and instead CoW is used.

It's not a very user friendly or discoverable solution, but it only
takes a few lines of code, and so seems a reasonable stopgap until a
much more complex solution with copy-on-write for the private.img is
written.
2015-11-13 03:06:55 +01:00
qubesuser
f380c346cf Allow to provide customized DispVM home directly in the template VM
This significantly speeds up DispVM creation for large customized
homes, since no data has to be copied, and instead CoW is used.
2015-11-12 15:33:01 +01:00
Marek Marczykowski-Górecki
914bab048a
Explicitly fail upgrades-installed-check on other distributions
QubesOS/qubes-issues#1066
2015-11-12 00:36:43 +01:00
Marek Marczykowski-Górecki
b569f93d0c
Merge remote-tracking branch 'origin/pr/39'
* origin/pr/39:
  misc/upgrades-installed-check: handle apt-get errors
  fixed inverted logic issue in upgrades-installed-check
  Improved upgrade notifications sent to QVMM.

Fixes QubesOS/qubes-issues#1066
2015-11-12 00:35:38 +01:00
Patrick Schleizer
52917593c5
misc/upgrades-installed-check: handle apt-get errors 2015-11-11 21:13:17 +00:00
Patrick Schleizer
d5acf83916
fixed inverted logic issue in upgrades-installed-check
928013f819 (commitcomment-13968627)
2015-11-11 16:10:23 +00:00
Patrick Schleizer
aeb6d188cc
Improved upgrade notifications sent to QVMM.
Each time some arbitrary package was installed using dpkg or apt-get, the update notification in Qubes VM Manager was cleared.
No matter if there were still updates pending. (Could happen even after the user running `apt-get dist-upgrade` in case of package manager issues.)
No longer clear upgrade notification in QVMM on arbitrary package installation.
Check if upgrades have been actually installed before clearing the notifications.

https://github.com/QubesOS/qubes-issues/issues/1066#issuecomment-150044906
2015-11-11 15:45:00 +00:00
Marek Marczykowski-Górecki
06828a9374
Merge remote-tracking branch 'origin/pr/47'
* origin/pr/47:
  minor, removed trailing space
2015-11-11 16:05:11 +01:00
Marek Marczykowski-Górecki
97e5072315
Revert "preset disable tinyproxy by default"
This reverts commit f32dccb5e3.
Not needed anymore since dropin approach is implemented.
2015-11-11 16:04:52 +01:00
Marek Marczykowski-Górecki
3324307ee2
Merge remote-tracking branch 'origin/pr/46'
* origin/pr/46:
  No longer start /etc/init.d/tinyproxy by default anymore.
2015-11-11 16:04:40 +01:00
Patrick Schleizer
cfab7d2068 minor, removed trailing space 2015-11-11 14:59:43 +00:00
Patrick Schleizer
5d6cf722a8
No longer start /etc/init.d/tinyproxy by default anymore.
But allow users to re-enable it through qubes-service framework.
/var/run/qubes-service/tinyproxy

Thanks to @marmarek for helping with this fix!

https://github.com/QubesOS/qubes-issues/issues/1401
2015-11-11 14:57:36 +00:00
Marek Marczykowski-Górecki
a6799cfcaf
Merge remote-tracking branch 'origin/pr/45'
* origin/pr/45:
  minor indent
2015-11-11 15:48:42 +01:00
Marek Marczykowski-Górecki
76ba45c281
Merge remote-tracking branch 'origin/pr/44'
* origin/pr/44:
  removed confusing comments
2015-11-11 15:48:29 +01:00
Patrick Schleizer
91e213a681 minor indent 2015-11-11 14:39:05 +00:00
Patrick Schleizer
ba5910f633 removed confusing comments 2015-11-11 14:37:39 +00:00
Marek Marczykowski-Górecki
e2ab963a27
Minor improvements to packaging (based on rpmlint)
There is much more to fix, but let's start with the low-hanging fruit.
2015-11-11 15:19:43 +01:00
Marek Marczykowski-Górecki
5d74a8cbc0
version 3.1.3 2015-11-11 06:29:21 +01:00
Marek Marczykowski-Górecki
2a589f2c20
updates-proxy: use separate directory for PID file
And also use systemd-tmpfiles for that directory creation.

Fixes QubesOS/qubes-issues#1401
2015-11-11 05:57:57 +01:00
Marek Marczykowski-Górecki
90b4398863
Merge remote-tracking branch 'origin/pr/43'
* origin/pr/43:
  preset disable tinyproxy by default
2015-11-11 05:27:52 +01:00
Marek Marczykowski-Górecki
164387426b
Bump qubes-utils version requirement
Those commits need updated qubes-utils:
823954c qrexec: use #define for protocol-specified strings
5774c78 qfile-agent: move data handling code to libqubes-rpc-filecopy

QubesOS/qubes-issues#1324
QubesOS/qubes-issues#1392
2015-11-11 05:25:17 +01:00
Marek Marczykowski-Górecki
49c7473848
dom0-updates: do not use 'yum check-update -q'
Depending on yum version, adding '-q' option may hide not only
informational messages, but also updates list. This is especially the
case for yum-deprecated in Fedora 22.
So instead of '-q' option, filter the output manually.

QubesOS/qubes-issues#1282
2015-11-11 05:22:26 +01:00
Marek Marczykowski-Górecki
3466f3df35
systemd: make sure that update check is started only after qrexec-agent 2015-11-11 02:36:57 +01:00
Marek Marczykowski-Górecki
7cca1b23ee
Get rid of qubes-core-vm-kernel-placeholder
Since /lib/modules is not mounted read-only anymore (only a selected
subdirectory there), it is no longer required to prevent kernel package
installation. Even more - since PV Grub is supported, it makes sense
to have a kernel installed in the VM.

QubesOS/qubes-issues#1354
2015-11-11 02:36:57 +01:00
Marek Marczykowski-Górecki
ba28c9f140
fedora: do not require/use yum-plugin-post-transaction-actions in F>=22
Since Fedora 22+ obsoletes yum, do not require yum-specific package to
be installed.

QubesOS/qubes-issues#1282
2015-11-11 02:36:57 +01:00
Marek Marczykowski-Górecki
b6cfcdcc6f
Implement dnf hooks for post-update actions
Similar to previous yum hooks:
 - notify dom0 about installed updates (possibly clear "updates pending"
   marker)
 - trigger appmenus synchronization

QubesOS/qubes-issues#1282
2015-11-11 02:36:57 +01:00