Jason Mehring 
							
						 
					 
					
						
						
						
						
							
						
						
							4373cda566 
							
						 
					 
					
						
						
							
							Changed location of PROTECTED_FILE_LIST to /etc/qubes/protected-files.d  
						
						
						
					 
					
						2015-04-25 02:36:43 +02:00 
						 
				 
			
				
					
						
							
							
								Jason Mehring 
							
						 
					 
					
						
						
						
						
							
						
						
							56b0685aaa 
							
						 
					 
					
						
						
							
							whonix:  Added protected-files file used to prevent scripts from modifying files that need to be protected  
						
						
						
						
						A file is created in /var/lib/qubes/protected-files.  Scripts can grep this file before modifying
        known files to be protected and skip any modifications if the file path is within protected-files.
        Usage Example:
            if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
        Also cleaned up maintainer scripts removing unneeded systemd status functions and streamlined
        the enable/disable systemd unit files functions 
						
					 
					
						2015-04-25 02:36:43 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							c49d9283f0 
							
						 
					 
					
						
						
							
							network: wait for iptables lock instead of aborting  
						
						
						
						
						vif-route-qubes can be called simultaneously, for example in case of:
 - multiple domains startup
 - HVM startup (two interfaces: one to the target domain, second one to
   stubdom)
If that happens, one of the calls can fail because of the iptables lock. 
						
					 
					
						2015-04-21 04:41:57 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							b655d968c4 
							
						 
					 
					
						
						
							
							updates-proxy: allow xz compressed metadata (fc21)  
						
						
						
					 
					
						2015-02-17 14:11:09 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							4dbd9e205c 
							
						 
					 
					
						
						
							
							network: fix handling newline in firewall rules  
						
						
						
						
						Since the rules are no longer directly handed to echo -e, sed needs to
handle all escape sequences used in rules (newline only, but in
different notations). 
						
					 
					
						2015-02-11 14:14:27 +01:00 
						 
				 
			
				
					
						
							
							
								HW42 
							
						 
					 
					
						
						
						
						
							
						
						
							dad5bfbd18 
							
						 
					 
					
						
						
							
							remove 'bashisms' or explicit use bash  
						
						
						
					 
					
						2015-02-05 05:42:08 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							19a4c6d0dd 
							
						 
					 
					
						
						
							
							network: support for not setting DNS and/or default gateway (v2)  
						
						
						
						
						This patch introduces two new qvm-services:
 - disable-default-route
 - disable-dns-server
Both disabled by default. You can enable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.
This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C7FB59.2020603%40openmailbox.org 
Conflicts:
	network/setup-ip
	vm-init.d/qubes-core
	vm-systemd/qubes-sysinit.sh 
						
					 
					
						2015-01-30 00:52:31 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							4637735882 
							
						 
					 
					
						
						
							
							network: support for not setting DNS and/or default gateway  
						
						
						
						
						This patch introduces two new qvm-services:
 - set-default-route
 - set-dns-server
Both enabled by default. You can disable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.
This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C39656.3090303%40openmailbox.org 
Conflicts:
	network/setup-ip
	vm-init.d/qubes-core
	vm-systemd/qubes-sysinit.sh 
						
					 
					
						2015-01-30 00:48:55 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							0be213200a 
							
						 
					 
					
						
						
							
							network: fix NM config preparation  
						
						
						
						
						The same variables are reused to configure downlink in ProxyVM, so
create NM config before they get overridden.
Conflicts:
	network/setup-ip 
						
					 
					
						2015-01-30 00:43:29 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							b3429b596d 
							
						 
					 
					
						
						
							
							network: set uplink configuration based on MAC (NetworkManager)  
						
						
						
					 
					
						2015-01-30 00:39:37 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							5bd3080521 
							
						 
					 
					
						
						
							
							Update update-proxy rules for debian security fixes repo  
						
						
						
						
						The name can be "wheezy/updates". 
						
					 
					
						2015-01-30 00:32:56 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							9130636c88 
							
						 
					 
					
						
						
							
							Merge branch 'debian'  
						
						
						
						
						Conflicts:
	misc/qubes-r2.list.in
	misc/qubes-trigger-sync-appmenus.sh
	network/30-qubes-external-ip
	network/qubes-firewall
	vm-systemd/network-proxy-setup.sh
	vm-systemd/prepare-dvm.sh
	vm-systemd/qubes-sysinit.sh 
						
					 
					
						2015-01-30 00:30:24 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski 
							
						 
					 
					
						
						
						
						
							
						
						
							db35abadc8 
							
						 
					 
					
						
						
							
							Use Qubes DB instead of Xenstore  
						
						
						
					 
					
						2014-11-19 15:34:33 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							ea4eef7de8 
							
						 
					 
					
						
						
							
							network: fix indentation  
						
						
						
					 
					
						2014-11-13 23:19:34 +01:00 
						 
				 
			
				
					
						
							
							
								Jason Mehring 
							
						 
					 
					
						
						
						
						
							
						
						
							848c53adc2 
							
						 
					 
					
						
						
							
							debian: Updated tinyproxy filter rules  
						
						
						
					 
					
						2014-11-11 13:38:26 -05:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							427decd793 
							
						 
					 
					
						
						
							
							network: fix NM uplink config permissions  
						
						
						
						
						Otherwise NM will not use the file. 
						
					 
					
						2014-11-09 05:35:07 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							7027633e80 
							
						 
					 
					
						
						
							
							network: do not use ifcfg-rh NM plugin  
						
						
						
						
						Apparently eth0 in ProxyVM can be configured using plain keyfile plugin,
which is present on all distributions. 
						
					 
					
						2014-11-09 05:31:22 +01:00 
						 
				 
			
				
					
						
							
							
								Jason Mehring 
							
						 
					 
					
						
						
						
						
							
						
						
							44230f7f35 
							
						 
					 
					
						
						
							
							debian: Remove absolute path to xenstore-*  
						
						
						
					 
					
						2014-11-07 09:59:41 -05:00 
						 
				 
			
				
					
						
							
							
								Jason Mehring 
							
						 
					 
					
						
						
						
						
							
						
						
							a6e6c86764 
							
						 
					 
					
						
						
							
							debian: Made debian proxy filter rules more restrictive  
						
						
						
					 
					
						2014-11-07 00:09:13 -05:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							c817bb0282 
							
						 
					 
					
						
						
							
							little fix for the official template  
						
Merge tag 'hw42_debian-systemd-3' into debian
Conflicts:
	debian/control
	Merged postinst scripts from hw42 and nrgaway 
						
					 
					
						2014-11-05 04:35:23 +01:00 
						 
				 
			
				
					
						
							
							
								HW42 
							
						 
					 
					
						
						
						
						
							
						
						
							63e915f6d4 
							
						 
					 
					
						
						
							
							Tag for commit  5d68e2cc70 
						
Merge tag 'mm_5d68e2cc' into debian-systemd
Tag for commit 5d68e2cc70 
						
					 
					
						2014-11-03 04:28:00 +01:00 
						 
				 
			
				
					
						
							
							
								Jason Mehring 
							
						 
					 
					
						
						
						
						
							
						
						
							f02780421d 
							
						 
					 
					
						
						
							
							debian: Added less restrictive filter option for debian packages  
						
						
						
						
						Sites like sourceforge append ?downloadxxx to end 
						
					 
					
						2014-11-02 16:22:42 -05:00 
						 
				 
			
				
					
						
							
							
								Jason Mehring 
							
						 
					 
					
						
						
						
						
							
						
						
							b04594ed60 
							
						 
					 
					
						
						
							
							Allow hyphenated distro names in tinyproxy filter  
						
						
						
					 
					
						2014-10-30 16:35:12 -04:00 
						 
				 
			
				
					
						
							
							
								HW42 
							
						 
					 
					
						
						
						
						
							
						
						
							4886411570 
							
						 
					 
					
						
						
							
							various patches for debian  
						
						
						
						
						this should enable debian based templates to be used as proxy/netvm 
						
					 
					
						2014-09-29 05:25:24 +02:00 
						 
				 
			
				
					
						
							
							
								HW42 
							
						 
					 
					
						
						
						
						
							
						
						
							70bbc7923d 
							
						 
					 
					
						
						
							
							install iptables/forwarding for debian  
						
						
						
					 
					
						2014-09-29 05:25:14 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							e93cf3e81b 
							
						 
					 
					
						
						
							
							updates-proxy: add rules for debian repositories ( #887 )  
						
						
						
					 
					
						2014-09-29 04:05:24 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							3f19c89301 
							
						 
					 
					
						
						
							
							Rename qubes-yum-proxy service to qubes-updates-proxy  
						
						
						
						
						It is no longer a Fedora-only proxy, so rename to not confuse the user.
Also, the documentation has referred to it as "updates proxy" for a long time. 
						
					 
					
						2014-09-27 00:32:52 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							41f65f1f5a 
							
						 
					 
					
						
						
							
							firewall: show error message only on actual error  
						
						
						
					 
					
						2014-09-03 09:59:59 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							53b0d8ab17 
							
						 
					 
					
						
						
							
							network: fix IP address of backend network interface  
						
						
						
						
						Get it from settings provided by dom0, do not calculate itself. This
makes a difference for DispVMs. 
						
					 
					
						2014-08-13 09:23:51 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							a288939156 
							
						 
					 
					
						
						
							
							Revert "network: use the same gateway IP generation method as backend"  
						
						
						
						
						This reverts commit 4ef785a016 
						
					 
					
						2014-08-13 08:58:10 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							4ef785a016 
							
						 
					 
					
						
						
							
							network: use the same gateway IP generation method as backend  
						
						
						
						
						Backend domain generates its IP address based on frontend IP, not
settings given from dom0. So change frontend method to the same (for
DispVM it makes a difference). Now "qubes-gateway" xenstore entry is
basically primary DNS address only. 
						
					 
					
						2014-08-13 08:12:37 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							4d300ff137 
							
						 
					 
					
						
						
							
							Fix bashism  
						
						
						
						
						Debian has dash as default shell. 
						
					 
					
						2014-07-26 03:58:21 +02:00 
						 
				 
			
				
					
						
							
							
								Davíð Steinn Geirsson 
							
						 
					 
					
						
						
						
						
							
						
						
							e5fa610b0d 
							
						 
					 
					
						
						
							
							Use xenstore.h instead of xs.h when xen >= 4.2  
						
						
						
					 
					
						2014-07-23 05:13:06 +02:00 
						 
				 
			
				
					
						
							
							
								Davíð Steinn Geirsson 
							
						 
					 
					
						
						
						
						
							
						
						
							2ddea415b2 
							
						 
					 
					
						
						
							
							Check for xenstore-read in /usr/sbin as well (default on debian)  
						
						
						
					 
					
						2014-07-23 05:11:31 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							510edfb071 
							
						 
					 
					
						
						
							
							network: setup NM connection when its active in the ProxyVM  
						
						
						
					 
					
						2014-05-22 01:36:15 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							486b148a08 
							
						 
					 
					
						
						
							
							Configure only installed programs  
						
						
						
					 
					
						2014-05-22 01:31:43 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							e88b6e38be 
							
						 
					 
					
						
						
							
							network: suppress NetworkManager from touching inter-vm interfaces ( #774 )  
						
						
						
						
						Those interfaces are configured by qubes scripts (based on xenstore data
filled by qubes core). 
						
					 
					
						2014-03-28 02:57:12 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							4c3d5a46c2 
							
						 
					 
					
						
						
							
							firewall: replace deprecated "state" iptables module with "conntrack"  
						
						
						
					 
					
						2014-03-28 02:56:43 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							f2ff044539 
							
						 
					 
					
						
						
							
							yum-proxy: fix iptables rules order  
						
						
						
						
						Add the rules at the beginning of chain, so before final REJECT rule. 
						
					 
					
						2014-03-26 00:02:10 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							a19ef6d0db 
							
						 
					 
					
						
						
							
							qubes-firewall: log errors to stderr -> syslog  
						
						
						
						
						Not only display as notifications (which may be easily missed). 
						
					 
					
						2014-02-22 01:23:27 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							18ed540158 
							
						 
					 
					
						
						
							
							yum-proxy: fix stop command - iptables-restore do not accept -D  
						
						
						
						
						iptables-restore format accepts only the "-A" command, so remove the rules
with direct call to iptables 
						
					 
					
						2014-02-21 13:28:49 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski-Górecki 
							
						 
					 
					
						
						
						
						
							
						
						
							d660f260b8 
							
						 
					 
					
						
						
							
							Hide nm-applet when NetworkManager is disabled (retry)  
						
						
						
						
						It isn't done automatically by nm-applet itself since nm-applet 0.9.9.0
(fc19+), this one commit:
https://git.gnome.org/browse/network-manager-applet/commit?id=276a702000ee9e509321891f5ffa9789acfb053c 
At the same time they've introduced an option to manually hide the icon:
https://git.gnome.org/browse/network-manager-applet/commit?id=e7331a3f33ab422ea6c1bbc015ad44d8d9c83bc3  
						
					 
					
						2014-02-07 02:16:39 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski 
							
						 
					 
					
						
						
						
						
							
						
						
							8c9433fc00 
							
						 
					 
					
						
						
							
							yum-proxy: use iptables-restore to set firewall rules  
						
						
						
						
						Simple iptables sometimes returns EBUSY. 
						
					 
					
						2013-08-05 02:08:52 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski 
							
						 
					 
					
						
						
						
						
							
						
						
							30ca124784 
							
						 
					 
					
						
						
							
							The Underscores Revolution: xenstore paths  
						
						
						
					 
					
						2013-03-14 04:29:15 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski 
							
						 
					 
					
						
						
						
						
							
						
						
							ecc812f350 
							
						 
					 
					
						
						
							
							The Underscores Revolution: filenames  
						
						
						
						
						Get rid of underscores in filenames, use dashes instead.
This is the first part of cleanup in filenames.
"qubes_rpc" still untouched - will be in separate commit. 
						
					 
					
						2013-03-14 01:07:49 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski 
							
						 
					 
					
						
						
						
						
							
						
						
							c8e6ec3a7f 
							
						 
					 
					
						
						
							
							Remove obsolete files.  
						
						
						
					 
					
						2013-03-12 18:02:54 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski 
							
						 
					 
					
						
						
						
						
							
						
						
							ff47b0a8b8 
							
						 
					 
					
						
						
							
							vm/network: create NetworkManager config link only once  
						
						
						
					 
					
						2013-01-11 05:05:39 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski 
							
						 
					 
					
						
						
						
						
							
						
						
							965846532a 
							
						 
					 
					
						
						
							
							vm/network: disable tx-checksumming offload ( #700 )  
						
						
						
						
						It doesn't work on xen-netfront. 
						
					 
					
						2013-01-08 03:03:44 +01:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski 
							
						 
					 
					
						
						
						
						
							
						
						
							7131bb7dcd 
							
						 
					 
					
						
						
							
							vm/network: do not fail service on failed xenstore-read  
						
						
						
					 
					
						2012-10-13 11:47:32 +02:00 
						 
				 
			
				
					
						
							
							
								Marek Marczykowski 
							
						 
					 
					
						
						
						
						
							
						
						
							f33d2e4f42 
							
						 
					 
					
						
						
							
							vm/iptables: block IPv6 traffic  
						
						
						
						
						This isn't properly handled by Qubes VMs yet, so block it in all the VMs.
Also restrict access to firewall config. 
						
					 
					
						2012-09-25 16:14:06 +02:00