Commit Graph

2668 Commits

Author SHA1 Message Date
Demi Marie Obenour
3bcc1c37ce
“sudo” must remove SELinux restrictions
Otherwise, if “user” has the SELinux user “staff_u”, the user will
typically need to write “sudo -r unconfined_r -t unconfined_t”, which is
annoying.  If SELinux is disabled, these fields are ignored.
2020-12-24 15:48:33 -05:00
Demi Marie Obenour
16f48b6298
Only give the “qubes” group full Polkit access
This is consistent with the rest of qubes-core-agent-passwordless-root,
and helps prevent sandbox escapes by daemons with dbus access.
2020-12-24 15:46:08 -05:00
Demi Marie Obenour
95022f94e9
Merge commit 'b15ff53bc6dee36cecf28413554fb7c856ae0517' into no-tabs-please 2020-12-17 17:42:28 -05:00
Demi Marie Obenour
20a6a94724
Replace tabs with spaces
Purely a cosmetic fix.
2020-12-14 12:52:28 -05:00
Frédéric Pierret (fepitre)
b15ff53bc6
debian: update compat 2020-12-12 11:44:47 +01:00
Frédéric Pierret (fepitre)
edde0d573e
debian: update control 2020-12-12 11:11:18 +01:00
Marek Marczykowski-Górecki
66b3e628f2
Order NetworkManager after qubes-network-uplink.service
Make sure NM config for uplink interface (eth0) is created before
starting NetworkManager itself. Otherwise NM helpfully will try to use
automatic DHCP configuration, which will fail and cause delays on
network start.
2020-12-05 18:13:27 +01:00
Marek Marczykowski-Górecki
519e82b7c0
init/functions: do not guess 'eth0' as Qubes-managed interface
... if it doesn't exist.
The /qubes-mac qubesdb entry is present on Qubes 4.1, but not 4.0. It is
ok to depend on it here, but keep safer fallback if this code would need
to be backported.
2020-12-04 12:30:57 +01:00
Marek Marczykowski-Górecki
8a3cd3db1d
Make init/functions suitable for running with 'set -u'
Initialize local variables.
2020-12-04 03:24:03 +01:00
Marek Marczykowski-Górecki
6aa2b89fba
Cleanup setup-ip script a bit
There is no longer a case where $INTERFACE is not set.
2020-12-04 03:24:02 +01:00
Marek Marczykowski-Górecki
dd8de797e3
Move network uplink setup to a separate service
Previously, network uplink (eth0) was configured in two places:
 - udev (asynchronously)
 - qubes-misc-post.service - at the very end of the boot process

This caused multiple issues:
1. Depending on udev event processing (non-deterministic), network
   uplink could be enabled too early, for example before setting up
   firewall.
2. Again depending on udev processing, it can be enabled quite late in
   the boot process, after network.target is up and services assume
   network already configured. This for example causes qubes-firewall to
   fail DNS queries.
3. If udev happens to try to enable networking even earlier, it may
   happen before qubesdb-daemon is started, in which case network setup
   will fail. For this case, there was network re-setup in
   qubes-misc-post service - much later in the boot.

Fix the above by placing network uplink setup in a dedicated
qubes-network-uplink@${INTERFACE}.service unit ordered after
network-pre.target and pulled in by udev based on vif device existence,
to handle also dynamic network attach/detach.
Then, create qubes-network-uplink.service unit waiting for appropriate
interface-specific unit (if one is expected!) and order it before
network.target.

QubesOS/qubes-issues#5576
2020-12-04 03:24:02 +01:00
Marek Marczykowski-Górecki
e344dcc4c9
Order qubes-early-vm-config.service before networking
Fixes QubesOS/qubes-issues#5570
2020-12-03 20:52:51 +01:00
Marek Marczykowski-Górecki
0caa7fcf75
network: stop IP forwarding before disabling firewall
Stop IP forwarding when stopping qubes-network service (which initially
enables it). This makes ordering against qubes-firewall safe - firewall
is applied before allowing IP forward and then is removed when IP
forward is already disabled.

Fixes QubesOS/qubes-issues#5599
2020-12-03 20:52:51 +01:00
Marek Marczykowski-Górecki
f66a494cc2
Allow DHCPv6 replies on uplink interface, if ipv6 is enabled
Fixes QubesOS/qubes-issues#5886
2020-12-03 20:52:51 +01:00
Marek Marczykowski-Górecki
5ddc118429
Merge remote-tracking branch 'origin/pr/266'
* origin/pr/266:
  Only allow known-safe characters in socket paths
2020-12-01 03:57:57 +01:00
Marek Marczykowski-Górecki
6da7f77013
Merge remote-tracking branch 'origin/pr/265'
* origin/pr/265:
  Replace custom script reloading with sourcing /etc/profile in qubes.GetAppmenus

Fixes QubesOS/qubes-issues#6163
2020-12-01 03:56:02 +01:00
Marek Marczykowski-Górecki
4543d4f003
Merge remote-tracking branch 'origin/pr/232'
* origin/pr/232:
  Use netvm_gw_ip instead of netvm_ip
  Remove commented-out code
  Add NetVM-facing neighbor entry in NAT namespace
  Optimization: use `ip -n` over `ip netns exec`
  NAT network namespaces need neighbor entries
  vif-route-qubes: better input validation
  Don’t use onlink flag for nexthop
  Fix running under -euo pipefail
  Don’t hardcode MAC addresses
  Add gateway IP+MAC, not VM’s own
  Add permanent neighbor entries
  network: prevent IP spoofing on upstream (eth0) interface
  network: setup anti-spoofing firewall rules before enabling the interface
2020-12-01 03:53:31 +01:00
Demi Marie Obenour
06d84b5198
Only allow known-safe characters in socket paths
The socket path will be included in a shell command and then as a socat
argument, so only allow a small subset of known-safe characters.  In
practice, this has not been a problem because mktemp doesn’t include
these characters in its output.
2020-11-27 15:25:29 -05:00
ejose19
489fde7cb3
Replace custom script reloading with sourcing /etc/profile in qubes.GetAppmenus 2020-11-26 14:45:57 -03:00
Marek Marczykowski-Górecki
c3761ac7e7
Merge remote-tracking branch 'origin/pr/264'
* origin/pr/264:
  qubes.ShowInTerminal requires socat
2020-11-26 00:20:39 +01:00
Demi Marie Obenour
5e0d1cd1d8
qubes.ShowInTerminal requires socat 2020-11-24 17:38:14 -05:00
Marek Marczykowski-Górecki
156e18190f
gitlab-ci: install test dependencies
- python3-gobject-base (for PyGTK)
- ShellCheck
2020-11-23 12:49:38 +01:00
Marek Marczykowski-Górecki
3b6a878851
gitlab-ci: include codecov 2020-11-23 05:10:30 +01:00
Marek Marczykowski-Górecki
7c42fb68bb
gitlab-ci: move tests earlier, rename job
It isn't just shellcheck
2020-11-23 04:55:32 +01:00
Demi Marie Obenour
0580fe545b
Use netvm_gw_ip instead of netvm_ip
They are usually identical, but this is not guaranteed.
2020-11-22 17:52:54 -05:00
Demi Marie Obenour
9d10ecc08f
Remove commented-out code 2020-11-19 15:19:40 -05:00
Demi Marie Obenour
e4eeb2ee1b
Add NetVM-facing neighbor entry in NAT namespace
Since AppVMs will have their own NetVM-facing neighbor entries, a user
might (correctly) conclude that NetVMs do not need ARP or NDP enabled.
For this to work with NAT namespaces, they need their own neighbor
entries.
2020-11-19 12:16:15 -05:00
Demi Marie Obenour
097342bd08
Optimization: use `ip -n` over `ip netns exec`
This saves an exec call.
2020-11-19 12:10:26 -05:00
Demi Marie Obenour
6517cca2a4
NAT network namespaces need neighbor entries
If we are using a NAT network namespace, it needs its own neighbor
entries.  For consistency, give it the same MAC address as the VM it
connects to.
2020-11-19 12:08:23 -05:00
Frédéric Pierret (fepitre)
b28f8a27e8
Add .gitlab-ci.yml 2020-11-17 16:53:26 +01:00
Demi Marie Obenour
791b08c2ec
vif-route-qubes: better input validation
The input is trusted, but this will help debugging if something goes
wrong.
2020-11-13 13:15:24 -05:00
Demi Marie Obenour
9646acb18e
Don’t use onlink flag for nexthop
This is rejected by the kernel.
2020-11-13 12:51:15 -05:00
Demi Marie Obenour
3e7552856f
Fix running under -euo pipefail
Some qubesdb-read commands are expected to fail.  I ultimately did not
wind up including -e, but this version should be ready for it.
2020-11-11 14:07:55 -05:00
Demi Marie Obenour
377add43d1
Don’t hardcode MAC addresses 2020-11-10 22:31:18 -05:00
Demi Marie Obenour
0a322958e4
Add gateway IP+MAC, not VM’s own 2020-11-10 22:09:54 -05:00
Demi Marie Obenour
aa71677cbd
Add permanent neighbor entries
This allows network traffic to flow even if ARP and NDP do not work or
have explicitly been disabled.
2020-11-10 16:28:53 -05:00
Marek Marczykowski-Górecki
74f5fb5ac7
network: prevent IP spoofing on upstream (eth0) interface
Currently there is just one anti-spoofing firewall rule ensuring packets
coming through vif+ interfaces have the right source address. Add
another rule ensuring that addresses that belong to VMs behind those
vif+ interfaces do not appear on other interfaces (specifically eth0, but
also physical ones).

Normally it wouldn't be an issue because of rp_filter (doing the same
based on route table), default DROP in FORWARD chain and also conntrack
(the need to guess exact port numbers and sequence numbers). But it
appears all three mechanisms are ineffective in some cases:
 - rp_filter in many distributions (including Fedora and Debian) was
 switched to Loose Mode, which doesn't verify exact interface
 - there is a rule in FORWARD table allowing established connections and
 conntrack does not keep track of input/output interfaces
 - CVE-2019-14899 allows to guess all the data needed to inject packets

Reported-by: Demi M. Obenour <demiobenour@gmail.com>
2020-11-10 15:47:25 -05:00
Marek Marczykowski-Górecki
68b61c2c6d
network: setup anti-spoofing firewall rules before enabling the interface
Previously enabling the interface was the first action in the setup
steps. Linux theoretically does not forward the traffic until proper
IP address and route is added to the interface (depending on rp_filter
setting). But instead of relying on this opaque behavior better setup
anti-spoofing rules earlier. Also, add 'set -o pipefail' for more
reliable error handling.
Note the rules for actual VM traffic (qvm-firewall) are properly
enforced - until those rules are loaded, traffic from appropriate vif
interface is blocked. But this relies on proper source IP address,
anti-spoofing rules need to be setup race-free.

Reported-by: Demi M. Obenour <demiobenour@gmail.com>
2020-11-10 15:46:22 -05:00
Marek Marczykowski-Górecki
05a213a7e3
Relax private.img condition for mkfs even further
Check just 10 MiB of the private volume + blkid before considering it
empty and calling mkfs. Avoid reading 1GB of data at the VM boot -
which should speed up startup even further, especially for fresh
DispVMs.

QubesOS/qubes-issues#3758
2020-11-06 16:00:31 +01:00
Marek Marczykowski-Górecki
2d7a10add7
Drop systemd re-exec during boot
We don't have systemd in dom0-provided initrd anymore, so this
workaround is not needed now.

Fixes QubesOS/qubes-issues#5992
2020-11-03 05:20:15 +01:00
Marek Marczykowski-Górecki
7f15690e43
Add a service to enable swap early - before fsck of the root filesystem
fsck may require significant amount of RAM, enable swap earlier to avoid
out of memory condition. Implement this as a separate service unit, not
a swap unit, because the latter requires udev running (implicit
dependency on dev-xvdc1.device) which is not the case before remounting
root filesystem read-write.

QubesOS/qubes-issues#6174
2020-11-03 05:18:57 +01:00
Marek Marczykowski-Górecki
aa50b2fedc
grub: override GRUB_DEVICE with /dev/mapper/dmroot
Grub scripts are very persistent in trying to use what is currently
mounted as /. Even if currently (TemplateVM) /dev/xvda3 is mounted
directly, all the configuration should use /dev/mapper/dmroot, to work
also in AppVM.
GRUB_DEVICE is used in various places as root device (including
constructing root= parameter in some versions). Force it to
/dev/mapper/dmroot

QubesOS/qubes-issues#6174
2020-11-02 04:33:56 +01:00
Marek Marczykowski-Górecki
75ffdf6a53
version 4.1.18 2020-10-31 05:39:07 +01:00
Frédéric Pierret (fepitre)
c16fb05d2d
dnf-plugin: restrict to only version provided by platform-python
Fix multiple indentations
2020-10-30 10:46:56 +01:00
Marek Marczykowski-Górecki
0fd872f717
Merge remote-tracking branch 'origin/pr/254'
* origin/pr/254:
  archlinux: improve pacman proxy implementation
2020-10-29 04:19:02 +01:00
ejose19
e09675c2b9
archlinux: improve pacman proxy implementation 2020-10-29 00:11:06 -03:00
Marek Marczykowski-Górecki
6262580660
Merge remote-tracking branch 'origin/pr/255'
* origin/pr/255:
  Overwrite .rpmdb for debian updatevm

Fixes QubesOS/qubes-issues#6124
Fixes QubesOS/qubes-issues#5282
2020-10-29 01:37:23 +01:00
icequbes1
adf6568670
Overwrite .rpmdb for debian updatevm
Resolves issue where the dom0 rpm database does not get used on
successive calls to qubes-dom0-update for debian updatevms.

Also resolves "cannot remove .rpmdbold.####" occurrences.

qubesos/qubes-issues#6124
2020-10-28 06:21:20 -07:00
Frédéric Pierret (fepitre)
bab3ccb617
archlinux: disable check on unassigned pkgdir var 2020-10-21 08:37:53 +02:00
Frédéric Pierret (fepitre)
e38ec9743f
archlinux: remove unneeded 'rm -rf' after rework of makefiles 2020-10-21 07:35:18 +02:00