Commit Graph

1507 Commits

Author SHA1 Message Date
Jason Mehring
21d89335fe
debian: Update notification now notifies dom0 when an upgrade is completed 2015-04-25 03:44:28 -04:00
Marek Marczykowski-Górecki
32374123cd version 3.0.7 2015-04-25 02:36:55 +02:00
Jason Mehring
4373cda566 Changed location of PROTECTED_FILE_LIST to /etc/qubes/protected-files.d 2015-04-25 02:36:43 +02:00
Jason Mehring
56b0685aaa whonix: Added protected-files file used to prevent scripts from modifying files that need to be protected
A file is created in /var/lib/qubes/protected-files.  Scripts can grep this file before modifying
        known files to be protected and skip any modifications if the file path is within protected-files.

        Usage Example:
            if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then

        Also cleaned up maintainer scripts removing unneeded systemd status functions and streamlined
        the enable/disable systemd unit files functions
2015-04-25 02:36:43 +02:00
Marek Marczykowski-Górecki
0c0cb5f6b2 rpm: cleanup R2->R3.0 transitional package 2015-04-23 02:20:56 +02:00
Marek Marczykowski-Górecki
c49d9283f0 network: wait for iptables lock instead of aborting
vif-route-qubes can be called simultaneously, for example in case of:
 - multiple domains startup
 - HVM startup (two interfaces: one to the target domain, second one to
   stubdom)
If that happens, one of calls can fail because of iptables lock.
2015-04-21 04:41:57 +02:00
Marek Marczykowski-Górecki
f2cf6933b9 prepare-dvm: fix bashism
$(( )) is POSIX syntax for shell arithmetic operations. Especially dash
(default shell in Debian) doesn't support $[ ].
2015-04-15 18:52:42 +02:00
Marek Marczykowski-Górecki
ab38410f5c debian: install qubes-download-dom0-updates.sh 2015-04-14 00:22:35 +02:00
Marek Marczykowski-Górecki
3768426306 version 3.0.6 2015-04-11 03:40:57 +02:00
Marek Marczykowski-Górecki
ff63a0b876 Minor fixes in mount-home.sh
Hide unneeded messages.
2015-04-11 02:51:10 +02:00
Marek Marczykowski-Górecki
65bc22fd1d Fix resizing of /rw partition (private.img)
Offline resize requires to run fsck -f first. Because we support only
growing that image, we can simply use online resize instead.

This finally fixes qubesos/qubes-issues#772
2015-04-11 02:47:16 +02:00
Marek Marczykowski-Górecki
3c8a294221 dispvm: do not start GUI apps during prerun
Apparently it doesn't help much with DispVM startup time, but causes a
lot of problems when such app do not close in time (either can be killed
forcibly and will complain about it at next run, or will spontaneously
show itself when DispVM is started).
2015-04-11 02:43:03 +02:00
Marek Marczykowski-Górecki
285071bd59 systemd: disable avahi-daemon and dnf-makecache
Especially dnf-makecache is senseless as its state will not survive VM
restart, but it takes a lot of CPU time.
2015-04-10 18:23:14 +02:00
Marek Marczykowski-Górecki
5fef29e1a4 rpm/systemd: do not use preset-all during package upgrade
This will probably break some user configuration. Do that only when
installing for the first time (during template build), during upgrade
set only those installed by this package instead of all.
2015-04-10 18:08:28 +02:00
Marek Marczykowski-Górecki
731ee3e09a qrexec: do not reset umask to 077 for every started process
This umask will be inherited by any process started directly by qrexec
(i.e. without help of fork-server).
2015-04-10 18:07:32 +02:00
Marek Marczykowski-Górecki
e8c9f010ad version 3.0.5 2015-04-07 14:58:36 +02:00
Marek Marczykowski-Górecki
12e5300040 systemd: install overridden unit file for chronyd 2015-04-07 02:36:16 +02:00
Marek Marczykowski-Górecki
343ce1814c systemd: use presets to enable services, call preset-all
This way the services will be enabled/disabled regardless of its initial
state.
2015-04-07 02:30:59 +02:00
Marek Marczykowski-Górecki
2951e1ba02 version 3.0.4 2015-04-02 00:55:09 +02:00
Marek Marczykowski-Górecki
6f303a9bf2 Update repository definition: r3 -> r3.0 2015-04-02 00:53:18 +02:00
Marek Marczykowski-Górecki
5c3ab559c6 Merge branch 'master' of git://github.com/woju/qubes-core-agent-linux 2015-03-31 22:25:23 +02:00
Marek Marczykowski-Górecki
d41ae5bc7f debian: update NetworkManager configuration
Especially add unmanaged-devices, otherwise NM will break vif*
configuration.
2015-03-30 22:49:50 +02:00
Marek Marczykowski-Górecki
52d502bce2 debian: fix handling SysV units in disableSystemdUnits
systemctl is-enabled always reports "disabled" for them (actually not a
real "disabled", but and error, but exit code is the same). So simply
always disable the unit, it is no-op for already disabled ones.
BTW systemctl preset also do not work for them.
2015-03-30 21:46:01 +02:00
Marek Marczykowski-Górecki
0f67930d0e rpm: add missing BuildRequires: libX11-devel
misc/close-window.c requires it.
2015-03-30 21:43:16 +02:00
Marek Marczykowski-Górecki
74490b0b94 qrexec: try to recover from fork-server communication error
Simply forget about that connection, instead of waiting for further
messages. If that connection is no longer available, select would return
EBADF, which would cause qrexec-agent termination.
2015-03-29 15:43:21 +02:00
Marek Marczykowski-Górecki
b05fa062be version 3.0.3 2015-03-27 01:24:43 +01:00
Marek Marczykowski-Górecki
905e30ceb9 Enable updates repos by default 2015-03-27 01:24:18 +01:00
Marek Marczykowski-Górecki
add158d8e7 version 3.0.2 2015-03-26 23:56:25 +01:00
Marek Marczykowski-Górecki
d4023791a2 dom0-update: allow to specify custom yum action 2015-03-26 01:00:55 +01:00
Marek Marczykowski-Górecki
a58d0f95f7 Update comments and xenbus intf in startup scripts regarding vchan requirements 2015-03-25 00:20:11 +01:00
Marek Marczykowski-Górecki
7abc2c2779 fedora: override iptables configuration on initial installation
Otherwise Qubes-specific configuration will not be placed at all (in
Fedora 21, which provide some example iptables config).
2015-03-22 03:50:13 +01:00
Wojtek Porczyk
daf4a72f28 sudoers: do not require TTY
This is required to run sudo from qubes-rpc.
2015-03-21 01:49:17 +01:00
Wojtek Porczyk
6c0e567929 qubes-rpc-multiplexer: deprecate /etc/qubes_rpc, allow /usr/local
/usr/local resides in private.img, so it is possible to define per-appvm RPC

Also, with the upcoming 3.0 release support for old (R1) paths is
removed.
2015-03-21 01:48:06 +01:00
Marek Marczykowski-Górecki
04b5bd1b0a Do not load xen-usbfront automatically
We no longer provide this module (it looks to be a dead project).
Instead in newer kernel USBIP can be used.
2015-03-21 00:54:19 +01:00
Marek Marczykowski-Górecki
c33565b001 qrexec: enable compiler optimization
Besides obvious profits, it also enables some additional compiler
warnings.
2015-03-20 12:06:33 +01:00
Marek Marczykowski-Górecki
b718747c09 qrexec: do not wait for local process if no one exists 2015-03-20 12:05:48 +01:00
Marek Marczykowski-Górecki
9fe45aeae5 qrexec: fix compile warning 2015-03-20 03:05:05 +01:00
Marek Marczykowski-Górecki
b0c90d9d6c Provide stub files in /rw/config 2015-03-19 23:40:25 +01:00
Marek Marczykowski-Górecki
34a38c668e Create filesystem if the private.img is empty 2015-03-18 00:33:30 +01:00
Marek Marczykowski-Górecki
58da94acad Add support for comments in qubes-suspend-module-blacklist 2015-03-18 00:30:57 +01:00
Marek Marczykowski-Górecki
9a7b161c37 qrexec: move qrexec-client-vm to /usr/bin 2015-03-17 23:11:47 +01:00
Marek Marczykowski-Górecki
0d7a0e1beb qrexec: get rid of shell in services using EOF for any signaling
Additional running shell could prevent EOF from being detected.
2015-03-17 14:51:10 +01:00
Marek Marczykowski-Górecki
4b451ef680 qrexec: execute RPC service directly (without a shell) if it has executable bit set
This will allow to use some different shell/language for a service (for
example python).
2015-03-17 14:47:29 +01:00
Marek Marczykowski-Górecki
0f75603d6d qrexec: do not leak FDs to logger process
This would prevent qrexec from detecting EOF.
2015-03-17 14:46:53 +01:00
Marek Marczykowski-Górecki
a86d980ff4 qrexec: add option to use real stdin/out of qrexec-client-vm 2015-03-17 14:17:01 +01:00
Marek Marczykowski-Górecki
8f00bdb4a6 qrexec: process vchan data queue (esp MSG_EXIT_CODE) before sending anything
In case of remote process exit even when some messages are still
waiting, vchan connection can be already closed. If we try to send some
data in this case (for example stdout of local process), there will be
an error, which will terminate qrexec-client-vm/qrexec-agent child. So
first check vchan data (where could be MSG_EXIT_CODE queued) , then
local process.

There is still some race condition in this code - remote process could
exit just after we check vchan, but before we send some data. But this
is much less probable and in the worst case we only loose remote process
exit code.
2015-03-17 12:39:30 +01:00
Marek Marczykowski-Górecki
16c27fc409 qrexec: minor readability fix 2015-03-16 21:41:36 +01:00
Marek Marczykowski-Górecki
55e040cbef qrexec: do not break connection on duplicated SIGUSR1
Child process can request to use single socket for both stdin and
stdout by sending SIGUSR1 signal. If it does so twice or more, previous
code broke the connection by closing the socket.
2015-03-16 21:39:34 +01:00
Marek Marczykowski-Górecki
23fc3599e8 qrexec: better handle remote process termination
If remote end terminates without proper protocol finish
(MSG_DATA_EXIT_CODE), terminate also local part instead of waiting
indefinitely.
2015-03-16 21:37:59 +01:00
Marek Marczykowski-Górecki
4eb1d72aee qrexec: return remote process status as qrexec-client-vm exit code
This doesn't cover all the cases, because local process could want to
receive that value (currently it cant), but I can't think of any simple,
*compatible* way to pass it there.
2015-03-16 21:32:34 +01:00