Commit Graph

2231 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
53c9b45c76
qubes-firewall: handle only traffic originating from VMs
Ignore packets coming from non-vif interfaces early.

Fixes QubesOS/qubes-issues#3644
2018-04-03 02:23:16 +02:00
Marek Marczykowski-Górecki
c281d6454f
network: do not assume IPv6 gateway is a link-local address
If IPv6 gateway address provided by dom0 isn't a link local address, add
a /128 route to it. Also, add this address on backend interfaces (vif*).

This is to allow proper ICMP host unreachable packets forwarding - if
gateway (address on vif* interface) has only fe80: address, it will be
used as a source for ICMP reply. It will be properly delivered to the VM
directly connected there (for example from sys-net to sys-firewall), but
because of being link-local address, it will not be forwarded any
further.
This results in timeouts if host doesn't have IPv6 connectivity.
2018-04-02 23:19:31 +02:00
Marek Marczykowski-Górecki
c525d6213c
qubes-session-autostart: do not wait for applications exit
Since fixing QubesOS/qubes-issues#3213, launch function correctly waits
for some applications exit. This is undesirable for
qubes-session-autostart service, which should just start the
applications and exit.
2018-04-02 23:19:03 +02:00
Marek Marczykowski-Górecki
646c9f1aae
Load only test_* files when looking for tests (python) 2018-04-02 23:19:02 +02:00
Marek Marczykowski-Górecki
321cd06591
Fix waiting for application exit in qubesagent.xdg.launch
This is especially important for qubes-desktop-run used inside DispVM.
The DesktopAppInfo.launch() method returns after just launching the
application. In DispVM case it worked by a coincidence - because the
launched application was keeping stdin/out open, which also prevented
DispVM killing. Use DesktopAppInfo.launch_uris_as_manager which at least
allows to learn PIDs of spawned processes, to track them manually.

This still doesn't fix gnome-terminal issue, or any other application
using either DBus activation, or any other client-server model. But at
least fix basic apps like firefox and xterm.

Fixes QubesOS/qubes-issues#3213
2018-04-02 23:19:02 +02:00
Marek Marczykowski-Górecki
15c740d95e
Fix shell calls in Makefile 2018-04-02 23:19:01 +02:00
Marek Marczykowski-Górecki
4a7c668549
Move 'qubesxdg' into qubesagent python package
Since we have proper python package, use it instead of hacky one-file
package. This will ease installation and packaging, including switching
to python3.
2018-04-02 23:19:01 +02:00
Frédéric Pierret
e5cf780dbd
Remove _builddir 2018-04-01 11:37:23 +02:00
Frédéric Pierret
1c24968318
Create .spec.in and Source0 2018-04-01 11:35:33 +02:00
Marek Marczykowski-Górecki
0ef6297bfc
qrexec: fix arguments handling
Don't parse options for local command as qrexec-client-vm's own options.

Fixes QubesOS/qubes-issues#3762
2018-03-30 22:54:38 +02:00
Davíð Steinn Geirsson
d6d8d25345
Add misc/qubes-run-terminal to launch any available terminal emulator 2018-03-28 13:23:35 +00:00
Marek Marczykowski-Górecki
2301da6e6f
Merge remote-tracking branch 'qubesos/pr/102'
* qubesos/pr/102:
  qrexec-fork-server: Always initialize addrlen argument of accept()
2018-03-20 01:17:08 +01:00
Marek Marczykowski-Górecki
df1046362e
Merge remote-tracking branch 'qubesos/pr/103'
* qubesos/pr/103:
  Add missing services in Ubuntu templates.
2018-03-20 01:16:07 +01:00
Marek Marczykowski-Górecki
f8c40aa0f7
Merge branch 'configurable-ring-size'
* configurable-ring-size:
  qrexec: add qrexec-client-vm --buffer-size option
2018-03-20 01:15:29 +01:00
unman
aa95ccc48f
Add missing services in Ubuntu templates. 2018-03-19 17:32:10 +00:00
Simon Gaiser
f4c402e7c7
qrexec-fork-server: Always initialize addrlen argument of accept()
With the old code the addrlen argument was uninitialized on the first
call resulting in errors depending on the compiler behavior.
2018-03-15 20:45:12 +01:00
Marek Marczykowski-Górecki
4a09023451
qrexec: add qrexec-client-vm --buffer-size option
Add an option for custom vchan buffer size, to override default 64k (for
each direction). This is especially useful when the other side of
connection is MirageOS based, because of limited memory and default
grant table size (128 entries).
2018-03-14 01:45:14 +01:00
Marek Marczykowski-Górecki
24c875030e
debian: don't call dconf if it isn't installed
The dconf package isn't required by qubes-core-agent - the package ships
a configuration for it, useful if the user has it installed for other
reasons. Don't try to rebuild dconf database if dconf isn't installed -
avoid misleading error message.

Fixes QubesOS/qubes-issues#3492
2018-03-13 17:10:40 +01:00
Marek Marczykowski-Górecki
0186d1c8c4
version 4.0.24 2018-02-27 15:17:51 +01:00
awokd
a0871a9e35
reinstal -> reinstall
unless it's getting truncated somewhere along the way
2018-02-27 10:17:40 +00:00
Marek Marczykowski-Górecki
1781568d08
Speed up initial /rw setup
On first VM's boot, setup-rwdev.sh script creates filesystem on
/dev/xvdb. But it does so only after checking if /dev/xvdb is really
empty, by comparing it to /dev/zero. Speed up reads from /dev/zero by
using larger blocks (default of head - 8k, instead of explicit 512).
This speeds up the check over 5 times.
2018-02-27 05:12:44 +01:00
Marek Marczykowski-Górecki
ddbd24a815
Merge remote-tracking branch 'qubesos/pr/97'
* qubesos/pr/97:
  centos: fix conflict with dconf
2018-02-22 21:32:49 +01:00
Marek Marczykowski-Górecki
c07530dead
Merge remote-tracking branch 'qubesos/pr/96'
* qubesos/pr/96:
  Really enable qubes-sync-time.timer
2018-02-22 21:29:44 +01:00
Marek Marczykowski-Górecki
8750bf6338
Merge remote-tracking branch 'qubesos/pr/94'
* qubesos/pr/94:
  Drop fakeroot for list/search actions on Debian
  dom0-update: add some approximation of 'list', 'search' and 'reinstall'
  dom0-updates: refactor for ease adding new actions with old yum
2018-02-22 21:29:31 +01:00
Marek Marczykowski-Górecki
eacd069bf4
Merge remote-tracking branch 'qubesos/pr/93'
* qubesos/pr/93:
  Call qubes.PostInstall service to notify dom0 about all apps/features
  Drop Fedora < 22 support
2018-02-22 21:28:32 +01:00
Marek Marczykowski-Górecki
bcd0e4935a
version 4.0.23 2018-02-22 12:43:55 +01:00
Marek Marczykowski-Górecki
f0b057479e
qrexec: launch services in login shell
Previously the script was called through shell as:
    execl(shell, "-sh", "-c", "/usr/lib/qubes/qubes-rpc-multiplexer
            ...", 0);
This tells the shell to load login scripts, including /etc/profile.
Since 5512e4eada this is no longer the
case and the script is called directly. Since most services do expect
proper user session initialized (/etc/profile loaded etc), adjust the
script's shebang to behave like a login shell and load those startup
scripts.

Fixes QubesOS/qubes-issues#3615
2018-02-22 00:49:46 +01:00
Frédéric Pierret
39cb5888f8
centos: fix conflict with dconf 2018-02-21 19:12:57 +01:00
Marek Marczykowski-Górecki
d7957e8baa
version 4.0.22 2018-02-20 01:04:55 +01:00
Marek Marczykowski-Górecki
e02d5f1725
rpm: adjust dependencies 2018-02-20 00:27:33 +01:00
Marek Marczykowski-Górecki
878bb98a82
qrexec: translate keywords in target specification on the client side 2018-02-19 02:08:45 +01:00
Marek Marczykowski-Górecki
5512e4eada
qrexec: use exec_qubes_rpc_if_requested() from qubes-utils
This avoids duplicating service call parsing in multiple places.
Further improvements to that code (like avoid using shell) can be
implemented in one place.
2018-02-16 04:25:56 +01:00
Rusty Bird
4247d4f699
Really enable qubes-sync-time.timer
'systemctl enable' (and thus the preset) needs an [Install] section.
2018-02-14 13:52:17 +00:00
Marek Marczykowski-Górecki
68304ef9f5
Merge remote-tracking branch 'qubesos/pr/95'
* qubesos/pr/95:
  Add /etc/qubes path
  Add qubes-firewall.d feature
2018-02-14 13:57:02 +01:00
Christopher Laprise
10aee73bd7
Add /etc/qubes path 2018-02-13 23:39:28 -05:00
Marek Marczykowski-Górecki
76f5253341
Drop fakeroot for list/search actions on Debian
It isn't needed for informative actions and apparently fakeroot causes
problems on Whonix.

Suggested by @awokd
QubesOS/qubes-issues#3553
2018-02-14 03:12:05 +01:00
Marek Marczykowski-Górecki
c567222b6f
dom0-update: add some approximation of 'list', 'search' and 'reinstall'
... on systems lacking yum --downloadonly

Fixes QubesOS/qubes-issues#3553
2018-02-14 03:12:05 +01:00
Marek Marczykowski-Górecki
96aa933024
Wait for user session as X session owner
... instead of requested user. This makes sure that session startup
script will be able to send a signal here to notify about session
startup.

This is especially needed when the first service started in the VM is
called as root (like qubes.InstallUpdatesGUI).

Fixes QubesOS/qubes-issues#3526
2018-02-14 02:19:15 +01:00
Christopher Laprise
a262574f85
Add qubes-firewall.d feature 2018-02-13 17:38:14 -05:00
Marek Marczykowski-Górecki
3ddd687286
Call qubes.PostInstall service to notify dom0 about all apps/features
Update dom0 about all applications installed, not only desktop files for
them. Update also supported features and other things advertised
initially at template installation.

Fixes QubesOS/qubes-issues#3579
2018-02-13 17:05:42 +01:00
Marek Marczykowski-Górecki
f38e204aa7
Drop Fedora < 22 support
yum actions no longer relevant
2018-02-13 17:04:59 +01:00
Marek Marczykowski-Górecki
4a27d9e3fd
version 4.0.21 2018-02-13 04:56:43 +01:00
Marek Marczykowski-Górecki
06f0d865b4
Merge remote-tracking branch 'qubesos/pr/87'
* qubesos/pr/87:
  tests: check if qubes-firewall-user-script is called
  qubes-firewall: call firewall-user-script at service startup
2018-02-13 04:45:28 +01:00
Marek Marczykowski-Górecki
4914eb1437
Merge remote-tracking branch 'qubesos/pr/90'
* qubesos/pr/90:
  Stop Debian templates from forwarding by default.
2018-02-13 04:45:04 +01:00
Marek Marczykowski-Górecki
15301d3922
Merge remote-tracking branch 'qubesos/pr/91'
* qubesos/pr/91:
  bind-dirs.sh: don't fail on empty configuration directory
2018-02-13 04:42:34 +01:00
Marek Marczykowski-Górecki
65be69db5a
Merge remote-tracking branch 'qubesos/pr/92'
* qubesos/pr/92:
  network: reload DNS only on "up" event from NetworkManager
2018-02-13 04:40:53 +01:00
Marek Marczykowski-Górecki
c142e20baa
Do not sync VM time with clockvm if it's set to network time sync
When VM is set to synchronize the time with the network, do not sync its
time with clockvm.
Besides not making sense, in default configuration it will lead to
loopback qrexec connection (sys-net -> sys-net), which will hang.

QubesOS/qubes-issues#3333
2018-02-13 04:23:08 +01:00
Marek Marczykowski-Górecki
e497858768
Fix systemd-timesyncd.service startup
Add After=qubes-sysinit.service to avoid startup condition being
evaluated before initializing qubes-service directory.

Fixes QubesOS/qubes-issues#3333
2018-02-13 02:14:08 +01:00
Marek Marczykowski-Górecki
0b7f1fa905
dom0-updates: refactor for ease adding new actions with old yum
Some more actions could be implemented even without --downloadonly
option. Ease doing so.

QubesOS/qubes-issues#3553
2018-02-11 13:54:34 +01:00
Marek Marczykowski-Górecki
0639a4b932
network: reload DNS only on "up" event from NetworkManager
NetworkManager reports a bunch of events, reloading DNS at each of them
doesn't make sense and is harmful - systemd has a ratelimit on service
restart.

Fixes QubesOS/qubes-issues#3135
2018-02-10 22:12:44 +01:00