Commit Graph

2752 Commits

Author SHA1 Message Date
3hhh
50e448e23a
firewall: put DNS resolving into its own function 2021-05-18 17:17:28 +02:00
3hhh
795bec8038
firewall: start watches before initial load
This should avoid a race condition where we miss an update to QubesDB
that happens right after the initial load, but before the watch start.

Instead, we might now install the same stuff twice - but that's no
problem.
2021-05-16 08:29:50 +02:00
3hhh
adfe982bfd
tests/firewall: added test for /dns/[ip]/[domain] info 2021-05-16 08:09:19 +02:00
3hhh
3230f471b0
tests/firewall: some code refactoring 2021-05-16 08:07:50 +02:00
3hhh
0993115bdc
add some checks for QubesDB /qubes-firewall_handled/[ip] 2021-05-16 07:32:10 +02:00
3hhh
3067e469d3
firewall: adjust tests to the new tuple returned by prepare_rules() 2021-05-15 22:13:01 +02:00
3hhh
78de37da92
firewall: mark an IP as handled in /qubes-firewall_handled/[ip] after
each handling iteration

Actually a counter is increased after each handling iteration.
This is useful for user applications to remain up to date with the
changes implemented by the Qubes firewall.
2021-05-15 12:35:50 +02:00
3hhh
dda500b837
mock qubesdb.rm() 2021-05-15 12:33:24 +02:00
3hhh
196014831b
firewall: refactor to remove side effects from prepare_rules() 2021-05-15 10:19:18 +02:00
3hhh
2a5af195f1
Export DNS information obtained during firewall setup to QubesDB
This can e.g. allow DNS applications to pin a FQDN to the IP
used during Qubes OS firewall setup.

Can help with QubesOS/qubes-issues#5225 and other related issues.
2021-05-14 12:55:10 +02:00
Neowutran
b1d8302b2b
fix #6346: quit loop only when the original process is terminated 2021-04-29 19:23:10 +02:00
Marek Marczykowski-Górecki
6b959262f8
version 4.1.25 2021-03-30 21:36:07 +02:00
Marek Marczykowski-Górecki
8306013cbf
network: enable MAC randomization for wifi connections by default
We do have NetworkManager new enough to handle this feature already.
Enable both scan MAC address randomization, and also connection mac
address randomization. The later do in a "stable" way - preserving the
same MAC _for a connection_, until reboot. This is a safe tradeoff
between full random, which breaks some captive portals. The stable MAC
is generated separate for each connection, so it also prevents
correlation of the same machine between different networks.

Do not enable it for wired connections, as those are less often used at
random untrusted localizations, but also more often it's desired to
get the same IP address each time (having random MAC would make it much
harder).

QubesOS/qubes-issues#938
2021-03-27 18:10:05 +01:00
Markus Fenske
78c37a7536
Fix typo in qvm_copy_nautilus.py 2021-03-14 15:14:37 +01:00
Marek Marczykowski-Górecki
3299112227
version 4.1.24 2021-02-13 14:53:18 +01:00
Marek Marczykowski-Górecki
dfcf870f5d
Merge branch 'fixes20210209' 2021-02-13 12:30:31 +01:00
Marek Marczykowski-Górecki
40fe209ea8
Merge remote-tracking branch 'origin/pr/294'
* origin/pr/294:
  remove trailing whitespaces; remove dest_vm argument
  keep qvm-copy-to-vm but with deprecated note
  addresses https://github.com/QubesOS/qubes-issues/issues/6374
2021-02-13 12:30:03 +01:00
Marek Marczykowski-Górecki
30f6c496bc
Remove haveged service override
It was needed for Debian stretch only.
2021-02-10 22:31:10 +01:00
Marek Marczykowski-Górecki
0e04298dfc
Start xfce4-notifyd when installed
It doesn't support bus-activation as the others notification daemons.
2021-02-09 20:24:51 +01:00
Chris P
0a40fd1939
remove trailing whitespaces; remove dest_vm argument 2021-02-04 12:47:09 +01:00
Marek Marczykowski-Górecki
a37427af5d
version 4.1.23 2021-02-02 16:26:09 +01:00
Marek Marczykowski-Górecki
dd57250747
Merge remote-tracking branch 'origin/pr/292'
* origin/pr/292:
  Avoid passing dom0-provided options to ‘dnf clean’
2021-02-02 04:30:15 +01:00
ravachol
ddbfcac7e2
keep qvm-copy-to-vm but with deprecated note 2021-01-30 17:41:14 +01:00
Christian Poeschl
84569bcdc5
addresses https://github.com/QubesOS/qubes-issues/issues/6374 2021-01-30 17:32:55 +01:00
Demi Marie Obenour
919dc49000
Avoid passing dom0-provided options to ‘dnf clean’
They are useless and can cause errors.
2021-01-28 16:36:33 -05:00
Marek Marczykowski-Górecki
936dacff65
Merge remote-tracking branch 'origin/pr/291'
* origin/pr/291:
  Install grub.qubes on Arch
2021-01-27 06:06:57 +01:00
Frédéric Pierret (fepitre)
bf7d580622
package-managers: improve DIST detection 2021-01-25 21:48:51 +01:00
Demi Marie Obenour
84101a426b
Merge commit '9801dd7d1625a5e4e4b7049a9571a0309a4406dd' into install-grub-arch 2021-01-13 13:49:04 -05:00
Demi Marie Obenour
d5ab91f54a
Install grub.qubes on Arch
This is necessary for in-VM kernels to work.
2021-01-12 19:36:18 -05:00
Demi Marie Obenour
9801dd7d16
Merge commit '1aa3893f440ce3c30f13ec1165090acbb23af7ad' 2021-01-11 12:47:54 -05:00
Demi Marie Obenour
188ea74993
sudo isn’t always built with SELinux support
Red Hat- and Debian- derived distributions support SELinux, and so their
sudo packages are built with SELinux support.  However, other
distributions (notably Arch) build sudo without SELinux.  Such sudo
builds will fail to parse the `ROLE=unconfined_r TYPE=unconfined_t`
string added in 0fac1aa45c.  They *can*
parse `role=unconfined_r, type=unconfined_t` in `Defaults`, but that
causes problems on some Fedora 33 systems if SELinux is turned off and
the root account is locked.

To solve both of these problems at once, we install a different
`/etc/sudoers.d/qubes` file depending on the distribution.  As a
heuristic, we use the presents of `/etc/redhat-release` or
`/etc/debian_version`.  If either is present, sudo probably supports
SELinux, and we should include the corresponding entries.  If both are
missing, then we shouldn’t risk it.  The `qubes.sudoers` file in the git
repository includes the full file (with SELinux); we use `sed` to strip
the SELinux portion when needed.
2021-01-11 04:23:38 -05:00
Marek Marczykowski-Górecki
1aa3893f44
version 4.1.22 2021-01-10 03:14:13 +01:00
Marek Marczykowski-Górecki
165551fe36
Merge remote-tracking branch 'origin/pr/287'
* origin/pr/287:
  qubes-early-vm-config.service: Wants=network-pre.target
2021-01-10 03:13:47 +01:00
Marek Marczykowski-Górecki
a28a381469
rpm: order -systemd post script after -networking
qubes-core-agent-networking package brings in new systemd units, which
needs to be enabled. Standard %systemd_post macro handles it only on
initial installation, but not on update. The function that handle
updates is in %post of qubes-core-agent-systemd package. To avoid
duplication, simply enforce proper installation order, instead of
modifying %post of qubes-core-agent-networking package.

OrderWithRequires influences only ordering, but does not introduce
actual dependency, so it's still possible to not install
qubes-core-agent-networking package.

Fixes 0e0c229 "rpm: enable qubes-network-uplink.service on install"
2021-01-09 05:18:14 +01:00
Rusty Bird
882c1ec6b5
qubes-early-vm-config.service: Wants=network-pre.target
The unit on the Before= side of network-pre.target also has to pull it
in as a dependency:

https://www.freedesktop.org/software/systemd/man/systemd.special.html#network-pre.target

Fixes QubesOS/qubes-issues#5570
2021-01-08 10:24:39 +00:00
Marek Marczykowski-Górecki
ab9627caf0
version 4.1.21 2021-01-08 05:40:50 +01:00
Marek Marczykowski-Górecki
0fac1aa45c
Fix sudo SELinux settings
By settinf Defaults role/type parameters, sudo starts asking for
password when called as root. It isn't clear why this happens, but
rollback that change. Instead, set ROLE/TYPE just for the rule for the
'qubes' group, which already has NOPASSWD option.

Fixes 3bcc1c3 "“sudo” must remove SELinux restrictions"
2021-01-08 05:21:19 +01:00
Marek Marczykowski-Górecki
4dfd0a4278
version 4.1.20 2021-01-05 20:51:04 +01:00
Olivier MEDOC
17d828dcea
archlinux: pin PKGBUILD to python3.X major version as new python version will break the API
(cherry picked from commit 1fae41332219ba22d3e0bc2bfc73abea10f5bb97)
2021-01-05 20:50:49 +01:00
Marek Marczykowski-Górecki
0e0c22910b
rpm: enable qubes-network-uplink.service on install 2021-01-04 20:25:54 +01:00
Marek Marczykowski-Górecki
244fca8f66
network: skip calling setup-ip from network-manager-prepare-conf-dir
The setup-ip script requires extra parameters (action and interface) not
only env variables. Since NetworkManager service is already ordered
after qubes-network-uplink.service, the setup-ip already did its job at
this time - remove the call instead of fixing it.
2021-01-03 22:36:08 +01:00
Marek Marczykowski-Górecki
932727b3df
version 4.1.19 2021-01-03 06:38:51 +01:00
Marek Marczykowski-Górecki
e71edb8584
Merge branch 'network-wait-fix'
* network-wait-fix:
  Increase upgrades-status-notify verbosity
  network: fix waiting for VM network uplink
2021-01-03 06:11:48 +01:00
Marek Marczykowski-Górecki
e1ebbf2893
archlinux: checkupdates output is not checked anymore, ignore it 2021-01-03 05:28:38 +01:00
Marek Marczykowski-Górecki
f95f08e15f
Merge remote-tracking branch 'origin/pr/267'
* origin/pr/267:
  fix for ArchLinux: notify dom0 about installed updates The launch of the qubes-update-check service failed on ArchLinux, because the qubes-rpc uses the `service` command which isn't available for this OS.
  fix archlinux detection of available upgrades note: checkupdates return 2 when no updates are available (source: man page and source code)
  upgrades-installed-check requires pacman-contrib for checkupdates
2021-01-03 05:25:57 +01:00
Marek Marczykowski-Górecki
d28ada95ec
Merge remote-tracking branch 'origin/pr/269'
* origin/pr/269:
  Avoid spawning a Zenity progress meter
  Harden shell scripts against metacharacters
2021-01-03 05:23:48 +01:00
Marek Marczykowski-Górecki
c2f4e026a5
Merge remote-tracking branch 'origin/pr/272'
* origin/pr/272:
  Allow SELinux to stay enabled
2021-01-03 05:21:53 +01:00
Marek Marczykowski-Górecki
ce9f6b2fa7
Increase upgrades-status-notify verbosity
Print errors on stderr. yum_output variable isn't used anywhere, so
not capturing stderr wont be a problem either.
2021-01-03 04:55:10 +01:00
Marek Marczykowski-Górecki
90ae037a3a
Merge remote-tracking branch 'origin/pr/280'
* origin/pr/280:
  Ignore more options of qubes-dom0-update
2021-01-03 04:24:19 +01:00
Marek Marczykowski-Górecki
e8f2f64270
Merge remote-tracking branch 'origin/pr/281'
* origin/pr/281:
  Avoid deprecated /var/run directory
2021-01-03 04:23:54 +01:00