Commit Graph

2017 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
a59ac1b4f9
qubes.ResizeDisk: handle dmroot being a symlink
In non-template-based-VMs it can be just a symlink (depending on
initramfs version).
2017-10-02 19:42:00 +02:00
Marek Marczykowski-Górecki
6bf395022a
qrexec: use user shell instead of hardcoded /bin/sh
Fixes QubesOS/qubes-issues#3139
2017-10-02 05:14:50 +02:00
Marek Marczykowski-Górecki
1497b3b05b
qrexec: code style fix - use spaces for indentation
2017-10-02 05:14:49 +02:00
Marek Marczykowski-Górecki
486f17ec2d
Add convenient wrappers for qvm-copy-to-vm and qvm-move-to-vm
Default `ask` policy ignores target domain specified by the caller, so it
doesn't make sense to specify one. Provide convenient wrappers not
needing one. Do not change behaviour of existing tools for compatibility
reasons.

Fixes QubesOS/qubes-issues#3141
2017-10-02 05:14:49 +02:00
Marek Marczykowski-Górecki
9c61ea0dcd
travis: add shellcheck call for all scripts in the repository
Scripts are detected by shebang, not an ideal approach, but should be
good enough.
2017-09-30 05:05:34 +02:00
Marek Marczykowski-Górecki
aad6fa6d19
Hint shellcheck where to look for sourced files, if in repository
This will ease running shellcheck from the repository.
2017-09-30 05:05:34 +02:00
Marek Marczykowski-Górecki
b42c1880b0
Few more shellcheck warnings fixes/ignores
2017-09-30 05:05:34 +02:00
Marek Marczykowski-Górecki
2ee73ecfe7
Fix shellcheck warnings in download-dom0-updates.sh
2017-09-30 05:05:33 +02:00
Marek Marczykowski-Górecki
e95b6f8d03
Fix shellcheck warnings in block-snapshot script
2017-09-30 05:05:33 +02:00
Marek Marczykowski-Górecki
f16753c67b
debian: fix shellcheck warnings in debian packaging
2017-09-30 05:05:33 +02:00
Marek Marczykowski-Górecki
8bb152f76e
init: fix issues found by shellcheck in init scripts
Most of them are missing quotes, `` -> $(), and -o/-a usage in
conditions. Also add few directives disabling checks where they were too
verbose.
2017-09-30 04:49:21 +02:00
Marek Marczykowski-Górecki
9c839d789f
qubes-rpc: fix issues found by shellcheck
Most of them are missing quotes, `` -> $(), and -o/-a usage in
conditions. Also add few directives disabling checks where they were too
verbose.
2017-09-30 04:45:31 +02:00
Marek Marczykowski-Górecki
bb220ce2eb
network: fix issues found by shellcheck
2017-09-30 04:43:04 +02:00
Marek Marczykowski-Górecki
d332a43f6a
centos: add package signing key, setup repository
2017-09-30 02:06:53 +02:00
Marek Marczykowski-Górecki
a7ef5726ed
version 4.0.9
2017-09-26 23:09:45 +02:00
Marek Marczykowski-Górecki
bdd6f95603
Merge branch 'start-app-kde'
* start-app-kde:
  Look for applications also in subdirectories of .../applications
2017-09-26 23:00:13 +02:00
Marek Marczykowski-Górecki
28b132c455
travis: add fc26 build
2017-09-26 22:59:19 +02:00
Frédéric Pierret
cb2448f1ab
dnf-qubes-hooks: handle newer DNF >= 2.x
2017-09-24 12:33:30 +02:00
Marek Marczykowski-Górecki
ac97a3ca87
Look for applications also in subdirectories of .../applications
This is especially needed for KDE applications, which live in
/usr/share/applications/kde4.

Fixes QubesOS/qubes-issues#3092
2017-09-16 12:25:39 +02:00
Marek Marczykowski-Górecki
abb6d23470
version 4.0.8
2017-09-15 13:44:17 +02:00
Marek Marczykowski-Górecki
6139ed59a3
(redo) updates-proxy: explicitly block connection looping back to the proxy IP
Explicitly block something like "curl http://127.0.0.1:8082" and
return error page in this case. This error page is used in Whonix to
detect if the proxy is torified. If not blocked, it may happen that
empty response is returned instead of error. See linked ticket for
details.

This was previously done for 10.137.255.254, but since migration to
qrexec-based connection, 127.0.0.1 is used instead.

Fixes QubesOS/qubes-issues#1482
2017-09-15 05:00:05 +02:00
Marek Marczykowski-Górecki
eec37d38d6
Merge remote-tracking branch 'qubesos/pr/53'
* qubesos/pr/53:
  Handle fallthrough with attribute(noreturn) for consistency and compatibility with older GCC
  Add CENTOS/RHEL support (drop fedora-release dependency as template builder will install it anyway and here it only makes it harder to support non-fedora builds)
2017-09-11 02:18:29 +02:00
Frederic Pierret (Epitre)
11f86ca4e4
Handle fallthrough with attribute(noreturn) for consistency and compatibility with older GCC
2017-09-07 16:38:35 +02:00
Frederic Pierret (Epitre)
08bfc8bbac
Add CENTOS/RHEL support (drop fedora-release dependency as template builder will install it anyway and here it only makes it harder to support non-fedora builds)
2017-09-07 16:38:13 +02:00
Marek Marczykowski-Górecki
49b70f037c
dom0-updates: do not modify yum.conf
Few reasons for this:
1. new templates use dnf to download packages, so yum.conf is unused
2. dom0 in Qubes 4.0 doesn't have this file at all (so sed fails here)
3. $OPTS already contains --setopt=reposdir=...

Fixes QubesOS/qubes-issues#2945
2017-09-03 15:35:58 +02:00
Marek Marczykowski-Górecki
0fabc54aad
version 4.0.7
2017-08-11 13:33:36 +02:00
Marek Marczykowski-Górecki
c5fae6ac55
qubes-rpc: add 'wait-for-session=1' option for some services
Configure selected services to wait until GUI session is available.

QubesOS/qubes-issues#2974
2017-08-09 00:58:49 +02:00
Marek Marczykowski-Górecki
5ecd51dab7
document /etc/qubes/rpc-config
QubesOS/qubes-issues#2974
2017-08-09 00:58:48 +02:00
Marek Marczykowski-Górecki
c8140375fa
qrexec: add configurable waiting for session before starting service
Some services require GUI access. Make qrexec-agent handle this, based
on per-service configuration, instead of forcing every caller to call
qubes.WaitForSession service first. This is especially important for
Disposable VMs, because those are destroyed after a single service call.

This needs to be done in qrexec-agent (instead of service script, or
qubes-rpc-multiplexer), because agent will behave differently depending
on GUI session being available or not. Namely, will use
qrexec-fork-server (so the process will be a child of session leader),
or will open new session.

Service configuration lives in /etc/qubes/rpc-config/SERVICE_NAME, and
can contain 'key=value' entries (no space around '=' allowed). Currently
the only setting supported is 'wait-for-session', with value either '0'
or '1'.

QubesOS/qubes-issues#2974
2017-08-09 00:58:48 +02:00
Marek Marczykowski-Górecki
2a0c670a53
version 4.0.6
2017-07-29 05:31:13 +02:00
Marek Marczykowski-Górecki
45f06a7863
Announce if qubes-firewall service is supported+enabled in this template
Fixes QubesOS/qubes-issues#2003
2017-07-16 11:09:14 +02:00
Marek Marczykowski-Górecki
83aa6a375f
version 4.0.5
2017-07-12 23:40:54 +02:00
Marek Marczykowski-Górecki
b8fed7f754
clock sync: drop untrusted_ prefix after value validation, fix error msg
2017-07-12 21:03:54 +02:00
Marek Marczykowski-Górecki
3e6881f59f
Merge remote-tracking branch 'qubesos/pr/47'
* qubesos/pr/47:
  minor amends to clock synchronization
  clock synchronization rewrite
2017-07-12 10:38:34 +02:00
Marek Marczykowski-Górecki
89cb419d9c
qrexec: start process in a login shell
Prepend "-" to shell name, to instruct it being a login shell. This way
shell will initialize environment, load /etc/profile etc.

Fixes QubesOS/qubes-issues#2903
2017-07-11 23:52:55 +02:00
Marta Marczykowska-Górecka
a9caf2235e
minor amends to clock synchronization
renamed date_out variable to untrusted_date_out
2017-07-11 21:39:01 +02:00
Marek Marczykowski-Górecki
22f74641da
rpm: add services enabling/disabling logic
Since some systemd services are moved to other packages, appropriate
%post/%preun should contain the code to enable/disable them.

Fixes QubesOS/qubes-issues#2894
2017-07-11 20:21:56 +02:00
Marek Marczykowski-Górecki
5179cbc751
qrexec: ship pam configuration for debian
Debian has different base pam config files to include than Fedora.

Fixes QubesOS/qubes-issues#2903
2017-07-11 20:21:46 +02:00
Marta Marczykowska-Górecka
f55412cd1e
clock synchronization rewrite
clock synchronization mechanism rewritten to use systemd-timesync instead of NtpDate; at the moment, requires:
- modifying /etc/qubes-rpc/policy/qubes.GetDate to redirect GetDate to designated clockvm
- enabling clocksync service in clockvm ( qvm-features clockvm-name service/clocksync true )

Works as specified in issue listed below, except for:
- each VM syncs with clockvm after boot and every 6h
- clockvm syncs time with the Internet using systemd-timesync
- dom0 syncs itself with clockvm every 1h (using cron)

fixes QubesOS/qubes-issues#1230
2017-07-06 23:37:26 +02:00
Marek Marczykowski-Górecki
e9e5795519
version 4.0.4
2017-07-05 14:02:22 +02:00
Marek Marczykowski-Górecki
80d41cd10a
Don't use 'su' in qubes.WaitForSession if not needed
2017-07-05 13:14:48 +02:00
Marek Marczykowski-Górecki
626d20b5c2
rpm: do not mess with locales in post-install script
It should be up to the base Fedora packages to setup locales correctly.
Additionally, locale sources may not be installed at all.
2017-07-05 13:02:36 +02:00
Marek Marczykowski-Górecki
24b363db31
grub: add console=tty0 to kernel cmdline
When there is only console=hvc0 (i.e. no output to emulated VGA) and
GRUB_TIMEOUT is set to 0, VM startup hangs. This may be very well some
race condition broken by either of console=tty0 or GRUB_TIMEOUT > 0, but
even in such a case, apply this as a workaround for now.
2017-07-05 12:52:43 +02:00
Marek Marczykowski-Górecki
11e8290d3d
version 4.0.3
2017-07-05 02:37:51 +02:00
Marek Marczykowski-Górecki
3af55c5cb3
qrexec: use PAM directly instead of calling su to setup the session
Instead of calling 'su' to switch the user, use own implementation of
this. Thanks to PAM it's pretty simple. The main reason is to have
control over process waiting for session termination (to call
pam_close_session/pam_end). Especially we don't want it to keep std* fds
open, which would prevent qrexec-agent from receiving EOF when one of
them will be closed.
Also, this will preserve QREXEC_AGENT_PID environment variable.

Fixes QubesOS/qubes-issues#2851
2017-07-05 02:17:43 +02:00
Vincent Penquerc'h
f49042211b
core-agent-linux: misc const fixups
(cherry picked from commit 475421b2e2)
Apparently some of this commit got reverted during cleanup before
Qubes 3.0 release.
2017-07-05 01:18:07 +02:00
Marek Marczykowski-Górecki
68d98179f0
Do not load 'dummy-hcd' kernel module
It isn't really needed. It was used to workaround libusb bug (causing
crash when the system does not have any USB controller), but since we
use HVM now which does have some USB controllers it isn't needed anymore.

Also, it is not available in stock Fedora kernels.
2017-07-05 00:20:57 +02:00
Marek Marczykowski-Górecki
6c34571b66
Merge remote-tracking branch 'qubesos/pr/46'
* qubesos/pr/46:
  Enable build for Zesty
2017-07-04 13:39:06 +02:00
Marek Marczykowski-Górecki
99c5815baf
version 4.0.2
2017-06-24 02:19:15 +02:00
Marek Marczykowski-Górecki
6bddcfcb52
qrexec: do not shutdown stdout socket inherited from parent
When qrexec-client-vm is started with socket on its stdout and no local
process requested, it will try to shutdown(SHUT_WR) this socket when
remote process exists. This is wrong, because this socket may be still
needed by other processes (for example shell from where qrexec-client-vm
was called).
In such a case, simple close() should be used.
2017-06-21 11:21:41 +02:00