Commit Graph

2724 Commits

Author SHA1 Message Date
Frédéric Pierret (fepitre)
bf7d580622
package-managers: improve DIST detection 2021-01-25 21:48:51 +01:00
Demi Marie Obenour
9801dd7d16
Merge commit '1aa3893f440ce3c30f13ec1165090acbb23af7ad' 2021-01-11 12:47:54 -05:00
Demi Marie Obenour
188ea74993
sudo isn’t always built with SELinux support
Red Hat- and Debian- derived distributions support SELinux, and so their
sudo packages are built with SELinux support.  However, other
distributions (notably Arch) build sudo without SELinux.  Such sudo
builds will fail to parse the `ROLE=unconfined_r TYPE=unconfined_t`
string added in 0fac1aa45c.  They *can*
parse `role=unconfined_r, type=unconfined_t` in `Defaults`, but that
causes problems on some Fedora 33 systems if SELinux is turned off and
the root account is locked.

To solve both of these problems at once, we install a different
`/etc/sudoers.d/qubes` file depending on the distribution.  As a
heuristic, we use the presence of `/etc/redhat-release` or
`/etc/debian_version`.  If either is present, sudo probably supports
SELinux, and we should include the corresponding entries.  If both are
missing, then we shouldn’t risk it.  The `qubes.sudoers` file in the git
repository includes the full file (with SELinux); we use `sed` to strip
the SELinux portion when needed.
2021-01-11 04:23:38 -05:00
Marek Marczykowski-Górecki
1aa3893f44
version 4.1.22 2021-01-10 03:14:13 +01:00
Marek Marczykowski-Górecki
165551fe36
Merge remote-tracking branch 'origin/pr/287'
* origin/pr/287:
  qubes-early-vm-config.service: Wants=network-pre.target
2021-01-10 03:13:47 +01:00
Marek Marczykowski-Górecki
a28a381469
rpm: order -systemd post script after -networking
qubes-core-agent-networking package brings in new systemd units, which
need to be enabled. Standard %systemd_post macro handles it only on
initial installation, but not on update. The function that handles
updates is in %post of qubes-core-agent-systemd package. To avoid
duplication, simply enforce proper installation order, instead of
modifying %post of qubes-core-agent-networking package.

OrderWithRequires influences only ordering, but does not introduce
actual dependency, so it's still possible to not install
qubes-core-agent-networking package.

Fixes 0e0c229 "rpm: enable qubes-network-uplink.service on install"
2021-01-09 05:18:14 +01:00
Rusty Bird
882c1ec6b5
qubes-early-vm-config.service: Wants=network-pre.target
The unit on the Before= side of network-pre.target also has to pull it
in as a dependency:

https://www.freedesktop.org/software/systemd/man/systemd.special.html#network-pre.target

Fixes QubesOS/qubes-issues#5570
2021-01-08 10:24:39 +00:00
Marek Marczykowski-Górecki
ab9627caf0
version 4.1.21 2021-01-08 05:40:50 +01:00
Marek Marczykowski-Górecki
0fac1aa45c
Fix sudo SELinux settings
By setting Defaults role/type parameters, sudo starts asking for
password when called as root. It isn't clear why this happens, but
rollback that change. Instead, set ROLE/TYPE just for the rule for the
'qubes' group, which already has NOPASSWD option.

Fixes 3bcc1c3 "“sudo” must remove SELinux restrictions"
2021-01-08 05:21:19 +01:00
Marek Marczykowski-Górecki
4dfd0a4278
version 4.1.20 2021-01-05 20:51:04 +01:00
Olivier MEDOC
17d828dcea
archlinux: pin PKGBUILD to python3.X major version as new python version will break the API
(cherry picked from commit 1fae41332219ba22d3e0bc2bfc73abea10f5bb97)
2021-01-05 20:50:49 +01:00
Marek Marczykowski-Górecki
0e0c22910b
rpm: enable qubes-network-uplink.service on install 2021-01-04 20:25:54 +01:00
Marek Marczykowski-Górecki
244fca8f66
network: skip calling setup-ip from network-manager-prepare-conf-dir
The setup-ip script requires extra parameters (action and interface) not
only env variables. Since NetworkManager service is already ordered
after qubes-network-uplink.service, the setup-ip already did its job at
this time - remove the call instead of fixing it.
2021-01-03 22:36:08 +01:00
Marek Marczykowski-Górecki
932727b3df
version 4.1.19 2021-01-03 06:38:51 +01:00
Marek Marczykowski-Górecki
e71edb8584
Merge branch 'network-wait-fix'
* network-wait-fix:
  Increase upgrades-status-notify verbosity
  network: fix waiting for VM network uplink
2021-01-03 06:11:48 +01:00
Marek Marczykowski-Górecki
e1ebbf2893
archlinux: checkupdates output is not checked anymore, ignore it 2021-01-03 05:28:38 +01:00
Marek Marczykowski-Górecki
f95f08e15f
Merge remote-tracking branch 'origin/pr/267'
* origin/pr/267:
  fix for ArchLinux: notify dom0 about installed updates The launch of the qubes-update-check service failed on ArchLinux, because the qubes-rpc uses the `service` command which isn't available for this OS.
  fix archlinux detection of available upgrades note: checkupdates return 2 when no updates are available (source: man page and source code)
  upgrades-installed-check requires pacman-contrib for checkupdates
2021-01-03 05:25:57 +01:00
Marek Marczykowski-Górecki
d28ada95ec
Merge remote-tracking branch 'origin/pr/269'
* origin/pr/269:
  Avoid spawning a Zenity progress meter
  Harden shell scripts against metacharacters
2021-01-03 05:23:48 +01:00
Marek Marczykowski-Górecki
c2f4e026a5
Merge remote-tracking branch 'origin/pr/272'
* origin/pr/272:
  Allow SELinux to stay enabled
2021-01-03 05:21:53 +01:00
Marek Marczykowski-Górecki
ce9f6b2fa7
Increase upgrades-status-notify verbosity
Print errors on stderr. yum_output variable isn't used anywhere, so
not capturing stderr won't be a problem either.
2021-01-03 04:55:10 +01:00
Marek Marczykowski-Górecki
90ae037a3a
Merge remote-tracking branch 'origin/pr/280'
* origin/pr/280:
  Ignore more options of qubes-dom0-update
2021-01-03 04:24:19 +01:00
Marek Marczykowski-Górecki
e8f2f64270
Merge remote-tracking branch 'origin/pr/281'
* origin/pr/281:
  Avoid deprecated /var/run directory
2021-01-03 04:23:54 +01:00
Marek Marczykowski-Górecki
79bb5a8658
Merge remote-tracking branch 'origin/pr/283'
Fixes QubesOS/qubes-issues#6290

* origin/pr/283:
  Handle UnicodeError in firewall when resolving hostname
2021-01-03 04:22:09 +01:00
Marek Marczykowski-Górecki
882059d494
Merge remote-tracking branch 'origin/pr/282'
Fixes QubesOS/qubes-issues#6291

* origin/pr/282:
  Fix comments in default qubes-firewall-user-script
2021-01-03 04:20:04 +01:00
Marek Marczykowski-Górecki
ff86bf9fff
archlinux: add missing python-setuptools makedepends 2021-01-03 03:55:34 +01:00
icequbes1
ed33374f67
Handle UnicodeError in firewall when resolving hostname 2021-01-02 15:29:58 -08:00
icequbes1
c25513f930
Fix comments in default qubes-firewall-user-script 2021-01-02 13:11:18 -08:00
Demi Marie Obenour
48b9d5c69b
Avoid deprecated /var/run directory
It causes systemd to emit warnings.
2020-12-28 22:06:40 -05:00
Demi Marie Obenour
3f5bb373fb
Ignore more options of qubes-dom0-update 2020-12-28 22:05:41 -05:00
Marek Marczykowski-Górecki
d602da4ae9
network: fix waiting for VM network uplink
The network-uplink-wait.sh script may be called before xen-netfront
module is even loaded (by udev). In that case, `get_qubes_managed_iface`
will fail to get the interface name and the wait will be skipped.

Fix this by loading xen-netfront module explicitly (do not try to
synchronize with udev, which is tricky not knowing the device
name).
2020-12-28 20:44:24 +01:00
Marek Marczykowski-Górecki
ba4e7f853d
Actually install unit files into /usr/lib/systemd/system
Fixes 57b30d3 "Use /usr/lib instead of /lib"
2020-12-28 19:09:59 +01:00
Marek Marczykowski-Górecki
9943585d93
Merge remote-tracking branch 'origin/pr/279'
* origin/pr/279:
  Use 022 instead of 002 as sudo umask
2020-12-28 16:57:28 +01:00
Marek Marczykowski-Górecki
a9e98cc13c
Merge remote-tracking branch 'origin/pr/278'
* origin/pr/278:
  “sudo” must remove SELinux restrictions
  Only give the “qubes” group full Polkit access
2020-12-28 16:57:15 +01:00
Marek Marczykowski-Górecki
46df6fc32b
Merge remote-tracking branch 'origin/pr/274'
* origin/pr/274:
  Use /usr/lib instead of /lib
2020-12-28 16:48:27 +01:00
Marek Marczykowski-Górecki
cba3f59623
Merge remote-tracking branch 'origin/pr/268'
* origin/pr/268:
  Don’t rely on an arbitrary length limit
  Don’t assume dom0 will never have a network connection
  Add conntrack-tools dependency to qubes-core-agent-networking
  Keep shellcheck from complaining
  Stop disabling checksum offload
  Remove spurious line continuation; add quotes.
  vif-route-qubes: Check that the -e flag is set
  Purge stale connection tracking entries
2020-12-28 16:43:29 +01:00
Demi Marie Obenour
3bcc1c37ce
“sudo” must remove SELinux restrictions
Otherwise, if “user” has the SELinux user “staff_u”, the user will
typically need to write “sudo -r unconfined_r -t unconfined_t”, which is
annoying.  If SELinux is disabled, these fields are ignored.
2020-12-24 15:48:33 -05:00
Demi Marie Obenour
16f48b6298
Only give the “qubes” group full Polkit access
This is consistent with the rest of qubes-core-agent-passwordless-root,
and helps prevent sandbox escapes by daemons with dbus access.
2020-12-24 15:46:08 -05:00
Demi Marie Obenour
951b25e8c5
Use 022 instead of 002 as sudo umask
The comment already mentions 022, which is presumably what was intended.
2020-12-24 15:40:51 -05:00
Demi Marie Obenour
6adad25f51
Avoid spawning a Zenity progress meter
Newer versions of qubes-dom0-update will spawn
qubes-download-dom0-updates.sh in an xterm if GUI mode is enabled.
Therefore, we don’t need to spawn our own progress bar.
2020-12-23 13:23:03 -05:00
Demi Marie Obenour
274df33d4d
Harden shell scripts against metacharacters
`qubes-download-dom0-updates.sh` can now handle spaces in its inputs,
for example.
2020-12-23 13:19:58 -05:00
Demi Marie Obenour
a42b3806b6
Metadata is now signed 2020-12-22 16:08:57 -05:00
Demi Marie Obenour
1ea361bc79
Always pass ‘-y’ to dnf
DNF should never be used unattended without ‘-y’.
2020-12-22 15:53:15 -05:00
Demi Marie Obenour
9bcfc5dc9f
Allow SELinux to stay enabled
Users who have their own SELinux policies should be able to keep QubesOS
from disabling SELinux.
2020-12-17 23:45:28 -05:00
Demi Marie Obenour
e5b56b96c4
Don’t rely on an arbitrary length limit
We can check for overlong domids without hardcoding the length in a
regex.  Just check if the length is longer than that of the max XID.
2020-12-17 23:39:19 -05:00
Demi Marie Obenour
c09909c702
Don’t assume dom0 will never have a network connection
In test setups, this actually happens!
2020-12-17 23:09:16 -05:00
Demi Marie Obenour
bf443ef6e6
Merge commit 'b15ff53bc6dee36cecf28413554fb7c856ae0517' into usr-lib-merge 2020-12-17 17:43:38 -05:00
Demi Marie Obenour
95022f94e9
Merge commit 'b15ff53bc6dee36cecf28413554fb7c856ae0517' into no-tabs-please 2020-12-17 17:42:28 -05:00
Demi Marie Obenour
220adcae9e
Merge commit 'b15ff53bc6dee36cecf28413554fb7c856ae0517' into conntrack-purge 2020-12-17 15:54:21 -05:00
Demi Marie Obenour
6565facec3
Add conntrack-tools dependency to qubes-core-agent-networking
Otherwise no vif-* interfaces come up.
2020-12-16 01:54:05 -05:00
Demi Marie Obenour
20a6a94724
Replace tabs with spaces
Purely a cosmetic fix.
2020-12-14 12:52:28 -05:00