Commit Graph

1307 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
c1cb78e0e8 qrexec: use sockets instead of pipes to communicate with child process
The main advantage is possible use of single socket for both stdin and
stdout. This is strictly required for using USBIP over qrexec.

For compatibility qrexec still creates three socket pairs (instead of
pipes) for stdin/out/err respectively. When qrexec-agent receives
SIGUSR1, it will close stdout socket and use stdin socket for both
directions.

Some additional work is needed here to actually allow child process to
send that signal - qrexec is running as root, but child as "user" in
most cases.
2015-02-17 01:36:09 +01:00
Marek Marczykowski-Górecki
b40c791914 debian: change systemctl set-default back to manual symlink
systemd in wheezy is old enough to not have this option.
2015-02-10 17:22:04 +01:00
Matt McCutchen
b37d391f91 Make qvm-run bidirectional and document its limitations. 2015-02-09 06:37:32 +01:00
Matt McCutchen
377e0b4cd4 Switch to preset file for systemd units to disable. 2015-02-09 06:35:05 +01:00
Marek Marczykowski-Górecki
ea47dfbd5d Merge remote-tracking branch 'woju/master' 2015-02-06 08:07:47 +01:00
HW42
97dd21bcff debian: preinst: cleanup user creation
Generate user-groups via -U instead of explicit via groupadd. This also
fix the problem that the tinyproxy group were not gererated as
"system"-group.

Also suppress unneeded output of the existence test.
2015-02-05 05:42:08 +01:00
HW42
166ec3323f debian: prerm: remove obsolete code
this code has been obsoleted by commit 56607800, eb18af4c and 707be87a.
2015-02-05 05:42:08 +01:00
HW42
5c54d48c36 debian: preinst: don't force the default shell to bash 2015-02-05 05:42:08 +01:00
HW42
dad5bfbd18 remove 'bashisms' or explicit use bash 2015-02-05 05:42:08 +01:00
HW42
77392fd3a9 debian: preinst: remove modification of /etc/modules
modules are already handled by systemd and /lib/modules-load/qubes-*
2015-02-05 01:23:00 +01:00
HW42
6ff749a13a debian: install fstab as normal config file 2015-02-05 01:23:00 +01:00
HW42
641c516d76 debian: postinst: remove redundant and misleading trigger output 2015-02-05 01:22:21 +01:00
HW42
60a181b3f4 debian: postinst: enable haveged only if installed 2015-02-05 01:22:21 +01:00
HW42
05da6e6379 debian: postinst: don't start systemd services
Starting services in the postinst script doesn't make much sense since
the package is normally installed in the template. In addition the start
can fail when executed through a trigger.
2015-02-05 01:22:20 +01:00
HW42
e8f25bfac8 debian: postinst: cleanup 2015-02-05 01:22:20 +01:00
HW42
de53e1d0bb debian: postinst: enable netfilter-persistent service 2015-02-05 01:22:20 +01:00
HW42
5080c7c2d3 debian: postinst: remove fedora specific code
/etc/iptables/rules.* are already part of the packet.
The removed code has never done something in debian (since
/etc/iptables/rules.* already exists).
2015-02-05 01:22:20 +01:00
HW42
07c2f2a5f4 debian: postinst: use systemctl to set default target 2015-02-05 01:22:20 +01:00
HW42
a5fbbea98d debian: postinst: don't create /rw - it is already part of the package 2015-02-05 01:22:20 +01:00
HW42
b2307cfee6 debian: postinst: don't remove /etc/udev/rules.d/*
removing /etc/udev/rules.d/* in debian makes no sense since this folder
is only for custom udev rules.
2015-02-05 01:22:20 +01:00
HW42
47550ee2b6 debian: don't generate regular conf files in postinst 2015-02-05 01:22:19 +01:00
HW42
8a9d2378f6 debian: postinst: use dpkg-divert
dpkg-divert is not ideal for config files but should work better than
direct cp/mv.
2015-02-05 01:22:19 +01:00
HW42
4faece9e89 debian: postinst: use systemctl mask 2015-02-05 01:22:19 +01:00
HW42
d7fac08792 debian: fix for QSB #014 requires up to date qubes-utils 2015-02-05 01:22:19 +01:00
Marek Marczykowski-Górecki
490176f180 rpm: add missing R: pygobject3-base 2015-02-05 01:19:33 +01:00
Wojtek Porczyk
591b95a81b spec: require linux-utils-3.0.1 2015-02-02 19:04:02 +01:00
Marek Marczykowski-Górecki
19a4c6d0dd network: support for not setting DNS and/or default gateway (v2)
This patch introduces two new qvm-services:
 - disable-default-route
 - disable-dns-server
Both disabled by default. You can enable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.

This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C7FB59.2020603%40openmailbox.org

Conflicts:
	network/setup-ip
	vm-init.d/qubes-core
	vm-systemd/qubes-sysinit.sh
2015-01-30 00:52:31 +01:00
Marek Marczykowski-Górecki
9f51c82666 filecopy: fallback to "open(..., 000)" method when /proc inaccessible
/proc is needed to link files opened with O_TMPFILE to the filesystem.
If not available, fallback to using permissions to block file access,
instead of failing the whole file copy.
2015-01-30 00:48:56 +01:00
Marek Marczykowski-Górecki
efb79d5784 systemd: allow to start cron daemon (#909) 2015-01-30 00:48:56 +01:00
Marek Marczykowski-Górecki
ab637395cb fedora: reload systemd only once 2015-01-30 00:48:56 +01:00
Marek Marczykowski-Górecki
5590445319 fedora: reduce code duplication in systemd triggers 2015-01-30 00:48:56 +01:00
Olivier MEDOC
898f223cd4 archlinux: align with fedora changes related to imsettings 2015-01-30 00:48:56 +01:00
Olivier MEDOC
a94f1f4111 archlinux: fix new packaging requirements related to sbin, lib64, run ... 2015-01-30 00:48:55 +01:00
Marek Marczykowski-Górecki
4637735882 network: support for not setting DNS and/or default gateway
This patch introduces two new qvm-services:
 - set-default-route
 - set-dns-server
Both enabled by default. You can disable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.

This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C39656.3090303%40openmailbox.org

Conflicts:
	network/setup-ip
	vm-init.d/qubes-core
	vm-systemd/qubes-sysinit.sh
2015-01-30 00:48:55 +01:00
HW42
13bca3d05f don't ignore asprintf() return value 2015-01-30 00:45:05 +01:00
Marek Marczykowski-Górecki
bc8a6a0a20 fedora: Fix iptables config installation one more time 2015-01-30 00:45:04 +01:00
Marek Marczykowski-Górecki
66620c1005 fedora: Fix iptables config install script 2015-01-30 00:45:04 +01:00
Marek Marczykowski-Górecki
efc7d4d1f2 filecopy: prevent files/dirs movement outside incoming directory during transfer
Otherwise, when the user moves directory, which is still in transfer,
somewhere else, it could allow malicious source domain to escape chroot
and place a file in arbitrary location.

It looks like bind mount is just enough - simple rename fails with
EXDEV, so tools are forced to perform copy+delete, which is enough to
keep unpacker process away from new file location.

One inconvenient detail is that we must clean the mount after transfer
finishes, so root perms cannot be dropped completely. We keep separate
process for only that reason.
2015-01-30 00:45:04 +01:00
Marek Marczykowski-Górecki
50b536bee3 fedora: Add security-testing repo definition
Conflicts:
	misc/qubes-r2.repo
2015-01-30 00:45:02 +01:00
Jason Mehring
546b4c7911 fc21: Remove left-over code comment 2015-01-30 00:43:31 +01:00
Jason Mehring
33d3a6c9ea fc21: iptables configurations conflict with fc21 yum package manager
Moved iptables configuration to /usr/lib/qubes/init
fc21 + debian + arch will place them in proper place on postinst
Fixes dedian bug of not having them in proper place
2015-01-30 00:43:31 +01:00
Marek Marczykowski-Górecki
0be213200a network: fix NM config preparation
The same variables are reused to configure downlink in ProxyVM, so
create NM config before they got overrided.

Conflicts:
	network/setup-ip
2015-01-30 00:43:29 +01:00
Marek Marczykowski-Górecki
b3429b596d network: set uplink configuration based on MAC (NetworkManager) 2015-01-30 00:39:37 +01:00
HW42
dbd19698b3 debian: remove unneeded acpid dependency
https://groups.google.com/forum/?_escaped_fragment_=msg/qubes-devel/oY7m9zNEXFw/N94pknsTg7oJ

Conflicts:
	debian/control
2015-01-30 00:39:35 +01:00
HW42
6f056486e0 debian: move not strictly required packages to Recommends-Section.
https://groups.google.com/forum/?_escaped_fragment_=msg/qubes-devel/oY7m9zNEXFw/N94pknsTg7oJ

Conflicts:
	debian/control
2015-01-30 00:38:07 +01:00
Marek Marczykowski-Górecki
5bd3080521 Update update-proxy rules for debian security fixes repo
The name can be "wheezy/updates".
2015-01-30 00:32:56 +01:00
Marek Marczykowski-Górecki
a4ad010a45 debian: fix service name in postinst script 2015-01-30 00:32:56 +01:00
Marek Marczykowski-Górecki
c3ef00303f debian: remove obsolete code from postinst script
NetworkManager-dispatcher.service issue seems to be already fixed in
upstream package.
2015-01-30 00:32:56 +01:00
Marek Marczykowski-Górecki
45e7cbb2ac debian: add missing python-gi to dependencies
Required for qubes-desktop-run tool.
2015-01-30 00:32:56 +01:00
Marek Marczykowski-Górecki
7476eb2f24 debian: fix generation of apt sources list file
Use codename, instead of release number.

Conflicts:
	Makefile
2015-01-30 00:32:49 +01:00