Commit Graph

2707 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
e1ebbf2893
archlinux: checkupdates output is not checked anymore, ignore it 2021-01-03 05:28:38 +01:00
Marek Marczykowski-Górecki
f95f08e15f
Merge remote-tracking branch 'origin/pr/267'
* origin/pr/267:
  fix for ArchLinux: notify dom0 about installed updates The launch of the qubes-update-check service failed on ArchLinux, because the qubes-rpc uses the `service` command which isn't available for this OS.
  fix archlinux detection of available upgrades note: checkupdates returns 2 when no updates are available (source: man page and source code)
  upgrades-installed-check requires pacman-contrib for checkupdates
2021-01-03 05:25:57 +01:00
Marek Marczykowski-Górecki
d28ada95ec
Merge remote-tracking branch 'origin/pr/269'
* origin/pr/269:
  Avoid spawning a Zenity progress meter
  Harden shell scripts against metacharacters
2021-01-03 05:23:48 +01:00
Marek Marczykowski-Górecki
c2f4e026a5
Merge remote-tracking branch 'origin/pr/272'
* origin/pr/272:
  Allow SELinux to stay enabled
2021-01-03 05:21:53 +01:00
Marek Marczykowski-Górecki
90ae037a3a
Merge remote-tracking branch 'origin/pr/280'
* origin/pr/280:
  Ignore more options of qubes-dom0-update
2021-01-03 04:24:19 +01:00
Marek Marczykowski-Górecki
e8f2f64270
Merge remote-tracking branch 'origin/pr/281'
* origin/pr/281:
  Avoid deprecated /var/run directory
2021-01-03 04:23:54 +01:00
Marek Marczykowski-Górecki
79bb5a8658
Merge remote-tracking branch 'origin/pr/283'
Fixes QubesOS/qubes-issues#6290

* origin/pr/283:
  Handle UnicodeError in firewall when resolving hostname
2021-01-03 04:22:09 +01:00
Marek Marczykowski-Górecki
882059d494
Merge remote-tracking branch 'origin/pr/282'
Fixes QubesOS/qubes-issues#6291

* origin/pr/282:
  Fix comments in default qubes-firewall-user-script
2021-01-03 04:20:04 +01:00
Marek Marczykowski-Górecki
ff86bf9fff
archlinux: add missing python-setuptools makedepends 2021-01-03 03:55:34 +01:00
icequbes1
ed33374f67
Handle UnicodeError in firewall when resolving hostname 2021-01-02 15:29:58 -08:00
icequbes1
c25513f930
Fix comments in default qubes-firewall-user-script 2021-01-02 13:11:18 -08:00
Demi Marie Obenour
48b9d5c69b
Avoid deprecated /var/run directory
It causes systemd to emit warnings.
2020-12-28 22:06:40 -05:00
Demi Marie Obenour
3f5bb373fb
Ignore more options of qubes-dom0-update 2020-12-28 22:05:41 -05:00
Marek Marczykowski-Górecki
ba4e7f853d
Actually install unit files into /usr/lib/systemd/system
Fixes 57b30d3 "Use /usr/lib instead of /lib"
2020-12-28 19:09:59 +01:00
Marek Marczykowski-Górecki
9943585d93
Merge remote-tracking branch 'origin/pr/279'
* origin/pr/279:
  Use 022 instead of 002 as sudo umask
2020-12-28 16:57:28 +01:00
Marek Marczykowski-Górecki
a9e98cc13c
Merge remote-tracking branch 'origin/pr/278'
* origin/pr/278:
  “sudo” must remove SELinux restrictions
  Only give the “qubes” group full Polkit access
2020-12-28 16:57:15 +01:00
Marek Marczykowski-Górecki
46df6fc32b
Merge remote-tracking branch 'origin/pr/274'
* origin/pr/274:
  Use /usr/lib instead of /lib
2020-12-28 16:48:27 +01:00
Marek Marczykowski-Górecki
cba3f59623
Merge remote-tracking branch 'origin/pr/268'
* origin/pr/268:
  Don’t rely on an arbitrary length limit
  Don’t assume dom0 will never have a network connection
  Add conntrack-tools dependency to qubes-core-agent-networking
  Keep shellcheck from complaining
  Stop disabling checksum offload
  Remove spurious line continuation; add quotes.
  vif-route-qubes: Check that the -e flag is set
  Purge stale connection tracking entries
2020-12-28 16:43:29 +01:00
Demi Marie Obenour
3bcc1c37ce
“sudo” must remove SELinux restrictions
Otherwise, if “user” has the SELinux user “staff_u”, the user will
typically need to write “sudo -r unconfined_r -t unconfined_t”, which is
annoying.  If SELinux is disabled, these fields are ignored.
2020-12-24 15:48:33 -05:00
Demi Marie Obenour
16f48b6298
Only give the “qubes” group full Polkit access
This is consistent with the rest of qubes-core-agent-passwordless-root,
and helps prevent sandbox escapes by daemons with dbus access.
2020-12-24 15:46:08 -05:00
Demi Marie Obenour
951b25e8c5
Use 022 instead of 002 as sudo umask
The comment already mentions 022, which is presumably what was intended.
2020-12-24 15:40:51 -05:00
Demi Marie Obenour
6adad25f51
Avoid spawning a Zenity progress meter
Newer versions of qubes-dom0-update will spawn
qubes-download-dom0-updates.sh in an xterm if GUI mode is enabled.
Therefore, we don’t need to spawn our own progress bar.
2020-12-23 13:23:03 -05:00
Demi Marie Obenour
274df33d4d
Harden shell scripts against metacharacters
`qubes-download-dom0-updates.sh` can now handle spaces in its inputs,
for example.
2020-12-23 13:19:58 -05:00
Demi Marie Obenour
a42b3806b6
Metadata is now signed 2020-12-22 16:08:57 -05:00
Demi Marie Obenour
1ea361bc79
Always pass ‘-y’ to dnf
DNF should never be used unattended without ‘-y’.
2020-12-22 15:53:15 -05:00
Demi Marie Obenour
9bcfc5dc9f
Allow SELinux to stay enabled
Users who have their own SELinux policies should be able to keep QubesOS
from disabling SELinux.
2020-12-17 23:45:28 -05:00
Demi Marie Obenour
e5b56b96c4
Don’t rely on an arbitrary length limit
We can check for overlong domids without hardcoding the length in a
regex.  Just check if the length is longer than that of the max XID.
2020-12-17 23:39:19 -05:00
Demi Marie Obenour
c09909c702
Don’t assume dom0 will never have a network connection
In test setups, this actually happens!
2020-12-17 23:09:16 -05:00
Demi Marie Obenour
bf443ef6e6
Merge commit 'b15ff53bc6dee36cecf28413554fb7c856ae0517' into usr-lib-merge 2020-12-17 17:43:38 -05:00
Demi Marie Obenour
95022f94e9
Merge commit 'b15ff53bc6dee36cecf28413554fb7c856ae0517' into no-tabs-please 2020-12-17 17:42:28 -05:00
Demi Marie Obenour
220adcae9e
Merge commit 'b15ff53bc6dee36cecf28413554fb7c856ae0517' into conntrack-purge 2020-12-17 15:54:21 -05:00
Demi Marie Obenour
6565facec3
Add conntrack-tools dependency to qubes-core-agent-networking
Otherwise no vif-* interfaces come up.
2020-12-16 01:54:05 -05:00
Demi Marie Obenour
20a6a94724
Replace tabs with spaces
Purely a cosmetic fix.
2020-12-14 12:52:28 -05:00
Frédéric Pierret (fepitre)
b15ff53bc6
debian: update compat 2020-12-12 11:44:47 +01:00
Frédéric Pierret (fepitre)
edde0d573e
debian: update control 2020-12-12 11:11:18 +01:00
Demi Marie Obenour
ae48c7e04d
Merge commit '66b3e628f2bf0ec8f23b0b42484d014e5cad23bf' into conntrack-purge 2020-12-08 14:47:56 -05:00
Demi Marie Obenour
44b3c12d94
Keep shellcheck from complaining
The code was correct, but shellcheck didn’t recognize that ‘n’ had been
assigned as a local variable.
2020-12-07 14:57:03 -05:00
Demi Marie Obenour
d960f7af85
Stop disabling checksum offload
We now have a newer qemu in the stubdomain, so checksum offloading
should work.
2020-12-07 14:12:01 -05:00
Demi Marie Obenour
70253edeab
Remove spurious line continuation; add quotes.
Pipelines can extend over multiple lines without needing line
continuation.
2020-12-07 14:11:12 -05:00
Demi Marie Obenour
9840953f5f
vif-route-qubes: Check that the -e flag is set 2020-12-07 14:08:32 -05:00
Demi Marie Obenour
a8588c4e9c
Purge stale connection tracking entries
This ensures that a VM cannot use connection tracking entries created by
another VM.
2020-12-06 12:55:51 -05:00
Marek Marczykowski-Górecki
66b3e628f2
Order NetworkManager after qubes-network-uplink.service
Make sure NM config for uplink interface (eth0) is created before
starting NetworkManager itself. Otherwise NM helpfully will try to use
automatic DHCP configuration, which will fail and cause delays on
network start.
2020-12-05 18:13:27 +01:00
Marek Marczykowski-Górecki
519e82b7c0
init/functions: do not guess 'eth0' as Qubes-managed interface
... if it doesn't exist.
The /qubes-mac qubesdb entry is present on Qubes 4.1, but not 4.0. It is
ok to depend on it here, but keep safer fallback if this code would need
to be backported.
2020-12-04 12:30:57 +01:00
Marek Marczykowski-Górecki
8a3cd3db1d
Make init/functions suitable for running with 'set -u'
Initialize local variables.
2020-12-04 03:24:03 +01:00
Marek Marczykowski-Górecki
6aa2b89fba
Cleanup setup-ip script a bit
There is no longer a case where $INTERFACE is not set.
2020-12-04 03:24:02 +01:00
Marek Marczykowski-Górecki
dd8de797e3
Move network uplink setup to a separate service
Previously, network uplink (eth0) was configured in two places:
 - udev (asynchronously)
 - qubes-misc-post.service - at the very end of the boot process

This caused multiple issues:
1. Depending on udev event processing (non-deterministic), network
   uplink could be enabled too early, for example before setting up
   firewall.
2. Again depending on udev processing, it can be enabled quite late in
   the boot process, after network.target is up and services assume
   network already configured. This for example causes qubes-firewall to
   fail DNS queries.
3. If udev happens to try to enable networking even earlier, it may
   happen before qubesdb-daemon is started, in which case network setup
   will fail. For this case, there was network re-setup in
   qubes-misc-post service - much later in the boot.

Fix the above by placing network uplink setup in a dedicated
qubes-network-uplink@${INTERFACE}.service unit ordered after
network-pre.target and pulled in by udev based on vif device existence,
to handle also dynamic network attach/detach.
Then, create qubes-network-uplink.service unit waiting for appropriate
interface-specific unit (if one is expected!) and order it before
network.target.

QubesOS/qubes-issues#5576
2020-12-04 03:24:02 +01:00
Marek Marczykowski-Górecki
e344dcc4c9
Order qubes-early-vm-config.service before networking
Fixes QubesOS/qubes-issues#5570
2020-12-03 20:52:51 +01:00
Marek Marczykowski-Górecki
0caa7fcf75
network: stop IP forwarding before disabling firewall
Stop IP forwarding when stopping qubes-network service (which initially
enables it). This makes ordering against qubes-firewall safe - firewall
is applied before allowing IP forward and then is removed when IP
forward is already disabled.

Fixes QubesOS/qubes-issues#5599
2020-12-03 20:52:51 +01:00
Marek Marczykowski-Górecki
f66a494cc2
Allow DHCPv6 replies on uplink interface, if ipv6 is enabled
Fixes QubesOS/qubes-issues#5886
2020-12-03 20:52:51 +01:00
Demi Marie Obenour
57b30d3af6
Use /usr/lib instead of /lib 2020-12-02 11:21:53 -05:00