Commit Graph

2270 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
977f41276b
version 4.0.17 2018-01-18 19:30:32 +01:00
Rusty Bird
b23e2ed70d
Remove stranded block-snapshot script
The real block-snapshot script is in qubes-core-admin.
2018-01-16 06:35:45 +00:00
Rusty Bird
6c2b9fd638
qvm-run-vm: wait for X11 in DispVM case
qvm-run-vm cannot make a separate qubes.WaitForSession call for a
DispVM. Instead, pass the new WaitForSession argument to qubes.VMShell,
which will do the equivalent.
2018-01-14 19:21:01 +00:00
Rusty Bird
72fef1ee4c
qvm-run-vm: appease ShellCheck without comment 2018-01-14 19:20:59 +00:00
Rusty Bird
ce1f0af216
Set 'wait-for-session=1' for 'qubes.VMShell+WaitForSession'
This is intended to be used for DispVMs for which only a single RPC call
can be made before they are destroyed.

Fixes QubesOS/qubes-issues#3012
2018-01-14 19:20:58 +00:00
Marek Marczykowski-Górecki
1b774f9a87
version 4.0.16 2018-01-12 06:18:51 +01:00
Marek Marczykowski-Górecki
7ecb74ae3b
Disable automatic scaling in GNOME/GTK applications
GNOME automatically sets scaling factor to 2 when HiDPI is detected.
Unfortunately it does it also on not really HiDPI displays, making the
whole UI unusably large. There is no middle ground - scaling factor must
be integer, so 1.5 is not supported. Let's opt on a conservative side and
fall back to scaling factor 1.

Solution by @alyssais, thanks!
Fixes QubesOS/qubes-issues#3108
2018-01-12 06:00:18 +01:00
Marek Marczykowski-Górecki
4cd16a2734
Enable gnome settings daemon xsettings plugin
When one uses scaling set by gnome tools (gsettings or
gnome-tweak-tool), gsd-xsettings must be running to apply the change
also to other applications.
This includes auto scaling on HiDPI screens.

This commit fixes non-uniform behaviour on different VM types.

QubesOS/qubes-issues#3108
2018-01-12 05:44:54 +01:00
Marek Marczykowski-Górecki
d4f6eb1f4a
Install KDE actions for KDE5
Fixes QubesOS/qubes-issues#3449
2018-01-09 17:42:21 +01:00
Marek Marczykowski-Górecki
7d82029aec
Fix kdialog --progressbar usage
Returned dbus reference is multi-word string, it was not quoted on
purpose. ShellCheck was wrong about it.

QubesOS/qubes-issues#3449
2018-01-08 03:07:14 +01:00
Marek Marczykowski-Górecki
a8aa41e040
Merge remote-tracking branch 'qubesos/pr/83'
* qubesos/pr/83:
  qrexec: fix infinite loop when multiple services are waiting for GUI
2018-01-05 19:00:27 +01:00
Marek Marczykowski-Górecki
4c47ce139e
qrexec: fix infinite loop when multiple services are waiting for GUI
Reported by @ctrlaltdel
Fixes QubesOS/qubes-issues#3433
2017-12-28 17:31:06 +01:00
Marek Marczykowski-Górecki
c324b16252
firewall: allow also related traffic
This includes ICMP error messages for allowed traffic.

Fixes QubesOS/qubes-issues#3406
2017-12-28 05:34:30 +01:00
Marek Marczykowski-Górecki
3a83623647
firewall: don't crash the whole qubes-firewall service on DNS fail
If DNS resolution fails, just block the traffic (for this VM), but don't
crash the whole service.

Fixes QubesOS/qubes-issues#3277
2017-12-28 05:15:00 +01:00
Marek Marczykowski-Górecki
180146a5c2
version 4.0.15 2017-12-23 02:53:43 +01:00
Marek Marczykowski-Górecki
ec83df64e3
qubes.GetImageRGBA: fix handling '-' path without explicit type
There was a bug that interpreted '-' as file type. But convert doesn't
know how to handle '-' file type, so refused to proceed.

Fixes QubesOS/qubes-issues#3085
2017-12-22 16:48:37 +01:00
Marek Marczykowski-Górecki
e8656e1b41
Merge remote-tracking branch 'qubesos/pr/79'
* qubesos/pr/79:
  make apt-get apt-transport-tor broken in Qubes non-networked TemplateVMs
2017-12-22 01:19:59 +01:00
Marek Marczykowski-Górecki
57d43430e1
qrexec: setup process environment when not using fork server
If fork server is used, proper environment is inherited from the
session. But in other case (like non-default user), it needs to be
created by qrexec-agent itself. PAM provides some variables, but not the
most basic: HOME, SHELL, USER, LOGNAME. Also process should be started
in user home directory (if available).

Fixes QubesOS/qubes-issues#3416
2017-12-22 01:14:19 +01:00
MB
3339df739d
Fall back to direct execution when dbus is not installed or running
I have been using this with a dbus-less Gentoo template since the original
change, and have tested recently on whonix-gw with dbus enabled and running.

(cherry picked from commit bf69335074b45157734b881cc14d54ea43e7902a)
2017-12-20 20:56:29 +01:00
Patrick Schleizer
7fd008b1a8
make apt-get apt-transport-tor broken in Qubes non-networked TemplateVMs
fixes https://github.com/QubesOS/qubes-issues/issues/3403
2017-12-16 19:17:38 +01:00
Marek Marczykowski-Górecki
29e4ac8f97
version 4.0.14 2017-12-15 09:23:22 +01:00
Marek Marczykowski-Górecki
47e6a84f79
debian: use systemd-preset logic from rpm package
It is more robust, especially handle "# Units below this line will be
re-preset on package upgrade" part of 75-qubes-vm.preset file. This is
needed to fix system configuration without the need to rebuild the whole
template.

QubesOS/qubes-issues#2913
2017-12-15 02:50:05 +01:00
unman
a95aa43864
Disable wpa_supplicant@.service
(cherry picked from commit 51f80d39a1064dd6075ccf6af1d5ba78fba6327c)
2017-12-14 23:22:06 +01:00
Rusty Bird
8d8902f32a
qvm-{copy,move}: fix spurious deprecation message
qvm-{copy,move} run qvm-{copy,move}-to-vm with $default as the VM
argument. Don't print the deprecation message in that case.
2017-12-13 23:48:39 +00:00
Marek Marczykowski-Górecki
84374bbdec
Merge remote-tracking branch 'qubesos/pr/76'
* qubesos/pr/76:
  Fix language issues and usability issue
2017-12-13 19:48:24 +01:00
Marek Marczykowski-Górecki
1651866aa2
Merge remote-tracking branch 'qubesos/pr/72'
* qubesos/pr/72:
  Fix UCA mistake and qvm-actions script
  Fix ShellCheck comments
  Add debian package support
  Disable Thunar thumbnails
  Add support for Thunar Qubes VM tools
2017-12-13 19:47:16 +01:00
TomZ
3abc3b1b75
Fix language issues and usability issue 2017-12-13 10:15:20 +01:00
Marek Marczykowski-Górecki
362e19349f
Add hint to use qvm-copy/qvm-move instead of qvm-*-to-vm
Fixes QubesOS/qubes-issues#3251
2017-12-13 02:51:41 +01:00
Frédéric Pierret
c34a0a9e07
Fix UCA mistake and qvm-actions script 2017-12-12 22:12:48 +01:00
Marek Marczykowski-Górecki
4d51ea9387
Fix IPv6 support in qubes-firewall
Chain name in IPv6 cannot be longer than 29 chars, so strip IPv6 prefix
from it.
ICMP on IPv6 is a different protocol than on IPv4 - handle iptables rule
accordingly.

QubesOS/qubes-issues#718
2017-12-07 01:41:56 +01:00
Marek Marczykowski-Górecki
20d9a0bb61
network: drop unsolicited IPv6 neighbor advertisements by default
It could be used to poison neighbor table...

QubesOS/qubes-issues#718
2017-12-07 01:41:56 +01:00
Marek Marczykowski-Górecki
715693b93d
network: IPv6-enabled firewall
If IPv6 is configured in the VM, and it is providing network to others,
apply IPv6 firewall similar to the IPv4 one (including NAT for outgoing
traffic), instead of blocking everything. Also, enable IP forwarding for
IPv6 in such a case.

Fixes QubesOS/qubes-issues#718
2017-12-07 01:41:55 +01:00
Marek Marczykowski-Górecki
44f8cceb38
network: configure IPv6 when enabled
If dom0 exposes IPv6 address settings, configure it on the interface.
Both backend and frontend side. If no IPv6 configuration is provided,
block IPv6 as it was before.

Fixes QubesOS/qubes-issues#718
2017-12-07 01:30:05 +01:00
Marek Marczykowski-Górecki
aab5a28fbe
Merge remote-tracking branch 'qubesos/pr/67'
* qubesos/pr/67:
  archlinux fix .service added twice in networking install script
  Makefile: install-netvm shouldn't be a dependency of itself.
  archlinux: add recently split packages as optional dependencies of qubes-vm-core
  archlinux: fix incorrect keyring being populated
  Makefile: remove invalid reference to network dropins install target
  archlinux: fix shellcheck issues
  archlinux: create a keyring package to install binary repository automatically
  Makefile: add network install targets to install-deb
  Makefile: fix typo created when splitting the install targets
  Makefile: add basic networking to the new install-corevm target
  archlinux: split core-agent from netvm-agent
  Makefile: ensure that everything is installed by default for rh based agents
  Makefile: split network install target from core agent install target
2017-12-06 01:35:58 +01:00
Marek Marczykowski-Górecki
414f944cf9
Disable cups-browsed service together with cups
It tries to connect to cups every second and doesn't do anything else
when cups is disabled. So disable (or enable) both of them at the same
time.
2017-12-05 17:58:35 +01:00
Frédéric Pierret
6226531bd5
Fix ShellCheck comments 2017-11-22 15:45:51 +01:00
Frédéric Pierret
3dc294f3bb
Add debian package support 2017-11-22 13:06:51 +01:00
Marek Marczykowski-Górecki
0500719f4d
version 4.0.13 2017-11-21 04:51:28 +01:00
Olivier MEDOC
9345a29b7e
archlinux fix .service added twice in networking install script 2017-11-20 16:58:26 +01:00
Olivier MEDOC
0cd100b91a
Makefile: install-netvm shouldn't be a dependency of itself. 2017-11-20 16:56:57 +01:00
Marek Marczykowski-Górecki
3fb258db47
network: order qubes-firewall service before enabling IP forwarding
Start qubes-firewall (which will add "DROP by default" rule) before
enabling IP forwarding, to not leave a time slot where some connection
could go around configured firewall.

QubesOS/qubes-issues#3269
2017-11-20 02:42:39 +01:00
Marek Marczykowski-Górecki
6b0013503b
Merge remote-tracking branch 'qubesos/pr/74'
* qubesos/pr/74:
  Add iptables dep to qubes-core-agent-networking RPM spec
2017-11-20 01:56:38 +01:00
Marek Marczykowski-Górecki
9293da7329
Merge remote-tracking branch 'qubesos/pr/69'
* qubesos/pr/69:
  Fix the Archlinux template update proxy to work for HTTPS URLs as well
2017-11-20 01:56:35 +01:00
Marek Marczykowski-Górecki
c0e5501f55
Enable qubes-firewall also in "NetVM"
In some cases it may make sense to enforce outgoing firewall also on
sys-net. If the service is disabled, firewall settings will be
(silently) ignored, so better be on the safe side and enable.

QubesOS/qubes-issues#3290
2017-11-20 01:56:15 +01:00
Marek Marczykowski-Górecki
e53db1386d
Dumb down meminfo-writer enabling logic
Let dom0 decide whether it should be enabled or not, regardless of PCI
devices or any other factor.

Fixes QubesOS/qubes-issues#3207
2017-11-20 01:56:15 +01:00
Marek Marczykowski-Górecki
57a3c2d67e
network: have safe fallback in case of qubes-firewall crash/error
When qubes-firewall service is started, modify firewall to have "DROP"
policy, so if something goes wrong, no data got leaked.
But keep default action "ACCEPT" in case of legitimate service stop, or
not starting it at all - because one may choose to not use this service
at all.
Achieve this by adding "DROP" rule at the end of QBS-FIREWALL chain and
keep it there while qubes-firewall service is running.

Fixes QubesOS/qubes-issues#3269
2017-11-20 01:56:14 +01:00
Rusty Bird
c3b2aeb289
Add iptables dep to qubes-core-agent-networking RPM spec
Only the Debian package had declared the dependency. And apparently,
fedora-26-minimal does not include the iptables package by default
anymore.
2017-11-19 15:48:32 +00:00
Olivier MEDOC
5b45cf1808
archlinux: add recently split packages as optional dependencies of qubes-vm-core
Also improve package description and comments.
2017-11-19 08:57:31 +01:00
Frédéric Pierret
82656bb5df
Disable Thunar thumbnails 2017-11-18 13:19:41 +01:00
Frédéric Pierret
0fd109b8f1
Add support for Thunar Qubes VM tools 2017-11-18 13:19:40 +01:00