Commit Graph

346 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
181c15f422
updates-proxy: explicitly block connection looping back to the proxy IP
Explicitly block something like "curl http://10.137.255.254:8082" and
return error page in this case. This error page is used in Whonix to
detect if the proxy is torrified. If not blocked, it may happen that
empty response is returned instead of error. See linked ticket for
details.

Fixes QubesOS/qubes-issues#1482
2015-12-04 14:57:07 +01:00
Marek Marczykowski-Górecki
a11897a1d0
Revert "network: use drop-ins for NetworkManager configuration (#1176)"
Apparently unmanaged devices are loaded only from main
NetworkManager.conf. Exactly the same line pasted (not typed!) to main
NetworkManager.conf works, but in
/etc/NetworkManager/conf.d/30-qubes.conf it doesn't.
BTW There was a typo in option name ("unmanaged_devices" instead of
"unmanaged-devices", but it wasn't the cause).

This reverts commit 6c4831339c.

QubesOS/qubes-issues#1176
2015-11-28 17:43:15 +01:00
Olivier MEDOC
fa081f1dd9 rpm_spec: declare InstallUpdateGUI qrexec_service 2015-11-17 09:46:16 +01:00
Marek Marczykowski-Górecki
69bb71bea0
updates-proxy: disable filtering at all
Since this proxy is used only when explicitly configured in application
(package manager), there is no point in worrying about user
_erroneously_ using web browser through this proxy. If the user really
want to access the network from some other application he/she can always
alter firewall rules for that.

Fixes QubesOS/qubes-issues#1188
2015-11-15 03:57:51 +01:00
Marek Marczykowski-Górecki
13c9149b6c
Use improved update-notify script also in Fedora
Among other things this also fixes build failure - those scripts were
installed but not listed in spec file.

Actual check doesn't perform 'apt-get update', so do that when running
"standalone" (not as a hook from 'apt-get').

QubesOS/qubes-issues#1066
2015-11-13 05:28:47 +01:00
Marek Marczykowski-Górecki
3324307ee2
Merge remote-tracking branch 'origin/pr/46'
* origin/pr/46:
  No longer start /etc/init.d/tinyproxy by default anymore.
2015-11-11 16:04:40 +01:00
Patrick Schleizer
5d6cf722a8
No longer start /etc/init.d/tinyproxy by default anymore.
But allow users to re-enable it through qubes-service framework.
/var/run/qubes-service/tinyproxy

Thanks to @marmarek for helping with this fix!

https://github.com/QubesOS/qubes-issues/issues/1401
2015-11-11 14:57:36 +00:00
Marek Marczykowski-Górecki
e2ab963a27
Minor improvements to packaging (based on rpmlint)
There is much more to fix, but lets start with low hanging fruits.
2015-11-11 15:19:43 +01:00
Marek Marczykowski-Górecki
2a589f2c20
updates-proxy: use separate directory for PID file
And also use systemd-tmpfiles for that directory creation.

Fixes QubesOS/qubes-issues#1401
2015-11-11 05:57:57 +01:00
Marek Marczykowski-Górecki
164387426b
Bump qubes-utils version requirement
Those commits needs updated qubes-utils:
823954c qrexec: use #define for protocol-specified strings
5774c78 qfile-agent: move data handling code to libqubes-rpc-filecopy

QubesOS/qubes-issues#1324
QubesOS/qubes-issues#1392
2015-11-11 05:25:17 +01:00
Marek Marczykowski-Górecki
7cca1b23ee
Get rid of qubes-core-vm-kernel-placeholder
Since /lib/modules is not mounted read-only anymore (only a selected
subdirectory there), it is no longer required to prevent kernel package
installation. Even more - since PV Grub being supported, it makes sense
to have kernel installed in the VM.

QubesOS/qubes-issues#1354
2015-11-11 02:36:57 +01:00
Marek Marczykowski-Górecki
ba28c9f140
fedora: do not require/use yum-plugin-post-transaction-actions in F>=22
Since Fedora 22+ obsoletes yum, do not require yum-specific package to
be installed.

QubesOS/qubes-issues#1282
2015-11-11 02:36:57 +01:00
Marek Marczykowski-Górecki
b6cfcdcc6f
Implement dnf hooks for post-update actions
Similar to previous yum hooks:
 - notify dom0 about installed updates (possibly clear "updates pending"
   marker)
 - trigger appmenus synchronization

QubesOS/qubes-issues#1282
2015-11-11 02:36:57 +01:00
Marek Marczykowski-Górecki
074309e6a3
dracut: disable hostonly mode
Initramfs created in TemplateVM may be used also in AppVMs based on it, so
technically it is different system. Especially it has different devices
mounted (own /rw, own swap etc), so prevent hardcoding UUIDs here.

QubesOS/qubes-issues#1354
2015-11-10 16:36:00 +01:00
Olivier MEDOC
0c33c73b8e dropins: implement dropins for systemd user starting with pulseaudio systemd service and socket masking
Conflicts:
	Makefile
2015-11-07 19:12:30 +01:00
Olivier MEDOC
4b5332081e add DROPINS for org.cups.cupsd systemd files. 2015-11-06 19:36:52 +01:00
Marek Marczykowski-Górecki
c2596a0435
Setup updates proxy in dnf and PackageKit
DNF doesn't support even including another config file, so all the
settings needs to go into `/etc/dnf/dnf.conf`. The same about
PackageKit, which is needed because it doesn't use `dnf.conf`:
http://lists.freedesktop.org/archives/packagekit/2015-September/026389.html

Because that proxy settings goes to so many places now, create a
separate script for that.

QubesOS/qubes-issues#1282
QubesOS/qubes-issues#1197
2015-10-30 15:13:56 +01:00
Marek Marczykowski-Górecki
22365369d2
Require new enough qubes-utils package for updated libqrexec-utils
Required by 97a3793 "qrexec: implement buffered write to a child stdin"
2015-10-24 22:25:19 +02:00
Marek Marczykowski-Górecki
457578280b
rpm: remove duplicated entry 2015-10-24 20:54:17 +02:00
Marek Marczykowski-Górecki
92bec3173a
rpm: add /etc/sysctl.d/20_tcp_timestamps.conf
Missing part of previous commit.

QubesOS/qubes-issues#1344
2015-10-24 20:54:07 +02:00
Patrick Schleizer
f063b4a90f
Renamed qubes-mount-home to qubes-mount-dirs.
Renamed qubes-mount-home service and mount-home.sh script to qubes-mount-dirs service and mount-dirs.sh.
Because mount-home.sh also processed /rw/usrlocal.
preparation to fix the following issues:
- upstream bind-directories functionality to Qubes - https://phabricator.whonix.org/T414
- Bind mount /rw/usrlocal -> /usr/local instead of symlink - https://github.com/QubesOS/qubes-issues/issues/1150
- /bin/sync hangs forever in whonix-ws-dvm - https://github.com/QubesOS/qubes-issues/issues/1328
2015-10-15 20:57:43 +00:00
Patrick Schleizer
2eb0ed2be1
removed trailing spaces 2015-10-15 04:34:55 +02:00
Marek Marczykowski-Górecki
afb70cf040
Add missing R: dconf to hide nm-applet when not used
Without dconf, gsettings uses "memory" backend which isn't saved
anywhere and isn't shared across applications. This makes gsettings
pretty useless.

Fixes QubesOS/qubes-issues#1299
2015-10-10 16:23:47 +02:00
Marek Marczykowski-Górecki
7963fb91c7
systemd: actually enable qubes-random-seed service
QubesOS/qubes-issues#1311
2015-10-10 16:23:46 +02:00
Marek Marczykowski-Górecki
6c4831339c
network: use drop-ins for NetworkManager configuration (#1176)
Do not modify main /etc/NetworkManager/NetworkManager.conf as it would
cause conflicts during updates. Use
/etc/NetworkManager/conf.d/30-qubes.conf instead.
Also remove some dead code for dynamically generated parts (no longer
required to "blacklist" eth0 in VMs - we have proper connection
generated for it). It was commented out for some time already

Fixes QubesOS/qubes-issues#1176
2015-10-06 15:15:26 +02:00
Marek Marczykowski-Górecki
f2222a9b53
Cleanup R3.0->R3.1 transitional package
QubesOS/qubes-issues#1276
2015-10-05 19:06:21 +02:00
Marek Marczykowski-Górecki
8e497bffc0
Merge branch 'qubes-iptables'
Conflicts:
	debian/control
	rpm_spec/core-vm.spec

QubesOS/qubes-issues#1067
2015-10-05 01:47:01 +02:00
Marek Marczykowski-Górecki
2a39adfe0f
Enlarge /tmp and /dev/shm
Initial size of those tmpfs-mounted directories is calculated as 50% of
RAM at VM startup time. Which happen to be quite small number, like
150M. Having such small /tmp and/or /dev/shm apparently isn't enough for
some applications like Google chrome. So set the size statically at 1GB,
which would be the case for baremetal system with 2GB of RAM.

Fixes QubesOS/qubes-issues#1003
2015-10-04 23:07:10 +02:00
Marek Marczykowski-Górecki
c615afb88f
Merge remote-tracking branch 'origin/pr/28'
* origin/pr/28:
  qubes-rpc: fix icon selection using pyxdg and support SVG icons
  qubes-rpc: fix broken temporary file deletion in qubes.GetImageRGBA

Conflicts:
	qubes-rpc/qubes.GetImageRGBA
	rpm_spec/core-vm.spec
2015-09-28 12:47:49 +02:00
Marek Marczykowski-Górecki
3552bc7e41
rpm: add dbus-python dependency
This package is required by lots of stuff in Fedora anyway, but this
doesn't mean that we can have broken dependencies.
2015-09-28 12:22:19 +02:00
qubesuser
7f9fdc8327 qubes-rpc: fix icon selection using pyxdg and support SVG icons 2015-09-06 22:02:27 +02:00
Marek Marczykowski-Górecki
c8ac55b179 Merge branch 'autostart-dropins'
Conflicts:
	misc/qubes-trigger-desktop-file-install

Fixes qubesos/qubes-issues#1151
2015-09-02 01:16:19 +02:00
Marek Marczykowski-Górecki
4703e3fca7
Remove dynamically generated autostart desktop files
qubesos/qubes-issues#1151
2015-08-27 22:08:04 +02:00
Marek Marczykowski-Górecki
3d06ce1ee9
Implement dropins for /etc/xdg/autostart (#1151)
Usage of _static_ files (dropins) to override some of autostart entries
(enable/disable them in appropriate VM types) is much simpler and less
error prone than automatic generators.

Handling code is implemented in qubes-session-autostart, which is called
from qubes-session.

qubesos/qubes-issues#1151
2015-08-27 22:08:00 +02:00
Marek Marczykowski-Górecki
d710970e4d
Move .desktop launching code to python moules so it can be reused 2015-08-27 22:07:59 +02:00
Jason Mehring
9644d86845
sudoers.d: Stops QT from using the MIT-SHM X11 Shared Memory Extension
Fedora now needs this sudoer rule.  Allows sudo to keep the `QT_X11_NO_MITSHM` ENV
variable which prevents MIT-SHM errors for Fedora and Debian when running a QT
application:

    `Defaults env_keep += "QT_X11_NO_MITSHM"`

A complementary commit has been made in gui-agent-linux:
    Commit: a02e54b71a9ee17f4b10558065a8fc9deaf69984)
    Author: Jason Mehring <nrgaway@gmail.com>
    Date:   Sat Aug 15 20:13:48 2015 -0400
2015-08-16 08:22:19 -04:00
Marek Marczykowski-Górecki
65e9e4c72c
network: use own iptables service instead of repurposing existing one
There were multiple problems with reusing existing one:
 - need to sync with upstream changes (configuration path etc)
 - conflicts resolution on updates
 - lack of iptables --wait, which causes firewall fail to load sometimes

QubesOS/qubes-issues#1067
2015-08-09 20:09:51 +02:00
Marek Marczykowski-Górecki
13c54badcb
Move /usr/share/qubes/xdg to /var/lib/qubes/xdg
No files in /usr should be modified during package runtime, `/var` is
for that. So move this data there.
2015-08-08 02:01:15 +02:00
Jason Mehring
edc9dd404d fedora: Use 'slider' org.mate.NotificationDaemon theme 2015-08-07 09:20:44 -04:00
Jason Mehring
b6c19fc2ef qubes-desktop-file-install: Manages xdg desktop entry files
qubes-desktop-file-install is called by qubes-triggers-desktop-file-install. It's
arguments are based on the Gnome desktop-install-file utility to allow it to be replaced
by same.  Currently the Gnome utility can not be used since it automatically validates
the .desktop entry files with no option to skip validation and will fail on some third
party .desktop files that are not formed properly.

A single trigger script is shared between Fedora, Debian.  This script is used by the
package managers triggers and will copy original .desktop files from `/etc/xdg/autostart`
to `/usr/share/qubes/xdg/autostart` and modify the OnlyShownIn / NotShownIn, etc.  The
original .desktop files are left untouched and left in place.

Qubes modifies the XDG_CONFIG_DIRS to first include the `/usr/share/qubes/xdg`
directory (XDG_CONFIG_DIRS=/usr/share/qubes/xdg:/etc/xdg).

If a package gets removed, it's desktop entry is also removed from the /usr/share/qubes/xdg
directory.

'qubes-desktop-file-install' options:
   --dir DIR                          Install desktop files to the DIR directory (default: <FILE>)
   --force                            Force overwrite of existing desktop files (default: False)
   --remove-show-in                   Remove the "OnlyShowIn" and "NotShowIn" entries from the desktop file (default: False)
   --remove-key KEY                   Remove the KEY key from the desktop files, if present
   --set-key (KEY VALUE)              Set the KEY key to VALUE
   --remove-only-show-in ENVIRONMENT  Remove ENVIRONMENT from the list of desktop environment where the desktop files should be displayed
   --add-only-show-in ENVIRONMENT     Add ENVIRONMENT to the list of desktop environment where the desktop files should be displayed
   --remove-not-show-in ENVIRONMENT   Remove ENVIRONMENT from the list of desktop environment where the desktop files should not be displayed
   --add-not-show-in ENVIRONMENT      Add ENVIRONMENT to the list of desktop environment where the desktop files should not be displayed
2015-08-07 09:15:30 -04:00
Marek Marczykowski-Górecki
e9e38c04a2
fedora: fix default locale generation
If /etc/locale/conf contains LANG="en_US.UTF-8" (with quotes), it was
improperly parsed.
2015-08-04 23:20:11 +02:00
Marek Marczykowski-Górecki
1ca8b51c03
fedora: simulate preset-all only on first install, not upgrade 2015-08-04 20:42:14 +02:00
Marek Marczykowski-Górecki
050bfe42db
fedora: do not own dropins directories
It may cause conflicts in the future
2015-08-04 18:49:02 +02:00
Jason Mehring
9c53ed7d47 fedora: Add systemd drop-in support which include conditionals to prevent services from starting
Modified core-vm.spec to use drop-ins and removed old code that was using overrides
2015-08-04 10:32:20 -04:00
Jason Mehring
cba9e8f5ca
Remove '.service' from systemd enable loop as unit_name already contains .service in name 2015-08-02 17:45:40 -04:00
Marek Marczykowski-Górecki
916824eb3f qubes-core-vm-kernel-placeholder 1.0-3 2015-07-08 06:09:12 +02:00
Marek Marczykowski-Górecki
3491c1401b kernel-placeholder: prevent xl2tpd from pulling kernel packages 2015-07-02 17:51:12 +02:00
Marek Marczykowski-Górecki
5176228abc fedora/systemd: fix service enabling code
Do not try to enable qubes-update-check.service, it is meant to be
started by qubes-update-check.timer (which is correctly enabled).
2015-06-26 19:57:44 +02:00
Marek Marczykowski-Górecki
3aca3f8c48 fedora: ensure that /etc/sysconfig/iptables exists (Fedora 20)
Even when iptables.service is configured to use different file, the
service would not start when there is no /etc/sysconfig/iptables. Fedora
20 package does not provide it.
2015-06-26 19:54:22 +02:00
Marek Marczykowski-Górecki
0382f84eae rpm: improve setting iptables rules
Instead of overriding /etc/sysconfig/ip{,6}tables, store qubes rules in
/etc/sysconfig/iptables.qubes and configure the service to use that file
instead. This will prevent conflict on that file and also handle upgrades.
2015-06-19 09:42:55 +02:00