Commit Graph

361 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
ed434ad63f
systemd: include tor-disabling drop-ins in the package
QubesOS/qubes-issues#1625
2016-07-27 05:19:47 +02:00
Marek Marczykowski-Górecki
90be5be630
systemd: cleanup removed services
Fixes QubesOS/qubes-issues#2192
2016-07-27 05:19:46 +02:00
Marek Marczykowski-Górecki
f4d53fb7e6
Include Qubes Master Key in the VM template
It is useful to verify other qubes-related keys.

Fixes QubesOS/qubes-issues#1614
2016-07-17 04:26:01 +02:00
Marek Marczykowski-Górecki
65f0b26600
systemd: plug random seed loading into systemd-random-seed
Reuse its dependencies to make sure it is loaded early enough.

Reported by @adrelanos
Fixes QubesOS/qubes-issues#1761
2016-07-17 04:26:01 +02:00
Marek Marczykowski-Górecki
10cadc58a0
Revert "systemd: preset xendriverdomain on update"
This doesn't help when xen update is installed after this one. So, deal
with it in xen %post itself.
This reverts commit f2257e1e3b.

QubesOS/qubes-issues#2141
2016-07-16 01:37:12 +02:00
Marek Marczykowski-Górecki
4996dd7609
rpm: fix misleading systemd warnings during upgrade
systemctl preset output lengthy warning when trying to operate on
non-existing unit. This preset action is meant to disable unit, so it's
even better it doesn't exists.
2016-07-13 22:13:17 +02:00
Marek Marczykowski-Górecki
f2257e1e3b
systemd: preset xendriverdomain on update
Make sure it is enabled, regardless of update installation order.
2016-07-13 21:48:42 +02:00
Marek Marczykowski-Górecki
4cb4d656c4
Cleanup R3.1->R3.2 transitional package 2016-05-18 23:42:17 +02:00
Marek Marczykowski-Górecki
19921274e1
Implement qubes.OpenURL service instead of wrapping URLs in HTML
This have many advantages:
 - prevent XSS (QubesOS/qubes-issues#1462)
 - use default browser instead of default HTML viewer
 - better qrexec policy control
 - easier to control where are opened files vs URLs

For now allow only http(s):// and ftp:// addresses (especially prevent
file://). But this list can be easily extended.

QubesOS/qubes-issues#1462
Fixes QubesOS/qubes-issues#1487
2016-05-18 01:32:54 +02:00
Marek Marczykowski-Górecki
7301a898a1
qubes.SuspendPreAll and qubes.SuspendPostAll services
Those services are called just before/after host suspend.

Thanks @adrelanos for help.
Fixes QubesOS/qubes-issues#1663
2016-03-15 23:33:11 +01:00
Marek Marczykowski-Górecki
b1731c2768
rpm: Add bind-dirs.sh to spec file 2016-03-14 16:23:11 +01:00
Marek Marczykowski-Górecki
dca5265958
qubes-open: switch from mimeopen to xdg-open
xdg-open is more robust in choosing default application for particular
file type: it supports fallback if the preferred application isn't
working, and most importantly it support system-wide defaults
(/usr/share/applications/defaults.list,
 /usr/share/applications/mimeapps.list), so no "random" application is
chosen.

By default xdg-open tries to use environment-specific tool, like
gvfs-open - which isn't good for us, because many such tools do not wait
for editor/viewer termination. That would mean that DisposableVM would
be destroyed just after opening the file.
To avoid such effect, we set DE=generic.

Fixes QubesOS/qubes-issues#1621
2016-02-02 03:28:34 +01:00
Marek Marczykowski-Górecki
0211ea5d1d
Move opening file viewer/editor into separate shell script
No functional change.

This will make it easier to switch the tool (without recompiling
vm-file-editor), or even use differrent tools depending on some
conditions.

QubesOS/qubes-issues#1621
2016-02-01 12:17:15 +01:00
Marek Marczykowski-Górecki
d4c238c45e
Unload USB controllers drivers in USB VM before going to sleep
Many USB controllers doesn't play nice with suspend when attached to PV
domain, so unload those drivers by default. This is just a configuration
file, so user is free to change this setting if his/shes particular
controller doesn't have such problem.

Fixes QubesOS/qubes-issues#1565
2016-01-11 19:34:10 +01:00
Marek Marczykowski-Górecki
2478cb5c05
Package DNF plugin for both python2 and python3
DNF in Fedora 22 uses python2, but in Fedora 23 - python3. Package both
of them, in separate packages (according to Fedora packaging guidelines)
and depend on the right one depending on target distribution version.

Fixes QubesOS/qubes-issues#1529
2015-12-23 02:04:26 +01:00
Marek Marczykowski-Górecki
181c15f422
updates-proxy: explicitly block connection looping back to the proxy IP
Explicitly block something like "curl http://10.137.255.254:8082" and
return error page in this case. This error page is used in Whonix to
detect if the proxy is torrified. If not blocked, it may happen that
empty response is returned instead of error. See linked ticket for
details.

Fixes QubesOS/qubes-issues#1482
2015-12-04 14:57:07 +01:00
Marek Marczykowski-Górecki
a11897a1d0
Revert "network: use drop-ins for NetworkManager configuration (#1176)"
Apparently unmanaged devices are loaded only from main
NetworkManager.conf. Exactly the same line pasted (not typed!) to main
NetworkManager.conf works, but in
/etc/NetworkManager/conf.d/30-qubes.conf it doesn't.
BTW There was a typo in option name ("unmanaged_devices" instead of
"unmanaged-devices", but it wasn't the cause).

This reverts commit 6c4831339c.

QubesOS/qubes-issues#1176
2015-11-28 17:43:15 +01:00
Olivier MEDOC
fa081f1dd9 rpm_spec: declare InstallUpdateGUI qrexec_service 2015-11-17 09:46:16 +01:00
Marek Marczykowski-Górecki
69bb71bea0
updates-proxy: disable filtering at all
Since this proxy is used only when explicitly configured in application
(package manager), there is no point in worrying about user
_erroneously_ using web browser through this proxy. If the user really
want to access the network from some other application he/she can always
alter firewall rules for that.

Fixes QubesOS/qubes-issues#1188
2015-11-15 03:57:51 +01:00
Marek Marczykowski-Górecki
13c9149b6c
Use improved update-notify script also in Fedora
Among other things this also fixes build failure - those scripts were
installed but not listed in spec file.

Actual check doesn't perform 'apt-get update', so do that when running
"standalone" (not as a hook from 'apt-get').

QubesOS/qubes-issues#1066
2015-11-13 05:28:47 +01:00
Marek Marczykowski-Górecki
3324307ee2
Merge remote-tracking branch 'origin/pr/46'
* origin/pr/46:
  No longer start /etc/init.d/tinyproxy by default anymore.
2015-11-11 16:04:40 +01:00
Patrick Schleizer
5d6cf722a8
No longer start /etc/init.d/tinyproxy by default anymore.
But allow users to re-enable it through qubes-service framework.
/var/run/qubes-service/tinyproxy

Thanks to @marmarek for helping with this fix!

https://github.com/QubesOS/qubes-issues/issues/1401
2015-11-11 14:57:36 +00:00
Marek Marczykowski-Górecki
e2ab963a27
Minor improvements to packaging (based on rpmlint)
There is much more to fix, but lets start with low hanging fruits.
2015-11-11 15:19:43 +01:00
Marek Marczykowski-Górecki
2a589f2c20
updates-proxy: use separate directory for PID file
And also use systemd-tmpfiles for that directory creation.

Fixes QubesOS/qubes-issues#1401
2015-11-11 05:57:57 +01:00
Marek Marczykowski-Górecki
164387426b
Bump qubes-utils version requirement
Those commits needs updated qubes-utils:
823954c qrexec: use #define for protocol-specified strings
5774c78 qfile-agent: move data handling code to libqubes-rpc-filecopy

QubesOS/qubes-issues#1324
QubesOS/qubes-issues#1392
2015-11-11 05:25:17 +01:00
Marek Marczykowski-Górecki
7cca1b23ee
Get rid of qubes-core-vm-kernel-placeholder
Since /lib/modules is not mounted read-only anymore (only a selected
subdirectory there), it is no longer required to prevent kernel package
installation. Even more - since PV Grub being supported, it makes sense
to have kernel installed in the VM.

QubesOS/qubes-issues#1354
2015-11-11 02:36:57 +01:00
Marek Marczykowski-Górecki
ba28c9f140
fedora: do not require/use yum-plugin-post-transaction-actions in F>=22
Since Fedora 22+ obsoletes yum, do not require yum-specific package to
be installed.

QubesOS/qubes-issues#1282
2015-11-11 02:36:57 +01:00
Marek Marczykowski-Górecki
b6cfcdcc6f
Implement dnf hooks for post-update actions
Similar to previous yum hooks:
 - notify dom0 about installed updates (possibly clear "updates pending"
   marker)
 - trigger appmenus synchronization

QubesOS/qubes-issues#1282
2015-11-11 02:36:57 +01:00
Marek Marczykowski-Górecki
074309e6a3
dracut: disable hostonly mode
Initramfs created in TemplateVM may be used also in AppVMs based on it, so
technically it is different system. Especially it has different devices
mounted (own /rw, own swap etc), so prevent hardcoding UUIDs here.

QubesOS/qubes-issues#1354
2015-11-10 16:36:00 +01:00
Olivier MEDOC
0c33c73b8e dropins: implement dropins for systemd user starting with pulseaudio systemd service and socket masking
Conflicts:
	Makefile
2015-11-07 19:12:30 +01:00
Olivier MEDOC
4b5332081e add DROPINS for org.cups.cupsd systemd files. 2015-11-06 19:36:52 +01:00
Marek Marczykowski-Górecki
c2596a0435
Setup updates proxy in dnf and PackageKit
DNF doesn't support even including another config file, so all the
settings needs to go into `/etc/dnf/dnf.conf`. The same about
PackageKit, which is needed because it doesn't use `dnf.conf`:
http://lists.freedesktop.org/archives/packagekit/2015-September/026389.html

Because that proxy settings goes to so many places now, create a
separate script for that.

QubesOS/qubes-issues#1282
QubesOS/qubes-issues#1197
2015-10-30 15:13:56 +01:00
Marek Marczykowski-Górecki
22365369d2
Require new enough qubes-utils package for updated libqrexec-utils
Required by 97a3793 "qrexec: implement buffered write to a child stdin"
2015-10-24 22:25:19 +02:00
Marek Marczykowski-Górecki
457578280b
rpm: remove duplicated entry 2015-10-24 20:54:17 +02:00
Marek Marczykowski-Górecki
92bec3173a
rpm: add /etc/sysctl.d/20_tcp_timestamps.conf
Missing part of previous commit.

QubesOS/qubes-issues#1344
2015-10-24 20:54:07 +02:00
Patrick Schleizer
f063b4a90f
Renamed qubes-mount-home to qubes-mount-dirs.
Renamed qubes-mount-home service and mount-home.sh script to qubes-mount-dirs service and mount-dirs.sh.
Because mount-home.sh also processed /rw/usrlocal.
preparation to fix the following issues:
- upstream bind-directories functionality to Qubes - https://phabricator.whonix.org/T414
- Bind mount /rw/usrlocal -> /usr/local instead of symlink - https://github.com/QubesOS/qubes-issues/issues/1150
- /bin/sync hangs forever in whonix-ws-dvm - https://github.com/QubesOS/qubes-issues/issues/1328
2015-10-15 20:57:43 +00:00
Patrick Schleizer
2eb0ed2be1
removed trailing spaces 2015-10-15 04:34:55 +02:00
Marek Marczykowski-Górecki
afb70cf040
Add missing R: dconf to hide nm-applet when not used
Without dconf, gsettings uses "memory" backend which isn't saved
anywhere and isn't shared across applications. This makes gsettings
pretty useless.

Fixes QubesOS/qubes-issues#1299
2015-10-10 16:23:47 +02:00
Marek Marczykowski-Górecki
7963fb91c7
systemd: actually enable qubes-random-seed service
QubesOS/qubes-issues#1311
2015-10-10 16:23:46 +02:00
Marek Marczykowski-Górecki
6c4831339c
network: use drop-ins for NetworkManager configuration (#1176)
Do not modify main /etc/NetworkManager/NetworkManager.conf as it would
cause conflicts during updates. Use
/etc/NetworkManager/conf.d/30-qubes.conf instead.
Also remove some dead code for dynamically generated parts (no longer
required to "blacklist" eth0 in VMs - we have proper connection
generated for it). It was commented out for some time already

Fixes QubesOS/qubes-issues#1176
2015-10-06 15:15:26 +02:00
Marek Marczykowski-Górecki
f2222a9b53
Cleanup R3.0->R3.1 transitional package
QubesOS/qubes-issues#1276
2015-10-05 19:06:21 +02:00
Marek Marczykowski-Górecki
8e497bffc0
Merge branch 'qubes-iptables'
Conflicts:
	debian/control
	rpm_spec/core-vm.spec

QubesOS/qubes-issues#1067
2015-10-05 01:47:01 +02:00
Marek Marczykowski-Górecki
2a39adfe0f
Enlarge /tmp and /dev/shm
Initial size of those tmpfs-mounted directories is calculated as 50% of
RAM at VM startup time. Which happen to be quite small number, like
150M. Having such small /tmp and/or /dev/shm apparently isn't enough for
some applications like Google chrome. So set the size statically at 1GB,
which would be the case for baremetal system with 2GB of RAM.

Fixes QubesOS/qubes-issues#1003
2015-10-04 23:07:10 +02:00
Marek Marczykowski-Górecki
c615afb88f
Merge remote-tracking branch 'origin/pr/28'
* origin/pr/28:
  qubes-rpc: fix icon selection using pyxdg and support SVG icons
  qubes-rpc: fix broken temporary file deletion in qubes.GetImageRGBA

Conflicts:
	qubes-rpc/qubes.GetImageRGBA
	rpm_spec/core-vm.spec
2015-09-28 12:47:49 +02:00
Marek Marczykowski-Górecki
3552bc7e41
rpm: add dbus-python dependency
This package is required by lots of stuff in Fedora anyway, but this
doesn't mean that we can have broken dependencies.
2015-09-28 12:22:19 +02:00
qubesuser
7f9fdc8327 qubes-rpc: fix icon selection using pyxdg and support SVG icons 2015-09-06 22:02:27 +02:00
Marek Marczykowski-Górecki
c8ac55b179 Merge branch 'autostart-dropins'
Conflicts:
	misc/qubes-trigger-desktop-file-install

Fixes qubesos/qubes-issues#1151
2015-09-02 01:16:19 +02:00
Marek Marczykowski-Górecki
4703e3fca7
Remove dynamically generated autostart desktop files
qubesos/qubes-issues#1151
2015-08-27 22:08:04 +02:00
Marek Marczykowski-Górecki
3d06ce1ee9
Implement dropins for /etc/xdg/autostart (#1151)
Usage of _static_ files (dropins) to override some of autostart entries
(enable/disable them in appropriate VM types) is much simpler and less
error prone than automatic generators.

Handling code is implemented in qubes-session-autostart, which is called
from qubes-session.

qubesos/qubes-issues#1151
2015-08-27 22:08:00 +02:00
Marek Marczykowski-Górecki
d710970e4d
Move .desktop launching code to python moules so it can be reused 2015-08-27 22:07:59 +02:00