diff --git a/.travis.yml b/.travis.yml
index b99d8d4..66bde29 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,8 +2,6 @@ sudo: required
 dist: trusty
 language: generic
 install: git clone https://github.com/QubesOS/qubes-builder ~/qubes-builder
-# debootstrap in trusty is old...
-before_script: sudo ln -s sid /usr/share/debootstrap/scripts/stretch
 script: ~/qubes-builder/scripts/travis-build
 env:
 - DIST_DOM0=fc23 USE_QUBES_REPO_VERSION=3.2 USE_QUBES_REPO_TESTING=1
diff --git a/appmenus-files/qubes-appmenu-select.desktop b/appmenus-files/qubes-appmenu-select.desktop
index f2561c4..93a6da7 100644
--- a/appmenus-files/qubes-appmenu-select.desktop
+++ b/appmenus-files/qubes-appmenu-select.desktop
@@ -7,4 +7,4 @@ Terminal=false
 Name=%VMNAME%: Add more shortcuts...
 GenericName=%VMNAME%: Add more shortcuts...
 StartupNotify=false
-Categories=System;
+Categories=System;X-Qubes-VM;
diff --git a/appmenus-files/qubes-dispvm-firefox.desktop b/appmenus-files/qubes-dispvm-firefox.desktop
index 449000c..5710012 100644
--- a/appmenus-files/qubes-dispvm-firefox.desktop
+++ b/appmenus-files/qubes-dispvm-firefox.desktop
@@ -7,4 +7,4 @@ Terminal=false
 Name=DispVM: Firefox web browser
 GenericName=DispVM: Web browser
 StartupNotify=false
-Categories=Network;
+Categories=Network;X-Qubes-VM;
diff --git a/appmenus-files/qubes-dispvm-xterm.desktop b/appmenus-files/qubes-dispvm-xterm.desktop
new file mode 100644
index 0000000..4d2abbd
--- /dev/null
+++ b/appmenus-files/qubes-dispvm-xterm.desktop
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Version=1.0
+Type=Application
+Exec=sh -c 'echo xterm | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red'
+Icon=dispvm-red
+Terminal=false
+Name=DispVM: xterm
+GenericName=DispVM: Terminal
+StartupNotify=false
+Categories=Network;X-Qubes-VM;
diff --git a/appmenus-files/qubes-start.desktop b/appmenus-files/qubes-start.desktop
index a30950b..be55a98 100644
--- a/appmenus-files/qubes-start.desktop
+++ b/appmenus-files/qubes-start.desktop
@@ -7,4 +7,4 @@ Terminal=false
 Name=%VMNAME%: Start
 GenericName=%VMNAME%: Start
 StartupNotify=false
-Categories=System;
+Categories=System;X-Qubes-VM;
diff --git a/appmenus-scripts/qubes-core-appmenus.py b/appmenus-scripts/qubes-core-appmenus.py
index f999a3e..6d5aa5a 100644
--- a/appmenus-scripts/qubes-core-appmenus.py
+++ b/appmenus-scripts/qubes-core-appmenus.py
@@ -319,7 +319,7 @@ def QubesVm_label_setter(self, _):
 # Apparently desktop environments heavily caches the icons,
 # see #751 for details
- if os.environ.get("DESKTOP_SESSION", "") == "kde-plasma":
+ if "plasma" in os.environ.get("DESKTOP_SESSION", ""):
 try:
 os.unlink(os.path.expandvars(
 "$HOME/.kde/cache-$HOSTNAME/icon-cache.kcache"))
@@ -337,7 +337,7 @@ def QubesVm_label_setter(self, _):
 dbus_interface="org.freedesktop.Notifications")
 except:
 pass
- elif os.environ.get("DESKTOP_SESSION", "") == "xfce":
+ elif "xfce" in os.environ.get("DESKTOP_SESSION", ""):
 self.appmenus_remove()
 self.appmenus_create()
diff --git a/appmenus-scripts/qubes-receive-appmenus b/appmenus-scripts/qubes-receive-appmenus
index ab62a2c..75aa0b1 100755
--- a/appmenus-scripts/qubes-receive-appmenus
+++ b/appmenus-scripts/qubes-receive-appmenus
@@ -213,6 +213,9 @@ def create_template(path, values):
 if key in values:
 desktop_entry += "{0}=%VMNAME%: {1}\n".format(key, values[key])
+ # force category X-Qubes-VM
+ values["Categories"] = values.get("Categories", "") + "X-Qubes-VM;"
+
 for key in ["Comment", "Categories"]:
 if key in values:
 desktop_entry += "{0}={1}\n".format(key, values[key])
diff --git a/doc/Makefile b/doc/Makefile
index 3f6c472..04a923f 100644
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -21,7 +21,7 @@ install: manpages
 manpages: $(TOOLS_DOCS)
 preview: $(rst)
- pandoc -s -f rst -t man $(rst) | groff -mandoc -Tlatin1 | less -R
+ $(PANDOC) $(rst) | groff -mandoc -Tlatin1 | less -R
 clean:
 rm -f $(TOOLS_DOCS)
diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update
index a34faf7..26d1de3 100755
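Review bot: The new `values["Categories"] = values.get("Categories", "") + "X-Qubes-VM;"` line assumes any existing value already ends with `;`; a `Categories=Network` entry without the trailing separator becomes `NetworkX-Qubes-VM;`, which loses the original category and does not add X-Qubes-VM either. Since `values` is presumably parsed from appmenu data sent by the VM, the result should not depend on the sender's formatting: `cats = values.get("Categories", "")`, `if cats and not cats.endswith(";"): cats += ";"`, `values["Categories"] = cats + "X-Qubes-VM;"`. create_template begins before this hunk.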
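Review bot: The `preview` recipe now expands `$(PANDOC)`, but this commit does not define it anywhere in doc/Makefile; if it is not provided by an included file or the environment, make expands it to nothing and the recipe degenerates to `$(rst) | groff ...`, i.e. an attempt to execute the .rst file. If the variable is meant to live in this Makefile, add `PANDOC ?= pandoc -s -f rst -t man` near the top so the previous behaviour remains the default.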
--- a/dom0-updates/qubes-dom0-update
+++ b/dom0-updates/qubes-dom0-update
@@ -22,13 +22,11 @@ if [ "$1" = "--help" ]; then
 exit
 fi
-# Prevent template upgrade - this would override user changes
-TEMPLATE_EXCLUDE_OPTS="--exclude=`rpm -qa --qf '%{NAME},' qubes-template-\*`"
 PKGS=
-YUM_OPTS="$TEMPLATE_EXCLUDE_OPTS"
+YUM_OPTS=
 GUI=
 CHECK_ONLY=
-ALL_OPTS="$TEMPLATE_EXCLUDE_OPTS $*"
+ALL_OPTS="$*"
 YUM_ACTION=
 QVMRUN_OPTS=
 CLEAN=
@@ -63,6 +61,38 @@ while [ $# -gt 0 ]; do
 shift
 done
+# Prevent template upgrade - this would override user changes -
+# but do allow explicit template reinstalls
+if [ "$YUM_ACTION" == "reinstall" ] && [[ "$PKGS" == *"qubes-template-"* ]]; then
+ TEMPLATE_EXCLUDE_OPTS=""
+ echo "WARNING: Reinstalling a template will erase all files in template's /home and /rw !"
+ ONEPKG=`cut -f 1 -d ' ' <<<$PKGS`
+ if [[ "$ONEPKG" == "qubes-template-"* ]] && [[ "$ONEPKG" == "${PKGS#\ }" ]]; then # test "$PKGS" minus space
+ # Prepare to backup template root.img in case reinstall doesn't complete.
+ TEMPLATE=${ONEPKG#qubes-template-}
+ if qvm-shutdown --wait $TEMPLATE ; then
+ echo "Template VM halted"
+ fi
+ if ! TEMPLATE_NETVM=`qvm-prefs --force-root $TEMPLATE netvm` \
+ || ! BAK_TEMPLATE_ROOT=`qvm-prefs --force-root $TEMPLATE root_img` \
+ || ! BAK_TEMPLATE_PRIVATE=`qvm-prefs --force-root $TEMPLATE private_img` ; then
+ exit 1
+ fi
+ if [[ "$TEMPLATE_NETVM" == *"(default)" ]] ; then
+ TEMPLATE_NETVM="default"
+ fi
+ else
+ echo "ERROR: Specify only one package to reinstall template"
+ exit 1
+ fi
+
+else
+ TEMPLATE_EXCLUDE_OPTS="--exclude=`rpm -qa --qf '%{NAME},' qubes-template-\*`"
+fi
+YUM_OPTS="$TEMPLATE_EXCLUDE_OPTS $YUM_OPTS"
+ALL_OPTS="$TEMPLATE_EXCLUDE_OPTS $ALL_OPTS"
+
 ID=$(id -ur)
 if [ $ID != 0 -a -z "$GUI" -a -z "$CHECK_ONLY" ] ; then
 echo "This script should be run as root (when used in console mode), use sudo." >&2
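Review bot: A failing `qvm-shutdown --wait $TEMPLATE` is not fatal in the new reinstall branch: only the success case prints "Template VM halted", and the script goes on to record the root_img/private_img paths that a later hunk of this file renames and reformats while the template may still be running. The halt should be verified before those paths are taken, aborting with a message otherwise, in the same way the three `qvm-prefs` lookups already `exit 1` on failure. `$TEMPLATE`, derived from `${ONEPKG#qubes-template-}`, is also used unquoted in every command while the surrounding `[[ ... ]]` tests quote `$PKGS`; quoting it consistently costs nothing.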
@@ -135,7 +165,7 @@ qvm-run $QVMRUN_OPTS -a $UPDATEVM true || exit 1
 tar c /var/lib/rpm /etc/yum.repos.d /etc/yum.conf 2>/dev/null | \
 qvm-run -p "$UPDATEVM" 'LC_MESSAGES=C tar x -C /var/lib/qubes/dom0-updates 2>&1 | grep -v -E "s in the future"'
-qvm-run $QVMRUN_OPTS --pass-io $UPDATEVM "/usr/lib/qubes/qubes-download-dom0-updates.sh --doit --nogui $ALL_OPTS"
+qvm-run $QVMRUN_OPTS --pass-io $UPDATEVM "script --quiet --return --command '/usr/lib/qubes/qubes-download-dom0-updates.sh --doit --nogui $ALL_OPTS' /dev/null"
 RETCODE=$?
 if [ "$CHECK_ONLY" == "1" ]; then
 exit $RETCODE
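Review bot: The new `qvm-run ... "script --quiet --return --command '... $ALL_OPTS' /dev/null"` line embeds `$ALL_OPTS` inside single quotes of a command string that the UpdateVM's shell re-parses, so an option value containing a single quote now terminates the `--command` argument early, whereas the old line had no such inner quoting layer. Either reject such values in the option loop above or escape the options for the inner shell before building the string. Wrapping the downloader in `script` also turns its output into a terminal stream coming from a less-trusted VM; that is only safe if the `--pass-io` path filters control bytes (the replacement qrexec-client's `-t` performs, extended in this same commit), which should be confirmed rather than assumed.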
@@ -157,14 +187,44 @@ if [ -z "$YUM_ACTION" ]; then
 fi
 if [ "x$PKGS" != "x" ]; then
- yum $YUM_OPTS $YUM_ACTION $PKGS
+ if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then # Handle template details
+ # Backup root.img and private.img just in case
+ echo "Creating img backup files"
+ mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak"
+ mv "$BAK_TEMPLATE_PRIVATE" "$BAK_TEMPLATE_PRIVATE-bak"
+ TDIR=`qvm-prefs --force-root $TEMPLATE dir`
+ rm -f "$TDIR/volatile.img"
+ echo "--> Creating private.img..."
+ truncate -s 2G $BAK_TEMPLATE_PRIVATE
+ mkfs.ext4 -m 0 -q -F $BAK_TEMPLATE_PRIVATE
+ chown root:qubes $BAK_TEMPLATE_PRIVATE
+ chmod 0660 $BAK_TEMPLATE_PRIVATE
+ fi
+
+ yum $YUM_OPTS $YUM_ACTION $PKGS ; RETCODE=$?
+
+ if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then # Handle template details
+ if [ $RETCODE -eq 0 ] ; then
+ # Reinstall went OK, remove backup files.
+ rm -f "$BAK_TEMPLATE_ROOT-bak"
+ rm -f "$BAK_TEMPLATE_PRIVATE-bak"
+ else
+ echo "Yum exit: Restoring img files"
+ mv "$BAK_TEMPLATE_ROOT-bak" "$BAK_TEMPLATE_ROOT"
+ mv "$BAK_TEMPLATE_PRIVATE-bak" "$BAK_TEMPLATE_PRIVATE"
+ fi
+ if ! qvm-prefs --force-root -s $TEMPLATE netvm $TEMPLATE_NETVM ; then
+ echo "ERROR: NetVM setting could not be restored!"
+ exit 1
+ fi
+ fi
 elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then
 # Above file exists only when at least one package was downloaded
 if [ "$GUI" == "1" ]; then
 $guiapp
 else
 yum check-update
- if [ $? -eq 100 ]; then
+ if [ $? -eq 100 ]; then # Run yum with options
 yum $YUM_OPTS $YUM_ACTION
 fi
 fi
diff --git a/file-copy-vm/qvm-copy-to-vm b/file-copy-vm/qvm-copy-to-vm
index eee5e25..e464e70 100644
--- a/file-copy-vm/qvm-copy-to-vm
+++ b/file-copy-vm/qvm-copy-to-vm
@@ -37,3 +37,7 @@ mkfifo -- "$RESPONSE"
 # can't use $@ with --localcmd, and $* would fail on whitespace
 /usr/lib/qubes/qfile-dom0-agent "$@" <"$RESPONSE" | qvm-run --pass-io "$VM" "QUBESRPC qubes.Filecopy dom0" >"$RESPONSE"
+
+if [ "${0##*/}" = "qvm-move-to-vm" ]; then
+ rm -rf -- "$@"
+fi
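Review bot: In the new backup block the `mv`, `truncate`, `mkfs.ext4`, `chown` and `chmod` calls are unchecked, and nothing in this hunk shows `set -e`, so a failed rename of root.img lets the following `yum reinstall` operate on the live image with nothing to restore afterwards. Test each step, e.g. `mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak" || exit 1`, before yum is invoked. The same variables are quoted in the `mv` lines but unquoted in `truncate`/`mkfs.ext4`/`chown`/`chmod`; make that consistent. An interruption between the `mv` lines and `yum` also leaves the template without a root.img until the `-bak` files are moved back by hand, which deserves a comment or a trap.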
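Review bot: The new `rm -rf -- "$@"` runs whether or not the copy succeeded: the pipeline on the preceding line is not checked, so a denied policy, a failed qrexec connection or an error from qfile-dom0-agent still deletes the source files, whereas the removed qvm-move-to-vm wrapper only deleted after `. qvm-copy-to-vm "$@" &&`. Record the pipeline's result with `copy_status=$?` on the line after it and change the guard to `if [ "${0##*/}" = "qvm-move-to-vm" ] && [ "$copy_status" -eq 0 ]; then`. The script's preamble is outside this hunk; if it does not already use `set -o pipefail`, the status is that of `qvm-run` alone and a failure of the left-hand agent still goes unnoticed, so pipefail belongs with this change.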
diff --git a/file-copy-vm/qvm-move-to-vm b/file-copy-vm/qvm-move-to-vm
deleted file mode 100644
index 475530f..0000000
--- a/file-copy-vm/qvm-move-to-vm
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-#
-# The Qubes OS Project, http://www.qubes-os.org
-#
-# Copyright (C) 2015 Marek Marczykowski-Górecki
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-#
-#
-. qvm-copy-to-vm "$@" &&
-rm -rf -- "$@"
diff --git a/qrexec/qrexec-client.c b/qrexec/qrexec-client.c
index c062470..10c4d0c 100644
--- a/qrexec/qrexec-client.c
+++ b/qrexec/qrexec-client.c
@@ -34,9 +34,9 @@
 #include "qrexec.h"
 #include "libqrexec-utils.h"
-// whether qrexec-client should replace ESC with _ before printing the output
-int replace_esc_stdout = 0;
-int replace_esc_stderr = 0;
+// whether qrexec-client should replace problematic bytes with _ before printing the output
+int replace_chars_stdout = 0;
+int replace_chars_stderr = 0;
 #define VCHAN_BUFFER_SIZE 65536
@@ -332,12 +332,20 @@ static void handle_input(libvchan_t *vchan)
 }
 }
-void do_replace_esc(char *buf, int len) {
+void do_replace_chars(char *buf, int len) {
 int i;
+ unsigned char c;
- for (i = 0; i < len; i++)
- if (buf[i] == '\033')
+ for (i = 0; i < len; i++) {
+ c = buf[i];
+ if ((c < '\040' || c > '\176') && /* not printable ASCII */
+ (c != '\t') && /* not tab */
+ (c != '\n') && /* not newline */
+ (c != '\r') && /* not return */
+ (c != '\b') && /* not backspace */
+ (c != '\a')) /* not bell */
 buf[i] = '_';
+ }
 }
 static int handle_vchan_data(libvchan_t *vchan, struct buffer *stdin_buf)
@@ -378,8 +386,8 @@ static int handle_vchan_data(libvchan_t *vchan, struct buffer *stdin_buf)
 case MSG_DATA_STDOUT:
 if (local_stdin_fd == -1)
 break;
- if (replace_esc_stdout)
- do_replace_esc(buf, hdr.len);
+ if (replace_chars_stdout)
+ do_replace_chars(buf, hdr.len);
 if (hdr.len == 0) {
 /* restore flags, as we may have not the only copy of this file descriptor */
@@ -408,8 +416,8 @@ static int handle_vchan_data(libvchan_t *vchan, struct buffer *stdin_buf)
 }
 break;
 case MSG_DATA_STDERR:
- if (replace_esc_stderr)
- do_replace_esc(buf, hdr.len);
+ if (replace_chars_stderr)
+ do_replace_chars(buf, hdr.len);
 write_all(2, buf, hdr.len);
 break;
 case MSG_DATA_EXIT_CODE:
@@ -542,7 +550,7 @@ static void usage(char *name)
 "-c request_id,src_domain_name,src_domain_id|"
 "-e] remote_cmdline\n"
 "-e means exit after sending cmd,\n"
- "-t enables replacing ESC character with '_' in command output, -T is the same for stderr\n"
+ "-t enables replacing problematic bytes with '_' in command output, -T is the same for stderr\n"
 "-c: connect to existing process (response to trigger service call)\n"
 "-w timeout: override default connection timeout of 5s (set 0 for no timeout)\n",
 name);
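Review bot: `do_replace_chars` keeps `\b` and `\r` in the allow-list, and both let the remote side overwrite text already printed on the terminal, which is the same class of display spoofing the filter exists to prevent; either drop them like ESC or add a comment recording why they are tolerated. Because `c` is `unsigned char`, every byte above 0x7e is also replaced, so UTF-8 output from the VM is rendered as underscores; if that is intended, the comment above `replace_chars_stdout` and the usage text should say so, since the old filter only touched ESC. The function is non-static although it is only called from this file (hunks at 386 and 416); `static void do_replace_chars(char *buf, int len)` would keep it out of the exported symbols.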
@@ -666,10 +674,10 @@ int main(int argc, char **argv)
 is_service = 1;
 break;
 case 't':
- replace_esc_stdout = 1;
+ replace_chars_stdout = 1;
 break;
 case 'T':
- replace_esc_stderr = 1;
+ replace_chars_stderr = 1;
 break;
 case 'w':
 connection_timeout = atoi(optarg);
diff --git a/qrexec/qrexec-policy b/qrexec/qrexec-policy
index 0d236ae..f4cfc07 100755
--- a/qrexec/qrexec-policy
+++ b/qrexec/qrexec-policy
@@ -70,7 +70,7 @@ def read_policy_file(service_name):
 return policy_list
 def is_match(item, config_term):
- return (item is not "dom0" and config_term == "$anyvm") or item == config_term
+ return (item != "dom0" and config_term == "$anyvm") or item == config_term
 def get_default_policy():
 dict={}
diff --git a/rpm_spec/core-dom0-linux.spec b/rpm_spec/core-dom0-linux.spec
index b6e515b..8865df8 100644
--- a/rpm_spec/core-dom0-linux.spec
+++ b/rpm_spec/core-dom0-linux.spec
@@ -48,6 +48,7 @@ BuildRequires: qubes-libvchan-devel
 Requires: qubes-core-dom0
 Requires: qubes-utils >= 3.1.3
 Requires: %{name}-kernel-install
+Requires: xdotool
 %define _builddir %(pwd)
@@ -159,11 +160,12 @@ install -m 644 -D system-config/75-qubes-dom0.preset \
 $RPM_BUILD_ROOT/usr/lib/systemd/system-preset/75-qubes-dom0.preset
 install -m 644 -D system-config/99-qubes-default-disable.preset \
 $RPM_BUILD_ROOT/usr/lib/systemd/system-preset/99-qubes-default-disable.preset
+install -m 755 tools/qvm-xkill $RPM_BUILD_ROOT/usr/bin/
 # file copy to VM
 install -m 755 file-copy-vm/qfile-dom0-agent $RPM_BUILD_ROOT/usr/lib/qubes/
 install -m 755 file-copy-vm/qvm-copy-to-vm $RPM_BUILD_ROOT/usr/bin/
-install -m 755 file-copy-vm/qvm-move-to-vm $RPM_BUILD_ROOT/usr/bin/
+ln -s qvm-copy-to-vm $RPM_BUILD_ROOT/usr/bin/qvm-move-to-vm
 ### Icons
 mkdir -p $RPM_BUILD_ROOT/usr/share/qubes/icons
@@ -186,7 +188,7 @@ for i in /usr/share/qubes/icons/*.png ; do
 done
 xdg-icon-resource forceupdate
-xdg-desktop-menu install /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm-firefox.desktop
+xdg-desktop-menu install /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm-*.desktop
 /usr/lib/qubes/patch-dnf-yum-config
@@ -200,7 +202,7 @@ if [ "$1" = 0 ] ; then
 xdg-icon-resource uninstall --novendor --size 48 $i
 done
- xdg-desktop-menu uninstall /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm-firefox.desktop
+ xdg-desktop-menu uninstall /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm-*.desktop
 systemctl disable qubes-suspend.service > /dev/null 2>&1
 fi
@@ -231,6 +233,7 @@ chmod -x /etc/grub.d/10_linux
 /usr/libexec/qubes-appmenus/remove-appvm-appmenus.sh
 /usr/share/qubes-appmenus/qubes-appmenu-select.desktop
 /usr/share/qubes-appmenus/qubes-dispvm-firefox.desktop
+/usr/share/qubes-appmenus/qubes-dispvm-xterm.desktop
 /usr/share/qubes-appmenus/qubes-dispvm.directory
 /usr/share/qubes-appmenus/qubes-servicevm.directory.template
 /usr/share/qubes-appmenus/qubes-start.desktop
@@ -282,6 +285,7 @@ chmod -x /etc/grub.d/10_linux
 %config(noreplace) /etc/profile.d/zz-disable-lesspipe
 /usr/lib/systemd/system-preset/75-qubes-dom0.preset
 /usr/lib/systemd/system-preset/99-qubes-default-disable.preset
+/usr/bin/qvm-xkill
 # Man
 %{_mandir}/man1/qvm-*.1*
 %{_mandir}/man1/qubes-*.1*
diff --git a/system-config/60-persistent-storage.rules b/system-config/60-persistent-storage.rules
index f8c0253..38085c2 100644
--- a/system-config/60-persistent-storage.rules
+++ b/system-config/60-persistent-storage.rules
@@ -1,20 +1,18 @@
+# Qubes: Prevent probing of domU controlled disk contents. Note that it would
+# nevertheless be insecure to attach block devices from domU to dom0 (xvd*) due
+# to automatic kernel partition table scanners -- which are disabled for loop*
+# devices created without LO_FLAGS_PARTSCAN.
+SUBSYSTEM=="block", KERNEL=="loop*|xvd*", GOTO="persistent_storage_end"
+
 # do not edit this file, it will be overwritten on update
 # persistent storage links: /dev/disk/{by-id,by-uuid,by-label,by-path}
 # scheme based on "Linux persistent device names", 2004, Hannes Reinecke
-# forward scsi device event to corresponding block device
-ACTION=="change", SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST=="block", ATTR{block/*/uevent}="change"
-
 ACTION=="remove", GOTO="persistent_storage_end"
-# enable in-kernel media-presence polling
-ACTION=="add", SUBSYSTEM=="module", KERNEL=="block", ATTR{parameters/events_dfl_poll_msecs}=="0", ATTR{parameters/events_dfl_poll_msecs}="2000"
-
 SUBSYSTEM!="block", GOTO="persistent_storage_end"
-
-# skip rules for inappropriate block devices
-KERNEL=="loop*|fd*|mtd*|nbd*|gnbd*|btibm*|dm-*|md*|zram*", GOTO="persistent_storage_end"
+KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*", GOTO="persistent_storage_end"
 # ignore partitions that span the entire disk
 TEST=="whole_disk", GOTO="persistent_storage_end"
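Review bot: The new `SUBSYSTEM=="block", KERNEL=="loop*|xvd*", GOTO="persistent_storage_end"` rule only skips the remainder of this file, because a udev GOTO label is file-local; any other rules file that runs `blkid`, an `IMPORT{builtin}` or a filesystem-specific helper on block devices (a distribution's btrfs, LVM or device-mapper rules are typical) still processes xvd* and loop* unless it carries an equivalent guard. The comment above the rule should state that its scope is this file, and the other rules files shipped in dom0 should be checked for the same probing as part of this change. Which of those files are present cannot be told from this diff, so this is a point to verify rather than a defect in the rule itself.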
@@ -26,39 +24,43 @@ ENV{DEVTYPE}=="partition", IMPORT{parent}="ID_*"
 KERNEL=="vd*[!0-9]", ATTRS{serial}=="?*", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/virtio-$env{ID_SERIAL}"
 KERNEL=="vd*[0-9]", ATTRS{serial}=="?*", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/virtio-$env{ID_SERIAL}-part%n"
-# ATA devices using the "scsi" subsystem
+# ATA
 KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="scsi", ATTRS{vendor}=="ATA", IMPORT{program}="ata_id --export $devnode"
-# ATA/ATAPI devices (SPC-3 or later) using the "scsi" subsystem
+
+# ATAPI devices (SPC-3 or later)
 KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="scsi", ATTRS{type}=="5", ATTRS{scsi_level}=="[6-9]*", IMPORT{program}="ata_id --export $devnode"
 # Run ata_id on non-removable USB Mass Storage (SATA/PATA disks in enclosures)
 KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", ATTR{removable}=="0", SUBSYSTEMS=="usb", IMPORT{program}="ata_id --export $devnode"
-# Otherwise, fall back to using usb_id for USB devices
+
+# Fall back usb_id for USB devices
 KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="usb", IMPORT{builtin}="usb_id"
-# scsi devices
+# SCSI devices
 KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", IMPORT{program}="scsi_id --export --whitelisted -d $devnode", ENV{ID_BUS}="scsi"
 KERNEL=="cciss*", ENV{DEVTYPE}=="disk", ENV{ID_SERIAL}!="?*", IMPORT{program}="scsi_id --export --whitelisted -d $devnode", ENV{ID_BUS}="cciss"
 KERNEL=="sd*|sr*|cciss*", ENV{DEVTYPE}=="disk", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/$env{ID_BUS}-$env{ID_SERIAL}"
 KERNEL=="sd*|cciss*", ENV{DEVTYPE}=="partition", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/$env{ID_BUS}-$env{ID_SERIAL}-part%n"
-# firewire
+# FireWire
 KERNEL=="sd*[!0-9]|sr*", ATTRS{ieee1394_id}=="?*", SYMLINK+="disk/by-id/ieee1394-$attr{ieee1394_id}"
 KERNEL=="sd*[0-9]", ATTRS{ieee1394_id}=="?*", SYMLINK+="disk/by-id/ieee1394-$attr{ieee1394_id}-part%n"
-KERNEL=="mmcblk[0-9]", SUBSYSTEMS=="mmc", ATTRS{name}=="?*", ATTRS{serial}=="?*", ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}"
+# MMC
+KERNEL=="mmcblk[0-9]", SUBSYSTEMS=="mmc", ATTRS{name}=="?*", ATTRS{serial}=="?*", \
+ ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}"
 KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}-part%n"
-KERNEL=="mspblk[0-9]", SUBSYSTEMS=="memstick", ATTRS{name}=="?*", ATTRS{serial}=="?*", ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/memstick-$env{ID_NAME}_$env{ID_SERIAL}"
-KERNEL=="mspblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/memstick-$env{ID_NAME}_$env{ID_SERIAL}-part%n"
-# by-path (parent device path)
+# Memstick
+KERNEL=="msblk[0-9]|mspblk[0-9]", SUBSYSTEMS=="memstick", ATTRS{name}=="?*", ATTRS{serial}=="?*", \
+ ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/memstick-$env{ID_NAME}_$env{ID_SERIAL}"
+KERNEL=="msblk[0-9]p[0-9]|mspblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/memstick-$env{ID_NAME}_$env{ID_SERIAL}-part%n"
+
+# by-path
 ENV{DEVTYPE}=="disk", DEVPATH!="*/virtual/*", IMPORT{builtin}="path_id"
 ENV{DEVTYPE}=="disk", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}"
 ENV{DEVTYPE}=="partition", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}-part%n"
-# skip unpartitioned removable media devices from drivers which do not send "change" events
-ENV{DEVTYPE}=="disk", KERNEL!="sd*|sr*", ATTR{removable}=="1", GOTO="persistent_storage_end"
-
 # probe filesystem metadata of optical drives which have a media inserted
 KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!="?*", ENV{ID_CDROM_MEDIA_TRACK_COUNT_DATA}=="?*", ENV{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}=="?*", \
 IMPORT{builtin}="blkid --offset=$env{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}"
@@ -69,9 +71,6 @@ KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!="?*", ENV{ID_CDROM_MEDIA_TRACK_COUNT_DAT
 # probe filesystem metadata of disks
 KERNEL!="sr*", IMPORT{builtin}="blkid"
-# watch metadata changes by tools closing the device after writing
-KERNEL!="sr*", OPTIONS+="watch"
-
 # by-label/by-uuid links (filesystem metadata)
 ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{ID_FS_UUID_ENC}=="?*", SYMLINK+="disk/by-uuid/$env{ID_FS_UUID_ENC}"
 ENV{ID_FS_USAGE}=="filesystem|other", ENV{ID_FS_LABEL_ENC}=="?*", SYMLINK+="disk/by-label/$env{ID_FS_LABEL_ENC}"
@@ -84,4 +83,7 @@ ENV{DEVTYPE}=="partition", ENV{ID_WWN_WITH_EXTENSION}=="?*", SYMLINK+="disk/by-i
 ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_UUID}=="?*", SYMLINK+="disk/by-partuuid/$env{ID_PART_ENTRY_UUID}"
 ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_NAME}=="?*", SYMLINK+="disk/by-partlabel/$env{ID_PART_ENTRY_NAME}"
+# add symlink to GPT root disk
+ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_GPT_AUTO_ROOT}=="1", SYMLINK+="gpt-auto-root"
+
 LABEL="persistent_storage_end"
diff --git a/system-config/75-qubes-dom0.preset b/system-config/75-qubes-dom0.preset
index 2f1c08c..1899e2c 100644
--- a/system-config/75-qubes-dom0.preset
+++ b/system-config/75-qubes-dom0.preset
@@ -45,4 +45,6 @@ enable qubes-qmemman.service
 enable qubes-suspend.service
 enable qubes-setupdvm.service
 enable qubes-block-cleaner.service
-
+enable anti-evil-maid-unseal.service
+enable anti-evil-maid-check-mount-devs.service
+enable anti-evil-maid-seal.service
diff --git a/system-config/kernel-xen-efi.install b/system-config/kernel-xen-efi.install
index 02773ac..842eac3 100755
--- a/system-config/kernel-xen-efi.install
+++ b/system-config/kernel-xen-efi.install
@@ -6,7 +6,23 @@ COMMAND="$1"
 KVER="$2"
 ESP_MOUNTPOINT=/boot/efi
-EFI_DIR="$ESP_MOUNTPOINT/EFI/qubes"
+
+EFI_DIR=$(efibootmgr -v 2>/dev/null | awk '
+ /^BootCurrent:/ { current=$2; }
+ /^Boot....\* / {
+ if ("Boot" current "*" == $1) {
+ sub(".*File\\(", "");
+ sub("\\\\xen.efi\\).*", "");
+ gsub("\\\\", "/");
+ print;
+ }
+ }')
+
+if [ -z "$EFI_DIR" ]; then
+ EFI_DIR="$ESP_MOUNTPOINT/EFI/qubes"
+else
+ EFI_DIR="$ESP_MOUNTPOINT$EFI_DIR"
+fi
 if [ ! -d "$EFI_DIR" ]; then
 # non-EFI system
diff --git a/tools/qvm-xkill b/tools/qvm-xkill
new file mode 100644
index 0000000..32bfede
--- /dev/null
+++ b/tools/qvm-xkill
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+ID=$(xdotool selectwindow)
+
+xprop -id "$ID" _QUBES_VMNAME | grep -q ' = ' \
+ || { echo "${0##*/}: Not killing dom0 window $ID" >&2; exit 1; }
+
+xdotool windowkill "$ID"
diff --git a/version b/version
index b347b11..17ce918 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-3.2.3
+3.2.11
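Review bot: The awk extraction keys on the literal `\\xen.efi` loader name of the BootCurrent entry; when the current entry points at a differently named loader the second `sub()` does not fire, `EFI_DIR` is non-empty and ends up as `$ESP_MOUNTPOINT` plus a path that still carries the loader file name and a `)`. The `-z` fallback then does not apply, and the `if [ ! -d "$EFI_DIR" ]` test (whose body continues past the hunk) treats the machine as non-EFI, so the new kernel is silently not installed to the ESP. Validate the extracted value before the `-z` test, for example `case "$EFI_DIR" in /EFI/*) ;; *) EFI_DIR="" ;; esac`, so anything unexpected falls back to `/EFI/qubes`. A one-line comment above the `awk` call describing the `File(\EFI\...\xen.efi)` form it expects would help the next maintainer.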
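Review bot: The guard `xprop -id "$ID" _QUBES_VMNAME | grep -q ' = '` cannot distinguish a window without the property from `xprop` failing outright, and in the latter case the message wrongly reports a dom0 window; because the pipeline sits in a `||` list, `set -e` does not surface the xprop error either. Capture the output first, `props=$(xprop -id "$ID" _QUBES_VMNAME) || exit 1`, and test that string, so a failure is reported as a failure. A short comment stating that `_QUBES_VMNAME` is expected to be present only on windows belonging to a qube would document why the check is considered sufficient.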