From 6b315b1dada7a738c21792b352f1ef017db08dc2 Mon Sep 17 00:00:00 2001 From: ttasket Date: Sun, 12 Jun 2016 12:05:28 -0400 Subject: [PATCH 01/39] Add template reinstall support Issue #2061 Simple implementation checks for --action=reinstall but adds no sanity checks. --- dom0-updates/qubes-dom0-update | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update index a34faf7..57607ff 100755 --- a/dom0-updates/qubes-dom0-update +++ b/dom0-updates/qubes-dom0-update @@ -22,13 +22,11 @@ if [ "$1" = "--help" ]; then exit fi -# Prevent template upgrade - this would override user changes -TEMPLATE_EXCLUDE_OPTS="--exclude=`rpm -qa --qf '%{NAME},' qubes-template-\*`" PKGS= -YUM_OPTS="$TEMPLATE_EXCLUDE_OPTS" +YUM_OPTS= GUI= CHECK_ONLY= -ALL_OPTS="$TEMPLATE_EXCLUDE_OPTS $*" +ALL_OPTS="$*" YUM_ACTION= QVMRUN_OPTS= CLEAN= @@ -63,6 +61,15 @@ while [ $# -gt 0 ]; do shift done +# Prevent template upgrade - this would override user changes - +# but do allow explicit template reinstalls +if [ "$YUM_ACTION" == "reinstall" ] ; then + TEMPLATE_EXCLUDE_OPTS="" +else TEMPLATE_EXCLUDE_OPTS="--exclude=`rpm -qa --qf '%{NAME},' qubes-template-\*`" +fi +YUM_OPTS="$TEMPLATE_EXCLUDE_OPTS $YUM_OPTS" +ALL_OPTS="$TEMPLATE_EXCLUDE_OPTS $ALL_OPTS" + ID=$(id -ur) if [ $ID != 0 -a -z "$GUI" -a -z "$CHECK_ONLY" ] ; then echo "This script should be run as root (when used in console mode), use sudo." >&2 From 17627cdf3caa79cd6b672740e83a32610954dc96 Mon Sep 17 00:00:00 2001 From: ttasket Date: Thu, 16 Jun 2016 07:59:28 -0400 Subject: [PATCH 02/39] Support in-place template reinstalls - for testing This doesn't yet prevent appvms from starting with invalid template during the reinstall, and doesn't deal with the Netvm setting problem. For issue #2061 --- dom0-updates/qubes-dom0-update | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
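Review bot: In [PATCH 01/39], hunk `@@ -63,6 +61,15 @@`, the new test empties `TEMPLATE_EXCLUDE_OPTS` for every `reinstall` action without looking at `$PKGS`, so the `--exclude` guard against overwriting templates is dropped even when no template package was requested; the commit message itself says no sanity checks are added. The guard could stay in place unless a template is actually named, e.g. `if [ "$YUM_ACTION" = "reinstall" ] && [[ "$PKGS" == *qubes-template-* ]]; then`. The test also uses `==` inside `[ ]`, while the existing `--help` test in the first hunk uses `=`; keeping to `=` matches the file and stays portable.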
diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update index 57607ff..bbc72fb 100755 --- a/dom0-updates/qubes-dom0-update +++ b/dom0-updates/qubes-dom0-update @@ -63,9 +63,11 @@ done # Prevent template upgrade - this would override user changes - # but do allow explicit template reinstalls -if [ "$YUM_ACTION" == "reinstall" ] ; then +if [ "$YUM_ACTION" == "reinstall" ] && [[ "$PKGS" == *"qubes-template-"* ]]; then TEMPLATE_EXCLUDE_OPTS="" -else TEMPLATE_EXCLUDE_OPTS="--exclude=`rpm -qa --qf '%{NAME},' qubes-template-\*`" + echo "WARNING: Reinstalling a template will erase files in /home and /rw !" +else + TEMPLATE_EXCLUDE_OPTS="--exclude=`rpm -qa --qf '%{NAME},' qubes-template-\*`" fi YUM_OPTS="$TEMPLATE_EXCLUDE_OPTS $YUM_OPTS" ALL_OPTS="$TEMPLATE_EXCLUDE_OPTS $ALL_OPTS" From 6c7c25d9e7beda65efe32b007020b03ad08a6d56 Mon Sep 17 00:00:00 2001 From: ttasket Date: Sat, 18 Jun 2016 03:02:46 -0400 Subject: [PATCH 03/39] Backup root.img Just in case template %post scriptlet doesn't unlink during reinstall, or if reinstall fails. --- dom0-updates/qubes-dom0-update | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update index bbc72fb..9990367 100755 --- a/dom0-updates/qubes-dom0-update +++ b/dom0-updates/qubes-dom0-update 
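Review bot: In [PATCH 02/39] the added warning is written to stdout and the script carries on at once, so a caller that pipes or discards stdout never sees that the template's /home and /rw are about to be erased. Writing it to stderr keeps it visible: `echo "WARNING: Reinstalling a template will erase files in /home and /rw !" >&2`. The `*"qubes-template-"*` pattern also matches that substring anywhere in `$PKGS`, so any argument that merely contains it lifts the exclude for the whole transaction; how `$PKGS` is assembled is outside this hunk.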
@@ -66,6 +66,17 @@ done if [ "$YUM_ACTION" == "reinstall" ] && [[ "$PKGS" == *"qubes-template-"* ]]; then TEMPLATE_EXCLUDE_OPTS="" echo "WARNING: Reinstalling a template will erase files in /home and /rw !" + + $ONEPKG=`cut -f 1 -d ' ' <<<$PKGS` + if [[ "$ONEPKG" == "qubes-template-"* ]] ; then + # Prepare to backup template root.img in case reinstall doesn't complete. + TEMPLATE=${ONEPKG#qubes-template-} + BAK_TEMPLATE_ROOT=`qvm-prefs $TEMPLATE root_img` || exit 1 + else + echo "ERROR: Specify only one template package for reinstall" + exit 1 + fi + else TEMPLATE_EXCLUDE_OPTS="--exclude=`rpm -qa --qf '%{NAME},' qubes-template-\*`" fi @@ -173,8 +184,25 @@ elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then $guiapp else yum check-update - if [ $? -eq 100 ]; then - yum $YUM_OPTS $YUM_ACTION + if [ $? -eq 100 ]; then # Run yum with options + + if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then + # Backup root.img just in case + echo -n "Renaming template root.img to root.img-bak..." + if mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak" ; then + echo "OK" + else + echo; echo "ERROR: Could not rename root.img" + exit 1 + fi + fi + + yum $YUM_OPTS $YUM_ACTION ; RETCODE=$? + + if [ $RETCODE -eq 0 ] && [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then + # Reinstall went OK, remove backup file. + rm -f "$BAK_TEMPLATE_ROOT-bak" + fi fi fi yum -q check-update && rm -f $UPDATES_STAT_FILE From 8c7a225070f8e360fc5edff43da19cefc8330c46 Mon Sep 17 00:00:00 2001 From: ttasket Date: Sat, 18 Jun 2016 04:22:23 -0400 Subject: [PATCH 04/39] Backup root.img Just in case template %post scriptlet doesn't unlink during reinstall, or if reinstall fails. Fixed PKGS test. --- dom0-updates/qubes-dom0-update | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update index 9990367..9638f22 100755 --- a/dom0-updates/qubes-dom0-update +++ b/dom0-updates/qubes-dom0-update 
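Review bot: In [PATCH 03/39], hunk `@@ -66,6 +66,17 @@`, the line beginning `$ONEPKG=` is not an assignment: the shell expands `$ONEPKG` first and then tries to run the resulting word as a command, so `ONEPKG` stays empty and the branch always ends in the "Specify only one template package" error. It should read `ONEPKG=$(cut -f 1 -d ' ' <<<$PKGS)`; the same broken line is still present as context in [PATCH 04/39]. `$TEMPLATE` is derived from a command-line argument and passed unquoted to `qvm-prefs` in a script meant to run as root, so it should be quoted (`qvm-prefs "$TEMPLATE" root_img`), here and in the later hunks that repeat the call. The error message belongs on stderr.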
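Review bot: In [PATCH 03/39], hunk `@@ -173,8 +184,25 @@`, a non-zero `RETCODE` leaves `root.img` renamed to `root.img-bak` with nothing moving it back, so a failed reinstall can leave the template without a root image. An `else` arm that restores the backup when no new image was created would close that gap, e.g. `[ -e "$BAK_TEMPLATE_ROOT" ] || mv "$BAK_TEMPLATE_ROOT-bak" "$BAK_TEMPLATE_ROOT"`. This arm also calls `yum $YUM_OPTS $YUM_ACTION` without `$PKGS`, while `BAK_TEMPLATE_ROOT` is only set when `$PKGS` names a template, so the backup code may never run here; the enclosing `if` starts outside the hunk, so that is an inference.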
@@ -68,12 +68,12 @@ if [ "$YUM_ACTION" == "reinstall" ] && [[ "$PKGS" == *"qubes-template-"* ]]; the echo "WARNING: Reinstalling a template will erase files in /home and /rw !" $ONEPKG=`cut -f 1 -d ' ' <<<$PKGS` - if [[ "$ONEPKG" == "qubes-template-"* ]] ; then + if [[ "$ONEPKG" == "qubes-template-"* ]] && [[ "$ONEPKG" == "${PKGS#\ }" ]]; then # test "$PKGS" minus space # Prepare to backup template root.img in case reinstall doesn't complete. TEMPLATE=${ONEPKG#qubes-template-} BAK_TEMPLATE_ROOT=`qvm-prefs $TEMPLATE root_img` || exit 1 else - echo "ERROR: Specify only one template package for reinstall" + echo "ERROR: Specify only one package to reinstall template" exit 1 fi @@ -201,6 +201,7 @@ elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then if [ $RETCODE -eq 0 ] && [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then # Reinstall went OK, remove backup file. + echo "Removing $BAK_TEMPLATE_ROOT-bak" rm -f "$BAK_TEMPLATE_ROOT-bak" fi fi From d316624f6120773955859c9c00bcd35b5501947f Mon Sep 17 00:00:00 2001 From: ttasket Date: Sat, 18 Jun 2016 05:24:18 -0400 Subject: [PATCH 05/39] Update qubes-dom0-update --- dom0-updates/qubes-dom0-update | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update index 9638f22..36ce361 100755 --- a/dom0-updates/qubes-dom0-update +++ b/dom0-updates/qubes-dom0-update @@ -71,6 +71,8 @@ if [ "$YUM_ACTION" == "reinstall" ] && [[ "$PKGS" == *"qubes-template-"* ]]; the if [[ "$ONEPKG" == "qubes-template-"* ]] && [[ "$ONEPKG" == "${PKGS#\ }" ]]; then # test "$PKGS" minus space # Prepare to backup template root.img in case reinstall doesn't complete. TEMPLATE=${ONEPKG#qubes-template-} + TEMPLATE_NETVM=`qvm-prefs $TEMPLATE netvm` || exit 1 + if [[ "$TEMPLATE_NETVM" == *"(default)" ]] ; then TEMPLATE_NETVM="default" BAK_TEMPLATE_ROOT=`qvm-prefs $TEMPLATE root_img` || exit 1 else echo "ERROR: Specify only one package to reinstall template" 
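Review bot: In [PATCH 04/39], hunk `@@ -68,12 +68,12 @@`, the single-package check compares `$ONEPKG` with `${PKGS#\ }`, which removes exactly one leading space; a trailing space or a second leading space in `$PKGS` would make a lone template name fail the test. How `$PKGS` is built is outside the hunk, so this is a robustness concern rather than a confirmed failure. Counting words states the intent directly, e.g. `[[ $(wc -w <<<"$PKGS") -eq 1 ]]`. The trailing comment could also say why one package is required (only one `root.img` path is recorded for backup).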
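Review bot: In [PATCH 05/39], hunk `@@ -71,6 +71,8 @@`, the added `if [[ "$TEMPLATE_NETVM" == *"(default)" ]] ; then TEMPLATE_NETVM="default"` has no closing `fi`, so the following `else` attaches to it and the `if` nesting of the script is left unbalanced; bash should refuse to parse the file. Close it on the same line, `if [[ "$TEMPLATE_NETVM" == *"(default)" ]] ; then TEMPLATE_NETVM="default" ; fi`. The test also relies on the human-readable `(default)` suffix printed by `qvm-prefs`, which deserves a comment, since a change in that output format would silently store the wrong netvm value.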
@@ -199,10 +201,13 @@ elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then yum $YUM_OPTS $YUM_ACTION ; RETCODE=$? - if [ $RETCODE -eq 0 ] && [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then - # Reinstall went OK, remove backup file. - echo "Removing $BAK_TEMPLATE_ROOT-bak" - rm -f "$BAK_TEMPLATE_ROOT-bak" + if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then + qvm-prefs -s $TEMPLATE netvm $TEMPLATE_NETVM + if [ $RETCODE -eq 0 ] ; then + # Reinstall went OK, remove backup file. + echo "Removing $BAK_TEMPLATE_ROOT-bak" + rm -f "$BAK_TEMPLATE_ROOT-bak" + fi fi fi fi From 32a4269f4a8400c143d4e3b1c9bf78b21aec64c1 Mon Sep 17 00:00:00 2001 From: ttasket Date: Sat, 18 Jun 2016 12:00:00 -0400 Subject: [PATCH 06/39] Backup root.img Just in case template %post scriptlet doesn't unlink during reinstall, or if reinstall fails. Also preserves Netvm prefs setting. --- dom0-updates/qubes-dom0-update | 55 +++++++++++++++++----------------- 1 file changed, 27 insertions(+), 28 deletions(-) diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update index 36ce361..477a929 100755 --- a/dom0-updates/qubes-dom0-update +++ b/dom0-updates/qubes-dom0-update 
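Review bot: In [PATCH 05/39], hunk `@@ -199,10 +201,13 @@`, `qvm-prefs -s $TEMPLATE netvm $TEMPLATE_NETVM` runs with both values unquoted and its exit status ignored, so a failed restore leaves the reinstalled template with a different network setting (presumably the package default) and prints nothing of its own. A template that silently ends up with another netvm is worth reporting: `qvm-prefs -s "$TEMPLATE" netvm "$TEMPLATE_NETVM" || echo "ERROR: could not restore netvm of $TEMPLATE" >&2`. The enclosing `if`/`elif` chain starts outside the hunk.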
@@ -65,15 +65,15 @@ done # but do allow explicit template reinstalls if [ "$YUM_ACTION" == "reinstall" ] && [[ "$PKGS" == *"qubes-template-"* ]]; then TEMPLATE_EXCLUDE_OPTS="" - echo "WARNING: Reinstalling a template will erase files in /home and /rw !" + echo "WARNING: Reinstalling a template will erase all files in template's /home and /rw !" - $ONEPKG=`cut -f 1 -d ' ' <<<$PKGS` + ONEPKG=`cut -f 1 -d ' ' <<<$PKGS` if [[ "$ONEPKG" == "qubes-template-"* ]] && [[ "$ONEPKG" == "${PKGS#\ }" ]]; then # test "$PKGS" minus space # Prepare to backup template root.img in case reinstall doesn't complete. TEMPLATE=${ONEPKG#qubes-template-} - TEMPLATE_NETVM=`qvm-prefs $TEMPLATE netvm` || exit 1 - if [[ "$TEMPLATE_NETVM" == *"(default)" ]] ; then TEMPLATE_NETVM="default" - BAK_TEMPLATE_ROOT=`qvm-prefs $TEMPLATE root_img` || exit 1 + TEMPLATE_NETVM=`qvm-prefs --force-root $TEMPLATE netvm` || exit 1 + [[ "$TEMPLATE_NETVM" == *"(default)" ]] && TEMPLATE_NETVM="default" + BAK_TEMPLATE_ROOT=`qvm-prefs --force-root $TEMPLATE root_img` || exit 1 else echo "ERROR: Specify only one package to reinstall template" exit 1 @@ -179,7 +179,27 @@ if [ -z "$YUM_ACTION" ]; then fi if [ "x$PKGS" != "x" ]; then - yum $YUM_OPTS $YUM_ACTION $PKGS + if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then + # Backup root.img just in case + echo -n "Renaming template root.img to root.img-bak..." + if mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak" ; then + echo "OK" + else + echo; echo "ERROR: Could not rename root.img" + exit 1 + fi + fi + + yum $YUM_OPTS $YUM_ACTION $PKGS ; RETCODE=$? + + if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then + qvm-prefs --force-root -s $TEMPLATE netvm $TEMPLATE_NETVM + if [ $RETCODE -eq 0 ] ; then + # Reinstall went OK, remove backup file. + echo "Removing $BAK_TEMPLATE_ROOT-bak" + rm -f "$BAK_TEMPLATE_ROOT-bak" + fi + fi elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then # Above file exists only when at least one package was downloaded if [ "$GUI" == "1" ]; then 
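Review bot: In [PATCH 06/39], hunk `@@ -179,7 +179,27 @@`, `mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak"` overwrites an existing `root.img-bak` without asking. At this point in the series a failed reinstall leaves the backup in place, so a second attempt would replace the last good image with whatever `root.img` the failed run left behind, if any. Refusing to start while a backup exists avoids that: `[ -e "$BAK_TEMPLATE_ROOT-bak" ] && { echo "ERROR: $BAK_TEMPLATE_ROOT-bak already exists" >&2; exit 1; }`.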
@@ -187,28 +207,7 @@ elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then else yum check-update if [ $? -eq 100 ]; then # Run yum with options - - if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then - # Backup root.img just in case - echo -n "Renaming template root.img to root.img-bak..." - if mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak" ; then - echo "OK" - else - echo; echo "ERROR: Could not rename root.img" - exit 1 - fi - fi - - yum $YUM_OPTS $YUM_ACTION ; RETCODE=$? - - if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then - qvm-prefs -s $TEMPLATE netvm $TEMPLATE_NETVM - if [ $RETCODE -eq 0 ] ; then - # Reinstall went OK, remove backup file. - echo "Removing $BAK_TEMPLATE_ROOT-bak" - rm -f "$BAK_TEMPLATE_ROOT-bak" - fi - fi + yum $YUM_OPTS $YUM_ACTION fi fi yum -q check-update && rm -f $UPDATES_STAT_FILE From 457b275800ed1bb33b76cd58496eedd0a1add749 Mon Sep 17 00:00:00 2001 From: ttasket Date: Mon, 20 Jun 2016 13:36:30 -0400 Subject: [PATCH 07/39] Fix syntax @marmarek This works on my system. --- dom0-updates/qubes-dom0-update | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update index 477a929..f804d76 100755 --- a/dom0-updates/qubes-dom0-update +++ b/dom0-updates/qubes-dom0-update 
@@ -71,9 +71,13 @@ if [ "$YUM_ACTION" == "reinstall" ] && [[ "$PKGS" == *"qubes-template-"* ]]; the if [[ "$ONEPKG" == "qubes-template-"* ]] && [[ "$ONEPKG" == "${PKGS#\ }" ]]; then # test "$PKGS" minus space # Prepare to backup template root.img in case reinstall doesn't complete. TEMPLATE=${ONEPKG#qubes-template-} - TEMPLATE_NETVM=`qvm-prefs --force-root $TEMPLATE netvm` || exit 1 - [[ "$TEMPLATE_NETVM" == *"(default)" ]] && TEMPLATE_NETVM="default" - BAK_TEMPLATE_ROOT=`qvm-prefs --force-root $TEMPLATE root_img` || exit 1 + if ! TEMPLATE_NETVM=`qvm-prefs --force-root $TEMPLATE netvm` \ + || ! BAK_TEMPLATE_ROOT=`qvm-prefs --force-root $TEMPLATE root_img` ; then + exit 1 + fi + if [[ "$TEMPLATE_NETVM" == *"(default)" ]] ; then + TEMPLATE_NETVM="default" + fi else echo "ERROR: Specify only one package to reinstall template" exit 1 @@ -181,11 +185,9 @@ fi if [ "x$PKGS" != "x" ]; then if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then # Backup root.img just in case - echo -n "Renaming template root.img to root.img-bak..." if mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak" ; then - echo "OK" + echo "Renamed template root.img to root.img-bak" else - echo; echo "ERROR: Could not rename root.img" exit 1 fi fi @@ -195,7 +197,7 @@ if [ "x$PKGS" != "x" ]; then if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then qvm-prefs --force-root -s $TEMPLATE netvm $TEMPLATE_NETVM if [ $RETCODE -eq 0 ] ; then - # Reinstall went OK, remove backup file. + # Reinstall went OK, remove backup files. echo "Removing $BAK_TEMPLATE_ROOT-bak" rm -f "$BAK_TEMPLATE_ROOT-bak" fi From 577944c8fb7a307764ff33e7bb2a4d0a90721c3c Mon Sep 17 00:00:00 2001 From: ttasket Date: Mon, 20 Jun 2016 14:04:55 -0400 Subject: [PATCH 08/39] Try to handle private.img (fail) mv and rm private.img like root.img, but this results in no private.img after reinstall. do not use. --- dom0-updates/qubes-dom0-update | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) 
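Review bot: In [PATCH 07/39], hunk `@@ -181,11 +185,9 @@`, the failure arm now exits with status 1 and no message of its own, because the "Could not rename root.img" line was removed; the user sees only whatever `mv` prints. Keeping one line on stderr makes the abort understandable in logs: `echo "ERROR: Could not rename root.img, reinstall aborted" >&2` before the `exit 1`.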
diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update index f804d76..d5d70a4 100755 --- a/dom0-updates/qubes-dom0-update +++ b/dom0-updates/qubes-dom0-update @@ -72,7 +72,8 @@ if [ "$YUM_ACTION" == "reinstall" ] && [[ "$PKGS" == *"qubes-template-"* ]]; the # Prepare to backup template root.img in case reinstall doesn't complete. TEMPLATE=${ONEPKG#qubes-template-} if ! TEMPLATE_NETVM=`qvm-prefs --force-root $TEMPLATE netvm` \ - || ! BAK_TEMPLATE_ROOT=`qvm-prefs --force-root $TEMPLATE root_img` ; then + || ! BAK_TEMPLATE_ROOT=`qvm-prefs --force-root $TEMPLATE root_img` \ + || ! BAK_TEMPLATE_PRIVATE=`qvm-prefs --force-root $TEMPLATE private_img` ; then exit 1 fi if [[ "$TEMPLATE_NETVM" == *"(default)" ]] ; then @@ -184,10 +185,16 @@ fi if [ "x$PKGS" != "x" ]; then if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then - # Backup root.img just in case - if mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak" ; then + # Backup root.img and private.img just in case + if mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak" \ + && mv "$BAK_TEMPLATE_PRIVATE" "$BAK_TEMPLATE_PRIVATE-bak" ; then echo "Renamed template root.img to root.img-bak" + echo "Renamed template private.img to private.img-bak" else + if [ -f "$BAK_TEMPLATE_ROOT-bak" ] ;then + echo "Aborting reinstall; Restoring root.img" + mv "$BAK_TEMPLATE_ROOT-bak" "$BAK_TEMPLATE_ROOT" + fi exit 1 fi fi @@ -200,6 +207,8 @@ if [ "x$PKGS" != "x" ]; then # Reinstall went OK, remove backup files. echo "Removing $BAK_TEMPLATE_ROOT-bak" rm -f "$BAK_TEMPLATE_ROOT-bak" + echo "Removing $BAK_TEMPLATE_PRIVATE-bak" + rm -f "$BAK_TEMPLATE_PRIVATE-bak" fi fi elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then From ef1ab342343a8f6ee0ba831a46589f43a63deb15 Mon Sep 17 00:00:00 2001 
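Review bot: In [PATCH 08/39], hunk `@@ -200,6 +207,8 @@`, `private.img-bak` is deleted as soon as yum returns 0, without checking that a new `private.img` exists; the commit message reports exactly that outcome (no `private.img` after reinstall). Guarding the removal keeps the old image until a replacement is present: `[ -f "$BAK_TEMPLATE_PRIVATE" ] && rm -f "$BAK_TEMPLATE_PRIVATE-bak"`. The surrounding `if` starts outside this hunk.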
From: ttasket Date: Tue, 21 Jun 2016 10:57:57 -0400 Subject: [PATCH 09/39] Re-create private.img if missing This restores the netvm setting and also re-creates private.img if older rpm scriptlet doesn't create it. Issue #2061 --- dom0-updates/qubes-dom0-update | 35 ++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update index d5d70a4..3a8cd36 100755 --- a/dom0-updates/qubes-dom0-update +++ b/dom0-updates/qubes-dom0-update 
@@ -184,31 +184,34 @@ if [ -z "$YUM_ACTION" ]; then fi if [ "x$PKGS" != "x" ]; then - if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then + if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then # Handle template details # Backup root.img and private.img just in case - if mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak" \ - && mv "$BAK_TEMPLATE_PRIVATE" "$BAK_TEMPLATE_PRIVATE-bak" ; then - echo "Renamed template root.img to root.img-bak" - echo "Renamed template private.img to private.img-bak" - else - if [ -f "$BAK_TEMPLATE_ROOT-bak" ] ;then - echo "Aborting reinstall; Restoring root.img" - mv "$BAK_TEMPLATE_ROOT-bak" "$BAK_TEMPLATE_ROOT" - fi - exit 1 - fi + echo "Creating img backup files" + mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak" + mv "$BAK_TEMPLATE_PRIVATE" "$BAK_TEMPLATE_PRIVATE-bak" fi yum $YUM_OPTS $YUM_ACTION $PKGS ; RETCODE=$? - if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then - qvm-prefs --force-root -s $TEMPLATE netvm $TEMPLATE_NETVM + if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then # Handle template details + if [ ! -f "$BAK_TEMPLATE_PRIVATE" ] ; then # Old template script did not create img + echo "--> Creating private.img..." + truncate -s 2G $BAK_TEMPLATE_PRIVATE + mkfs.ext4 -m 0 -q -F $BAK_TEMPLATE_PRIVATE + chown root:qubes $BAK_TEMPLATE_PRIVATE + chmod 0660 $BAK_TEMPLATE_PRIVATE + fi if [ $RETCODE -eq 0 ] ; then # Reinstall went OK, remove backup files. - echo "Removing $BAK_TEMPLATE_ROOT-bak" rm -f "$BAK_TEMPLATE_ROOT-bak" - echo "Removing $BAK_TEMPLATE_PRIVATE-bak" rm -f "$BAK_TEMPLATE_PRIVATE-bak" + else + echo "YUM ERROR: Restoring img files" + mv "$BAK_TEMPLATE_ROOT-bak" "$BAK_TEMPLATE_ROOT" + mv "$BAK_TEMPLATE_PRIVATE-bak" "$BAK_TEMPLATE_PRIVATE" + fi + if ! qvm-prefs --force-root -s $TEMPLATE netvm $TEMPLATE_NETVM ; then + echo "ERROR: NetVM setting could not be restored!" fi fi elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then From fbb58918afb167fa5d1424903e7e61a4219bb2a2 Mon Sep 17 00:00:00 2001 
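Review bot: In [PATCH 09/39], hunk `@@ -184,31 +184,34 @@`, the two backup `mv` calls lost their status checks, so yum now runs even when an image could not be renamed, and the later restore or `rm -f` then acts on files that may not be the expected ones. The new `truncate`, `mkfs.ext4 -F`, `chown` and `chmod` lines also pass `$BAK_TEMPLATE_PRIVATE` unquoted in a script that runs as root, so a path containing whitespace would be split into several targets. Checking both renames and quoting the path, as sketched below, restores the earlier fail-closed behaviour. The same unquoted lines are moved unchanged in [PATCH 10/39].

```shell
    # … unchanged: "Creating img backup files" message …
    mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak" || exit 1
    if ! mv "$BAK_TEMPLATE_PRIVATE" "$BAK_TEMPLATE_PRIVATE-bak" ; then
        # second rename failed: put root.img back before aborting
        mv "$BAK_TEMPLATE_ROOT-bak" "$BAK_TEMPLATE_ROOT"
        exit 1
    fi
    # … unchanged: yum call, RETCODE capture, test for a missing private.img …
        truncate -s 2G "$BAK_TEMPLATE_PRIVATE"
        mkfs.ext4 -m 0 -q -F "$BAK_TEMPLATE_PRIVATE"
        chown root:qubes "$BAK_TEMPLATE_PRIVATE"
        chmod 0660 "$BAK_TEMPLATE_PRIVATE"
```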
From: ttasket Date: Tue, 21 Jun 2016 15:15:34 -0400 Subject: [PATCH 10/39] Fixes Moved create private.img before yum. Shutdown templatevm first -- don't want to query possibly compromised vm running old private.img. Issue #2061 --- dom0-updates/qubes-dom0-update | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update index 3a8cd36..d45626f 100755 --- a/dom0-updates/qubes-dom0-update +++ b/dom0-updates/qubes-dom0-update @@ -71,6 +71,9 @@ if [ "$YUM_ACTION" == "reinstall" ] && [[ "$PKGS" == *"qubes-template-"* ]]; the if [[ "$ONEPKG" == "qubes-template-"* ]] && [[ "$ONEPKG" == "${PKGS#\ }" ]]; then # test "$PKGS" minus space # Prepare to backup template root.img in case reinstall doesn't complete. TEMPLATE=${ONEPKG#qubes-template-} + if qvm-shutdown --wait $TEMPLATE ; then + echo "Template VM halted" + fi if ! TEMPLATE_NETVM=`qvm-prefs --force-root $TEMPLATE netvm` \ || ! BAK_TEMPLATE_ROOT=`qvm-prefs --force-root $TEMPLATE root_img` \ || ! BAK_TEMPLATE_PRIVATE=`qvm-prefs --force-root $TEMPLATE private_img` ; then 
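Review bot: In [PATCH 10/39], hunk `@@ -71,6 +71,9 @@`, a failed `qvm-shutdown --wait $TEMPLATE` is ignored: the `if` only prints "Template VM halted" on success, and the script goes on to rename and recreate the images either way. The commit message gives the reason for the shutdown (not querying a possibly compromised VM still running on the old images), so the failure case should stop the reinstall: `if ! qvm-shutdown --wait "$TEMPLATE" ; then echo "ERROR: could not shut down $TEMPLATE" >&2 ; exit 1 ; fi`. If `qvm-shutdown` also returns non-zero for a template that is already halted, test the VM state explicitly before aborting.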
@@ -189,29 +192,30 @@ if [ "x$PKGS" != "x" ]; then echo "Creating img backup files" mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak" mv "$BAK_TEMPLATE_PRIVATE" "$BAK_TEMPLATE_PRIVATE-bak" + TDIR=`qvm-prefs --force-root $TEMPLATE dir` + rm -f "$TDIR/volatile.img" + echo "--> Creating private.img..." + truncate -s 2G $BAK_TEMPLATE_PRIVATE + mkfs.ext4 -m 0 -q -F $BAK_TEMPLATE_PRIVATE + chown root:qubes $BAK_TEMPLATE_PRIVATE + chmod 0660 $BAK_TEMPLATE_PRIVATE fi yum $YUM_OPTS $YUM_ACTION $PKGS ; RETCODE=$? if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then # Handle template details - if [ ! -f "$BAK_TEMPLATE_PRIVATE" ] ; then # Old template script did not create img - echo "--> Creating private.img..." - truncate -s 2G $BAK_TEMPLATE_PRIVATE - mkfs.ext4 -m 0 -q -F $BAK_TEMPLATE_PRIVATE - chown root:qubes $BAK_TEMPLATE_PRIVATE - chmod 0660 $BAK_TEMPLATE_PRIVATE - fi if [ $RETCODE -eq 0 ] ; then # Reinstall went OK, remove backup files. rm -f "$BAK_TEMPLATE_ROOT-bak" rm -f "$BAK_TEMPLATE_PRIVATE-bak" else - echo "YUM ERROR: Restoring img files" + echo "Yum exit: Restoring img files" mv "$BAK_TEMPLATE_ROOT-bak" "$BAK_TEMPLATE_ROOT" mv "$BAK_TEMPLATE_PRIVATE-bak" "$BAK_TEMPLATE_PRIVATE" fi if ! qvm-prefs --force-root -s $TEMPLATE netvm $TEMPLATE_NETVM ; then echo "ERROR: NetVM setting could not be restored!" + exit 1 fi fi elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then From d9b37eec6c1d6cbf78d8ee2e355c6a0ab58b9cc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 24 Jun 2016 02:24:52 +0200 Subject: [PATCH 11/39] dom0-updates: whitespace fixes --- dom0-updates/qubes-dom0-update | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update index d45626f..0ba56de 100755 --- a/dom0-updates/qubes-dom0-update +++ b/dom0-updates/qubes-dom0-update 
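Review bot: In [PATCH 10/39], hunk `@@ -189,29 +192,30 @@`, `TDIR` is taken from `qvm-prefs` without checking the result, and `rm -f "$TDIR/volatile.img"` then runs as root; if the query fails and `TDIR` is empty, the path collapses to `/volatile.img`. Fail closed on both lines: `TDIR=$(qvm-prefs --force-root "$TEMPLATE" dir) || exit 1` and `rm -f "${TDIR:?}/volatile.img"`. The fresh `private.img` is now created before yum runs, so on a failed reinstall the restoring `mv` overwrites it; that looks intended, but a comment saying so would help the next reader.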
@@ -66,7 +66,7 @@ done if [ "$YUM_ACTION" == "reinstall" ] && [[ "$PKGS" == *"qubes-template-"* ]]; then TEMPLATE_EXCLUDE_OPTS="" echo "WARNING: Reinstalling a template will erase all files in template's /home and /rw !" - + ONEPKG=`cut -f 1 -d ' ' <<<$PKGS` if [[ "$ONEPKG" == "qubes-template-"* ]] && [[ "$ONEPKG" == "${PKGS#\ }" ]]; then # test "$PKGS" minus space # Prepare to backup template root.img in case reinstall doesn't complete. @@ -86,7 +86,7 @@ if [ "$YUM_ACTION" == "reinstall" ] && [[ "$PKGS" == *"qubes-template-"* ]]; the echo "ERROR: Specify only one package to reinstall template" exit 1 fi - + else TEMPLATE_EXCLUDE_OPTS="--exclude=`rpm -qa --qf '%{NAME},' qubes-template-\*`" fi From db8aa6cf15f4b4f715de14219b2bacd9ee554876 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 24 Jun 2016 23:07:32 +0200 Subject: [PATCH 12/39] version 3.2.4 --- version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version b/version index b347b11..351227f 100644 --- a/version +++ b/version @@ -1 +1 @@ -3.2.3 +3.2.4 From e85363da2096dce65ec636dfdc634223fbc9afb1 Mon Sep 17 00:00:00 2001 From: Rusty Bird Date: Sun, 26 Jun 2016 12:36:31 +0000 Subject: [PATCH 13/39] Copy unmodified(!) 60-persistent-storage.rules from Fedora 23 --- system-config/60-persistent-storage.rules | 44 +++++++++++------------ 1 file changed, 20 insertions(+), 24 deletions(-) diff --git a/system-config/60-persistent-storage.rules b/system-config/60-persistent-storage.rules index f8c0253..5ab03fc 100644 --- a/system-config/60-persistent-storage.rules +++ b/system-config/60-persistent-storage.rules 
@@ -3,18 +3,10 @@ # persistent storage links: /dev/disk/{by-id,by-uuid,by-label,by-path} # scheme based on "Linux persistent device names", 2004, Hannes Reinecke -# forward scsi device event to corresponding block device -ACTION=="change", SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST=="block", ATTR{block/*/uevent}="change" - ACTION=="remove", GOTO="persistent_storage_end" -# enable in-kernel media-presence polling -ACTION=="add", SUBSYSTEM=="module", KERNEL=="block", ATTR{parameters/events_dfl_poll_msecs}=="0", ATTR{parameters/events_dfl_poll_msecs}="2000" - SUBSYSTEM!="block", GOTO="persistent_storage_end" - -# skip rules for inappropriate block devices -KERNEL=="loop*|fd*|mtd*|nbd*|gnbd*|btibm*|dm-*|md*|zram*", GOTO="persistent_storage_end" +KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*", GOTO="persistent_storage_end" # ignore partitions that span the entire disk TEST=="whole_disk", GOTO="persistent_storage_end" 
@@ -26,39 +18,43 @@ ENV{DEVTYPE}=="partition", IMPORT{parent}="ID_*" KERNEL=="vd*[!0-9]", ATTRS{serial}=="?*", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/virtio-$env{ID_SERIAL}" KERNEL=="vd*[0-9]", ATTRS{serial}=="?*", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/virtio-$env{ID_SERIAL}-part%n" -# ATA devices using the "scsi" subsystem +# ATA KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="scsi", ATTRS{vendor}=="ATA", IMPORT{program}="ata_id --export $devnode" -# ATA/ATAPI devices (SPC-3 or later) using the "scsi" subsystem + +# ATAPI devices (SPC-3 or later) KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="scsi", ATTRS{type}=="5", ATTRS{scsi_level}=="[6-9]*", IMPORT{program}="ata_id --export $devnode" # Run ata_id on non-removable USB Mass Storage (SATA/PATA disks in enclosures) KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", ATTR{removable}=="0", SUBSYSTEMS=="usb", IMPORT{program}="ata_id --export $devnode" -# Otherwise, fall back to using usb_id for USB devices + +# Fall back usb_id for USB devices KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="usb", IMPORT{builtin}="usb_id" -# scsi devices +# SCSI devices KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", IMPORT{program}="scsi_id --export --whitelisted -d $devnode", ENV{ID_BUS}="scsi" KERNEL=="cciss*", ENV{DEVTYPE}=="disk", ENV{ID_SERIAL}!="?*", IMPORT{program}="scsi_id --export --whitelisted -d $devnode", ENV{ID_BUS}="cciss" KERNEL=="sd*|sr*|cciss*", ENV{DEVTYPE}=="disk", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/$env{ID_BUS}-$env{ID_SERIAL}" KERNEL=="sd*|cciss*", ENV{DEVTYPE}=="partition", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/$env{ID_BUS}-$env{ID_SERIAL}-part%n" -# firewire +# FireWire KERNEL=="sd*[!0-9]|sr*", ATTRS{ieee1394_id}=="?*", SYMLINK+="disk/by-id/ieee1394-$attr{ieee1394_id}" KERNEL=="sd*[0-9]", ATTRS{ieee1394_id}=="?*", SYMLINK+="disk/by-id/ieee1394-$attr{ieee1394_id}-part%n" -KERNEL=="mmcblk[0-9]", SUBSYSTEMS=="mmc", ATTRS{name}=="?*", 
ATTRS{serial}=="?*", ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}" +# MMC +KERNEL=="mmcblk[0-9]", SUBSYSTEMS=="mmc", ATTRS{name}=="?*", ATTRS{serial}=="?*", \ + ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}" KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}-part%n" -KERNEL=="mspblk[0-9]", SUBSYSTEMS=="memstick", ATTRS{name}=="?*", ATTRS{serial}=="?*", ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/memstick-$env{ID_NAME}_$env{ID_SERIAL}" -KERNEL=="mspblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/memstick-$env{ID_NAME}_$env{ID_SERIAL}-part%n" -# by-path (parent device path) +# Memstick +KERNEL=="msblk[0-9]|mspblk[0-9]", SUBSYSTEMS=="memstick", ATTRS{name}=="?*", ATTRS{serial}=="?*", \ + ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/memstick-$env{ID_NAME}_$env{ID_SERIAL}" +KERNEL=="msblk[0-9]p[0-9]|mspblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/memstick-$env{ID_NAME}_$env{ID_SERIAL}-part%n" + +# by-path ENV{DEVTYPE}=="disk", DEVPATH!="*/virtual/*", IMPORT{builtin}="path_id" ENV{DEVTYPE}=="disk", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}" ENV{DEVTYPE}=="partition", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}-part%n" -# skip unpartitioned removable media devices from drivers which do not send "change" events -ENV{DEVTYPE}=="disk", KERNEL!="sd*|sr*", ATTR{removable}=="1", GOTO="persistent_storage_end" - # probe filesystem metadata of optical drives which have a media inserted KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!="?*", ENV{ID_CDROM_MEDIA_TRACK_COUNT_DATA}=="?*", ENV{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}=="?*", \ IMPORT{builtin}="blkid --offset=$env{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}" 
@@ -69,9 +65,6 @@ KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!="?*", ENV{ID_CDROM_MEDIA_TRACK_COUNT_DAT # probe filesystem metadata of disks KERNEL!="sr*", IMPORT{builtin}="blkid" -# watch metadata changes by tools closing the device after writing -KERNEL!="sr*", OPTIONS+="watch" - # by-label/by-uuid links (filesystem metadata) ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{ID_FS_UUID_ENC}=="?*", SYMLINK+="disk/by-uuid/$env{ID_FS_UUID_ENC}" ENV{ID_FS_USAGE}=="filesystem|other", ENV{ID_FS_LABEL_ENC}=="?*", SYMLINK+="disk/by-label/$env{ID_FS_LABEL_ENC}" @@ -84,4 +77,7 @@ ENV{DEVTYPE}=="partition", ENV{ID_WWN_WITH_EXTENSION}=="?*", SYMLINK+="disk/by-i ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_UUID}=="?*", SYMLINK+="disk/by-partuuid/$env{ID_PART_ENTRY_UUID}" ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_NAME}=="?*", SYMLINK+="disk/by-partlabel/$env{ID_PART_ENTRY_NAME}" +# add symlink to GPT root disk +ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_GPT_AUTO_ROOT}=="1", SYMLINK+="gpt-auto-root" + LABEL="persistent_storage_end" From ae7656e348e643d9595820f35771c69e348becd9 Mon Sep 17 00:00:00 2001 From: Rusty Bird Date: Sun, 26 Jun 2016 12:51:20 +0000 Subject: [PATCH 14/39] Don't probe disk contents of loop* or xvd* Adds a standalone rule to the very top of 60-persistent-storage.rules. --- system-config/60-persistent-storage.rules | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/system-config/60-persistent-storage.rules b/system-config/60-persistent-storage.rules index 5ab03fc..38085c2 100644 --- a/system-config/60-persistent-storage.rules +++ b/system-config/60-persistent-storage.rules 
@@ -1,3 +1,9 @@ +# Qubes: Prevent probing of domU controlled disk contents. Note that it would +# nevertheless be insecure to attach block devices from domU to dom0 (xvd*) due +# to automatic kernel partition table scanners -- which are disabled for loop* +# devices created without LO_FLAGS_PARTSCAN. +SUBSYSTEM=="block", KERNEL=="loop*|xvd*", GOTO="persistent_storage_end" + # do not edit this file, it will be overwritten on update # persistent storage links: /dev/disk/{by-id,by-uuid,by-label,by-path} From fe6846d5ebd63c84b4dd5698a93675f09546e80a Mon Sep 17 00:00:00 2001 From: Rusty Bird Date: Sun, 26 Jun 2016 15:17:38 +0000 Subject: [PATCH 15/39] Add AEM services to 75-qubes-dom0.preset They will only start if booted with rd.antievilmaid anyway. --- system-config/75-qubes-dom0.preset | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/system-config/75-qubes-dom0.preset b/system-config/75-qubes-dom0.preset index 2f1c08c..1899e2c 100644 --- a/system-config/75-qubes-dom0.preset +++ b/system-config/75-qubes-dom0.preset @@ -45,4 +45,6 @@ enable qubes-qmemman.service enable qubes-suspend.service enable qubes-setupdvm.service enable qubes-block-cleaner.service - +enable anti-evil-maid-unseal.service +enable anti-evil-maid-check-mount-devs.service +enable anti-evil-maid-seal.service From e90c8a97fff936956b0f1168e6aa455b9011b743 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 14 Jul 2016 04:32:16 +0200 Subject: [PATCH 16/39] appmenus: fix detection of desktop environment In Fedora 23-based dom0, DESKTOP_SESSION environment contains full path to session file, instead of just basename. QubesOS/qubes-issues#1606 --- appmenus-scripts/qubes-core-appmenus.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/appmenus-scripts/qubes-core-appmenus.py b/appmenus-scripts/qubes-core-appmenus.py index f999a3e..6d5aa5a 100644 --- a/appmenus-scripts/qubes-core-appmenus.py 
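Review bot: In [PATCH 14/39], hunk `@@ -1,3 +1,9 @@`, the Qubes-specific rule sits above the upstream banner "do not edit this file, it will be overwritten on update", and [PATCH 13/39] re-syncs this file verbatim from Fedora, so a later re-sync can drop the guard without anyone noticing. A line in the comment block would make that dependency explicit, e.g. `# Qubes: local addition, must be re-applied after every re-sync from upstream`. The rule only short-circuits this rules file; whether other installed udev rules probe `loop*` or `xvd*` contents cannot be told from this diff and is worth confirming separately.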
+++ b/appmenus-scripts/qubes-core-appmenus.py @@ -319,7 +319,7 @@ def QubesVm_label_setter(self, _): # Apparently desktop environments heavily caches the icons, # see #751 for details - if os.environ.get("DESKTOP_SESSION", "") == "kde-plasma": + if "plasma" in os.environ.get("DESKTOP_SESSION", ""): try: os.unlink(os.path.expandvars( "$HOME/.kde/cache-$HOSTNAME/icon-cache.kcache")) @@ -337,7 +337,7 @@ def QubesVm_label_setter(self, _): dbus_interface="org.freedesktop.Notifications") except: pass - elif os.environ.get("DESKTOP_SESSION", "") == "xfce": + elif "xfce" in os.environ.get("DESKTOP_SESSION", ""): self.appmenus_remove() self.appmenus_create() From 7080c0371dc7bf8ea4de43b28adb9808240b98c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 15 Jul 2016 11:31:27 +0200 Subject: [PATCH 17/39] appmenus: force X-Qubes-VM category for all VM-related entries This will ease filtering entries when constructing applications menu. For example '' key used in Xfce4 before looks to introduce some problems. Fixes QubesOS/qubes-issues#2129 --- appmenus-files/qubes-appmenu-select.desktop | 2 +- appmenus-files/qubes-dispvm-firefox.desktop | 2 +- appmenus-files/qubes-start.desktop | 2 +- appmenus-scripts/qubes-receive-appmenus | 3 +++ 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/appmenus-files/qubes-appmenu-select.desktop b/appmenus-files/qubes-appmenu-select.desktop index f2561c4..93a6da7 100644 --- a/appmenus-files/qubes-appmenu-select.desktop +++ b/appmenus-files/qubes-appmenu-select.desktop @@ -7,4 +7,4 @@ Terminal=false Name=%VMNAME%: Add more shortcuts... GenericName=%VMNAME%: Add more shortcuts... StartupNotify=false -Categories=System; +Categories=System;X-Qubes-VM; diff --git a/appmenus-files/qubes-dispvm-firefox.desktop b/appmenus-files/qubes-dispvm-firefox.desktop index 449000c..5710012 100644 --- a/appmenus-files/qubes-dispvm-firefox.desktop +++ b/appmenus-files/qubes-dispvm-firefox.desktop 
@@ -7,4 +7,4 @@ Terminal=false Name=DispVM: Firefox web browser GenericName=DispVM: Web browser StartupNotify=false -Categories=Network; +Categories=Network;X-Qubes-VM; diff --git a/appmenus-files/qubes-start.desktop b/appmenus-files/qubes-start.desktop index a30950b..be55a98 100644 --- a/appmenus-files/qubes-start.desktop +++ b/appmenus-files/qubes-start.desktop @@ -7,4 +7,4 @@ Terminal=false Name=%VMNAME%: Start GenericName=%VMNAME%: Start StartupNotify=false -Categories=System; +Categories=System;X-Qubes-VM; diff --git a/appmenus-scripts/qubes-receive-appmenus b/appmenus-scripts/qubes-receive-appmenus index ab62a2c..75aa0b1 100755 --- a/appmenus-scripts/qubes-receive-appmenus +++ b/appmenus-scripts/qubes-receive-appmenus @@ -213,6 +213,9 @@ def create_template(path, values): if key in values: desktop_entry += "{0}=%VMNAME%: {1}\n".format(key, values[key]) + # force category X-Qubes-VM + values["Categories"] = values.get("Categories", "") + "X-Qubes-VM;" + for key in ["Comment", "Categories"]: if key in values: desktop_entry += "{0}={1}\n".format(key, values[key]) From db32b65d8146ef88175b0dc838c3d16a9a51ffeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 17 Jul 2016 00:00:47 +0200 Subject: [PATCH 18/39] appmenus: add xterm in Disposable VM menu entry Fixes QubesOS/qubes-issues#1612 --- appmenus-files/qubes-dispvm-xterm.desktop | 10 ++++++++++ rpm_spec/core-dom0-linux.spec | 5 +++-- 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 appmenus-files/qubes-dispvm-xterm.desktop diff --git a/appmenus-files/qubes-dispvm-xterm.desktop b/appmenus-files/qubes-dispvm-xterm.desktop new file mode 100644 index 0000000..4d2abbd --- /dev/null +++ b/appmenus-files/qubes-dispvm-xterm.desktop 
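Review bot: In `create_template`, `values.get("Categories", "") + "X-Qubes-VM;"` assumes the received value already ends with `;`. If it does not, the last category and the forced one fuse into a single token such as `NetworkX-Qubes-VM;`, so the entry would not carry `X-Qubes-VM` and menu filtering would miss it. Since the script name suggests these values come from VM-provided .desktop data (validation, if any, is outside the hunk), the separator should be normalised first: `cats = values.get("Categories", "")`, `if cats and not cats.endswith(";"): cats += ";"`, `values["Categories"] = cats + "X-Qubes-VM;"`. The assignment also mutates the caller's `values` dict, which deserves a short comment if it is intended.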
@@ -0,0 +1,10 @@ +[Desktop Entry] +Version=1.0 +Type=Application +Exec=sh -c 'echo xterm | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red' +Icon=dispvm-red +Terminal=false +Name=DispVM: xterm +GenericName=DispVM: Terminal +StartupNotify=false +Categories=Network;X-Qubes-VM; diff --git a/rpm_spec/core-dom0-linux.spec b/rpm_spec/core-dom0-linux.spec index b6e515b..f043a4b 100644 --- a/rpm_spec/core-dom0-linux.spec +++ b/rpm_spec/core-dom0-linux.spec @@ -186,7 +186,7 @@ for i in /usr/share/qubes/icons/*.png ; do done xdg-icon-resource forceupdate -xdg-desktop-menu install /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm-firefox.desktop +xdg-desktop-menu install /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm-*.desktop /usr/lib/qubes/patch-dnf-yum-config @@ -200,7 +200,7 @@ if [ "$1" = 0 ] ; then xdg-icon-resource uninstall --novendor --size 48 $i done - xdg-desktop-menu uninstall /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm-firefox.desktop + xdg-desktop-menu uninstall /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm-*.desktop systemctl disable qubes-suspend.service > /dev/null 2>&1 fi @@ -231,6 +231,7 @@ chmod -x /etc/grub.d/10_linux /usr/libexec/qubes-appmenus/remove-appvm-appmenus.sh /usr/share/qubes-appmenus/qubes-appmenu-select.desktop /usr/share/qubes-appmenus/qubes-dispvm-firefox.desktop +/usr/share/qubes-appmenus/qubes-dispvm-xterm.desktop /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-servicevm.directory.template /usr/share/qubes-appmenus/qubes-start.desktop From 769e70e76a22381727e9f4ab4b8f2a51c24fa228 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 17 Jul 2016 04:57:35 +0200 Subject: [PATCH 19/39] version 3.2.5 --- version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/version b/version index 351227f..5ae69bd 100644 --- a/version +++ b/version @@ -1 +1 @@ -3.2.4 +3.2.5 From 37f92396c4374669cc273cb373ec4f65922b0abe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 21 Jul 2016 13:42:33 +0200 Subject: [PATCH 20/39] install-kernel: handle custom EFI directory Fixes QubesOS/qubes-issues#1676 --- system-config/kernel-xen-efi.install | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/system-config/kernel-xen-efi.install b/system-config/kernel-xen-efi.install index 02773ac..07ce066 100755 --- a/system-config/kernel-xen-efi.install +++ b/system-config/kernel-xen-efi.install @@ -6,7 +6,23 @@ COMMAND="$1" KVER="$2" ESP_MOUNTPOINT=/boot/efi -EFI_DIR="$ESP_MOUNTPOINT/EFI/qubes" + +EFI_DIR=$(efibootmgr -v 2>/dev/null | awk ' + /^BootCurrent:/ { current=$2; } + /^Boot....\* / { + if ("Boot" current "*" == $1) { + sub(".*File\\(", ""); + sub("\\\\xen.efi\\)", ""); + gsub("\\\\", "/"); + print; + } + }') + +if [ -z "$EFI_DIR" ]; then + EFI_DIR="$ESP_MOUNTPOINT/EFI/qubes" +else + EFI_DIR="$ESP_MOUNTPOINT$EFI_DIR" +fi if [ ! -d "$EFI_DIR" ]; then # non-EFI system From e005836286ed4d5615c34608a088a30d9aa7a556 Mon Sep 17 00:00:00 2001 From: Rusty Bird Date: Mon, 15 Aug 2016 04:20:24 +0000 Subject: [PATCH 21/39] qrexec-client: Filter terminal output much more strictly qrexec-client -t/-T (and therefore, qvm-run --pass-io) only handled the escape character, \033. Everything else, such as Unicode and obscure control characters, was passed through from the VM to the dom0 terminal. Instead, replace all bytes except for a benign subset of ASCII. That's still enough to allow progress bars to be drawn (tested using "wget --progress=bar:force" and "pv --force"). --- qrexec/qrexec-client.c | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/qrexec/qrexec-client.c b/qrexec/qrexec-client.c index c062470..8bedb01 100644 
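Review bot: The awk block prints the current boot entry unconditionally, so when the `BootCurrent` entry has no `File(...\xen.efi)` part both `sub()` calls match nothing and the whole efibootmgr line becomes `EFI_DIR`. The script then prefixes it with `$ESP_MOUNTPOINT` and falls into the `# non-EFI system` check, so the previous default of `$ESP_MOUNTPOINT/EFI/qubes` is never tried. Gating the output on the substitutions avoids that: `if (sub(".*File\\(", "") && sub("\\\\xen.efi\\)", "")) { gsub("\\\\", "/"); print; }`. The match is also case-sensitive and the `.` in `xen.efi` is an unescaped regex wildcard, whereas firmware paths on the ESP are case-insensitive. Falling back to the default directory when the derived one does not exist would keep kernel installs working in those cases.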
--- a/qrexec/qrexec-client.c +++ b/qrexec/qrexec-client.c @@ -34,9 +34,9 @@ #include "qrexec.h" #include "libqrexec-utils.h" -// whether qrexec-client should replace ESC with _ before printing the output -int replace_esc_stdout = 0; -int replace_esc_stderr = 0; +// whether qrexec-client should replace problematic bytes with _ before printing the output +int replace_chars_stdout = 0; +int replace_chars_stderr = 0; #define VCHAN_BUFFER_SIZE 65536 @@ -332,12 +332,19 @@ static void handle_input(libvchan_t *vchan) } } -void do_replace_esc(char *buf, int len) { +void do_replace_chars(char *buf, int len) { int i; + unsigned char c; - for (i = 0; i < len; i++) - if (buf[i] == '\033') + for (i = 0; i < len; i++) { + c = buf[i]; + if ((c < '\040' || c > '\176') && /* not printable ASCII */ + (c != '\t') && /* not tab */ + (c != '\n') && /* not newline */ + (c != '\r') && /* not return */ + (c != '\b')) /* not backspace */ buf[i] = '_'; + } } static int handle_vchan_data(libvchan_t *vchan, struct buffer *stdin_buf) @@ -378,8 +385,8 @@ static int handle_vchan_data(libvchan_t *vchan, struct buffer *stdin_buf) case MSG_DATA_STDOUT: if (local_stdin_fd == -1) break; - if (replace_esc_stdout) - do_replace_esc(buf, hdr.len); + if (replace_chars_stdout) + do_replace_chars(buf, hdr.len); if (hdr.len == 0) { /* restore flags, as we may have not the only copy of this file descriptor */ @@ -408,8 +415,8 @@ static int handle_vchan_data(libvchan_t *vchan, struct buffer *stdin_buf) } break; case MSG_DATA_STDERR: - if (replace_esc_stderr) - do_replace_esc(buf, hdr.len); + if (replace_chars_stderr) + do_replace_chars(buf, hdr.len); write_all(2, buf, hdr.len); break; case MSG_DATA_EXIT_CODE: 
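Review bot: The allow-list in `do_replace_chars` keeps `\r` and `\b`, and neither the function nor the `-t`/`-T` usage text says what that leaves open. With those two bytes a VM can still move the cursor back and overwrite text already printed on the current dom0 terminal line. The commit message accepts this for progress bars, but the code should record it so callers do not treat filtered output as trustworthy, for example `/* \r and \b stay allowed for progress bars: VM output can still rewrite the current line, so treat it as untrusted text */` above the condition. Separately, `len` is a signed `int` while the call sites pass `hdr.len`, whose type is not visible here. If that field is unsigned, a `size_t` parameter and index would be the safer signature.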
@@ -542,7 +549,7 @@ static void usage(char *name) "-c request_id,src_domain_name,src_domain_id|" "-e] remote_cmdline\n" "-e means exit after sending cmd,\n" - "-t enables replacing ESC character with '_' in command output, -T is the same for stderr\n" + "-t enables replacing problematic bytes with '_' in command output, -T is the same for stderr\n" "-c: connect to existing process (response to trigger service call)\n" "-w timeout: override default connection timeout of 5s (set 0 for no timeout)\n", name); @@ -666,10 +673,10 @@ int main(int argc, char **argv) is_service = 1; break; case 't': - replace_esc_stdout = 1; + replace_chars_stdout = 1; break; case 'T': - replace_esc_stderr = 1; + replace_chars_stderr = 1; break; case 'w': connection_timeout = atoi(optarg); From c7ad14320ff5e3a37dc420efae308a36f966795b Mon Sep 17 00:00:00 2001 From: Rusty Bird Date: Wed, 17 Aug 2016 13:10:13 +0000 Subject: [PATCH 22/39] qrexec-client: Also allow the bell character --- qrexec/qrexec-client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/qrexec/qrexec-client.c b/qrexec/qrexec-client.c index 8bedb01..10c4d0c 100644 --- a/qrexec/qrexec-client.c +++ b/qrexec/qrexec-client.c @@ -342,7 +342,8 @@ void do_replace_chars(char *buf, int len) { (c != '\t') && /* not tab */ (c != '\n') && /* not newline */ (c != '\r') && /* not return */ - (c != '\b')) /* not backspace */ + (c != '\b') && /* not backspace */ + (c != '\a')) /* not bell */ buf[i] = '_'; } } From 1cee27275e8cc8b385ccee84e9e3a86f65df2d2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Wed, 31 Aug 2016 13:14:55 +0200 Subject: [PATCH 23/39] version 3.2.6 --- version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version b/version index 5ae69bd..34cde56 100644 --- a/version +++ b/version @@ -1 +1 @@ -3.2.5 +3.2.6 From be30203d8185c168fb7b8070759b37a8b7ac0c03 Mon Sep 17 00:00:00 2001 
From: Rusty Bird Date: Mon, 5 Sep 2016 13:57:07 +0000 Subject: [PATCH 24/39] qubes-dom0-update: Show sync and download progress Use "script" (part of util-linux) to fake a dumb terminal in the updatevm, so dnf will show sync and download progress indicators. --- dom0-updates/qubes-dom0-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dom0-updates/qubes-dom0-update b/dom0-updates/qubes-dom0-update index 0ba56de..26d1de3 100755 --- a/dom0-updates/qubes-dom0-update +++ b/dom0-updates/qubes-dom0-update @@ -165,7 +165,7 @@ qvm-run $QVMRUN_OPTS -a $UPDATEVM true || exit 1 tar c /var/lib/rpm /etc/yum.repos.d /etc/yum.conf 2>/dev/null | \ qvm-run -p "$UPDATEVM" 'LC_MESSAGES=C tar x -C /var/lib/qubes/dom0-updates 2>&1 | grep -v -E "s in the future"' -qvm-run $QVMRUN_OPTS --pass-io $UPDATEVM "/usr/lib/qubes/qubes-download-dom0-updates.sh --doit --nogui $ALL_OPTS" +qvm-run $QVMRUN_OPTS --pass-io $UPDATEVM "script --quiet --return --command '/usr/lib/qubes/qubes-download-dom0-updates.sh --doit --nogui $ALL_OPTS' /dev/null" RETCODE=$? if [ "$CHECK_ONLY" == "1" ]; then exit $RETCODE From 2768b22494df8d44e4989bcc81420cc0cc9e01f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 3 Oct 2016 11:50:07 +0200 Subject: [PATCH 25/39] version 3.2.7 --- version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version b/version index 34cde56..406ebcb 100644 --- a/version +++ b/version @@ -1 +1 @@ -3.2.6 +3.2.7 From 1dff6361b7ca1c7b26d52cd00ca0cedceef2ac00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 28 Oct 2016 13:28:04 +0200 Subject: [PATCH 26/39] qrexec: fix "yes to all" for qrexec calls with custom argument If argument-specific policy file do not exists, create one based on generic one. Fixes QubesOS/qubes-issues#2403 Reported by @Rudd-O --- qrexec/qrexec-policy | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
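Review bot: `$ALL_OPTS` is now expanded inside a single-quoted `--command '...'` argument that is itself part of the string handed to the shell in the UpdateVM. Any single quote in the options passed to qubes-dom0-update ends that quoting early, and the remainder is parsed as separate shell words on the remote side. Before this change the options were only subject to one level of remote word splitting. Embedded single quotes in `ALL_OPTS` should be escaped, or the value rejected, before it is interpolated. `$UPDATEVM` is also unquoted on this line although the `tar` pipeline just above uses `"$UPDATEVM"`. Because `script` joins the child's stderr into the pseudo-terminal stream, everything the UpdateVM prints now arrives on dom0's stdout, which is worth a comment next to `--pass-io`.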
diff --git a/qrexec/qrexec-policy b/qrexec/qrexec-policy index 0d236ae..cfb1df9 100755 --- a/qrexec/qrexec-policy +++ b/qrexec/qrexec-policy @@ -9,6 +9,7 @@ import qubes.guihelpers import libvirt from optparse import OptionParser import fcntl +import shutil POLICY_FILE_DIR="/etc/qubes-rpc/policy" # XXX: Backward compatibility, to be removed soon @@ -136,7 +137,12 @@ def confirm_execution(domain, target, service_name): def add_always_allow(domain, target, service_name, options): policy_file=POLICY_FILE_DIR+"/"+service_name if not os.path.isfile(policy_file): - return None + # if we add "always allow" for specifc argument value, base the new + # file on the generic one + policy_file_source = os.path.join(POLICY_FILE_DIR, service_name.split("+")[0]) + if not os.path.isfile(policy_file_source): + return None + shutil.copy2(policy_file_source, policy_file) f = open(policy_file, 'r+') fcntl.flock(f, fcntl.LOCK_EX) lines = [] From c15841c8281e8075ab1f63fcee06ff79089286c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 30 Oct 2016 21:32:21 +0100 Subject: [PATCH 27/39] version 3.2.8 --- version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version b/version index 406ebcb..f092941 100644 --- a/version +++ b/version @@ -1 +1 @@ -3.2.7 +3.2.8 From 610902a5c133786f365c78e4aef34d8e303c8b21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 31 Oct 2016 14:17:47 +0100 Subject: [PATCH 28/39] Revert "qrexec: fix "yes to all" for qrexec calls with custom argument" Do not copy policy file at arbitrary time. This reverts commit 1dff6361b7ca1c7b26d52cd00ca0cedceef2ac00. --- qrexec/qrexec-policy | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/qrexec/qrexec-policy b/qrexec/qrexec-policy index cfb1df9..0d236ae 100755 --- a/qrexec/qrexec-policy +++ b/qrexec/qrexec-policy 
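Review bot: In `add_always_allow` the new `shutil.copy2(policy_file_source, policy_file)` runs before the file is opened and `fcntl.flock(f, fcntl.LOCK_EX)` is taken. Two confirmations for the same service can both see the file as missing, and the later copy can overwrite a policy file the first caller has already extended. The copy also creates a file in `POLICY_FILE_DIR` named after the full `service_name`, including the `+argument` part, which presumably originates from the calling VM. That name should be validated before it is used as a path component (it may happen elsewhere, which cannot be seen from this hunk). Creating the file under a lock that covers the existence check, for instance a lock on the generic policy file, would close the race. The rest of the function is outside the hunk.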
@@ -9,7 +9,6 @@ import qubes.guihelpers import libvirt from optparse import OptionParser import fcntl -import shutil POLICY_FILE_DIR="/etc/qubes-rpc/policy" # XXX: Backward compatibility, to be removed soon @@ -137,12 +136,7 @@ def confirm_execution(domain, target, service_name): def add_always_allow(domain, target, service_name, options): policy_file=POLICY_FILE_DIR+"/"+service_name if not os.path.isfile(policy_file): - # if we add "always allow" for specifc argument value, base the new - # file on the generic one - policy_file_source = os.path.join(POLICY_FILE_DIR, service_name.split("+")[0]) - if not os.path.isfile(policy_file_source): - return None - shutil.copy2(policy_file_source, policy_file) + return None f = open(policy_file, 'r+') fcntl.flock(f, fcntl.LOCK_EX) lines = [] From 35d32aa3d7329c69f94780f3a8ae6686108a9e96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 31 Oct 2016 14:18:21 +0100 Subject: [PATCH 29/39] version 3.2.9 --- version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version b/version index f092941..e650c01 100644 --- a/version +++ b/version @@ -1 +1 @@ -3.2.8 +3.2.9 From e24f3535ff38bf513998594d3840cf50f08c985c Mon Sep 17 00:00:00 2001 From: Jean-Philippe Ouellet Date: Thu, 10 Nov 2016 06:42:39 -0500 Subject: [PATCH 30/39] Keep Makefile DRY --- doc/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/Makefile b/doc/Makefile index 3f6c472..04a923f 100644 --- a/doc/Makefile +++ b/doc/Makefile @@ -21,7 +21,7 @@ install: manpages manpages: $(TOOLS_DOCS) preview: $(rst) - pandoc -s -f rst -t man $(rst) | groff -mandoc -Tlatin1 | less -R + $(PANDOC) $(rst) | groff -mandoc -Tlatin1 | less -R clean: rm -f $(TOOLS_DOCS) From 9b7667c3a57c60655f42ba194d6d1818d0bbb436 Mon Sep 17 00:00:00 2001 
From: Jean-Philippe Ouellet Date: Fri, 11 Nov 2016 16:22:23 -0500 Subject: [PATCH 31/39] Ignore EFI boot args when parsing for filename I need to set some flags in order to boot as described here: https://www.qubes-os.org/doc/uefi-troubleshooting/ My settings look like this: $ efibootmgr -v BootCurrent: 0000 Boot0000* Qubes HD(...)/File(\EFI\qubes\xen.efi)p.l.a.c.e.h.o... which causes awk to get confused and think my $EFI_DIR should be: /EFI/qubesp.l.a.c.e.h.o.l.d.e.r. ./.m.a.p.b.s. ./.n.o.e.x.i.t.b.o.o.t. This causes the script to later bail: if [ ! -d "$EFI_DIR" ]; then # non-EFI system exit 0; fi So my xen.cfg did not get new entries when installing dom0 kernel packages. --- system-config/kernel-xen-efi.install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system-config/kernel-xen-efi.install b/system-config/kernel-xen-efi.install index 07ce066..842eac3 100755 --- a/system-config/kernel-xen-efi.install +++ b/system-config/kernel-xen-efi.install @@ -12,7 +12,7 @@ EFI_DIR=$(efibootmgr -v 2>/dev/null | awk ' /^Boot....\* / { if ("Boot" current "*" == $1) { sub(".*File\\(", ""); - sub("\\\\xen.efi\\)", ""); + sub("\\\\xen.efi\\).*", ""); gsub("\\\\", "/"); print; } From 981a11cee14a10ad90a3f0c8803f956d102f9076 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 18 Nov 2016 02:51:25 +0100 Subject: [PATCH 32/39] qrexec: really do not match 'dom0' at '$anyvm', as documented Design documentation says: 'note string dom0 does not match the $anyvm pattern; all other names do' This behaviour was broken, because 'is not' in python isn't the same as string comparison. In theory this could result in some service erroneously allowed to execute in dom0, but in practice such services are not installed in dom0 at all, so the only impact was misleading error message. Fixes QubesOS/qubes-issues#2031 Reported by @Jeeppler --- qrexec/qrexec-policy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/qrexec/qrexec-policy b/qrexec/qrexec-policy index 0d236ae..f4cfc07 100755 --- a/qrexec/qrexec-policy +++ b/qrexec/qrexec-policy @@ -70,7 +70,7 @@ def read_policy_file(service_name): return policy_list def is_match(item, config_term): - return (item is not "dom0" and config_term == "$anyvm") or item == config_term + return (item != "dom0" and config_term == "$anyvm") or item == config_term def get_default_policy(): dict={} From 73ba5f805b38b67c62b0162c8fd407f3f1e0f2a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 18 Nov 2016 03:17:29 +0100 Subject: [PATCH 33/39] version 3.2.10 --- version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version b/version index e650c01..f15386a 100644 --- a/version +++ b/version @@ -1 +1 @@ -3.2.9 +3.2.10 From be1d984364de9641312f56def13b0af27cfe1cd4 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Ouellet Date: Sat, 26 Nov 2016 21:59:16 -0500 Subject: [PATCH 34/39] Mitigate GUI DoS (part 2: qvm-xkill) Can close windows of a VM while it's paused, and can not accidentally harm dom0 by errant clicking. Discussion in https://github.com/QubesOS/qubes-issues/issues/881 Thanks to rustybird for suggested implementation. --- qvm-xkill | 10 ++++++++++ rpm_spec/core-dom0-linux.spec | 3 +++ 2 files changed, 13 insertions(+) create mode 100644 qvm-xkill diff --git a/qvm-xkill b/qvm-xkill new file mode 100644 index 0000000..25e8316 --- /dev/null +++ b/qvm-xkill @@ -0,0 +1,10 @@ +#!/bin/sh + +set -e + +ID=$(xdotool selectwindow) + +xprop -id "$ID" _QUBES_VMNAME | grep -q ' = ' \ + || { echo "${0##* /}: Not killing dom0 window $ID" >&2; exit 1; } + +xdotool windowkill "$ID" diff --git a/rpm_spec/core-dom0-linux.spec b/rpm_spec/core-dom0-linux.spec index f043a4b..1c57783 100644 --- a/rpm_spec/core-dom0-linux.spec +++ b/rpm_spec/core-dom0-linux.spec 
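Review bot: The new `qvm-xkill` script has no comment explaining that the `_QUBES_VMNAME` test is its safety check. The refusal branch is also taken when `xprop` itself fails, because only `grep`'s status decides the `||`. That is fail-closed, which is the right default, but the message `Not killing dom0 window` is then misleading. A header such as `# Kill only windows carrying _QUBES_VMNAME; anything else is treated as dom0 and refused` would document the intent. A wording like `not a VM window or property unreadable` would match what the check can actually tell. With `set -e`, a cancelled `xdotool selectwindow` exits silently, which may also merit a one-line message.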
@@ -48,6 +48,7 @@ BuildRequires: qubes-libvchan-devel Requires: qubes-core-dom0 Requires: qubes-utils >= 3.1.3 Requires: %{name}-kernel-install +Requires: xdotool %define _builddir %(pwd) @@ -159,6 +160,7 @@ install -m 644 -D system-config/75-qubes-dom0.preset \ $RPM_BUILD_ROOT/usr/lib/systemd/system-preset/75-qubes-dom0.preset install -m 644 -D system-config/99-qubes-default-disable.preset \ $RPM_BUILD_ROOT/usr/lib/systemd/system-preset/99-qubes-default-disable.preset +install -m 755 qvm-xkill $RPM_BUILD_ROOT/usr/bin/ # file copy to VM install -m 755 file-copy-vm/qfile-dom0-agent $RPM_BUILD_ROOT/usr/lib/qubes/ @@ -283,6 +285,7 @@ chmod -x /etc/grub.d/10_linux %config(noreplace) /etc/profile.d/zz-disable-lesspipe /usr/lib/systemd/system-preset/75-qubes-dom0.preset /usr/lib/systemd/system-preset/99-qubes-default-disable.preset +/usr/bin/qvm-xkill # Man %{_mandir}/man1/qvm-*.1* %{_mandir}/man1/qubes-*.1* From e59c863c23f827df2005080a69769f8fc136a2a8 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Ouellet Date: Sat, 26 Nov 2016 23:50:47 -0500 Subject: [PATCH 35/39] Fix a typo Thanks rustybird for catching it. --- qvm-xkill | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qvm-xkill b/qvm-xkill index 25e8316..32bfede 100644 --- a/qvm-xkill +++ b/qvm-xkill @@ -5,6 +5,6 @@ set -e ID=$(xdotool selectwindow) xprop -id "$ID" _QUBES_VMNAME | grep -q ' = ' \ - || { echo "${0##* /}: Not killing dom0 window $ID" >&2; exit 1; } + || { echo "${0##*/}: Not killing dom0 window $ID" >&2; exit 1; } xdotool windowkill "$ID" From c6e1f0536c51627afce1b3e162f738e813648111 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Ouellet Date: Mon, 28 Nov 2016 03:56:45 -0500 Subject: [PATCH 36/39] Move qvm-xkill to new tools/ dir --- rpm_spec/core-dom0-linux.spec | 2 +- qvm-xkill => tools/qvm-xkill | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename qvm-xkill => tools/qvm-xkill (100%) 
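Review bot: Only `Requires: xdotool` is added in the first spec hunk, but the installed `qvm-xkill` also calls `xprop` for its dom0-window check. If `xprop` is not pulled in by another dependency (not visible from this hunk), the `xprop | grep` pipeline fails and the script refuses every window. The package that provides `xprop` on the target dom0 should be listed next to `xdotool`, or a comment should name the existing dependency that is relied on.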
diff --git a/rpm_spec/core-dom0-linux.spec b/rpm_spec/core-dom0-linux.spec index 1c57783..2a6e878 100644 --- a/rpm_spec/core-dom0-linux.spec +++ b/rpm_spec/core-dom0-linux.spec @@ -160,7 +160,7 @@ install -m 644 -D system-config/75-qubes-dom0.preset \ $RPM_BUILD_ROOT/usr/lib/systemd/system-preset/75-qubes-dom0.preset install -m 644 -D system-config/99-qubes-default-disable.preset \ $RPM_BUILD_ROOT/usr/lib/systemd/system-preset/99-qubes-default-disable.preset -install -m 755 qvm-xkill $RPM_BUILD_ROOT/usr/bin/ +install -m 755 tools/qvm-xkill $RPM_BUILD_ROOT/usr/bin/ # file copy to VM install -m 755 file-copy-vm/qfile-dom0-agent $RPM_BUILD_ROOT/usr/lib/qubes/ diff --git a/qvm-xkill b/tools/qvm-xkill similarity index 100% rename from qvm-xkill rename to tools/qvm-xkill From 4d18800bc04fcaf4e5a55a961bbb9a1f447fd4cb Mon Sep 17 00:00:00 2001 From: Rusty Bird Date: Sun, 4 Dec 2016 16:52:18 +0000 Subject: [PATCH 37/39] v2: (dom0) qvm-move-to-vm: don't "rm -rf" vm name argument Fixes QubesOS/qubes-issues#2472 from commit bc29af7c0c5f1a48a17d2218e807497711af181d --- file-copy-vm/qvm-copy-to-vm | 4 ++++ file-copy-vm/qvm-move-to-vm | 24 ------------------------ rpm_spec/core-dom0-linux.spec | 2 +- 3 files changed, 5 insertions(+), 25 deletions(-) delete mode 100644 file-copy-vm/qvm-move-to-vm diff --git a/file-copy-vm/qvm-copy-to-vm b/file-copy-vm/qvm-copy-to-vm index eee5e25..e464e70 100644 --- a/file-copy-vm/qvm-copy-to-vm +++ b/file-copy-vm/qvm-copy-to-vm @@ -37,3 +37,7 @@ mkfifo -- "$RESPONSE" # can't use $@ with --localcmd, and $* would fail on whitespace /usr/lib/qubes/qfile-dom0-agent "$@" <"$RESPONSE" | qvm-run --pass-io "$VM" "QUBESRPC qubes.Filecopy dom0" >"$RESPONSE" + +if [ "${0##*/}" = "qvm-move-to-vm" ]; then + rm -rf -- "$@" +fi diff --git a/file-copy-vm/qvm-move-to-vm b/file-copy-vm/qvm-move-to-vm deleted file mode 100644 index 475530f..0000000 --- a/file-copy-vm/qvm-move-to-vm +++ /dev/null 
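Review bot: The added `rm -rf -- "$@"` in `qvm-copy-to-vm` is not tied to the result of the `qfile-dom0-agent | qvm-run` pipeline above it. The wrapper this commit deletes used `. qvm-copy-to-vm "$@" && rm -rf -- "$@"`. Unless the script enables `set -e` above the hunk, a failed or rejected copy is now followed by deletion of the source files. Ending the pipeline line with `>"$RESPONSE" || exit $?` restores the old behaviour. Without `pipefail` that status still reflects only `qvm-run`, so a failure in `qfile-dom0-agent` alone would go unnoticed, which is worth a comment. The code that removes the VM name from `"$@"` is outside the hunk, so that part cannot be checked here.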
@@ -1,24 +0,0 @@ -#!/bin/bash -# -# The Qubes OS Project, http://www.qubes-os.org -# -# Copyright (C) 2015 Marek Marczykowski-Górecki -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License -# as published by the Free Software Foundation; either version 2 -# of the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# -# - -. qvm-copy-to-vm "$@" && -rm -rf -- "$@" diff --git a/rpm_spec/core-dom0-linux.spec b/rpm_spec/core-dom0-linux.spec index 2a6e878..8865df8 100644 --- a/rpm_spec/core-dom0-linux.spec +++ b/rpm_spec/core-dom0-linux.spec @@ -165,7 +165,7 @@ install -m 755 tools/qvm-xkill $RPM_BUILD_ROOT/usr/bin/ # file copy to VM install -m 755 file-copy-vm/qfile-dom0-agent $RPM_BUILD_ROOT/usr/lib/qubes/ install -m 755 file-copy-vm/qvm-copy-to-vm $RPM_BUILD_ROOT/usr/bin/ -install -m 755 file-copy-vm/qvm-move-to-vm $RPM_BUILD_ROOT/usr/bin/ +ln -s qvm-copy-to-vm $RPM_BUILD_ROOT/usr/bin/qvm-move-to-vm ### Icons mkdir -p $RPM_BUILD_ROOT/usr/share/qubes/icons From 97c13e15f0bde981864f931ad351d8cd4db6a7ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Tue, 6 Dec 2016 01:54:35 +0100 Subject: [PATCH 38/39] travis: remove debootstrap workaround Moved to qubes-builder --- .travis.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index b99d8d4..66bde29 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -2,8 +2,6 @@ sudo: required dist: trusty language: generic install: git clone https://github.com/QubesOS/qubes-builder ~/qubes-builder -# debootstrap in trusty is old... -before_script: sudo ln -s sid /usr/share/debootstrap/scripts/stretch script: ~/qubes-builder/scripts/travis-build env: - DIST_DOM0=fc23 USE_QUBES_REPO_VERSION=3.2 USE_QUBES_REPO_TESTING=1 From 4f0878ccbf8a95f8264b54d2b6f4dc433ca0793a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Tue, 6 Dec 2016 01:55:11 +0100 Subject: [PATCH 39/39] version 3.2.11 --- version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version b/version index f15386a..17ce918 100644 --- a/version +++ b/version @@ -1 +1 @@ -3.2.10 +3.2.11