QubesOS/qubes-core-admin-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #4 from QubesOS/master

Browse Source 
Update from original
This commit is contained in:
tasket 2017-03-07 02:15:00 -05:00 committed by GitHub
commit 05b57f4960
19 changed files with 176 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@ -2,8 +2,6 @@ sudo: required
dist: trusty dist: trusty
language: generic language: generic
install: git clone https://github.com/QubesOS/qubes-builder ~/qubes-builder install: git clone https://github.com/QubesOS/qubes-builder ~/qubes-builder
# debootstrap in trusty is old...
before_script: sudo ln -s sid /usr/share/debootstrap/scripts/stretch
script: ~/qubes-builder/scripts/travis-build script: ~/qubes-builder/scripts/travis-build
env: env:
- DIST_DOM0=fc23 USE_QUBES_REPO_VERSION=3.2 USE_QUBES_REPO_TESTING=1 - DIST_DOM0=fc23 USE_QUBES_REPO_VERSION=3.2 USE_QUBES_REPO_TESTING=1

2
appmenus-files/qubes-appmenu-select.desktop
View File

@ -7,4 +7,4 @@ Terminal=false
Name=%VMNAME%: Add more shortcuts... Name=%VMNAME%: Add more shortcuts...
GenericName=%VMNAME%: Add more shortcuts... GenericName=%VMNAME%: Add more shortcuts...
StartupNotify=false StartupNotify=false
Categories=System; Categories=System;X-Qubes-VM;

2
appmenus-files/qubes-dispvm-firefox.desktop
View File

@ -7,4 +7,4 @@ Terminal=false
Name=DispVM: Firefox web browser Name=DispVM: Firefox web browser
GenericName=DispVM: Web browser GenericName=DispVM: Web browser
StartupNotify=false StartupNotify=false
Categories=Network; Categories=Network;X-Qubes-VM;

10
appmenus-files/qubes-dispvm-xterm.desktop Normal file
View File

@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Type=Application
Exec=sh -c 'echo xterm | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red'
Icon=dispvm-red
Terminal=false
Name=DispVM: xterm
GenericName=DispVM: Terminal
StartupNotify=false
Categories=Network;X-Qubes-VM;

2
appmenus-files/qubes-start.desktop
View File

@ -7,4 +7,4 @@ Terminal=false
Name=%VMNAME%: Start Name=%VMNAME%: Start
GenericName=%VMNAME%: Start GenericName=%VMNAME%: Start
StartupNotify=false StartupNotify=false
Categories=System; Categories=System;X-Qubes-VM;

4
appmenus-scripts/qubes-core-appmenus.py
View File

@ -319,7 +319,7 @@ def QubesVm_label_setter(self, _):
# Apparently desktop environments heavily caches the icons, # Apparently desktop environments heavily caches the icons,
# see #751 for details # see #751 for details
if os.environ.get("DESKTOP_SESSION", "") == "kde-plasma": if "plasma" in os.environ.get("DESKTOP_SESSION", ""):
try: try:
os.unlink(os.path.expandvars( os.unlink(os.path.expandvars(
"$HOME/.kde/cache-$HOSTNAME/icon-cache.kcache")) "$HOME/.kde/cache-$HOSTNAME/icon-cache.kcache"))
@ -337,7 +337,7 @@ def QubesVm_label_setter(self, _):
dbus_interface="org.freedesktop.Notifications") dbus_interface="org.freedesktop.Notifications")
except: except:
pass pass
elif os.environ.get("DESKTOP_SESSION", "") == "xfce": elif "xfce" in os.environ.get("DESKTOP_SESSION", ""):
self.appmenus_remove() self.appmenus_remove()
self.appmenus_create() self.appmenus_create()

3
appmenus-scripts/qubes-receive-appmenus
View File

@ -213,6 +213,9 @@ def create_template(path, values):
if key in values: if key in values:
desktop_entry += "{0}=%VMNAME%: {1}\n".format(key, values[key]) desktop_entry += "{0}=%VMNAME%: {1}\n".format(key, values[key])
# force category X-Qubes-VM
values["Categories"] = values.get("Categories", "") + "X-Qubes-VM;"
for key in ["Comment", "Categories"]: for key in ["Comment", "Categories"]:
if key in values: if key in values:
desktop_entry += "{0}={1}\n".format(key, values[key]) desktop_entry += "{0}={1}\n".format(key, values[key])

2
doc/Makefile
View File

@ -21,7 +21,7 @@ install: manpages
manpages: $(TOOLS_DOCS) manpages: $(TOOLS_DOCS)
preview: $(rst) preview: $(rst)
pandoc -s -f rst -t man $(rst) | groff -mandoc -Tlatin1 | less -R $(PANDOC) $(rst) | groff -mandoc -Tlatin1 | less -R
clean: clean:
rm -f $(TOOLS_DOCS) rm -f $(TOOLS_DOCS)

74
dom0-updates/qubes-dom0-update
View File

@ -22,13 +22,11 @@ if [ "$1" = "--help" ]; then
exit exit
fi fi
# Prevent template upgrade - this would override user changes
TEMPLATE_EXCLUDE_OPTS="--exclude=`rpm -qa --qf '%{NAME},' qubes-template-\*`"
PKGS= PKGS=
YUM_OPTS="$TEMPLATE_EXCLUDE_OPTS" YUM_OPTS=
GUI= GUI=
CHECK_ONLY= CHECK_ONLY=
ALL_OPTS="$TEMPLATE_EXCLUDE_OPTS $*" ALL_OPTS="$*"
YUM_ACTION= YUM_ACTION=
QVMRUN_OPTS= QVMRUN_OPTS=
CLEAN= CLEAN=
@ -63,6 +61,38 @@ while [ $# -gt 0 ]; do
shift shift
done done
# Prevent template upgrade - this would override user changes -
# but do allow explicit template reinstalls
if [ "$YUM_ACTION" == "reinstall" ] && [[ "$PKGS" == *"qubes-template-"* ]]; then
TEMPLATE_EXCLUDE_OPTS=""
echo "WARNING: Reinstalling a template will erase all files in template's /home and /rw !"
ONEPKG=`cut -f 1 -d ' ' <<<$PKGS`
if [[ "$ONEPKG" == "qubes-template-"* ]] && [[ "$ONEPKG" == "${PKGS#\ }" ]]; then # test "$PKGS" minus space
# Prepare to backup template root.img in case reinstall doesn't complete.
TEMPLATE=${ONEPKG#qubes-template-}
if qvm-shutdown --wait $TEMPLATE ; then
echo "Template VM halted"
fi
if ! TEMPLATE_NETVM=`qvm-prefs --force-root $TEMPLATE netvm` \
|| ! BAK_TEMPLATE_ROOT=`qvm-prefs --force-root $TEMPLATE root_img` \
|| ! BAK_TEMPLATE_PRIVATE=`qvm-prefs --force-root $TEMPLATE private_img` ; then
exit 1
fi
if [[ "$TEMPLATE_NETVM" == *"(default)" ]] ; then
TEMPLATE_NETVM="default"
fi
else
echo "ERROR: Specify only one package to reinstall template"
exit 1
fi
else
TEMPLATE_EXCLUDE_OPTS="--exclude=`rpm -qa --qf '%{NAME},' qubes-template-\*`"
fi
YUM_OPTS="$TEMPLATE_EXCLUDE_OPTS $YUM_OPTS"
ALL_OPTS="$TEMPLATE_EXCLUDE_OPTS $ALL_OPTS"
ID=$(id -ur) ID=$(id -ur)
if [ $ID != 0 -a -z "$GUI" -a -z "$CHECK_ONLY" ] ; then if [ $ID != 0 -a -z "$GUI" -a -z "$CHECK_ONLY" ] ; then
echo "This script should be run as root (when used in console mode), use sudo." >&2 echo "This script should be run as root (when used in console mode), use sudo." >&2
@ -135,7 +165,7 @@ qvm-run $QVMRUN_OPTS -a $UPDATEVM true || exit 1
tar c /var/lib/rpm /etc/yum.repos.d /etc/yum.conf 2>/dev/null | \ tar c /var/lib/rpm /etc/yum.repos.d /etc/yum.conf 2>/dev/null | \
qvm-run -p "$UPDATEVM" 'LC_MESSAGES=C tar x -C /var/lib/qubes/dom0-updates 2>&1 | grep -v -E "s in the future"' qvm-run -p "$UPDATEVM" 'LC_MESSAGES=C tar x -C /var/lib/qubes/dom0-updates 2>&1 | grep -v -E "s in the future"'
qvm-run $QVMRUN_OPTS --pass-io $UPDATEVM "/usr/lib/qubes/qubes-download-dom0-updates.sh --doit --nogui $ALL_OPTS" qvm-run $QVMRUN_OPTS --pass-io $UPDATEVM "script --quiet --return --command '/usr/lib/qubes/qubes-download-dom0-updates.sh --doit --nogui $ALL_OPTS' /dev/null"
RETCODE=$? RETCODE=$?
if [ "$CHECK_ONLY" == "1" ]; then if [ "$CHECK_ONLY" == "1" ]; then
exit $RETCODE exit $RETCODE
@ -157,14 +187,44 @@ if [ -z "$YUM_ACTION" ]; then
fi fi
if [ "x$PKGS" != "x" ]; then if [ "x$PKGS" != "x" ]; then
yum $YUM_OPTS $YUM_ACTION $PKGS if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then # Handle template details
# Backup root.img and private.img just in case
echo "Creating img backup files"
mv "$BAK_TEMPLATE_ROOT" "$BAK_TEMPLATE_ROOT-bak"
mv "$BAK_TEMPLATE_PRIVATE" "$BAK_TEMPLATE_PRIVATE-bak"
TDIR=`qvm-prefs --force-root $TEMPLATE dir`
rm -f "$TDIR/volatile.img"
echo "--> Creating private.img..."
truncate -s 2G $BAK_TEMPLATE_PRIVATE
mkfs.ext4 -m 0 -q -F $BAK_TEMPLATE_PRIVATE
chown root:qubes $BAK_TEMPLATE_PRIVATE
chmod 0660 $BAK_TEMPLATE_PRIVATE
fi
yum $YUM_OPTS $YUM_ACTION $PKGS ; RETCODE=$?
if [[ -n "$BAK_TEMPLATE_ROOT" ]] ; then # Handle template details
if [ $RETCODE -eq 0 ] ; then
# Reinstall went OK, remove backup files.
rm -f "$BAK_TEMPLATE_ROOT-bak"
rm -f "$BAK_TEMPLATE_PRIVATE-bak"
else
echo "Yum exit: Restoring img files"
mv "$BAK_TEMPLATE_ROOT-bak" "$BAK_TEMPLATE_ROOT"
mv "$BAK_TEMPLATE_PRIVATE-bak" "$BAK_TEMPLATE_PRIVATE"
fi
if ! qvm-prefs --force-root -s $TEMPLATE netvm $TEMPLATE_NETVM ; then
echo "ERROR: NetVM setting could not be restored!"
exit 1
fi
fi
elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then
# Above file exists only when at least one package was downloaded # Above file exists only when at least one package was downloaded
if [ "$GUI" == "1" ]; then if [ "$GUI" == "1" ]; then
$guiapp $guiapp
else else
yum check-update yum check-update
if [ $? -eq 100 ]; then if [ $? -eq 100 ]; then # Run yum with options
yum $YUM_OPTS $YUM_ACTION yum $YUM_OPTS $YUM_ACTION
fi fi
fi fi

4
file-copy-vm/qvm-copy-to-vm
View File

@ -37,3 +37,7 @@ mkfifo -- "$RESPONSE"
# can't use $@ with --localcmd, and $* would fail on whitespace # can't use $@ with --localcmd, and $* would fail on whitespace
/usr/lib/qubes/qfile-dom0-agent "$@" <"$RESPONSE" | /usr/lib/qubes/qfile-dom0-agent "$@" <"$RESPONSE" |
qvm-run --pass-io "$VM" "QUBESRPC qubes.Filecopy dom0" >"$RESPONSE" qvm-run --pass-io "$VM" "QUBESRPC qubes.Filecopy dom0" >"$RESPONSE"
if [ "${0##*/}" = "qvm-move-to-vm" ]; then
rm -rf -- "$@"
fi

24
file-copy-vm/qvm-move-to-vm
View File

@ -1,24 +0,0 @@
#!/bin/bash
#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2015 Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#
. qvm-copy-to-vm "$@" &&
rm -rf -- "$@"

34
qrexec/qrexec-client.c
View File

@ -34,9 +34,9 @@
#include "qrexec.h" #include "qrexec.h"
#include "libqrexec-utils.h" #include "libqrexec-utils.h"
// whether qrexec-client should replace ESC with _ before printing the output // whether qrexec-client should replace problematic bytes with _ before printing the output
int replace_esc_stdout = 0; int replace_chars_stdout = 0;
int replace_esc_stderr = 0; int replace_chars_stderr = 0;
#define VCHAN_BUFFER_SIZE 65536 #define VCHAN_BUFFER_SIZE 65536
@ -332,12 +332,20 @@ static void handle_input(libvchan_t *vchan)
} }
} }
void do_replace_esc(char *buf, int len) { void do_replace_chars(char *buf, int len) {
int i; int i;
unsigned char c;
for (i = 0; i < len; i++) for (i = 0; i < len; i++) {
if (buf[i] == '\033') c = buf[i];
if ((c < '\040' || c > '\176') && /* not printable ASCII */
(c != '\t') && /* not tab */
(c != '\n') && /* not newline */
(c != '\r') && /* not return */
(c != '\b') && /* not backspace */
(c != '\a')) /* not bell */
buf[i] = '_'; buf[i] = '_';
}
} }
static int handle_vchan_data(libvchan_t *vchan, struct buffer *stdin_buf) static int handle_vchan_data(libvchan_t *vchan, struct buffer *stdin_buf)
@ -378,8 +386,8 @@ static int handle_vchan_data(libvchan_t *vchan, struct buffer *stdin_buf)
case MSG_DATA_STDOUT: case MSG_DATA_STDOUT:
if (local_stdin_fd == -1) if (local_stdin_fd == -1)
break; break;
if (replace_esc_stdout) if (replace_chars_stdout)
do_replace_esc(buf, hdr.len); do_replace_chars(buf, hdr.len);
if (hdr.len == 0) { if (hdr.len == 0) {
/* restore flags, as we may have not the only copy of this file descriptor /* restore flags, as we may have not the only copy of this file descriptor
*/ */
@ -408,8 +416,8 @@ static int handle_vchan_data(libvchan_t *vchan, struct buffer *stdin_buf)
} }
break; break;
case MSG_DATA_STDERR: case MSG_DATA_STDERR:
if (replace_esc_stderr) if (replace_chars_stderr)
do_replace_esc(buf, hdr.len); do_replace_chars(buf, hdr.len);
write_all(2, buf, hdr.len); write_all(2, buf, hdr.len);
break; break;
case MSG_DATA_EXIT_CODE: case MSG_DATA_EXIT_CODE:
@ -542,7 +550,7 @@ static void usage(char *name)
"-c request_id,src_domain_name,src_domain_id|" "-c request_id,src_domain_name,src_domain_id|"
"-e] remote_cmdline\n" "-e] remote_cmdline\n"
"-e means exit after sending cmd,\n" "-e means exit after sending cmd,\n"
"-t enables replacing ESC character with '_' in command output, -T is the same for stderr\n" "-t enables replacing problematic bytes with '_' in command output, -T is the same for stderr\n"
"-c: connect to existing process (response to trigger service call)\n" "-c: connect to existing process (response to trigger service call)\n"
"-w timeout: override default connection timeout of 5s (set 0 for no timeout)\n", "-w timeout: override default connection timeout of 5s (set 0 for no timeout)\n",
name); name);
@ -666,10 +674,10 @@ int main(int argc, char **argv)
is_service = 1; is_service = 1;
break; break;
case 't': case 't':
replace_esc_stdout = 1; replace_chars_stdout = 1;
break; break;
case 'T': case 'T':
replace_esc_stderr = 1; replace_chars_stderr = 1;
break; break;
case 'w': case 'w':
connection_timeout = atoi(optarg); connection_timeout = atoi(optarg);

2
qrexec/qrexec-policy
View File

@ -70,7 +70,7 @@ def read_policy_file(service_name):
return policy_list return policy_list
def is_match(item, config_term): def is_match(item, config_term):
return (item is not "dom0" and config_term == "$anyvm") or item == config_term return (item != "dom0" and config_term == "$anyvm") or item == config_term
def get_default_policy(): def get_default_policy():
dict={} dict={}

10
rpm_spec/core-dom0-linux.spec
View File

@ -48,6 +48,7 @@ BuildRequires: qubes-libvchan-devel
Requires: qubes-core-dom0 Requires: qubes-core-dom0
Requires: qubes-utils >= 3.1.3 Requires: qubes-utils >= 3.1.3
Requires: %{name}-kernel-install Requires: %{name}-kernel-install
Requires: xdotool
%define _builddir %(pwd) %define _builddir %(pwd)
@ -159,11 +160,12 @@ install -m 644 -D system-config/75-qubes-dom0.preset \
$RPM_BUILD_ROOT/usr/lib/systemd/system-preset/75-qubes-dom0.preset $RPM_BUILD_ROOT/usr/lib/systemd/system-preset/75-qubes-dom0.preset
install -m 644 -D system-config/99-qubes-default-disable.preset \ install -m 644 -D system-config/99-qubes-default-disable.preset \
$RPM_BUILD_ROOT/usr/lib/systemd/system-preset/99-qubes-default-disable.preset $RPM_BUILD_ROOT/usr/lib/systemd/system-preset/99-qubes-default-disable.preset
install -m 755 tools/qvm-xkill $RPM_BUILD_ROOT/usr/bin/
# file copy to VM # file copy to VM
install -m 755 file-copy-vm/qfile-dom0-agent $RPM_BUILD_ROOT/usr/lib/qubes/ install -m 755 file-copy-vm/qfile-dom0-agent $RPM_BUILD_ROOT/usr/lib/qubes/
install -m 755 file-copy-vm/qvm-copy-to-vm $RPM_BUILD_ROOT/usr/bin/ install -m 755 file-copy-vm/qvm-copy-to-vm $RPM_BUILD_ROOT/usr/bin/
install -m 755 file-copy-vm/qvm-move-to-vm $RPM_BUILD_ROOT/usr/bin/ ln -s qvm-copy-to-vm $RPM_BUILD_ROOT/usr/bin/qvm-move-to-vm
### Icons ### Icons
mkdir -p $RPM_BUILD_ROOT/usr/share/qubes/icons mkdir -p $RPM_BUILD_ROOT/usr/share/qubes/icons
@ -186,7 +188,7 @@ for i in /usr/share/qubes/icons/*.png ; do
done done
xdg-icon-resource forceupdate xdg-icon-resource forceupdate
xdg-desktop-menu install /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm-firefox.desktop xdg-desktop-menu install /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm-*.desktop
/usr/lib/qubes/patch-dnf-yum-config /usr/lib/qubes/patch-dnf-yum-config
@ -200,7 +202,7 @@ if [ "$1" = 0 ] ; then
xdg-icon-resource uninstall --novendor --size 48 $i xdg-icon-resource uninstall --novendor --size 48 $i
done done
xdg-desktop-menu uninstall /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm-firefox.desktop xdg-desktop-menu uninstall /usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm-*.desktop
systemctl disable qubes-suspend.service > /dev/null 2>&1 systemctl disable qubes-suspend.service > /dev/null 2>&1
fi fi
@ -231,6 +233,7 @@ chmod -x /etc/grub.d/10_linux
/usr/libexec/qubes-appmenus/remove-appvm-appmenus.sh /usr/libexec/qubes-appmenus/remove-appvm-appmenus.sh
/usr/share/qubes-appmenus/qubes-appmenu-select.desktop /usr/share/qubes-appmenus/qubes-appmenu-select.desktop
/usr/share/qubes-appmenus/qubes-dispvm-firefox.desktop /usr/share/qubes-appmenus/qubes-dispvm-firefox.desktop
/usr/share/qubes-appmenus/qubes-dispvm-xterm.desktop
/usr/share/qubes-appmenus/qubes-dispvm.directory /usr/share/qubes-appmenus/qubes-dispvm.directory
/usr/share/qubes-appmenus/qubes-servicevm.directory.template /usr/share/qubes-appmenus/qubes-servicevm.directory.template
/usr/share/qubes-appmenus/qubes-start.desktop /usr/share/qubes-appmenus/qubes-start.desktop
@ -282,6 +285,7 @@ chmod -x /etc/grub.d/10_linux
%config(noreplace) /etc/profile.d/zz-disable-lesspipe %config(noreplace) /etc/profile.d/zz-disable-lesspipe
/usr/lib/systemd/system-preset/75-qubes-dom0.preset /usr/lib/systemd/system-preset/75-qubes-dom0.preset
/usr/lib/systemd/system-preset/99-qubes-default-disable.preset /usr/lib/systemd/system-preset/99-qubes-default-disable.preset
/usr/bin/qvm-xkill
# Man # Man
%{_mandir}/man1/qvm-*.1* %{_mandir}/man1/qvm-*.1*
%{_mandir}/man1/qubes-*.1* %{_mandir}/man1/qubes-*.1*

50
system-config/60-persistent-storage.rules
View File

@ -1,20 +1,18 @@
# Qubes: Prevent probing of domU controlled disk contents. Note that it would
# nevertheless be insecure to attach block devices from domU to dom0 (xvd*) due
# to automatic kernel partition table scanners -- which are disabled for loop*
# devices created without LO_FLAGS_PARTSCAN.
SUBSYSTEM=="block", KERNEL=="loop*|xvd*", GOTO="persistent_storage_end"
# do not edit this file, it will be overwritten on update # do not edit this file, it will be overwritten on update
# persistent storage links: /dev/disk/{by-id,by-uuid,by-label,by-path} # persistent storage links: /dev/disk/{by-id,by-uuid,by-label,by-path}
# scheme based on "Linux persistent device names", 2004, Hannes Reinecke <hare@suse.de> # scheme based on "Linux persistent device names", 2004, Hannes Reinecke <hare@suse.de>
# forward scsi device event to corresponding block device
ACTION=="change", SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST=="block", ATTR{block/*/uevent}="change"
ACTION=="remove", GOTO="persistent_storage_end" ACTION=="remove", GOTO="persistent_storage_end"
# enable in-kernel media-presence polling
ACTION=="add", SUBSYSTEM=="module", KERNEL=="block", ATTR{parameters/events_dfl_poll_msecs}=="0", ATTR{parameters/events_dfl_poll_msecs}="2000"
SUBSYSTEM!="block", GOTO="persistent_storage_end" SUBSYSTEM!="block", GOTO="persistent_storage_end"
KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*", GOTO="persistent_storage_end"
# skip rules for inappropriate block devices
KERNEL=="loop*|fd*|mtd*|nbd*|gnbd*|btibm*|dm-*|md*|zram*", GOTO="persistent_storage_end"
# ignore partitions that span the entire disk # ignore partitions that span the entire disk
TEST=="whole_disk", GOTO="persistent_storage_end" TEST=="whole_disk", GOTO="persistent_storage_end"
@ -26,39 +24,43 @@ ENV{DEVTYPE}=="partition", IMPORT{parent}="ID_*"
KERNEL=="vd*[!0-9]", ATTRS{serial}=="?*", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/virtio-$env{ID_SERIAL}" KERNEL=="vd*[!0-9]", ATTRS{serial}=="?*", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/virtio-$env{ID_SERIAL}"
KERNEL=="vd*[0-9]", ATTRS{serial}=="?*", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/virtio-$env{ID_SERIAL}-part%n" KERNEL=="vd*[0-9]", ATTRS{serial}=="?*", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/virtio-$env{ID_SERIAL}-part%n"
# ATA devices using the "scsi" subsystem # ATA
KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="scsi", ATTRS{vendor}=="ATA", IMPORT{program}="ata_id --export $devnode" KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="scsi", ATTRS{vendor}=="ATA", IMPORT{program}="ata_id --export $devnode"
# ATA/ATAPI devices (SPC-3 or later) using the "scsi" subsystem
# ATAPI devices (SPC-3 or later)
KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="scsi", ATTRS{type}=="5", ATTRS{scsi_level}=="[6-9]*", IMPORT{program}="ata_id --export $devnode" KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="scsi", ATTRS{type}=="5", ATTRS{scsi_level}=="[6-9]*", IMPORT{program}="ata_id --export $devnode"
# Run ata_id on non-removable USB Mass Storage (SATA/PATA disks in enclosures) # Run ata_id on non-removable USB Mass Storage (SATA/PATA disks in enclosures)
KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", ATTR{removable}=="0", SUBSYSTEMS=="usb", IMPORT{program}="ata_id --export $devnode" KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", ATTR{removable}=="0", SUBSYSTEMS=="usb", IMPORT{program}="ata_id --export $devnode"
# Otherwise, fall back to using usb_id for USB devices
# Fall back usb_id for USB devices
KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="usb", IMPORT{builtin}="usb_id" KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="usb", IMPORT{builtin}="usb_id"
# scsi devices # SCSI devices
KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", IMPORT{program}="scsi_id --export --whitelisted -d $devnode", ENV{ID_BUS}="scsi" KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", IMPORT{program}="scsi_id --export --whitelisted -d $devnode", ENV{ID_BUS}="scsi"
KERNEL=="cciss*", ENV{DEVTYPE}=="disk", ENV{ID_SERIAL}!="?*", IMPORT{program}="scsi_id --export --whitelisted -d $devnode", ENV{ID_BUS}="cciss" KERNEL=="cciss*", ENV{DEVTYPE}=="disk", ENV{ID_SERIAL}!="?*", IMPORT{program}="scsi_id --export --whitelisted -d $devnode", ENV{ID_BUS}="cciss"
KERNEL=="sd*|sr*|cciss*", ENV{DEVTYPE}=="disk", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/$env{ID_BUS}-$env{ID_SERIAL}" KERNEL=="sd*|sr*|cciss*", ENV{DEVTYPE}=="disk", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/$env{ID_BUS}-$env{ID_SERIAL}"
KERNEL=="sd*|cciss*", ENV{DEVTYPE}=="partition", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/$env{ID_BUS}-$env{ID_SERIAL}-part%n" KERNEL=="sd*|cciss*", ENV{DEVTYPE}=="partition", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/$env{ID_BUS}-$env{ID_SERIAL}-part%n"
# firewire # FireWire
KERNEL=="sd*[!0-9]|sr*", ATTRS{ieee1394_id}=="?*", SYMLINK+="disk/by-id/ieee1394-$attr{ieee1394_id}" KERNEL=="sd*[!0-9]|sr*", ATTRS{ieee1394_id}=="?*", SYMLINK+="disk/by-id/ieee1394-$attr{ieee1394_id}"
KERNEL=="sd*[0-9]", ATTRS{ieee1394_id}=="?*", SYMLINK+="disk/by-id/ieee1394-$attr{ieee1394_id}-part%n" KERNEL=="sd*[0-9]", ATTRS{ieee1394_id}=="?*", SYMLINK+="disk/by-id/ieee1394-$attr{ieee1394_id}-part%n"
KERNEL=="mmcblk[0-9]", SUBSYSTEMS=="mmc", ATTRS{name}=="?*", ATTRS{serial}=="?*", ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}" # MMC
KERNEL=="mmcblk[0-9]", SUBSYSTEMS=="mmc", ATTRS{name}=="?*", ATTRS{serial}=="?*", \
ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}"
KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}-part%n" KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}-part%n"
KERNEL=="mspblk[0-9]", SUBSYSTEMS=="memstick", ATTRS{name}=="?*", ATTRS{serial}=="?*", ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/memstick-$env{ID_NAME}_$env{ID_SERIAL}"
KERNEL=="mspblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/memstick-$env{ID_NAME}_$env{ID_SERIAL}-part%n"
# by-path (parent device path) # Memstick
KERNEL=="msblk[0-9]|mspblk[0-9]", SUBSYSTEMS=="memstick", ATTRS{name}=="?*", ATTRS{serial}=="?*", \
ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/memstick-$env{ID_NAME}_$env{ID_SERIAL}"
KERNEL=="msblk[0-9]p[0-9]|mspblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/memstick-$env{ID_NAME}_$env{ID_SERIAL}-part%n"
# by-path
ENV{DEVTYPE}=="disk", DEVPATH!="*/virtual/*", IMPORT{builtin}="path_id" ENV{DEVTYPE}=="disk", DEVPATH!="*/virtual/*", IMPORT{builtin}="path_id"
ENV{DEVTYPE}=="disk", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}" ENV{DEVTYPE}=="disk", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}"
ENV{DEVTYPE}=="partition", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}-part%n" ENV{DEVTYPE}=="partition", ENV{ID_PATH}=="?*", SYMLINK+="disk/by-path/$env{ID_PATH}-part%n"
# skip unpartitioned removable media devices from drivers which do not send "change" events
ENV{DEVTYPE}=="disk", KERNEL!="sd*|sr*", ATTR{removable}=="1", GOTO="persistent_storage_end"
# probe filesystem metadata of optical drives which have a media inserted # probe filesystem metadata of optical drives which have a media inserted
KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!="?*", ENV{ID_CDROM_MEDIA_TRACK_COUNT_DATA}=="?*", ENV{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}=="?*", \ KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!="?*", ENV{ID_CDROM_MEDIA_TRACK_COUNT_DATA}=="?*", ENV{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}=="?*", \
IMPORT{builtin}="blkid --offset=$env{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}" IMPORT{builtin}="blkid --offset=$env{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}"
@ -69,9 +71,6 @@ KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!="?*", ENV{ID_CDROM_MEDIA_TRACK_COUNT_DAT
# probe filesystem metadata of disks # probe filesystem metadata of disks
KERNEL!="sr*", IMPORT{builtin}="blkid" KERNEL!="sr*", IMPORT{builtin}="blkid"
# watch metadata changes by tools closing the device after writing
KERNEL!="sr*", OPTIONS+="watch"
# by-label/by-uuid links (filesystem metadata) # by-label/by-uuid links (filesystem metadata)
ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{ID_FS_UUID_ENC}=="?*", SYMLINK+="disk/by-uuid/$env{ID_FS_UUID_ENC}" ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{ID_FS_UUID_ENC}=="?*", SYMLINK+="disk/by-uuid/$env{ID_FS_UUID_ENC}"
ENV{ID_FS_USAGE}=="filesystem|other", ENV{ID_FS_LABEL_ENC}=="?*", SYMLINK+="disk/by-label/$env{ID_FS_LABEL_ENC}" ENV{ID_FS_USAGE}=="filesystem|other", ENV{ID_FS_LABEL_ENC}=="?*", SYMLINK+="disk/by-label/$env{ID_FS_LABEL_ENC}"
@ -84,4 +83,7 @@ ENV{DEVTYPE}=="partition", ENV{ID_WWN_WITH_EXTENSION}=="?*", SYMLINK+="disk/by-i
ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_UUID}=="?*", SYMLINK+="disk/by-partuuid/$env{ID_PART_ENTRY_UUID}" ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_UUID}=="?*", SYMLINK+="disk/by-partuuid/$env{ID_PART_ENTRY_UUID}"
ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_NAME}=="?*", SYMLINK+="disk/by-partlabel/$env{ID_PART_ENTRY_NAME}" ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_NAME}=="?*", SYMLINK+="disk/by-partlabel/$env{ID_PART_ENTRY_NAME}"
# add symlink to GPT root disk
ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_GPT_AUTO_ROOT}=="1", SYMLINK+="gpt-auto-root"
LABEL="persistent_storage_end" LABEL="persistent_storage_end"

4
system-config/75-qubes-dom0.preset
View File

@ -45,4 +45,6 @@ enable qubes-qmemman.service
enable qubes-suspend.service enable qubes-suspend.service
enable qubes-setupdvm.service enable qubes-setupdvm.service
enable qubes-block-cleaner.service enable qubes-block-cleaner.service
enable anti-evil-maid-unseal.service
enable anti-evil-maid-check-mount-devs.service
enable anti-evil-maid-seal.service

18
system-config/kernel-xen-efi.install
View File

@ -6,7 +6,23 @@ COMMAND="$1"
KVER="$2" KVER="$2"
ESP_MOUNTPOINT=/boot/efi ESP_MOUNTPOINT=/boot/efi
EFI_DIR="$ESP_MOUNTPOINT/EFI/qubes"
EFI_DIR=$(efibootmgr -v 2>/dev/null | awk '
/^BootCurrent:/ { current=$2; }
/^Boot....\* / {
if ("Boot" current "*" == $1) {
sub(".*File\\(", "");
sub("\\\\xen.efi\\).*", "");
gsub("\\\\", "/");
print;
}
}')
if [ -z "$EFI_DIR" ]; then
EFI_DIR="$ESP_MOUNTPOINT/EFI/qubes"
else
EFI_DIR="$ESP_MOUNTPOINT$EFI_DIR"
fi
if [ ! -d "$EFI_DIR" ]; then if [ ! -d "$EFI_DIR" ]; then
# non-EFI system # non-EFI system

10
tools/qvm-xkill Normal file
View File

@ -0,0 +1,10 @@
#!/bin/sh
set -e
ID=$(xdotool selectwindow)
xprop -id "$ID" _QUBES_VMNAME | grep -q ' = ' \
|| { echo "${0##*/}: Not killing dom0 window $ID" >&2; exit 1; }
xdotool windowkill "$ID"

2
version
View File

@ -1 +1 @@
3.2.3 3.2.11