Design documentation says:
'note string dom0 does not match the $anyvm pattern; all other names do'
This behaviour was broken, because 'is not' in Python isn't the same as
string comparison. In theory this could result in some service
erroneously allowed to execute in dom0, but in practice such services are
not installed in dom0 at all, so the only impact was a misleading error
message.
Fixes QubesOS/qubes-issues#2031
Reported by @Jeeppler
(cherry picked from commit 981a11cee1)
qrexec-client -t/-T (and therefore, qvm-run --pass-io) only handled the
escape character, \033. Everything else, such as Unicode and obscure
control characters, was passed through from the VM to the dom0 terminal.
Instead, replace all bytes except for a benign subset of ASCII. That's
still enough to allow progress bars to be drawn (tested using
"wget --progress=bar:force" and "pv --force").
(cherry picked from commit e005836286)
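The allowlist approach described in the commit message above, as an added example (not the qrexec-client source). The exact set of permitted bytes is an assumption: printable ASCII plus tab, newline, carriage return and backspace, which is enough for a `\r`-redrawn progress bar; `sanitize_vm_output` and `is_benign` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed allowlist: printable ASCII plus the few control bytes a
 * progress bar needs. ESC (0x1b), BEL, NUL, DEL, the C1 range and every
 * byte of a UTF-8 multibyte sequence fall outside it. */
static int is_benign(unsigned char c)
{
    if (c >= 0x20 && c <= 0x7e)
        return 1;
    return c == '\t' || c == '\n' || c == '\r' || c == '\b';
}

/* Replace every byte outside the allowlist in place, before the buffer
 * is written to the dom0 terminal. Length-based, so embedded NUL bytes
 * are handled too. Returns the number of bytes replaced. */
size_t sanitize_vm_output(char *buf, size_t len)
{
    size_t replaced = 0;

    for (size_t i = 0; i < len; i++) {
        if (!is_benign((unsigned char)buf[i])) {
            buf[i] = '_';
            replaced++;
        }
    }
    return replaced;
}

int main(void)
{
    /* Constructed sample of VM output: a progress-bar line, an OSC
     * window-title sequence, a UTF-8 character, and a bare 8-bit CSI
     * (0x9b), which an ESC-only filter would pass through. */
    char sample[] = "\r 42% [====>   ]\033]0;title\007 caf\xc3\xa9 \x9b" "2J\n";
    size_t len = sizeof(sample) - 1;
    size_t n = sanitize_vm_output(sample, len);

    fprintf(stderr, "%zu bytes replaced\n", n);
    fwrite(sample, 1, len, stdout);
    return 0;
}
```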
Moved create private.img before yum.
Shutdown templatevm first -- don't want to query possibly compromised vm running old private.img.
Issue #2061
(cherry picked from commit fbb58918af)
This restores the netvm setting and also re-creates private.img if older rpm scriptlet doesn't create it.
Issue #2061
(cherry picked from commit ef1ab34234)
Just in case template %post scriptlet doesn't unlink during reinstall, or if reinstall fails.
Also preserves Netvm prefs setting.
(cherry picked from commit 32a4269f4a)
This doesn't yet prevent appvms from starting with invalid template during the reinstall, and doesn't deal with the Netvm setting problem.
For issue #2061
(cherry picked from commit 17627cdf3c)
The entry may be already present for example when reinstalling package,
or calling the script multiple times (which apparently is the case
during system installation).
(cherry picked from commit 4d4e7cc5e9)
This will allow using some different shell/language for a service (for
example python).
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
(cherry picked from commit f8d23d0d64)
This would prevent qrexec from detecting EOF.
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
(cherry picked from commit 7b582e0339)
In non-EFI installation /boot/efi/EFI/qubes may not exist. In this case
do not try to touch (non-existing) files there.
Fixes QubesOS/qubes-issues#1829
(cherry picked from commit f7eaa7bec2)
After installing "codeblocks" app in TemplateVM it doesn't appear in Qubes VM Manager's available app shortcuts.
If I run in a Dom0 Terminal: /usr/libexec/qubes-appmenus/qubes-receive-appmenus fedora-23
I get this: "Warning: ignoring key 'Name' of codeblocks.desktop"
The "Name" key in that file has value "Code::Blocks"
The problem comes from line 168, because of the colons in the app Name.
By adding the colon ":" to the std_re used to match valid characters for "Name", the app is correctly parsed and I can add the shortcut to AppVMs
(cherry picked from commit 3acfb8e4b3)
Notes from origin:
Fixes QubesOS/qubes-issues#1852
Host suspend notification may be useful not only to driver domains. For
example Whonix needs to resync time after suspend.
Thanks @adrelanos for help.
Fixes QubesOS/qubes-issues#1663
qvm-sync-clock running in background is killed as soon as
qubes-suspend.service is terminated.
Additionally restore --verbose option, which was the case (implicitly)
in previous qvm-run based code.
Fixes QubesOS/qubes-issues#1795
* qubesos/pr/5:
Use #!/bin/bash and && in qvm-move-to-vm
qvm-copy-to-vm: Fix running with multiple file arguments
qvm-move-to-vm: Remove duplicated code
After suspend, VM clocks are desynchronized in most cases (because VMs
were paused). Since directly after suspend there may be no network
access, a normal `qvm-sync-clock` call isn't good (it aborts if the NTP call
fails). But with the new `qvm-sync-clock --force` switch, it syncs VMs even
if NTP is unreachable.
QubesOS/qubes-issues#1728
When qrexec-agent crashes for any reason (for example
QubesOS/qubes-issues#1389), it will never connect back and qrexec-client
will wait forever. In worst case it may happen while holding qubes.xml
write lock (in case of DispVM startup) effectively locking the whole
system.
Fixes QubesOS/qubes-issues#1636
#!/bin/bash because qvm-move-to-vm sources qvm-copy-to-vm, which has
a bashism (-o pipefail).
&& is safer in case qvm-*copy*-to-vm is ever changed to call 'set +e'.
dracut in Fedora 20 doesn't know about *-pci modules (which were split
off from *-hcd). So add them manually, in all flavors (ehci, ohci, xhci).
Fixes QubesOS/qubes-issues#1517
Unfortunate side effect (to be solved at Qubes Manager side): it will
block Qubes Manager until all updates are installed (not only updater
launched).
Fixes QubesOS/qubes-issues#1511