37 Commits

Author SHA1 Message Date
Jean-Philippe Ouellet
be1d984364
Mitigate GUI DoS (part 2: qvm-xkill)
Can close windows of a VM while it's paused, and can not accidentally
harm dom0 by errant clicking.

Discussion in https://github.com/QubesOS/qubes-issues/issues/881

Thanks to rustybird for suggested implementation.
2016-11-26 21:59:16 -05:00
Marek Marczykowski-Górecki
db32b65d81
appmenus: add xterm in Disposable VM menu entry
Fixes QubesOS/qubes-issues#1612
2016-07-17 00:00:47 +02:00
Marek Marczykowski-Górecki
60488d4439
system-config: add systemd-preset configuration
Fixes QubesOS/qubes-issues#2049
2016-06-06 02:22:58 +02:00
Marek Marczykowski-Górecki
01f357ae3a
dom0-updates: patch dnf.conf to use local repository
Add the same options as for yum. And do that with nice markers, instead
of forcefully overriding the entries.

QubesOS/qubes-issues#1807
2016-06-03 20:21:04 +02:00
Marek Marczykowski-Górecki
8f52c83f0b
Require new enough qubes-utils package for updated libqrexec-utils (again)
It is required for additional file-copy functions, moved from
core-agent-linux (qfile-agent).

QubesOS/qubes-issues#1324
2015-11-11 05:12:42 +01:00
Marek Marczykowski-Górecki
4e498c90e6
Implement qvm-copy-to-vm and qvm-move-to-vm utilities
QubesOS/qubes-issues#1324
2015-11-11 05:09:21 +01:00
Marek Marczykowski-Górecki
520e250966
Require new enough qubes-utils package for updated libqrexec-utils
Required by 0c288aa "qrexec: implement buffered write to child stdin to
prevent deadlock"
2015-10-30 15:10:18 +01:00
Marek Marczykowski-Górecki
867baa7266
kernel-install: add new kernel to xen.cfg for xen.efi
QubesOS/qubes-issues#794
2015-09-26 03:56:16 +02:00
Marek Marczykowski-Górecki
f795e58483
Undo 'Boot Loader Spec' by deleting /boot/MACHINE_ID
The specification doesn't cover how to boot Xen (or any other multiboot
binary), but the sole presence of such a directory changes dracut's default
path. So get rid of that directory.
2015-08-03 03:00:59 +02:00
Marek Marczykowski-Górecki
e062c431dd
rpm: move os-prober removing code to kernel-install subpackage
Main qubes-core-dom0 should not be installed as part of installer image,
but os-prober dependency pulls that in. So move it into
qubes-core-dom0-kernel-install subpackage. After all this is where grub
config regeneration code is placed, so it is a more logical place.
2015-07-29 21:35:04 +02:00
Marek Marczykowski-Górecki
7fdff6a735
rpm: force removal of os-prober package
It can be harmful, because it accesses (and mounts) every block
device, including VM controlled /dev/loop*.
2015-07-27 17:27:35 +02:00
Marek Marczykowski-Górecki
5e6d3a273d
Prevent installing all the qubes packages in the installer image
Split kernel-install hook into separate package, as only this part is
needed by the installer. This will prevent installing all the Qubes/Xen
stuff in the installer, especially udev scripts and xenstored, which
don't play well with anaconda.
2015-07-14 23:27:03 +02:00
Marek Marczykowski-Górecki
f056e0341e
rpm: provide qubes-core-dom0-linux-kernel-install virtual pkg
This is for kernel package dependencies, since we have the same kernel
packages for both R2 and R3.0
2015-07-12 01:53:48 +02:00
Marek Marczykowski-Górecki
2a14ae9c0b
Add kernel post-installation script to regenerate grub2 config
Since we now allow using Fedora kernel, add a script to generate proper
bootloader configuration then. Standard Fedora mechanism relies on
Boot Loader Specification support in grub2, which sadly does not support
Xen, so it is useless in Qubes.
2015-07-10 17:54:24 +02:00
Marek Marczykowski-Górecki
8acd40905d
Disable lesspipe in dom0
It can be dangerous when processing untrusted content (for example VM
logs).
Details:
https://groups.google.com/d/msgid/qubes-users/20150527215812.GA13915%40mail-itl
2015-06-25 02:37:29 +02:00
Marek Marczykowski-Górecki
5035fc7eed
Remove iptables config
Dom0 has no network at all, it isn't needed.
2015-03-31 22:55:25 +02:00
Marek Marczykowski-Górecki
af66472c36
rpm: add missing vchan-devel build requires
2014-11-19 15:23:10 +01:00
Marek Marczykowski-Górecki
8f2a03e672
rpm: fix permissions of /etc/qubes-rpc{,/policy}
Group qubes should have write right there.
2014-10-30 06:40:34 +01:00
Marek Marczykowski-Górecki
1e8b3ea876
rpm: do not save removed udev script
As Qubes dom0 is a standalone system, not an addon to Fedora (for some
time...), we no longer need to save such scripts to handle
package removal.
2014-09-30 23:51:10 +02:00
Marek Marczykowski-Górecki
5af0530e8d
udev: prevent VM disks content from being accessed by dom0 processes
To not expose dom0 processes like blkid for attacks from VM (e.g. by
placing malicious filesystem header in private.img).
2014-06-11 02:41:20 +02:00
Marek Marczykowski-Górecki
6f1ba98230
rpm: disable non-Xen grub entry on upgrade
2014-04-14 04:14:18 +02:00
Marek Marczykowski-Górecki
1205d9e01f
rpm: fix dom0 updates with F20 firewallvm
F20 yum version has changed the way of parsing system-release package
version (so $releasever variable). Force it to use qubes-release package
version, not redhat-release.
2014-03-04 02:07:50 +01:00
Marek Marczykowski-Górecki
30535e59d2
rpm: require qubes-utils >= 2.0.6 for imgconverter
2014-02-07 05:46:19 +01:00
Marek Marczykowski-Górecki
ea7b4eb5cb
rpm: BR:qubes-utils-devel >= 2.0.5 - because of slight API change
Note that R: will be generated automatically (on library name).
2014-02-07 05:36:56 +01:00
Marek Marczykowski-Górecki
7ad1183793
rpm: speedup package installation
Do not rebuild cache after each icon installation.
2013-12-26 05:07:11 +01:00
Marek Marczykowski-Górecki
c000f24def
appmenus: fallback hardcoded appmenus for HVM with qrexec installed
If VM didn't return any appmenus data, the service is most likely not
available there. Actually it hasn't been written yet.
2013-12-04 03:05:34 +01:00
Marek Marczykowski-Górecki
d0509caf9e
pm-utils: hook qubes suspend scripts to systemd
Apparently new KDE doesn't call pm-suspend anymore, instead using systemd
suspend logic. So hook our scripts also there.
2013-11-04 01:28:36 +01:00
Marek Marczykowski-Górecki
aa5635b4f5
rpm: fix policy/qubes.SyncAppMenus name (v2)
2013-10-23 05:40:27 +02:00
Marek Marczykowski-Górecki
72b528ddd1
Revert "rpm: fix policy/qubes.SyncAppMenus name"
This reverts commit de087e9b8d.
Mangled two changes together.
2013-10-23 05:39:46 +02:00
Marek Marczykowski-Górecki
de087e9b8d
rpm: fix policy/qubes.SyncAppMenus name
2013-10-23 00:25:50 +02:00
Marek Marczykowski-Górecki
b4ab187793
dracut: change the way to include ehci-pci module
Apparently add_drivers doesn't work. Looking at kernel-modules dracut
code, it can only be used for block-device driver and only makes sense
in --host-only mode.
So add additional module, which unconditionally installs kernel modules.
2013-08-13 00:39:35 +02:00
Marek Marczykowski
0f384aacd9
spec: create 'qubes' group if not exists
This group can be created also by qubes-core-dom0 package, but add
relevant code also here to simplify dependencies.
2013-03-25 16:21:43 +01:00
Marek Marczykowski
158bfff3cf
Add qrexec back, use qubes-utils libraries for common code
2013-03-20 06:24:17 +01:00
Marek Marczykowski
dbe9693851
Other Linux-specific files
2013-03-16 19:52:16 +01:00
Marek Marczykowski
e5f9e46e19
dom0-updates code
2013-03-16 18:54:21 +01:00
Marek Marczykowski
d06bbdc967
appmenus: include standalone qvm-sync-appmenus and its manpage
2013-03-16 18:34:40 +01:00
Marek Marczykowski
ad522026d3
Initial commit: appmenus handling code, icons
2013-03-16 18:23:22 +01:00