Compare commits

...

21 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
2695a6ec90
version 2.0.31 2015-10-01 11:51:42 +02:00
Marek Marczykowski-Górecki
af0fdb3cd3
rpm: move os-prober removing code to kernel-install subpackage
Main qubes-core-dom0 should not be installed as part of installer image,
but os-prober dependency pulls that in. So move it into
qubes-core-dom0-kernel-install subpackage. After all, this is where grub
config regeneration code is placed, so it is a more logical place.

(cherry picked from commit e062c431dd)
2015-10-01 11:51:20 +02:00
Marek Marczykowski-Górecki
1d5b55465f
Prevent installing all the qubes packages in the installer image
Split kernel-install hook into separate package, as only this part is
needed by the installer. This will prevent installing all the Qubes/Xen
stuff in the installer, especially udev scripts and xenstored, which
don't play well with anaconda.

(cherry picked from commit 5e6d3a273d)

Conflicts:
	rpm_spec/core-dom0-linux.spec
2015-10-01 11:51:17 +02:00
Marek Marczykowski-Górecki
bc3c9fa422
Generate initramfs in kernel-install hook
The default one generates initramfs in location expected by Boot Loader
Specification, which as noted before, isn't useful for Qubes.

(cherry picked from commit fddeb4a23c)
2015-10-01 11:50:52 +02:00
Marek Marczykowski-Górecki
dab1417c24
rpm: provide qubes-core-dom0-linux-kernel-install virtual pkg
This is for kernel package dependencies, since we have the same kernel
packages for both R2 and R3.0

(cherry picked from commit f056e0341e)
2015-10-01 11:50:52 +02:00
Marek Marczykowski-Górecki
ed6ab1e598
Add kernel post-installation script to regenerate grub2 config
Since we now allow using Fedora kernel, add a script to generate proper
bootloader configuration then. Standard Fedora mechanism relies on
Boot Loader Specification support in grub2, which sadly does not support
Xen, so it is useless in Qubes.

(cherry picked from commit 2a14ae9c0b)

Conflicts:
	rpm_spec/core-dom0-linux.spec
2015-10-01 11:50:47 +02:00
Marek Marczykowski-Górecki
eccca4e59e
version 2.0.30 2015-09-29 10:50:41 +02:00
Marek Marczykowski-Górecki
740994b8d9
Disable lesspipe in dom0
It can be dangerous when processing untrusted content (for example VM
logs).
Details:
https://groups.google.com/d/msgid/qubes-users/20150527215812.GA13915%40mail-itl

(cherry picked from commit 8acd40905d)
2015-09-27 23:41:23 +02:00
Marek Marczykowski-Górecki
15451be6f8 version 2.0.29 2015-07-28 00:32:57 +02:00
Marek Marczykowski-Górecki
547854bed6 rpm: force removal os-prober package
It can be harmful, because it accesses (and mounts) every block
device, including VM controlled /dev/loop*.
2015-07-28 00:32:44 +02:00
Marek Marczykowski-Górecki
b96016101c version 2.0.28 2015-06-20 22:00:36 +02:00
Marek Marczykowski-Górecki
1c7fcb7de4 appmenus: allow '_' in Exec and other fields
(cherry picked from commit 07de8f7515)
2015-06-20 22:00:36 +02:00
Marek Marczykowski-Górecki
43f2865c41 dom0-update: improve package validation regexp - include DSA case (#988)
Apparently when a package is signed with a DSA key, rpm -K output is totally
different. This is the case for bumblebee package on rpmfusion.

Fixes qubesos/qubes-issues#988

(cherry picked from commit a5650d3251)
2015-06-20 22:00:36 +02:00
Marek Marczykowski-Górecki
3cbe2fa7e7 dom0-update: clear error marker before downloading new packages (#987)
Otherwise if some package download fails once - further tries will also
report errors.

Fixes qubesos/qubes-issues#987

(cherry picked from commit f2b5cf1cc0)
2015-06-20 22:00:35 +02:00
Marek Marczykowski-Górecki
690e10ffd4 dom0-update: prevent template package upgrades (#996)
This would override user changes to the template. Previous method
(Obsoletes: rpm header) doesn't work now, so add explicit exclude list
as yum option

Fixes qubesos/qubes-issues#996

(cherry picked from commit 4cab815317)

Conflicts:
	dom0-updates/qubes-dom0-update
2015-06-20 21:50:53 +02:00
Marek Marczykowski-Górecki
d276a1590c gitignore
(cherry picked from commit ed363452c9)
2015-05-16 23:17:30 +02:00
Marek Marczykowski-Górecki
d018452cd8 version 2.0.27 2015-02-10 06:47:33 +01:00
Marek Marczykowski-Górecki
49c1fe9004 Add "--" to separate options from (untrusted) non-options arguments
This will prevent passing an option instead of a command (qvm-run) /
domain name (qrexec-policy). In both cases, when a VM tries to pass some
option, it would fail because of a missing argument (the VM cannot pass
additional arguments, so if one acts as an option, one argument will be
missing).

(cherry picked from commit d031126737)

Conflicts:
	qrexec/qrexec-daemon.c
2015-02-10 02:39:06 +01:00
Marek Marczykowski-Górecki
423bd89069 version 2.0.26 2015-01-30 23:38:33 +01:00
Marek Marczykowski-Górecki
4b27e24ac9 appmenus: call kbuildsycoca4 only once after template update (#886) 2015-01-26 03:59:22 +01:00
Marek Marczykowski-Górecki
ab708e0b6b version 2.0.25 2014-11-18 17:24:33 +01:00
10 changed files with 55 additions and 9 deletions

1
.gitignore vendored
View File

@ -1 +1,2 @@
rpm/
pkgs/

View File

@ -58,6 +58,6 @@ fi
echo "--> Adding Apps to the Menu..."
LC_COLLATE=C xdg-desktop-menu install $APPSDIR/*.directory $APPSDIR/*.desktop
if [ -n "$KDE_SESSION_UID" ]; then
if [ -n "$KDE_SESSION_UID" -a -z "$SKIP_CACHE_REBUILD" ]; then
kbuildsycoca4
fi
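Review bot: the new condition `[ -n "$KDE_SESSION_UID" -a -z "$SKIP_CACHE_REBUILD" ]` uses the `-a` operator, which POSIX marks obsolescent and which can parse ambiguously; write it as `[ -n "$KDE_SESSION_UID" ] && [ -z "$SKIP_CACHE_REBUILD" ]`. SKIP_CACHE_REBUILD is read from the inherited environment, so a short comment saying who sets it and why would help the next reader.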

View File

@ -42,13 +42,13 @@ appmenus_line_size = 1024
appmenus_line_count = 100000
# regexps for sanitization of retrieved values
std_re = re.compile(r"^[/a-zA-Z0-9.,&() -]*$")
std_re = re.compile(r"^[/a-zA-Z0-9.,&()_ -]*$")
fields_regexp = {
"Name": std_re,
"GenericName": std_re,
"Comment": std_re,
"Categories": re.compile(r"^[a-zA-Z0-9/.;:'() -]*$"),
"Exec": re.compile(r"^[a-zA-Z0-9()%&>/{}\"'\\:.= -]*$"),
"Exec": re.compile(r"^[a-zA-Z0-9()_%&>/{}\"'\\:.= -]*$"),
"Icon": re.compile(r"^[a-zA-Z0-9/_.-]*$"),
}
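Review bot: in `std_re` and the `Exec` pattern, `$` also matches just before a trailing newline in Python's `re`, so a value ending in a newline passes these checks unless it is stripped before matching; using `\Z` in place of `$` closes that. The comment above the patterns could also list which characters are deliberately allowed in these fields, now that `_` joins them.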
@ -207,7 +207,7 @@ def create_template(path, values):
if values.has_key(key):
desktop_file.write("{0}={1}\n".format(key, values[key]))
desktop_file.write("Exec=qvm-run -q --tray -a %VMNAME% {0}\n".format(pipes.quote(values['Exec'])))
desktop_file.write("Exec=qvm-run -q --tray -a %VMNAME% -- {0}\n".format(pipes.quote(values['Exec'])))
desktop_file.close()
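Review bot: on the rewritten `Exec=` line, `values['Exec']` is indexed directly while the other keys in the lines above are guarded by `values.has_key(key)`, so an entry without Exec raises KeyError here unless that is checked before this function is called. A one-line comment saying the `--` is there because the command string is untrusted would keep it from being dropped in a later cleanup.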
@ -324,11 +324,15 @@ def main():
shutil.copy(system_path['appmenu_start_hvm_template'], vm.appmenus_templates_dir)
if hasattr(vm, 'appvms'):
os.putenv('SKIP_CACHE_REBUILD', '1')
for child_vm in vm.appvms.values():
try:
child_vm.appmenus_recreate()
except Exception, e:
print >> sys.stderr, "---> Failed to recreate appmenus for " \
"'{0}': {1}".format(child_vm.name, str(e))
if 'KDE_SESSION_UID' in os.environ:
subprocess.call(['kbuildsycoca4'])
os.unsetenv('SKIP_CACHE_REBUILD')
main()
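Review bot: `os.putenv('SKIP_CACHE_REBUILD', '1')` and the matching `os.unsetenv` are not paired through try/finally, and the `subprocess.call(['kbuildsycoca4'])` between them is unguarded, so a missing kbuildsycoca4 binary ends the run with an OSError traceback after all menus were already recreated. Setting `os.environ['SKIP_CACHE_REBUILD']` and deleting it in a `finally:` block would also keep `os.environ` consistent, since `os.putenv` does not update it; the return code of kbuildsycoca4 is ignored as well.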

View File

@ -21,11 +21,13 @@ if [ "$1" = "--help" ]; then
exit
fi
# Prevent template upgrade - this would override user changes
TEMPLATE_EXCLUDE_OPTS="--exclude=`rpm -qa --qf '%{NAME},' qubes-template-\*`"
PKGS=
YUM_OPTS=
YUM_OPTS="$TEMPLATE_EXCLUDE_OPTS"
GUI=
CHECK_ONLY=
ALL_OPTS=$*
ALL_OPTS="$TEMPLATE_EXCLUDE_OPTS $*"
QVMRUN_OPTS=
CLEAN=
# Filter out some yum options and collect packages list
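Review bot: when no `qubes-template-*` package is installed, the `rpm -qa` substitution in TEMPLATE_EXCLUDE_OPTS is empty and yum is handed a bare `--exclude=`; build the option only when the list is non-empty. The `'%{NAME},'` format also leaves a trailing comma on the value, which is worth trimming or at least noting in the comment.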
@ -110,6 +112,7 @@ fi
if [ -n "$CLEAN" ]; then
rm -f /var/lib/qubes/updates/rpm/*
fi
rm -f /var/lib/qubes/updates/errors
# We should ensure the clocks in Dom0 and UpdateVM are in sync
# becuase otherwise yum might complain about future timestamps
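Review bot: the added `rm -f /var/lib/qubes/updates/errors` has no comment, unlike the clock-sync step right below it; say there that it clears the error marker left by an earlier failed download so that later runs do not report stale errors.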

View File

@ -40,7 +40,13 @@ if os.path.exists('/usr/share/qubes/Qubes-comps.xml'):
comps_file = '/usr/share/qubes/Qubes-comps.xml'
package_regex = re.compile(r"^[A-Za-z0-9._+-]{1,128}.rpm$")
gpg_ok_regex = re.compile(r"pgp md5 OK$")
# example valid outputs:
# .....rpm: rsa sha1 (md5) pgp md5 OK
# .....rpm: (sha1) dsa sha1 md5 gpg OK
# example INVALID outputs:
# .....rpm: sha1 md5 OK
# .....rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#246110c1)
gpg_ok_regex = re.compile(r": [a-z0-9() ]* (pgp|gpg) [a-z0-9 ]*OK$")
def dom0updates_fatal(pkg, msg):
global updates_error_file_handle

View File

@ -519,7 +519,7 @@ void handle_execute_predefined_command(void)
close(i);
signal(SIGCHLD, SIG_DFL);
signal(SIGPIPE, SIG_DFL);
execl("/usr/lib/qubes/qrexec-policy", "qrexec-policy",
execl("/usr/lib/qubes/qrexec-policy", "qrexec-policy", "--",
remote_domain_name, params.target_vmname,
params.exec_index, params.process_fds.ident, NULL);
perror("execl");
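Review bot: the `"--"` added to the `execl` argument list has no comment; note at the call that the positional arguments after it are untrusted (as the commit message explains) and must never be parsed as options, so the separator is not removed later. It only helps if the option parser in qrexec-policy stops at `--`, which is worth confirming alongside this change.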

View File

@ -46,6 +46,7 @@ BuildRequires: pandoc
BuildRequires: qubes-utils-devel >= 2.0.5
Requires: qubes-core-dom0
Requires: qubes-utils >= 2.0.6
Requires: %{name}-kernel-install
%define _builddir %(pwd)
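Review bot: `Requires: %{name}-kernel-install` carries no version, so the main package and the new subpackage can end up installed at different releases; pin it as `Requires: %{name}-kernel-install = %{version}-%{release}` unless mixing releases is intended.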
@ -54,6 +55,17 @@ Linux customizations required to use system as Qubes dom0.
Additionally some graphical elements for every Linux desktop envirnment (icons,
appmenus etc).
%package kernel-install
Summary: Kernel install hook for Xen-based system
# get rid of os-prober, it tries to mount and parse all the block devices in
# the system, including loop*
Provides: os-prober
Obsoletes: os-prober
%description kernel-install
Kernel install hook for Xen-based system.
%prep
# we operate on the current directory, so no need to unpack anything
# symlink is to generate useful debuginfo packages
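Review bot: `Provides: os-prober` and `Obsoletes: os-prober` in the kernel-install subpackage are unversioned, and an unversioned Provides does not satisfy a dependency that names an os-prober version, so such a requirement elsewhere would collide with the Obsoletes. The comment explains why os-prober is removed but not that the Provides is a deliberate stub with no os-prober binary behind it; add that.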
@ -138,6 +150,8 @@ install -D system-config/qubes-sync-clock.cron $RPM_BUILD_ROOT/etc/cron.d/qubes-
install -d $RPM_BUILD_ROOT/etc/udev/rules.d
install -m 644 system-config/00-qubes-ignore-devices.rules $RPM_BUILD_ROOT/etc/udev/rules.d/
install -m 644 system-config/60-persistent-storage.rules $RPM_BUILD_ROOT/etc/udev/rules.d/
install -m 644 -D system-config/disable-lesspipe $RPM_BUILD_ROOT/etc/profile.d/zz-disable-lesspipe
install -m 755 -D system-config/kernel-grub2.install $RPM_BUILD_ROOT/usr/lib/kernel/install.d/90-grub2.install
### Icons
mkdir -p $RPM_BUILD_ROOT/usr/share/qubes/icons
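Review bot: the lesspipe override is installed as `/etc/profile.d/zz-disable-lesspipe` with no `.sh` suffix, and Fedora's stock /etc/profile sources only `/etc/profile.d/*.sh`, so the `unset` may never run; install it as `zz-disable-lesspipe.sh` (adjusting the `%files` entry to match) or verify in a dom0 login shell that LESSOPEN is empty. csh-family shells read `*.csh` instead and are not covered by this file.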
@ -257,9 +271,12 @@ chmod -x /etc/grub.d/10_linux
%config /etc/udev/rules.d/00-qubes-ignore-devices.rules
%config(noreplace) /etc/udev/rules.d/60-persistent-storage.rules
%attr(0644,root,root) /etc/cron.d/qubes-sync-clock.cron
%config(noreplace) /etc/profile.d/zz-disable-lesspipe
# Man
%{_mandir}/man1/qvm-*.1*
%{_mandir}/man1/qubes-*.1*
%files kernel-install
/usr/lib/kernel/install.d/90-grub2.install
%changelog
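Review bot: `%config(noreplace)` on `/etc/profile.d/zz-disable-lesspipe` means a locally edited copy is kept on upgrade, so a later fix to this hardening file would not reach those systems; plain `%config`, or no config flag at all, fits a security default better.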

View File

@ -0,0 +1 @@
unset LESSOPEN LESSCLOSE

View File

@ -0,0 +1,14 @@
#!/bin/sh
COMMAND="$1"
KVER="$2"
case "$COMMAND" in
add)
dracut -f "/boot/initramfs-${KVER}.img" "$KVER"
;;
remove)
rm -f "/boot/initramfs-${KVER}.img"
;;
esac
grub2-mkconfig -o /boot/grub2/grub.cfg
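Review bot: the hook never checks that `$KVER` is non-empty or that `dracut` succeeded, and `grub2-mkconfig` runs for every value of `$COMMAND`, including unknown ones, so a failed initramfs build is silently followed by a grub.cfg regeneration. Exit early when `$KVER` is empty, stop on a dracut error (for example `dracut -f ... || exit 1`), and add a header comment saying why this script exists instead of the default Boot Loader Specification handling.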

View File

@ -1 +1 @@
2.0.24
2.0.31