version 3.0.20

Host suspend notification may be useful not only to driver domains. For
example Whonix needs to resync time after suspend.

Thanks @adrelanos for help.

Fixes QubesOS/qubes-issues#1663

(cherry picked from commit e0c875a367)

dom0-updates/qubes-dom0-update

@@ -86,7 +86,7 @@ if [ "$GUI" == "1" ]; then
         if type $app &>/dev/null; then
             guiapp=$app
             case $guiapp in
-                apper) guiapp="apper --updates" ;;
+                apper) guiapp="apper --updates --nofork" ;;
                 *) guiapp=$app ;;
             esac
             break;
@@ -119,6 +119,7 @@ fi
 
 if [ -n "$CLEAN" ]; then
     rm -f /var/lib/qubes/updates/rpm/*
+    rm -f /var/lib/qubes/updates/repodata/*
 fi
 rm -f /var/lib/qubes/updates/errors
 
@@ -169,5 +170,6 @@ elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then
     fi
     yum -q check-update && rm -f $UPDATES_STAT_FILE
 else
+    rm -f $UPDATES_STAT_FILE
     echo "No updates avaliable" >&2
 fi

dom0-updates/qubes-dom0-updates.cron

@@ -1,7 +1,5 @@
 #!/bin/bash
 
-# Get normal user name 
-LOCAL_USER=`users | sed -e 's/root *//' | cut -d' ' -f 1`
 NOTIFY_ICON=/usr/share/qubes/icons/dom0-update-avail.svg
 UPDATES_STAT_FILE=/var/lib/qubes/updates/dom0-updates-available
 UPDATES_DISABLE_FLAG=/var/lib/qubes/updates/disable-updates
@@ -19,10 +17,7 @@ if [ "$RETCODE" -ne 100 ]; then
     exit $RETCODE
 fi
 
-if [ -z "$LOCAL_USER" ]; then
-    echo "ERROR: no user logged in, cannot nofity about updates" >&2
-    exit 1
-fi
-
 # Touch stat file for qubes-manager
-touch $UPDATES_STAT_FILE
+touch "$UPDATES_STAT_FILE"
+chgrp qubes "$UPDATES_STAT_FILE"
+chmod g+w "$UPDATES_STAT_FILE"

dracut/modules.d/90extra-modules/module-setup.sh

@@ -3,5 +3,9 @@
 
 installkernel() {
     # ehci-hcd split off
-    instmods ehci-pci ehci-platform || :
+    hostonly='' instmods ehci-pci ehci-platform || :
+    # xhci-hcd split off
+    hostonly='' instmods xhci-pci xhci-plat-hcd || :
+    # ohci-hcd split off
+    hostonly='' instmods ohci-pci || :
 }

pm-utils/01qubes-sync-vms-clock

@@ -6,9 +6,9 @@ sync_qubes_vms_wallclock()
     DATE=$(date)
     echo
     echo "Syncing VMs clock to: $DATE"
-    qvm-run --all -u root "date -s \"$DATE\""
+    qvm-run --all -u root --localcmd="date -u -Iseconds" "qubes.SetDateTime dom0"
     # Then try to sync from the network
-    /usr/bin/qvm-sync-clock &
+    /usr/bin/qvm-sync-clock
 }
 
 case "$1" in

pm-utils/52qubes-pause-vms

@@ -12,6 +12,7 @@ if sys.argv[1] in ["suspend", "hibernate"]:
     for vm in qc.values():
         if vm.is_running():
             try:
+                vm.run_service("qubes.SuspendPreAll", user="root")
                 vm.suspend()
             except Exception as e:
                 print >>sys.stderr, "Failed to suspend VM %s: %s" % (vm.name, e.message)
@@ -21,5 +22,6 @@ elif sys.argv[1] in ["resume", "thaw"]:
         if vm.get_power_state() in ["Paused", "Suspended"]:
             try:
                 vm.resume()
+                vm.run_service("qubes.SuspendPostAll", user="root")
             except Exception as e:
                 print >>sys.stderr, "Failed to resume VM %s: %s" % (vm.name, e.message)

qrexec/qrexec-client.c

@@ -170,10 +170,14 @@ void do_exec(const char *prog)
 static void do_exit(int code)
 {
     int status;
-    // sever communication lines; wait for child, if any
+    /* restore flags, as we may have not the only copy of this file descriptor
-    // so that qrexec-daemon can count (recursively) spawned processes correctly
+     */
+    if (local_stdin_fd != -1)
+        set_block(local_stdin_fd);
     close(local_stdin_fd);
     close(local_stdout_fd);
+    // sever communication lines; wait for child, if any
+    // so that qrexec-daemon can count (recursively) spawned processes correctly
     waitpid(-1, &status, 0);
     exit(code);
 }
@@ -269,9 +273,15 @@ static void handle_input(libvchan_t *vchan)
 {
     char buf[MAX_DATA_CHUNK];
     int ret;
+    size_t max_len;
     struct msg_header hdr;
 
-    ret = read(local_stdout_fd, buf, sizeof(buf));
+    max_len = libvchan_buffer_space(vchan)-sizeof(hdr);
+    if (max_len > sizeof(buf))
+        max_len = sizeof(buf);
+    if (max_len == 0)
+        return;
+    ret = read(local_stdout_fd, buf, max_len);
     if (ret < 0) {
         perror("read");
         do_exit(1);
@@ -328,12 +338,25 @@ void do_replace_esc(char *buf, int len) {
 			buf[i] = '_';
 }
 
-static void handle_vchan_data(libvchan_t *vchan)
+static int handle_vchan_data(libvchan_t *vchan, struct buffer *stdin_buf)
 {
     int status;
     struct msg_header hdr;
     char buf[MAX_DATA_CHUNK];
 
+    if (local_stdin_fd != -1) {
+        switch(flush_client_data(local_stdin_fd, stdin_buf)) {
+            case WRITE_STDIN_ERROR:
+                perror("write stdin");
+                close(local_stdin_fd);
+                local_stdin_fd = -1;
+                break;
+            case WRITE_STDIN_BUFFERED:
+                return WRITE_STDIN_BUFFERED;
+            case WRITE_STDIN_OK:
+                break;
+        }
+    }
     if (libvchan_recv(vchan, &hdr, sizeof hdr) < 0) {
         perror("read vchan");
         do_exit(1);
@@ -356,16 +379,29 @@ static void handle_vchan_data(libvchan_t *vchan)
             if (replace_esc_stdout)
                 do_replace_esc(buf, hdr.len);
             if (hdr.len == 0) {
+                /* restore flags, as we may have not the only copy of this file descriptor
+                */
+                if (local_stdin_fd != -1)
+                    set_block(local_stdin_fd);
                 close(local_stdin_fd);
                 local_stdin_fd = -1;
-            } else if (!write_all(local_stdin_fd, buf, hdr.len)) {
+            } else {
-                if (errno == EPIPE) {
+                switch (write_stdin(local_stdin_fd, buf, hdr.len, stdin_buf)) {
-                    // remote side have closed its stdin, handle data in oposite
+                    case WRITE_STDIN_BUFFERED:
-                    // direction (if any) before exit
+                        return WRITE_STDIN_BUFFERED;
-                    local_stdin_fd = -1;
+                    case WRITE_STDIN_ERROR:
-                } else {
+                        if (errno == EPIPE) {
-                    perror("write local stdout");
+                            // local process have closed its stdin, handle data in oposite
-                    do_exit(1);
+                            // direction (if any) before exit
+                            close(local_stdin_fd);
+                            local_stdin_fd = -1;
+                        } else {
+                            perror("write local stdout");
+                            do_exit(1);
+                        }
+                        break;
+                    case WRITE_STDIN_OK:
+                        break;
                 }
             }
             break;
@@ -381,12 +417,17 @@ static void handle_vchan_data(libvchan_t *vchan)
             else
                 memcpy(&status, buf, sizeof(status));
 
+            flush_client_data(local_stdin_fd, stdin_buf);
             do_exit(status);
             break;
         default:
             fprintf(stderr, "unknown msg %d\n", hdr.type);
             do_exit(1);
     }
+    /* intentionally do not distinguish between _ERROR and _OK, because in case
+     * of write error, we simply eat the data - no way to report it to the
+     * other side */
+    return WRITE_STDIN_OK;
 }
 
 static void check_child_status(libvchan_t *vchan)
@@ -409,36 +450,52 @@ static void check_child_status(libvchan_t *vchan)
 static void select_loop(libvchan_t *vchan)
 {
     fd_set select_set;
+    fd_set wr_set;
     int max_fd;
     int ret;
     int vchan_fd;
     sigset_t selectmask;
     struct timespec zero_timeout = { 0, 0 };
     struct timespec select_timeout = { 10, 0 };
+    struct buffer stdin_buf;
 
     sigemptyset(&selectmask);
     sigaddset(&selectmask, SIGCHLD);
     sigprocmask(SIG_BLOCK, &selectmask, NULL);
     sigemptyset(&selectmask);
+    buffer_init(&stdin_buf);
+    /* remember to set back to blocking mode before closing the FD - this may
+     * be not the only copy and some processes may misbehave when get
+     * nonblocking FD for input/output
+     */
+    set_nonblock(local_stdin_fd);
 
     for (;;) {
         vchan_fd = libvchan_fd_for_select(vchan);
         FD_ZERO(&select_set);
+        FD_ZERO(&wr_set);
         FD_SET(vchan_fd, &select_set);
         max_fd = vchan_fd;
-        if (local_stdout_fd != -1 && libvchan_buffer_space(vchan)) {
+        if (local_stdout_fd != -1 &&
+                (size_t)libvchan_buffer_space(vchan) > sizeof(struct msg_header)) {
             FD_SET(local_stdout_fd, &select_set);
             if (local_stdout_fd > max_fd)
                 max_fd = local_stdout_fd;
         }
         if (child_exited && local_stdout_fd == -1)
             check_child_status(vchan);
-        if (libvchan_data_ready(vchan) > 0) {
+        if (local_stdin_fd != -1 && buffer_len(&stdin_buf)) {
+            FD_SET(local_stdin_fd, &wr_set);
+            if (local_stdin_fd > max_fd)
+                max_fd = local_stdin_fd;
+        }
+        if ((local_stdin_fd == -1 || buffer_len(&stdin_buf) == 0) &&
+                libvchan_data_ready(vchan) > 0) {
             /* check for other FDs, but exit immediately */
-            ret = pselect(max_fd + 1, &select_set, NULL, NULL,
+            ret = pselect(max_fd + 1, &select_set, &wr_set, NULL,
                     &zero_timeout, &selectmask);
         } else
-            ret = pselect(max_fd + 1, &select_set, NULL, NULL,
+            ret = pselect(max_fd + 1, &select_set, &wr_set, NULL,
                     &select_timeout, &selectmask);
         if (ret < 0) {
             if (errno == EINTR && local_pid > 0) {
@@ -456,8 +513,18 @@ static void select_loop(libvchan_t *vchan)
         }
         if (FD_ISSET(vchan_fd, &select_set))
             libvchan_wait(vchan);
+        if (buffer_len(&stdin_buf) &&
+                local_stdin_fd != -1 &&
+                FD_ISSET(local_stdin_fd, &wr_set)) {
+            if (flush_client_data(local_stdin_fd, &stdin_buf) == WRITE_STDIN_ERROR) {
+                perror("write stdin");
+                close(local_stdin_fd);
+                local_stdin_fd = -1;
+            }
+        }
         while (libvchan_data_ready(vchan))
-            handle_vchan_data(vchan);
+            if (handle_vchan_data(vchan, &stdin_buf) != WRITE_STDIN_OK)
+                break;
 
         if (local_stdout_fd != -1
                 && FD_ISSET(local_stdout_fd, &select_set))

qrexec/qrexec-policy

@@ -4,7 +4,9 @@ import os
 import os.path
 import subprocess
 from qubes.qubes import vmm
+from qubes.qubes import QubesVmCollection
 import qubes.guihelpers
+import libvirt
 from optparse import OptionParser
 import fcntl
 
@@ -82,45 +84,36 @@ def find_policy(policy, domain, target):
         return iter
     return get_default_policy()
 
-def is_domain_running(target):
-    if target == "dom0":
-        return True
-    libvirt_dom = vmm.libvirt_conn.lookupByName(target)
-    if libvirt_dom:
-        return libvirt_dom.isActive()
-    else:
-        return False
-
 def validate_target(target):
     # special targets
-    if target in ['$dispvm', 'dom0']:
+    if target in ['$dispvm']:
         return True
 
-    from qubes.qubes import QubesVmCollection
-
     qc = QubesVmCollection()
     qc.lock_db_for_reading()
     qc.load()
     qc.unlock_db()
 
-    return qc.get_vm_by_name(target) is not None
+    return qc.get_vm_by_name(target)
 
-def spawn_target_if_necessary(target):
+def spawn_target_if_necessary(vm):
-    if is_domain_running(target):
+    if vm.is_running():
         return
-    null=open("/dev/null", "r+")
+    # use qvm-run instead of vm.start() to make sure that nothing is written
-    subprocess.call(["qvm-run", "-a", "-q", target, "true"], stdin=null, stdout=null)
+    # to stdout and nothing is read from stdin
+    null = open("/dev/null", "r+")
+    subprocess.call(["qvm-run", "-a", "--tray", "-q", vm.name, "true"],
+                    stdin=null, stdout=null)
     null.close()
 
-def do_execute(domain, target, user, service_name, process_ident):
+def do_execute(domain, target, user, service_name, process_ident, vm=None):
     if target == "$dispvm":
         cmd = "/usr/lib/qubes/qfile-daemon-dvm " + service_name + " " + domain + " " +user
         os.execl(QREXEC_CLIENT, "qrexec-client",
                 "-d", "dom0", "-c", process_ident, cmd)
     else:
-        # see the previous commit why "qvm-run -a" is broken and dangerous
+        if isinstance(vm, qubes.qubes.QubesVm):
-        # also, dangling "xl" would keep stderr open and may prevent closing connection
+            spawn_target_if_necessary(vm)
-        spawn_target_if_necessary(target)
         if target == "dom0":
             cmd = QUBES_RPC_MULTIPLEXER_PATH + " " + service_name + " " + domain
         else:
@@ -151,10 +144,25 @@ def add_always_allow(domain, target, service_name, options):
     f.write("".join(lines))
     f.close()
 
+def info_dialog(msg_type, text):
+    if msg_type not in ['info', 'warning', 'error']:
+        raise ValueError("Invalid msg_type value")
+    try:
+        subprocess.call(["/usr/bin/zenity", "--{}".format(msg_type), "--text",
+                         text])
+    except OSError:
+        kdialog_msg_type = {
+            'info': 'msgbox',
+            'warning': 'sorry',
+            'error': 'error'
+        }[msg_type]
+        subprocess.call(["/usr/bin/kdialog", "--{}".format(kdialog_msg_type),
+                         text])
+
 def policy_editor(domain, target, service_name):
     text = "No policy definition found for " + service_name + " action. "
     text+= "Please create a policy file in Dom0 in " + POLICY_FILE_DIR + "/" + service_name
-    subprocess.call(["/usr/bin/zenity", "--info", "--text", text])
+    info_dialog("warning", text)
 
 def main():
     usage = "usage: %prog [options] <src-domain-id> <src-domain> <target-domain> <service> <process-ident>"
@@ -175,11 +183,12 @@ def main():
     # connection
     process_ident+=","+domain+","+domain_id
 
-    if not validate_target(target):
+    vm = validate_target(target)
+    if vm is None:
         print >> sys.stderr, "Rpc failed (unknown domain):", domain, target, service_name
         text = "Domain '%s' doesn't exist (service %s called by domain %s)." % (
                 target, service_name, domain)
-        subprocess.call(["/usr/bin/zenity", "--error", "--text", text])
+        info_dialog("error", text)
         exit(1)
 
     policy_list=read_policy_file(service_name)
@@ -218,7 +227,7 @@ def main():
         else:
             user="DEFAULT"
         print >> sys.stderr, "Rpc allowed:", domain, target, service_name
-        do_execute(domain, target, user, service_name, process_ident)
+        do_execute(domain, target, user, service_name, process_ident, vm=vm)
 
     print >> sys.stderr, "Rpc denied:", domain, target, service_name
     exit(1)

rpm_spec/core-dom0-linux.spec

@@ -43,10 +43,10 @@ URL:		http://www.qubes-os.org
 
 BuildRequires:  ImageMagick
 BuildRequires:  pandoc
-BuildRequires:  qubes-utils-devel >= 2.0.5
+BuildRequires:  qubes-utils-devel >= 3.0.12
 BuildRequires:  qubes-libvchan-devel
 Requires:	qubes-core-dom0
-Requires:	qubes-utils >= 2.0.6
+Requires:	qubes-utils >= 3.0.12
 Requires:	%{name}-kernel-install
 
 %define _builddir %(pwd)

version

@@ -1 +1 @@
-3.0.15
+3.0.20