Compare commits
13 Commits
master
...
release4.0
Author | SHA1 | Date | |
---|---|---|---|
e71ddc3075 | ||
f22e19bf37 | ||
dcd14a4697 | ||
4f2a86d956 | ||
cb782bd07b | ||
1cf11798ec | ||
154031d7cf | ||
cc60e99eec | ||
3ea1fa775d | ||
51d74f777d | ||
4f0152ba7c | ||
13d6c90561 | ||
1b9d4f5e01 |
@ -1,8 +1,7 @@
|
||||
sudo: required
|
||||
dist: trusty
|
||||
dist: bionic
|
||||
language: generic
|
||||
install: git clone https://github.com/QubesOS/qubes-builder ~/qubes-builder
|
||||
script: ~/qubes-builder/scripts/travis-build
|
||||
env:
|
||||
- DIST_DOM0=fc25 USE_QUBES_REPO_VERSION=4.0 USE_QUBES_REPO_TESTING=1
|
||||
- DIST_DOM0=fc29 USE_QUBES_REPO_VERSION=4.1 USE_QUBES_REPO_TESTING=1
|
||||
|
@ -1,5 +1,28 @@
|
||||
#!/bin/bash
|
||||
|
||||
escape_args() {
|
||||
local eargs=""
|
||||
|
||||
for arg in "$@"; do
|
||||
printf -v eargs '%s%q ' "$eargs" "$arg"
|
||||
done
|
||||
|
||||
echo "${eargs%?}"
|
||||
}
|
||||
|
||||
find_regex_in_args() {
|
||||
local regex="${1}"
|
||||
shift 1
|
||||
|
||||
for arg in "${@}"; do
|
||||
if echo "${arg}" | grep -q -e "${regex}"; then
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
|
||||
return 1
|
||||
}
|
||||
|
||||
UPDATEVM=`qubes-prefs --force-root updatevm`
|
||||
UPDATES_STAT_FILE=/var/lib/qubes/updates/dom0-updates-available
|
||||
|
||||
@ -22,11 +45,11 @@ if [ "$1" = "--help" ]; then
|
||||
exit
|
||||
fi
|
||||
|
||||
PKGS=
|
||||
YUM_OPTS=
|
||||
PKGS=()
|
||||
YUM_OPTS=()
|
||||
GUI=
|
||||
CHECK_ONLY=
|
||||
ALL_OPTS="$*"
|
||||
ALL_OPTS=( "${@}" )
|
||||
YUM_ACTION=
|
||||
QVMRUN_OPTS=
|
||||
CLEAN=
|
||||
@ -51,10 +74,10 @@ while [ $# -gt 0 ]; do
|
||||
YUM_ACTION=${1#--action=}
|
||||
;;
|
||||
-*)
|
||||
YUM_OPTS="$YUM_OPTS $1"
|
||||
YUM_OPTS+=( "${1}" )
|
||||
;;
|
||||
*)
|
||||
PKGS="$PKGS $1"
|
||||
PKGS+=( "${1}" )
|
||||
if [ -z "$YUM_ACTION" ]; then
|
||||
YUM_ACTION=install
|
||||
fi
|
||||
@ -66,13 +89,16 @@ done
|
||||
# Prevent implicit update of template - this would override user changes -
|
||||
# but do allow explicit template upgrade, downgrade, reinstall
|
||||
if [ "$YUM_ACTION" == "reinstall" ] || [ "$YUM_ACTION" == "upgrade" ] || [ "$YUM_ACTION" == "upgrade-to" ] \
|
||||
|| [ "$YUM_ACTION" == "downgrade" ] && [[ "$PKGS" == *"qubes-template-"* ]]; then
|
||||
TEMPLATE_EXCLUDE_OPTS=""
|
||||
|| [ "$YUM_ACTION" == "downgrade" ] && find_regex_in_args '^qubes-template-' "${PKGS[@]}"; then
|
||||
TEMPLATE_EXCLUDE_OPTS=()
|
||||
echo "WARNING: Replacing a template will erase all files in template's /home and /rw !"
|
||||
|
||||
ONEPKG=`cut -f 1 -d ' ' <<<$PKGS`
|
||||
if [[ "$ONEPKG" == "qubes-template-"* ]] && [[ "$ONEPKG" == "${PKGS#\ }" ]]; then # test "$PKGS" minus space
|
||||
ONEPKG=`sed -r 's/-[0-9]+(\.[0-9-]+)+(\.noarch)*$//' <<<$ONEPKG` # Remove version suffix
|
||||
# At least one package name matches the regex '^qubes-template-',
|
||||
# so if there is only one package name in the array, then the
|
||||
# code can safely assume that the array includes only a template
|
||||
# package name.
|
||||
if [[ ${#PKGS[@]} -eq 1 ]]; then
|
||||
ONEPKG="$(echo "${PKGS[0]}" | sed -r 's/-[0-9]+(\.[0-9-]+)+(\.noarch)*$//')" # Remove version suffix
|
||||
TEMPLATE=${ONEPKG#qubes-template-} # Remove prefix
|
||||
|
||||
if qvm-shutdown --wait $TEMPLATE ; then
|
||||
@ -96,12 +122,13 @@ if [ "$YUM_ACTION" == "reinstall" ] || [ "$YUM_ACTION" == "upgrade" ] || [ "$YUM
|
||||
exit 1
|
||||
fi
|
||||
elif [ "$YUM_ACTION" == "search" ] || [ "$YUM_ACTION" == "info" ]; then # No need to shutdown for search/info
|
||||
TEMPLATE_EXCLUDE_OPTS=""
|
||||
TEMPLATE_EXCLUDE_OPTS=()
|
||||
else
|
||||
TEMPLATE_EXCLUDE_OPTS="--exclude=`rpm -qa --qf '%{NAME},' qubes-template-\*|head -c -1`"
|
||||
TEMPLATE_EXCLUDE_OPTS=( "--exclude=$(rpm -qa --qf '%{NAME},' qubes-template-\*|head -c -1)" )
|
||||
fi
|
||||
YUM_OPTS="$TEMPLATE_EXCLUDE_OPTS $YUM_OPTS"
|
||||
ALL_OPTS="$TEMPLATE_EXCLUDE_OPTS $ALL_OPTS"
|
||||
|
||||
YUM_OPTS=( "${TEMPLATE_EXCLUDE_OPTS[@]}" "${YUM_OPTS[@]}" )
|
||||
ALL_OPTS=( "${TEMPLATE_EXCLUDE_OPTS[@]}" "${ALL_OPTS[@]}" )
|
||||
|
||||
ID=$(id -ur)
|
||||
if [ $ID != 0 -a -z "$GUI" -a -z "$CHECK_ONLY" ] ; then
|
||||
@ -109,7 +136,7 @@ if [ $ID != 0 -a -z "$GUI" -a -z "$CHECK_ONLY" ] ; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$GUI" == "1" -a -n "$PKGS" ]; then
|
||||
if [ "$GUI" == "1" -a ${#PKGS[@]} -ne 0 ]; then
|
||||
echo "ERROR: GUI mode can be used only for updates" >&2
|
||||
exit 1
|
||||
fi
|
||||
@ -174,7 +201,7 @@ qvm-run --nogui -q $UPDATEVM 'rm -rf /var/lib/qubes/dom0-updates/etc' || exit 1
|
||||
tar c /var/lib/rpm /etc/yum.repos.d /etc/yum.conf 2>/dev/null | \
|
||||
qvm-run --nogui -q --pass-io "$UPDATEVM" 'LC_MESSAGES=C tar x -C /var/lib/qubes/dom0-updates 2>&1 | grep -v -E "s in the future"'
|
||||
|
||||
qvm-run $QVMRUN_OPTS --pass-io $UPDATEVM "script --quiet --return --command '/usr/lib/qubes/qubes-download-dom0-updates.sh --doit --nogui $ALL_OPTS' /dev/null"
|
||||
qvm-run $QVMRUN_OPTS --pass-io $UPDATEVM "script --quiet --return --command '/usr/lib/qubes/qubes-download-dom0-updates.sh --doit --nogui $(escape_args "${ALL_OPTS[@]}")' /dev/null" < /dev/null
|
||||
RETCODE=$?
|
||||
if [ "$CHECK_ONLY" == "1" ]; then
|
||||
exit $RETCODE
|
||||
@ -195,18 +222,18 @@ if [ -z "$YUM_ACTION" ]; then
|
||||
YUM_ACTION=upgrade
|
||||
fi
|
||||
|
||||
if [ -n "$PKGS" ]; then
|
||||
if [ ${#PKGS[@]} -gt 0 ]; then
|
||||
if [ -n "$TEMPLATE" ]; then
|
||||
TEMPLATE_NETVM=$(qvm-prefs --force-root $TEMPLATE netvm)
|
||||
fi
|
||||
|
||||
dnf $YUM_OPTS $YUM_ACTION $PKGS ; RETCODE=$?
|
||||
dnf "${YUM_OPTS[@]}" $YUM_ACTION "${PKGS[@]}" ; RETCODE=$?
|
||||
|
||||
if [ -n "$TEMPLATE_BACKUP" -a "$RETCODE" -eq 0 ]; then
|
||||
# Remove backup, if we made one. Better to do this only on success and
|
||||
# potentially leave extra backups around than do it on an exit trap and
|
||||
# clean up more reliably but potentially brick a system.
|
||||
qvm-remove -- "$TEMPLATE_BACKUP"
|
||||
qvm-remove -f -- "$TEMPLATE_BACKUP"
|
||||
fi
|
||||
|
||||
if [ -n "$TEMPLATE" -a -n "$TEMPLATE_NETVM" -a x"$TEMPLATE_NETVM" != xNone ]; then
|
||||
@ -224,7 +251,7 @@ elif [ -f /var/lib/qubes/updates/repodata/repomd.xml ]; then
|
||||
else
|
||||
dnf check-update
|
||||
if [ $? -eq 100 ]; then # Run dnf with options
|
||||
dnf $YUM_OPTS $YUM_ACTION
|
||||
dnf "${YUM_OPTS[@]}" $YUM_ACTION
|
||||
fi
|
||||
fi
|
||||
dnf -q check-update && qvm-features dom0 updates-available ''
|
||||
|
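Review bot: The `$(escape_args "${ALL_OPTS[@]}")` on the new qvm-run line (the `script --quiet --return --command '...'` call) is embedded inside a single-quoted string, but `printf %q` renders a single quote as `\'` (and falls back to the `$'...'` form for non-printable characters), and inside `'...'` that quote terminates the string, so any option or package name containing `'` breaks the remote command instead of being passed through. Escape for the single-quote context as well before embedding: `ESCAPED=$(escape_args "${ALL_OPTS[@]}")` then `ESCAPED=${ESCAPED//\'/\'\\\'\'}` and use `$ESCAPED` inside the quotes, so the remote bash yields the `%q` form intact and the `sh -c` run by `script` then undoes the `%q` escaping. The `$QVMRUN_OPTS` and `$UPDATEVM` expansions on the same line are pre-existing but still word-split and glob, which is the class of problem this commit is otherwise fixing; `"$UPDATEVM"` is already quoted that way two lines above.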
@ -31,13 +31,12 @@ updates_dir = "/var/lib/qubes/updates"
|
||||
updates_rpm_dir = updates_dir + "/rpm"
|
||||
updates_repodata_dir = updates_dir + "/repodata"
|
||||
updates_error_file = updates_dir + "/errors"
|
||||
updates_error_file_handle = None
|
||||
|
||||
comps_file = None
|
||||
if os.path.exists('/usr/share/qubes/Qubes-comps.xml'):
|
||||
comps_file = '/usr/share/qubes/Qubes-comps.xml'
|
||||
|
||||
package_regex = re.compile(r"^[A-Za-z0-9._+-]{1,128}.rpm$")
|
||||
package_regex = re.compile(r"^[A-Za-z0-9._+-]{1,128}\.rpm$")
|
||||
# example valid outputs:
|
||||
# .....rpm: rsa sha1 (md5) pgp md5 OK
|
||||
# .....rpm: (sha1) dsa sha1 md5 gpg OK
|
||||
@ -47,18 +46,15 @@ package_regex = re.compile(r"^[A-Za-z0-9._+-]{1,128}.rpm$")
|
||||
gpg_ok_regex = re.compile(r": [a-z0-9() ]* (pgp|gpg) [a-z0-9 ]*OK$")
|
||||
|
||||
|
||||
def dom0updates_fatal(pkg, msg):
|
||||
global updates_error_file_handle
|
||||
def dom0updates_fatal(msg):
|
||||
print(msg, file=sys.stderr)
|
||||
if updates_error_file_handle is None:
|
||||
updates_error_file_handle = open(updates_error_file, "a")
|
||||
updates_error_file_handle.write(msg + "\n")
|
||||
os.remove(pkg)
|
||||
with open(updates_error_file, "a") as updates_error_file_handle:
|
||||
updates_error_file_handle.write(msg + "\n")
|
||||
shutil.rmtree(updates_rpm_dir)
|
||||
exit(1)
|
||||
|
||||
|
||||
def handle_dom0updates(updatevm):
|
||||
global updates_error_file_handle
|
||||
|
||||
source = os.getenv("QREXEC_REMOTE_DOMAIN")
|
||||
if source != updatevm.name:
|
||||
print('Domain ' + str(source) + ' not allowed to send dom0 updates',
|
||||
@ -77,14 +73,14 @@ def handle_dom0updates(updatevm):
|
||||
os.mkdir(updates_rpm_dir)
|
||||
os.chown(updates_rpm_dir, -1, qubes_gid)
|
||||
os.chmod(updates_rpm_dir, 0o0775)
|
||||
subprocess.check_call(["/usr/libexec/qubes/qfile-dom0-unpacker",
|
||||
str(os.getuid()), updates_rpm_dir])
|
||||
# Verify received files
|
||||
for untrusted_f in os.listdir(updates_rpm_dir):
|
||||
if not package_regex.match(untrusted_f):
|
||||
dom0updates_fatal(updates_rpm_dir + '/' + untrusted_f,
|
||||
'Domain ' + source + ' sent unexpected file: ' + untrusted_f)
|
||||
else:
|
||||
try:
|
||||
subprocess.check_call(["/usr/libexec/qubes/qfile-dom0-unpacker",
|
||||
str(os.getuid()), updates_rpm_dir])
|
||||
# Verify received files
|
||||
for untrusted_f in os.listdir(updates_rpm_dir):
|
||||
if not package_regex.match(untrusted_f):
|
||||
raise Exception(
|
||||
'Domain ' + source + ' sent unexpected file')
|
||||
f = untrusted_f
|
||||
assert '/' not in f
|
||||
assert '\0' not in f
|
||||
@ -92,19 +88,19 @@ def handle_dom0updates(updatevm):
|
||||
|
||||
full_path = updates_rpm_dir + "/" + f
|
||||
if os.path.islink(full_path) or not os.path.isfile(full_path):
|
||||
dom0updates_fatal(
|
||||
full_path, 'Domain ' + source + ' sent not regular file')
|
||||
raise Exception(
|
||||
'Domain ' + source + ' sent not regular file')
|
||||
p = subprocess.Popen(["/bin/rpm", "-K", full_path],
|
||||
stdout=subprocess.PIPE)
|
||||
output = p.communicate()[0].decode('ascii')
|
||||
if p.returncode != 0:
|
||||
dom0updates_fatal(full_path,
|
||||
raise Exception(
|
||||
'Error while verifing %s signature: %s' % (f, output))
|
||||
if not gpg_ok_regex.search(output.strip()):
|
||||
dom0updates_fatal(full_path,
|
||||
raise Exception(
|
||||
'Domain ' + source + ' sent not signed rpm: ' + f)
|
||||
if updates_error_file_handle is not None:
|
||||
updates_error_file_handle.close()
|
||||
except Exception as e:
|
||||
dom0updates_fatal(str(e))
|
||||
# After updates received - create repo metadata
|
||||
createrepo_cmd = ["/usr/bin/createrepo_c"]
|
||||
if comps_file:
|
||||
@ -128,4 +124,6 @@ def main():
|
||||
exit(1)
|
||||
handle_dom0updates(updatevm)
|
||||
|
||||
main()
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
|
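Review bot: `shutil.rmtree(updates_rpm_dir)` in the new dom0updates_fatal is now the only cleanup path and has no error handling, so if the directory is missing or a file cannot be removed the function dies with a traceback before reaching `exit(1)` — the status is still non-zero, but the partially received directory is left behind. Consider `shutil.rmtree(updates_rpm_dir, ignore_errors=True)` followed by `sys.exit(1)`; `exit` is the interactive `site` helper, and `sys` is already imported in this file for the stderr print. A one-line docstring on dom0updates_fatal saying it never returns would also help, because the new `except Exception as e: dom0updates_fatal(str(e))` in handle_dom0updates relies on exactly that to keep the createrepo step from running on rejected input.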
@ -708,6 +708,8 @@ int main(int argc, char **argv)
|
||||
usage(argv[0]);
|
||||
remote_cmdline = argv[optind];
|
||||
|
||||
signal(SIGPIPE, SIG_IGN);
|
||||
|
||||
register_exec_func(&do_exec);
|
||||
|
||||
if (just_exec + connect_existing + (local_cmdline != 0) > 1) {
|
||||
|
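Review bot: The new `signal(SIGPIPE, SIG_IGN);` carries no comment saying why it is needed, and since it is placed before register_exec_func it presumably also applies to whatever is exec'd later (not visible here). Add `/* ignore SIGPIPE so a peer closing its end shows up as EPIPE from write() instead of killing the process */` above it, and if the exec'd command is expected to keep the default disposition, note that too, because an ignored signal disposition is inherited across exec. main() starts and ends outside this hunk.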
@ -127,6 +127,7 @@ install -m 0440 -D system-config/qubes.sudoers $RPM_BUILD_ROOT/etc/sudoers.d/qub
|
||||
install -D system-config/polkit-1-qubes-allow-all.rules $RPM_BUILD_ROOT/etc/polkit-1/rules.d/00-qubes-allow-all.rules
|
||||
install -D system-config/qubes-dom0.modules $RPM_BUILD_ROOT/etc/sysconfig/modules/qubes-dom0.modules
|
||||
install -D system-config/qubes-sync-clock.cron $RPM_BUILD_ROOT/etc/cron.d/qubes-sync-clock.cron
|
||||
install -D system-config/lvm-cleanup.cron-daily $RPM_BUILD_ROOT/etc/cron.daily/lvm-cleanup
|
||||
install -d $RPM_BUILD_ROOT/etc/udev/rules.d
|
||||
install -m 644 system-config/00-qubes-ignore-devices.rules $RPM_BUILD_ROOT/etc/udev/rules.d/
|
||||
install -m 644 system-config/12-qubes-ignore-lvm-devices.rules $RPM_BUILD_ROOT/etc/udev/rules.d/
|
||||
@ -235,6 +236,7 @@ chmod -x /etc/grub.d/10_linux
|
||||
%config /etc/udev/rules.d/00-qubes-ignore-devices.rules
|
||||
%config /etc/udev/rules.d/12-qubes-ignore-lvm-devices.rules
|
||||
%attr(0644,root,root) /etc/cron.d/qubes-sync-clock.cron
|
||||
/etc/cron.daily/lvm-cleanup
|
||||
%config(noreplace) /etc/profile.d/zz-disable-lesspipe.sh
|
||||
%config(noreplace) /etc/dnf/protected.d/qubes-core-dom0.conf
|
||||
/usr/lib/systemd/system-preset/75-qubes-dom0.preset
|
||||
|
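Review bot: The new `install -D system-config/lvm-cleanup.cron-daily $RPM_BUILD_ROOT/etc/cron.daily/lvm-cleanup` line omits `-m`, so the installed mode is whatever `install` defaults to (0755 on GNU coreutils), while the neighbouring lines pin their modes (`-m 0440`, `-m 644`); a cron.daily script must be executable, so make that explicit with `install -m 0755 -D system-config/lvm-cleanup.cron-daily $RPM_BUILD_ROOT/etc/cron.daily/lvm-cleanup`. For the same reason the `%files` entry `/etc/cron.daily/lvm-cleanup` in the second hunk could carry `%attr(0755,root,root)` like the cron.d entry just above it, so the packaged mode does not depend on the build environment.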
3
system-config/lvm-cleanup.cron-daily
Executable file
3
system-config/lvm-cleanup.cron-daily
Executable file
@ -0,0 +1,3 @@
|
||||
#!/bin/sh
|
||||
|
||||
find /etc/lvm/archive/ -type f -mtime +1 -name '*.vg' -delete
|
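Review bot: The new cron job deletes LVM metadata archives with no comment on the intent, and `-mtime +1` keeps only archives at least two full days old (find truncates age to whole days, so `+1` means 2 or more), which is the entire vgcfgrestore rollback window left after this runs. Add a comment above the find stating both, e.g. `# Qubes volume churn fills /etc/lvm/archive quickly; keep only the last two days of vgcfgrestore metadata`. lvm.conf's `backup` section has `retain_days` and `retain_min` for this purpose and preserves a minimum number of archives regardless of age, which an unconditional `-delete` does not; if that was considered and rejected, a comment saying why would save the next reader the same question.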