From 328430d3bf3022463c99fd27befbb1fe4afc905a Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sat, 7 Feb 2015 04:51:45 -0500 Subject: [PATCH 1/5] debian: Remove 'exit 0' in maintainer section scripts to all other debhelpers (if any) to also execute --- debian/qubes-core-agent.postinst | 1 - debian/qubes-core-agent.preinst | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index beeb3f2..faccf83 100755 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst @@ -412,7 +412,6 @@ case "${1}" in ;; esac done - exit 0 ;; *) diff --git a/debian/qubes-core-agent.preinst b/debian/qubes-core-agent.preinst index 2779846..30ee1db 100755 --- a/debian/qubes-core-agent.preinst +++ b/debian/qubes-core-agent.preinst @@ -57,11 +57,10 @@ if [ "$1" = "install" ] ; then } usermod -p '' root usermod -L user - exit 0 fi if [ "$1" = "upgrade" ] ; then - exit 0 + true fi # dh_installdeb will replace this with shell code automatically From ccff1f3149e6a07cb7d2a28c57cb2aac02dbd465 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sat, 7 Feb 2015 06:07:35 -0500 Subject: [PATCH 2/5] Add a qubes group and then add the user 'user' to the group This is to allow permissions to be set on some devices where the user needs less restrictive permissions. /etc/udev/rules.d/99-qubes-misc.rules changes a few xen devices to allow the users in the qubes group access --- archlinux/PKGBUILD.install | 4 ++++ debian/qubes-core-agent.preinst | 30 ++++++++++++++++++------------ rpm_spec/core-vm.spec | 7 ++++++- 3 files changed, 28 insertions(+), 13 deletions(-) diff --git a/archlinux/PKGBUILD.install b/archlinux/PKGBUILD.install index 40be6fa..3b1e8a4 100644 --- a/archlinux/PKGBUILD.install +++ b/archlinux/PKGBUILD.install 
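Review bot: The bare `true` left in the upgrade branch of the preinst hunk reads like leftover code, and nothing says why the branch must stay empty; a comment would stop someone restoring the `exit 0`, e.g. `# nothing to do on upgrade; fall through so the dh_installdeb-generated code below still runs`. The same reasoning applies to the `exit 0` dropped from the postinst case arm in this patch's first hunk, where the arm now falls through to the rest of the script. The `if` chain in the preinst continues outside the hunk.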
@@ -209,9 +209,13 @@ pre_install() { # Add qubes core related fstab entries echo "xen /proc/xen xenfs defaults 0 0" >> /etc/fstab + # Add a qubes group + groupadd --force --system --gid 98 qubes + # Archlinux bash version has a 'bug' when running su -c, /etc/profile is not loaded because bash consider there is no interactive pty when running 'su - user -c' or something like this. # See https://bugs.archlinux.org/task/31831 useradd --shell /bin/zsh --create-home user + usermod --groups qubes user } ## arg 1: the new package version diff --git a/debian/qubes-core-agent.preinst b/debian/qubes-core-agent.preinst index 30ee1db..e99f74a 100755 --- a/debian/qubes-core-agent.preinst +++ b/debian/qubes-core-agent.preinst @@ -34,6 +34,24 @@ set -e # the debian-policy package if [ "$1" = "install" ] ; then + # -------------------------------------------------------------------------- + # Required groups + # -------------------------------------------------------------------------- + groupadd --force --system --gid 98 qubes + groupadd --force --system sudo + + # -------------------------------------------------------------------------- + # User add / modifications + # -------------------------------------------------------------------------- + id -u 'user' >/dev/null 2>&1 || { + useradd --user-group --create-home --shell /bin/bash user + } + id -u 'tinyproxy' >/dev/null 2>&1 || { + useradd --user-group --system -M --home /run/tinyproxy --shell /bin/false tinyproxy + } + usermod -p '' root + usermod -L --groups qubes,sudo user + # -------------------------------------------------------------------------- # Create required directories # -------------------------------------------------------------------------- 
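Review bot: `usermod --groups qubes user` hands usermod a complete replacement list of supplementary groups, so every membership the account already had is dropped; it is harmless here because useradd created the account on the previous line, but the same form in this patch's debian preinst hunk (`usermod -L --groups qubes,sudo user`) and rpm %pre hunk runs against accounts that may already exist. Use `usermod --append --groups qubes user` in all three places so the change only adds the membership. Note also that `groupadd --force --gid 98` silently chooses another GID when 98 is already taken, so nothing else should assume the qubes group is numbered 98; a comment such as `# --force: fine if the group exists; GID 98 is only a preference` would make that explicit. pre_install continues outside the hunk.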
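Review bot: The group setup is placed inside the `if [ "$1" = "install" ]` branch, so an existing installation that is upgraded never gets `user` into the qubes group, yet this series makes evtchn and privcmd access depend on that membership; the groupadd/usermod lines should run on upgrade as well (the rpm %pre hunk in this patch does run them unconditionally). Separately, `usermod -L --groups qubes,sudo user` no longer grants the dialout, cdrom, floppy, audio, dip, video and plugdev memberships that the removed `useradd -U -G ...` line in the next hunk gave, and the commit message mentions only the qubes group; if the narrowing is deliberate, say so in the "User add / modifications" comment, otherwise write `usermod -L --append --groups qubes,sudo,dialout,cdrom,floppy,audio,dip,video,plugdev user`. The `if` body continues outside the hunk.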
@@ -45,18 +63,6 @@ if [ "$1" = "install" ] ; then # Remove `mesg` from root/.profile? # -------------------------------------------------------------------------- sed -i -e '/^mesg n/d' /root/.profile - - # -------------------------------------------------------------------------- - # User add / modifications - # -------------------------------------------------------------------------- - id -u 'user' >/dev/null 2>&1 || { - useradd -U -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user - } - id -u 'tinyproxy' >/dev/null 2>&1 || { - useradd -U -r -M --home /run/tinyproxy --shell /bin/false tinyproxy - } - usermod -p '' root - usermod -L user fi if [ "$1" = "upgrade" ] ; then diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index fd02ce4..d55e07e 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -111,6 +111,12 @@ for dir in qubes-rpc qrexec misc; do done %pre +# Make sure there is a qubes group +groupadd --force --system --gid 98 qubes +id -u 'user' >/dev/null 2>&1 || { + useradd --user-group --create-home --shell /bin/bash user +} +usermod --groups qubes user if [ "$1" != 1 ] ; then # do this whole %pre thing only when updating for the first time... @@ -122,7 +128,6 @@ if [ -e /etc/fstab ] ; then mv /etc/fstab /var/lib/qubes/fstab.orig fi -adduser --create-home user usermod -p '' root usermod -L user From 4366dd9ba7063b33c11c8b75b45b3399ab2e0ff6 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sat, 7 Feb 2015 06:18:13 -0500 Subject: [PATCH 3/5] Remove 'xen.evtchn' udev rule This rule already gets set in linux-utils linux-utils/udev/udev-qubes-misc.rules:KERNEL=="xen/evtchn", MODE="0660", GROUP="qubes" --- misc/udev-qubes-misc.rules | 1 - 1 file changed, 1 deletion(-) diff --git a/misc/udev-qubes-misc.rules b/misc/udev-qubes-misc.rules index cf69b73..9a0c95a 100644 --- a/misc/udev-qubes-misc.rules +++ b/misc/udev-qubes-misc.rules 
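Review bot: The added %pre lines run on every install and upgrade, and `usermod --groups qubes user` replaces the account's whole supplementary group list each time, so any group an administrator added to `user` is silently removed on every package update; `usermod --append --groups qubes user` limits the effect to adding the membership. The block is deliberately placed before the `if [ "$1" != 1 ]` guard so that existing VMs pick up the qubes group, which deserves a one-line comment, e.g. `# unconditional: existing installs must gain the qubes membership on upgrade too`. The %pre scriptlet continues outside the hunk.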
@@ -1,2 +1 @@ SUBSYSTEM=="memory", ACTION=="add", ATTR{state}=="offline", ATTR{state}="online" -KERNEL=="xen/evtchn", MODE="0666" From 87bf833368a22d5117815158fe2a3c4e830c4a4b Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sat, 7 Feb 2015 06:26:51 -0500 Subject: [PATCH 4/5] Set permissions to /proc/xen/privcmd, so a user in qubes group can access --- vm-systemd/qubes-sysinit.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh index 877447e..ede3b9b 100755 --- a/vm-systemd/qubes-sysinit.sh +++ b/vm-systemd/qubes-sysinit.sh @@ -32,6 +32,10 @@ mkdir -p /var/run/xen-hotplug # Set permissions to /proc/xen/xenbus, so normal user can use qubesdb-read chmod 666 /proc/xen/xenbus +# Set permissions to /proc/xen/privcmd, so a user in qubes group can access +chmod 660 /proc/xen/privcmd +chgrp qubes /proc/xen/privcmd + [ -e /proc/u2mfn ] || modprobe u2mfn # Set permissions to files needed to listen at vchan chmod 666 /proc/u2mfn From 0df84c7796ad400c6f6c576880c791360825784f Mon Sep 17 00:00:00 2001 
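Review bot: The two added lines open /proc/xen/privcmd, Xen's hypercall interface, to every member of the qubes group — which this series makes the unprivileged `user` account a member of — so the comment should record that this is a deliberate privilege grant, e.g. `# privcmd is the hypercall interface; group access is intentional for the qubes group (user is added to it at install time)`. Running chgrp before chmod avoids the brief state where the node is group-writable while still group root, and neither command is guarded against a missing node the way the `[ -e /proc/u2mfn ]` line below is; `if [ -e /proc/xen/privcmd ]; then chgrp qubes /proc/xen/privcmd; chmod 660 /proc/xen/privcmd; fi` covers both. The script continues outside the hunk.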
From: Jason Mehring Date: Tue, 10 Feb 2015 10:40:51 -0500 Subject: [PATCH 5/5] debian: Converted debian package to a quilt package to allow patches Applied patch to qrexec Makefile to prevent compile failure on warnings qrexec: Disable all warnings being treated as errors gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -I. -g -Wall -Wextra -Werror -pie -fPIC `pkg-config --cflags vchan-xen` -D_FORTIFY_SOURCE=2 -c -o qrexec-agent-data.o qrexec-agent-data.c qrexec-agent-data.c: In function 'handle_remote_data': qrexec-agent-data.c:217:17: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing] status = *(unsigned int *)buf; ^ cc1: all warnings being treated as errors : recipe for target 'qrexec-agent-data.o' failed --- Makefile | 4 + debian/README.configuration | 77 +++++++++++++++++++ debian/changelog | 2 +- debian/control | 4 +- ...rexec_disable_all_warnings_as_errors.patch | 19 +++++ debian/patches/series | 1 + debian/rules | 5 +- debian/source/format | 2 +- 8 files changed, 109 insertions(+), 5 deletions(-) create mode 100644 debian/README.configuration create mode 100644 debian/patches/qrexec_disable_all_warnings_as_errors.patch create mode 100644 debian/patches/series diff --git a/Makefile b/Makefile index 1b53112..537c6f8 100644 --- a/Makefile +++ b/Makefile @@ -190,6 +190,10 @@ install-common: install -d $(DESTDIR)/home_volatile/user install -d $(DESTDIR)/rw +# Create a quilt orig package so we can build xen in Debian +dist: + tar cvfz "../qubes-core-agent_$(VERSION).orig.tar.gz" --exclude-vcs --exclude=debian . + install-deb: mkdir -p $(DESTDIR)/etc/apt/sources.list.d sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list diff --git a/debian/README.configuration b/debian/README.configuration new file mode 100644 index 0000000..e36e514 --- /dev/null +++ b/debian/README.configuration 
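Review bot: The comment above the new `dist` target says it exists "so we can build xen in Debian", but what it writes is `qubes-core-agent_$(VERSION).orig.tar.gz`, this package's own upstream tarball for the 3.0 (quilt) source format; `# Create the .orig.tar.gz that dpkg-source expects for the 3.0 (quilt) Debian package` describes it. `dist` is also not declared phony, so a file or directory named dist in the tree would turn the target into a no-op; add `.PHONY: dist` beside it. I assume VERSION is defined earlier in the Makefile, which is outside the hunk, as is the rest of install-common.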
@@ -0,0 +1,77 @@ +Debian Packaging Guide +---------------------- +https://www.debian.org/doc/manuals/maint-guide/first.en.html + + +=============================================================================== + Bash.rc +=============================================================================== +# Assume usename 'user' running this, otherwise +# /home/user/.bashrc +cat >>~/.bashrc <<'EOF' +DEBMAIL="user@chroot.local" +DEBFULLNAME="Qubes Builder" +export DEBMAIL DEBFULLNAME + +alias dquilt="quilt --quiltrc=${HOME}/.quiltrc-dpkg" +complete -F _quilt_completion $_quilt_complete_opt dquilt +EOF + + +=============================================================================== + Quilt RC +=============================================================================== +cat >>~/.quiltrc-dpkg <<'EOF' +d=. ; while [ ! -d $d/debian -a `readlink -e $d` != / ]; do d=$d/..; done +if [ -d $d/debian ] && [ -z $QUILT_PATCHES ]; then + # if in Debian packaging tree with unset $QUILT_PATCHES + QUILT_PATCHES="debian/patches" + QUILT_PATCH_OPTS="--reject-format=unified" + QUILT_DIFF_ARGS="-p ab --no-timestamps --no-index --color=auto" + QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index" + QUILT_COLORS="diff_hdr=1;32:diff_add=1;34:diff_rem=1;31:diff_hunk=1;33:diff_ctx=35:diff_cctx=33" + if ! 
[ -d $d/debian/patches ]; then mkdir $d/debian/patches; fi +fi +EOF + +=============================================================================== + Create a fresh Debian configuration +=============================================================================== +apt-get dh-make + +# Example +$ cd ~/gentoo +$ wget http://example.org/gentoo-0.9.12.tar.gz +$ tar -xvzf gentoo-0.9.12.tar.gz +$ cd gentoo-0.9.12 +$ dh_make -f ../gentoo-0.9.12.tar.gz + + +=============================================================================== + Adding Patches +=============================================================================== +https://www.debian.org/doc/manuals/maint-guide/modify.en.html + +# When anyone (including yourself) provides a patch foo.patch to the source +# later, modifying a 3.0 (quilt) source package is quite simple: +$ dpkg-source -x gentoo_0.9.12.dsc +$ cd gentoo-0.9.12 +$ dquilt import ../foo.patch +$ dquilt push +$ dquilt refresh +$ dquilt header -e +... describe patch + + + +=============================================================================== + Other +=============================================================================== +# To list all dh_ modules... +man -k dh_ + +# To indicate what build-depends are required! +dpkg-depcheck -d ./configure + +# Test build (unsigned) +dpkg-buildpackage -us -uc diff --git a/debian/changelog b/debian/changelog index 5a211fc..90cf085 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -qubes-core-agent (3.0.0) jessie; urgency=medium +qubes-core-agent (3.0.0-1) jessie; urgency=medium [ Marek Marczykowski-Górecki ] * Improve handling of .desktop files diff --git a/debian/control b/debian/control index 6793733..019cf62 100644 --- a/debian/control +++ b/debian/control 
@@ -2,8 +2,8 @@ Source: qubes-core-agent Section: admin Priority: extra Maintainer: Davíð Steinn Geirsson -Build-Depends: qubes-utils (>= 2.0.17), libvchan-xen-dev, python, debhelper, quilt, libxen-dev, dh-systemd (>= 1.5) -Standards-Version: 3.9.3 +Build-Depends: qubes-utils (>= 2.0.17), libvchan-xen-dev, python, debhelper, quilt, libxen-qubes-vm-dev, dh-systemd (>= 1.5) +Standards-Version: 3.9.5 Homepage: http://www.qubes-os.org Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git diff --git a/debian/patches/qrexec_disable_all_warnings_as_errors.patch b/debian/patches/qrexec_disable_all_warnings_as_errors.patch new file mode 100644 index 0000000..f339717 --- /dev/null +++ b/debian/patches/qrexec_disable_all_warnings_as_errors.patch @@ -0,0 +1,19 @@ +qrexec: Disable all warnings being treated as errors + +gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -I. -g -Wall -Wextra -Werror -pie -fPIC `pkg-config --cflags vchan-xen` -D_FORTIFY_SOURCE=2 -c -o qrexec-agent-data.o qrexec-agent-data.c +qrexec-agent-data.c: In function 'handle_remote_data': +qrexec-agent-data.c:217:17: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing] + status = *(unsigned int *)buf; + ^ +cc1: all warnings being treated as errors +: recipe for target 'qrexec-agent-data.o' failed + +--- a/qrexec/Makefile ++++ b/qrexec/Makefile +@@ -1,5 +1,5 @@ + CC=gcc +-CFLAGS+=-I. -g -Wall -Wextra -Werror -pie -fPIC `pkg-config --cflags vchan-$(BACKEND_VMM)` ++CFLAGS+=-I. -g -Wall -Wextra -pie -fPIC `pkg-config --cflags vchan-$(BACKEND_VMM)` + LIBS=`pkg-config --libs vchan-$(BACKEND_VMM)` -lqrexec-utils + + all: qrexec-agent qrexec-client-vm diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..05ecef2 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +qrexec_disable_all_warnings_as_errors.patch diff --git a/debian/rules b/debian/rules index ff4db5c..f9b13cf 100755 --- a/debian/rules 
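Review bot: The new patch deletes `-Werror` from the qrexec CFLAGS line, which silences every current and future warning in that build, while the only failure quoted in its header is the strict-aliasing cast `status = *(unsigned int *)buf;`, undefined behaviour the compiler is right to reject. Either fix the cast in qrexec-agent-data.c (copy the bytes into `status` with memcpy) or, if the build must be unblocked first, keep `-Werror` and add `-Wno-error=strict-aliasing` after it so other warnings stay fatal; the patch header should then state which of the two was chosen and that the cast still needs fixing. The two one-line Makefile changes are the whole patch.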
+++ b/debian/rules @@ -4,10 +4,13 @@ # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/default.mk + export DESTDIR=$(shell pwd)/debian/qubes-core-agent %: - dh $@ --with systemd + dh $@ --with systemd --with autotools-dev override_dh_auto_build: make all diff --git a/debian/source/format b/debian/source/format index 89ae9db..163aaf8 100644 --- a/debian/source/format +++ b/debian/source/format @@ -1 +1 @@ -3.0 (native) +3.0 (quilt)
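Review bot: `dh $@ --with systemd --with autotools-dev` needs the autotools-dev package at build time, but the Build-Depends line rewritten in this patch's debian/control hunk still lists only debhelper, quilt, dh-systemd and the library packages; add `autotools-dev` there, or drop the addon if the tree has no config.sub/config.guess to refresh (not visible from the hunk). `DPKG_EXPORT_BUILDFLAGS = 1` with `include /usr/share/dpkg/default.mk` exports the dpkg build flags into the environment, and with the `override_dh_auto_build: make all` that follows they only reach the compiler where the upstream Makefiles append to CFLAGS rather than assign it, so a comment is worth adding, e.g. `# export dpkg buildflags; qrexec/Makefile uses CFLAGS+= so the hardening flags are picked up`. The rules file continues outside the hunk.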