Since the rules are no more directly handed to echo -e, sed needs to
handle all escape sequences used in rules (newline only, but in
different notations).
(cherry picked from commit 4dbd9e205c)
Conflicts:
network/qubes-firewall
Merge tag 'hw42_62a0b065' into release2
tag for commit 62a0b065ab
# gpg: Signature made Thu Feb 5 04:31:51 2015 CET using RSA key ID E09C093C
# gpg: Good signature from "HW42 (Qubes Signing Key) <hw42-qubes@ipsumj.de>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FC1A C023 76D0 4C68 341F 406F 8C05 216C E09C 093C
Merge tag 'hw42_de9b3b55' into release2
tag for commit de9b3b55a6
# gpg: Signature made Thu Feb 5 04:04:48 2015 CET using RSA key ID E09C093C
# gpg: Good signature from "HW42 (Qubes Signing Key) <hw42-qubes@ipsumj.de>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FC1A C023 76D0 4C68 341F 406F 8C05 216C E09C 093C
Generate user-groups via -U instead of explicitly via groupadd. This also
fixes the problem that the tinyproxy group was not generated as
"system"-group.
Also suppress unneeded output of the existence test.
Merge tag 'hw42_413d6ffa' into release2
tag for commit 413d6ffa0e
# gpg: Signature made Thu Feb 5 03:25:02 2015 CET using RSA key ID E09C093C
# gpg: Good signature from "HW42 (Qubes Signing Key) <hw42-qubes@ipsumj.de>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FC1A C023 76D0 4C68 341F 406F 8C05 216C E09C 093C
Merge tag 'hw42_977da9cc' into release2
tag for commit 977da9ccef
# gpg: Signature made Wed Feb 4 16:24:38 2015 CET using RSA key ID E09C093C
# gpg: Good signature from "HW42 (Qubes Signing Key) <hw42-qubes@ipsumj.de>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FC1A C023 76D0 4C68 341F 406F 8C05 216C E09C 093C
Starting services in the postinst script doesn't make much sense since
the package is normally installed in the template. In addition the start
can fail when executed through a trigger.
/etc/iptables/rules.* are already part of the package.
The removed code has never done anything in Debian (since
/etc/iptables/rules.* already exists).
This patch introduces two new qvm-services:
- disable-default-route
- disable-dns-server
Both disabled by default. You can enable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.
This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C7FB59.2020603%40openmailbox.org
/proc is needed to link files opened with O_TMPFILE to the filesystem.
If not available, fall back to using permissions to block file access,
instead of failing the whole file copy.
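The fallback this commit message describes, as an added sketch that is not the Qubes unpacker code: the helper name `write_hidden_until_done`, its return convention and the sample arguments are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Qubes code): write `data` to dir/name so that no
 * other process can read the file before it is complete.
 * Returns 1 if O_TMPFILE + /proc linking was used, 0 if the permission
 * fallback was used, -1 on error (including "name already exists"). */
int write_hidden_until_done(const char *dir, const char *name,
                            const char *data, mode_t final_mode)
{
    char path[4096], procpath[64];
    size_t len = strlen(data);
    snprintf(path, sizeof(path), "%s/%s", dir, name);

    /* Preferred: an unnamed inode that has no directory entry until linked. */
    int fd = open(dir, O_TMPFILE | O_WRONLY, 0600);
    if (fd >= 0) {
        snprintf(procpath, sizeof(procpath), "/proc/self/fd/%d", fd);
        if (write(fd, data, len) == (ssize_t)len &&
            fchmod(fd, final_mode) == 0 &&
            linkat(AT_FDCWD, procpath, AT_FDCWD, path,
                   AT_SYMLINK_FOLLOW) == 0) {
            close(fd);
            return 1;
        }
        /* /proc missing or link refused: closing frees the unnamed inode. */
        close(fd);
    }

    /* Fallback: a named file created with mode 000, so it is visible but
     * not openable by unprivileged users; permissions are granted only
     * after the content is complete. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0);
    if (fd < 0)
        return -1;
    if (write(fd, data, len) != (ssize_t)len ||
        fchmod(fd, final_mode) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return 0;
}
```

The fallback is weaker than the O_TMPFILE path: the name exists in the directory during the transfer, and mode 000 does not stop root from opening it.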
This patch introduces two new qvm-services:
- set-default-route
- set-dns-server
Both enabled by default. You can disable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.
This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C39656.3090303%40openmailbox.org
Otherwise, when the user moves a directory, which is still in transfer,
somewhere else, it could allow a malicious source domain to escape the chroot
and place a file in an arbitrary location.
It looks like a bind mount is just enough - a simple rename fails with
EXDEV, so tools are forced to perform copy+delete, which is enough to
keep the unpacker process away from the new file location.
One inconvenient detail is that we must clean up the mount after the transfer
finishes, so root perms cannot be dropped completely. We keep a separate
process for only that reason.