suzanne.soy/qubes-core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,361 Commits 8 Branches 534 Tags 6.8 MiB
9a142fb654
Commit Graph

75 Commits

Author SHA1 Message Date
Jason Mehring
faf20db7ac
debian: Allow apt-get post hook to fail gracefully (won't work in chroot) 2015-05-01 05:04:17 -04:00
Jason Mehring
d39112fa8c
debian: Only notify dom0 on apt-get post hook; don't update package index 
There is a possiblilty of the apt-get post hook getting triggered
more than once for each apt-get session, therefore we only notify
dom0 that there are no updates available and do not perform an
apt-get update.

The qubes-update-check.service will still perform an update so even
if the dist-upgrade failed and there was actually more files to update
the qubes-update-check.serivce would then at some point notify dom0
about those updates being available
 2015-05-01 01:42:48 -04:00
Jason Mehring
bbcfdd4c90
debian: Update notification now notifies dom0 when an upgrade is completed 2015-04-26 03:29:13 -04:00
Jason Mehring
482f003283 Changed location of PROTECTED_FILE_LIST to /etc/qubes/protected-files.d 2015-04-25 02:29:39 +02:00
Jason Mehring
24cfe20e1f whonix: Added protected-files file used to prevent scripts from modifying files that need to be protected 
A file is created in /var/lib/qubes/protected-files.  Scripts can grep this file before modifying
known files to be protected and skip any modifications if the file path is within protected-files.

Usage Example:
    if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then

Also cleaned up maintainer scripts removing unneeded systemd status functions and streamlined
the enable/disable systemd unit files functions
 2015-04-25 02:29:38 +02:00
Marek Marczykowski-Górecki
24224496c1 network: restart updates proxy after network change to reload DNS address 2015-04-25 00:16:30 +02:00
Marek Marczykowski-Górecki
a04bcf602b updates-proxy: allow xz compressed metadata (fc21) 
(cherry picked from commit b655d968c4)
 2015-03-05 00:52:31 +01:00
Marek Marczykowski-Górecki
36d9330f36 network: fix handling newline in firewall rules 
Since the rules are no more directly handed to echo -e, sed needs to
handle all escape sequences used in rules (newline only, but in
different notations).

(cherry picked from commit 4dbd9e205c)

Conflicts:
	network/qubes-firewall
 2015-03-05 00:52:14 +01:00
HW42
ec8bf45dd1 remove 'bashisms' or explicit use bash 2015-02-05 03:14:41 +01:00
Marek Marczykowski-Górecki
a714162dfe network: support for not setting DNS and/or default gateway (v2) 
This patch introduces two new qvm-services:
 - disable-default-route
 - disable-dns-server
Both disabled by default. You can enable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.

This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C7FB59.2020603%40openmailbox.org
 2015-01-29 01:10:34 +01:00
Marek Marczykowski-Górecki
b62665d63c network: support for not setting DNS and/or default gateway 
This patch introduces two new qvm-services:
 - set-default-route
 - set-dns-server
Both enabled by default. You can disable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.

This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C39656.3090303%40openmailbox.org
 2015-01-27 00:27:08 +01:00
Marek Marczykowski-Górecki
ceb352a6e0 network: fix NM config preparation 
The same variables are reused to configure downlink in ProxyVM, so
create NM config before they got overrided.
 2014-12-22 00:04:16 +01:00
Marek Marczykowski-Górecki
4ed2abb030 network: set uplink configuration based on MAC (NetworkManager) 2014-12-22 00:03:37 +01:00
Marek Marczykowski-Górecki
584bce7181 Update update-proxy rules for debian security fixes repo 
The name can be "wheezy/updates".
 2014-12-03 00:18:43 +01:00
Marek Marczykowski-Górecki
ea4eef7de8 network: fix indentation 2014-11-13 23:19:34 +01:00
Jason Mehring
848c53adc2 debian: Updated tinyproxy filter rules 2014-11-11 13:38:26 -05:00
Marek Marczykowski-Górecki
427decd793 network: fix NM uplink config permissions 
Otherwise NM will not use the file.
 2014-11-09 05:35:07 +01:00
Marek Marczykowski-Górecki
7027633e80 network: do not use ifcfg-rh NM plugin 
Apparently eth0 in ProxyVM can be configured using plain keyfile plugin,
which is present on all distributions.
 2014-11-09 05:31:22 +01:00
Jason Mehring
44230f7f35 debian: Remove absolute path to xenstore-* 2014-11-07 09:59:41 -05:00
Jason Mehring
a6e6c86764 debian: Made debian proxy filter rules more restrictive 2014-11-07 00:09:13 -05:00
Marek Marczykowski-Górecki
c817bb0282 little fix for the official template 
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCgAGBQJUWE+GAAoJEIwFIWzgnAk8azoQAJPOdglmiJlu+p5nRQ0ZRP6F
 nammIQhOg1oE0hCTX6H4DnEMnaZmFyGj96JWUX3zES8NF9zYvq4sgJCtZVEK35lm
 /Fxe899NpDlHaHwPqnXoYAKWZnMnyx3Z5XTxYb3A8JQdJCVWJPi2qYw2TBb6iBIp
 hzznI3drhOd8rdkFHXGk/FsBjqFP1mn98GDP4N/XLOZUnK+MiWyxrp0c+QVgybRX
 2XOUhsBPbr/XS/fkMBEia1hJhBf+FYJsFeCARGjYnbI+TKMaPrYaIX6DRqjFMhSS
 eEALEWsYsDiYGerWNBNGxbJ7RWsN4vm+WDfKdi7Hp2TgHeH0z93w40VegU3k7Asx
 NjfehCwT3wjMmtUFYhfhYfIop5305LLLJPPkY/ML+u6Mznzr7OkostMeyMhDxcrq
 lSELqg2HDwEsSwtwEz7kP6fYyfpJRd8yndg48cVonatwPwdjoCMiAz93TIF7Tvvz
 xQaNUidkKL8qQi67ArSQUlQlwGJNngwLRhepaMo0FD4JWSQ5pHc00EYxtJio2LPs
 7prv8ETbTj0bcFb/xKNSxBCGOrLdleHAEdhrpvqHa5nUzMiHw+tMuJbX+f0jOx/Q
 OSgx/dvK9GIyxM7UlsS+Whye3iGeNwsA1ai4TL0n1PFM+DjemBjEbfIl2nxLjG3O
 cXas4+wsl0+qXRk/PDOn
 =6kCH
 -----END PGP SIGNATURE-----

Merge tag 'hw42_debian-systemd-3' into debian

Conflicts:
	debian/control
	Merged postinst scripts from hw42 and nrgaway
 2014-11-05 04:35:23 +01:00
HW42
63e915f6d4 Tag for commit 5d68e2cc70 
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUTruhAAoJEAY5OLpCz6ck7IcP/i4JXNEMO8vDSgphM50NIIz6
 +hLb+kXBGeL9SsQKRlz000BUOcIsg+d2ibwnTsi1kNuq2OgJOAHAp5hHgHGc5ddG
 0PLFf/Ddexl7/2cG/hKekXiIpXGcuhqgsIfatqcKB228mVLG8y/kqwViIDbMgg10
 X8Aiq1ba0EeHI7xskkPb1hzkszOfLFoEXCRjt+BQsmr+Bll+sAzCS3G9vSbhczFl
 wmTtgOiu2fWsPgOB2O6HYeO0PUUX+jGF/jncZYf85pEwMccNqRIWjSJC6ti533zv
 5x1bWKWFymBAUcTS+xi00FPeatmQ7b5ywMxTwbqIQkE1Mrt436Dz/B1r0E58q0AH
 gu4qG/KPBNdRBD4vPrvLKiyood/XIpvz0+6QqS9rFMKt71OSzmMR1WeLgclCn768
 cR510iZyJjmqe9lLQQTCJr+oqvwiVot7sfsgj1XP5PozalTkdIawioIZjeX5Zz4O
 +zo+P+jIV+P6QbN+0nD+vrW8kSZlM8vt+OVBPhon/bMFxGKZervs7kFUCNPn6fUK
 WNw8lSrKQqJe/a805Ktku8moatVElmexj7XTkII1nnAnEu6/bokJqjCHQ933794l
 ERRwitFN+BWm3OBXq/BsdSnCotT+gnlMEDtuHiD0JHQBGwxAZGQtliQhWLF25Ekh
 BJkmYBjqgnjCsQFUBMnn
 =shGW
 -----END PGP SIGNATURE-----

Merge tag 'mm_5d68e2cc' into debian-systemd

Tag for commit 5d68e2cc70

Conflicts:
	Makefile
	debian/rules
	network/qubes-firewall
	vm-systemd/misc-post.sh
	vm-systemd/qubes-sysinit.sh
 2014-11-03 04:28:00 +01:00
Jason Mehring
f02780421d debian: Added less restrictive filter option for debian packages 
Sites like sourceforge append ?downloadxxx to end
 2014-11-02 16:22:42 -05:00
Jason Mehring
b04594ed60 Allow hyphenated distro names in tinyproxy filter 2014-10-30 16:35:12 -04:00
HW42
4886411570 various patches for debian 
this should enable debian based templates to be used as proxy/netvm
 2014-09-29 05:25:24 +02:00
HW42
70bbc7923d install iptables/forwarding for debian 2014-09-29 05:25:14 +02:00
Marek Marczykowski-Górecki
e93cf3e81b updates-proxy: add rules for debian repositories (#887) 2014-09-29 04:05:24 +02:00
Marek Marczykowski-Górecki
3f19c89301 Rename qubes-yum-proxy service to qubes-updates-proxy 
It is no longer Fedora-only proxy, so rename to not confuse the user.
Also documentation refer to it as "updates proxy" for a long time.
 2014-09-27 00:32:52 +02:00
Marek Marczykowski-Górecki
41f65f1f5a firewall: show error message only on actual error 2014-09-03 09:59:59 +02:00
Marek Marczykowski-Górecki
53b0d8ab17 network: fix IP address of backend network interface 
Get it from settings provided by dom0, do not calculate itself. This
makes a difference for DispVMs.
 2014-08-13 09:23:51 +02:00
Marek Marczykowski-Górecki
a288939156 Revert "network: use the same gateway IP generation method as backend" 
This reverts commit 4ef785a016.
Actually this change was wrong - the frontend IP was correct, the
problem was with backend IP.
 2014-08-13 08:58:10 +02:00
Marek Marczykowski-Górecki
4ef785a016 network: use the same gateway IP generation method as backend 
Backend domain generates its IP address based on frontend IP, not
settings given from dom0. So change frontend method to the same (for
DispVM it makes a difference). Now "qubes-gateway" xenstore entry is
basically primary DNS address only.
 2014-08-13 08:12:37 +02:00
Marek Marczykowski-Górecki
4d300ff137 Fix bashism 
Debian has dash as default shell.
 2014-07-26 03:58:21 +02:00
Davíð Steinn Geirsson
e5fa610b0d Use xenstore.h instead of xs.h when xen >= 4.2 2014-07-23 05:13:06 +02:00
Davíð Steinn Geirsson
2ddea415b2 Check for xenstore-read in /usr/sbin as well (default on debian) 2014-07-23 05:11:31 +02:00
Marek Marczykowski-Górecki
510edfb071 network: setup NM connection when its active in the ProxyVM 2014-05-22 01:36:15 +02:00
Marek Marczykowski-Górecki
486b148a08 Configure only installed programs 2014-05-22 01:31:43 +02:00
Marek Marczykowski-Górecki
e88b6e38be network: suppress NetworkManager from touching inter-vm interfaces (#774) 
Those interfaces are configured by qubes scripts (based on xenstore data
filled by qubes core).
 2014-03-28 02:57:12 +01:00
Marek Marczykowski-Górecki
4c3d5a46c2 firewall: replace deprecated "state" iptables module with "conntrack" 2014-03-28 02:56:43 +01:00
Marek Marczykowski-Górecki
f2ff044539 yum-proxy: fix iptables rules order 
Add the rules at the beginning of chain, so before final REJECT rule.
 2014-03-26 00:02:10 +01:00
Marek Marczykowski-Górecki
a19ef6d0db qubes-firewall: log errors to stderr -> syslog 
Not only display as notifications (which may be easily missed).
 2014-02-22 01:23:27 +01:00
Marek Marczykowski-Górecki
18ed540158 yum-proxy: fix stop command - iptables-restore do not accept -D 
iptables-restore format accept only "-A" command, so remove the rules
with direct call to iptables
 2014-02-21 13:28:49 +01:00
Marek Marczykowski-Górecki
d660f260b8 Hide nm-applet when NetworkManager is disabled (retry) 
It isn't done automatically by nm-applet itself since nm-applet 0.9.9.0
(fc19+), this one commit:
https://git.gnome.org/browse/network-manager-applet/commit?id=276a702000ee9e509321891f5ffa9789acfb053c
At the same time they've introduced option to manually hide the icon:
https://git.gnome.org/browse/network-manager-applet/commit?id=e7331a3f33ab422ea6c1bbc015ad44d8d9c83bc3
 2014-02-07 02:16:39 +01:00
Marek Marczykowski
8c9433fc00 yum-proxy: use iptables-restore to set firewall rules 
Simple iptables sometimes returns EBUSY.
 2013-08-05 02:08:52 +02:00
Marek Marczykowski
30ca124784 The Underscores Revolution: xenstore paths 2013-03-14 04:29:15 +01:00
Marek Marczykowski
ecc812f350 The Underscores Revolution: filenames 
Get rid of underscores in filenames, use dashes instead.
This is first part of cleanup in filenames.
"qubes_rpc" still untouched - will be in separate commit.
 2013-03-14 01:07:49 +01:00
Marek Marczykowski
c8e6ec3a7f Remove obsolete files. 2013-03-12 18:02:54 +01:00
Marek Marczykowski
ff47b0a8b8 vm/network: create NetworkManager config link only once 2013-01-11 05:05:39 +01:00
Marek Marczykowski
965846532a vm/network: disable tx-checksumming offload (#700) 
It doesn't work on xen-netfront.
 2013-01-08 03:03:44 +01:00
Marek Marczykowski
7131bb7dcd vm/network: do not fail service on failed xenstore-read 2012-10-13 11:47:32 +02:00