-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJU0tR+AAoJEIwFIWzgnAk88SMQAKdutkGwOt9gYIcoZ95JsxCP
h7Bj8ZU1t8oZUN7RXuQlqRD6iOL5/VThhCr7TCQcoZQzAUrjIBUkQ7uoTxGocdsO
uBOlT8MCXQsd3K0n1loHtdmVGGuQSeLO/sg+l0BOhW0PPwEPoGCQOWWK3uyfnwnC
pQTSryRQQaCzqJLrNdJk7HPZ7RT5K0vhggsTs9f0FfK557QQIFwr6cFyPmuV4611
1cmDXVGUGMZOW+HTbty+jvcw6xGE64Mph2YC7HM6dxmPppOSnWmpGQu99LE3DY9e
nM/roi7JOHmswTo7PBh5yZyKtuovUs1PLfTW+G0XoBO2wcCcnzncishdamv/E5uF
NdbLYaY/5qIbxb7GERJoreRnYyLq1n5ksvSfAJgD2aXwkbXNlqjh9vcZGX5oxERf
AmpkDYKJFMp63iSPZS1tQxVWET2mhqUAOyEF+E/+4fonYGi04J4leeVlEAX1jyIH
fmhCPlzyJQTgMQi+elJISNi+2IevIyon10yZqGbZDX0OmCywEjub5UVdSnkyMUnd
MyEHXjKi1/pOUbtbH7V9PJaz3K14fVfW3eDHnsz/va+KWUOKVgBuvIpO56Ni3/VL
/8QTBQj5z5dkxvvSDGZaL3Odnsmx8pAPZazNZTlxhwOxlPCd49P3dnAt7OJpxJTR
VSEc276o4piogx6Icg8S
=XUGP
-----END PGP SIGNATURE-----
Merge tag 'hw42_413d6ffa' into release2
tag for commit 413d6ffa0e
# gpg: Signature made Thu Feb 5 03:25:02 2015 CET using RSA key ID E09C093C
# gpg: Good signature from "HW42 (Qubes Signing Key) <hw42-qubes@ipsumj.de>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FC1A C023 76D0 4C68 341F 406F 8C05 216C E09C 093C
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJU0jm2AAoJEIwFIWzgnAk8zVMP/A8iXCWtHL5dVsXhVfFWHTDB
OMuPzpkTWHcmwHtGWEsNXuKUhpBARqoBEX4y+xmnTYfUXimxrxZLaEkgWw9+js3O
HCH7u0FYcUphs6g/v0xhfKkB9YDYQpJuajSsc0qvytkJ+Y7jauPw327rwyDEVPQ6
fSc0okX/cNOd9iOdnb3ZyHZr/LX/OkXI1/jT4Xn5fPG3hP8GlBNOsCF/ebwm0KT0
xunc7N9Q5xsYoZHAeaPUP9yXyB63yzKwMFBZTp/JHDKE4C/sXdkAIgXiLpY58Mzo
FzXadVvVltRvpXNWhMVmP8ETtGd4s5A7ou3JObqkoBlnKwvoUBNOOstL3EWhE7zO
CRhWJZJm+tC9L1m8GoKCdgAb9wo2lcrq++BXSOuF80HLJEJiqe6dqlnrNLmmdqkI
WrReexfyTNal/57fyl+sfwQ0z0l38sFciCQ0g8mShI3/Y1+btfQNjkxbhCO/SP1A
yk1SYUOEH4H/lHMW0cDI+GrzqzeXbZjHmL34UoWr3IhByUd8Sf3YgubZyCwdIAIZ
YVe6nIpGEmFzVHaGvMJsMNsDXgXI7UB4kChB9lLahKQwpDYL07hlvXTQmxbJUGXc
q3+OJnpLn7GQaO9MUTZB7QfgCFG2J35WXSddFnP+owizm1otGuIFhzFIrA6U6wsR
8ASxygaDOnVudY97TZlz
=eitW
-----END PGP SIGNATURE-----
Merge tag 'hw42_977da9cc' into release2
tag for commit 977da9ccef
# gpg: Signature made Wed Feb 4 16:24:38 2015 CET using RSA key ID E09C093C
# gpg: Good signature from "HW42 (Qubes Signing Key) <hw42-qubes@ipsumj.de>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FC1A C023 76D0 4C68 341F 406F 8C05 216C E09C 093C
Starting services in the postinst script doesn't make much sense since
the package is normally installed in the template. In addition the start
can fail when executed through a trigger.
/etc/iptables/rules.* are already part of the packet.
The removed code has never done something in debian (since
/etc/iptables/rules.* already exists).
This patch introduces two new qvm-services:
- disable-default-route
- disable-dns-server
Both disabled by default. You can enable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.
This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C7FB59.2020603%40openmailbox.org
/proc is needed to link files opened with O_TMPFILE to the filesystem.
If not available, fallback to using permissions to block file access,
instead of failing the whole file copy.
This patch introduces two new qvm-services:
- set-default-route
- set-dns-server
Both enabled by default. You can disable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.
This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C39656.3090303%40openmailbox.org
Otherwise, when the user moves directory, which is still in transfer,
somewhere else, it could allow malicious source domain to escape chroot
and place a file in arbitrary location.
It looks like bind mount is just enough - simple rename fails with
EXDEV, so tools are forced to perform copy+delete, which is enough to
keep unpacker process away from new file location.
One inconvenient detail is that we must clean the mount after transfer
finishes, so root perms cannot be dropped completely. We keep separate
process for only that reason.
Moved iptables configuration to /usr/lib/qubes/init
fc21 + debian + arch will place them in proper place on postinst
Fixes dedian bug of not having them in proper place
