-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJU0jm2AAoJEIwFIWzgnAk8zVMP/A8iXCWtHL5dVsXhVfFWHTDB
OMuPzpkTWHcmwHtGWEsNXuKUhpBARqoBEX4y+xmnTYfUXimxrxZLaEkgWw9+js3O
HCH7u0FYcUphs6g/v0xhfKkB9YDYQpJuajSsc0qvytkJ+Y7jauPw327rwyDEVPQ6
fSc0okX/cNOd9iOdnb3ZyHZr/LX/OkXI1/jT4Xn5fPG3hP8GlBNOsCF/ebwm0KT0
xunc7N9Q5xsYoZHAeaPUP9yXyB63yzKwMFBZTp/JHDKE4C/sXdkAIgXiLpY58Mzo
FzXadVvVltRvpXNWhMVmP8ETtGd4s5A7ou3JObqkoBlnKwvoUBNOOstL3EWhE7zO
CRhWJZJm+tC9L1m8GoKCdgAb9wo2lcrq++BXSOuF80HLJEJiqe6dqlnrNLmmdqkI
WrReexfyTNal/57fyl+sfwQ0z0l38sFciCQ0g8mShI3/Y1+btfQNjkxbhCO/SP1A
yk1SYUOEH4H/lHMW0cDI+GrzqzeXbZjHmL34UoWr3IhByUd8Sf3YgubZyCwdIAIZ
YVe6nIpGEmFzVHaGvMJsMNsDXgXI7UB4kChB9lLahKQwpDYL07hlvXTQmxbJUGXc
q3+OJnpLn7GQaO9MUTZB7QfgCFG2J35WXSddFnP+owizm1otGuIFhzFIrA6U6wsR
8ASxygaDOnVudY97TZlz
=eitW
-----END PGP SIGNATURE-----
Merge tag 'hw42_977da9cc' into release2
tag for commit 977da9ccef
# gpg: Signature made Wed Feb 4 16:24:38 2015 CET using RSA key ID E09C093C
# gpg: Good signature from "HW42 (Qubes Signing Key) <hw42-qubes@ipsumj.de>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FC1A C023 76D0 4C68 341F 406F 8C05 216C E09C 093C
Starting services in the postinst script doesn't make much sense since
the package is normally installed in the template. In addition the start
can fail when executed through a trigger.
/etc/iptables/rules.* are already part of the packet.
The removed code has never done something in debian (since
/etc/iptables/rules.* already exists).
This patch introduces two new qvm-services:
- disable-default-route
- disable-dns-server
Both disabled by default. You can enable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.
This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C7FB59.2020603%40openmailbox.org
/proc is needed to link files opened with O_TMPFILE to the filesystem.
If not available, fallback to using permissions to block file access,
instead of failing the whole file copy.
This patch introduces two new qvm-services:
- set-default-route
- set-dns-server
Both enabled by default. You can disable any of them to not set default
route and/or DNS servers in the VM. Those settings have no effect on
NetVM, where such settings are controlled by NetworkManager.
This is based on patch sent by Joonas Lehtonen
<joonas.lehtonen@openmailbox.org>
https://groups.google.com/d/msgid/qubes-devel/54C39656.3090303%40openmailbox.org
Otherwise, when the user moves directory, which is still in transfer,
somewhere else, it could allow malicious source domain to escape chroot
and place a file in arbitrary location.
It looks like bind mount is just enough - simple rename fails with
EXDEV, so tools are forced to perform copy+delete, which is enough to
keep unpacker process away from new file location.
One inconvenient detail is that we must clean the mount after transfer
finishes, so root perms cannot be dropped completely. We keep separate
process for only that reason.
Moved iptables configuration to /usr/lib/qubes/init
fc21 + debian + arch will place them in proper place on postinst
Fixes dedian bug of not having them in proper place
