From 3ba3709523065f8ae941c4cb80f9cc22e0a005dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 26 Apr 2024 04:08:17 +0200 Subject: [PATCH 1/6] Use new built-in TCP support in qrexec for qubes.ConnectTCP Enable exit-on-service-eof feature, since that is what socat did. QubesOS/qubes-issues#9037 --- debian/qubes-core-agent.install | 1 + qubes-rpc/Makefile | 2 +- qubes-rpc/qubes.ConnectTCP | 10 ---------- qubes-rpc/qubes.ConnectTCP.config | 2 ++ rpm_spec/core-agent.spec.in | 1 + 5 files changed, 5 insertions(+), 11 deletions(-) delete mode 100644 qubes-rpc/qubes.ConnectTCP create mode 100644 qubes-rpc/qubes.ConnectTCP.config diff --git a/debian/qubes-core-agent.install b/debian/qubes-core-agent.install index 6fe9208a4..633a212a1 100644 --- a/debian/qubes-core-agent.install +++ b/debian/qubes-core-agent.install @@ -43,6 +43,7 @@ etc/qubes/autostart/* etc/qubes/applications/* etc/qubes/post-install.d/README etc/qubes/post-install.d/*.sh +etc/qubes/rpc-config/qubes.ConnectTCP etc/qubes/rpc-config/qubes.OpenInVM etc/qubes/rpc-config/qubes.OpenURL etc/qubes/rpc-config/qubes.SelectFile diff --git a/qubes-rpc/Makefile b/qubes-rpc/Makefile index b16e25924..28e34cec3 100644 --- a/qubes-rpc/Makefile +++ b/qubes-rpc/Makefile @@ -76,10 +76,10 @@ install: qubes.PostInstall \ qubes.GetDate \ qubes.ShowInTerminal \ - qubes.ConnectTCP \ qubes.TemplateSearch \ qubes.TemplateDownload $(LN) qubes.VMExec $(DESTDIR)$(QUBESRPCCMDDIR)/qubes.VMExecGUI + $(LN) /dev/tcp/127.0.0.1 $(DESTDIR)$(QUBESRPCCMDDIR)/qubes.ConnectTCP for config in *.config; do \ install -D -m 0644 "$$config" "$(DESTDIR)$(QUBESRPCCONFDIR)/$${config%.config}"; \ done diff --git a/qubes-rpc/qubes.ConnectTCP b/qubes-rpc/qubes.ConnectTCP deleted file mode 100644 index c9493d8b1..000000000 --- a/qubes-rpc/qubes.ConnectTCP +++ /dev/null 
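Review bot: The new `$(LN) /dev/tcp/127.0.0.1 $(DESTDIR)$(QUBESRPCCMDDIR)/qubes.ConnectTCP` line installs a dangling pseudo-path symlink whose meaning exists only inside qrexec-agent, yet nothing in the Makefile says so, and the deleted script's explicit 1–65535 port check is now presumably performed by qrexec instead. I would add above it `# qubes.ConnectTCP is not a program: qrexec-agent (>= 4.2.19) interprets a /dev/tcp/HOST symlink itself and uses the service argument as the port, so port validation happens there` so a maintainer does not try to chmod, shellcheck or "fix" the link. Note the behaviour change from `TCP:localhost:"$PORT"` to a literal 127.0.0.1: a local service bound only to ::1 is no longer reachable, which may well be intended but deserves a sentence in the commit message. Until the qrexec version requirement lands later in this series, a package built from this commit alone ships a symlink that an older qrexec-agent will try to execute, so the requirement would be better squashed into this commit. Whether `$(LN)` carries `-f` is not visible here; if it does not, re-running install into an existing DESTDIR will fail on the existing link.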
@@ -1,10 +0,0 @@ -#!/bin/bash -PORT="$1" -[[ -z "$PORT" ]] && { echo "Please provide PORT"; exit 1; }; - -if [[ "$PORT" -ge 1 ]] && [[ "$PORT" -le 65535 ]]; then - socat STDIO TCP:localhost:"$PORT" -else - echo "Invalid port provided" - exit 1 -fi diff --git a/qubes-rpc/qubes.ConnectTCP.config b/qubes-rpc/qubes.ConnectTCP.config new file mode 100644 index 000000000..a4e2df2c1 --- /dev/null +++ b/qubes-rpc/qubes.ConnectTCP.config @@ -0,0 +1,2 @@ +skip-service-descriptor=true +exit-on-service-eof=true diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in index 469b32793..f524c7be0 100644 --- a/rpm_spec/core-agent.spec.in +++ b/rpm_spec/core-agent.spec.in @@ -909,6 +909,7 @@ rm -f %{name}-%{version} %config(noreplace) /etc/qubes-rpc/qubes.StartApp %config(noreplace) /etc/qubes-rpc/qubes.PostInstall %config(noreplace) /etc/qubes-rpc/qubes.GetDate +%config(noreplace) /etc/qubes/rpc-config/qubes.ConnectTCP %config(noreplace) /etc/qubes/rpc-config/qubes.OpenInVM %config(noreplace) /etc/qubes/rpc-config/qubes.OpenURL %config(noreplace) /etc/qubes/rpc-config/qubes.SelectFile From 110064b0d75a9f5c2c32f0775991b67cf63ccee4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 26 Apr 2024 04:08:17 +0200 Subject: [PATCH 2/6] Use new built-in TCP support in qrexec for qubes.UpdatesProxy Enable exit-on-service-eof feature, since that is what socat did. QubesOS/qubes-issues#9037 --- Makefile | 2 -- debian/qubes-core-agent-networking.install | 1 + qubes-rpc/Makefile | 1 + qubes-rpc/qubes.UpdatesProxy | 2 -- qubes-rpc/qubes.UpdatesProxy.config | 2 ++ rpm_spec/core-agent.spec.in | 1 + 6 files changed, 5 insertions(+), 4 deletions(-) delete mode 100755 qubes-rpc/qubes.UpdatesProxy create mode 100644 qubes-rpc/qubes.UpdatesProxy.config diff --git a/Makefile b/Makefile index bc0434438..9848a8e83 100644 --- a/Makefile +++ b/Makefile 
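Review bot: The two keys in the new qubes.ConnectTCP.config carry no explanation, and `skip-service-descriptor=true` is a security-relevant choice: the TCP peer receives no qrexec service descriptor, so it learns nothing about the calling qube and authorization rests on the qrexec policy alone (the same was true of the socat script, but it was implicit there). If the rpc-config parser accepts `#` lines, which I cannot confirm from this diff, I would add `# Raw TCP peer, not qrexec-aware: send no service descriptor; authorization is the qrexec policy only` above the first key and `# Close the qrexec connection when the TCP side hits EOF, matching the old socat STDIO behaviour` above the second. If comments are not supported there, the same two sentences belong in the commit message or the rpc-config documentation.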
@@ -229,8 +229,6 @@ install-netvm: install-systemd-networking-dropins install-networkmanager install -m 0400 -D network/qubes-antispoof.nft $(DESTDIR)/etc/qubes/qubes-antispoof.nft install -m 0400 -D network/qubes-ipv6-disabled.nft $(DESTDIR)/etc/qubes/qubes-ipv6-disabled.nft - install -m 0755 -D qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc/qubes.UpdatesProxy - # networkmanager install target allow integration of NetworkManager for Qubes VM: # * make connections config persistent # * adjust DNS redirections when needed diff --git a/debian/qubes-core-agent-networking.install b/debian/qubes-core-agent-networking.install index d9c675d58..c2e53429d 100644 --- a/debian/qubes-core-agent-networking.install +++ b/debian/qubes-core-agent-networking.install @@ -1,5 +1,6 @@ etc/dhclient.d/qubes-setup-dnat-to-ns.sh etc/qubes-rpc/qubes.UpdatesProxy +etc/qubes/rpc-config/qubes.UpdatesProxy etc/qubes/qubes-ipv6-disabled.nft etc/qubes/qubes-ipv6.nft etc/qubes/qubes-ipv4.nft diff --git a/qubes-rpc/Makefile b/qubes-rpc/Makefile index 28e34cec3..71867d85f 100644 --- a/qubes-rpc/Makefile +++ b/qubes-rpc/Makefile @@ -80,6 +80,7 @@ install: qubes.TemplateDownload $(LN) qubes.VMExec $(DESTDIR)$(QUBESRPCCMDDIR)/qubes.VMExecGUI $(LN) /dev/tcp/127.0.0.1 $(DESTDIR)$(QUBESRPCCMDDIR)/qubes.ConnectTCP + $(LN) /dev/tcp/127.0.0.1/8082 $(DESTDIR)$(QUBESRPCCMDDIR)/qubes.UpdatesProxy for config in *.config; do \ install -D -m 0644 "$$config" "$(DESTDIR)$(QUBESRPCCONFDIR)/$${config%.config}"; \ done diff --git a/qubes-rpc/qubes.UpdatesProxy b/qubes-rpc/qubes.UpdatesProxy deleted file mode 100755 index d364842d7..000000000 --- a/qubes-rpc/qubes.UpdatesProxy +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -exec socat STDIO TCP4:127.0.0.1:8082 diff --git a/qubes-rpc/qubes.UpdatesProxy.config b/qubes-rpc/qubes.UpdatesProxy.config new file mode 100644 index 000000000..a4e2df2c1 --- /dev/null +++ b/qubes-rpc/qubes.UpdatesProxy.config @@ -0,0 +1,2 @@ +skip-service-descriptor=true +exit-on-service-eof=true 
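Review bot: The new `$(LN) /dev/tcp/127.0.0.1/8082 ...` line in qubes-rpc/Makefile hard-codes the tinyproxy listen port in a second place (the spec's `/etc/tinyproxy/tinyproxy-updates.conf` is the other), so a comment tying them together would help: `# Port must match the Listen/Port setting in tinyproxy-updates.conf`. The link also moves from the top-level `install-netvm` target to the generic qubes-rpc `install` target, so it is now staged for every build; that is fine only as long as the Debian/RPM file lists keep assigning `/etc/qubes-rpc/qubes.UpdatesProxy` to the networking package and the main package does not glob `/etc/qubes-rpc/*`, which this diff does not show. Since the symlink already names the port, it is worth confirming what qrexec-agent does with a service argument on `qubes.UpdatesProxy+ARG` (ignore, reject, or append) and recording that in the comment, because if the policy for this service permits arbitrary arguments the answer determines whether a caller can influence the target.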
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in index f524c7be0..8dbb7ea69 100644 --- a/rpm_spec/core-agent.spec.in +++ b/rpm_spec/core-agent.spec.in @@ -1100,6 +1100,7 @@ rm -f %{name}-%{version} %config(noreplace) /etc/qubes/qubes-ipv4.nft %config(noreplace) /etc/qubes/qubes-ipv6.nft %config(noreplace) /etc/qubes/qubes-ipv6-disabled.nft +%config(noreplace) /etc/qubes/rpc-config/qubes.UpdatesProxy %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf %config(noreplace) /etc/tinyproxy/updates-blacklist %config(noreplace) /etc/udev/rules.d/99-qubes-network.rules From dd2bf50b542913293b32841736476e607375fd26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 29 Apr 2024 03:41:14 +0200 Subject: [PATCH 3/6] Use 'qrexec-client-vm --use-stdin-socket' to properly handle EOF When qrexec-client-vm is called from a systemd unit connected to a socket, it gets the same socket on both stdin and stdout. Tell qrexec-client-vm about it, so it can use shutdown() instead of close() to properly deliver EOF. It will also make qrexec-client-vm use just the stdin FD. QubesOS/qubes-issues#9169 --- vm-systemd/qubes-updates-proxy-forwarder@.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vm-systemd/qubes-updates-proxy-forwarder@.service b/vm-systemd/qubes-updates-proxy-forwarder@.service index 01d065830..89595b86d 100644 --- a/vm-systemd/qubes-updates-proxy-forwarder@.service +++ b/vm-systemd/qubes-updates-proxy-forwarder@.service @@ -2,6 +2,6 @@ Description=Forward connection to updates proxy over Qubes RPC [Service] -ExecStart=/usr/bin/qrexec-client-vm '' qubes.UpdatesProxy +ExecStart=/usr/bin/qrexec-client-vm --use-stdin-socket '' qubes.UpdatesProxy StandardInput=socket StandardOutput=inherit From 7cddb8818bf1187029d941e16f2af4de43e1f1b0 Mon Sep 17 00:00:00 2001
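Review bot: With `--use-stdin-socket` the unit now relies on the accepted connection being a bidirectional socket on fd 0, but the file does not say so, and `StandardOutput=inherit` now reads as if stdout still carried data. I would add `# stdin is the accepted connection; --use-stdin-socket lets qrexec-client-vm shutdown() it to deliver EOF instead of close()` above `ExecStart=`, and either drop `StandardOutput=inherit` if qrexec-client-vm really uses only fd 0 (as the commit message suggests, but I cannot verify here) or comment why it is kept. The `[Unit]` header and any `[Install]` section are outside the hunk.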
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 29 Apr 2024 03:44:11 +0200 Subject: [PATCH 4/6] Log updates proxy connection errors to journal StandardError defaults to "inherit", which would connect the socket from the package manager here. Do not send qrexec error messages as HTTP proxy response... --- vm-systemd/qubes-updates-proxy-forwarder@.service | 1 + 1 file changed, 1 insertion(+) diff --git a/vm-systemd/qubes-updates-proxy-forwarder@.service b/vm-systemd/qubes-updates-proxy-forwarder@.service index 89595b86d..dee48c6af 100644 --- a/vm-systemd/qubes-updates-proxy-forwarder@.service +++ b/vm-systemd/qubes-updates-proxy-forwarder@.service @@ -5,3 +5,4 @@ Description=Forward connection to updates proxy over Qubes RPC ExecStart=/usr/bin/qrexec-client-vm --use-stdin-socket '' qubes.UpdatesProxy StandardInput=socket StandardOutput=inherit +StandardError=journal From efa37e447a71910289b802572886105d84654795 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 9 May 2024 03:20:41 +0200 Subject: [PATCH 5/6] Require qrexec >= 4.2.19 for built-in TCP support qubes.UpdatesProxy and qubes.ConnectTCP are converted to use the built-in TCP support in qrexec. QubesOS/qubes-issues#9037 --- archlinux/PKGBUILD.in | 1 + debian/control | 2 +- rpm_spec/core-agent.spec.in | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/archlinux/PKGBUILD.in b/archlinux/PKGBUILD.in index 93401c6ac..008f7dcf3 100644 --- a/archlinux/PKGBUILD.in +++ b/archlinux/PKGBUILD.in @@ -59,6 +59,7 @@ package_qubes-vm-core() { qubes-vm-utils qubes-libvchan qubes-db-vm + 'qubes-vm-qrexec>=4.2.19' python python-xdg ntp diff --git a/debian/control b/debian/control index 94495a609..18de8201c 100644 --- a/debian/control +++ b/debian/control @@ -47,7 +47,7 @@ Depends: python3-xdg, python3-dbus, qubes-utils (>= 3.1.3), - qubes-core-qrexec, + qubes-core-qrexec (>= 4.2.19), qubesdb-vm, systemd, xdg-user-dirs,
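Review bot: The bumped `qubes-core-qrexec (>= 4.2.19)` appears in only one package's Depends, while the `/etc/qubes-rpc/qubes.UpdatesProxy` symlink is shipped by qubes-core-agent-networking according to the earlier .install change; unless that package depends on the main one at a matching version, which this hunk does not show, it can be upgraded against an older qrexec-agent that will try to execve the dangling /dev/tcp link and break the updates proxy for every template behind it. I would add the same `qubes-core-qrexec (>= 4.2.19)` to the networking package's Depends, or confirm the transitive dependency and say so in the commit message. The stanza header is outside the hunk, so which package this Depends block belongs to is not visible here.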
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in index 8dbb7ea69..70082a19a 100644 --- a/rpm_spec/core-agent.spec.in +++ b/rpm_spec/core-agent.spec.in @@ -163,7 +163,7 @@ Requires: librsvg2-tools %endif Requires: zenity Requires: dconf -Requires: qubes-core-qrexec-vm +Requires: qubes-core-qrexec-vm >= 4.2.19 Requires: qubes-libvchan Requires: qubes-db-vm # qubes.Suspend{Pre,Post} From 8874cb5b59ea9185615ba60293261119a3d06eaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 9 May 2024 11:51:09 +0200 Subject: [PATCH 6/6] ci: drop R4.1 builds It isn't compatible anymore --- .gitlab-ci.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7dacd3571..9a1aaee2d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -14,10 +14,6 @@ checks:tests: - shellcheck -e SC1117 $(grep -l '^#!/bin/\(ba\)\?sh' $(git ls-files)) stage: checks include: -- file: /r4.1/gitlab-base.yml - project: QubesOS/qubes-continuous-integration -- file: /r4.1/gitlab-vm.yml - project: QubesOS/qubes-continuous-integration - file: /r4.2/gitlab-base.yml project: QubesOS/qubes-continuous-integration - file: /r4.2/gitlab-vm.yml
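Review bot: The `Requires: qubes-core-qrexec-vm >= 4.2.19` bump lands in the main package, but this series also turns two `%config(noreplace)` scripts into symlinks, and RPM keeps a locally modified noreplace file on upgrade (installing the new one as .rpmnew); such a kept `/etc/qubes-rpc/qubes.ConnectTCP` or `qubes.UpdatesProxy` script still needs socat, while a pristine install now needs only the new qrexec. If the spec or debian/control still pulls in socat solely for these two services, decide explicitly whether to drop it or keep it for that upgrade path, and record the decision next to the Requires line, e.g. `# socat kept only for locally modified pre-4.2.19 qubes.ConnectTCP/UpdatesProxy scripts`. Whether a socat requirement exists at all is not visible in this hunk, and the networking subpackage's own Requires are outside it too.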