Initial support for export VM

* Export named disposable VM creation (sd-export-usb based on sd-export-dvm based on sd-export-template)
* Permanently attach a config-specified usb port id to sd-export VM
* Qubes will always automount anything connected to that port to sd-export
* Use mime handler for to handle transfers to sd-export-usb
* sd-export named disposable vm was named to sd-export-usb, so we must change the tests to reflect this change.

Makefile

@@ -54,6 +54,12 @@ sd-svs-disp: prep-salt ## Provisions SD Submission Viewing VM
 	sudo qubesctl --show-output --targets sd-svs-disp-template state.highstate
 	sudo qubesctl --show-output --targets sd-svs-disp state.highstate
 
+sd-export: prep-salt ## Provisions SD Export VM
+	sudo qubesctl top.enable sd-export
+	sudo qubesctl top.enable sd-export-files
+	sudo qubesctl --show-output --targets sd-export-template state.highstate
+	sudo qubesctl --show-output --targets sd-export-dvm state.highstate
+
 clean-salt: assert-dom0 ## Purges SD Salt configuration from dom0
 	@echo "Purging Salt config..."
 	@sudo rm -rf /srv/salt/sd
@@ -78,6 +84,12 @@ remove-sd-svs: assert-dom0 ## Destroys SD SVS VM
 remove-sd-gpg: assert-dom0 ## Destroys SD GPG keystore VM
 	@./scripts/destroy-vm sd-gpg
 
+remove-sd-export: assert-dom0 ## Destroys SD EXPORT VMs
+	@qvm-kill sd-export-usb
+	@qvm-usb detach sd-export-usb || true
+	@./scripts/destroy-vm sd-export-usb
+	@./scripts/destroy-vm sd-export-dvm
+
 clean: assert-dom0 destroy-all clean-salt ## Destroys all SD VMs
 	sudo dnf -y -q remove securedrop-workstation-dom0-config || true
 	sudo rm -f /usr/bin/securedrop-update \
@@ -131,7 +143,7 @@ prep-dom0: prep-salt # Copies dom0 config files for VM updates
 list-vms: ## Prints all Qubes VMs managed by Workstation salt config
 	@./scripts/list-vms
 
-destroy-all: ## Destroys all VMs managed by Workstation salt config
+destroy-all: remove-sd-export ## Destroys all VMs managed by Workstation salt config
 	@./scripts/list-vms | xargs ./scripts/destroy-vm
 
 # Explanation of the below shell command should it ever break.

config.json.example

@@ -2,5 +2,8 @@
   "hidserv": {
     "hostname": "avgfxawdn6c3coe3.onion",
     "key": "Il8Xas7uf6rjtc0LxYwhrx"
+  },
+  "usb": {
+    "device": "sys-usb:2-4"
   }
 }

dom0/sd-dom0-qvm-rpc.sls

@@ -43,6 +43,7 @@ dom0-rpc-qubes.OpenInVM:
     - marker_end: "### END securedrop-workstation ###"
     - content: |
         sd-svs $dispvm:sd-svs-disp allow
+        sd-svs sd-export-usb allow
         $anyvm $tag:sd-workstation deny
 dom0-rpc-qubes.OpenURL:
   file.blockreplace:

dom0/sd-export-files.sls

@@ -0,0 +1,32 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# sd-export-files
+# ========
+#
+# Moves files into place on sd-export
+#
+##
+include:
+  - fpf-apt-test-repo
+
+sd-export-send-to-usb-script:
+  file.managed:
+    - name: /usr/bin/send-to-usb
+    - source: salt://sd/sd-export/send-to-usb
+    - user: root
+    - group: root
+    - mode: 755
+    - makedirs: True
+
+sd-export-template-mimetype:
+  file.blockreplace:
+    - name: /etc/mailcap
+    - prepend_if_not_found: False
+    - marker_start: "# ----- User Section Begins ----- #"
+    - marker_end: "# -----  User Section Ends  ----- #"
+    - content: |
+        application/octet-stream; /usr/bin/send-to-usb '%s';
+  cmd.run:
+    - name: sudo update-mime

dom0/sd-export-files.top

@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  sd-export-template:
+    - sd-export-files

dom0/sd-export.sls

@@ -0,0 +1,60 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+#
+# Installs 'sd-export' AppVM, to persistently store SD data
+# This VM has no network configured.
+##
+include:
+  - sd-workstation-template
+
+sd-export-template:
+  qvm.vm:
+    - name: sd-export-template
+    - clone:
+      - source: sd-workstation-template
+      - label: yellow
+    - tags:
+      - add:
+        - sd-workstation
+    - require:
+      - sls: sd-workstation-template
+
+sd-export-dvm:
+  qvm.vm:
+    - name: sd-export-dvm
+    - present:
+      - template: sd-export-template
+      - label: yellow
+    - prefs:
+      - netvm: ""
+      - template_for_dispvms: True
+    - tags:
+      - add:
+        - sd-workstation
+    - require:
+      - qvm: sd-export-template
+
+# Ensure the Qubes menu is populated with relevant app entries,
+# so that Nautilus/Files can be started via GUI interactions.
+sd-export-template-sync-appmenus:
+  cmd.run:
+    - name: >
+        qvm-start --skip-if-running sd-export-template &&
+        qvm-sync-appmenus sd-export-template
+    - require:
+      - qvm: sd-export-template
+    - onchanges:
+      - qvm: sd-export-template
+
+{% import_json "sd/config.json" as d %}
+
+# Here we must create as the salt stack does not appear to allow us to create
+# VMs with the class DispVM and attach the usb device specified in the config
+# permanently to this VM
+create-named-sd-export-dispvm-and-permanently-attach:
+  cmd.run:
+    - name: >
+        qvm-remove --force sd-export-usb || true;
+        qvm-create --class DispVM --template sd-export-dvm --label red sd-export-usb;
+        qvm-usb attach --persistent sd-export-usb {{ d.usb.device }} || true;

dom0/sd-export.top

@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  dom0:
+    - sd-export

scripts/list-vms

@@ -16,6 +16,9 @@ declare -a sd_workstation_vm_names=(
   sd-whonix
   sd-svs-disp
   sd-svs-disp-template
+  sd-export-template
+  sd-export-dvm
+  sd-export
 )
 
 for vm in "${sd_workstation_vm_names[@]}" ; do

scripts/prep-salt

@@ -20,6 +20,7 @@ if [[ ! -d "$SDW_SALT_DIR" ]]; then
     sudo cp -r sd-proxy /srv/salt/sd
     sudo cp -r sd-svs /srv/salt/sd
     sudo cp -r sd-workstation /srv/salt/sd
+    sudo cp -r sd-export /srv/salt/sd
     sudo cp dom0/* /srv/salt/
 fi
 

sd-export/send-to-usb

@@ -0,0 +1,30 @@
+#! /usr/bin/python3
+
+import os
+import shutil
+import subprocess
+import sys
+
+DEVICE = "/dev/sda1"
+MOUNTPOINT = "/tmp/usb"
+FILE = sys.argv[1]
+
+if os.path.exists(FILE):
+    # mount target not created
+    if not os.path.exists(MOUNTPOINT):
+        os.makedirs(MOUNTPOINT)
+    # check if drive already mounted, otherwise mount
+    rc = subprocess.call(["mountpoint", MOUNTPOINT],
+                         stdout = subprocess.DEVNULL,
+                         stderr = subprocess.DEVNULL)
+    if rc:
+        out = subprocess.run(["sudo",
+                              "mount",
+                              "-o", "uid=1000,gid=1000",
+                              DEVICE,
+                              MOUNTPOINT])
+
+    # move files to drive (overwrites existing files) and unmount drive
+    shutil.move(FILE,
+                os.path.join(MOUNTPOINT, os.path.basename(FILE)))
+    subprocess.run(["sudo", "umount", MOUNTPOINT])

tests/base.py

@@ -12,6 +12,7 @@
     "sd-svs",
     "sd-svs-disp",
     "sd-whonix",
+    "sd-export-usb"
 ]
 
 

tests/test_vms_exist.py

@@ -117,6 +117,28 @@ def sd_svs_disp_template(self):
         self.assertTrue('sd-workstation' in vm.tags)
         self.assertTrue(vm.template_for_dispvms)
 
+    def sd_export_template(self):
+        vm = self.app.domains["sd-export-template"]
+        nvm = vm.netvm
+        self.assertTrue(nvm is None)
+        self.assertTrue('sd-workstation' in vm.tags)
+        self._check_kernel(vm)
+
+    def sd_export_dvm(self):
+        vm = self.app.domains["sd-export-dvm"]
+        nvm = vm.netvm
+        self.assertTrue(nvm is None)
+        self.assertTrue('sd-workstation' in vm.tags)
+        self.assertTrue(vm.template_for_dispvms)
+        self._check_kernel(vm)
+
+    def sd_export(self):
+        vm = self.app.domains["sd-export-usb"]
+        nvm = vm.netvm
+        self.assertTrue(nvm is None)
+        self.assertTrue('sd-workstation' in vm.tags)
+        self._check_kernel(vm)
+
 
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_VM_Tests)

tests/vars/qubes-rpc.yml

@@ -91,6 +91,7 @@
   starts_with: |-
     ### BEGIN securedrop-workstation ###
     sd-svs $dispvm:sd-svs-disp allow
+    sd-svs sd-export-usb allow
     $anyvm $tag:sd-workstation deny
     ### END securedrop-workstation ###