freedomofpress · emkll · Oct 31, 2018 · Oct 19, 2018 · Oct 19, 2018 · Oct 19, 2018
diff --git a/Makefile b/Makefile
@@ -8,14 +8,13 @@ endif
 
 ## Builds and provisions all VMs required for testing workstation
 all: assert-dom0 validate clean update-fedora-templates			\
-	update-whonix-templates prep-whonix sd-workstation-template \
+	update-whonix-templates prep-whonix prep-dom0 sd-workstation-template \
 	sd-whonix sd-svs sd-gpg	\
 	sd-journalist sd-svs-disp
 
 clone: assert-dom0 ## Pulls the latest repo from work VM to dom0
 	@./scripts/clone-to-dom0
 
-
 sd-workstation-template: prep-salt ## Provisions base template for SDW AppVMs
 	sudo qubesctl top.enable sd-workstation-template
 	sudo qubesctl top.enable sd-workstation-template-files
@@ -128,6 +127,11 @@ prep-whonix: ## enables apparmor on whonix-ws-14 and whonix-gw-14
 	qvm-prefs -s whonix-gw-14 kernelopts "nopat apparmor=1 security=apparmor"
 	qvm-prefs -s whonix-ws-14 kernelopts "nopat apparmor=1 security=apparmor"
 
+prep-dom0: prep-salt # Copies dom0 config files for VM updates
+	sudo qubesctl top.enable sd-vm-updates
+	sudo qubesctl top.enable sd-dom0-files
+	sudo qubesctl --targets dom0 state.highstate
+
 list-vms: ## Prints all Qubes VMs managed by Workstation salt config
 	@./scripts/list-vms
 

diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls
@@ -0,0 +1,48 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# Installs dom0 config scripts specific to tracking updates
+# over time. These scripts should be ported to an RPM package.
+##
+
+
+# Copy script to system location so admins can run ad-hoc
+dom0-update-securedrop-script:
+  file.managed:
+    - name: /usr/bin/securedrop-update
+    - source: salt://securedrop-update
+    - user: root
+    - group: root
+    - mode: 755
+
+# Symlink update script into cron, for single point of update
+dom0-update-securedrop-script-cron:
+  file.symlink:
+    - name: /etc/cron.daily/securedrop-update-cron
+    - target: /usr/bin/securedrop-update
+
+# Create directory for storing SecureDrop-specific icons
+dom0-securedrop-icons-directory:
+  file.directory:
+    - name: /usr/share/securedrop/icons
+    - user: root
+    - group: root
+    - mode: 755
+    - makedirs: True
+
+# Copy SecureDrop icon for use in GUI feedback. It's also present in
+# the Salt directory, but the permissions on that dir don't permit
+# normal user reads.
+dom0-securedrop-icon:
+  file.managed:
+    - name: /usr/share/securedrop/icons/sd-logo.png
+    - source: salt://sd/sd-journalist/logo-small.png
+    - user: root
+    - group: root
+    - mode: 644
+  # Dependency on parent dir should be explicitly declared,
+  # but the require syntax below was throwing an error that the
+  # referenced task was "not available".
+  # require:
+  #   - dom0-securedrop-icons-directory
diff --git a/dom0/sd-dom0-files.top b/dom0/sd-dom0-files.top
@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  dom0:
+    - sd-dom0-files
diff --git a/dom0/sd-vm-updates.top b/dom0/sd-vm-updates.top
@@ -0,0 +1,9 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+# "Placeholder" config to trigger TemplateVM boots,
+# so upgrades can be applied automatically via cron.
+base:
+  qubes:type:template:
+    - match: pillar
+    - topd
diff --git a/dom0/securedrop-update b/dom0/securedrop-update
@@ -0,0 +1,54 @@
+#!/bin/bash
+# Utility for dom- to ensure all updates are regularly installed
+set -e
+set -u
+
+# Number of VMs to update in parallel. Default is 4,
+# which can be memory-intensive.
+SECUREDROP_MAX_CONCURRENCY=2
+
+
+# Ensure elevated privileges
+if [[ "$EUID" -ne 0 ]]; then
+    echo "Script must be run as root! Exiting..."
+    exit 1
+fi
+
+# Display GUI feedback about update process
+function securedrop-update-feedback() {
+    # Unpack msg as arg1
+    local msg="$1"
+    shift
+
+    # Running `notify-send` as root doesn't work, must be normal user.
+    # Setting 60s expire time (in ms) since it's a long-running cmd.
+    local qubes_user
+    qubes_user="$(id -nu 1000)"
+    su "$qubes_user" -c "notify-send \
+        --app-name 'SecureDrop Workstation' \
+        --icon /usr/share/securedrop/icons/sd-logo.png \
+        --expire-time 60000 \
+        'SecureDrop: $msg'"
+}
+
+# `qubesctl pkg.upgrade` will automatically update dom0 packages, as well,
+# but we *first* want the freshest RPMs from dom0, *then* we'll want to
+# update the VMs themselves.
+
+securedrop-update-feedback "Updating application..."
+qubesctl \
+    --max-concurrency "$SECUREDROP_MAX_CONCURRENCY" \
+    pkg.upgrade refresh=true
+
+securedrop-update-feedback "Updating VM configuration..."
+qubesctl \
+    --max-concurrency "$SECUREDROP_MAX_CONCURRENCY" \
+    state.highstate
+
+# Here would be a good place for state.highstate, to re-apply the VM configs.
+# Let's first make sure the package upgrade logic is stable, we can circle
+# back to enforce the Salt configs regularly.
+
+securedrop-update-feedback \
+    "Updates installed. Please reboot the workstation \
+to ensure the latest security fixes are applied."