diff --git a/.gitlab/bin/build.sh b/.gitlab/bin/build.sh index aa349d7..49abedc 100755 --- a/.gitlab/bin/build.sh +++ b/.gitlab/bin/build.sh @@ -11,7 +11,7 @@ readonly REPOS="qubes-aports" readonly ALPINE_REPOS="main community testing" readonly ARCH=$(apk --print-arch) # gitlab variables -readonly BASEBRANCH=$(echo ${CI_RUNNER_TAGS%%-*} | sed 's|apk||') +readonly BASEBRANCH=$CI_MERGE_REQUEST_TARGET_BRANCH_NAME : "${REPODEST:=$HOME/packages}" : "${MIRROR:=https://lab.ilot.io/ayakael/repo-apk/-/raw}" @@ -70,36 +70,30 @@ report() { } get_release() { - case $BASEBRANCH in - v*) echo "${BASEBRANCH%-*}";; + local RELEASE=$(echo $CI_RUNNER_TAGS | awk -F '-' '{print $2}') + case $RELEASE in + v*) echo "${RELEASE%-*}";; edge) echo edge;; - *) die "Branch \"$BASEBRANCH\" not supported!" + *) die "Branch \"$RELEASE\" not supported!" esac } build_aport() { local repo="$1" aport="$2" - cd "$APORTSDIR/$repo/$aport" - export CHOST=$CI_ALPINE_TARGET_ARCH + cd "$APORTSDIR/$aport" if abuild -r 2>&1 | report "build-$aport"; then checkapk | report "checkapk-$aport" || true - aport_ok="$aport_ok $repo/$aport" + aport_ok="$aport_ok $aport" else - aport_ng="$aport_ng $repo/$aport" + aport_ng="$aport_ng $aport" fi } check_aport() { local repo="$1" aport="$2" - cd "$APORTSDIR/$repo/$aport" - export CHOST=$CI_ALPINE_TARGET_ARCH - # TODO: this enables crossbuild only on user, this should be cleaner - if [ "$repo" != "user" ] && [ "$repo" != "backports" ] && [ "$CI_ALPINE_TARGET_ARCH" != "$ARCH" ]; then - aport_na="$aport_na $repo/$aport" - return 1 - fi + cd "$APORTSDIR/$aport" if ! abuild check_arch 2>/dev/null; then - aport_na="$aport_na $repo/$aport" + aport_na="$aport_na $aport" return 1 fi } 
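Review bot: In get_release, `local RELEASE=$(echo $CI_RUNNER_TAGS | awk -F '-' '{print $2}')` declares and assigns in one statement, so a failing substitution is masked by the exit status of `local`, and `$CI_RUNNER_TAGS` is expanded unquoted. I would split it into `local RELEASE` followed by `RELEASE=$(printf '%s\n' "$CI_RUNNER_TAGS" | awk -F- '{print $2}')`. Because awk already returns a single dash-free field, `${RELEASE%-*}` no longer strips anything, and the `die` text still says "Branch" although the value now comes from the runner tag. build_aport and check_aport also keep `repo="$1"` without reading it after this change.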
@@ -115,11 +109,6 @@ set_repositories_for() { done sudo sh -c "printf '%s\n' $repos >> /etc/apk/repositories" sudo apk update || true - if [ "$CI_ALPINE_TARGET_ARCH" != "$ARCH" ]; then - sudo sh -c "printf '%s\n' $repos >> $HOME/sysroot-$CI_ALPINE_TARGET_ARCH/etc/apk/repositories" - sudo cp -R /etc/apk/keys/* $HOME/sysroot-$CI_ALPINE_TARGET_ARCH/etc/apk/keys/. - sudo apk --root=$HOME/sysroot-$CI_ALPINE_TARGET_ARCH update || true - fi } apply_offset_limit() { @@ -142,9 +131,6 @@ setup_system() { repos="$repos $MIRROR/$release/cross" sudo sh -c "printf '%s\n' $repos > /etc/apk/repositories" sudo apk -U upgrade -a || sudo apk fix || die "Failed to up/downgrade system" - if [ "$CI_ALPINE_TARGET_ARCH" != "$ARCH" ]; then - sudo apk add gcc-$CI_ALPINE_TARGET_ARCH - fi gitlab_key_to_rsa $ABUILD_KEY rsa-private $HOME/.abuild/$ABUILD_KEY_NAME.rsa gitlab_key_to_rsa $ABUILD_KEY_PUB rsa-public $HOME/.abuild/$ABUILD_KEY_NAME.rsa.pub chmod 700 $HOME/.abuild/$ABUILD_KEY_NAME.rsa @@ -222,11 +208,11 @@ section_end setup build_start=$CI_ALPINE_BUILD_OFFSET build_limit=$CI_ALPINE_BUILD_LIMIT -for repo in $(changed_repos); do +for repo in qubes-aports; do mkdir -p "$APORTSDIR"/logs "$APORTSDIR"/packages "$APORTSDIR"/keys set_repositories_for "$repo" built_aports=0 - changed_aports_in_repo=$(changed_aports "$repo") + changed_aports_in_repo=$(changed_aports $BASEBRANCH) changed_aports_in_repo_count=$(echo "$changed_aports_in_repo" | wc -l) changed_aports_to_build=$(echo "$changed_aports_in_repo" | apply_offset_limit "$build_start" "$build_limit") diff --git a/.gitlab/bin/functions.sh b/.gitlab/bin/functions.sh index 44de1fe..3792bb7 100755 --- a/.gitlab/bin/functions.sh +++ b/.gitlab/bin/functions.sh 
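Review bot: `changed_aports $BASEBRANCH` in the last build.sh hunk passes the target branch unquoted into a function whose first parameter is still bound as `local repo="$1"`. After the functions.sh hunk of this commit that variable is no longer read, because both `--relative="$repo"` and `$APORTSDIR/$repo` are dropped. Either call `changed_aports` with no argument and remove `local repo`, or quote the call as `changed_aports "$BASEBRANCH"` if the argument is meant to stay. `BASEBRANCH` now comes from `CI_MERGE_REQUEST_TARGET_BRANCH_NAME`, which GitLab only sets in merge-request pipelines, so a guard such as `: "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}"` next to the assignment would make any other run fail with a clear message.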
@@ -5,17 +5,6 @@ # shellcheck disable=SC3040 set -eu -o pipefail -changed_repos() { - : "${APORTSDIR?APORTSDIR missing}" - : "${BASEBRANCH?BASEBRANCH missing}" - - cd "$APORTSDIR" - for repo in $REPOS; do - git diff --diff-filter=ACMR --exit-code "$BASEBRANCH"...HEAD -- "$repo" >/dev/null \ - || echo "$repo" - done -} - changed_aports() { : "${APORTSDIR?APORTSDIR missing}" : "${BASEBRANCH?BASEBRANCH missing}" @@ -24,11 +13,11 @@ changed_aports() { local repo="$1" local aports - aports=$(git diff --name-only --diff-filter=ACMR --relative="$repo" \ + aports=$(git diff --name-only --diff-filter=ACMR \ "$BASEBRANCH"...HEAD -- "*/APKBUILD" | xargs -rn1 dirname) # shellcheck disable=2086 - ap builddirs -d "$APORTSDIR/$repo" $aports 2>/dev/null | xargs -rn1 basename + ap builddirs -d "$APORTSDIR" $aports 2>/dev/null | xargs -rn1 basename } section_start() { diff --git a/.gitlab/bin/push.sh b/.gitlab/bin/push.sh index e93101a..cb4a77e 100755 --- a/.gitlab/bin/push.sh +++ b/.gitlab/bin/push.sh @@ -11,6 +11,8 @@ readonly APORTSDIR=$CI_PROJECT_DIR readonly REPOS="backports user" readonly BASEBRANCH=$CI_MERGE_REQUEST_TARGET_BRANCH_NAME +ALPINE_RELEASE=$(echo $CI_RUNNER_TAGS | awk -F '-' '{print $2}') + export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" gitlab_key_to_rsa $ABUILD_KEY rsa-private $HOME/.abuild/$ABUILD_KEY_NAME.rsa 
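Review bot: In push.sh, `ALPINE_RELEASE` is taken from the second dash-separated field of `$CI_RUNNER_TAGS` without quoting and without a check that it is non-empty. The next hunk passes it unquoted to `git checkout` and `git clone -b` to choose the branch the packages are published to. Validating it right after the assignment, e.g. `case $ALPINE_RELEASE in v*|edge) ;; *) exit 1 ;; esac`, would mirror what get_release does in build.sh. Separately, the context line in this hunk sets `GIT_SSH_COMMAND` with `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`, so the host that receives the signed repository is never authenticated; pinning its host key in a known_hosts file supplied through CI would close that gap.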
@@ -20,36 +22,35 @@ chmod 700 "$HOME"/.ssh/id_rsa chmod 700 "$HOME"/.abuild/$ABUILD_KEY_NAME.rsa echo "PACKAGER_PRIVKEY=$HOME/.abuild/$ABUILD_KEY_NAME.rsa" > $HOME/.abuild/abuild.conf -echo "REPODEST=$HOME/repo-apk" >> $HOME/.abuild/abuild.conf +echo "REPODEST=$HOME/repo-apk/qubes" >> $HOME/.abuild/abuild.conf sudo cp $HOME/.abuild/$ABUILD_KEY_NAME.rsa.pub /etc/apk/keys/. if [ -d $HOME/repo-apk ]; then git -C $HOME/repo-apk fetch - git -C $HOME/repo-apk checkout $BASEBRANCH + git -C $HOME/repo-apk checkout $ALPINE_RELEASE git -C $HOME/repo-apk pull --rebase else - git clone git@lab.ilot.io:ayakael/repo-apk -b $BASEBRANCH $HOME/repo-apk + git clone git@lab.ilot.io:ayakael/repo-apk -b $ALPINE_RELEASE $HOME/repo-apk fi +# TODO: Detect qubes release +QUBES_REL=r41 + for i in $(find packages -type f -name "*.apk"); do - install -vDm644 $i ${i/packages/$HOME\/repo-apk} + install -vDm644 $i ${i/packages\/qubes-aports/$HOME\/repo-apk\/qubes\/$QUBES_REL} done fetch_flags="-qn" git fetch $fetch_flags "$CI_MERGE_REQUEST_PROJECT_URL" \ "+refs/heads/$BASEBRANCH:refs/heads/$BASEBRANCH" -for repo in $(changed_repos); do - rm $HOME/repo-apk/$repo/*/APKINDEX.tar.gz | true - mkdir -p $repo/DUMMY - echo "pkgname=DUMMY" > $repo/DUMMY/APKBUILD - cd $repo/DUMMY - for i in $(find $HOME/repo-apk/$repo -maxdepth 1 -mindepth 1 -printf '%P '); do - CHOST=$i abuild index - done - cd "$CI_PROJECT_DIR" - rm -R $repo/DUMMY -done +rm $HOME/repo-apk/qubes/$QUBES_REL/*/APKINDEX.tar.gz || true +mkdir -p qubes/$QUBES_REL/DUMMY +echo "pkgname=DUMMY" > qubes/$QUBES_REL/DUMMY/APKBUILD +cd qubes/$QUBES_REL/DUMMY +abuild index +cd "$CI_PROJECT_DIR" +rm -R qubes/$QUBES_REL/DUMMY git -C $HOME/repo-apk add . git -C $HOME/repo-apk commit -m "Update from $CI_MERGE_REQUEST_IID - $CI_MERGE_REQUEST_TITLE" diff --git a/qubes-db-vm/0001-create_pidfile.patch b/qubes-db-vm/0001-create_pidfile.patch new file mode 100644 index 0000000..947f45c --- /dev/null +++ b/qubes-db-vm/0001-create_pidfile.patch 
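Review bot: The install loop `for i in $(find packages -type f -name "*.apk")` word-splits and globs the find output, and both `$i` and the `${i/…}` destination are unquoted, so a package path containing whitespace or glob characters ends up somewhere other than intended in the published tree. Quoting both operands, `install -vDm644 "$i" "${i/packages\/qubes-aports/$HOME\/repo-apk\/qubes\/$QUBES_REL}"`, and reading the list with `find … -print0 | while IFS= read -r -d '' i` avoids that. The unquoted `$HOME`, `$QUBES_REL` and `$ALPINE_RELEASE` expansions in the `rm`, `mkdir`, `cd` and `git` lines of this hunk have the same problem. `rm … || true` now also hides failures other than a missing index file, so `rm -f` would be more precise.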
@@ -0,0 +1,50 @@
+From d20a9db122608e0992c9ab6f675920d4bb1ee88f Mon Sep 17 00:00:00 2001
+From: "build@apk-groulx"
+Date: Fri, 4 Mar 2022 22:50:19 +0000
+Subject: [PATCH 1/1] create_pidfile
+
+---
+ daemon/db-daemon.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/daemon/db-daemon.c b/daemon/db-daemon.c
+index 9934d16..2b28995 100644
+--- a/daemon/db-daemon.c
++++ b/daemon/db-daemon.c
+@@ -618,11 +618,8 @@ int create_pidfile(struct db_daemon_data *d) {
+ mode_t old_umask;
+ struct stat stat_buf;
+
+- /* do not create pidfile for VM daemon - service is managed by systemd */
+- if (!d->remote_name)
+- return 1;
+ snprintf(pidfile_name, sizeof(pidfile_name),
+- "/var/run/qubes/qubesdb.%s.pid", d->remote_name);
++ "/var/run/qubes/qubes-db.pid");
+
+ old_umask = umask(0002);
+ pidfile = fopen(pidfile_name, "w");
+@@ -643,10 +640,8 @@ void remove_pidfile(struct db_daemon_data *d) {
+ struct stat stat_buf;
+
+ /* no pidfile for VM daemon - service is managed by systemd */
+- if (!d->remote_name)
+- return;
+ snprintf(pidfile_name, sizeof(pidfile_name),
+- "/var/run/qubes/qubesdb.%s.pid", d->remote_name);
++ "/var/run/qubes/qubes-db.pid");
+
+ if (stat(pidfile_name, &stat_buf) == 0) {
+ /* remove pidfile only if it's the one created this process */
+@@ -754,7 +749,7 @@ int fuzz_main(int argc, char **argv) {
+ exit(1);
+ case 0:
+ close(ready_pipe[0]);
+- snprintf(log_path, sizeof(log_path), "/var/log/qubes/qubesdb.%s.log", d.remote_name);
++ snprintf(log_path, sizeof(log_path), "/var/log/qubes/qubes-db.log");
+
+ close(0);
+ old_umask = umask(0);
+--
+2.34.1
+
diff --git a/qubes-db-vm/0001-musl-build.patch b/qubes-db-vm/0001-musl-build.patch
new file mode 100644
index 0000000..8619e8e
--- /dev/null
+++ b/qubes-db-vm/0001-musl-build.patch
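Review bot: In remove_pidfile the comment `/* no pidfile for VM daemon - service is managed by systemd */` is kept while the guard it described is removed, so it now contradicts the code. It should be dropped or reworded, e.g. `/* pidfile is always created; the service is managed by OpenRC */`. With the guard gone, create_pidfile always opens the fixed path `/var/run/qubes/qubes-db.pid` with `fopen(pidfile_name, "w")`, which follows symlinks. The qubes-db.openrc script added in this commit creates that directory writable by group `qubes` (mode 0775), so it is worth confirming that no unprivileged account is in that group, or tightening the directory mode. Both functions continue outside the hunks shown.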
@@ -0,0 +1,37 @@
+From 24fd21fe10476a83d9dee30cf2ef9dbb8b238730 Mon Sep 17 00:00:00 2001
+From: "build@apk-groulx"
+Date: Sat, 26 Feb 2022 21:05:26 +0000
+Subject: [PATCH 1/1] musl-build.patch
+
+---
+ client/qdb-client.c | 1 +
+ daemon/db-daemon.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/client/qdb-client.c b/client/qdb-client.c
+index 77f6566..e289019 100644
+--- a/client/qdb-client.c
++++ b/client/qdb-client.c
+@@ -17,6 +17,7 @@
+
+#include
+#include
++#include
+
+#define MAX_FILE_NAME 256
+
+diff --git a/daemon/db-daemon.c b/daemon/db-daemon.c
+index 9934d16..2f35f00 100644
+--- a/daemon/db-daemon.c
++++ b/daemon/db-daemon.c
+@@ -37,6 +37,7 @@ struct thread_param {
+#include "buffer.h"
+#include
+#include "qubesdb_internal.h"
++#include
+
+int init_vchan(struct db_daemon_data *d);
+
+--
+2.35.1
+
diff --git a/qubes-db-vm/APKBUILD b/qubes-db-vm/APKBUILD
new file mode 100644
index 0000000..eb62b7e
--- /dev/null
+++ b/qubes-db-vm/APKBUILD
@@ -0,0 +1,50 @@
+# Maintainer: Antoine Martin (ayakael)
+# Contributor: Antoine Martin (ayakael)
+
+pkgname=qubes-db-vm
+subpackages="$pkgname-openrc"
+pkgver=4.1.15
+pkgrel=0
+_gittag="v$pkgver"
+pkgdesc="QubesDB libs and daemon service."
+arch="x86_64"
+url="https://github.com/QubesOS/qubes-core-qubesdb"
+license='GPL'
+options="!check" # No testsuite
+depends="python3"
+makedepends="
+ python3-dev
+ qubes-libvchan-xen-dev
+ qubes-libvchan-xen
+ "
+source="
+ $pkgname-$_gittag.tar.gz::https://github.com/QubesOS/qubes-core-qubesdb/archive/refs/tags/$_gittag.tar.gz
+ 0001-musl-build.patch
+ 0001-create_pidfile.patch
+ qubes-db.openrc
+ "
+builddir="$srcdir"/qubes-core-qubesdb-$pkgver
+subpackages="$pkgname-dev"
+
+build() {
+ # Build all with python bindings
+ CFLAGS="$CFLAGS -Wno-implicit-function-declaration" make all BACKEND_VMM=xen SYSTEMD=0
+
+ # replace all shebangs with /bin/sh as qubes expects bash
+ # shellcheck disable=SC2013
+ for i in $(grep '/bin/sh' -Rl .); do
+ sed -i 's|/bin/sh|/bin/bash|' "$i"
+ done
+}
+
+package() {
+ # Install all with python bindings
+ make install DESTDIR=$pkgdir LIBDIR=/usr/lib BINDIR=/usr/bin SBINDIR=/sbin
+ install -Dm 755 "$srcdir"/qubes-db.openrc "$pkgdir"/etc/init.d/qubes-db
+}
+sha512sums="
+13f67292c4ae1f143b2b3b7a3e57727de84b961559a0094f594ff379df27a4e078ab1473062e3ef0662f2174131237890fdaa3d54d041d6f66a901dd516732ec qubes-db-vm-v4.1.15.tar.gz
+af86268c264c843b94f9cefb735b9d078dc58819c890fc0a31dd79fa2761d3c2fa87aed73752bca1db07948ba86ecfe16a745b19672ccc10dfb9461df24aa207 0001-musl-build.patch
+ffe9ea8f65b4e164c3a0d1c8762d1e3b39de3799ae3e63f825457d52de49c6522820950e6262deaa9235ad97cd7c60bf1c9a077fff716c4ca9dbd688e9a73c91 0001-create_pidfile.patch
+3d87f82d3637cf10bf1a3058ebbd2590ab17f65d1b49058f62d892f126635497abd5045f6797bc8069e5de08bb6e08fc6146deb6422090ad02122764cc6d72f0 qubes-db.openrc
+"
diff --git a/qubes-db-vm/qubes-db.openrc b/qubes-db-vm/qubes-db.openrc
new file mode 100644
index 0000000..0d6bf0c
--- /dev/null
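Review bot: `subpackages` is assigned twice: `subpackages="$pkgname-openrc"` near the top is overwritten by `subpackages="$pkgname-dev"` after `builddir`, so the openrc subpackage is never split out; a single `subpackages="$pkgname-dev $pkgname-openrc"` keeps both. `-Wno-implicit-function-declaration` in build() silences the diagnostic for calls made without a prototype, which in a daemon that the init script runs as root can hide truncated return values on x86_64; adding the missing includes through a patch, as 0001-musl-build.patch already does, is safer than suppressing the warning. The comment `replace all shebangs with /bin/sh` states the reverse of what the loop does, and the `sed` rewrites the first `/bin/sh` on every line instead of only the shebang (`sed -i '1s|^#! */bin/sh|#!/bin/bash|'` would limit it). The same loop appears in the qubes-usb-proxy and qubes-vm-core APKBUILDs.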
+++ b/qubes-db-vm/qubes-db.openrc
@@ -0,0 +1,19 @@
+#!/sbin/openrc-run
+
+name=$RC_SVCNAME
+cfgfile="/etc/qubes/$RC_SVCNAME.conf"
+command="/sbin/qubesdb-daemon"
+command_args="0"
+command_user="root"
+pidfile="/run/qubes/$RC_SVCNAME.pid"
+start_stop_daemon_args=""
+command_background="true"
+output_log="/var/log/qubes/$RC_SVCNAME.log"
+error_log="/var/log/qubes/$RC_SVCNAME.err"
+
+start_pre() {
+ checkpath --directory --owner $command_user:qubes --mode 0775 \
+ /run/qubes \
+ /var/log/qubes \
+ /var/run/qubes
+}
diff --git a/qubes-gpg-split/APKBUILD b/qubes-gpg-split/APKBUILD
new file mode 100644
index 0000000..a0ec9f2
--- /dev/null
+++ b/qubes-gpg-split/APKBUILD
@@ -0,0 +1,39 @@
+# Maintainer: Antoine Martin (ayakael)
+# Contributor: Antoine Martin (ayakael)
+
+pkgname=qubes-gpg-split
+subpackages="$pkgname-doc"
+pkgver=2.0.64
+_gittag="v$pkgver"
+pkgrel=0
+pkgdesc="Used Qubes AppVM as a “smart card”"
+arch="x86_64"
+url="https://github.com/QubesOS/qubes-app-linux-split-gpg"
+license='GPL'
+depends="
+ gnupg
+ zenity
+ "
+makedepends="
+ gcc
+ make
+ pandoc
+ pkgconf
+ "
+source="$pkgname-$_gittag.tar.gz::https://github.com/QubesOS/qubes-app-linux-split-gpg/archive/refs/tags/$_gittag.tar.gz"
+builddir="$srcdir"/qubes-app-linux-split-gpg-${_gittag/v}
+
+build() {
+ cd "src/"
+ make
+}
+
+package() {
+ make install-vm DESTDIR="$pkgdir"
+
+ # Alpine packaging guidelines: /var/run is a symlink to a tmpfs. Don't create it.
+ rm -r "$pkgdir/var/run"
+}
+sha512sums="
+8701ce5b5fe213e1f6294c4d67eb1a4afcb23b14c11af127d4a44108275287733bdc4e8ab0d0ed8882aeaee9391c68ba40bcb6448e325a25d25823e893b5d96a qubes-gpg-split-v2.0.64.tar.gz
+"
diff --git a/qubes-libvchan-xen/APKBUILD b/qubes-libvchan-xen/APKBUILD
new file mode 100644
index 0000000..42b721e
--- /dev/null
+++ b/qubes-libvchan-xen/APKBUILD
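Review bot: In qubes-db.openrc, start_pre creates `/run/qubes`, `/var/log/qubes` and `/var/run/qubes` as `root:qubes` with mode 0775, which lets any member of group `qubes` create or replace entries in the directories where this root daemon writes its pidfile and logs. Unless another component needs group write, `--mode 0755` is the safer default; if it is needed, a comment naming that component would help. `$command_user:qubes` should be quoted, and `/var/run/qubes` duplicates `/run/qubes` wherever `/var/run` is a symlink, which the qubes-gpg-split APKBUILD in this commit says is the case on Alpine.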
@@ -0,0 +1,30 @@
+# Maintainer: Antoine Martin (ayakael)
+# Contributor: Antoine Martin (ayakael)
+
+pkgname=qubes-libvchan-xen
+pkgver=4.1.13
+pkgrel=1
+_gittag=v$pkgver
+pkgdesc="The Qubes core libraries for installation inside a Qubes Dom0 and VM."
+arch="x86_64"
+url="https://github.com/QubesOS/qubes-core-vchan-xen"
+license='GPL'
+depends="xen"
+makedepends="xen-dev"
+builddir="$srcdir"/qubes-core-vchan-xen-$pkgver
+subpackages="$pkgname-dev"
+
+source="$pkgname-$_gittag.tar.gz::https://github.com/QubesOS/qubes-core-vchan-xen/archive/refs/tags/$_gittag.tar.gz"
+
+build() {
+ cd "$builddir"/vchan
+ make -f Makefile.linux
+}
+
+package() {
+ make install DESTDIR="$pkgdir" LIBDIR=/usr/lib INCLUDEDIR=/usr/include
+}
+
+sha512sums="
+cefb6b89f75936d791910d2169170536221d3123a1b33a14bea1fc5c08950ce934666719bf08eb3cc86ac055f85e6834f71e21c31189fa7299af09296c3cd99f qubes-libvchan-xen-v4.1.13.tar.gz
+"
diff --git a/qubes-meta-packages/APKBUILD b/qubes-meta-packages/APKBUILD
new file mode 100644
index 0000000..4107cb3
--- /dev/null
+++ b/qubes-meta-packages/APKBUILD
@@ -0,0 +1,43 @@
+# Maintainer: Antoine Martin (ayakael)
+# Contributor: Antoine Martin (ayakael)
+
+pkgname=qubes-meta-packages
+subpackages="
+ qubes-vm-dependencies
+ qubes-vm-recommended
+ "
+pkgver=4.1.21
+_gittag="v$pkgver"
+pkgrel=0
+pkgdesc="Meta packages for Qubes-specific components"
+arch="noarch"
+url="https://github.com/QubesOS/qubes-meta-packages"
+license='GPL'
+source="$pkgname-$_gittag::https://github.com/QubesOS/qubes-meta-packages/archive/refs/tags/$_gittag.tar.gz"
+options="!check" # No testsuite
+builddir="$pkgname-${_gittag/v}"
+
+package() {
+ mkdir -p "$pkgdir"
+}
+
+dependencies() {
+ depends="
+ qubes-vm-core
+ qubes-vm-gui
+ qubes-vm-pulseaudio
+ qubes-vm-qrexec
+ "
+ mkdir -p "$subpkgdir"
+}
+
+recommended() {
+ depends="
+ qubes-gpg-split
+ qubes-usb-proxy
+ "
+ mkdir -p "$subpkgdir"
+}
+sha512sums="
+3431b7ce80a40d0a7b30461b2e8fa99527bef4acada22c7533c581421103125b2635acfe66196dc8183748c78154904edbcc0064e368c8eaa9d77d25d9514729 qubes-meta-packages-v4.1.21
+"
diff --git a/qubes-pass/APKBUILD b/qubes-pass/APKBUILD
new file mode 100644
index 0000000..826d911
--- /dev/null
+++ b/qubes-pass/APKBUILD
@@ -0,0 +1,25 @@
+# Maintainer: Antoine Martin (ayakael)
+# Contributor: Antoine Martin (ayakael)
+
+pkgname=qubes-pass
+pkgver=0.0.35
+_gittag="v$pkgver"
+pkgrel=1
+pkgdesc="An inter-VM password manager for Qubes OS"
+arch="noarch"
+url="https://github.com/Rudd-O/qubes-pass"
+license="GPL3"
+depends="qubes-vm-core"
+makedepends="
+ make
+ pkgconf
+ "
+options="!check"
+source="$pkgname-$_gittag.tar.gz::https://github.com/Rudd-O/qubes-pass/archive/$_gittag.tar.gz"
+
+package() {
+ make install-client DESTDIR="$pkgdir"
+}
+sha512sums="
+68701d0b4a6a1a58041c7af331dfb1c58f44b8d8c878dfcfc93d0ca16326bea0865990d33b0ea2090e91bf3a7de864865541d5b1c05a187dc17515c0792b5511 qubes-pass-v0.0.35.tar.gz
+"
diff --git a/qubes-usb-proxy/APKBUILD b/qubes-usb-proxy/APKBUILD
new file mode 100644
index 0000000..486ff53
--- /dev/null
+++ b/qubes-usb-proxy/APKBUILD
@@ -0,0 +1,36 @@
+# Maintainer: Antoine Martin (ayakael)
+# Contributor: Antoine Martin (ayakael)
+
+pkgname=qubes-usb-proxy
+pkgver=1.1.2
+_gittag="v$pkgver"
+pkgrel=0
+pkgdesc="The Qubes service for proxying USB devices"
+arch="noarch"
+url="https://github.com/QubesOS/qubes-app-linux-usb-proxy"
+license="GPL"
+options="!check" # No testsuite
+depends="
+ qubes-vm-core
+ usbutils
+ "
+makedepends="
+ gcc
+ make
+ pkgconf
+ "
+source="$pkgname-$_gittag.tar.gz::https://github.com/QubesOS/qubes-app-linux-usb-proxy/archive/refs/tags/$_gittag.tar.gz"
+builddir="$srcdir"/qubes-app-linux-usb-proxy-${_gittag/v}
+
+package() {
+ make install-vm DESTDIR="$pkgdir"
+
+ # replace all shebangs with /bin/sh as qubes expects bash
+ # shellcheck disable=SC2013
+ for i in $(grep '/bin/sh' -Rl .); do
+ sed -i 's|/bin/sh|/bin/bash|' "$i"
+ done
+}
+sha512sums="
+d82dd944b8a420e1509fd84992d56120a1df802448675f390faec28af0e622dc2ee74542b007dd95e18c04d81786da396058270e6e0282943cbcbeadf184ec77 qubes-usb-proxy-v1.1.2.tar.gz
+"
diff --git a/qubes-vm-core/APKBUILD b/qubes-vm-core/APKBUILD
new file mode 100644
index 0000000..a352a67
--- /dev/null
+++ b/qubes-vm-core/APKBUILD
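Review bot: The `/bin/sh` to `/bin/bash` rewrite in package() runs after `make install-vm DESTDIR="$pkgdir"` and walks `.`, which at that point is presumably the build directory and not `$pkgdir`, so the files that were just installed are left unchanged. Moving the loop into a build() function, as the other APKBUILDs in this commit do, or running it over `"$pkgdir"` would make it take effect. The rewritten scripts then need bash at runtime, but `depends` lists only `qubes-vm-core` and `usbutils`; add `bash` there unless it is guaranteed to be pulled in transitively.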
@@ -0,0 +1,169 @@ +# Maintainer: Antoine Martin (ayakael) +# Contributor: Antoine Martin (ayakael) + +pkgname=qubes-vm-core +subpackages=" + qubes-vm-networking:networking:noarch + qubes-vm-passwordless-root:root:noarch + $pkgname-openrc + $pkgname-doc + " +pkgver=4.1.39 +pkgrel=1 +_gittag="v$pkgver" +pkgdesc="The Qubes core files for installation inside a Qubes VM." +arch="x86_64" +url="https://github.com/QubesOS/qubes-core-agent-linux" +license="GPL" +options="!check" # No testsuite +depends=" + coreutils + dconf + desktop-file-utils + device-mapper + ethtool + fakeroot + gawk + grep + haveged + icu + imagemagick + librsvg + net-tools + ntpsec + procps + py3-dbus + py3-gobject3 + py3-xdg + python3 + qubes-db-vm + qubes-libvchan-xen + qubes-vm-utils + sed + socat + xdg-utils + zenity + " +makedepends=" + gcc + libx11-dev + linux-pam-dev + make + pandoc + pkgconf + py3-setuptools + python3 + qubes-db-vm + qubes-libvchan-xen + qubes-vm-utils + " +options="suid" +source=" + $pkgname-$_gittag.tar.gz::https://github.com/QubesOS/qubes-core-agent-linux/archive/refs/tags/$_gittag.tar.gz + qubes-core-early.openrc + qubes-core-netvm.openrc + qubes-core.openrc + qubes-firewall.openrc + qubes-iptables.openrc + qubes-sysinit.openrc + qubes-updates-proxy-forwarder.openrc + qubes-updates-proxy.openrc + qvm-sync-clock.sh + " +builddir="$srcdir"/qubes-core-agent-linux-${_gittag/v} + + +build() { + # Fix for network tools paths + sed 's:/sbin/ethtool:ethtool:g' -i network/* + sed 's:/sbin/ip:ip:g' -i network/* + sed 's:/bin/grep:grep:g' -i network/* + + for dir in qubes-rpc misc; do + make -C "$dir" + done + + # replace all shebangs with /bin/sh as qubes expects bash + # shellcheck disable=SC2013 + for i in $(grep '/bin/sh' -Rl .); do + sed -i 's|/bin/sh|/bin/bash|' "$i" + done +} + +#This package provides: +# * qrexec agent +# * qubes rpc scripts +# * core linux tools and scripts +# * core systemd services and drop-ins +# * basic network functionality (setting IP address, DNS, 
default gateway) +package() { + make install-corevm DESTDIR="$pkgdir" SBINDIR=/sbin LIBDIR=/usr/lib SYSLIBDIR=/lib + make -C app-menu install DESTDIR="$pkgdir" install LIBDIR=/usr/lib SYSLIBDIR=/lib + make -C misc install DESTDIR="$pkgdir" install LIBDIR=/usr/lib SYSLIBDIR=/lib + make -C qubes-rpc DESTDIR="$pkgdir" install + make -C qubes-rpc/kde DESTDIR="$pkgdir" install + make -C qubes-rpc/nautilus DESTDIR="$pkgdir" install + make -C qubes-rpc/thunar DESTDIR="$pkgdir" install + make -C network DESTDIR="$pkgdir" install + install -Dm755 "$builddir"/network/update-proxy-configs "$pkgdir"/usr/lib/qubes/. + install -Dm755 "$srcdir"/qvm-sync-clock.sh "$pkgdir"/etc/qubes/suspend-post.d/. + + for i in $source; do + case $i in + *.openrc) install -Dm755 "$srcdir"/$i \ + "$pkgdir"/etc/init.d/${i%.*};; + *.confd) install -Dm644 "$srcdir"/$i \ + "$pkgdir"/etc/conf.d/${i%.*};; + esac + done + +} + + +#This package provides: +# * proxy service used by TemplateVMs to download updates +# * qubes-firewall service (FirewallVM) +# +#Integration of NetworkManager for Qubes VM: +# * make connections config persistent +# * adjust DNS redirections when needed +# * show/hide NetworkManager applet icon +# +networking() { + pkgdesc="Qubes OS tools allowing to use a Qubes VM as a NetVM/ProxyVM" + depends=" + conntrack-tools + ethtool + iptables + net-tools + networkmanager + nftables + python3 + qubes-db-vm + qubes-vm-core + qubes-vm-utils + tinyproxy + " + cd "$builddir" + install -dm 755 "$subpkgdir"/usr/bin + mv "$pkgdir"/usr/bin/qubes-firewall "$subpkgdir"/usr/bin/. 
+ make install-netvm DESTDIR="$subpkgdir" SBINDIR=/sbin LIBDIR=/usr/lib SYSLIBDIR=/lib +} + +root() { + cd "$builddir" + pkgdesc="Qubes OS Passwordless root access from normal user" + make -C passwordless-root install DESTDIR="$subpkgdir" SBINDIR=/sbin LIBDIR=/usr/lib SYSLIBDIR=/lib +} +sha512sums=" +2ac642946ed6ca12857d7d88ec54bb293ca5f9fe99c79fceffd4717bbcc0265367bc1cfbddd0ec52cd1a0dc714a3f2978aa08c32199e76d761c53910ae1d5908 qubes-vm-core-v4.1.39.tar.gz +95c080a593ca1cd457ffafc0cdd6ee28999c72f67191a3955b6081a4a7d287cae4cd0c626139562e5e1eb55516c25402a174e3599daf7d4cb259d6b4bbdff155 qubes-core-early.openrc +61529413a16b7fa0df691c24adc41b90477c01ea70d572921ecec89df23932e5a2e60c4e73b9a84181dc30424e2e6af4ad1c7dcf6c42689c3cc346a9923d6e07 qubes-core-netvm.openrc +da8e293520f5fce29ce76d7586e8ce1a4164798a1214079fb554c690264da1d774fdad3f45825aac52c2c3a0b0cfd39df73eb33394dedd7c043fe0f2344b90ca qubes-core.openrc +8f1ea1b6bfb4d3089a51cc3e325861ee7b644f743b2652bf61789933adedefdbc743a61567ad980d2a6077647eb61570b68a056125abaab2a67166d249a961b0 qubes-firewall.openrc +437a3dc443c5b0311c5dc8f792739eef89e38b2e854b9a5bb248211dd0eb0f26c1d79588ca2b4b63236b8bed0d735be6b2265d8328885730a8aa5f854301d61f qubes-iptables.openrc +e9096560e4ee4cad836b686e18eb6dbac729227683eda2f0c8b3541c909f64de3489dbb66e3752014deab69cbfae7885bc15b9bb7e3942c02e40328337b9ef30 qubes-sysinit.openrc +b1e8af2335955e52cf1817c56296f94f8c472e68d7a17a28f516fe4f5fa8a8053d4f9333efbb007a82a06f9442a4a6cfe5f9c751de07f337e47ee04cb18b9395 qubes-updates-proxy-forwarder.openrc +29d316b9f48cad15f6e22aaa67b228a5e4893ded86463dbe25b3cc68301b961473e79c01f003b1665e217ad4af2e618625442250d5607c1c16462e3f5eed069c qubes-updates-proxy.openrc +cca9f49422fa25cd5f3942dce8edd3ecff080bf5c407a7a790b438bedea054f39a4a3d8c179b44c4c08fc490b597e14d00dad9b0240861e83957e0af7aa6475d qvm-sync-clock.sh +" diff --git a/qubes-vm-core/qubes-core-early.openrc b/qubes-vm-core/qubes-core-early.openrc new file mode 100755 index 0000000..f0635ee --- /dev/null 
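Review bot: `options="suid"` further down replaces the earlier `options="!check"`, so the package is built with only `suid` and the `# No testsuite` setting is lost; combine them as `options="!check suid"`. build() rewrites `/bin/sh` to `/bin/bash` throughout the tree, yet `depends` does not list `bash`, so the rewritten scripts would fail to start on a system without it; the qubes-db-vm APKBUILD has the same gap. The `qubes-vm-passwordless-root` subpackage gives the normal user root by design, and root() sets no `depends` or install notes, so a comment stating that it is opt-in would make that choice visible to whoever maintains the meta packages. The `make -C app-menu` and `make -C misc` lines also pass `install` twice.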
+++ b/qubes-vm-core/qubes-core-early.openrc
@@ -0,0 +1,39 @@
+#!/sbin/openrc-run
+
+name=$RC_SVCNAME
+error_log=/var/log/qubes/$RC_SVCNAME.log
+
+depend() {
+ need qubes-sysinit
+ need qubes-db
+}
+
+start_pre() {
+ checkpath --directory --owner $command_user:qubes --mode 0775 \
+ /var/lib/qubes
+}
+
+
+start()
+{
+ echo "Enabling transparent hugepages" | tee -a "$error_log"
+ echo "madvise" > /sys/kernel/mm/transparent_hugepage/enabled
+
+ echo "Setting up early config" | tee -a "$error_log"
+ /usr/lib/qubes/init/qubes-early-vm-config.sh 2>&1 | tee -a "$error_log"
+
+ echo "Adjusting root filesystem size:" | tee -a "$error_log"
+ /usr/lib/qubes/init/resize-rootfs-if-needed.sh 2>&1 | tee -a "$error_log"
+
+ echo "Setting up Qubes persistent file systems:" 2>&1 | tee -a "$error_log"
+ /usr/lib/qubes/init/mount-dirs.sh 2>&1 | tee -a "$error_log"
+
+ echo "Executing Qubes random seed scripts:" | tee -a "$error_log"
+ /usr/lib/qubes/init/qubes-random-seed.sh 2>&1 | tee -a "$error_log"
+
+}
+
+stop()
+{
+ return 0
+}
diff --git a/qubes-vm-core/qubes-core-netvm.openrc b/qubes-vm-core/qubes-core-netvm.openrc
new file mode 100755
index 0000000..4cb3530
--- /dev/null
+++ b/qubes-vm-core/qubes-core-netvm.openrc
@@ -0,0 +1,30 @@
+#!/sbin/openrc-run
+
+name=$RC_SVCNAME
+cfgfile="/etc/qubes/$RC_SVCNAME.conf"
+command="/usr/lib/qubes/init/network-proxy-setup"
+command_args=""
+command_user="root"
+pidfile="/run/qubes/$RC_SVCNAME.pid"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/qubes/$RC_SVCNAME.log"
+error_log="/var/log/qubes/$RC_SVCNAME.err"
+
+# Source Qubes library.
+# shellcheck source=init/functions
+. /usr/lib/qubes/init/functions
+
+depend() {
+ need net
+}
+
+start_pre() {
+ if is_netvm; then
+ /usr/lib/qubes/network-manager-prepare-conf-dir
+ /sbin/service networkmanager start
+ fi
+
+ checkpath --directory --owner $command_user:qubes --mode 0775 \
+ /run/$RC_SVCNAME /var/log/$RC_SVCNAME
+}
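Review bot: Every step in start() of qubes-core-early.openrc is piped into `tee -a "$error_log"`, so each pipeline reports tee's status and a failing `qubes-random-seed.sh`, `mount-dirs.sh` or `resize-rootfs-if-needed.sh` still leaves the service marked as started. Redirecting with `>>"$error_log" 2>&1` and testing the command directly, e.g. `/usr/lib/qubes/init/mount-dirs.sh >>"$error_log" 2>&1 || return 1`, keeps the failure visible to OpenRC. qubes-core.openrc and qubes-sysinit.openrc use the same pattern. start_pre also expands `$command_user`, which this script never sets, so checkpath receives `--owner :qubes`; write `root:qubes` explicitly.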
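Review bot: In qubes-core-netvm.openrc, start_pre creates `/run/$RC_SVCNAME` and `/var/log/$RC_SVCNAME`, but `pidfile`, `output_log` and `error_log` all point into `/run/qubes` and `/var/log/qubes`, which this script does not create; the checkpath arguments should be `/run/qubes /var/log/qubes`. The library is sourced at top level with `. /usr/lib/qubes/init/functions`, so a missing file would presumably break every invocation of the script, including `stop`; sourcing it inside start_pre limits that. The `$command_user:qubes` and path arguments should be quoted.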
diff --git a/qubes-vm-core/qubes-core.openrc b/qubes-vm-core/qubes-core.openrc
new file mode 100755
index 0000000..03c0721
--- /dev/null
+++ b/qubes-vm-core/qubes-core.openrc
@@ -0,0 +1,30 @@
+#!/sbin/openrc-run
+
+name=$RC_SVCNAME
+error_log=/var/log/qubes/$RC_SVCNAME.log
+
+depend() {
+ need qubes-db
+ need qubes-meminfo-writer
+ need qubes-core-early
+}
+
+start()
+{
+ echo "Finagling printer icon:" | tee -a "$error_log"
+ /usr/lib/qubes/init/control-printer-icon.sh 2>&1 | tee -a "$error_log"
+
+ echo "Executing Qubes misc post scripts:" | tee -a "$error_log"
+ /usr/lib/qubes/init/misc-post.sh 2>&1 | tee -a "$error_log"
+
+ echo "Setting up IP:" | tee -a "$error_log"
+ /usr/lib/qubes/setup-ip add eth0 2>&1 | tee -a "$error_log"
+
+ echo "Syncing clock" | tee -a "$error_log"
+ /usr/bin/qvm-sync-clock | tee -a "$error_log"
+}
+
+stop()
+{
+ /usr/lib/qubes/init/misc-post-stop.sh
+}
diff --git a/qubes-vm-core/qubes-firewall.openrc b/qubes-vm-core/qubes-firewall.openrc
new file mode 100755
index 0000000..6cc4b38
--- /dev/null
+++ b/qubes-vm-core/qubes-firewall.openrc
@@ -0,0 +1,22 @@
+#!/sbin/openrc-run
+
+name=$RC_SVCNAME
+cfgfile="/etc/qubes/$RC_SVCNAME.conf"
+command="/usr/bin/qubes-firewall"
+command_args=""
+command_user="root"
+pidfile="/run/qubes/$RC_SVCNAME.pid"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/qubes/$RC_SVCNAME.log"
+error_log="/var/log/qubes/$RC_SVCNAME.err"
+
+depend() {
+ need qubes-db
+}
+
+start_pre() {
+ /sbin/ethtool -K "$(get_qubes_managed_iface)" sg off
+ checkpath --directory --owner $command_user:qubes --mode 0775 \
+ /run/$RC_SVCNAME /var/log/qubes
+}
diff --git a/qubes-vm-core/qubes-iptables.openrc b/qubes-vm-core/qubes-iptables.openrc
new file mode 100755
index 0000000..6daa9ac
--- /dev/null
+++ b/qubes-vm-core/qubes-iptables.openrc
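Review bot: In qubes-firewall.openrc, start_pre calls `get_qubes_managed_iface`, but unlike qubes-core-netvm.openrc this script never sources `/usr/lib/qubes/init/functions`, which is presumably where that function is defined. Unless it is provided some other way, the substitution is empty and `ethtool -K "" sg off` fails before the firewall daemon is started. Adding `. /usr/lib/qubes/init/functions` above depend() would fix that. checkpath also creates `/run/$RC_SVCNAME` while `pidfile` lives in `/run/qubes`, so the pidfile directory is not guaranteed to exist.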
@@ -0,0 +1,75 @@
+#!/bin/bash
+#
+# qubes-iptables Start Qubes base iptables firewall
+#
+# chkconfig: 2345 08 92
+# description: Loads iptables firewall
+#
+# config: /etc/qubes/iptables.rules
+# config: /etc/qubes/ip6tables.rules
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Loads Qubes base iptables firewall
+# Description: Loads Qubes base iptables firewall
+### END INIT INFO
+
+IPTABLES=iptables
+IPTABLES_DATA_DIR=/etc/qubes
+
+if [ ! -x /sbin/$IPTABLES ]; then
+ echo $"${IPTABLES}: /sbin/$IPTABLES does not exist."
+ exit 5
+fi
+
+start() {
+ ipt=$1
+ IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
+ ipv6_enabled=
+ if qubesdb-read /qubes-ip6 >/dev/null 2>&1 || \
+ qubesdb-read /qubes-netvm-gateway6 >/dev/null 2>&1; then
+ ipv6_enabled=true
+ fi
+ # if IPv6 is enabled, load alternative rules file
+ if [ "$ipt" = "ip6tables" ] && [ -n "$ipv6_enabled" ]; then
+ IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}-enabled.rules
+ fi
+ CMD=$ipt
+ # Do not start if there is no config file.
+ [ ! -f "$IPTABLES_DATA" ] && return 6
+
+ CMD_ARGS=
+ if "$CMD-restore" --help 2>&1 | grep -q wait=; then
+ # 'wait' must be last on command line if secs not specified
+ CMD_ARGS=--wait
+ fi
+
+ echo -n $"${CMD}: Applying firewall rules: "
+
+ "$CMD-restore" "$IPTABLES_DATA" $CMD_ARGS
+ ret="$?"
+ if [ "$ret" -eq 0 ]; then
+ echo OK
+ else
+ echo FAIL; return 1
+ fi
+
+ return $ret
+}
+
+case "$1" in
+ start)
+ start iptables && start ip6tables
+ RETVAL=$?
+ ;;
+ *)
+ echo $"Usage: ${IPTABLES} start"
+ RETVAL=2
+ ;;
+esac
+
+exit $RETVAL
diff --git a/qubes-vm-core/qubes-sysinit.openrc b/qubes-vm-core/qubes-sysinit.openrc
new file mode 100755
index 0000000..186e0fd
--- /dev/null
+++ b/qubes-vm-core/qubes-sysinit.openrc
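Review bot: start() fails open: when the rules file is absent, `[ ! -f "$IPTABLES_DATA" ] && return 6` returns without printing anything, and because of `start iptables && start ip6tables` a missing or rejected IPv4 rule set also skips loading the IPv6 rules. For a base firewall it is safer to report the missing file on stderr and to attempt both families, e.g. `start iptables; r4=$?; start ip6tables; r6=$?`, then return non-zero if either failed. The APKBUILD's `*.openrc` case installs this file into `/etc/init.d`, but it is a bash SysV-style script with no `depend()`, so OpenRC has no ordering information to bring it up before networking.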
@@ -0,0 +1,18 @@
+#!/sbin/openrc-run
+
+name=$RC_SVCNAME
+error_log="/var/log/qubes/$RC_SVCNAME.log"
+depend() {
+ need qubes-db
+}
+
+start()
+{
+ echo "Executing Qubes system initialization scripts:"
+ /usr/lib/qubes/init/qubes-sysinit.sh 2>&1 | tee -a $error_log
+}
+
+stop()
+{
+ return 0
+}
diff --git a/qubes-vm-core/qubes-updates-proxy-forwarder.openrc b/qubes-vm-core/qubes-updates-proxy-forwarder.openrc
new file mode 100755
index 0000000..52e53f8
--- /dev/null
+++ b/qubes-vm-core/qubes-updates-proxy-forwarder.openrc
@@ -0,0 +1,116 @@ +#!/bin/bash +# +# Updates proxy forwarder Startup script for the updates proxy forwarder +# +# chkconfig: 345 85 15 +# description: forwards connection to updates proxy over Qubes RPC +# +# processname: ncat +# pidfile: /var/run/qubes-updates-proxy-forwarder.pid +# + +# Source function library. +# shellcheck disable=SC1091 +. /etc/init.d/functions.sh + +# Source Qubes library. +# shellcheck source=init/functions +. /usr/lib/qubes/init/functions + +# Check that networking is up. +[ "$NETWORKING" = "no" ] && exit 0 + +exec="/usr/bin/ncat" +prog=$(basename $exec) +pidfile="/var/run/qubes-updates-proxy-forwarder.pid" + +# shellcheck disable=SC1091 +[ -e /etc/sysconfig/qubes-updates-proxy-forwarder ] && . /etc/sysconfig/qubes-updates-proxy-forwarder + +lockfile=/var/lock/subsys/qubes-updates-proxy-forwarder + +start() { + have_qubesdb || return + + if ! qsvc updates-proxy-setup ; then + # updates proxy configuration disabled + exit 0 + fi + + if qsvc qubes-updates-proxy ; then + # updates proxy running here too, avoid looping traffic back to itself + exit 0 + fi + + [ -x $exec ] || exit 5 + + echo -n $"Starting $prog (as Qubes updates proxy forwarder): " + # shellcheck disable=SC2016 + start-stop-daemon \ + --exec $exec \ + --pidfile "$pidfile" \ + --make-pidfile \ + --background \ + --start \ + -- \ + -k -l -e 'qrexec-client-vm $default qubes.UpdatesProxy' + retval=$? + echo + [ $retval -eq 0 ] && touch $lockfile + return $retval +} + +stop() { + echo -n $"Stopping $prog: " + killproc -p $pidfile "$prog" + retval=$? 
+ echo + [ $retval -eq 0 ] && rm -f $lockfile + return $retval +} + +restart() { + stop + start +} + +force_reload() { + restart +} + +rh_status() { + status "$prog" +} + +rh_status_q() { + rh_status >/dev/null 2>&1 +} + +case "$1" in + start) + rh_status_q && exit 0 + $1 + ;; + stop) + rh_status_q || exit 0 + $1 + ;; + restart) + $1 + ;; + force-reload) + force_reload + ;; + status) + rh_status + ;; + condrestart|try-restart) + rh_status_q || exit 0 + restart + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|force-reload}" + exit 2 +esac +exit $? + diff --git a/qubes-vm-core/qubes-updates-proxy.openrc b/qubes-vm-core/qubes-updates-proxy.openrc new file mode 100755 index 0000000..884aeb3 --- /dev/null +++ b/qubes-vm-core/qubes-updates-proxy.openrc 
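Review bot: The listener is started as `ncat -k -l -e 'qrexec-client-vm $default qubes.UpdatesProxy'` with no address or port, so it binds wherever ncat's defaults put it instead of on an explicit loopback endpoint. Stating both (`-k -l 127.0.0.1 <port>`, with the port the update clients are configured for) keeps the forwarder from being reachable on other interfaces. The script also relies on `killproc`, `status` and `/var/lock/subsys` from the Red Hat init function library, which `/etc/init.d/functions.sh` on Alpine presumably does not provide, so `stop` and `status` are likely to fail; `start-stop-daemon --stop --pidfile "$pidfile"` would match the start path. The hunk starts in the previous chunk of the page.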
@@ -0,0 +1,124 @@
+#!/bin/bash
+#
+# tinyproxy Startup script for the tinyproxy server as Qubes updates proxy
+#
+# chkconfig: 345 85 15
+# description: small, efficient HTTP/SSL proxy daemon
+#
+# processname: tinyproxy
+# config: /etc/tinyproxy/tinyproxy-updates.conf
+# config: /etc/sysconfig/tinyproxy-updates
+# pidfile: /var/run/tinyproxy/tinyproxy-updates.pid
+#
+# Note: pidfile is created by tinyproxy in its config
+# see PidFile in the configuration file.
+
+# Source function library.
+# shellcheck disable=SC1091
+. /etc/init.d/functions.sh
+
+# Source Qubes library.
+# shellcheck source=init/functions
+. /usr/lib/qubes/init/functions
+
+# Check that networking is up.
+[ "$NETWORKING" = "no" ] && exit 0
+
+exec="$(command -v tinyproxy)"
+prog=$(basename "$exec")
+config="/etc/tinyproxy/tinyproxy-updates.conf"
+pidfile="/var/run/tinyproxy-updates/tinyproxy.pid"
+
+# shellcheck disable=SC1091
+[ -e /etc/sysconfig/tinyproxy-updates ] && . /etc/sysconfig/tinyproxy-updates
+
+lockfile=/var/lock/subsys/tinyproxy-updates
+
+start() {
+ have_qubesdb || return
+
+ if qsvc qubes-updates-proxy ; then
+ # Yum proxy disabled
+ exit 0
+ fi
+
+ [ -x "$exec" ] || exit 5
+ [ -f $config ] || exit 6
+ # setup network redirection
+ /sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+ /sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+
+ echo -n $"Starting $prog (as Qubes updates proxy): "
+ daemon "$exec" -c $config
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && touch $lockfile
+ return $retval
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ killproc -p $pidfile "$prog"
+ retval=$?
+ echo
+ /sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+ /sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+ [ $retval -eq 0 ] && rm -f "$lockfile"
+ return $retval
+}
+
+restart() {
+ stop
+ start
+}
+
+reload() {
+ echo -n $"Reloading $prog: "
+ killproc -p $pidfile "$prog" -HUP
+ echo
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ status "$prog"
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ $1
+ ;;
+ stop)
+ rh_status_q || exit 0
+ $1
+ ;;
+ restart)
+ $1
+ ;;
+ reload)
+ rh_status_q || exit 7
+ $1
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ status)
+ rh_status
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
+esac
+exit $?
+
diff --git a/qubes-vm-core/qvm-sync-clock.sh b/qubes-vm-core/qvm-sync-clock.sh
new file mode 100755
index 0000000..bd616f6
--- /dev/null
+++ b/qubes-vm-core/qvm-sync-clock.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ ! -f /var/run/qubes-service/clocksync ]; then
+ # https://github.com/QubesOS/qubes-issues/issues/7265
+ /usr/bin/qvm-sync-clock
+fi
diff --git a/qubes-vm-gui-dev/APKBUILD b/qubes-vm-gui-dev/APKBUILD
new file mode 100644
index 0000000..558fb78
--- /dev/null
+++ b/qubes-vm-gui-dev/APKBUILD
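Review bot: In `start()` of `qubes-updates-proxy.openrc` the guard `if qsvc qubes-updates-proxy ; then` exits when the service is enabled, while its own comment says "Yum proxy disabled"; the forwarder script in this commit treats a true `qsvc qubes-updates-proxy` as "updates proxy running here", so the test looks inverted. As written, a VM without the service would fall through to the two `iptables` rules that open port 8082 on `vif+` and start tinyproxy, and a VM with the service would start nothing. Assuming `qsvc` (defined in the sourced `/usr/lib/qubes/init/functions`, not shown) succeeds for an enabled service, the line should read `if ! qsvc qubes-updates-proxy ; then`. The header comment also names `/var/run/tinyproxy/tinyproxy-updates.pid` while `pidfile` is set to `/var/run/tinyproxy-updates/tinyproxy.pid`.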
@@ -0,0 +1,23 @@
+# Maintainer: Antoine Martin (ayakael)
+# Contributor: Antoine Martin (ayakael)
+
+pkgname=qubes-vm-gui-dev
+pkgver=4.1.1
+_gittag="v$pkgver"
+pkgrel=1
+pkgdesc="Common files for Qubes GUI - protocol headers."
+arch="noarch"
+url="https://github.com/QubesOS/qubes-gui-common"
+license="GPL"
+options="!check" # No testsuite
+builddir="$srcdir"/qubes-gui-common-${_gittag/v}
+
+source="$pkgname-$_gittag.tar.gz::https://github.com/QubesOS/qubes-gui-common/archive/refs/tags/$_gittag.tar.gz"
+
+package() {
+ install -dm 755 -p $pkgdir/usr/include
+ cp include/*.h $pkgdir/usr/include/
+}
+sha512sums="
+2d962822413b1e4da6ef9303bce9b25e179829080a4ab96aeb7b274682c32b4620201d1de9c177346ab8d80913ae5e5384792b301d350850408fa790cb77d641 qubes-vm-gui-dev-v4.1.1.tar.gz
+"
diff --git a/qubes-vm-gui/0001-initd-fix.patch b/qubes-vm-gui/0001-initd-fix.patch
new file mode 100644
index 0000000..7bb8a3c
--- /dev/null
+++ b/qubes-vm-gui/0001-initd-fix.patch
@@ -0,0 +1,22 @@
+From 7f7914fc2d0957012f1c4b130b0e442d43110c7d Mon Sep 17 00:00:00 2001
+From: "build@apk-groulx"
+Date: Sat, 5 Mar 2022 00:59:30 +0000
+Subject: [PATCH 1/1] initd fix
+
+---
+ appvm-scripts/usr/lib/qubes/qubes-gui-agent-pre.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/appvm-scripts/usr/lib/qubes/qubes-gui-agent-pre.sh b/appvm-scripts/usr/lib/qubes/qubes-gui-agent-pre.sh
+index dc0a578..4c9623a 100755
+--- a/appvm-scripts/usr/lib/qubes/qubes-gui-agent-pre.sh
++++ b/appvm-scripts/usr/lib/qubes/qubes-gui-agent-pre.sh
+@@ -23,4 +23,4 @@ if [ -n "$debug_mode" ] && [ "$debug_mode" -gt 0 ]; then
+ gui_opts="$gui_opts -vv"
+ fi
+
+-echo "GUI_OPTS=$gui_opts" >> /var/run/qubes-service-environment
++echo "GUI_OPTS=\"$gui_opts\"" >> /var/run/qubes-service-environment
+--
+2.34.1
+
diff --git a/qubes-vm-gui/0001-musl-build.patch b/qubes-vm-gui/0001-musl-build.patch
new file mode 100644
index 0000000..c14f2e8
--- /dev/null
+++ b/qubes-vm-gui/0001-musl-build.patch
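Review bot: The line written by `echo "GUI_OPTS=\"$gui_opts\""` in `0001-initd-fix.patch` is later read with `. /var/run/qubes-service-environment` in `qubes-gui-agent.openrc`, and inside double quotes the sourcing shell still expands `$`, backticks and backslashes. How `gui_opts` is assembled lies outside this hunk, so whether it can carry such characters cannot be judged here; single quotes would make the line inert when sourced, e.g. `echo "GUI_OPTS='$gui_opts'" >> /var/run/qubes-service-environment`, provided the value never contains a single quote. The file is also appended to with `>>`, so repeated runs leave several `GUI_OPTS=` lines and the last one wins.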
@@ -0,0 +1,24 @@
+From 5713c7f16d2634947804a7d7bd4882cba93a21f1 Mon Sep 17 00:00:00 2001
+From: "build@apk-groulx"
+Date: Wed, 2 Mar 2022 17:07:20 +0000
+Subject: [PATCH 1/1] musl build
+
+---
+ gui-agent/vmside.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/gui-agent/vmside.c b/gui-agent/vmside.c
+index fd76f4d..89a41c8 100644
+--- a/gui-agent/vmside.c
++++ b/gui-agent/vmside.c
+@@ -50,6 +50,7 @@
+ #include "list.h"
+ #include "error.h"
+ #include "encoding.h"
++#include
+ #include
+
+ /* Get the size of an array. Error out on pointers. */
+--
+2.35.1
+
diff --git a/qubes-vm-gui/APKBUILD b/qubes-vm-gui/APKBUILD
new file mode 100644
index 0000000..206e9e0
--- /dev/null
+++ b/qubes-vm-gui/APKBUILD
@@ -0,0 +1,105 @@
+# Maintainer: Antoine Martin (ayakael)
+# Contributor: Antoine Martin (ayakael)
+
+pkgname=qubes-vm-gui
+subpackages="qubes-vm-pulseaudio $pkgname-openrc"
+pkgver=4.1.27
+pkgrel=1
+_gittag="v$pkgver"
+pkgdesc="The Qubes GUI Agent for AppVMs"
+arch="x86_64"
+url="https://github.com/QubesOS/qubes-gui-agent-linux"
+license="GPL"
+options="!check" # No testsuite
+depends="
+ libxcomposite
+ py3-xcffib
+ xinit
+ zenity
+ "
+makedepends="
+ autoconf
+ automake
+ gcc
+ git
+ libtool
+ libxcomposite-dev
+ libxt
+ linux-pam-dev
+ make
+ patch
+ pixman
+ pkgconf
+ pulseaudio-dev
+ qubes-db-vm
+ qubes-db-vm-dev
+ qubes-libvchan-xen-dev
+ qubes-vm-gui-dev
+ xen-dev
+ util-macros
+ xorg-server-dev
+ "
+
+source="
+ $pkgname-$_gittag.tar.gz::https://github.com/QubesOS/qubes-gui-agent-linux/archive/refs/tags/$_gittag.tar.gz
+ 0001-musl-build.patch
+ 0001-initd-fix.patch
+ qubes-gui-agent.openrc
+ qubes-sessions.sh
+ qubes-gui-agent.pam
+ "
+builddir="$srcdir"/qubes-gui-agent-linux-${_gittag/v}
+_qubes_backend_vmm=xen
+
+build() {
+ local pa_ver=$(pkg-config --modversion libpulse 2>/dev/null | cut -f 1 -d "-")
+
+ rm -f pulse/pulsecore
+ ln -s pulsecore-$pa_ver pulse/pulsecore
+
+ # Bug fixes : /var/run/console depends on pam_console, which is fedora specific
+ # As a consequece, /var/run/console does not exists and qubes-gui-agent will always fail
+ sed 's:ExecStartPre=/bin/touch:#ExecStartPre=/bin/touch:' -i appvm-scripts/qubes-gui-agent.service
+ # Ensure that qubes-gui-agent starts after user autologin
+ sed 's/After=\(.*\)qubes-misc-post.service/After=\1qubes-misc-post.service getty.target/' -i appvm-scripts/qubes-gui-agent.service
+ # Starts qubes-session after X11 start
+ install -Dm 755 "$srcdir"/qubes-sessions.sh "$pkgdir"/etc/X11/xinit/xinitrc.d/90-qubes-sessions.sh
+ # Remove broken pam and replace with adequate
+ install -Dm 644 "$srcdir"/qubes-gui-agent.pam "$pkgdir"/etc/pam.d/qubes-gui-agent
+
+ make BACKEND_VMM="$_qubes_backend_vmm" appvm
+ make
appvm
+
+ # replace all shebangs with /bin/sh as qubes expects bash
+ # shellcheck disable=SC2013
+ for i in $(grep '/bin/sh' -Rl .); do
+ sed -i 's|/bin/sh|/bin/bash|' "$i"
+ done
+}
+
+package() {
+ make install-rh-agent DESTDIR="$pkgdir" LIBDIR=/usr/lib USRLIBDIR=/usr/lib SYSLIBDIR=/lib
+ install -Dm 755 "$srcdir"/qubes-gui-agent.openrc "$pkgdir"/etc/init.d/qubes-gui-agent
+}
+
+pulseaudio() {
+ pkgdesc="Pulseaudio support for Qubes VM"
+ depends="
+ alsa-lib
+ alsa-utils
+ pulseaudio
+ pulseaudio-alsa
+ "
+ local pa_ver=$(pkg-config --modversion libpulse 2>/dev/null | cut -f 1 -d "-")
+
+ cd "$builddir"
+ make install-pulseaudio DESTDIR=$subpkgdir PA_VER=$pa_ver LIBDIR=/usr/lib USRLIBDIR=/usr/lib SYSLIBDIR=/lib
+}
+sha512sums="
+118f5e94562a04f2f3322708dcf7e21c35e8f8fe8dec8a3cb5fc7c7b8c8948a04e4d26b7ddea1e283dbab13508d2a91792df8c9edb661047e68ce4b2004357e7 qubes-vm-gui-v4.1.27.tar.gz
+f0bbb936e14689d0cbced2f564b8911f9287c0217616f02f3bd0c3060e516d080ad538219f089f5841c2b9d18bb4ad8efb63516ddfd46c18b038218378996a7d 0001-musl-build.patch
+262b93b4ea172926dc18b7af372168ff3f645a02db1529cb73af3d5aa6252a75500bfbd95344a835bbf646e753018d0e27885e41a03f06247226a485edb5e028 0001-initd-fix.patch
+68d01e594296e18d54d8eaa17863451c3ac121e4fcacf98b64db14166bdcf38aa66f1c3659c5014c0a9cc25b5368df66f8c642b8e7af59da8d2a5ad97da9a194 qubes-gui-agent.openrc
+bd707f7956f58c2bb24ccb9adad1381c069e70820fcb1b01b09dc88570d9df00e0dc92a9ac3b242f828314568d5487257566a6fc61e75e62e010b7e4871f9ea0 qubes-sessions.sh
+b512d691f2a6b11fc329bf91dd05ca9c589bbd444308b27d3c87c75262dedf6afc68a9739229249a4bd3d0c43cb1f871eecbb93c4fe559e0f38bdabbffd06ad7 qubes-gui-agent.pam
+"
diff --git a/qubes-vm-gui/qubes-gui-agent.openrc b/qubes-vm-gui/qubes-gui-agent.openrc
new file mode 100644
index 0000000..315421b
--- /dev/null
+++ b/qubes-vm-gui/qubes-gui-agent.openrc
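Review bot: The loop at the end of `build()` in `qubes-vm-gui/APKBUILD` runs `grep '/bin/sh' -Rl .` after `make`, so it also lists any freshly built binary or object that contains the string, and `sed -i 's|/bin/sh|/bin/bash|'` then rewrites every occurrence in each file, not only shebang lines. Editing compiled files in place changes their length, and any script that deliberately calls `/bin/sh -c` has that call changed as well. Limiting the match to text files and to the first line keeps the stated intent: `grep -RlI '^#!/bin/sh' .` with `sed -i '1s|^#!/bin/sh|#!/bin/bash|' "$i"`. The same loop in `qubes-vm-qrexec/APKBUILD` already passes `-I` but has the same whole-file substitution.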
@@ -0,0 +1,26 @@
+#!/sbin/openrc-run
+
+name=$RC_SVCNAME
+cfgfile="/etc/qubes/$RC_SVCNAME.conf"
+command="/usr/bin/qubes-gui"
+pidfile="/run/qubes/$RC_SVCNAME.pid"
+command_background="yes"
+output_log="/var/log/qubes/$RC_SVCNAME.log"
+error_log="/var/log/qubes/$RC_SVCNAME.err"
+
+depend() {
+ need qubes-db
+}
+
+start_pre() {
+ checkpath --directory --owner $command_user:qubes --mode 0775 \
+ /run/qubes /var/log/qubes /var/run/console
+ # start console-kit-daemon
+ /usr/bin/ck-list-sessions > /dev/null 2>&1
+ # pretend tha user is at local console
+ touch /var/run/console/user
+ /bin/sh -c /usr/lib/qubes/qubes-gui-agent-pre.sh
+ . /var/run/qubes-service-environment
+ command_args="$command_args $GUI_OPTS"
+ export DISPLAY=:0
+}
diff --git a/qubes-vm-gui/qubes-gui-agent.pam b/qubes-vm-gui/qubes-gui-agent.pam
new file mode 100644
index 0000000..84f2ae7
--- /dev/null
+++ b/qubes-vm-gui/qubes-gui-agent.pam
@@ -0,0 +1,6 @@
+# basic PAM configuration for Alpine.
+auth sufficient pam_rootok.so
+auth include base-auth
+account include base-account
+password include base-password
+session include base-session-noninteractive
diff --git a/qubes-vm-gui/qubes-sessions.sh b/qubes-vm-gui/qubes-sessions.sh
new file mode 100644
index 0000000..b20b9a5
--- /dev/null
+++ b/qubes-vm-gui/qubes-sessions.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+echo "qubes-session initializing..."
+
+exec /usr/bin/qubes-session
+
+echo "qubes-session initialized"
diff --git a/qubes-vm-qrexec/APKBUILD b/qubes-vm-qrexec/APKBUILD
new file mode 100644
index 0000000..812146d
--- /dev/null
+++ b/qubes-vm-qrexec/APKBUILD
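Review bot: `start_pre()` in `qubes-gui-agent.openrc` passes `--owner $command_user:qubes` to `checkpath`, but this file never assigns `command_user`, unlike the qrexec-agent and meminfo-writer scripts in this commit, which set it to `root`. Unless the variable is supplied from the service's conf.d file, the argument expands to `:qubes`, and `/run/qubes`, `/var/log/qubes` and `/var/run/console` are created group-writable (0775) with an owner the script does not state. Adding an explicit `command_user="<intended account>"` next to `command=` and quoting the expansion as `--owner "$command_user:qubes"` would make the ownership deliberate. The exit status of `/bin/sh -c /usr/lib/qubes/qubes-gui-agent-pre.sh` is also not checked before `/var/run/qubes-service-environment` is sourced.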
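Review bot: The final `echo "qubes-session initialized"` in `qubes-sessions.sh` can never run in the normal case, because `exec /usr/bin/qubes-session` replaces the shell; it is reached only when the exec itself fails, and then the message is wrong. Since the APKBUILD installs this file as `/etc/X11/xinit/xinitrc.d/90-qubes-sessions.sh`, a comment stating whether taking over the calling process is intended would help. If it is intended, delete the last line; if not, drop `exec` so the message reflects a completed session start.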
@@ -0,0 +1,59 @@
+# Maintainer: Antoine Martin (ayakael)
+# Contributor: Antoine Martin (ayakael)
+
+pkgname=qubes-vm-qrexec
+subpackages="$pkgname-openrc $pkgname-doc"
+pkgver=4.1.20
+_gittag="v$pkgver"
+pkgrel=0
+pkgdesc="The Qubes qrexec files (qube side)"
+arch="x86_64"
+url="https://github.com/QubesOS/qubes-core-qrexec"
+license='GPL'
+depends="qubes-libvchan-xen"
+options="!check" # No testsuite
+makedepends="
+ gcc
+ make
+ pandoc
+ pkgconf
+ py3-setuptools
+ lld
+ qubes-libvchan-xen-dev
+ "
+source="
+ $pkgname-$_gittag.tar.gz::https://github.com/QubesOS/qubes-core-qrexec/archive/refs/tags/$_gittag.tar.gz
+ qubes-qrexec-agent.openrc
+ agent-qrexec-fork-server-undef-fortify-source.patch
+ "
+builddir="$srcdir/qubes-core-qrexec-${_gittag/v}"
+
+prepare() {
+ default_prepare
+ # remove all -Werror
+ msg "Eradicating -Werror..."
+ find . \( -name '*.mk' -o -name 'Make*' \) -exec sed -i -e 's/-Werror//g' {} +
+}
+
+build() {
+ make all-base
+ make all-vm
+
+ # change all shebangs to bash as expected
+ # shellcheck disable=SC2013
+ for i in $(grep '/bin/sh' -RlI .); do
+ sed -i 's|/bin/sh|/bin/bash|' "$i"
+ done
+}
+
+package() {
+ export LDFLAGS="$LDFLAGS -fuse-ld=lld"
+ make install-base DESTDIR="$pkgdir" SBINDIR=/sbin LIBDIR=/usr/lib SYSLIBDIR=/lib
+ make install-vm DESTDIR="$pkgdir" SBINDIR=/sbin LIBDIR=/usr/lib SYSLIBDIR=/lib
+ install -Dm 755 "$srcdir"/qubes-qrexec-agent.openrc "$pkgdir"/etc/init.d/qubes-qrexec-agent
+}
+sha512sums="
+650d6ae2a48dddc8207b0b1466024fc2bc48b6d10f11ba35411fa1e44049ddc5d1fe9ca77d968598444db34bac8fb781b6fa4c837846af52161dbf246f3a99fb qubes-vm-qrexec-v4.1.20.tar.gz
+e2dd5cace82e881c40d5d37c69f7327fbabde81c9d23283de23de9f1197b7b018ef07a8d90e95c61bd249426d9d8297e7cb372333245941ffa0682c90ea3461f qubes-qrexec-agent.openrc
+69b88c8d344f0d575eac398937040ba39a0d8fb8ea0a2b160c48d84775e1da4e226a76f3c5d3be7b045f577b634bb35cd5c5536248e18117c4121a38f9f3bf13 agent-qrexec-fork-server-undef-fortify-source.patch
+"
diff --git a/qubes-vm-qrexec/agent-qrexec-fork-server-undef-fortify-source.patch b/qubes-vm-qrexec/agent-qrexec-fork-server-undef-fortify-source.patch
new file mode 100644
index 0000000..f0b62f1
--- /dev/null
+++ b/qubes-vm-qrexec/agent-qrexec-fork-server-undef-fortify-source.patch
@@ -0,0 +1,12 @@
+diff --git a/agent/qrexec-fork-server.c b/agent/qrexec-fork-server.c
+index e9bcab7..655d138 100644
+--- a/agent/qrexec-fork-server.c
++++ b/agent/qrexec-fork-server.c
+@@ -32,6 +32,7 @@
+ #include
+ #include "libqrexec-utils.h"
+ #include "qrexec-agent.h"
++#undef _FORTIFY_SOURCE
+
+ extern char **environ;
+ const bool qrexec_is_fork_server = true;
diff --git a/qubes-vm-qrexec/qubes-qrexec-agent.openrc b/qubes-vm-qrexec/qubes-qrexec-agent.openrc
new file mode 100644
index 0000000..81d5281
--- /dev/null
+++ b/qubes-vm-qrexec/qubes-qrexec-agent.openrc
@@ -0,0 +1,22 @@
+#!/sbin/openrc-run
+
+name=$RC_SVCNAME
+cfgfile="/etc/qubes/$RC_SVCNAME.conf"
+command="/usr/lib/qubes/qrexec-agent"
+command_args=""
+command_user="root"
+pidfile="/run/qubes/$RC_SVCNAME.pid"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/qubes/$RC_SVCNAME.log"
+error_log="/var/log/qubes/$RC_SVCNAME.err"
+
+depend() {
+ need xendriverdomain
+}
+
+start_pre() {
+ /bin/sh -c '[ -e /dev/xen/evtchn ] || modprobe xen_evtchn'
+ checkpath --directory --owner $command_user:qubes --mode 0775 \
+ /run/qubes /var/log/qubes
+}
diff --git a/qubes-vm-utils/APKBUILD b/qubes-vm-utils/APKBUILD
new file mode 100644
index 0000000..b90507a
--- /dev/null
+++ b/qubes-vm-utils/APKBUILD
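Review bot: The added `#undef _FORTIFY_SOURCE` in `agent-qrexec-fork-server-undef-fortify-source.patch` switches off a compile-time hardening option for `qrexec-fork-server.c` with no explanation in the patch or in the APKBUILD, and the file name suggests this code serves qrexec requests. It is also placed after the `#include` lines shown in the context, so it may come too late to affect headers that were already processed; whether it has any effect at all should be checked. If a musl build failure is the reason, a comment such as `/* musl: <failing symbol> does not build with fortify wrappers, see <issue link> */` and a fix scoped to the failing call would be preferable to dropping fortification for the whole file.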
@@ -0,0 +1,63 @@
+# Maintainer: Antoine Martin (ayakael)
+# Contributor: Antoine Martin (ayakael)
+
+pkgname=qubes-vm-utils
+subpackages="
+ qubes-vm-kernel-support:support:noarch
+ $pkgname-openrc
+ "
+pkgver=4.1.19
+pkgrel=0
+_gittag="v$pkgver"
+pkgdesc="Common Linux files for Qubes VM."
+arch="x86_64"
+url="https://github.com/QubesOS/qubes-linux-utils"
+license='GPL'
+depends="
+ imagemagick
+ py3-pillow
+ py3-numpy
+ "
+makedepends="
+ gcc
+ make
+ pkgconfig
+ py3-setuptools
+ qubes-libvchan-xen-dev
+ xen-dev
+ "
+source="
+ $pkgname-$_gittag.tar.gz::https://github.com/QubesOS/qubes-linux-utils/archive/refs/tags/$_gittag.tar.gz
+ qubes-meminfo-writer.openrc
+ "
+options="!check" # No testsuite
+builddir="$srcdir"/${pkgname/vm/linux}-${_gittag/v}
+
+build() {
+ export BACKEND_VMM=xen
+ make all
+}
+
+package() {
+ make install DESTDIR="$pkgdir" LIBDIR=/usr/lib SYSLIBDIR=/lib SBINDIR=/sbin
+ install -Dm 755 "$srcdir"/qubes-meminfo-writer.openrc "$pkgdir"/etc/init.d/qubes-meminfo-writer
+}
+
+support() {
+ depends="
+ mkinitcpio
+ dkms
+ grub
+ "
+ cd "$builddir"
+ mkdir -p "$subpkgdir"/usr/lib/initcpio/install/
+ mkdir -p "$subpkgdir"/usr/lib/initcpio/hooks/
+ mkdir -p "$subpkgdir"/usr/lib/qubes/
+ mkdir -p "$subpkgdir"/usr/bin/
+
+ install -m 755 "$builddir"/dracut/full-dmroot/qubes_cow_setup.sh "$subpkgdir"/usr/lib/qubes/qubes_cow_setup.sh
+}
+sha512sums="
+adfa6190af80e8ff92b899056370b8e820820154dcbad2d141debc72a6f122d94894eb0ffd5f56715db8ff7c3166c63b8832a78f70c35d86d42af071297b7d35 qubes-vm-utils-v4.1.19.tar.gz
+aebc606faa95948be77766f164fc40e4be66e4398e7f56ad52ba9de4c8f7de4ec0c4b48b23a3a6dd083d6f19ae1a591f3ae0caf2c696fd061cd8fea4bdf7d4f3 qubes-meminfo-writer.openrc
+"
diff --git a/qubes-vm-utils/qubes-meminfo-writer.openrc b/qubes-vm-utils/qubes-meminfo-writer.openrc
new file mode 100644
index 0000000..9e8acdc
--- /dev/null
+++ b/qubes-vm-utils/qubes-meminfo-writer.openrc
@@ -0,0 +1,17 @@
+#!/sbin/openrc-run
+
+name=$RC_SVCNAME
+cfgfile="/etc/qubes/$RC_SVCNAME.conf"
+pidfile="/var/run/meminfo-writer.pid"
+command="/sbin/meminfo-writer"
+command_args="30000 100000 $pidfile"
+command_user="root"
+start_stop_daemon_args=""
+command_background="yes"
+output_log="/var/log/qubes/$RC_SVCNAME.log"
+error_log="/var/log/qubes/$RC_SVCNAME.err"
+
+start_pre() {
+ checkpath --directory --owner $command_user:qubes --mode 0775 \
+ /var/log/qubes
+}