From b6fe31696df142f1e7d732b673671c01a547c6c5 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Thu, 8 Feb 2024 10:46:11 -0500 Subject: [PATCH] qubes-vm-core: fix apk proxy --- qubes-vm-core/APKBUILD | 14 +- qubes-vm-core/apk-proxy.sh | 5 + .../qubes-updates-proxy-forwarder.openrc | 136 ++++-------------- qubes-vm-core/sudo-aliases.sh | 2 + 4 files changed, 42 insertions(+), 115 deletions(-) create mode 100644 qubes-vm-core/apk-proxy.sh create mode 100644 qubes-vm-core/sudo-aliases.sh
diff --git a/qubes-vm-core/APKBUILD b/qubes-vm-core/APKBUILD
index 5295f8a..56dbdf5 100644
--- a/qubes-vm-core/APKBUILD
+++ b/qubes-vm-core/APKBUILD
@@ -10,7 +10,7 @@ subpackages="
 $pkgname-pyc
 "
 pkgver=4.2.28
-pkgrel=0
+pkgrel=3
 _gittag="v$pkgver"
 pkgdesc="The Qubes core files for installation inside a Qubes VM."
 arch="x86_64"
@@ -18,8 +18,8 @@ url="https://github.com/QubesOS/qubes-core-agent-linux"
 license="GPL"
 options="!check" # No testsuite
 depends="
- coreutils
 blkid
+ coreutils
 dconf
 desktop-file-utils
 device-mapper
@@ -40,7 +40,6 @@ depends="
 py3-dbus
 py3-gobject3
 py3-xdg
- python3
 qubes-db-vm
 qubes-libvchan-xen
 qubes-vm-utils
@@ -74,6 +73,7 @@ source="
 qubes-sysinit.openrc
 qubes-updates-proxy-forwarder.openrc
 qubes-updates-proxy.openrc
+ apk-proxy.sh
 qvm-sync-clock.sh
 setupip-do-not-use-systemctl.patch
 "
@@ -114,6 +114,9 @@ package() {
 make -C network DESTDIR="$pkgdir" install
 install -Dm755 "$builddir"/network/update-proxy-configs "$pkgdir"/usr/lib/qubes/.
 install -Dm755 "$srcdir"/qvm-sync-clock.sh "$pkgdir"/etc/qubes/suspend-post.d/.
+ install -Dm644 "$srcdir"/apk-proxy.sh "$pkgdir"/etc/profile.d/apk-proxy.sh
+ install -dm755 "$pkgdir"/etc/bash
+ ln -s /etc/profile.d/apk-proxy.sh "$pkgdir"/etc/bash/apk-proxy.sh
 for i in $source; do
 case $i in
@@ -123,7 +126,6 @@ package() {
 "$pkgdir"/etc/conf.d/${i%.*};;
 esac
 done
-
 }
@@ -145,7 +147,6 @@ networking() {
 net-tools
 networkmanager
 nftables
- python3
 qubes-db-vm
 qubes-vm-core
 qubes-vm-utils
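Review bot: sudo-aliases.sh is created by this patch (last file section) but, as far as the visible hunks show, it is never added to `source=` in the `@@ -74,6 +73,7 @@` hunk, never installed in the package() hunk, and gets no sha512 entry, so it would sit unused in the aport directory. apk-proxy.sh already carries the same `alias sudo='sudo '` line, so either drop sudo-aliases.sh from the commit or ship it and remove the duplicate from apk-proxy.sh. The `ln -s /etc/profile.d/apk-proxy.sh "$pkgdir"/etc/bash/apk-proxy.sh` line would also benefit from a comment such as `# interactive non-login bash does not read /etc/profile.d`, if that is the reason for the second path. package() begins and ends outside the hunk.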
@@ -170,8 +171,9 @@ da8e293520f5fce29ce76d7586e8ce1a4164798a1214079fb554c690264da1d774fdad3f45825aac 8f1ea1b6bfb4d3089a51cc3e325861ee7b644f743b2652bf61789933adedefdbc743a61567ad980d2a6077647eb61570b68a056125abaab2a67166d249a961b0 qubes-firewall.openrc 437a3dc443c5b0311c5dc8f792739eef89e38b2e854b9a5bb248211dd0eb0f26c1d79588ca2b4b63236b8bed0d735be6b2265d8328885730a8aa5f854301d61f qubes-iptables.openrc e9096560e4ee4cad836b686e18eb6dbac729227683eda2f0c8b3541c909f64de3489dbb66e3752014deab69cbfae7885bc15b9bb7e3942c02e40328337b9ef30 qubes-sysinit.openrc -b1e8af2335955e52cf1817c56296f94f8c472e68d7a17a28f516fe4f5fa8a8053d4f9333efbb007a82a06f9442a4a6cfe5f9c751de07f337e47ee04cb18b9395 qubes-updates-proxy-forwarder.openrc +99ec0afc167866727072606aa183f0c7a539e68e0d8b9a57f6b9c129d3722c9135e1487eef438807d7138af0e669fb14608cbc1f1d5620ee9e995f294a8929f8 qubes-updates-proxy-forwarder.openrc 29d316b9f48cad15f6e22aaa67b228a5e4893ded86463dbe25b3cc68301b961473e79c01f003b1665e217ad4af2e618625442250d5607c1c16462e3f5eed069c qubes-updates-proxy.openrc +517d59e4699c24f23ccd59f5d4be3a519a426eee99d742c637fe1a9e69caa073621f4e9362c30182ba5a1a3eb0a769070c96e2c6b24cd8366a1f8f450a0b1c01 apk-proxy.sh cca9f49422fa25cd5f3942dce8edd3ecff080bf5c407a7a790b438bedea054f39a4a3d8c179b44c4c08fc490b597e14d00dad9b0240861e83957e0af7aa6475d qvm-sync-clock.sh eb59321c800e65ce873085a1105b1b697d2a8ecaefcdaa8280a81d0082c0022653ecd746c7ec37e2c544265892afb77531effa17b0fa6c45a6a86925b513bdea setupip-do-not-use-systemctl.patch "
diff --git a/qubes-vm-core/apk-proxy.sh b/qubes-vm-core/apk-proxy.sh
new file mode 100644
index 0000000..957ee76
--- /dev/null
+++ b/qubes-vm-core/apk-proxy.sh
@@ -0,0 +1,5 @@
+# Use the update proxy over the QubesOS RPC for apk
+# /etc/init.d/qubes-updates-proxy-forwarder creates the socket to the proxy
+alias apk='https_proxy="http://127.0.0.1:8082/" http_proxy="http://127.0.0.1:8082/" apk'
+# allow aliases with sudo
+alias sudo='sudo '
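Review bot: The proxy in apk-proxy.sh is applied only through a shell alias, so it reaches apk only when the command is typed in a shell that has sourced this file; scripts, cron jobs and any program that executes apk directly run it without `http_proxy`/`https_proxy`, which in a qube with its own network access means fetching packages outside the updates proxy. The header comment should say so, for example `# NOTE: alias only; non-interactive callers must export http_proxy/https_proxy themselves`. `alias sudo='sudo '` is also global: it makes sudo expand every alias of every user whose shell sources this file, not just apk, and its comment should state that. The port 8082 is repeated here and in `command_args` of qubes-updates-proxy-forwarder.openrc, so the two must be changed together.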
diff --git a/qubes-vm-core/qubes-updates-proxy-forwarder.openrc b/qubes-vm-core/qubes-updates-proxy-forwarder.openrc
index 52e53f8..fe84480 100755
--- a/qubes-vm-core/qubes-updates-proxy-forwarder.openrc
+++ b/qubes-vm-core/qubes-updates-proxy-forwarder.openrc
@@ -1,116 +1,34 @@ -#!/bin/bash -# +#!/sbin/openrc-run # Updates proxy forwarder Startup script for the updates proxy forwarder -# -# chkconfig: 345 85 15 # description: forwards connection to updates proxy over Qubes RPC -# -# processname: ncat -# pidfile: /var/run/qubes-updates-proxy-forwarder.pid -# +# The clients should use the below shell variable exports: +# http_proxy="http://127.0.0.1:8082/" +# https_proxy="http://127.0.0.1:8082/" +# For apk, see the /etc/profile.d/apk-proxy.sh alias -# Source function library. -# shellcheck disable=SC1091 -. /etc/init.d/functions.sh +name=$RC_SVCNAME +cfgfile="/etc/qubes/$RC_SVCNAME.conf" +command="/bin/busybox" +command_args="nc -lk -s 127.0.0.1 -p 8082 -e /usr/bin/qrexec-client-vm @default qubes.UpdatesProxy" +command_user="root" +pidfile="/run/qubes/$RC_SVCNAME.pid" +command_background="yes" +output_log="/var/log/qubes/$RC_SVCNAME.log" +error_log="/var/log/qubes/$RC_SVCNAME.err" -# Source Qubes library. -# shellcheck source=init/functions -. /usr/lib/qubes/init/functions - -# Check that networking is up. -[ "$NETWORKING" = "no" ] && exit 0 - -exec="/usr/bin/ncat" -prog=$(basename $exec) -pidfile="/var/run/qubes-updates-proxy-forwarder.pid" - -# shellcheck disable=SC1091 -[ -e /etc/sysconfig/qubes-updates-proxy-forwarder ] && . /etc/sysconfig/qubes-updates-proxy-forwarder - -lockfile=/var/lock/subsys/qubes-updates-proxy-forwarder - -start() { - have_qubesdb || return - - if ! qsvc updates-proxy-setup ; then - # updates proxy configuration disabled - exit 0 - fi - - if qsvc qubes-updates-proxy ; then - # updates proxy running here too, avoid looping traffic back to itself - exit 0 - fi - - [ -x $exec ] || exit 5 - - echo -n $"Starting $prog (as Qubes updates proxy forwarder): " - # shellcheck disable=SC2016 - start-stop-daemon \ - --exec $exec \ - --pidfile "$pidfile" \ - --make-pidfile \ - --background \ - --start \ - -- \ - -k -l -e 'qrexec-client-vm $default qubes.UpdatesProxy' - retval=$? 
- echo - [ $retval -eq 0 ] && touch $lockfile - return $retval +depend() { + need qubes-qrexec-agent + need net } -stop() { - echo -n $"Stopping $prog: " - killproc -p $pidfile "$prog" - retval=$? - echo - [ $retval -eq 0 ] && rm -f $lockfile - return $retval +start_pre() { + checkpath --directory --owner $command_user:qubes --mode 0775 \ + /run/qubes \ + /var/log/qubes \ + /var/run/qubes + # TODO should fail if qubes-update-proxy is running + # if qsvc qubes-updates-proxy ; then + # # updates proxy running here too, avoid looping traffic back to itself + # exit 0 + # fi } - -restart() { - stop - start -} - -force_reload() { - restart -} - -rh_status() { - status "$prog" -} - -rh_status_q() { - rh_status >/dev/null 2>&1 -} - -case "$1" in - start) - rh_status_q && exit 0 - $1 - ;; - stop) - rh_status_q || exit 0 - $1 - ;; - restart) - $1 - ;; - force-reload) - force_reload - ;; - status) - rh_status - ;; - condrestart|try-restart) - rh_status_q || exit 0 - restart - ;; - *) - echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|force-reload}" - exit 2 -esac -exit $? -
diff --git a/qubes-vm-core/sudo-aliases.sh b/qubes-vm-core/sudo-aliases.sh
new file mode 100644
index 0000000..3ee7ff3
--- /dev/null
+++ b/qubes-vm-core/sudo-aliases.sh
@@ -0,0 +1,2 @@
+# allow aliases with sudo
+alias sudo='sudo '
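Review bot: In the qubes-updates-proxy-forwarder.openrc hunk, `start_pre` sets /run/qubes and /var/log/qubes to mode 0775 with group qubes, and the same directories hold the `pidfile`, `output_log` and `error_log` of a service that runs as root; any member of that group can then replace those files, so a later stop or start would act on a PID or a path the service did not create. If other Qubes components need the directories group-writable, keep them and move this service's files to a root-only location, e.g. `pidfile="/run/$RC_SVCNAME.pid"`. The rewrite also drops the old `have_qubesdb` and `qsvc updates-proxy-setup` checks along with the `qsvc qubes-updates-proxy` one, while the TODO covers only the last, so the listener now appears to start wherever the service is enabled. `cfgfile` is assigned but not used in the visible script. The hunk replaces the whole file.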