From f06cb6f908816224e9e2454885659ca667ab91ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Amadeusz=20Piotr=20=C5=BBo=C5=82nowski?= Date: Sun, 9 Feb 2020 22:51:15 +0000 Subject: [PATCH 1/3] Complete package-managers README.md --- package-managers/README.md | 40 +++++++++++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/package-managers/README.md b/package-managers/README.md index b7ea1a4cb..98b4bacf3 100644 --- a/package-managers/README.md +++ b/package-managers/README.md @@ -3,7 +3,7 @@ Package managers Each Qubes VM should notify Qubes updater in dom0 of new updates available for the particular template or standalone VM. -The is the configuration and hooks for various package managers to +This is the configuration and hooks for various package managers to interact with Qubes updater. Moreover Qubes OS dom0 updates are downloaded by a Qubes VM, rather directly in dom0 which doesn't have networking configured at all. 
@@ -15,11 +15,41 @@ dom0 updates download in VM. It needs to be installed in VM which will handle dom0 updates download only. +App VM +------ + +Below is the list of universal scripts intended to be installed for all +distributions. The `upgrades-installed-check` script should be extended +with support for any new package manager that is used by a App VM. + +- `upgrades-installed-check` - Checks whether there are any pending + upgrades for various distributions. +- `upgrades-status-notify` - Notifies dom0 of any pending upgrades. + Apt --- -The configuration includes: +Below is the list of Apt specific files and configuration. + +- `apt-conf-00notify-hook` - Hook to notify dom0. +- `apt-conf-70no-unattended` - Disables unattended upgrades. We don't + want to App VM instances to upgrade themselves. And the upgrades + installation is managed by Qubes updater. +- `apt-qubes-archive-keyring.gpg` - Qubes public GPG key signing Qubes + deb packages. +- `apt-qubes-r4.list.in`- List of repos with Qubes packages for VM. + +DNF/Yum +------- + +Below is the list of DNF and Yum specific files and configuration. -1. Hook to notify dom0. -2. Disabling unattended upgrades (Qubes updater). -3. List of repos with Qubes packages for VM. +- `dnf-qubes-hooks.conf` +- `dnf-qubes-hooks.py` +- `qubes-download-dom0-updates.sh` +- `RPM-GPG-KEY-qubes-4-centos` +- `RPM-GPG-KEY-qubes-4-primary` +- `RPM-GPG-KEY-qubes-4-unstable` +- `yum-qubes-hooks.conf` +- `yum-qubes-hooks.py` +- `yum-qubes-r4.repo.in` From 2961b6be4117f475c38b9d24f4d095c932980ae0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Amadeusz=20Piotr=20=C5=BBo=C5=82nowski?= Date: Sun, 9 Feb 2020 23:02:46 +0000 Subject: [PATCH 2/3] Add README.md for passwordless root --- passwordless-root/README.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 passwordless-root/README.md diff --git a/passwordless-root/README.md b/passwordless-root/README.md new file mode 100644 index 000000000..1cfc063f8 
--- /dev/null +++ b/passwordless-root/README.md @@ -0,0 +1,31 @@ +Passwordless root +----------------- + +Disables any authentication for root user in App VM. + +In Qubes VMs there is no point in isolating the root account from +the user account. This is because all the user data are already +accessible from the user account, so there is no direct benefit for +the attacker if she could escalate to root. + +At the same time allowing for easy user-to-root escalation in a VM +is simply convenient for users, especially for update installation. + + +Sudoers +------- + +`qubes.sudoers` - grants the default user permission to run any commands +as root without being prompted for password. + + +Polkit +------ + +TODO + + +PAM +--- + +For Debian only. TODO From e7d261d316df1decdcd84a9de9346d744c67226d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Amadeusz=20Piotr=20=C5=BBo=C5=82nowski?= Date: Sun, 9 Feb 2020 23:13:29 +0000 Subject: [PATCH 3/3] Add README.md for filesystem --- filesystem/README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 filesystem/README.md diff --git a/filesystem/README.md b/filesystem/README.md new file mode 100644 index 000000000..cf30bb04b --- /dev/null +++ b/filesystem/README.md @@ -0,0 +1,17 @@ +Filesystem +---------- + +Defines filesystem layout for VM-s. Apart from rootfs, which is not +persistent for App VM instances, there's read-write filesystem mounted +for `/home/` and `/usr/local`. + +Bind-dirs +--------- + +`30_cron.conf` defines bind-dir for directory where cron keeps state. +This is needed to avoid duplicate run of jobs. + +To learn more about bind-dirs, see +[How to make any file in a TemplateBasedVM persistent +using bind-dirs](https://www.qubes-os.org/doc/bind-dirs/) in [User +Documentation](https://www.qubes-os.org/doc/#user-documentation).
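Review bot: in the first hunk of PATCH 1/3 (package-managers/README.md, @@ -3,7 +3,7 @@) the unchanged context line "rather directly in dom0 which doesn't have networking configured at all" is still a fragment after the "The is" to "This is" correction; since the hunk already touches this paragraph, suggest also changing it to "rather than directly in dom0, which doesn't have networking configured at all". That dom0 has no networking and delegates update downloads to a VM is the security-relevant design property this directory exists for, so it deserves a clean sentence.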
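Review bot: the DNF/Yum list in the second hunk of PATCH 1/3 (@@ -15,11 +15,41 @@) names nine files with no description, while the Apt list directly above gives one per file; suggest a one-line description for each, in particular which repository each of `RPM-GPG-KEY-qubes-4-centos`, `RPM-GPG-KEY-qubes-4-primary` and `RPM-GPG-KEY-qubes-4-unstable` is trusted to verify, and that `qubes-download-dom0-updates.sh` is the download script referred to by the preceding context "It needs to be installed in VM which will handle dom0 updates download only". Someone auditing which signing key is trusted for which repo should not have to open the files. Wording in the same hunk: "a App VM" should be "an App VM"; "We don't want to App VM instances to upgrade themselves. And the upgrades installation is managed by Qubes updater." reads better as "We don't want App VM instances to upgrade themselves; upgrade installation is managed by the Qubes updater."; and "`apt-qubes-r4.list.in`- List" is missing the space before the dash.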
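Review bot: the scope of the passwordless-root behaviour in PATCH 2/3 (passwordless-root/README.md) should be stated explicitly: the opening line says "in App VM", but the `qubes.sudoers` description ("grants the default user permission to run any commands as root without being prompted for password") does not say whether the same file is also deployed in templates or standalone VMs, and the rationale ("all the user data are already accessible from the user account") is written for the App VM case only. Suggest one sentence on where the file is installed and a reference to the project documentation that states this rationale, so the threat-model decision is verifiable rather than asserted. The "TODO" placeholders under Polkit and PAM ("For Debian only. TODO") would be more useful if they at least named the files in this directory they are meant to describe, as the Sudoers section does.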
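Review bot: the Bind-dirs paragraph in PATCH 3/3 (filesystem/README.md) says `30_cron.conf` "defines bind-dir for directory where cron keeps state" without naming the directory; suggest quoting the path from `30_cron.conf` so the reader can see exactly what is made persistent, and spelling out the reason (presumably that cron's record of already-run jobs would otherwise be lost with the non-persistent rootfs described at the top of the file). Wording in the same hunk: "VM-s" should be "VMs"; "there's read-write filesystem mounted for `/home/` and `/usr/local`" should be "there's a read-write filesystem mounted at `/home` and `/usr/local`" (consistent trailing slash); and "avoid duplicate run of jobs" should be "avoid duplicate runs of jobs".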