From de19987532ea37f01cd36178065717e3d64df058 Mon Sep 17 00:00:00 2001
From: Stefan Jarina
Date: Sat, 19 Dec 2020 14:48:19 +0100
Subject: [PATCH 1/5] add openSUSE Tumbleweed install script
---
 suse/opensuse/tumbleweed/README.md | 18 +++++
 suse/opensuse/tumbleweed/allow-vsock.te | 10 +++
 suse/opensuse/tumbleweed/install.sh | 95 +++++++++++++++++++++++++
 3 files changed, 123 insertions(+)
 create mode 100644 suse/opensuse/tumbleweed/README.md
 create mode 100644 suse/opensuse/tumbleweed/allow-vsock.te
 create mode 100644 suse/opensuse/tumbleweed/install.sh
diff --git a/suse/opensuse/tumbleweed/README.md b/suse/opensuse/tumbleweed/README.md
new file mode 100644
index 0000000..31b52c2
--- /dev/null
+++ b/suse/opensuse/tumbleweed/README.md
@@ -0,0 +1,18 @@
+# Script to enable XRDP on openSUSE Tumbleweed
+
+## Info
+
+- Designed to be idempotent, you can run it repeatedly
+- Installs required packages
+- Configures XRDP ini files
+- Will compile selinux module in case SELinux is installed on machine (it doesn't need to be enabled though)
+
+## Disclaimer
+
+I only tested this script on my own local installation of openSUSE Tumbleweed from 19/12/2020
+
+- Windows 10 version 20H2 (OS Build 19042.685)
+- Tumbleweed installed with KDE
+- Script might need some tweek in case other DE is used and thus gdm or lighdm needs to be enabled/configured
+- I can't turn off machine from xrdp session, so far did not find a fix
+ - workaround is to switch to basic session and click on shutdown button
diff --git a/suse/opensuse/tumbleweed/allow-vsock.te b/suse/opensuse/tumbleweed/allow-vsock.te
new file mode 100644
index 0000000..5f02b9a
--- /dev/null
+++ b/suse/opensuse/tumbleweed/allow-vsock.te
@@ -0,0 +1,10 @@
+module allow-vsock 1.0;
+
+require {
+ type unconfined_service_t;
+ type unlabeled_t;
+ class vsock_socket { getattr read write };
+}
+
+#============= unconfined_service_t ==============
+allow unconfined_service_t unlabeled_t:vsock_socket { getattr read write };
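Review bot: The single `allow` rule in `tumbleweed/allow-vsock.te` carries no comment explaining why it exists, and it is broader than the script's purpose: it lets every process in `unconfined_service_t` read and write `unlabeled_t` vsock sockets, not only xrdp. I would add a header comment such as `# Lets xrdp (presumably running as unconfined_service_t) use the Hyper-V vsock socket for enhanced session mode; applies to every unconfined service.` so that someone auditing the loaded modules can tell where it came from and what it opens up. If the target policy defines a dedicated domain for xrdp, scoping the rule to that domain would be tighter; that cannot be confirmed from this patch. The identical file added under `leap/15.2/` in PATCH 4/5 needs the same comment.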
diff --git a/suse/opensuse/tumbleweed/install.sh b/suse/opensuse/tumbleweed/install.sh
new file mode 100644
index 0000000..db07fcc
--- /dev/null
+++ b/suse/opensuse/tumbleweed/install.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+#
+# This script is for openSUSE Tumbleweed Linux to configure XRDP for enhanced session mode
+#
+# The confioguration is adapted from the Arch script.
+#
+
+###############################################################
+# Install XRDP
+#
+if [ "$(id -u)" -ne 0 ]; then
+ echo 'This script must be run with root privileges' >&2
+ exit 1
+fi
+
+# Use rpm -q to check for exact package name, install if missing
+if ! rpm -q xrdp 2>&1 > /dev/null ; then
+ echo 'Refreshing repo cache'
+ zypper refresh
+ echo 'Installing missing xrdp package using zypper'
+ zypper -n install xrdp
+fi
+
+###############################################################
+# Configure XRDP
+#
+systemctl enable xrdp
+systemctl enable xrdp-sesman
+
+XRDP_INI_FILE=/etc/xrdp/xrdp.ini
+XRDP_INI_BAK_FILE=$XRDP_INI_FILE.enh_sess_orig.bak
+# Create backup of original XRDP ini file
+if [ ! -f "$XRDP_INI_BAK_FILE" ]; then
+ cp $XRDP_INI_FILE $XRDP_INI_BAK_FILE
+ echo "Original config file saved in $XRDP_INI_BAK_FILE"
+fi
+# Configure the installed XRDP ini files
+# use vsock transport
+sed -i_orig -e 's/port=3389/port=vsock:\/\/-1:3389/g' $XRDP_INI_FILE
+# use rdp security
+sed -i_orig -e 's/security_layer=negotiate/security_layer=rdp/g' $XRDP_INI_FILE
+# remove encryption validation
+sed -i_orig -e 's/crypt_level=high/crypt_level=none/g' $XRDP_INI_FILE
+# disable bitmap compression since its local its much faster
+sed -i_orig -e 's/bitmap_compression=true/bitmap_compression=false/g' $XRDP_INI_FILE
+#
+# sed -n -e 's/max_bpp=32/max_bpp=24/g' $XRDP_INI_FILE
+
+XRDP_SESMAN_INI_FILE=/etc/xrdp/sesman.ini
+# use the default lightdm x display
+sed -i_orig -e 's/X11DisplayOffset=10/X11DisplayOffset=0/g' $XRDP_SESMAN_INI_FILE
+# rename the redirected drives to 'shared-drives'
+sed -i_orig -e 's/FuseMountName=thinclient_drives/FuseMountName=shared-drives/g' $XRDP_SESMAN_INI_FILE
+
+# Change the allowed_users
+echo "allowed_users=anybody" > /etc/X11/Xwrapper.config
+
+# Ensure
hv_sock gets loaded +if [ ! -e /etc/modules-load.d/hv_sock.conf ]; then + echo "hv_sock" > /etc/modules-load.d/hv_sock.conf +fi + +# Configure the policy xrdp session +cat > /etc/polkit-1/rules.d/02-allow-colord.rules <&1 > /dev/null ; then + checkmodule -M -m -o allow-vsock.mod allow-vsock.te + semodule_package -o allow-vsock.pp -m allow-vsock.mod + # Install the selinux module! + semodule -i allow-vsock.pp +fi + +############################################################################### + +echo "####### Configuration Done #######" +echo "Next to do" +echo "Shutdown this VM" +echo "On your host machine in an Administrator powershell prompt, execute this command: " +echo " Set-VM -VMName -EnhancedSessionTransportType HvSocket" +echo "Start this VM, and you will see Enhanced mode available!" From a72e9499d1be11dec6f6908858dc2e35c9cc8dc9 Mon Sep 17 00:00:00 2001 From: Stefan Jarina Date: Sat, 19 Dec 2020 14:51:02 +0100 Subject: [PATCH 2/5] update readme --- suse/opensuse/tumbleweed/README.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/suse/opensuse/tumbleweed/README.md b/suse/opensuse/tumbleweed/README.md index 31b52c2..7c6d86b 100644 --- a/suse/opensuse/tumbleweed/README.md +++ b/suse/opensuse/tumbleweed/README.md @@ -6,13 +6,3 @@ - Installs required packages - Configures XRDP ini files - Will compile selinux module in case SELinux is installed on machine (it doesn't need to be enabled though) - -## Disclaimer - -I only tested this script on my own local installation of openSUSE Tumbleweed from 19/12/2020 - -- Windows 10 version 20H2 (OS Build 19042.685) -- Tumbleweed installed with KDE -- Script might need some tweek in case other DE is used and thus gdm or lighdm needs to be enabled/configured -- I can't turn off machine from xrdp session, so far did not find a fix - - workaround is to switch to basic session and click on shutdown button From 170476de06ac67f625ed1bf42c8c43c149dfcb27 Mon Sep 17 00:00:00 2001 
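Review bot: In `tumbleweed/install.sh` the `sed` edits that set `security_layer=rdp` and `crypt_level=none` run whether or not the preceding `port=3389` substitution matched, so on an `xrdp.ini` whose port line differs from the expected default the service would keep its TCP listener with the security layer and encryption level lowered. A guard between the port edit and the two security edits would tie the downgrade to the vsock transport, for example `grep -q '^port=vsock://' "$XRDP_INI_FILE" || { echo 'xrdp.ini is not on vsock, leaving security settings unchanged' >&2; exit 1; }`. Separately, `rpm -q xrdp 2>&1 > /dev/null` sends stderr to the terminal rather than to /dev/null; `> /dev/null 2>&1` is the order that silences both. The same sequence appears in `leap/15.2/install.sh` in PATCH 4/5.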
From: Stefan Jarina Date: Sun, 20 Dec 2020 16:27:43 +0100 Subject: [PATCH 3/5] X11DisplayOffset, not switch to lightdm by default --- suse/opensuse/tumbleweed/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/suse/opensuse/tumbleweed/install.sh b/suse/opensuse/tumbleweed/install.sh index db07fcc..1088b33 100644 --- a/suse/opensuse/tumbleweed/install.sh +++ b/suse/opensuse/tumbleweed/install.sh @@ -49,7 +49,7 @@ sed -i_orig -e 's/bitmap_compression=true/bitmap_compression=false/g' $XRDP_INI_ XRDP_SESMAN_INI_FILE=/etc/xrdp/sesman.ini # use the default lightdm x display -sed -i_orig -e 's/X11DisplayOffset=10/X11DisplayOffset=0/g' $XRDP_SESMAN_INI_FILE +#sed -i_orig -e 's/X11DisplayOffset=200/X11DisplayOffset=0/g' $XRDP_SESMAN_INI_FILE # rename the redirected drives to 'shared-drives' sed -i_orig -e 's/FuseMountName=thinclient_drives/FuseMountName=shared-drives/g' $XRDP_SESMAN_INI_FILE From 865b8e017a4f24b9077057a678373e14c031bb54 Mon Sep 17 00:00:00 2001 From: Stefan Jarina Date: Sun, 20 Dec 2020 17:15:01 +0100 Subject: [PATCH 4/5] Add support for openSUSE Leap 15.2 --- suse/opensuse/leap/15.2/README.md | 34 ++++++++ suse/opensuse/leap/15.2/allow-vsock.te | 10 +++ suse/opensuse/leap/15.2/install.sh | 108 +++++++++++++++++++++++++ 3 files changed, 152 insertions(+) create mode 100644 suse/opensuse/leap/15.2/README.md create mode 100644 suse/opensuse/leap/15.2/allow-vsock.te create mode 100644 suse/opensuse/leap/15.2/install.sh diff --git a/suse/opensuse/leap/15.2/README.md b/suse/opensuse/leap/15.2/README.md new file mode 100644 index 0000000..208e2dc --- /dev/null +++ b/suse/opensuse/leap/15.2/README.md 
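Review bot: The replacement line in the PATCH 3/5 hunk is commented-out code, and its pattern also changes from `X11DisplayOffset=10` to `X11DisplayOffset=200`, so the comment `# use the default lightdm x display` above it now describes something the script no longer does. I would delete the `sed` line and replace the comment with one that states the decision, e.g. `# X11DisplayOffset is left at the distribution default`. The Leap 15.2 script added in PATCH 4/5 still runs the `X11DisplayOffset=10` substitution; if that difference is intended, a comment there would help. The rest of the script body lies outside this hunk.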
@@ -0,0 +1,34 @@
+# Script to enable XRDP on openSUSE Tumbleweed
+
+## Info
+
+- Designed to be idempotent, you can run it repeatedly
+- Installs required packages
+- Configures XRDP ini files
+- Will compile selinux module in case SELinux is installed on machine (it doesn't need to be enabled though)
+- support changing session to KDE Plasma
+
+## Run
+
+- If using GNOME
+
+```sh
+sudo sh install.sh
+```
+
+- If using KDE
+
+```sh
+sudo sh install.sh --kde
+```
+
+If using different DE
+
+Looks like xrdp on openSUSE leap 15.2 supports below DEs by default
+
+```sh
+sudo sed -i_orig -e 's/SESSION=".*"/SESSION="sle"/g' /etc/xrdp/startwm.sh # set to 'SLE classic'
+sudo sed -i_orig -e 's/SESSION=".*"/SESSION="gnome"/g' /etc/xrdp/startwm.sh # set to 'GNOME'
+sudo sed -i_orig -e 's/SESSION=".*"/SESSION="plasma"/g' /etc/xrdp/startwm.sh # set to 'KDE'
+sudo sed -i_orig -e 's/SESSION=".*"/SESSION="icewm"/g' /etc/xrdp/startwm.sh # set to 'IceWM'
+```
diff --git a/suse/opensuse/leap/15.2/allow-vsock.te b/suse/opensuse/leap/15.2/allow-vsock.te
new file mode 100644
index 0000000..5f02b9a
--- /dev/null
+++ b/suse/opensuse/leap/15.2/allow-vsock.te
@@ -0,0 +1,10 @@
+module allow-vsock 1.0;
+
+require {
+ type unconfined_service_t;
+ type unlabeled_t;
+ class vsock_socket { getattr read write };
+}
+
+#============= unconfined_service_t ==============
+allow unconfined_service_t unlabeled_t:vsock_socket { getattr read write };
diff --git a/suse/opensuse/leap/15.2/install.sh b/suse/opensuse/leap/15.2/install.sh
new file mode 100644
index 0000000..d6c6127
--- /dev/null
+++ b/suse/opensuse/leap/15.2/install.sh
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+#
+# This script is for openSUSE Tumbleweed Linux to configure XRDP for enhanced session mode
+#
+# The confioguration is adapted from the Arch script.
+#
+
+# Set desktop environment, used later to change SESSION="*****" in /etc/xrdp/starwm.sh
+desktop_env=gnome
+# Change to kde if --kde passed
+if [ $# -gt 0 ] && [ $1 = "--kde" ]; then
+ desktop_env=plasma
+fi
+
+###############################################################
+# Install XRDP
+#
+if [ "$(id -u)" -ne 0 ]; then
+ echo 'This script must be run with root privileges' >&2
+ exit 1
+fi
+
+# Use rpm -q to check for exact package name, install if missing
+if ! rpm -q xrdp 2>&1 > /dev/null ; then
+ echo 'Refreshing repo cache'
+ zypper refresh
+ echo 'Installing missing xrdp package using zypper'
+ zypper -n install xrdp
+fi
+
+###############################################################
+# Configure XRDP
+#
+systemctl enable xrdp
+systemctl enable xrdp-sesman
+
+XRDP_INI_FILE=/etc/xrdp/xrdp.ini
+XRDP_INI_BAK_FILE=$XRDP_INI_FILE.enh_sess_orig.bak
+# Create backup of original XRDP ini file
+if [ !
-f "$XRDP_INI_BAK_FILE" ]; then + cp $XRDP_INI_FILE $XRDP_INI_BAK_FILE + echo "Original config file saved in $XRDP_INI_BAK_FILE" +fi +# Configure the installed XRDP ini files +# use vsock transport +sed -i_orig -e 's/port=3389/port=vsock:\/\/-1:3389/g' $XRDP_INI_FILE +# use rdp security +sed -i_orig -e 's/security_layer=negotiate/security_layer=rdp/g' $XRDP_INI_FILE +# remove encryption validation +sed -i_orig -e 's/crypt_level=high/crypt_level=none/g' $XRDP_INI_FILE +# disable bitmap compression since its local its much faster +sed -i_orig -e 's/bitmap_compression=true/bitmap_compression=false/g' $XRDP_INI_FILE +# +# sed -n -e 's/max_bpp=32/max_bpp=24/g' $XRDP_INI_FILE + +XRDP_SESMAN_INI_FILE=/etc/xrdp/sesman.ini +# use the default lightdm x display +sed -i_orig -e 's/X11DisplayOffset=10/X11DisplayOffset=0/g' $XRDP_SESMAN_INI_FILE +# rename the redirected drives to 'shared-drives' +sed -i_orig -e 's/FuseMountName=thinclient_drives/FuseMountName=shared-drives/g' $XRDP_SESMAN_INI_FILE + +# adjust startwm.sh (this is needed only in Leap, not needed in Tumbleweed) +if [ "$(grep -e 'SESSION=".*"' /etc/xrdp/startwm.sh)" ]; then + sed -i_orig -e "s/SESSION=\".*\"/SESSION=\"$desktop_env\"/g" /etc/xrdp/startwm.sh + echo "Changed session to '${desktop_env^^}'" +fi + +# Change the allowed_users +echo "allowed_users=anybody" > /etc/X11/Xwrapper.config + +# Ensure hv_sock gets loaded +if [ ! -e /etc/modules-load.d/hv_sock.conf ]; then + echo "hv_sock" > /etc/modules-load.d/hv_sock.conf +fi + +# Configure the policy xrdp session +cat > /etc/polkit-1/rules.d/02-allow-colord.rules <&1 > /dev/null ; then + checkmodule -M -m -o allow-vsock.mod allow-vsock.te + semodule_package -o allow-vsock.pp -m allow-vsock.mod + # Install the selinux module! 
+ semodule -i allow-vsock.pp +fi + +############################################################################### + +echo "####### Configuration Done #######" +echo "Next to do" +echo "Shutdown this VM" +echo "On your host machine in an Administrator powershell prompt, execute this command: " +echo " Set-VM -VMName -EnhancedSessionTransportType HvSocket" +echo "Start this VM, and you will see Enhanced mode available!" From 4570120c6834a42621fb8c1d822951b69429bf4f Mon Sep 17 00:00:00 2001 From: Stefan Jarina Date: Sat, 9 Apr 2022 20:04:27 +0200 Subject: [PATCH 5/5] add readme --- suse/opensuse/leap/15.2/README.md | 37 +++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/suse/opensuse/leap/15.2/README.md b/suse/opensuse/leap/15.2/README.md index 208e2dc..672f4ec 100644 --- a/suse/opensuse/leap/15.2/README.md +++ b/suse/opensuse/leap/15.2/README.md @@ -32,3 +32,40 @@ sudo sed -i_orig -e 's/SESSION=".*"/SESSION="gnome"/g' /etc/xrdp/startwm.sh # sudo sed -i_orig -e 's/SESSION=".*"/SESSION="plasma"/g' /etc/xrdp/startwm.sh # set to 'KDE' sudo sed -i_orig -e 's/SESSION=".*"/SESSION="icewm"/g' /etc/xrdp/startwm.sh # set to 'IceWM' ``` + +## Known issues + +### I can't shutdown/restart machine from xrdp session, session just logoff, but muchine keeps running + +- There is a simple fix to that, but it is not a part of script as it might not be an intended change + - This solution does not work for Tumbleweed strangely +- Below will allow any user that is part of group `power` to reboot/suspend/shutdown/hibernate the machine from GUI +- Please adjust below solution in case you want this to be available for different group. e.g. `admins` or `wheel` + +```sh +# group 'power' is not available on openSUSE by default, so we will create it +sudo groupadd power + +# add your user to group power +sudo usermod -a -G power + +# add polkit rule +sudo bash -c 'cat > /etc/polkit-1/rules.d/48-shutdown-power-group <
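Review bot: The argument test `[ $1 = "--kde" ]` near the top of `leap/15.2/install.sh` leaves `$1` unquoted, so an empty or multi-word first argument makes `[` print an error instead of evaluating cleanly; `[ "$1" = "--kde" ]` avoids that. Any other argument is silently ignored, which hides typos such as `--KDE`; a usage message and non-zero exit for unknown options would be safer in a script that goes on to rewrite system configuration as root. The README in the same patch tells users to run `sudo sh install.sh`, while the script uses the bash-only expansion `${desktop_env^^}`; that works only where `sh` is bash, so the README should say `sudo bash install.sh` or the echo should drop `^^`. The header comment still names Tumbleweed rather than Leap 15.2.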