/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Template policy, services->features, core plugins #1637

Closed
woju opened this Issue Jan 15, 2016 · 7 comments

Comments

Assignees

@woju woju

Labels
Projects
None yet
Milestone
  Release 4.0
3 participants
@woju @marmarek @qubesos-bot
@woju
Member

woju commented Jan 15, 2016

Some templates, like whonix-ws, may like to impose some policies unto their appvms. (The example, discussed here, is time synchronisation — by default Whonix should not receive current time from dom0 for privacy reasons).

Those policies will be expressed as some plugins/enhacements to the core-admin. The logic (and program flow) of such plugins will contain that policy. Policy may be influenced by domain's properties (which are hardcoded into core) or "features", an expansion of the previous (core1-2) concept of "services". Features is a dictionary (key-value store), with keys being subset of ASCII and values being UTF-8 encoded strings. Value may be an empty string or the entire key-value pair may be absent.

During installation, template is started and it may perform some qrexec rpc calls. There should be one call (it is currently called qubes.NotifyTools), which when called signals to the plugins that there are some qubesdb entries updated, that should help the plugin to set the policy and maybe store it in domain's properties and/or features.

Then some tools, when faced with policy decision, may make decision based on the features of the domains in store. It is expressly allowed to make decisions based on properties/features of other domains, like domain's template or netvm.

Features may be shared between plugins/subsystems (i.e. plugin/tool may make decisions based on features kept by other tool/plugin), like in /proc/cmdline.

Anything missing?

/cc @marmarek

@woju woju added enhancement C: core task labels Jan 15, 2016

@woju woju self-assigned this Jan 15, 2016

@woju woju added this to the Release 4.0 milestone Jan 15, 2016

@woju

This comment has been minimized.

Show comment
Hide comment
@woju

woju Jan 15, 2016

Member

How that fits our previous conversation about qrexec policy?
Member

woju commented Jan 15, 2016

How that fits our previous conversation about qrexec policy?
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jan 15, 2016

Member

Another use case for this mechanism would be Windows VMs, with Qubes Windows Tools being installed, or not. When it calls qubes.NotifyTools, some plugin will handle that to record the fact that tools are installed and the next time (or even this time?) VM should have proper GUI daemon started, possible to enable seamless mode etc.

How that fits our previous conversation about qrexec policy?

I think it is mostly orthogonal, as new qrexec policy (#867, #865) is mostly about calls made from VMs qubes, but here we are talking about mostly qubes settings and calls made to qubes. At best, those "features" discussed here may be (some of) factors being considered by qrexec policy.
Member

marmarek commented Jan 15, 2016

Another use case for this mechanism would be Windows VMs, with Qubes Windows Tools being installed, or not. When it calls qubes.NotifyTools, some plugin will handle that to record the fact that tools are installed and the next time (or even this time?) VM should have proper GUI daemon started, possible to enable seamless mode etc.

How that fits our previous conversation about qrexec policy?

I think it is mostly orthogonal, as new qrexec policy (#867, #865) is mostly about calls made from VMs qubes, but here we are talking about mostly qubes settings and calls made to qubes. At best, those "features" discussed here may be (some of) factors being considered by qrexec policy.
@marmarek

This comment has been minimized.

Show comment
Hide comment
@marmarek

marmarek Jan 19, 2016

Member

Related to: #1323
Member

marmarek commented Jan 19, 2016

Related to: #1323

@marmarek marmarek referenced this issue Jan 19, 2016

Closed

Debian template by default bundles (and starts) Tor #1625

@marmarek marmarek referenced this issue Jan 29, 2016

Closed

Implement qrexec service for installing template images #1705

This was referenced Feb 9, 2016

Closed
Open

woju added a commit to woju/qubes-core-qubesdb that referenced this issue May 18, 2016

@woju
python: fix qubesdb module in vm 
The function qdb_init() should get NULL but instead it got uninitalised
local variable, since PyArg_ParseTuple does not touch pointers to
omitted argumets.

QubesOS/qubes-issues#1637
5ae09e4

woju added a commit to woju/qubes-core-agent-linux that referenced this issue May 19, 2016

@woju
WIP misc: add qvm-features-request 
This tool is used to request features from template.

QubesOS/qubes-issues#1637
ffe6a31

woju added a commit to woju/qubes-core-admin that referenced this issue May 19, 2016

@woju
qubes/tools/qvm-features: add tool for managing qvm-features 
QubesOS/qubes-issues#1637
e757444

woju added a commit to woju/qubes-core-agent-linux that referenced this issue May 21, 2016

@woju
misc: add qvm-features-request 
This tool is used to request features from template.

QubesOS/qubes-issues#1637
73764be

woju added a commit to woju/qubes-core-agent-linux that referenced this issue May 21, 2016

@woju
misc: add qvm-features-request 
This tool is used to request features from template.

QubesOS/qubes-issues#1637
8e3f2c7

woju added a commit to woju/qubes-core-agent-linux that referenced this issue May 21, 2016

@woju
misc: add qvm-features-request 
This tool is used to request features from template.

QubesOS/qubes-issues#1637
f62fc40

marmarek added a commit to marmarek/qubes-core-qubesdb that referenced this issue Jun 1, 2016

@woju @marmarek
python: fix qubesdb module in vm 
The function qdb_init() should get NULL but instead it got uninitalised
local variable, since PyArg_ParseTuple does not touch pointers to
omitted argumets.

QubesOS/qubes-issues#1637
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
9e9dfc9

woju added a commit to woju/qubes-core-agent-linux that referenced this issue Jun 13, 2016

@woju
misc: add qvm-features-request 
This tool is used to request features from template.

QubesOS/qubes-issues#1637
5261f93

@woju woju referenced this issue in QubesOS/qubes-core-agent-linux Jun 13, 2016

Closed

misc: add qvm-features-request #16

marmarek added a commit to QubesOS/qubes-core-qubesdb that referenced this issue Jun 25, 2016

@woju @marmarek
python: fix qubesdb module in vm 
The function qdb_init() should get NULL but instead it got uninitalised
local variable, since PyArg_ParseTuple does not touch pointers to
omitted argumets.

QubesOS/qubes-issues#1637

(cherry picked from commit 9e9dfc9)
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
90c6d0a

woju added a commit to woju/qubes-core-agent-linux that referenced this issue Oct 5, 2016

@woju
misc: add qvm-features-request 
This tool is used to request features from template.

QubesOS/qubes-issues#1637
f6bbfa8

This was referenced Oct 21, 2016

Open
Closed

woju added a commit to woju/qubes-core-agent-linux that referenced this issue Dec 6, 2016

@woju
misc: add qvm-features-request 
This tool is used to request features from template.

QubesOS/qubes-issues#1637
1aade4d

@woju woju referenced this issue in QubesOS/qubes-core-agent-linux Dec 6, 2016

Closed

misc: add qvm-features-request #30

woju added a commit to woju/qubes-core-agent-linux that referenced this issue Dec 7, 2016

@woju
misc: add qvm-features-request 
This tool is used to request features from template.

QubesOS/qubes-issues#1637
f894a03

@marmarek marmarek referenced this issue May 26, 2017

Open

Document qubes.PostInstall service, `/etc/qubes/post-install.d`, qvm-features-request #2829

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue May 26, 2017

@marmarek
vm: expose to VM only features with 'service/' prefix 
And place them in /qubes-service/ QubesDB directory. This allows
extensions to easily store some data not exposed to VM, but also have
control what VM will see. And at the same time, it make it compatible
with existing services framework

QubesOS/qubes-issues#1637
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
c472143

@marmarek marmarek closed this in marmarek/old-qubes-core-agent-linux@8694931 May 26, 2017

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue May 26, 2017

@marmarek
vm: expose to VM only features with 'service/' prefix 
And place them in /qubes-service/ QubesDB directory. This allows
extensions to easily store some data not exposed to VM, but also have
control what VM will see. And at the same time, it make it compatible
with existing services framework

QubesOS/qubes-issues#1637
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
e54cc11

@jpouellet jpouellet referenced this issue May 26, 2017

Open

Tool for performing multiple updates #2718

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 9, 2017

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.0-1.fc24 has been pushed to the r4.0 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented Jun 9, 2017

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.0-1.fc24 has been pushed to the r4.0 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added the r4.0-fc24-cur-test label Jun 9, 2017

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Jun 9, 2017

Closed

core-agent-linux v4.0.0 (r4.0) #68

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 9, 2017

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.0-1.fc25 has been pushed to the r4.0 testing repository for the Fedora fc25 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented Jun 9, 2017

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.0-1.fc25 has been pushed to the r4.0 testing repository for the Fedora fc25 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added the r4.0-fc25-cur-test label Jun 9, 2017

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 9, 2017

Automated announcement from builder-github

The package qubes-core-agent_4.0.0-1+deb8u1 has been pushed to the r4.0 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented Jun 9, 2017

Automated announcement from builder-github

The package qubes-core-agent_4.0.0-1+deb8u1 has been pushed to the r4.0 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot qubesos-bot added the r4.0-jessie-cur-test label Jun 9, 2017

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jun 9, 2017

Automated announcement from builder-github

The package qubes-core-agent_4.0.0-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented Jun 9, 2017

Automated announcement from builder-github

The package qubes-core-agent_4.0.0-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot qubesos-bot added the r4.0-stretch-cur-test label Jun 9, 2017

@QubesOS QubesOS deleted a comment from aberja Jun 10, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment