diff --git a/Makefile b/Makefile index 72a9e9ce..cfdec68b 100644 --- a/Makefile +++ b/Makefile @@ -58,20 +58,20 @@ remove-usb-autoattach: prep-dev ## Removes udev rules and scripts from sys-usb sudo qubesctl --show-output state.sls sd-usb-autoattach-remove sd-workstation-template: prep-dev ## Provisions base template for SDW AppVMs - sudo qubesctl --show-output state.sls sd-workstation-buster-template - sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-buster-template state.highstate + sudo qubesctl --show-output state.sls sd-workstation-bullseye-template + sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-bullseye-template state.highstate sd-proxy: prep-dev ## Provisions SD Proxy VM sudo qubesctl --show-output state.sls sd-proxy - sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-proxy state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-small-bullseye-template,sd-proxy state.highstate sd-gpg: prep-dev ## Provisions SD GPG keystore VM sudo qubesctl --show-output state.sls sd-gpg - sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-buster-template,sd-gpg state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-bullseye-template,sd-gpg state.highstate sd-app: prep-dev ## Provisions SD APP VM sudo qubesctl --show-output state.sls sd-app - sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-app state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-small-bullseye-template,sd-app state.highstate sd-whonix: prep-dev ## Provisions SD Whonix VM sudo qubesctl --show-output state.sls sd-whonix 
@@ -79,15 +79,15 @@ sd-whonix: prep-dev ## Provisions SD Whonix VM sd-viewer: prep-dev ## Provisions SD Submission Viewing VM sudo qubesctl --show-output state.sls sd-viewer - sudo qubesctl --show-output --skip-dom0 --targets sd-viewer-buster-template,sd-viewer state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-viewer-bullseye-template,sd-viewer state.highstate sd-devices: prep-dev ## Provisions SD Export VM sudo qubesctl --show-output state.sls sd-devices - sudo qubesctl --show-output --skip-dom0 --targets sd-devices-buster-template,sd-devices,sd-devices-dvm state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-devices-bullseye-template,sd-devices,sd-devices-dvm state.highstate sd-log: prep-dev ## Provisions SD logging VM sudo qubesctl --show-output state.sls sd-log - sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-log state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-small-bullseye-template,sd-log state.highstate prep-dev: assert-dom0 ## Configures Salt layout for SD workstation VMs @./scripts/prep-dev diff --git a/dom0/fpf-apt-repo.sls b/dom0/fpf-apt-repo.sls index 66e5bb43..bb32033e 100644 --- a/dom0/fpf-apt-repo.sls +++ b/dom0/fpf-apt-repo.sls @@ -13,6 +13,7 @@ # - update.qubes-vm # - sd-default-config +# Imports "sdvars" for environment config {% from 'sd-default-config.sls' import sdvars with context %} # Debian Buster was changed from 'stable' to 'oldstable' on 2021-08, 
@@ -39,7 +40,9 @@ install-python-apt-for-repo-config: configure-fpf-apt-repo: pkgrepo.managed: - - name: "deb [arch=amd64] {{ sdvars.apt_repo_url }} {{ grains['oscodename'] }} main" + # Can't reuse sdvars.distribution here because this queries grains from VMs + # rather than dom0 + - name: "deb [arch=amd64] {{ sdvars.apt_repo_url }} {{ grains['oscodename'] }} {{ sdvars.component }}" - file: /etc/apt/sources.list.d/securedrop_workstation.list - key_url: "salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}" - clean_file: True # squash file to ensure there are no duplicates diff --git a/dom0/sd-app-files.sls b/dom0/sd-app-files.sls index 408c07b7..e9bb8ea2 100644 --- a/dom0/sd-app-files.sls +++ b/dom0/sd-app-files.sls @@ -5,15 +5,15 @@ # sd-app-files # ======== # -# Moves files into place on sd-small-buster-template +# Moves files into place on sd-small-$sdvars.distribution-template # ## include: - fpf-apt-repo - sd-logging-setup -# FPF repo is setup in "securedrop-workstation-buster" template, -# and then cloned as "sd-small-buster-template" +# FPF repo is setup in "securedrop-workstation-$sdvars.distribution" template, +# and then cloned as "sd-small-$sdvars.distribution-template" install-securedrop-client-package: pkg.installed: - pkgs: diff --git a/dom0/sd-app.sls b/dom0/sd-app.sls index e40179d1..1a412604 100644 --- a/dom0/sd-app.sls +++ b/dom0/sd-app.sls @@ -5,6 +5,10 @@ # Installs 'sd-app' AppVM, to persistently store SD data # This VM has no network configured. ## + +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-workstation-template - sd-upgrade-templates @@ -15,7 +19,7 @@ sd-app: - present: - label: yellow - prefs: - - template: sd-small-buster-template + - template: sd-small-{{ sdvars.distribution }}-template - netvm: "" - tags: - add: 
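Review bot: The rebuilt `- name:` line of configure-fpf-apt-repo still carries no `signed-by=` option, so the key fetched through `key_url` from `salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}` is (presumably via apt-key) trusted for every apt source on the template, not only for `{{ sdvars.apt_repo_url }}`; the new `{{ sdvars.component }}` suffix changes which pool is pulled (`nightlies` in dev) without narrowing who may sign it. Whether pkgrepo.managed can write a per-repo keyring depends on the Salt version in use, so at minimum the new comment should record the trust scope, e.g. `# key_url installs the key into apt's global trust store; it is not scoped to this repo`. The comment could also note that the suite comes from `grains['oscodename']` of the target template while dom0 assumes `bullseye` in sdvars, so a template on another codename silently gets a repo line for an untested suite. The "Debian Buster was changed from 'stable' to 'oldstable'" remark at the end of the previous hunk reads as stale after this move and is worth a follow-up edit.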
@@ -25,7 +29,7 @@ sd-app: - enable: - service.paxctld - require: - - qvm: sd-small-buster-template + - qvm: sd-small-{{ sdvars.distribution }}-template {% import_json "sd/config.json" as d %} @@ -42,9 +46,9 @@ sd-app-private-volume-size: sd-app-template-sync-appmenus: cmd.run: - name: > - qvm-start --skip-if-running sd-small-buster-template && - qvm-sync-appmenus sd-small-buster-template + qvm-start --skip-if-running sd-small-{{ sdvars.distribution }}-template && + qvm-sync-appmenus sd-small-{{ sdvars.distribution }}-template - require: - - qvm: sd-small-buster-template + - qvm: sd-small-{{ sdvars.distribution }}-template - onchanges: - - qvm: sd-small-buster-template + - qvm: sd-small-{{ sdvars.distribution }}-template diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls index d2e7b169..9d98e019 100644 --- a/dom0/sd-clean-all.sls +++ b/dom0/sd-clean-all.sls @@ -9,7 +9,7 @@ set-fedora-as-default-dispvm: {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %} -{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:sys-usb:disposable', true) %} +{% if salt['pillar.get']('qvm:sys-usb:disposable', true) %} restore-sys-usb-dispvm-halt: qvm.kill: - name: sys-usb @@ -103,9 +103,6 @@ sd-cleanup-etc-changes: - DOTALL - repl: '' - backup: no -{% if grains['osrelease'] == '4.0' %} - - ignore_if_missing: True -{% endif %} {% if d.environment == "prod" or d.environment == "staging" %} apply-systemd-changes: @@ -129,9 +126,7 @@ sd-cleanup-rpc-mgmt-policy: - /etc/qubes-rpc/policy/qubes.VMShell - /etc/qubes-rpc/policy/qubes.VMRootShell - repl: '' -{% if grains['osrelease'] == '4.1' %} - ignore_if_missing: True -{% endif %} - pattern: '^disp-mgmt-sd-\w+\s+sd-\w+\s+allow,user=root' {% set sdw_customized_rpc_files = salt['cmd.shell']('grep -rIl "BEGIN securedrop-workstation" /etc/qubes-rpc/ | cat').splitlines() %} diff --git a/dom0/sd-default-config.sls b/dom0/sd-default-config.sls index 3af56ee3..7e8960f3 100644 --- a/dom0/sd-default-config.sls 
+++ b/dom0/sd-default-config.sls
@@ -14,8 +14,20 @@
 {% import_json "sd/config.json" as d %}
 
 # Respect "dev" env if provided, default to "prod"
-{% if d.environment == "dev" or d.environment == "staging" %}
- {% set sdvars = sdvars_defaults["dev"] %}
+{% if d.environment == "dev" %}
+ # use apt-test and nightlies
+ {% set sdvars = sdvars_defaults["test"] %}
+ {% set _ = sdvars.update({"component": "nightlies"}) %}
+{% elif d.environment == "staging" %}
+ # use apt-test and main (RC/test builds)
+ {% set sdvars = sdvars_defaults["test"] %}
+ {% set _ = sdvars.update({"component": "main"}) %}
 {% else %}
 {% set sdvars = sdvars_defaults["prod"] %}
+ {% set _ = sdvars.update({"component": "main"}) %}
 {% endif %}
+
+# Append repo URL with appropriate dom0 Fedora version
+{% set fedora_repo = "f32" %}
+{% set _ = sdvars.update({"distribution": "bullseye"}) %}
+{% set _ = sdvars.update({"dom0_yum_repo_url": sdvars["dom0_yum_repo_url"] + fedora_repo}) %}
diff --git a/dom0/sd-default-config.yml b/dom0/sd-default-config.yml
index 779fbb19..b294fca3 100644
--- a/dom0/sd-default-config.yml
+++ b/dom0/sd-default-config.yml
@@ -1,11 +1,14 @@
 ---
+# Both prod.dom0_yum_repo_url and test.dom0_yum_repo_url will be appended to with
+# the respective Fedora release depending on Qubes OS version
+#
 # Production variables, for use with real-world installs
 prod:
- dom0_yum_repo_url: "https://yum.securedrop.org/workstation/dom0/f25"
+ dom0_yum_repo_url: "https://yum.securedrop.org/workstation/dom0/"
 apt_repo_url: "https://apt.freedom.press"
 signing_key_filename: "securedrop-release-signing-pubkey-2021.asc"
 
-# Development variables, suited for use during local development
-dev:
- dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25"
+# Staging and Dev variables, for QAing and local development
+test:
+ dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/"
 apt_repo_url: "https://apt-test.freedom.press"
 signing_key_filename: "apt-test-pubkey.asc"
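Review bot: The comment `# Append repo URL with appropriate dom0 Fedora version` overstates what the code below it does: `{% set fedora_repo = "f32" %}` is a fixed literal, nothing reads the Qubes release (this commit removes the `grains['osrelease']` checks elsewhere), and the header added to sd-default-config.yml in the next hunk ("depending on Qubes OS version") makes the same claim. Say what is actually true, e.g. `# Fedora release used for the dom0 yum repo of the supported Qubes version; bump by hand`, or derive it from a grain if one is available. The earlier comment `# Respect "dev" env if provided, default to "prod"` is also stale now that staging is a separate branch selecting `sdvars_defaults["test"]` with `component: main`. The string concatenation relies on the yml values ending in `/`; a comment on the yml keys would keep that from being dropped by a later edit.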
diff --git a/dom0/sd-devices.sls b/dom0/sd-devices.sls index 24183252..945b21c0 100644 --- a/dom0/sd-devices.sls +++ b/dom0/sd-devices.sls @@ -5,6 +5,10 @@ # Installs 'sd-devices' AppVM, to persistently store SD data # This VM has no network configured. ## + +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-workstation-template - sd-upgrade-templates @@ -13,33 +17,33 @@ sd-devices-dvm: qvm.vm: - name: sd-devices-dvm - present: - - template: sd-large-buster-template + - template: sd-large-{{ sdvars.distribution }}-template - label: red - prefs: - - template: sd-large-buster-template + - template: sd-large-{{ sdvars.distribution }}-template - netvm: "" - template_for_dispvms: True - tags: - add: - sd-workstation - - sd-buster + - sd-{{ sdvars.distribution }} - features: - enable: - service.paxctld - require: - - qvm: sd-large-buster-template + - qvm: sd-large-{{ sdvars.distribution }}-template # Ensure the Qubes menu is populated with relevant app entries, # so that Nautilus/Files can be started via GUI interactions. sd-devices-template-sync-appmenus: cmd.run: - name: > - qvm-start --skip-if-running sd-large-buster-template && - qvm-sync-appmenus sd-large-buster-template + qvm-start --skip-if-running sd-large-{{ sdvars.distribution }}-template && + qvm-sync-appmenus sd-large-{{ sdvars.distribution }}-template - require: - - qvm: sd-large-buster-template + - qvm: sd-large-{{ sdvars.distribution }}-template - onchanges: - - qvm: sd-large-buster-template + - qvm: sd-large-{{ sdvars.distribution }}-template sd-devices-create-named-dispvm: qvm.vm: diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls index 9031e424..564b6022 100644 --- a/dom0/sd-dom0-files.sls +++ b/dom0/sd-dom0-files.sls 
@@ -46,7 +46,6 @@ dom0-workstation-rpm-repo: - require: - file: dom0-rpm-test-key -{% if grains['osrelease'] == '4.1' %} dom0-workstation-templates-repo: # Using file.blockreplace because /etc/qubes/repo-templates/ is not a .d # style directory, and qvm.template_installed:fromrepo seems to only support @@ -65,7 +64,6 @@ dom0-workstation-templates-repo: name=SecureDrop Workstation Templates repository - require: - file: dom0-rpm-test-key -{% endif %} dom0-remove-securedrop-workstation-stretch-template: pkg.removed: @@ -75,20 +73,11 @@ dom0-remove-securedrop-workstation-stretch-template: - file: dom0-workstation-rpm-repo dom0-install-securedrop-workstation-template: -{% if grains['osrelease'] == '4.1' %} cmd.run: - name: > - qvm-template install securedrop-workstation-buster -{% else %} - pkg.installed: - - pkgs: - - qubes-template-securedrop-workstation-buster -{% endif %} + qvm-template install securedrop-workstation-{{ sdvars.distribution }} - require: - file: dom0-workstation-rpm-repo -{% if grains['osrelease'] != '4.1' %} - - pkg: dom0-remove-securedrop-workstation-stretch-template -{% endif %} # Remove the legacy auto updater script dom0-remove-legacy-updater: diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls index e3bea37f..c434f3c1 100644 --- a/dom0/sd-dom0-qvm-rpc.sls +++ b/dom0/sd-dom0-qvm-rpc.sls 
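Review bot: dom0-install-securedrop-workstation-template now renders `{{ sdvars.distribution }}`, but no hunk in sd-dom0-files.sls adds the `{% from 'sd-default-config.sls' import sdvars with context %}` line that the other state files gain in this commit; if sdvars is not already imported above line 46 (it may well be, since this file also manages the yum repo), the state fails to render with an undefined variable, so please confirm. With the `{% if %}` removed, `cmd.run` with `qvm-template install ...` is unconditional and has no `unless`/`creates` guard; if re-running it on an already installed template is harmless that is worth a comment such as `# qvm-template install is re-run on every apply; a no-op once the template is present`, otherwise add a guard. Dropping the `pkg: dom0-remove-securedrop-workstation-stretch-template` require also removes the ordering between the stretch removal and this install, which may be intended but is not mentioned.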
@@ -96,96 +96,6 @@ dom0-rpc-qubes.GpgImportKey: @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny -# Some legacy RPC files were moved under Qubes 4.1, to /etc/qubes/policy.d/. -# We'll continue to configure them under the legacy path for 4.0 hosts. -{% if grains['osrelease'] == '4.0' %} -dom0-rpc-qubes.FeaturesRequest: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.FeaturesRequest - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.Filecopy: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.Filecopy - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - sd-log @default ask - sd-log @tag:sd-receive-logs ask - sd-proxy @tag:sd-client allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.GetImageRGBA: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.GetImageRGBA - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.OpenInVM: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.OpenInVM - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - @tag:sd-client @dispvm:sd-viewer allow - @tag:sd-client sd-devices allow - sd-devices @dispvm:sd-viewer allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.OpenURL: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.OpenURL - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: 
"### END securedrop-workstation ###" - - content: | - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.StartApp: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.StartApp - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.VMRootShell: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.VMRootShell - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.VMshell: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.VMShell - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -{% elif grains['osrelease'] == '4.1' %} # Qubes suggests using files starting with 70- to be the allow policies # and 60- deny policies, but due to the way SDW policies are stacked at the # moment, we reverse this suggested order @@ -234,5 +144,3 @@ dom0-rpc-qubes.r5-format-ask-allow: qubes.OpenInVM * @tag:sd-client @dispvm:sd-viewer allow qubes.OpenInVM * @tag:sd-client sd-devices allow qubes.OpenInVM * sd-devices @dispvm:sd-viewer allow - -{% endif %} diff --git a/dom0/sd-gpg.sls b/dom0/sd-gpg.sls index 41706c65..9ef086c3 100644 --- a/dom0/sd-gpg.sls +++ b/dom0/sd-gpg.sls @@ -9,6 +9,9 @@ # This VM has no network configured. ## +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-workstation-template - sd-upgrade-templates 
@@ -17,10 +20,10 @@ sd-gpg: qvm.vm: - name: sd-gpg - present: - - template: sd-small-buster-template + - template: sd-small-{{ sdvars.distribution }}-template - label: purple - prefs: - - template: sd-small-buster-template + - template: sd-small-{{ sdvars.distribution }}-template - netvm: "" - autostart: true - tags: diff --git a/dom0/sd-log.sls b/dom0/sd-log.sls index cc0bf664..c6200eb2 100644 --- a/dom0/sd-log.sls +++ b/dom0/sd-log.sls @@ -6,6 +6,10 @@ # from all SecureDrop related VMs. # This VM has no network configured. ## + +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-workstation-template - sd-upgrade-templates @@ -14,10 +18,10 @@ sd-log: qvm.vm: - name: sd-log - present: - - template: sd-small-buster-template + - template: sd-small-{{ sdvars.distribution }}-template - label: red - prefs: - - template: sd-small-buster-template + - template: sd-small-{{ sdvars.distribution }}-template - netvm: "" - autostart: true - tags: @@ -29,25 +33,7 @@ sd-log: - service.redis - service.securedrop-log - require: - - qvm: sd-small-buster-template - -{% if grains['osrelease'] == '4.0' %} -# Allow any SecureDrop VM to log to the centralized log VM -sd-log-dom0-securedrop.Log: - file.prepend: - - name: /etc/qubes-rpc/policy/securedrop.Log - - text: | - @tag:sd-workstation sd-log allow - @anyvm @anyvm deny -{% elif grains['osrelease'] == '4.1' %} -# In 4.1 this policy is handled in the more central app policy -# files added by sd-dom0-qvm-rpc.sls, no need to keep this -# around in 4.0 if we migrated -sd-log-dom0-remove-old-securedrop.Log-policy: - file.absent: - - names: - - /etc/qubes-rpc/policy/securedrop.Log -{% endif %} + - qvm: sd-small-{{ sdvars.distribution }}-template {% import_json "sd/config.json" as d %} diff --git a/dom0/sd-logging-setup.sls b/dom0/sd-logging-setup.sls index 274b3f24..e5e1d80d 100644 --- a/dom0/sd-logging-setup.sls +++ b/dom0/sd-logging-setup.sls 
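Review bot: Removing the `sd-log-dom0-remove-old-securedrop.Log-policy` state in the `@@ -29,25` hunk means a legacy `/etc/qubes-rpc/policy/securedrop.Log`, left over from a dom0 provisioned under 4.0, is no longer cleaned up; if 4.1 still honours that directory through its compat include, its `@tag:sd-workstation sd-log allow` line then lives outside the policy.d files managed by sd-dom0-qvm-rpc.sls and survives `make clean`. If in-place upgrades from 4.0 are out of scope now, a comment at the removal site should say so; otherwise keep the removed `file.absent` state (with its `- names:` entry `/etc/qubes-rpc/policy/securedrop.Log`) without the osrelease guard. The sd-log state's `- require:` list is the last thing in the hunk, so I cannot see whether anything else in this file references the dropped state id.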
@@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : -{% if grains['id'] in ["securedrop-workstation-buster", "sd-small-buster-template", "sd-large-buster-template"] %} +{% if grains['id'] in ["securedrop-workstation-bullseye", "sd-small-bullseye-template", "sd-large-bullseye-template"] %} include: - fpf-apt-repo @@ -21,7 +21,7 @@ configure-rsyslog-for-sd: {% endif %} -{% if grains['id'] == "sd-small-buster-template" %} +{% if grains['id'] == "sd-small-{}-template".format(grains['oscodename']) %} install-redis-for-sd-log-template: pkg.installed: - pkgs: diff --git a/dom0/sd-proxy.sls b/dom0/sd-proxy.sls index 9e50c4d7..7636f4d4 100644 --- a/dom0/sd-proxy.sls +++ b/dom0/sd-proxy.sls @@ -6,6 +6,9 @@ # and the SecureDrop servers. ## +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-whonix - sd-upgrade-templates @@ -16,16 +19,16 @@ sd-proxy: - present: - label: blue - prefs: - - template: sd-small-buster-template + - template: sd-small-{{ sdvars.distribution }}-template - netvm: sd-whonix - autostart: true - tags: - add: - sd-workstation - - sd-buster + - sd-{{ sdvars.distribution }} - require: - qvm: sd-whonix - - qvm: sd-small-buster-template + - qvm: sd-small-{{ sdvars.distribution }}-template # Permit the SecureDrop Proxy to manage Client connections sd-proxy-dom0-securedrop.Proxy: diff --git a/dom0/sd-sys-vms.sls b/dom0/sd-sys-vms.sls index f4886feb..49d3639f 100644 --- a/dom0/sd-sys-vms.sls +++ b/dom0/sd-sys-vms.sls 
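Review bot: The two guards in sd-logging-setup.sls now disagree on where the distribution comes from: the first hunk hard-codes `"securedrop-workstation-bullseye"`, `"sd-small-bullseye-template"` and `"sd-large-bullseye-template"`, while the second derives the id with `"sd-small-{}-template".format(grains['oscodename'])`. Pick one form for both, e.g. `{% set codename = grains['oscodename'] %}` followed by `{% if grains['id'] in ["securedrop-workstation-" ~ codename, "sd-small-" ~ codename ~ "-template", "sd-large-" ~ codename ~ "-template"] %}`, so the next Debian bump touches one place. fpf-apt-repo.sls, which is applied to the same templates, imports sdvars, so `sdvars.distribution` is the other consistent option; either way the comment in fpf-apt-repo.sls about not reusing it should then agree with this file.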
@@ -14,15 +14,9 @@ include: # Install latest templates required for SDW VMs. dom0-install-fedora-template: -{% if grains['osrelease'] == '4.1' %} cmd.run: - name: > - qvm-template install fedora-35 -{% else %} - pkg.installed: - - pkgs: - - qubes-template-{{ sd_supported_fedora_version }} -{% endif %} + qvm-template install {{ sd_supported_fedora_version }} # Update the mgmt VM before updating the new Fedora VM. The order is required # and listed in the release notes for F32 & F33. @@ -32,30 +26,18 @@ set-fedora-template-as-default-mgmt-dvm: qvm-shutdown --wait default-mgmt-dvm && qvm-prefs default-mgmt-dvm template {{ sd_supported_fedora_version }} - require: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-fedora-template -{% else %} - - pkg: dom0-install-fedora-template -{% endif %} # If the VM has just been installed via package manager, update it immediately update-fedora-template-if-new: cmd.wait: - name: sudo qubesctl --skip-dom0 --targets {{ sd_supported_fedora_version }} state.sls update.qubes-vm - require: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-fedora-template -{% else %} - - pkg: dom0-install-fedora-template -{% endif %} # Update the mgmt-dvm setting first, to avoid problems during first update - cmd: set-fedora-template-as-default-mgmt-dvm - watch: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-fedora-template -{% else %} - - pkg: dom0-install-fedora-template -{% endif %} # qvm.default-dispvm is not strictly required here, but we want it to be # updated as soon as possible to ensure make clean completes successfully, as 
@@ -64,61 +46,66 @@ set-fedora-default-template-version: cmd.run: - name: qubes-prefs default_template {{ sd_supported_fedora_version }} - require: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-fedora-template -{% else %} - - pkg: dom0-install-fedora-template -{% endif %} - sls: qvm.default-dispvm -# sys-usb qubes are disposable in the default configuration - instead of forcing -# users to turn sys-usb into an AppVM, we're just cloning the DispVM template to -# make our changes to allow auto-attaching USB drives. -{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:sys-usb:disposable', true) %} -clone-dispvm-for-sys-usb-customization: - cmd.run: - - name: > - qvm-check sd-fedora-dvm || qvm-clone {{ sd_supported_fedora_version }}-dvm sd-fedora-dvm +# On 4.1, several sys qubes are disposable by default - since we also want to +# upgrade the templates for those, we need to ensure that the respective dvms +# exist, as just installing a new template won't create a DispVM template +# automatically. +# sys-usb is also disposable by default but a special case as we want to +# customize the underlying DispVM template for usability purposes: we want to +# consistently auto-attach USB devices to our sd-devices qube +{% set required_dispvms = [ sd_supported_fedora_version + '-dvm' ] %} +{% if salt['pillar.get']('qvm:sys-usb:disposable', true) %} + {% set _ = required_dispvms.append("sd-fedora-dvm") %} +{% endif %} + +{% for required_dispvm in required_dispvms %} +create-{{ required_dispvm }}: + qvm.vm: + - name: {{ required_dispvm }} + - present: + - template: {{ sd_supported_fedora_version }} + - label: red + - prefs: + - template: {{ sd_supported_fedora_version }} + - template_for_dispvms: True +{% if required_dispvm == 'sd-fedora-dvm' %} + - netvm: "" +{% endif %} - require: - cmd: dom0-install-fedora-template -{% endif %} +{% endfor %} # Now proceed with rebooting all the sys-* VMs, since the new template is up to date. 
{% for sys_vm in ['sys-usb', 'sys-net', 'sys-firewall'] %} -{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:'+sys_vm+':disposable', false) %} +{% if salt['pillar.get']('qvm:' + sys_vm + ':disposable', false) %} # As of Qubes 4.1, certain sys-* VMs will be DispVMs by default. -{% if sys_vm == 'sys-usb' %} -# If sys-usb is disposable, we want it to use the template we just cloned so we -# can customize it -{% set sd_supported_fedora_template = 'sd-fedora-dvm' %} + {% if sys_vm == 'sys-usb' %} + # If sys-usb is disposable, we want it to use the template we just created so we + # can customize it later in the process + {% set sd_supported_fedora_template = 'sd-fedora-dvm' %} + {% else %} + {% set sd_supported_fedora_template = sd_supported_fedora_version + '-dvm' %} + {% endif %} {% else %} -{% set sd_supported_fedora_template = sd_supported_fedora_version+'-dvm' %} + {% set sd_supported_fedora_template = sd_supported_fedora_version %} {% endif %} -{% else %} -{% set sd_supported_fedora_template = sd_supported_fedora_version %} -{% endif %} -{% if salt['cmd.shell']('qvm-prefs '+sys_vm+' template') != sd_supported_fedora_template %} +{% if salt['cmd.shell']('qvm-prefs ' + sys_vm + ' template') != sd_supported_fedora_template %} sd-{{ sys_vm }}-fedora-version-halt: qvm.kill: - name: {{ sys_vm }} - require: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-fedora-template -{% else %} - - pkg: dom0-install-fedora-template -{% endif %} sd-{{ sys_vm }}-fedora-version-halt-wait: cmd.run: - name: sleep 5 - require: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-fedora-template -{% else %} - - pkg: dom0-install-fedora-template -{% endif %} sd-{{ sys_vm }}-fedora-version-update: qvm.vm: 
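Review bot: The disposable check inside the loop, `salt['pillar.get']('qvm:' + sys_vm + ':disposable', false)`, defaults the pillar key to `false`, while the `required_dispvms` block a few lines up and sd-usb-autoattach-add.sls default the same `qvm:sys-usb:disposable` key to `true`. If the key is absent from the pillar, sd-fedora-dvm is created but sys-usb is pointed at `{{ sd_supported_fedora_version }}` instead, and the autoattach state skips sys-usb as well, so the udev rules end up applied to a DispVM template nothing uses. Whether the key can be absent on a 4.1 install depends on the installer's pillar, which is not visible here; making the default explicit per VM removes the question, e.g. `{% set disposable_default = (sys_vm == 'sys-usb') %}` and `{% if salt['pillar.get']('qvm:' + sys_vm + ':disposable', disposable_default) %}`. The for-loop body continues into the next hunk.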
@@ -127,6 +114,9 @@ sd-{{ sys_vm }}-fedora-version-update: - template: {{ sd_supported_fedora_template }} - require: - cmd: sd-{{ sys_vm }}-fedora-version-halt-wait +{% if sd_supported_fedora_template.endswith("-dvm") %} + - qvm: create-{{ sd_supported_fedora_template }} +{% endif %} sd-{{ sys_vm }}-fedora-version-start: qvm.start: diff --git a/dom0/sd-usb-autoattach-add.sls b/dom0/sd-usb-autoattach-add.sls index 86e4a861..4c4632b4 100644 --- a/dom0/sd-usb-autoattach-add.sls +++ b/dom0/sd-usb-autoattach-add.sls @@ -6,6 +6,15 @@ # USB devices to sd-devices. ## +# If sys-usb is disposable, we have already set up sd-fedora-dvm to make our +# modifications in, so we only want to modify sys-usb if it is a regular AppVM + +{% set apply = True %} +{% if grains['id'] == 'sys-usb' and salt['pillar.get']('qvm:sys-usb:disposable', true) %} + {% set apply = False %} +{% endif %} + +{% if apply %} sd-udev-rules: file.managed: - name: /rw/config/sd/etc/udev/rules.d/99-sd-devices.rules @@ -39,3 +48,4 @@ sd-attach-export-device: - user: root - group: root - mode: 0555 +{% endif %} diff --git a/dom0/sd-viewer.sls b/dom0/sd-viewer.sls index 414422c9..d28e157d 100644 --- a/dom0/sd-viewer.sls +++ b/dom0/sd-viewer.sls @@ -11,6 +11,9 @@ # This VM has no network configured. ## +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-workstation-template - sd-upgrade-templates @@ -19,10 +22,10 @@ sd-viewer: qvm.vm: - name: sd-viewer - present: - - template: sd-large-buster-template + - template: sd-large-{{ sdvars.distribution }}-template - label: green - prefs: - - template: sd-large-buster-template + - template: sd-large-{{ sdvars.distribution }}-template - netvm: "" - template_for_dispvms: True - default_dispvm: "" 
@@ -30,12 +33,12 @@ sd-viewer: - add: - sd-workstation - sd-viewer-vm - - sd-buster + - sd-{{ sdvars.distribution }} - features: - enable: - service.paxctld - require: - - qvm: sd-large-buster-template + - qvm: sd-large-{{ sdvars.distribution }}-template sd-viewer-default-dispvm: cmd.run: diff --git a/dom0/sd-whonix.sls b/dom0/sd-whonix.sls index 8c788ff2..9f9c09aa 100644 --- a/dom0/sd-whonix.sls +++ b/dom0/sd-whonix.sls @@ -11,6 +11,9 @@ # ## +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-upgrade-templates @@ -29,6 +32,6 @@ sd-whonix: - tags: - add: - sd-workstation - - sd-buster + - sd-{{ sdvars.distribution }} - require: - sls: sd-upgrade-templates diff --git a/dom0/sd-workstation-template.sls b/dom0/sd-workstation-template.sls index 9cb3e25b..8e35eaa5 100644 --- a/dom0/sd-workstation-template.sls +++ b/dom0/sd-workstation-template.sls 
@@ -1,60 +1,59 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-dom0-files # Sets virt_mode and kernel to use custom hardened kernel. sd-workstation-template: qvm.vm: - - name: securedrop-workstation-buster + - name: securedrop-workstation-{{ sdvars.distribution }} - prefs: - virt-mode: hvm - kernel: '' - tags: - add: - sd-workstation - - sd-buster + - sd-{{ sdvars.distribution }} - sd-workstation-updates - features: - enable: - service.paxctld - require: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-securedrop-workstation-template -{% else %} - - pkg: dom0-install-securedrop-workstation-template -{% endif %} # Installs consolidated templateVMs: -# - sd-small-buster-template, to be used for +# - sd-small-{{ sdvars.distribution }}-template, to be used for # sd-app, sd-gpg, sd-log, and sd-proxy -# - sd-large-buster-template, to be used for +# - sd-large-{{ sdvars.distribution }}-template, to be used for # sd-export and sd-viewer -sd-small-buster-template: +sd-small-{{ sdvars.distribution }}-template: qvm.vm: - - name: sd-small-buster-template + - name: sd-small-{{ sdvars.distribution }}-template - clone: - - source: securedrop-workstation-buster + - source: securedrop-workstation-{{ sdvars.distribution }} - label: red - tags: - add: - sd-workstation - - sd-buster + - sd-{{ sdvars.distribution }} - sd-workstation-updates - require: - qvm: sd-workstation-template -sd-large-buster-template: +sd-large-{{ sdvars.distribution }}-template: qvm.vm: - - name: sd-large-buster-template + - name: sd-large-{{ sdvars.distribution }}-template - clone: - - source: securedrop-workstation-buster + - source: securedrop-workstation-{{ sdvars.distribution }} - label: red - tags: - add: - sd-workstation - - sd-buster + - sd-{{ sdvars.distribution }} - sd-workstation-updates - require: - qvm: sd-workstation-template 
diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top index b933ace3..d60f2f2b 100644 --- a/dom0/sd-workstation.top +++ b/dom0/sd-workstation.top @@ -20,12 +20,14 @@ base: - sd-whonix - sd-remove-unused-templates - sd-small-buster-template: + sd-small-bullseye-template: + - match: pcre - sd-logging-setup - sd-workstation-template-files - sd-app-files - sd-proxy-template-files - sd-large-buster-template: + sd-large-bullseye-template: + - match: pcre - sd-logging-setup - sd-workstation-template-files - sd-devices-files @@ -38,24 +40,17 @@ base: - sd-mime-handling sd-whonix: - sd-whonix-hidserv-key - securedrop-workstation-buster: + securedrop-workstation-bullseye: + - match: pcre - sd-workstation-template-files - sd-logging-setup -# Depending on whether sys-usb is disposable or not, we want to -# modify different qubes. If sd-fedora-dvm will only be -# created by sd-sys-vms.sls if sys-usb is disposable. -{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:sys-usb:disposable', true) %} - sd-fedora-dvm: -{% else %} - sys-usb: -{% endif %} + 'sd-fedora-dvm,sys-usb': + - match: list - sd-usb-autoattach-add sd-log: - sd-logging-setup sd-viewer: - sd-mime-handling - sd-devices: - - sd-mime-handling sd-devices-dvm: - sd-mime-handling sd-proxy: diff --git a/dom0/securedrop-handle-upgrade b/dom0/securedrop-handle-upgrade index 41706019..0026a347 100755 --- a/dom0/securedrop-handle-upgrade +++ b/dom0/securedrop-handle-upgrade @@ -15,7 +15,7 @@ if [[ $TASK == "prepare" ]]; then # sd-app, we simply shutdown the machine as we want to preserve the data if qvm-check sd-app --quiet; then BASE_TEMPLATE=$(qvm-prefs sd-app template) - if [[ ! $BASE_TEMPLATE =~ "small-buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "small-bullseye" ]]; then if qvm-check --running sd-app; then qvm-shutdown --wait sd-app fi 
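Review bot: `- match: pcre` is added under three literal target ids (`sd-small-bullseye-template`, `sd-large-bullseye-template`, `securedrop-workstation-bullseye`) in both sd-workstation.top hunks, but the default glob matcher already matches a literal id exactly, and as I read Salt's pcre matcher it anchors only at the start, so `securedrop-workstation-bullseye` would also select a qube named `securedrop-workstation-bullseye-test` should one exist. If pcre was chosen so these keys can later be templated (the .sls files now use `{{ sdvars.distribution }}` while this top file still hard-codes bullseye), a comment saying so would help; otherwise drop the three `- match: pcre` lines. The `'sd-fedora-dvm,sys-usb':` entry with `- match: list` is the one that genuinely needs an explicit matcher, and a short comment there (sd-fedora-dvm only exists when sys-usb is disposable, so targeting a missing qube is harmless) would replace the removed explanation.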
@@ -30,7 +30,7 @@ if [[ $TASK == "prepare" ]]; then # provisioning process runs again and sets that value to sd-viewer if qvm-check --quiet sd-viewer; then BASE_TEMPLATE=$(qvm-prefs sd-viewer template) - if [[ ! $BASE_TEMPLATE =~ "large-buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "large-bullseye" ]]; then qubes-prefs default_dispvm '' qvm-shutdown --wait sd-viewer qvm-remove -f sd-viewer @@ -39,7 +39,7 @@ if [[ $TASK == "prepare" ]]; then if qvm-check --quiet sd-devices; then BASE_TEMPLATE=$(qvm-prefs sd-devices-dvm template) - if [[ ! $BASE_TEMPLATE =~ "large-buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "large-bullseye" ]]; then qvm-shutdown --wait sd-devices qvm-shutdown --wait sd-devices-dvm qvm-remove -f sd-devices @@ -52,7 +52,7 @@ if [[ $TASK == "prepare" ]]; then # shutdown if a client is connected. if qvm-check --quiet sd-proxy; then BASE_TEMPLATE=$(qvm-prefs sd-proxy template) - if [[ ! $BASE_TEMPLATE =~ "large-buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "large-bullseye" ]]; then qvm-shutdown --wait sd-proxy fi fi @@ -83,7 +83,7 @@ if [[ $TASK == "prepare" ]]; then # For sd-gpg, we simply shutdown the machine if qvm-check --quiet sd-gpg; then BASE_TEMPLATE=$(qvm-prefs sd-gpg template) - if [[ ! $BASE_TEMPLATE =~ "small-buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "small-bullseye" ]]; then qvm-shutdown --wait sd-gpg fi fi @@ -91,7 +91,7 @@ if [[ $TASK == "prepare" ]]; then # Shut down sd-log last, since other VMs will autostart it by sending logs if qvm-check --quiet sd-log; then BASE_TEMPLATE=$(qvm-prefs sd-log template) - if [[ ! $BASE_TEMPLATE =~ "small-buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "small-bullseye" ]]; then qvm-shutdown --wait sd-log fi fi 
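Review bot: In the `@@ -52` hunk the sd-proxy check still tests for `"large-bullseye"`, but sd-proxy is provisioned from the small template (sd-proxy.sls sets `- template: sd-small-{{ sdvars.distribution }}-template`, and Updater.py maps `"sd-proxy"` to `sd-small-{}-template`), so `[[ ! $BASE_TEMPLATE =~ "large-bullseye" ]]` is always true and sd-proxy is shut down on every prepare run even when it is already on the current template. The rename carried the pre-existing mismatch forward; the line should read `if [[ ! $BASE_TEMPLATE =~ "small-bullseye" ]]; then`. The enclosing `if [[ $TASK == "prepare" ]]` block starts and ends outside these hunks.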
@@ -100,8 +100,8 @@ elif [[ $TASK == "remove" ]]; then
 # before deleting it.
 for template in sd-app-template sd-viewer-template sd-devices-template sd-proxy-template \
 sd-svs-template sd-svs-disp-template sd-export-template sd-proxy-template \
- sd-svs-buster-template sd-export-buster-template sd-svs-disp-buster-template sd-app-buster-template \
- sd-viewer-buster-template sd-proxy-buster-template sd-devices-buster-template sd-log-buster-template
+ sd-svs-bullseye-template sd-export-bullseye-template sd-svs-disp-bullseye-template sd-app-bullseye-template \
+ sd-viewer-bullseye-template sd-proxy-bullseye-template sd-devices-bullseye-template sd-log-bullseye-template
 do
 if qvm-check "${template}" --quiet; then
 if qvm-check --running "${template}"; then
diff --git a/launcher/sdw-launcher.py b/launcher/sdw-launcher.py
index a8fbf6be..e225b53b 100755
--- a/launcher/sdw-launcher.py
+++ b/launcher/sdw-launcher.py
@@ -8,7 +8,6 @@
 import argparse
 if Util.get_qt_version() == 5:
- print("Using Qt5 (experimental)")
 from PyQt5.QtWidgets import QApplication
 else:
 from PyQt4.QtGui import QApplication
diff --git a/launcher/sdw_updater_gui/Updater.py b/launcher/sdw_updater_gui/Updater.py
index 34cd05fc..5f8cca5e 100644
--- a/launcher/sdw_updater_gui/Updater.py
+++ b/launcher/sdw_updater_gui/Updater.py
@@ -31,6 +31,8 @@
 # logic to leverage the Qubes Python API.
 MIGRATION_DIR = "/tmp/sdw-migrations" # nosec
+DEBIAN_VERSION = "bullseye"
+
 sdlog = Util.get_logger(module=__name__)
 detail_log = Util.get_logger(prefix=DETAIL_LOGGER_PREFIX, module=__name__)
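Review bot: The rewritten removal list in the `remove` task now names `sd-svs-bullseye-template`, `sd-export-bullseye-template`, `sd-svs-disp-bullseye-template` and the other `*-bullseye-template` variants, which as far as the naming in this repo suggests never existed (the sd-svs/sd-export generation predates the buster templates), while the buster-suffixed templates the old list removed can still be present on a machine being upgraded and are no longer cleaned up. Unless those buster templates are now removed elsewhere, the old names should stay in the list, or both generations be listed with a comment such as `# buster-era and bullseye-era names, so an upgraded install is cleaned either way`. The for loop body continues past the end of the hunk.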
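Review bot: `DEBIAN_VERSION = "bullseye"` is introduced here and then declared again, independently, in test_updater.py, test_util.py, sdw-admin.py, test_dom0_config.py, test_dom0_rpm_repo.py and test_vms_exist.py, so the next Debian migration has seven copies to keep in sync and a test can keep passing against a value that no longer matches the one the updater uses. The launcher tests already load Util and the dom0 tests already import from base, so exporting the constant once per suite (in Util for the launcher, in base for tests/) and importing it would give each a single source of truth. A short comment on the constant, e.g. `# Debian codename embedded in the sd-*-template names below`, would also say what it is for.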
@@ -39,13 +41,13 @@
 # In the future, we could use qvm-prefs to extract this information.
 current_vms = {
 "fedora": "fedora-35",
- "sd-viewer": "sd-large-buster-template",
- "sd-app": "sd-small-buster-template",
- "sd-log": "sd-small-buster-template",
- "sd-devices": "sd-large-buster-template",
- "sd-proxy": "sd-small-buster-template",
+ "sd-viewer": "sd-large-{}-template".format(DEBIAN_VERSION),
+ "sd-app": "sd-small-{}-template".format(DEBIAN_VERSION),
+ "sd-log": "sd-small-{}-template".format(DEBIAN_VERSION),
+ "sd-devices": "sd-large-{}-template".format(DEBIAN_VERSION),
+ "sd-proxy": "sd-small-{}-template".format(DEBIAN_VERSION),
 "sd-whonix": "whonix-gw-16",
- "sd-gpg": "sd-small-buster-template",
+ "sd-gpg": "sd-small-{}-template".format(DEBIAN_VERSION),
 }
 current_templates = set([val for key, val in current_vms.items() if key != "dom0"])
diff --git a/launcher/tests/fixtures/os-release-qubes-4.0 b/launcher/tests/fixtures/os-release-qubes-4.0
deleted file mode 100644
index 567f3464..00000000
--- a/launcher/tests/fixtures/os-release-qubes-4.0
+++ /dev/null
@@ -1,7 +0,0 @@
-NAME=Qubes
-VERSION="4.0 (R4.0)"
-ID=qubes
-VERSION_ID=4.0
-PRETTY_NAME="Qubes 4.0 (R4.0)"
-ANSI_COLOR="0;31"
-CPE_NAME="cpe:/o:ITL:qubes:4.0"
diff --git a/launcher/tests/test_updater.py b/launcher/tests/test_updater.py
index a672c9b0..7d5c5a9d 100644
--- a/launcher/tests/test_updater.py
+++ b/launcher/tests/test_updater.py
@@ -27,6 +27,8 @@
 "sd-devices",
 ]
+DEBIAN_VERSION = "bullseye"
+
 TEST_RESULTS_OK = {
 "dom0": UpdateStatus.UPDATES_OK,
 "fedora": UpdateStatus.UPDATES_OK,
@@ -491,8 +493,8 @@ def test_shutdown_and_start_vms(
 ]
 template_vm_calls = [
 call("fedora-35"),
- call("sd-large-buster-template"),
- call("sd-small-buster-template"),
+ call("sd-large-{}-template".format(DEBIAN_VERSION)),
+ call("sd-small-{}-template".format(DEBIAN_VERSION)),
 call("whonix-gw-16"),
 ]
 app_vm_calls = [
@@ -537,8 +539,8 @@ def test_shutdown_and_start_vms_sysvm_fail(
 ]
 template_vm_calls = [
 call("fedora-35"),
- call("sd-large-buster-template"),
- call("sd-small-buster-template"),
+ call("sd-large-{}-template".format(DEBIAN_VERSION)),
+ call("sd-small-{}-template".format(DEBIAN_VERSION)),
 call("whonix-gw-16"),
 ]
 error_calls = [
diff --git a/launcher/tests/test_updaterapp.py b/launcher/tests/test_updaterapp.py
index 930675cf..5bb5a29a 100644
--- a/launcher/tests/test_updaterapp.py
+++ b/launcher/tests/test_updaterapp.py
@@ -39,7 +39,7 @@ def setUpClass(cls):
 def tearDownClass(cls):
 cls._app.quit()
- @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.0")
+ @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.1")
 @mock.patch("UpdaterApp.subprocess.check_output", return_value=b"none")
 def test_netcheck_no_network_should_fail(self, mocked_output, mocked_qubes_version):
 """
@@ -61,7 +61,7 @@ def test_netcheck_no_qubes_should_fail_with_error(self, mocked_error, mocked_qub
 assert mocked_error.called
 @mock.patch("subprocess.check_output", return_value=b"full")
- @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.0")
+ @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.1")
 def test_netcheck_should_succeed(self, mocked_qubes_version, mocked_output):
 """
 When the network connectivity check is run in Qubes
@@ -70,7 +70,7 @@ def test_netcheck_should_succeed(self, mocked_qubes_version, mocked_output):
 """
 assert updater_app._is_netcheck_successful()
- @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.0")
+ @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.1")
 @mock.patch("UpdaterApp.logger.error")
 @mock.patch("subprocess.check_output", return_value=b"none")
 def test_updater_app_with_no_connectivity_should_error(
@@ -85,7 +85,7 @@ def test_updater_app_with_no_connectivity_should_error(
 updater_app_dialog._check_network_and_update()
 assert self._is_network_fail_view(updater_app_dialog)
- @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.0")
+ @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.1")
 @mock.patch("subprocess.check_output", return_value=b"full")
 @mock.patch("UpdaterApp.logger.info")
 @mock.patch("UpdaterApp.UpgradeThread")
diff --git a/launcher/tests/test_util.py b/launcher/tests/test_util.py
index 1d7d367d..c91f789f 100644
--- a/launcher/tests/test_util.py
+++ b/launcher/tests/test_util.py
@@ -22,6 +22,8 @@
 path_to_util = os.path.join(os.path.dirname(os.path.abspath(__file__)), relpath_util)
 util = SourceFileLoader("Util", path_to_util).load_module()
+DEBIAN_VERSION = "bullseye"
+
 @mock.patch("Util.sdlog.error")
 @mock.patch("Util.sdlog.warning")
@@ -200,7 +202,6 @@ def test_for_conflicting_process(
 @pytest.mark.parametrize(
 "os_release_fixture,version_contains",
 [
- ("os-release-qubes-4.0", "4.0"),
 ("os-release-qubes-4.1", "4.1"),
 ("os-release-ubuntu", None),
 ("no-such-file", None),
@@ -209,7 +210,7 @@ def test_for_conflicting_process(
 @mock.patch("Util.sdlog.error")
 @mock.patch("Util.sdlog.warning")
 @mock.patch("Util.sdlog.info")
-@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.0"))
+@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.1"))
 def test_detect_qubes(
 mocked_info, mocked_warning, mocked_error, os_release_fixture, version_contains
 ):
@@ -232,7 +233,6 @@ def test_detect_qubes(
 @pytest.mark.parametrize(
 "os_release_fixture,expected_qt_version",
 [
- ("os-release-qubes-4.0", 4),
 ("os-release-qubes-4.1", 5),
 ("os-release-ubuntu", 4),
 ("no-such-file", 4),
@@ -242,7 +242,7 @@ def test_detect_qubes(
 @mock.patch("Util.sdlog.error")
 @mock.patch("Util.sdlog.warning")
 @mock.patch("Util.sdlog.info")
-@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.0"))
+@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.1"))
 def test_pick_qt(
 mocked_info,
 mocked_warning,
@@ -282,7 +282,7 @@ def test_pick_bad_qt(mocked_info, mocked_warning, mocked_error, env_override):
 """
 mocked_env = {"SDW_UPDATER_QT": env_override}
 with mock.patch.dict("os.environ", mocked_env), mock.patch(
- "Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.0")
+ "Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.1")
 ), pytest.raises(ValueError):
 util.get_qt_version()
@@ -303,13 +303,12 @@ def test_get_logger():
 @pytest.mark.parametrize(
 "os_release_fixture,version_contains",
 [
- ("os-release-qubes-4.0", "4.0"),
 ("os-release-qubes-4.1", "4.1"),
 ("os-release-ubuntu", None),
 ("no-such-file", None),
 ],
 )
-@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.0"))
+@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.1"))
 def test_is_sdapp_halted_yes(os_release_fixture, version_contains):
 """
 When sd-app state is 'Halted'
@@ -317,7 +316,7 @@ def test_is_sdapp_halted_yes(os_release_fixture, version_contains):
 """
 output = bytes(
 "NAME STATE CLASS LABEL TEMPLATE\nsd-app"
- " Halted AppVM yellow sd-small-buster-template\n",
+ " Halted AppVM yellow sd-small-{}-template\n".format(DEBIAN_VERSION),
 "utf-8",
 )
@@ -329,13 +328,12 @@ def test_is_sdapp_halted_yes(os_release_fixture, version_contains):
 @pytest.mark.parametrize(
 "os_release_fixture,version_contains",
 [
- ("os-release-qubes-4.0", "4.0"),
 ("os-release-qubes-4.1", "4.1"),
 ("os-release-ubuntu", None),
 ("no-such-file", None),
 ],
 )
-@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.0"))
+@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.1"))
 def test_is_sdapp_halted_no(os_release_fixture, version_contains):
 """
 When sd-app is not Halted (i.e. Running, Pasued)
@@ -343,7 +341,7 @@ def test_is_sdapp_halted_no(os_release_fixture, version_contains):
 """
 output = bytes(
 "NAME STATE CLASS LABEL TEMPLATE\nsd-app"
- " Paused AppVM yellow sd-small-buster-template\n",
+ " Paused AppVM yellow sd-small-{}-template\n".format(DEBIAN_VERSION),
 "utf-8",
 )
@@ -355,13 +353,12 @@ def test_is_sdapp_halted_no(os_release_fixture, version_contains):
 @pytest.mark.parametrize(
 "os_release_fixture,version_contains",
 [
- ("os-release-qubes-4.0", "4.0"),
 ("os-release-qubes-4.1", "4.1"),
 ("os-release-ubuntu", None),
 ("no-such-file", None),
 ],
 )
-@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.0"))
+@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.1"))
 @mock.patch("subprocess.check_output", side_effect=subprocess.CalledProcessError(1, "check_output"))
 def test_is_sdapp_halted_error(patched_subprocess, os_release_fixture, version_contains):
 """
diff --git a/scripts/build-dom0-rpm b/scripts/build-dom0-rpm
index 54ad218a..f32d3de1 100755
--- a/scripts/build-dom0-rpm
+++ b/scripts/build-dom0-rpm
@@ -27,22 +27,14 @@ export SOURCE_DATE_EPOCH
 # Place tarball where rpmbuild will find it
 cp dist/*.tar.gz rpm-build/SOURCES/
-# Build for Qubes 4.0.x and 4.1.x, for which dom0 is based on
-# fedora-25 and fedora-32, respectively.
-for i in 25 32; do
- # dom0 defaults to python3.5 in fedora-25
- python_version="python3.5"
- if [[ $i = 32 ]]; then
- python_version="python3.8"
- fi
- dist=".fc${i}"
- rpmbuild \
- --quiet \
- --define "_topdir $PWD/rpm-build" \
- --define "dist $dist" \
- --define "_python_version $python_version" \
- -bb --clean "rpm-build/SPECS/securedrop-workstation-dom0-config.spec"
-done
+python_version="python3.8"
+dist=".fc32"
+rpmbuild \
+ --quiet \
+ --define "_topdir $PWD/rpm-build" \
+ --define "dist $dist" \
+ --define "_python_version $python_version" \
+ -bb --clean "rpm-build/SPECS/securedrop-workstation-dom0-config.spec"
 printf '\nBuild complete! RPMs and their checksums are:\n\n'
 find rpm-build/ -type f -iname '*.rpm' -print0 | sort -zV | xargs -0 sha256sum
diff --git a/scripts/provision-all b/scripts/provision-all
index f4816ac5..d332dec8 100755
--- a/scripts/provision-all
+++ b/scripts/provision-all
@@ -17,7 +17,8 @@ echo "Set up dom0 config files, including RPC policies, and create VMs"
 sudo qubesctl --show-output state.highstate
 echo "Set up logging VMs early"
-sudo qubesctl --show-output --skip-dom0 --targets sd-log,sd-small-buster-template state.highstate
+sudo qubesctl --show-output --skip-dom0 --targets sd-log,sd-small-bullseye-template state.highstate
+
 # Reboot sd-log so it's ready to receive logs from other VMs about to be configured
 qvm-shutdown --wait sd-log && qvm-start sd-log
diff --git a/scripts/sdw-admin.py b/scripts/sdw-admin.py
index 9c8c3953..4f036890 100755
--- a/scripts/sdw-admin.py
+++ b/scripts/sdw-admin.py
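Review bot: With the loop gone, `python_version="python3.8"` and `dist=".fc32"` are bare literals whose rationale lived only in the removed comment, so the next reader has nothing tying `.fc32` to Qubes 4.1 or `python3.8` to that dom0. Restore the context above the two assignments, e.g. `# Qubes 4.1 dom0 is fedora-32 based and ships python3.8; bump both together on the next dom0 release`.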
@@ -15,6 +15,8 @@
 sys.path.insert(1, os.path.join(SCRIPTS_PATH, "scripts/"))
 from validate_config import SDWConfigValidator, ValidationError # noqa: E402
+DEBIAN_VERSION = "bullseye"
+
 def parse_args():
 parser = argparse.ArgumentParser()
@@ -116,18 +118,6 @@ def perform_uninstall(keep_template_rpm=False):
 print("Reverting dom0 configuration")
 subprocess.check_call(["sudo", "qubesctl", "state.sls", "sd-clean-all"])
 subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/clean-salt")])
- if not keep_template_rpm:
- print("Uninstalling Template")
- subprocess.check_call(
- [
- "sudo",
- "dnf",
- "-y",
- "-q",
- "remove",
- "qubes-template-securedrop-workstation-buster",
- ]
- )
 print("Uninstalling dom0 config package")
 subprocess.check_call(
 ["sudo", "dnf", "-y", "-q", "remove", "securedrop-workstation-dom0-config"]
diff --git a/sd-workstation/securedrop-release-signing-pubkey-2021.asc b/sd-workstation/securedrop-release-signing-pubkey-2021.asc
index 070e2253..8a6d1810 100644
--- a/sd-workstation/securedrop-release-signing-pubkey-2021.asc
+++ b/sd-workstation/securedrop-release-signing-pubkey-2021.asc
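Review bot: Removing the template uninstall block leaves `keep_template_rpm` as an unused parameter of `perform_uninstall` (its only use in the hunk was the deleted `if not keep_template_rpm:` guard), any CLI flag that feeds it now silently does nothing, and an uninstall no longer removes the workstation template package from dom0 at all. Either drop the parameter and its option, or keep the dnf removal with the package name derived from the new constant, `"qubes-template-securedrop-workstation-{}".format(DEBIAN_VERSION)`, which would also give `DEBIAN_VERSION` from the first hunk a use — nothing in this diff reads it. The rest of `perform_uninstall` and `parse_args` is outside the hunks, so both points are inferred from what is visible.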
@@ -12,20 +12,20 @@ DWkG/xqMWXVZOtUa+REYrTCg9Zo7qlbIniRGeGfGtXYXI023clJH7QkSOEVbCzju SMG+mvRVGJVEWmkoD6mUqzgs+VpoJ9/f1OV5iZjeYRN7fDUYgZzYuWJp3fYmlvHj 3oiAN7UrcUwESgoVl+Ga2VFJd+3w0qBLM+3bORq0z1sUp9oJhFpLLtqRuQARAQAB tEpTZWN1cmVEcm9wIFJlbGVhc2UgU2lnbmluZyBLZXkgPHNlY3VyZWRyb3AtcmVs -ZWFzZS1rZXktMjAyMUBmcmVlZG9tLnByZXNzPokCVAQTAQoAPhYhBCNZ5lOMBhPm -UpVebBiO3Tt7IuajBQJgmWatAhsDBQkCKbYABQsJCAcDBRUKCQgLBRYCAwEAAh4B -AheAAAoJEBiO3Tt7IuajwuMP/3HGnRKTgRLdxeL/8tK4E204N+W3dPYhge1sFLeD -ak0vXQeTzxizU/1Hi1+qLv+XRpKziPE0gvKnc8wThPhJ+G93hEAqI/Es4VIklzbB -f/xhLeE54wk6tqz+wy4ugoq0NrRTLFRXT2SXA/enSxaH16fk/5LcNF0V8CTvoaGn -5kvhZCSPJyw7eqPZGjH2pxy33sktprEAjN7aXuIHw3IiRHmrqgqSCpjn5rEEXO3Y -u8osqh5ZdVQLnmtQiosA4IVNOKRJU9nTDnIVducx+RLG3Bz3Qf7/mmRC+M3hqGWB -skk0c2+DtspsNyZh1E+8II3qVGqFwMBovSI0wPX3IOK4Wb91dz3/n8Ahc2N7pBY3 -7wH1GHjT/2Bv80F5d3bbUJVFDLEFFMSUcj4E6dxU38XkbBTODrOYcjzlIT6uK/XH -Q61fE1e7PSVeNqr6eIqqaTdNZaOJNtlO5umYx0WQawKT72eznPW6HJkX5cfuTj9H -ARwRCNOTpipOo499bMtk7UjJcTwc9KOxJeKDkbMUfe/43Zp1njctWuv2e/NPz92J -Ma3BmLluuBR9HJTWKp8L6Ia55vhvtm3+hsgiTCf7gdpxkwRO7470ZeyZMZtARwxp -2wcIrqdOKW8Zwij2Zsi882PPJjR4N07KiEv9pUBtLzlX3VsHBFSu32klxW3cNlSZ -1eK/uQINBGCZZq0BEACq7CxMegB4JuC81VDZKNGgPvRfZYzvE9JGV9G/Gz2Ko8IN +ZWFzZS1rZXktMjAyMUBmcmVlZG9tLnByZXNzPokCVAQTAQoAPgIbAwULCQgHAwUV +CgkICwUWAgMBAAIeAQIXgBYhBCNZ5lOMBhPmUpVebBiO3Tt7IuajBQJifjhkBQkE +CpM3AAoJEBiO3Tt7IuajHFUP/1fwi22pZcpDUyzxGViUK8DmZjcGVGFNBJ40SDSl +XudO044U4OLFTVjNvpHvz6F4T7P+9PSHbjiAOSqx6UApib5EK/w38iQ7PQX+Cg1s +L6pDXCrVNmnxl/FgGN/0MjIjpPGW0CmsEUu+xqJlb43SSAb5z65TJAsyXPgkkPyU ++z1XTPdd27Qvw/BvcH7Fy/ksTIJcL6kFcUBAgJ/HcM6AbRleKSTrrANLjH+c9DqR +s7v0PFAs6TADIQsPNrAeeXxyPqgEQObDeTvXjPb1gJ3r1G1fWKkLb/oBo4cVB+xe +t9djj4uvKO/ETuKzXNWkcTdNhaNO4SMcNt/enxurNb3LLZPXOnEb4cHVGA4/Qoyy +jhgAqJMECw5+nUBn5zM/THQR7r63hBmFqtO9nRo6qNHI1DJ/KWMH892ekpgOYys1 +yMILFyDQLgB+iFHohR4VSeQONWpuSMTWYIQ7vfQVDah9Z7byOJ+M8XJcTv1OLY+L +K11b1CaSe7V/dLHhlYzLaLvV/LT8GaDwMQFT6NwsMOPwRhyWUsdy/OLPPMBY6eNK +JRHQ3wNnClTiWi7iM5QfHa2g+46YuKFMr1YraUwHxUb6ELNNYeg0ycr77H+Ysmam 
+hHA5YPnxJIzx9nWCBgXGyn9FIxGy32vwh9qdsGvbUQbSSdLdXLVEDY492vuSjkaN +AJqruQINBGCZZq0BEACq7CxMegB4JuC81VDZKNGgPvRfZYzvE9JGV9G/Gz2Ko8IN tsBMbIQVXLndeuJZqYPTk5X6dPKJe6ik9WUSpdvpxLdy1FiVjvOMxaXvZCeXB8NS jicHq8KWRrvgM15GGRo1vBC8BLyjh6tnImkmI86HNJEy3kvN7OjgFeXactO4yXaP Gu4J8OglAYOLvNjamriY/ExFS5uURrmHgJB9beEFY+XS7FbUj81R3H64XCKlKIVu 
@@ -36,18 +36,18 @@ sAE+DqRgeWFLBVWdaeU98zawLR15Qsx85cGvxFJaE9LyPWHyHSlJeyrT0hNE02HG bZDWR/47s6jicncfYVNqSH5d1Ifj8guuxDQZyJLEh18kcOH0wezt7lM/H6kXZnDz slOJUAubUgpZ/IbTgdd49UW93QepI+ynuwSogqIPf521XAU/Or7OY+t7J2e1VaCC zvez+oiZ6GWh6lBpccPUnDWtti3U2i5hK4swGFa3Uvi6UwbZHihi/iUip4uKxQAR -AQABiQI8BBgBCgAmFiEEI1nmU4wGE+ZSlV5sGI7dO3si5qMFAmCZZq0CGwwFCQIp -tgAACgkQGI7dO3si5qNAJhAAsjrKyJY1A814QI82Jk1BcpbYRpr5D11/Y8okj142 -Ury/14yVJ1mdFNIqXiKaazR2UJef+W7EZYXWEUFC4BpYFC75tnGAIuKpdBjd6hiJ -Z+sWi10eit3IejAwHkbzRTCvPEDxaQTK1EEB/AKE+9fJhnjIVIIYLgIRYwvNBT/S -J5A1OhoSHtYppD8FpGFw7Hl/t9DK5YETyvY8vkqAMZ9rxp9ZdLni9NsgHa4SCxb/ -1t9ixziUdwbBH0ulHJF3D3Gv6U4Rtcjyi/CLwMaC9pJ7PfISQBYL0USkL9WUYTy7 -IPn60fcvrXIx0ZoR0T4L5rbIQpJ89bVvyT2a1BTFo0zp46hzq9O5g6dr3oB94UKf -bYxNOjNwyMmSyT/JVHzS5H8RAk9UdXmJZXuUFGlPJwfqakGOzZm+X8m6bfbALS++ -b0CAfkWVLNSASXdkK0du5XpIEFFca2qc0vxgqNFDNJC9lrjIx95Bxiql8kOhhloo -/mXz7rZl9vbXBespZCMosFlatkL6hnFm28IIb8vOwGrOuToxyJUQcD8u6iT8kpWF -j5EBqojf1VEaYOogVX8kBFfNTUWmHslD44f46IqIm/lE/wAGev3Aec+olqdD1B75 -hdWwJXNaMxCYVofIgihTMKUeSuXHXNajtwbcUJYyeX4X/LrknXu5EoBfUIXZEZ/J -u3U= -=pCIa +AQABiQI8BBgBCgAmAhsMFiEEI1nmU4wGE+ZSlV5sGI7dO3si5qMFAmKCILEFCQQK +hwQACgkQGI7dO3si5qN/Og//UeRS0+fjYedZGwVMCd591TDET/vdD1CXf2KIic9u +4Fd9nNqbYNB9/c5QWtVYsB9lWctL3RA7C3DtzWUXQtvTUFAimSJ9H1WtOMvNNAwR +KubXzy4niU1exo9veljdKFBflyFNVBrazL+ChUzQvTR9Osw+sgGO8JQCnxjwG0R9 +O5QbWfkQzCl0VwZAZOZrWz8AvcSCTErgkkAbIbyhjyhiSsr956MJ5GWlDPlbWXwC +U/aIWNbyghi6sdZ59RtxMFh7yQMG5/468Lt6hIBHhb16wOwEutvT5vo7lz8+L0P3 +C71vMhgk0tzbV4n3JYOQAUqbDfo9WGK3u4ZBzgkdM3q8UTP2RvCVGQVyZJ4etxHS +aWHA5ufnzQ+ocssd/lH0+Z5VVTzE54MlJauJBnX3XQuP4fba3jjJRenZdr4I70AY +edkS5x8vwHUewmlHgOrs9AJnGvmurbFjUKdVERpjs5cF/m9BqBgVc5e2OmYFlbtY +7NKwnFvOBEamKz8fB9OGQq5uqxdPJycJkLL2m7wYZFGxnzdwHbQwdfv8qLNLt9ox +xDf1kSnh4P6TgVx1N3G1MiSSC79Nk2MVvpQ6MsQ4O290FBybsJ0/1R01e3L9trst +XEXQ4gF6MHMYdBpNhcBlovGMPpI1AG7Uz2TMVM0p+T8DFOBbPP6057fX8zr1+SP0 +Zbk= +=5n1q -----END PGP PUBLIC KEY BLOCK----- 
diff --git a/sd-workstation/securedrop-release-signing-pubkey-LEGACY.asc b/sd-workstation/securedrop-release-signing-pubkey-LEGACY.asc
deleted file mode 100644
index 7c1f70d5..00000000
--- a/sd-workstation/securedrop-release-signing-pubkey-LEGACY.asc
+++ /dev/null
@@ -1,43 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFgIrN8BEACnXQFtRVzlePZL/4wfdsAI0FohKj+v17c9U/JNOOwax2DapJe+ -pQ7jZ8G2kUDLTNTMgZLze/gmOJF28olplMi9sLwBynKbN2xOq6MybxE9NLLeE7/y -ZfMZrgMSwgHW40udRZEEpe9IYKZP2QXLGFOmRiqiQ0HNp9WKFNTfi03Yx3XEUeeZ -kap9i0+1sktYBrlnUzXUTJHiUjJTEiI9NX23Vey0NtaveJLzdEQmsYQWaMbX4ECD -Hz+UNRNrjXv303bJgSGBm53tsvQzd6Lyzk4RGOKKifm4A2RRXf6zZCpRmOJUD5dH -8eLNeNyJpRY13rzcqp6Sk05n/RJOH9QbClzBT4rAbTtDKIKsutGnPxL+8fwKoaut -xZjcZLNh712nfiMl07rmgD4by0rp8xe29MIUNkjqg01pckfvUXknRhuo7ZmrAphz -ZZKLSApWXbB32ug5WNoGaQmq+hye1i40zu3fx8MRYefkpSSatNuIbrwLLnq0NR+k -qXcP1SPgtoy/EnW0oa/NDiT/rSh1PuAjG7oOpiNdQdmnA+xIYGreeNoPtuh7gJRc -XYrtWI5zzsGwrFE0LMMPw6SVGONfM5M4Efc+oUn3cIn7gQITm31JNTbRpnwT7bMo -Hy+MrILJITj6Rwi8EGyeTBVolM/L0W3WpjJuj6yhcRZURkBMA01aSUG3yQARAQAB -tB5TZWN1cmVEcm9wIFJlbGVhc2UgU2lnbmluZyBLZXmJAlcEEwEKAEECGwMFCwkI -BwMFFQoJCAsFFgIDAQACHgECF4ACGQEWIQQiJFyB47rrQTizYGExD1YSAPStdwUC -XsZBhAUJCNOEJQAKCRAxD1YSAPStd+ovD/4+jLGlwlLmBpgvohrbiC7xCioVW+Ik -18j+uUSyYBNhvDOZugY+/Z6X99PHvjgjRbTle2NvAx5itdZfiooGSZ8cuiPRbDkQ -xpmZqOdkpN+5/B5dh/bd+P/K2Ggxqkyb80b+xoDviLh6OmIDPILTbz9ACkwu5jdH -0wo0UEt5C+GT8lvBmVXii6vGlTvsv86/yLShvBq6mEJ+7nazWMOShJy3bvyrJRMg -3dZfQSB6WlVCRO9EDBlvTW9Xedva7VDu6Up1BSD+enpXWRLTbqWvxmS7QQ2Usw58 -D7CCoJDA+8zL6UkJFrVxTiXQWbOvttkOA9++aJp4IbXsqTyrIkxNRjlKdyET9xbB -HGSgJhhgGUNVZNBxHVZFHvHurXDX0OyfWaYY9ET/EjqMCjUbWh0vh2c6/M3rDh+J -nH+tZUjJ9mM/AJ0hcORPVv3wbWdsfWq9r3t1Q7wlphal7RzgNqPymekj+1ndTs4y -jfsWgLmxYF8knP1+EipoL1Q7vm1JdO0VOb4IyhF+6VUTkjrDy6uHwXc3fMGHEAeU -nZvhVzZSx8h8HVsfnppM2RjNZKPwNQ43he8HllLqsRFsumg6gbBNRgrsVEBjRzxf -OKESJqxVZ5iHUvWPQPuGjuh83HiUxPN4yjZXUVNXv0Alevv1By3ALeVAmaQVw/KA -/sNu9p74VRggjrRFU2VjdXJlRHJvcCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxzZWN1 -cmVkcm9wLXJlbGVhc2Uta2V5QGZyZWVkb20ucHJlc3M+iQJUBBMBCgA+AhsDBQsJ -CAcDBRUKCQgLBRYCAwEAAh4BAheAFiEEIiRcgeO660E4s2BhMQ9WEgD0rXcFAl7G -QZQFCQjThCUACgkQMQ9WEgD0rXcWVg/+JJT7J0ycCd2Rl7A2K4YQfJcf6TV05HDf -/sxc+JGs1hh/CFgR5Nt1TDPg7dQfCumQWI+e4A8NSFllIKGEajgxdAg/uszO9UQL 
-9iVtyNFY69/gfWeNVyOoioYxRSlaIyKUD2PINeHi5KYDe3dkh9aXDA/X4sB8k7Dt
-mvDXqNX4/85P9M9JUjWahHqG3giYW9nyvvlMeV82K4BPPhwwqwbRRaIVNcdytDIi
-LvXxOZf/TjX3xHbwTHYghclZZX3ZCiZ8OTD+yLkCqTJsT9GVfIlO/algc+7ezz7B
-acsSuTa77/+8vy78dA5k9JM6rSZzfl/8T3LOmDLq+RE+DCUXx8ZJ+qnrr5aSruPB
-BSlu7S/26NIAtB6LyKtSBpX39y66/9lYCaQWZDcNraq5PWInv0kQqXEc6C8Vi25q
-BFE3a4Lt45bZMGCREYvLWXRxzH9rESVVekxZVZEjgmldh94OLRuXRvU8nlu2fq4G
-YH0a+Oy/87LemKv7q2IZX6s7uTZg5xMBTaPqFsE/AGQWQfHvj1EWthcaeoIasfxE
-lsWi9qHE4N+Jg/L+XC90S0kogDWGdyS+mKf0dE6jq4ioKf29zRJ4629id6VYHeib
-i3df/KOdUeeth5X9ann6/KNncX7Us16rV4a6Tl1OLoV7xkwh2Hy8MfClDkTYeoHc
-Y6V2vWAk0Rc=
-=LOAb
------END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/test_dom0_config.py b/tests/test_dom0_config.py
index de42f553..03432f00 100644
--- a/tests/test_dom0_config.py
+++ b/tests/test_dom0_config.py
@@ -17,12 +17,14 @@
 "sd-log-buster-template",
 ]
+DEBIAN_VERSION = "bullseye"
+
 VMS_TO_UPDATE = [
- "sd-large-buster-template",
- "sd-small-buster-template",
+ "sd-large-{}-template".format(DEBIAN_VERSION),
+ "sd-small-{}-template".format(DEBIAN_VERSION),
 "whonix-ws-16",
 "whonix-gw-16",
- "securedrop-workstation-buster",
+ "securedrop-workstation-{}".format(DEBIAN_VERSION),
 ]
diff --git a/tests/test_dom0_rpm_repo.py b/tests/test_dom0_rpm_repo.py
index 99cb395b..5e462c44 100644
--- a/tests/test_dom0_rpm_repo.py
+++ b/tests/test_dom0_rpm_repo.py
@@ -2,6 +2,10 @@
 import unittest
+DEBIAN_VERSION = "bullseye"
+FEDORA_VERSION = "f32"
+
+
 class SD_Dom0_Rpm_Repo_Tests(unittest.TestCase):
 pubkey_wanted = ""
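Review bot: The list that closes just above `DEBIAN_VERSION` still ends with the literal `"sd-log-buster-template"`, while `VMS_TO_UPDATE` right below it switches to formatted bullseye names; if that list enumerates pre-migration templates that are expected to be gone, that is intentional, but nothing in the file says so and a reader will assume one of the two was missed. A comment on that list, e.g. `# buster-era names that must no longer exist after the migration`, makes the split deliberate; its start is outside the hunk. Separately, this file spells the names with `"...{}-template".format(DEBIAN_VERSION)` while test_dom0_rpm_repo.py in the next hunk uses an f-string for the same purpose; one form across the test suite reads better.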
@@ -9,8 +13,8 @@ class SD_Dom0_Rpm_Repo_Tests(unittest.TestCase):
 pubkey_actual = "/etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation" # noqa
 pubkey_wanted_prod = "sd-workstation/securedrop-release-signing-pubkey-2021.asc"
 pubkey_wanted_test = "sd-workstation/apt-test-pubkey.asc"
- yum_repo_url_prod = "https://yum.securedrop.org/workstation/dom0/f25"
- yum_repo_url_test = "https://yum-test.securedrop.org/workstation/dom0/f25"
+ yum_repo_url_prod = f"https://yum.securedrop.org/workstation/dom0/{FEDORA_VERSION}"
+ yum_repo_url_test = f"https://yum-test.securedrop.org/workstation/dom0/{FEDORA_VERSION}"
 def setUp(self):
 # Enable full diff output in test report, to aid in debugging
diff --git a/tests/test_qubes_rpc.py b/tests/test_qubes_rpc.py
index a631b0f5..4cabb020 100644
--- a/tests/test_qubes_rpc.py
+++ b/tests/test_qubes_rpc.py
@@ -42,14 +42,7 @@ def _startsWith(self, filename, expectedPolicy):
 return False
 def _loadVars(self):
- qubes_version = get_qubes_version()
- if qubes_version == "4.1":
- fname = "qubes-rpc-41.yml"
- elif qubes_version == "4.0":
- fname = "qubes-rpc.yml"
- else:
- raise Exception("Could not determine Qubes OS version")
- filepath = os.path.join(os.path.dirname(os.path.abspath(__file__)), "vars", fname)
+ filepath = os.path.join(os.path.dirname(os.path.abspath(__file__)), "vars", "qubes-rpc.yml")
 with io.open(filepath, "r") as f:
 data = yaml.safe_load(f)
 return data
diff --git a/tests/test_qubes_vms.py b/tests/test_qubes_vms.py
index 2154ec20..ef86e1d7 100644
--- a/tests/test_qubes_vms.py
+++ b/tests/test_qubes_vms.py
@@ -1,7 +1,7 @@
 import unittest
 from qubesadmin import Qubes
-from base import CURRENT_FEDORA_TEMPLATE, CURRENT_WHONIX_VERSION, get_qubes_version
+from base import CURRENT_FEDORA_TEMPLATE, CURRENT_WHONIX_VERSION
 class SD_Qubes_VM_Tests(unittest.TestCase):
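Review bot: `_loadVars` no longer calls `get_qubes_version`, but nothing in this hunk removes the corresponding import from test_qubes_rpc.py, whereas the `from base import …` line in test_qubes_vms.py is trimmed in the next hunk; if no other use remains in the file, the import is now dead and the linter will flag it. The import line is outside the hunk, so this is inferred from what is visible. Now that the branch is gone, `_loadVars` could also shrink to `with open(filepath) as f:` followed by `return yaml.safe_load(f)` — `io.open` is just `open` on Python 3.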
@@ -28,7 +28,7 @@ def test_current_fedora_for_sys_vms(self):
 for sys_vm in sys_vms:
 vm = self.app.domains[sys_vm]
 wanted_templates = [CURRENT_FEDORA_TEMPLATE]
- if get_qubes_version() == "4.1" and sys_vm in sys_vms_maybe_disp:
+ if sys_vm in sys_vms_maybe_disp:
 if sys_vm in sys_vms_custom_disp:
 wanted_templates.append("sd-fedora-dvm")
 else:
diff --git a/tests/test_sd_devices.py b/tests/test_sd_devices.py
index a4e00bc8..c0041fa3 100644
--- a/tests/test_sd_devices.py
+++ b/tests/test_sd_devices.py
@@ -17,6 +17,7 @@ def test_files_are_properly_copied(self):
 def test_sd_export_package_installed(self):
 self.assertTrue(self._package_is_installed("cryptsetup"))
 self.assertTrue(self._package_is_installed("printer-driver-brlaser"))
+ self.assertTrue(self._package_is_installed("printer-driver-hpcups"))
 self.assertTrue(self._package_is_installed("securedrop-export"))
 self.assertTrue(self._package_is_installed("gnome-disk-utility"))
diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py
index 3911cb62..e51e2bef 100644
--- a/tests/test_vms_exist.py
+++ b/tests/test_vms_exist.py
@@ -5,7 +5,8 @@
 from base import WANTED_VMS
-EXPECTED_KERNEL_VERSION = "4.14.241-grsec-workstation"
+DEBIAN_VERSION = "bullseye"
+EXPECTED_KERNEL_VERSION = "5.15.41-grsec-workstation"
 class SD_VM_Tests(unittest.TestCase):
@@ -36,20 +37,6 @@ def _check_kernel(self, vm):
 assert kernel_version.endswith("-grsec-workstation")
 assert kernel_version == EXPECTED_KERNEL_VERSION
- # QubesOS 4.1 stopped requiring u2mfn.ko for HVMs, the packages won't build the respective
- # kernel module anymore
- # This portion of the test assumes that 4.1 is always used with templates that use
- # repositories for 4.1 (in our case, bullseye based templates)
- with open("/etc/qubes-release") as qubes_release:
- if "R4.1" in qubes_release.read():
- return
-
- u2mfn_filepath = "/usr/lib/modules/{}/updates/dkms/u2mfn.ko".format(EXPECTED_KERNEL_VERSION)
- # cmd will raise exception if file not found
- stdout, stderr = vm.run("sudo test -f {}".format(u2mfn_filepath))
- assert stdout == b""
- assert stderr == b""
-
 def _check_service_running(self, vm, service):
 """
 Ensures a given service is running inside a given VM.
@@ -76,7 +63,7 @@ def test_sd_proxy_config(self):
 vm = self.app.domains["sd-proxy"]
 nvm = vm.netvm
 self.assertTrue(nvm.name == "sd-whonix")
- self.assertTrue(vm.template == "sd-small-buster-template")
+ self.assertTrue(vm.template == "sd-small-{}-template".format(DEBIAN_VERSION))
 self.assertTrue(vm.autostart is True)
 self.assertFalse(vm.provides_network)
 self.assertFalse(vm.template_for_dispvms)
@@ -86,7 +73,7 @@ def test_sd_app_config(self):
 vm = self.app.domains["sd-app"]
 nvm = vm.netvm
 self.assertTrue(nvm is None)
- self.assertTrue(vm.template == "sd-small-buster-template")
+ self.assertTrue(vm.template == "sd-small-{}-template".format(DEBIAN_VERSION))
 self.assertFalse(vm.provides_network)
 self.assertFalse(vm.template_for_dispvms)
 self._check_kernel(vm)
@@ -104,7 +91,7 @@ def test_sd_viewer_config(self):
 vm = self.app.domains["sd-viewer"]
 nvm = vm.netvm
 self.assertTrue(nvm is None)
- self.assertTrue(vm.template == "sd-large-buster-template")
+ self.assertTrue(vm.template == "sd-large-{}-template".format(DEBIAN_VERSION))
 self.assertFalse(vm.provides_network)
 self.assertTrue(vm.template_for_dispvms)
 # sd-viewer should not be able to create other disposable VMs
@@ -118,7 +105,7 @@ def test_sd_gpg_config(self):
 nvm = vm.netvm
 self.assertTrue(nvm is None)
 # No sd-gpg-template, since keyring is managed in $HOME
- self.assertTrue(vm.template == "sd-small-buster-template")
+ self.assertTrue(vm.template == "sd-small-{}-template".format(DEBIAN_VERSION))
 self.assertTrue(vm.autostart is True)
 self.assertFalse(vm.provides_network)
 self.assertFalse(vm.template_for_dispvms)
@@ -129,7 +116,7 @@ def test_sd_log_config(self):
 vm = self.app.domains["sd-log"]
 nvm = vm.netvm
 self.assertTrue(nvm is None)
- self.assertTrue(vm.template == "sd-small-buster-template")
+ self.assertTrue(vm.template == "sd-small-{}-template".format(DEBIAN_VERSION))
 self.assertTrue(vm.autostart is True)
 self.assertFalse(vm.provides_network)
 self.assertFalse(vm.template_for_dispvms)
@@ -146,7 +133,7 @@ def test_sd_log_config(self):
 self.assertEqual(vol.size, size * 1024 * 1024 * 1024)
 def test_sd_workstation_template(self):
- vm = self.app.domains["securedrop-workstation-buster"]
+ vm = self.app.domains["securedrop-workstation-{}".format(DEBIAN_VERSION)]
 nvm = vm.netvm
 self.assertTrue(nvm is None)
 self.assertTrue(vm.virt_mode == "hvm")
@@ -156,27 +143,27 @@ def test_sd_workstation_template(self):
 self._check_service_running(vm, "paxctld")
 def test_sd_proxy_template(self):
- vm = self.app.domains["sd-small-buster-template"]
+ vm = self.app.domains["sd-small-{}-template".format(DEBIAN_VERSION)]
 nvm = vm.netvm
 self.assertTrue(nvm is None)
 self.assertTrue("sd-workstation" in vm.tags)
 def sd_app_template(self):
- vm = self.app.domains["sd-small-buster-template"]
+ vm = self.app.domains["sd-small-{}-template".format(DEBIAN_VERSION)]
 nvm = vm.netvm
 self.assertTrue(nvm is None)
 self.assertTrue("sd-workstation" in vm.tags)
 self._check_kernel(vm)
 def sd_viewer_template(self):
- vm = self.app.domains["sd-large-buster-template"]
+ vm = self.app.domains["sd-large-{}-template".format(DEBIAN_VERSION)]
 nvm = vm.netvm
 self.assertTrue(nvm is None)
 self.assertTrue("sd-workstation" in vm.tags)
 self.assertTrue(vm.template_for_dispvms)
 def sd_export_template(self):
- vm = self.app.domains["sd-large-buster-template"]
+ vm = self.app.domains["sd-large-{}-template".format(DEBIAN_VERSION)]
 nvm = vm.netvm
 self.assertTrue(nvm is None)
 self.assertTrue("sd-workstation" in vm.tags)
@@ -200,7 +187,7 @@ def sd_export(self):
 self._check_kernel(vm)
 def sd_small_template(self):
- vm = self.app.domains["sd-small-buster-template"]
+ vm = self.app.domains["sd-small-{}-template".format(DEBIAN_VERSION)]
 nvm = vm.netvm
 self.assertTrue(nvm is None)
 self.assertTrue("sd-workstation" in vm.tags)
@@ -208,7 +195,7 @@ def sd_small_template(self):
 self._check_kernel(vm)
 def sd_large_template(self):
- vm = self.app.domains["sd-large-buster-template"]
+ vm = self.app.domains["sd-large-{}-template".format(DEBIAN_VERSION)]
 nvm = vm.netvm
 self.assertTrue(nvm is None)
 self.assertTrue("sd-workstation" in vm.tags)
diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py
index cd8d51f2..53d687f0 100644
--- a/tests/test_vms_platform.py
+++ b/tests/test_vms_platform.py
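Review bot: `sd_app_template`, `sd_viewer_template`, `sd_export_template`, `sd_small_template` and `sd_large_template` are all edited here but none carries the `test_` prefix, so unittest's default loader never collects them and the assertions they hold (including the `_check_kernel` calls) do not run; the `sd_export` method named in the -200 hunk header looks the same. If they are meant to run, rename them `test_sd_app_template` and so on; if they are intentionally disabled, a comment saying why would stop the next person from maintaining dead assertions. Several of these methods begin or end outside the visible hunks.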
@@ -6,16 +6,15 @@
 from base import WANTED_VMS, CURRENT_FEDORA_TEMPLATE
-SUPPORTED_SD_PLATFORMS = ["Debian GNU/Linux 10 (buster)"]
+BULLSEYE_STRING = "Debian GNU/Linux 11 (bullseye)"
-SUPPORTED_WHONIX_PLATFORMS = ["Debian GNU/Linux 11 (bullseye)"]
+SUPPORTED_SD_DEBIAN_DIST = "bullseye"
+SUPPORTED_WHONIX_PLATFORMS = [BULLSEYE_STRING]
 apt_url = ""
-FPF_APT_SOURCES_STRETCH_DEV = "deb [arch=amd64] https://apt-test.freedom.press stretch main"
-FPF_APT_SOURCES_BUSTER_DEV = "deb [arch=amd64] https://apt-test.freedom.press buster main"
-FPF_APT_SOURCES_STRETCH = "deb [arch=amd64] https://apt.freedom.press stretch main"
-FPF_APT_SOURCES_BUSTER = "deb [arch=amd64] https://apt.freedom.press buster main"
+FPF_APT_TEST_SOURCES = "deb [arch=amd64] https://apt-test.freedom.press {dist} {component}"
+FPF_APT_SOURCES = "deb [arch=amd64] https://apt.freedom.press {dist} {component}"
 APT_SOURCES_FILE = "/etc/apt/sources.list.d/securedrop_workstation.list"
@@ -27,10 +26,14 @@ def setUp(self):
 if "environment" not in config:
 config["environment"] = "dev"
+ dist = SUPPORTED_SD_DEBIAN_DIST
+
 if config["environment"] == "prod":
- self.apt_url = FPF_APT_SOURCES_BUSTER
+ self.apt_url = FPF_APT_SOURCES.format(dist=dist, component="main")
+ elif config["environment"] == "staging":
+ self.apt_url = FPF_APT_TEST_SOURCES.format(dist=dist, component="main")
 else:
- self.apt_url = FPF_APT_SOURCES_BUSTER_DEV
+ self.apt_url = FPF_APT_TEST_SOURCES.format(dist=dist, component="nightlies")
 def tearDown(self):
 pass
@@ -53,13 +56,14 @@ def _validate_vm_platform(self, vm): Asserts that the given AppVM is based on an OS listed in the SUPPORTED__PLATFORMS list, as specified in tests. sd-whonix is based on the whonix-16 template. - All other workstation-provisioned VMs should be buster based. + All other workstation-provisioned VMs should be + SUPPORTED_SD_DEBIAN_DIST based. """ platform = self._get_platform_info(vm) if vm.name in ["sd-whonix"]: self.assertIn(platform, SUPPORTED_WHONIX_PLATFORMS) else: - self.assertIn(platform, SUPPORTED_SD_PLATFORMS) + self.assertIn(SUPPORTED_SD_DEBIAN_DIST, platform) def _validate_apt_sources(self, vm): """ @@ -76,9 +80,6 @@ def _validate_apt_sources(self, vm): contents = stdout.decode("utf-8").rstrip("\n") self.assertTrue(self.apt_url in contents) - self.assertFalse(FPF_APT_SOURCES_STRETCH in contents) - # Old alpha URL for apt repo should be absent - self.assertFalse("apt-test-qubes.freedom.press" in contents) def _ensure_packages_up_to_date(self, vm, fedora=False): """ @@ -144,15 +145,10 @@ def _ensure_keyring_package_exists_and_has_correct_key(self, vm): results = stdout.rstrip().decode("utf-8") fpf_gpg_pub_key_info = """/etc/apt/trusted.gpg.d/securedrop-keyring.gpg --------------------------------------------- -pub rsa4096 2016-10-20 [SC] [expired: 2021-06-30] - 2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77 -uid [ expired] SecureDrop Release Signing Key -uid [ expired] SecureDrop Release Signing Key - -pub rsa4096 2021-05-10 [SC] [expires: 2022-07-04] +pub rsa4096 2021-05-10 [SC] [expires: 2023-07-04] 2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3 uid [ unknown] SecureDrop Release Signing Key -sub rsa4096 2021-05-10 [E] [expires: 2022-07-04]""" +sub rsa4096 2021-05-10 [E] [expires: 2023-07-04]""" # display any differences self.maxDiff = None self.assertEqual(results, fpf_gpg_pub_key_info), "Keyring incorrect in " + vm.name 
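Review bot: `self.assertIn(SUPPORTED_SD_DEBIAN_DIST, platform)` in `_validate_vm_platform` replaces an exact match against a platform list with a substring test for `bullseye`, so any OS string containing that word (a Debian derivative, a `bullseye/sid` image) now passes where `Debian GNU/Linux 11 (bullseye)` was previously required. `BULLSEYE_STRING` already holds the exact value used for the Whonix branch, so `self.assertEqual(platform, BULLSEYE_STRING)` keeps the check as strict as before without reintroducing a list. The docstring still refers to a `SUPPORTED__PLATFORMS list` that the SD branch no longer consults; it should say that sd-prefixed VMs are matched against `BULLSEYE_STRING` (or `SUPPORTED_SD_DEBIAN_DIST`, if the substring check is kept deliberately).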
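Review bot: With the `FPF_APT_SOURCES_STRETCH` and alpha-URL negative assertions removed, `_validate_apt_sources` only checks `self.apt_url in contents`, so a sources file that still carries the pre-migration `buster` line alongside the new one passes — which is exactly the regression a dist migration can introduce. A negative check for the superseded dist, `self.assertNotIn("buster", contents)`, pins that the old repository line is gone rather than only that the new one is present; since `self.apt_url` already encodes the environment, a companion check that the other host (`apt-test.freedom.press` when the expected URL is the production one) is absent would close the same gap for prod. `_validate_apt_sources` starts before this hunk.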
diff --git a/tests/vars/qubes-rpc-41.yml b/tests/vars/qubes-rpc-41.yml
deleted file mode 100644
index ad8d5971..00000000
--- a/tests/vars/qubes-rpc-41.yml
+++ /dev/null
@@ -1,135 +0,0 @@ -- policy: /etc/qubes-rpc/policy/qubes.ClipboardPaste - starts_with: |- - ### BEGIN securedrop-workstation ### - @tag:sd-send-app-clipboard sd-app ask - sd-app @tag:sd-receive-app-clipboard ask - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: /etc/qubes-rpc/policy/qubes.GetDate - starts_with: |- - $tag:anon-vm $anyvm deny - -- policy: qubes.Gpg - starts_with: |- - ### BEGIN securedrop-workstation ### - @tag:sd-client sd-gpg allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.GpgImportKey - starts_with: |- - ### BEGIN securedrop-workstation ### - @tag:sd-client sd-gpg allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.InputKeyboard - starts_with: |- - $anyvm $anyvm deny - -- policy: qubes.InputMouse - starts_with: |- - sys-usb dom0 ask,user=root,default_target=dom0 - $anyvm $anyvm deny - -- policy: /etc/qubes-rpc/policy/qubes.PdfConvert - starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.ReceiveUpdates - starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - $anyvm dom0 allow - -- policy: securedrop.Proxy - starts_with: |- - sd-app sd-proxy allow - @anyvm @anyvm deny - -- policy: qubes.SyncAppMenus - starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - $anyvm dom0 allow - -- policy: /etc/qubes-rpc/policy/qubes.UpdatesProxy - starts_with: |- - $tag:whonix-updatevm $default 
allow,target=sys-whonix - $tag:whonix-updatevm $anyvm deny - -- policy: /etc/qubes-rpc/policy/qubes.USB - starts_with: |- - ### BEGIN securedrop-workstation ### - sd-devices sys-usb allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: /etc/qubes-rpc/policy/qubes.USBAttach - starts_with: |- - ### BEGIN securedrop-workstation ### - sys-usb sd-devices allow,user=root - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.WindowIconUpdater - starts_with: |- - $anyvm dom0 allow - -- policy: /etc/qubes/policy.d/60-securedrop-workstation.policy - starts_with: |- - # required to suppress unsupported loopback error notifications - securedrop.Log * sd-log sd-log deny notify=no - securedrop.Log * @tag:sd-workstation sd-log allow - - qubes.Filecopy * sd-log @default ask - qubes.Filecopy * sd-log @tag:sd-receive-logs ask - qubes.Filecopy * sd-proxy @tag:sd-client allow - - qubes.OpenInVM * @tag:sd-client @dispvm:sd-viewer allow - qubes.OpenInVM * @tag:sd-client sd-devices allow - qubes.OpenInVM * sd-devices @dispvm:sd-viewer allow - -- policy: /etc/qubes/policy.d/70-securedrop-workstation.policy - starts_with: |- - securedrop.Log * @anyvm @anyvm deny - - qubes.FeaturesRequest * @anyvm @tag:sd-workstation deny - qubes.FeaturesRequest * @tag:sd-workstation @anyvm deny - - qubes.Filecopy * @anyvm @tag:sd-workstation deny - qubes.Filecopy * @tag:sd-workstation @anyvm deny - - qubes.GetImageRGBA * @anyvm @tag:sd-workstation deny - qubes.GetImageRGBA * @tag:sd-workstation @anyvm deny - - qubes.OpenInVM * @anyvm @tag:sd-workstation deny - qubes.OpenInVM * @tag:sd-workstation @anyvm deny - - qubes.OpenURL * @anyvm @tag:sd-workstation deny - qubes.OpenURL * @tag:sd-workstation @anyvm deny - - qubes.StartApp * @anyvm @tag:sd-workstation deny - qubes.StartApp * @tag:sd-workstation @anyvm deny - - qubes.VMRootShell * @anyvm @tag:sd-workstation deny - 
qubes.VMRootShell * @tag:sd-workstation @anyvm deny - - qubes.VMShell * @anyvm @tag:sd-workstation deny - qubes.VMShell * @tag:sd-workstation @anyvm deny - diff --git a/tests/vars/qubes-rpc.yml b/tests/vars/qubes-rpc.yml index c8065615..ad8d5971 100644 --- a/tests/vars/qubes-rpc.yml +++ b/tests/vars/qubes-rpc.yml @@ -1,4 +1,4 @@ -- policy: qubes.ClipboardPaste +- policy: /etc/qubes-rpc/policy/qubes.ClipboardPaste starts_with: |- ### BEGIN securedrop-workstation ### @tag:sd-send-app-clipboard sd-app ask @@ -7,48 +7,9 @@ @tag:sd-workstation @anyvm deny ### END securedrop-workstation ### -- policy: qubes.FeaturesRequest +- policy: /etc/qubes-rpc/policy/qubes.GetDate starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.Filecopy - starts_with: |- - ### BEGIN securedrop-workstation ### - sd-log @default ask - sd-log @tag:sd-receive-logs ask - sd-proxy @tag:sd-client allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.GetDate - starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - $tag:anon-vm $anyvm deny - $anyvm $anyvm allow,target=dom0 - -- policy: qubes.GetImageRGBA - starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.GetRandomizedTime - starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - $anyvm dom0 allow + $tag:anon-vm $anyvm deny - policy: qubes.Gpg starts_with: |- 
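Review bot: The `qubes.GetDate` expectation in `tests/vars/qubes-rpc.yml` shrinks to the single line `$tag:anon-vm $anyvm deny`, and because `starts_with` only checks a prefix, whatever rule follows it for every other VM (previously the fixture pinned `$anyvm $anyvm allow,target=dom0`) is no longer asserted. The `qubes.GetRandomizedTime` entry is dropped outright and no replacement appears in the `policy.d` expectations later in this diff; if that service still exists on the target release, its policy is now untested. Consider keeping a second line in the `GetDate` fixture for the expected default action, and either restoring `GetRandomizedTime` or recording in a comment above the list why it was removed.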
@@ -72,45 +33,10 @@ - policy: qubes.InputMouse starts_with: |- - sys-usb dom0 allow,user=root + sys-usb dom0 ask,user=root,default_target=dom0 $anyvm $anyvm deny -- policy: qubes.NotifyTools - starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - $anyvm dom0 allow - -- policy: qubes.NotifyUpdates - starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - $anyvm dom0 allow - -- policy: qubes.OpenInVM - starts_with: |- - ### BEGIN securedrop-workstation ### - @tag:sd-client @dispvm:sd-viewer allow - @tag:sd-client sd-devices allow - sd-devices @dispvm:sd-viewer allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.OpenURL - starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.PdfConvert +- policy: /etc/qubes-rpc/policy/qubes.PdfConvert starts_with: |- ### BEGIN securedrop-workstation ### @anyvm @tag:sd-workstation deny @@ -126,23 +52,11 @@ $anyvm dom0 allow -- policy: securedrop.Log - starts_with: |- - @tag:sd-workstation sd-log allow - @anyvm @anyvm deny - - policy: securedrop.Proxy starts_with: |- sd-app sd-proxy allow @anyvm @anyvm deny -- policy: qubes.StartApp - starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - - policy: qubes.SyncAppMenus starts_with: |- ## Note that policy parsing stops at the first match, 
@@ -152,28 +66,12 @@ $anyvm dom0 allow -- policy: qubes.UpdatesProxy +- policy: /etc/qubes-rpc/policy/qubes.UpdatesProxy starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - # Upgrade all TemplateVMs through sys-whonix. - #$type:TemplateVM $default allow,target=sys-whonix - - # Upgrade Whonix TemplateVMs through sys-whonix. $tag:whonix-updatevm $default allow,target=sys-whonix - - # Deny Whonix TemplateVMs using UpdatesProxy of any other VM. $tag:whonix-updatevm $anyvm deny - # Default rule for all TemplateVMs - direct the connection to sys-net - $type:TemplateVM $default allow,target=sys-net - - $anyvm $anyvm deny - -- policy: qubes.USB +- policy: /etc/qubes-rpc/policy/qubes.USB starts_with: |- ### BEGIN securedrop-workstation ### sd-devices sys-usb allow @@ -181,7 +79,7 @@ @tag:sd-workstation @anyvm deny ### END securedrop-workstation ### -- policy: qubes.USBAttach +- policy: /etc/qubes-rpc/policy/qubes.USBAttach starts_with: |- ### BEGIN securedrop-workstation ### sys-usb sd-devices allow,user=root 
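Review bot: The `qubes.UpdatesProxy` fixture now ends after the two `$tag:whonix-updatevm` rules, so with `starts_with` the test no longer asserts what happens to update traffic from non-Whonix templates — the previous fixture pinned `$type:TemplateVM $default allow,target=sys-net` followed by a final `$anyvm $anyvm deny`. If those rules have moved into a `policy.d` file on the target release, they should be covered by a matching `- policy:` entry in this file; if the legacy file still ends with them, keeping them in the fixture preserves the check that the catch-all deny is present. A short comment above the entry stating which rules are intentionally left unverified would make the reduced scope explicit.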
@@ -189,20 +87,49 @@ @tag:sd-workstation @anyvm deny ### END securedrop-workstation ### -- policy: qubes.VMRootShell +- policy: qubes.WindowIconUpdater starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### + $anyvm dom0 allow -- policy: qubes.VMShell +- policy: /etc/qubes/policy.d/60-securedrop-workstation.policy starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### + # required to suppress unsupported loopback error notifications + securedrop.Log * sd-log sd-log deny notify=no + securedrop.Log * @tag:sd-workstation sd-log allow -- policy: qubes.WindowIconUpdater + qubes.Filecopy * sd-log @default ask + qubes.Filecopy * sd-log @tag:sd-receive-logs ask + qubes.Filecopy * sd-proxy @tag:sd-client allow + + qubes.OpenInVM * @tag:sd-client @dispvm:sd-viewer allow + qubes.OpenInVM * @tag:sd-client sd-devices allow + qubes.OpenInVM * sd-devices @dispvm:sd-viewer allow + +- policy: /etc/qubes/policy.d/70-securedrop-workstation.policy starts_with: |- - $anyvm dom0 allow + securedrop.Log * @anyvm @anyvm deny + + qubes.FeaturesRequest * @anyvm @tag:sd-workstation deny + qubes.FeaturesRequest * @tag:sd-workstation @anyvm deny + + qubes.Filecopy * @anyvm @tag:sd-workstation deny + qubes.Filecopy * @tag:sd-workstation @anyvm deny + + qubes.GetImageRGBA * @anyvm @tag:sd-workstation deny + qubes.GetImageRGBA * @tag:sd-workstation @anyvm deny + + qubes.OpenInVM * @anyvm @tag:sd-workstation deny + qubes.OpenInVM * @tag:sd-workstation @anyvm deny + + qubes.OpenURL * @anyvm @tag:sd-workstation deny + qubes.OpenURL * @tag:sd-workstation @anyvm deny + + qubes.StartApp * @anyvm @tag:sd-workstation deny + qubes.StartApp * @tag:sd-workstation @anyvm deny + + qubes.VMRootShell * @anyvm @tag:sd-workstation deny + qubes.VMRootShell * @tag:sd-workstation @anyvm deny + + qubes.VMShell * 
@anyvm @tag:sd-workstation deny + qubes.VMShell * @tag:sd-workstation @anyvm deny + diff --git a/tests/vars/sd-viewer.mimeapps b/tests/vars/sd-viewer.mimeapps index 6d44163b..00a680e6 100644 --- a/tests/vars/sd-viewer.mimeapps +++ b/tests/vars/sd-viewer.mimeapps @@ -21,11 +21,11 @@ video/x-theora+ogg=org.gnome.Totem.desktop video/mp4=org.gnome.Totem.desktop video/x-msvideo=org.gnome.Totem.desktop video/x-ms-wmv=org.gnome.Totem.desktop -image/jpeg=eog.desktop -image/gif=eog.desktop +image/jpeg=org.gnome.eog.desktop +image/gif=org.gnome.eog.desktop image/tiff=org.gnome.Evince.desktop -image/png=eog.desktop -image/svg+xml=eog.desktop +image/png=org.gnome.eog.desktop +image/svg+xml=org.gnome.eog.desktop image/vnd.djvu=org.gnome.Evince.desktop application/vnd.rar=org.gnome.FileRoller.desktop application/zip=org.gnome.FileRoller.desktop diff --git a/utils/qa-switch.sh b/utils/qa-switch.sh deleted file mode 100644 index 45fc725a..00000000 --- a/utils/qa-switch.sh +++ /dev/null 
@@ -1,29 +0,0 @@ -#!/usr/bin/bash - -# -# Updates securedrop templates and dom0 to use QA repos and -# template-consolidation component. -# -# - -if [[ $(id -u) -ne 0 ]] ; then echo "Please run as root" ; exit 1 ; fi - -cp -R `dirname "$0"`/qa-switch/ /srv/salt/ - -cd /srv/salt -echo Updating dom0... -qubesctl --show-output --targets dom0 state.apply qa-switch.dom0 - -export template_list="sd-app-buster-template sd-devices-buster-template sd-log-buster-template sd-proxy-buster-template sd-viewer-buster-template securedrop-workstation-buster whonix-gw-16" - -echo Updating Debian-based templates: -for t in $template_list; do echo Updating $t...; qubesctl --show-output --skip-dom0 --targets $t state.apply qa-switch.buster; done - -echo Replacing prod config YAML... - -if [ ! -f "/srv/salt/qa-switch/sd-default-config.yml.orig" ]; then - cp sd-default-config.yml qa-switch/sd-default-config.yml.orig -fi -cp qa-switch/sd-qa-config.yml sd-default-config.yml - -echo "Done! (Run this script after 'sudo qubes-dom0-update -y' to reapply)" diff --git a/utils/qa-switch/buster.sls b/utils/qa-switch/buster.sls deleted file mode 100644 index 0b519004..00000000 --- a/utils/qa-switch/buster.sls +++ /dev/null @@ -1,10 +0,0 @@ -remove-prod-apt-repo: - pkgrepo.absent: - - name: "deb [arch=amd64] https://apt.freedom.press buster main" - -add-test-apt-repo: - pkgrepo.managed: - - name: "deb [arch=amd64] https://apt-test.freedom.press buster main" - - file: /etc/apt/sources.list.d/securedrop_workstation.list - - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc" - - clean_file: True diff --git a/utils/qa-switch/dom0.sls b/utils/qa-switch/dom0.sls deleted file mode 100644 index 6b397267..00000000 --- a/utils/qa-switch/dom0.sls +++ /dev/null 
@@ -1,44 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: set syntax=yaml ts=2 sw=2 sts=2 et : - -## -# Installs dom0 config scripts specific to tracking updates -# over time. These scripts should be ported to an RPM package. -## - -dom0-rpm-test-key: - file.managed: - # We write the pubkey to the repos config location, because the repos - # config location is automatically sent to dom0's UpdateVM. Otherwise, - # we must place the GPG key inside the fedora TemplateVM, then - # restart sys-firewall. - - name: /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation - - source: "salt://sd/sd-workstation/apt-test-pubkey.asc" - - user: root - - group: root - - mode: 644 - -dom0-rpm-test-key-import: - cmd.run: - - name: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation - - require: - - file: dom0-rpm-test-key - -dom0-workstation-rpm-repo: - # We use file.managed rather than pkgrepo.managed, because Qubes dom0 - # settings write new repos to /etc/yum.real.repos.d/, but only /etc/yum.repos.d/ - # is copied to the UpdateVM for fetching dom0 packages. - file.managed: - - name: /etc/yum.repos.d/securedrop-workstation-dom0.repo - - user: root - - group: root - - mode: 644 - - contents: | - [securedrop-workstation-dom0] - gpgcheck=1 - gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation - enabled=1 - baseurl=https://yum-test.securedrop.org/workstation/dom0/f25 - name=SecureDrop Workstation Qubes dom0 repo - - require: - - file: dom0-rpm-test-key diff --git a/utils/qa-switch/sd-qa-config.yml b/utils/qa-switch/sd-qa-config.yml deleted file mode 100644 index 4afde585..00000000 --- a/utils/qa-switch/sd-qa-config.yml +++ /dev/null 
@@ -1,11 +0,0 @@ ---- -# Production variables, for use with real-world installs -prod: - dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25" - apt_repo_url: "https://apt-test.freedom.press" - signing_key_filename: "apt-test-pubkey.asc" -# Development variables, suited for use during local development -dev: - dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25" - apt_repo_url: "https://apt-test.freedom.press" - signing_key_filename: "apt-test-pubkey.asc" diff --git a/utils/qa-switch/top.sls b/utils/qa-switch/top.sls deleted file mode 100644 index f09282d3..00000000 --- a/utils/qa-switch/top.sls +++ /dev/null @@ -1,33 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: set syntax=yaml ts=2 sw=2 sts=2 et : - -base: - dom0: - - sd-dom0-switch - - sd-log-buster-template: - - sd-buster-switch - sd-devices-buster-template: - - sd-buster-switch - sd-gpg: - - sd-buster-switch - sd-proxy-buster-template: - - sd-buster-switch - sd-app: - - sd-buster-switch - sd-viewer-buster-template: - - sd-buster-switch - sd-app-buster-template: - - sd-buster-switch - sys-firewall: - - sd-buster-switch - sd-whonix: - - sd-buster-switch - securedrop-workstation-buster: - - sd-buster-switch - sys-usb: - - sd-buster-switch - whonix-gw-16: - - sd-buster-switch - sd-log: - - sd-buster-switch