manual fixes

Manual fixes after the conversion tool.
This commit is contained in:
Marek Marczykowski-Górecki 2023-12-28 11:44:25 +01:00
parent 4a3b08fd7d
commit bbd0337e91
No known key found for this signature in database
GPG Key ID: F32894BE9684938A
26 changed files with 388 additions and 1613 deletions

View File

@ -179,7 +179,7 @@ RPMs will appear in qubes-src/linux-kernel/pkgs/fc20/x86_64:
Useful :doc:`QubesBuilder </developer/building/qubes-builder>` commands
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1. ``make check`` - will check if all the code was committed into

View File

@ -208,7 +208,7 @@ the source less readable and more difficult to work with for
localization and automation purposes. Here are examples of several types
of alerts and their recommended icons:
.. code:: bash
.. code::
<div class="alert alert-success" role="alert">
<i class="fa fa-check-circle"></i>
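Review bot: the block this directive introduces is HTML (``<div class="alert alert-success" role="alert">``, ``<i class="fa fa-check-circle"></i>``), so the new bare ``.. code::`` gives up highlighting that ``.. code:: html`` would provide; since the passage is specifically about the recommended alert markup, the html lexer is the accurate choice rather than no lexer.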

View File

@ -92,7 +92,7 @@ and therefore one of the most important things to do well.
Below is the application template:
.. code:: bash
.. code:: markdown
# Introduction
@ -136,7 +136,7 @@ incomplete. If you are interested in submitting a proposal based on
these ideas, you should contact the :ref:`qubes-devel mailing list <introduction/support:qubes-devel>` and associated GitHub issue to learn
more about the idea.
.. code:: bash
.. code:: markdown
### Adding a Proposal

View File

@ -224,7 +224,7 @@ satisfy the following criteria:
- The videos are suitable for embedding in appropriate places in the
Qubes documentation. (E.g., a video on how to update Qubes OS should
be appropriate for appearing on the :doc:`:doc:`how to update </user/how-to-guides/how-to-update>`` page.)
be appropriate for appearing on the :doc:`how to update </user/how-to-guides/how-to-update>` page.)
- Where possible, the videos should strive to be version-independent.
(For example, a video explaining the template system should still be

View File

@ -3,7 +3,7 @@ How to edit the documentation
=============================
*Also see the* :doc:`documentation style guide </developer/general/documentation-style-guide>` *.*
*Also see the* :doc:`documentation style guide </developer/general/documentation-style-guide>`.
Qubes OS documentation pages are stored as plain text Markdown files in
the `qubes-doc <https://github.com/QubesOS/qubes-doc>`__ repository. By
@ -186,7 +186,7 @@ function the way they should when the website is rendered. They are not
further analyzed in an attempt to determine whether they are malicious.
Once a pull request passes review, the reviewer should add a signed
comment stating, “Passed review as of ``<LATEST_COMMIT>``” (or similar).
comment stating, “Passed review as of ``<LATEST_COMMIT>`` ” (or similar).
The documentation maintainer then verifies that the pull request is
mechanically sound (no merge conflicts, broken links, ANSI escapes,
etc.). If so, the documentation maintainer then merges the pull request,
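Review bot: the space inserted before the closing quote in “Passed review as of ``<LATEST_COMMIT>`` ” is rendered as a visible space inside the quotation. If the converter needed a separator after the inline-literal end-string, an escaped space (``<LATEST_COMMIT>``\ ”) is removed from the output, and current docutils also accepts a Unicode closing quote directly after the end-string, so the unspaced form on the line above may already parse cleanly.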

View File

@ -3,12 +3,6 @@ Qubes R3.0 release notes
========================
Qubes R3.0 Release Notes
------------------------
This Qubes OS release is dedicated to the memory of Caspar Bowden.
New features since 2.0

View File

@ -776,27 +776,35 @@ Policy admin API
There is also an API to view and update :doc:`Qubes RPC policy files </developer/services/qrexec>` in dom0. All of the following calls have dom0 as
destination:
+------------------+----------+------------------+------------------+
| call | argument | inside | return |
+==================+==========+==================+==================+
| ``policy.List`` | - | - | ``<name1> |
| ``polic | | | \n<name2>\n...`` |
| y.include.List`` | | | |
+------------------+----------+------------------+------------------+
| ``policy.Get`` | name | - | ``<tok |
| ``poli | | | en>\n<content>`` |
| cy.include.Get`` | | | |
+------------------+----------+------------------+------------------+
| `` | name | ``<tok | - |
| policy.Replace`` | | en>\n<content>`` | |
| ``policy.i | | | |
| nclude.Replace`` | | | |
+------------------+----------+------------------+------------------+
| ` | name | ``<token>`` | - |
| `policy.Remove`` | | | |
| ``policy. | | | |
| include.Remove`` | | | |
+------------------+----------+------------------+------------------+
.. list-table:: i
:widths: 15 8 8 15
:align: left
:header-rows: 1
* - call
- argument
- inside
- return
* - | ``policy.List``
| ``policy.include.List``
- `-`
- `-`
- | ``<name1>\n<name2>...``
* - | ``policy.Get``
| ``policy.include.Get``
- name
- `-`
- | ``<token>\n<content>``
* - | ``policy.Get``
| ``policy.include.Get``
- name
- | ``<token>\n<content>``
- `-`
* - | ``policy.Remove``
| ``policy.include.Remove``
- name
- ``<token>``
- `-`
The ``policy.*`` calls refer to main policy files
(``/etc/qubes/policy.d/``), and the ``policy.include.*`` calls refer to
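Review bot: the third row of the new list-table repeats ``policy.Get`` / ``policy.include.Get`` where the replaced grid table had ``policy.Replace`` / ``policy.include.Replace`` (argument name, inside ``<token>\n<content>``, return -), so the Replace calls are no longer documented; rename that row. Two smaller points: ``.. list-table:: i`` gives the table the title "i", which reads as a stray character, and the return cell of ``policy.List`` lost the ``\n`` before ``...`` that the grid table had (``<name1>\n<name2>\n...``).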

View File

@ -61,10 +61,10 @@ qubes-dom0-update). Note that we assume that this script might get
compromised and fetch maliciously compromised downloads this is not a
problem as Dom0 verifies digital signatures on updates later. The
downloaded rpm files are placed in a
``/var/lib/qubes/dom0-updates`` directory on UpdateVM
``/var/lib/qubes/dom0-updates`` directory on UpdateVM
filesystem (again, they might get compromised while being kept there,
still this isnt a problem). This directory is passed to yum using the
``installroot=`` option.
``installroot=`` option.
Once updates are downloaded, the update script that runs in UpdateVM
requests an RPM service

View File

@ -14,7 +14,7 @@ Components residing in the same domain (``qrexec-client-vm`` to
``qrexec-agent``, ``qrexec-client`` to ``qrexec-daemon``) use local
sockets as the underlying transport medium. Components in separate
domains (``qrexec-daemon`` to ``qrexec-agent``, data channel between
``qrexec-agent``s) use vchan links. Because of `vchan limitation <https://github.com/qubesos/qubes-issues/issues/951>`__, it
``qrexec-agent``) use vchan links. Because of `vchan limitation <https://github.com/qubesos/qubes-issues/issues/951>`__, it
is not possible to establish qrexec connection back to the source
domain.
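Review bot: dropping the plural from "data channel between ``qrexec-agent``s" leaves "data channel between ``qrexec-agent``", which no longer describes two endpoints. If a trailing ``s`` directly after an inline literal is the parsing problem, "between ``qrexec-agent`` instances" keeps the meaning and parses.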
@ -185,7 +185,7 @@ dom0: request execution of ``cmd`` in domX
with ``qrexec-agent`` later.)
``qrexec-client`` translates that request into a ``MSG_EXEC_CMDLINE``
message sent to ``qrexec-daemon``, with ``connect_domain`` set to 0
(connect to **dom0**) and `connect_port also set to 0 (allocate a
(connect to **dom0**) and ``connect_port`` also set to 0 (allocate a
port).
- **dom0**: ``qrexec-daemon`` allocates a free port (in this case 513),

View File

@ -367,7 +367,6 @@ particular service argument.
See `below <#rpc-service-with-argument-file-reader>`__ for an example of
an RPC service using an argument.
<!-- TODO document "Yes to All" authorization if it is reintroduced -->
Qubes RPC examples
------------------
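Review bot: the removed ``<!-- TODO document "Yes to All" authorization if it is reintroduced -->`` is an HTML comment, which RST would have emitted as visible text, so removing it fixes the rendering but loses the TODO itself. If the reminder is still wanted, the RST comment form ``.. TODO document "Yes to All" authorization if it is reintroduced`` keeps it in the source without rendering.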

File diff suppressed because it is too large

View File

@ -358,11 +358,11 @@ System
Security-critical code </developer/system/security-critical-code>
Qubes core admin </developer/system/qubes-core-admin>
Qubes core admin <https://dev.qubes-os.org/projects/core-admin/>
Qubes core admin client </developer/system/qubes-core-admin-client>
Qubes core admin client <https://dev.qubes-os.org/projects/core-admin-client/>
Qubes core stack </developer/system/qubes-core-stack>
Qubes core stack <https://www.qubes-os.org/news/2017/10/03/core3/>
GUI virtualization </developer/system/gui>
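Review bot: switching the three toctree entries from ``/developer/system/qubes-core-admin``, ``/developer/system/qubes-core-admin-client`` and ``/developer/system/qubes-core-stack`` to external URLs means those .rst files, if they are still in the tree, are no longer referenced by any toctree and Sphinx will warn about orphaned documents; either delete them in the same change or mark them ``:orphan:``. Note also that the core stack entry now points at a 2017 news post rather than reference documentation, unlike the two dev.qubes-os.org links beside it, which may be intended but is worth a second look.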

View File

@ -165,7 +165,7 @@ Opening a terminal emulator in dom0 can be done in several ways:
- Go to the App Menu and select **Terminal Emulator** at the top.
- Press ``Alt``+ ``F3`` and search for ``xfce terminal``.
- Press ``Alt+F3`` and search for ``xfce terminal``.
- Right-click on the desktop and select **Open Terminal Here**.

View File

@ -3,7 +3,7 @@ Introduction
============
What is Qubes OS?
----------------
-----------------
Qubes OS is a free and open-source, security-oriented operating system for
single-user desktop computing. Qubes OS `leverages Xen-based virtualization <https://wiki.xen.org/wiki/Xen_Project_Software_Overview>`__ to allow for the creation and management of isolated compartments called :ref:`qubes <user/reference/glossary:qube>`.
@ -54,7 +54,7 @@ Features
- **Split GPG** Utilize :doc:`Split GPG </user/security-in-qubes/split-gpg>` to keep your private keys safe.
- **U2F proxy** Operate :doc:`Qubes U2F proxy </user/security-in-qubes/u2f-proxy>` to use your two-factor authentication devices without exposing your web browser to the full USB stack.
- **U2F/CTAP proxy** Operate :doc:`Qubes U2F/CTAP proxy </user/security-in-qubes/ctap-proxy>` to use your two-factor authentication devices without exposing your web browser to the full USB stack.
- **Open-source** Users are free to use, copy, and modify Qubes OS and :doc:`are encouraged to do so! </introduction/contributing>`
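Review bot: renaming the feature bullet from **U2F proxy** to **U2F/CTAP proxy** and its target from ``/user/security-in-qubes/u2f-proxy`` to ``/user/security-in-qubes/ctap-proxy`` is a content change rather than a conversion fix, and the ``:doc:`` role fails the build unless ``ctap-proxy.rst`` exists; if the page was renamed, a redirect from the old URL keeps existing external links working.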
@ -63,7 +63,7 @@ Features
Why Qubes OS?
------------
-------------
Physical isolation is a given safeguard that the digital world lacks
@ -123,7 +123,7 @@ fact, Qubes has `distinct advantages over physical air gaps <https://invisibleth
Made to support vulnerable users and power users alike
-----------------------------------------------------
------------------------------------------------------
Qubes provides practical, usable security to vulnerable and

View File

@ -248,10 +248,13 @@ Search tips
`Xen <https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+label%3A%22C%3A+Xen%22>`__,
etc.).
- Search by closure reason:
```reason:completed`` <https://github.com/QubesOS/qubes-issues/issues?q=reason%3Acompleted>`__
and
```reason:"not planned"`` <https://github.com/QubesOS/qubes-issues/issues?q=reason%3A%22not+planned%22>`__.
- Search by closure reason: |reason completed|_ and |reason notplanned|_.
.. |reason completed| replace:: ``reason:completed``
.. _reason completed: https://github.com/QubesOS/qubes-issues/issues?q=reason%3Acompleted
.. |reason notplanned| replace:: ``reason:"not planned"``
.. _reason notplanned: https://github.com/QubesOS/qubes-issues/issues?q=reason%3A%22not+planned%22
- `Search by project <https://github.com/QubesOS/qubes-issues/projects>`__.
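Review bot: the ``.. |reason completed|`` / ``.. _reason completed:`` and ``.. |reason notplanned|`` / ``.. _reason notplanned:`` definitions sit between two bullet items, so they must be indented to the bullet text column to stay inside the list item; at column 0 they terminate the list and "Search by project" starts a new one. Collecting all substitution and target definitions at the end of the file is the simpler layout. The substitution approach itself is the right fix here, since an inline literal cannot be nested inside a hyperlink.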
@ -446,8 +449,10 @@ Resolution
^^^^^^^^^^
In GitHub, an issue can be :title-reference:`closed as either ``completed`` or
``not planned`` <https://github.blog/changelog/2022-03-10-the-new-github-issues-march-10th-update/#%F0%9F%95%B5%F0%9F%8F%BD%E2%99%80%EF%B8%8F-issue-closed-reasons>`__.
In GitHub, an issue can be :title-reference:`closed as either ``completed`` or |notplanned|_.
.. |notplanned| replace:: ``not planned``
.. _notplanned: https://github.blog/changelog/2022-03-10-the-new-github-issues-march-10th-update/#%F0%9F%95%B5%F0%9F%8F%BD%E2%99%80%EF%B8%8F-issue-closed-reasons
Being closed as ``completed`` means that the issue has been fixed (in
the case of bugs) or done (in the case of enhancements and tasks). More
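Review bot: the new line still opens a ``:title-reference:`` role (":title-reference:`closed as either ``completed`` or |notplanned|_.") and never closes its backtick, so docutils will report inline-markup errors on this paragraph. The role is a remnant of the converter turning the original link into a title reference; the phrase should be plain text, "closed as either ``completed`` or |notplanned|_.", with the ``.. |notplanned|`` and ``.. _notplanned:`` definitions kept outside the paragraph (a blank line before them, or at the end of the file).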

View File

@ -18,6 +18,7 @@ September 9-11, 2022 in Berlin, Germany.
:height: 315
:width: 560
:align: left
----
@ -25,6 +26,7 @@ September 9-11, 2022 in Berlin, Germany.
:height: 315
:width: 560
:align: left
----
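Review bot: the ``----`` transitions added after ``:align: left`` in this hunk and the previous one need ordinary content on both sides; docutils rejects a transition that is immediately followed by the next section title ("Document or section may not end with a transition"), so if the line after each new ``----`` is a heading the build will report an error here.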
@ -59,10 +61,6 @@ Explaining Computers presents "Qubes OS: Security Oriented Operating System"
----------------------------------------------------------------------------
----
.. youtube:: hWDvS_Mp6gc
:height: 315
:width: 560

View File

@ -984,7 +984,7 @@ signature file has been modified. Try downloading it again or from a
different source.
Do I have to verify both the `detached PGP signature file <#how-to-verify-detached-pgp-signatures-on-qubes-isos>`__ and the `cryptographic hash values <#how-to-verify-the-cryptographic-hash-values-of-qubes-isos>`__?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
No, either method is sufficient by itself, but you can do both if you

View File

@ -156,5 +156,5 @@ to reduce the private storage of qube1 to 1GiB: Open a terminal in dom0:
If you have a SSD see :doc:`here <https://forum.qubes-os.org/t/19054>` for information on using
If you have a SSD see `here <https://forum.qubes-os.org/t/19054>`__ for information on using
fstrim.

View File

@ -11,7 +11,7 @@ List of Download Mirrors
The full list of known Qubes download mirrors is available
`here <https://www.qubes-os.org/downloads/#mirrors>__.
`here <https://www.qubes-os.org/downloads/#mirrors>`__.
Instructions for Mirror Operators
---------------------------------

View File

@ -223,26 +223,26 @@ Here are some things to consider when selecting a passphrase for your
backups:
- If you plan to store the backup for a long time or on third-party
servers, you should make sure to use a very long, high-entropy
passphrase. (Depending on the decryption passphrase you use for your
system drive, this may necessitate selecting a stronger passphrase.
If your system drive decryption passphrase is already sufficiently
strong, it may not.)
servers, you should make sure to use a very long, high-entropy
passphrase. (Depending on the decryption passphrase you use for your
system drive, this may necessitate selecting a stronger passphrase.
If your system drive decryption passphrase is already sufficiently
strong, it may not.)
- An adversary who has access to your backups may try to substitute one
backup for another. For example, when you attempt to retrieve a
recent backup, the adversary may instead give you a very old backup
containing a compromised VM. If youre concerned about this type of
attack, you may wish to use a different passphrase for each backup,
e.g., by appending a number or date to the passphrase.
backup for another. For example, when you attempt to retrieve a
recent backup, the adversary may instead give you a very old backup
containing a compromised VM. If youre concerned about this type of
attack, you may wish to use a different passphrase for each backup,
e.g., by appending a number or date to the passphrase.
- If youre forced to enter your system drive decryption passphrase in
plain view of others (where it can be shoulder-surfed), then you may
want to use a different passphrase for your backups (even if your
system drive decryption passphrase is already maximally strong). On
the other hand, if youre careful to avoid shoulder-surfing and/or
have a passphrase thats difficult to detect via shoulder-surfing,
then this may not be a problem for you.
plain view of others (where it can be shoulder-surfed), then you may
want to use a different passphrase for your backups (even if your
system drive decryption passphrase is already maximally strong). On
the other hand, if youre careful to avoid shoulder-surfing and/or
have a passphrase thats difficult to detect via shoulder-surfing,
then this may not be a problem for you.

View File

@ -62,15 +62,10 @@ Installing software from default repositories
troubleshooting.)
.. figure:: /attachment/doc/r4.1-dom0-appmenu-select.png
:alt: `The Applications tab in Qube
Settings </attachment/doc/r4.1-dom0-appmenu-select.png>`__
:alt: `The Applications tab in Qube Settings </attachment/doc/r4.1-dom0-appmenu-select.png>`__
`The Applications tab in Qube
Settings </attachment/doc/r4.1-dom0-appmenu-select.png>`__
`The Applications tab in Qube Settings </attachment/doc/r4.1-dom0-appmenu-select.png>`__
Installing software from other sources
--------------------------------------
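Review bot: ``:alt:`` takes plain text, so the hyperlink markup kept in ``:alt: `The Applications tab in Qube Settings </attachment/doc/r4.1-dom0-appmenu-select.png>`__`` ends up literally in the image's alt attribute, backticks and URL included; ``:alt: The Applications tab in Qube Settings`` is what screen readers should get. The caption line under it links to the same PNG the figure already displays, so plain caption text would do there as well.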
@ -134,11 +129,9 @@ running as a template in Qubes OS.
.. figure:: /attachment/doc/r4.1-dom0-appmenu-select.png
:alt: `The Applications tab in Qube
Settings </attachment/doc/r4.1-dom0-appmenu-select.png>`__
:alt: `The Applications tab in Qube Settings </attachment/doc/r4.1-dom0-appmenu-select.png>`__
`The Applications tab in Qube
Settings </attachment/doc/r4.1-dom0-appmenu-select.png>`__
`The Applications tab in Qube Settings </attachment/doc/r4.1-dom0-appmenu-select.png>`__
Troubleshooting
---------------
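Review bot: same ``:alt:`` problem as in the first hunk of this file: replace the link markup with plain alt text, and the caption does not need a link back to the image it captions.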

View File

@ -59,7 +59,7 @@ attach PCI-devices to a qube.
1. To reach the settings of any qube either
- Press Alt+F3 to open the application finder, type in the VM name,
select the “|appmenu|[VM-name]: Qube Settings” menu entry and
select the “\|appmenu\|[VM-name]: Qube Settings” menu entry and
press enter or click “Launch”!
- Select the VM in Qube Manager and click the settings-button or
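Review bot: escaping to ``\|appmenu\|`` makes the literal text "|appmenu|" appear in the rendered menu entry name, which looks like a placeholder for the app-menu icon carried over from the Markdown source. If the icon is the intent, define it once with ``.. |appmenu| image::`` pointing at the icon file and keep the unescaped ``|appmenu|`` substitution reference; if the literal text really is intended, the escape is correct.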

View File

@ -459,13 +459,13 @@ each destination qube to ease rules management:
.. code:: bash
nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
.. note:: the name ``custom-dnat-qubeDST`` is arbitrary
.. note::
Note: the name ``custom-dnat-qubeDST`` is arbitrary
Note: while we use a DNAT chain for a single qube, its totally
while we use a DNAT chain for a single qube, its totally
possible to have a single DNAT chain for multiple qubes
Second step, code a natting firewall rule to route traffic on the
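Review bot: the chain is created as ``custom-dnat-qubeDEST`` but the admonition says the name ``custom-dnat-qubeDST`` is arbitrary, so the two spellings should be aligned (``qubeDEST`` is what every later rule and the ``nft list`` output use). The ``.. note::`` admonition renders its own "Note" title, so the "Note:" prefix kept on the first line inside it is redundant, and the "while we use a DNAT chain for a single qube" sentence belongs in its own paragraph inside the same admonition rather than running on from the first.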
@ -473,25 +473,23 @@ outside interface for the service to the sys-firewall VM
.. code:: bash
nft add rule qubes custom-dnat-qubeDEST iif == "ens6" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
nft add rule qubes custom-dnat-qubeDEST iif == "ens6" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
Third step, code the appropriate new filtering firewall rule to allow
new connections for the service
.. code:: bash
nft add rule qubes custom-forward iif == "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
nft add rule qubes custom-forward iif == "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
Note: If you do not wish to limit the IP addresses connecting to the
.. note:: If you do not wish to limit the IP addresses connecting to the
service, remove ``ip saddr 192.168.x.y/24`` from the rules
If you want to expose the service on multiple interfaces, repeat the
steps 2 and 3 described above, for each interface. Alternatively, you
can leave out the interface completely.
If you want to expose the service on multiple interfaces, repeat the
steps 2 and 3 described above, for each interface. Alternatively, you
can leave out the interface completely.
Verify the rules on sys-net firewall correctly match the packets you
want by looking at its counters, check for the counter lines in the
@ -499,7 +497,7 @@ chains ``custom-forward`` and ``custom-dnat-qubeDEST``:
.. code:: bash
nft list table ip qubes
nft list table ip qubes
@ -508,14 +506,14 @@ in the dnat rule:
.. code:: bash
chain custom-forward {
iif "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter packets 7 bytes 448 accept
}
chain custom-dnat-qubeDEST {
type nat hook prerouting priority filter + 1; policy accept;
iif "ens6" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter packets 3 bytes 192 dnat to 10.138.33.59
}
chain custom-forward {
iif "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter packets 7 bytes 448 accept
}
chain custom-dnat-qubeDEST {
type nat hook prerouting priority filter + 1; policy accept;
iif "ens6" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter packets 3 bytes 192 dnat to 10.138.33.59
}
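Review bot: the sample ``nft list table ip qubes`` output shows ``dnat to 10.138.33.59`` while the rule the reader just entered uses ``dnat 10.137.1.z``, so the listing does not match the rule it is meant to verify; use the same placeholder in both places (the ``ip daddr 10.137.1.z`` in the forward rule of the same listing already does).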
@ -524,7 +522,7 @@ service from an external device using the following command:
.. code:: bash
telnet 192.168.x.n 443
telnet 192.168.x.n 443
@ -534,8 +532,8 @@ so they get set on sys-net start-up:
.. code:: bash
[user@sys-net user]$ sudo -i
[root@sys-net user]# nano /rw/config/qubes-firewall-user-script
[user@sys-net user]$ sudo -i
[root@sys-net user]# nano /rw/config/qubes-firewall-user-script
@ -543,17 +541,17 @@ Content of ``/rw/config/qubes-firewall-user-script`` in ``sys-net``:
.. code:: bash
#!/bin/sh
# create the dnat chain for qubeDEST if it doesn't already exist
if nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
then
# create the dnat rule
nft add rule qubes custom-dnat-qubeDEST iif == "ens6" saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
# allow forwarded traffic
nft add rule qubes custom-forward iif == "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
fi
#!/bin/sh
# create the dnat chain for qubeDEST if it doesn't already exist
if nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
then
# create the dnat rule
nft add rule qubes custom-dnat-qubeDEST iif == "ens6" saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
# allow forwarded traffic
nft add rule qubes custom-forward iif == "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
fi
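Review bot: the dnat rule in this script, ``nft add rule qubes custom-dnat-qubeDEST iif == "ens6" saddr 192.168.x.y/24 ...``, lacks the ``ip`` family keyword before ``saddr`` that the interactive form of the same rule has (``ip saddr 192.168.x.y/24``); nft rejects the line as written, so the script creates the chain but never installs the DNAT rule. Separately, the guard ``if nft add chain ...`` does not do what its comment says: ``nft add chain`` succeeds when the chain already exists, so both rules are appended again on every run; ``nft create chain`` returns an error if the chain exists and gives the run-once behaviour the comment describes.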
@ -569,7 +567,7 @@ routing rules:
.. code:: bash
nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
@ -578,7 +576,7 @@ outside interface for the service to the destination qube
.. code:: bash
nft add rule qubes custom-dnat-qubeDEST iif == "eth0" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
nft add rule qubes custom-dnat-qubeDEST iif == "eth0" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
@ -587,11 +585,11 @@ new connections for the service
.. code:: bash
nft add rule qubes custom-forward iif == "eth0" ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
nft add rule qubes custom-forward iif == "eth0" ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
Note: If you do not wish to limit the IP addresses connecting to the
.. note:: If you do not wish to limit the IP addresses connecting to the
service, remove ``ip saddr 192.168.x.y/24`` from the rules
Once you have confirmed that the counters increase, store these commands
@ -599,9 +597,8 @@ in the script ``/rw/config/qubes-firewall-user-script``
.. code:: bash
[user@sys-net user]$ sudo -i
[root@sys-net user]# nano /rw/config/qubes-firewall-user-script
[user@sys-net user]$ sudo -i
[root@sys-net user]# nano /rw/config/qubes-firewall-user-script
Content of ``/rw/config/qubes-firewall-user-script`` in
@ -609,17 +606,17 @@ Content of ``/rw/config/qubes-firewall-user-script`` in
.. code:: bash
#!/bin/sh
# create the dnat chain for qubeDEST if it doesn't already exist
if nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
then
# create the dnat rule
nft add rule qubes custom-dnat-qubeDEST iif == "eth0" tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
# allow forwarded traffic
nft add rule qubes custom-forward iif == "eth0" ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
fi
#!/bin/sh
# create the dnat chain for qubeDEST if it doesn't already exist
if nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
then
# create the dnat rule
nft add rule qubes custom-dnat-qubeDEST iif == "eth0" tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
# allow forwarded traffic
nft add rule qubes custom-forward iif == "eth0" ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
fi
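Review bot: in this script the dnat rule (``iif == "eth0" tcp dport 443 ... dnat 10.137.0.xx``) carries no ``ip saddr 192.168.x.y/24`` restriction while the forward rule right below it keeps ``ip saddr 192.168.x.y/24``, which differs from the two interactive rules above that both have the restriction; with this mix, connections from other source networks are DNATed but not matched by the forward rule, so use one form for both rules (the note above says to remove ``ip saddr`` from the rules together). The ``if nft add chain`` guard has the same problem as in the sys-firewall script: ``add`` succeeds on an existing chain, so the rules are duplicated on re-runs, whereas ``nft create chain`` is the existence check the comment describes.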
@ -638,7 +635,7 @@ The according rule to allow the traffic is:
.. code:: bash
nft add rule qubes custom-input tcp dport 443 ip daddr 10.137.0.xx ct state new,established,related counter accept
nft add rule qubes custom-input tcp dport 443 ip daddr 10.137.0.xx ct state new,established,related counter accept
@ -647,8 +644,8 @@ To make it persistent, you need to add this command in the script
.. code:: bash
[user@qubeDEST user]$ sudo -i
[root@qubeDEST user]# echo 'nft add rule qubes custom-input tcp dport 443 ip daddr 10.137.0.xx ct state new,established,related counter accept' >> /rw/config/rc.local
[user@qubeDEST user]$ sudo -i
[root@qubeDEST user]# echo 'nft add rule qubes custom-input tcp dport 443 ip daddr 10.137.0.xx ct state new,established,related counter accept' >> /rw/config/rc.local
@ -686,7 +683,7 @@ run this command:
.. code:: bash
tcpdump -i eth0 -nn dst port 443 and src net 192.168.x.y/24
tcpdump -i eth0 -nn dst port 443 and src net 192.168.x.y/24
@ -709,7 +706,7 @@ You can dump the ruleset in two files using the following command:
.. code:: bash
nft list ruleset | tee nft_backup | tee nft_new_ruleset
nft list ruleset | tee nft_backup | tee nft_new_ruleset
@ -720,6 +717,4 @@ You can revert to the original ruleset with the following commands:
.. code:: bash
nft flush ruleset && nft -f nft_backup
nft flush ruleset && nft -f nft_backup

View File

@ -147,11 +147,10 @@ available templates. To install a template, use:
You can also use ``qvm-template`` to upgrade or reinstall templates.
| Repo definitions are stored in ``/etc/qubes/repo-templates`` and
associated keys in ``/etc/qubes/repo-templates/keys``.
| Repo definitions are stored in ``/etc/qubes/repo-templates`` and associated keys in ``/etc/qubes/repo-templates/keys``.
| There are additional repos for testing releases and community
templates. To temporarily enable any of these repos, use the
``--enablerepo=<repo-name>`` option. E.g. :
| templates. To temporarily enable any of these repos, use the
| ``--enablerepo=<repo-name>`` option. E.g. :
.. code:: bash
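Review bot: the ``|`` line-block markers kept on "| There are additional repos...", "| templates. To temporarily enable..." and "| ``--enablerepo=<repo-name>`` option. E.g. :" turn each source line into a hard line break, so the paragraph renders with forced ragged breaks; the Markdown original was ordinary paragraph text, so drop the ``|`` prefixes (as was done for the "Repo definitions" sentence) and let it reflow. "E.g. :" also has a stray space before the colon.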
@ -388,22 +387,22 @@ changes in the parent template.
:header-rows: 1
* - Qube Type
- Inheritance1
- Persistence2
* - t emplate
- Inheritance [#f1]_
- Persistence [#f2]_
* - template
- N/A (templates cannot be based on templates)
- everything
* - app qube3
* - app qube [#f3]_
- /etc/skel to /home; /usr/local.orig to /usr/local
- /rw (includes /home, /usr/local, and bind-dirs)
* - dispo sable
* - disposable
- /rw (includes /home, /usr/local, and bind-dirs)
- nothing
| 1Upon creation
| 2Following shutdown
| 3Includes :ref:`disposable templates <user/reference/glossary:disposable template>`
.. [#f1] Upon creation
.. [#f2] Following shutdown
.. [#f3] Includes :ref:`disposable templates <user/reference/glossary:disposable template>`
Trusting your templates
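Review bot: the ``.. [#f1]``, ``.. [#f2]`` and ``.. [#f3]`` definitions directly below the list-table must be dedented to column 0; if they sit at the row indentation they become part of the last cell. Auto-numbered labels are file-global, so the same ``#f1`` label must not be reused for a different footnote elsewhere in this page. Fixing "t emplate" and "dispo sable" here is right.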
@ -527,7 +526,7 @@ Important Notes
- ``qvm-trim-template`` is no longer necessary or available in Qubes
4.0 and higher. All qubes are created in a thin pool and trimming is
handled automatically. No user action is required. See :doc:`Disk Trim <https://forum.qubes-os.org/t/19054>` for more information.
handled automatically. No user action is required. See `Disk Trim <https://forum.qubes-os.org/t/19054>`__ for more information.
- RPM-installed templates are “system managed” and therefore cannot be
backed up using Qubes built-in backup function. In order to ensure

View File

@ -120,13 +120,11 @@ BOOT DEVICE, which can be repaired as described above.
After successful uninstallation of the PV disk drivers, the disks will
appear as QEMU ATA disks.
:warning:
.. warning::
**Caution:** This change may lead Windows to declare that the
SYSTEM MESSAGE for: /home/user/qubes-doc-rst2/user/templates/windows/migrate-to-4-1.rst:100: (WARNING/2) Field list ends without a blank line; unexpected unindent.
Field list ends without a blank line; unexpected unindent.
hardware has changed and that in consequence, the activation is no
longer valid, possibly complaining that the use of the software is no
longer lawful. It should be possible to reactivate the software if a
valid product key is provided.
hardware has changed and that in consequence, the activation is no
longer valid, possibly complaining that the use of the software is no
longer lawful. It should be possible to reactivate the software if a
valid product key is provided.
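Review bot: the removed lines beginning ``SYSTEM MESSAGE for: /home/user/qubes-doc-rst2/user/templates/windows/migrate-to-4-1.rst:100`` are a docutils error that the conversion tool wrote into the page content, so it is worth grepping the whole tree for ``SYSTEM MESSAGE`` to catch other files with the same remnant. Inside the new ``.. warning::`` the leading **Caution:** duplicates the admonition's own title; if that wording is wanted, ``.. caution::`` is a built-in admonition.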

View File

@ -697,7 +697,7 @@ automatically, try to start Windows in safe mode (see above) and 1)
disable automatic restart on BSOD (Control Panel - System - Advanced
system settings - Advanced - Startup and recovery), 2) check the system
event log for BSOD events. If you can, send the ``memory.dmp`` dump file
from ``c:\Windows``. Xen logs (/var/log/xen/console/guest-*) are also
from ``c:\Windows``. Xen logs (``/var/log/xen/console/guest-*``) are also
useful as they contain pvdrivers diagnostic output.
If a specific component is malfunctioning, you can increase its log
@ -710,44 +710,32 @@ Below is a list of components:
:header-rows: 1
* - qrexec-agent
- Responsible for most communication with Qubes (dom0
* - and other domains), secure clipboard, file copying, qrexec services.
- Responsible for most communication with Qubes (dom0 and other domains), secure clipboard, file copying, qrexec services.
* - qrexec-wrapper
- Helper executable thats responsible for launching
* - qrexec services, handling their I/O and vchan communication.
- Helper executable thats responsible for launching qrexec services, handling their I/O and vchan communication.
* - qrexec-client-vm
- Used for communications by the qrexec protocol.
* - qga
- Gui agent.
-
- QgaWatchdog
- Service that monitors session/desktop
* - changes (logon/logoff/locking/UAC…) and simulates SAS sequence
* - (ctrl-alt-del).
-
- qubesdb-daemon
- Service for accessing Qubes
* - configuration database.
-
- network-setup
- Service that sets up network
* - parameters according to VMs configuration.
-
- prepare-volume
- Utility
* - that initializes and formats the disk backed by private.img file.
* - Its registered to run on next system boot during QWT setup, if that
* - feature is selected (it cant run during the setup because Xen block
* - device drivers are not yet active). It in turn registers move-profiles
* - (see below) to run at early boot.
-
- relocate-dir
* - QgaWatchdog
- Service that monitors session/desktop changes (logon/logoff/locking/UAC…) and simulates SAS sequence (ctrl-alt-del).
* - qubesdb-daemon
- Service for accessing Qubes configuration database.
* - network-setup
- Service that sets up network parameters according to VMs configuration.
* - prepare-volume
- Utility that initializes and formats the disk backed by private.img file.
Its registered to run on next system boot during QWT setup, if that
feature is selected (it cant run during the setup because Xen block
device drivers are not yet active). It in turn registers move-profiles
(see below) to run at early boot.
* - relocate-dir
- Utility that moves
* - user profiles directory to the private disk. Its registered as an early
* - boot native executable (similar to chkdsk) so it can run before any
* - profile files are opened by some other process. Its log is in a fixed
* - location: c:\move-profiles.log (it cant use our common logger
* - library so none of the log settings apply).
user profiles directory to the private disk. Its registered as an early
boot native executable (similar to chkdsk) so it can run before any
profile files are opened by some other process. Its log is in a fixed
location: c:\move-profiles.log (it cant use our common logger
library so none of the log settings apply).
Updates
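Review bot: the ``prepare-volume`` and ``relocate-dir`` cells of the new list-table have continuation lines ("Its registered to run on next system boot...", "user profiles directory to the private disk...") that must be indented to the column after "- " to remain part of the cell; one line at a different indent breaks the table and Sphinx reports a malformed list-table. Two small points: ``c:\move-profiles.log`` should be an inline literal like ``c:\Windows`` in the previous hunk, and the ``qga`` description reads "Gui agent." where the rest of the page writes GUI.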