162 Commits

Author SHA1 Message Date
Snowy Marmot
dad1f6a723
Update per review
Update with suggested wording per talex5
2019-12-14 00:24:55 +00:00
Snowy Marmot
315fe4681e
Note that AppVM Size may need to increase
Add note that AppVM used to build from source may need a private image larger than the default 2048MB.
2019-11-27 16:01:58 +00:00
Thomas Leonard
706be3d823
Merge pull request #81 from talex5/upstream-updates
Fix build
2019-11-18 09:46:14 +00:00
Thomas Leonard
930d209cdb Fix build
- A new ocaml-migrate-parsetree.1.4.0 was released, replacing the old
  1.4.0 with new code. This was rejected by the checksum test.
  Fixed by updating to the latest opam-repository.
  See: https://github.com/ocaml/opam-repository/pull/15294

- The latest opam-repository pulls in mirage 3.7, which doesn't work
  (`No available version of mirage-clock satisfies the constraints`), so
  pin the previous mirage 3.5.2 version instead.

- Mirage now generates `.merlin`, so remove it from Git.
2019-11-17 14:33:56 +00:00
Thomas Leonard
32e4b8a31a
Merge pull request #80 from talex5/upstream-updates
Upstream updates
2019-08-25 19:09:54 +01:00
Thomas Leonard
49195ed5e1 Update Docker build for new mirage-xen
Also, switched to the experimental new OCurrent images, as they are much
smaller:

- Before: 1 GB (ocaml/opam2:debian-10-ocaml-4.08)
- Now:  309 MB (ocurrent/opam:alpine-3.10-ocaml-4.08)
2019-08-25 19:01:22 +01:00
xaki23
bc7706cc97
rename things for newer mirage-xen versions
2019-08-25 18:12:59 +02:00
xaki23
3fefba21a7
bump OCAML_VERSION to 4.08.1
2019-08-25 18:12:17 +02:00
Thomas Leonard
b8a310dfa6
Merge pull request #75 from talex5/upstream-updates
Update to latest ipaddr
2019-07-28 17:48:09 +01:00
xaki23
cac3e53be1 README: create the symlink-redirected docker dir
Otherwise, installing the docker package removes the dangling symlink.
2019-07-28 17:35:59 +01:00
Thomas Leonard
ce29c09f0f Show final sha256 checksum in Travis output
2019-07-28 17:08:10 +01:00
Thomas Leonard
8b411db751 Removed some hard-coded installs from Dockerfile
There's no advantage to installing these manually, and with the current
version of mirage they had to be downgraded again in the next step.
2019-07-28 16:49:16 +01:00
xaki23
16231e2e52 Adjust to ipaddr-4.0.0 renaming _bytes to _octets
2019-07-28 16:49:04 +01:00
xaki23
cb6d03d83d Use OCaml 4.08.0 for qubes-builder builds (was 4.07.1)
2019-07-28 16:43:04 +01:00
Thomas Leonard
aeaab0f078
Merge pull request #72 from talex5/unpin-netchannel
Remove netchannel pin
2019-06-22 15:34:30 +01:00
Thomas Leonard
f9856a3605 Remove netchannel pin
Version 1.11.0 has been released now, and the current trunk doesn't
build without updating other things. The error was:

    File "lib/xenstore.ml", line 165, characters 19-34:
    Error: The module OS is an alias for module Os_xen, which is missing
        ocamlopt lib/.netchannel.objs/native/netchannel__Backend.{cmx,o} (exit 2)
    (cd _build/default && /home/opam/.opam/4.07/bin/ocamlopt.opt -w -40 -g -I lib/.netchannel.objs/byte -I lib/.netchannel.objs/native -I /home/opam/.opam/4.07/lib/base/caml -I /home/opam/.opam/4.07/lib/bigarray-compat -I /home/opam/.opam/4.07/lib/bytes -I /home/opam/.opam/4.07/lib/cstruct -I /home/opam/.opam/4.07/lib/fmt -I /home/opam/.opam/4.07/lib/io-page -I /home/opam/.opam/4.07/lib/io-page-x[...]
    File "lib/backend.ml", line 23, characters 16-29:
    Error: The module OS is an alias for module Os_xen, which is missing

Reported by ronpunz in https://groups.google.com/forum/#!topic/qubes-users/PsYUXvypPDs
2019-06-22 14:57:04 +01:00
Thomas Leonard
e7eb4412ed
Merge pull request #71 from talex5/remove-cmdliner-pin
Remove cmdliner pin as 1.0.4 is now released
2019-06-22 14:40:44 +01:00
Thomas Leonard
d36ecf96af Remove cmdliner pin as 1.0.4 is now released
Reverts 06511e076f
2019-06-15 12:57:37 +01:00
Thomas Leonard
448ba654fb
Merge pull request #69 from jaseg/patch-1
Fix ln(1) call in build instructions
2019-05-31 09:06:09 +01:00
jaseg
0a4b01a841
Fix ln(1) call in build instructions
The arguments were backwards. [```ln``` takes the link target first, then the link name](https://linux.die.net/man/1/ln).
2019-05-31 12:50:33 +09:00
yomimono
7d22eafa59
Merge pull request #68 from talex5/updatevm
Note that mirage-firewall cannot be used as UpdateVM
2019-05-29 17:55:25 -05:00
yomimono
0c571a0601
Merge pull request #67 from talex5/fix-typo
Fix typos in docs
2019-05-29 17:54:51 -05:00
Thomas Leonard
3ab7284a64 Note that mirage-firewall cannot be used as UpdateVM
Reported at: https://groups.google.com/forum/#!topic/qubes-users/YPFtbwyoUjc
2019-05-29 15:25:10 +01:00
Thomas Leonard
de7d05ebfa Fix typos in docs
2019-05-29 09:01:08 +01:00
yomimono
adb451e7e3
Merge pull request #66 from talex5/add-changelog
Add CHANGELOG
v0.6
2019-05-28 15:25:48 -05:00
Thomas Leonard
ee97d67c84 Add CHANGELOG
Older entries are imported from the release notes. The 0.6 ones are from
the Git commits.
2019-05-28 21:09:52 +01:00
yomimono
c55819ffdf
Merge pull request #64 from talex5/combine-ips
Combine Client_gateway and Firewall_uplink
2019-05-16 18:03:59 -04:00
Thomas Leonard
672c82c43c Combine Client_gateway and Firewall_uplink
Before, we used Client_gateway for the IP address of the firewall on the
client network and Firewall_uplink for its address on the uplink
network. However, Qubes 4 uses the same IP address for both, so we can't
separate these any longer, and there doesn't seem to be any advantage to
keeping them separate anyway.
2019-05-16 19:30:51 +01:00
Thomas Leonard
a93bb954d7
Merge pull request #54 from talex5/rule-examples
Allow naming hosts and add examples to rules.ml
2019-05-07 10:03:42 +01:00
Thomas Leonard
691c4ae745 Update build hash
2019-05-06 10:37:24 +01:00
Thomas Leonard
e15fc8c219 Make example rule more restrictive
In the (commented-out) example rules, instead of allowing any client to
continue a TCP flow with any other client, just allow Untrusted to reply
to Dev. This is all that is needed to make the SSH example work.
2019-05-06 10:35:51 +01:00
Thomas Leonard
eec1e985e5 Add overview of the main components of the firewall
2019-05-06 10:35:51 +01:00
Thomas Leonard
b60d098e96 Give exact types for Packet.src
Before, the packet passed to rules.ml could have any host as its src.
Now, `from_client` knows that `src` must be a `Client`, and `from_netvm`
knows that `src` is `External` or `NetVM`.
2019-05-06 10:35:51 +01:00
Thomas Leonard
189a736368 Add some types to the rules
Before, we inferred the types from rules.ml and then the compiler
checked that it was consistent with what firewall.ml expected. If it
wasn't it reported the problem as being with firewall.ml, which could be
confusing to users.
2019-05-06 10:35:51 +01:00
Thomas Leonard
acf46b4231 Allow naming hosts and add examples to rules.ml
Previously we passed in the interface, from which it was possible (but
a little difficult) to extract the IP address and compare with some
predefined ones. Now, we allow the user to list IP addresses and named
tags for them, which can be matched on easily.

Added example rules showing how to block access to an external service
or allow SSH between AppVMs.

Requested at
https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ.
2019-05-06 10:35:51 +01:00
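The three commits above (named host tags in rules.ml, exact types for `Packet.src`, and the narrowed client-to-client example that lets only Untrusted reply to Dev) describe a design rather than show it. The following is an added example that models that design in Python; it is not the project's OCaml rules.ml and the function and field names, the sample subnet, the tagged addresses and the blocked external address are all constructed for the illustration. "Reply" is modelled as a TCP segment that is not a bare SYN, which is an assumption about the original rule; note that such flag-based matching is stateless, so a client can forge an ACK-only segment and the rule will accept it, which is why the Dev-to-Untrusted direction is still limited to port 22.

```python
"""Model of the rules.ml design from the commit messages: IPs carry named
tags, from_client/from_netvm each receive a src of the kind they expect, and
clients are isolated except for the SSH example. Added illustration only."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Union

# Constructed sample topology (assumption; not the project's defaults).
CLIENT_NET = IPv4Network("10.137.0.0/24")   # AppVMs behind the firewall
NETVM_IP = IPv4Address("10.137.1.1")        # upstream NetVM
NAMED_HOSTS = {                              # "list IP addresses and named tags for them"
    IPv4Address("10.137.0.10"): "Dev",
    IPv4Address("10.137.0.11"): "Untrusted",
}
BLOCKED_SERVICE = IPv4Address("192.0.2.1")  # "block access to an external service" (sample)


class Action(Enum):
    ACCEPT = "accept"
    DROP = "drop"
    NAT = "nat"  # forward via the uplink, source-NATed


@dataclass(frozen=True)
class Client:
    ip: IPv4Address

    @property
    def tag(self) -> Optional[str]:
        """Named tag for this client, or None if it is not listed."""
        return NAMED_HOSTS.get(self.ip)


@dataclass(frozen=True)
class NetVM:
    ip: IPv4Address


@dataclass(frozen=True)
class External:
    ip: IPv4Address


Host = Union[Client, NetVM, External]


@dataclass(frozen=True)
class Packet:
    src: Host
    dst: Host
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    syn_only: bool = False      # TCP SYN without ACK: a new connection attempt


def classify(ip: IPv4Address) -> Host:
    """Turn a raw address into the host kind the rules match on."""
    if ip in CLIENT_NET:
        return Client(ip)
    if ip == NETVM_IP:
        return NetVM(ip)
    return External(ip)


def from_client(pkt: Packet) -> Action:
    """Packets arriving on a client interface: src is always a Client here."""
    assert isinstance(pkt.src, Client)
    if isinstance(pkt.dst, External) and pkt.dst.ip == BLOCKED_SERVICE:
        return Action.DROP
    if isinstance(pkt.dst, Client):
        if (pkt.src.tag, pkt.dst.tag, pkt.proto, pkt.dport) == ("Dev", "Untrusted", "tcp", 22):
            return Action.ACCEPT              # Dev may open SSH to Untrusted
        if (pkt.src.tag, pkt.dst.tag, pkt.proto) == ("Untrusted", "Dev", "tcp") and not pkt.syn_only:
            return Action.ACCEPT              # Untrusted may only continue a flow back to Dev
        return Action.DROP                    # clients are isolated from each other by default
    return Action.NAT                         # anything else leaves via the uplink


def from_netvm(pkt: Packet) -> Action:
    """Packets arriving from the uplink: src is External or NetVM, never a Client."""
    assert isinstance(pkt.src, (External, NetVM))
    return Action.DROP                        # nothing unsolicited is forwarded to clients


def evaluate(src: str, dst: str, proto: str,
             dport: Optional[int] = None, syn_only: bool = False) -> Action:
    """Classify both ends, then dispatch to the rule set for the arrival side."""
    pkt = Packet(classify(IPv4Address(src)), classify(IPv4Address(dst)), proto, dport, syn_only)
    return from_client(pkt) if isinstance(pkt.src, Client) else from_netvm(pkt)
```

The dispatch in `evaluate` is what gives each rule function its guarantee about `src`: `from_client` never has to consider an External source, so a typo in a rule that compares `src` against an external tag fails in the rule, not somewhere in the firewall core.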
Thomas Leonard
433f3e8f01
Merge pull request #61 from talex5/fix-mac
Force backend MAC to fe:ff:ff:ff:ff:ff to fix HVM clients
2019-05-06 10:32:50 +01:00
Thomas Leonard
d7b376d373 Respond to ARP requests for *.*.*.1
This is a work-around to get DHCP working with HVM domains.
See: https://github.com/QubesOS/qubes-issues/issues/5022
2019-05-06 09:57:47 +01:00
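The ARP work-around above is stated in one line. As an added example (not the project's code, and the MAC and IP addresses are constructed), here is a Python model of the behaviour: parse an Ethernet/ARP request, and when the target protocol address ends in .1, answer it with the firewall's own MAC; any other target, and any frame that is not an IPv4-over-Ethernet ARP request, is ignored. Answering with the firewall's MAC is an assumption about the original; the check worth keeping is that only requests, never replies, are answered, otherwise two firewalls on a link would answer each other indefinitely.

```python
"""Model of the ARP work-around: claim any IPv4 address whose last octet is 1.
Added illustration, not the firewall's own implementation."""
import struct
from ipaddress import IPv4Address
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

# Constructed sample addresses (assumption; not Qubes defaults).
FIREWALL_MAC = bytes.fromhex("00163e000001")
CLIENT_MAC = bytes.fromhex("00163e000002")
CLIENT_IP = IPv4Address("10.137.0.5")
BROADCAST = b"\xff" * 6


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the fields of an IPv4-over-Ethernet ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": IPv4Address(spa), "tha": tha, "tpa": IPv4Address(tpa)}


def arp_request(sender_mac: bytes, sender_ip: IPv4Address, target_ip: IPv4Address) -> bytes:
    """Build the broadcast 'who has target_ip?' request a client would send."""
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST,
                       sender_mac, sender_ip.packed, b"\x00" * 6, target_ip.packed)
    return ETH_HDR.pack(BROADCAST, sender_mac, ETH_P_ARP) + arp


def sample_request(target_ip: str) -> bytes:
    """Constructed request from the sample client for the given target address."""
    return arp_request(CLIENT_MAC, CLIENT_IP, IPv4Address(target_ip))


def gateway_arp_reply(frame: bytes, our_mac: bytes) -> Optional[bytes]:
    """If frame is an ARP request for an address ending in .1, return a reply claiming it."""
    req = parse_arp(frame)
    if req is None or req["oper"] != ARP_REQUEST:
        return None                           # ignore replies and non-ARP traffic
    if req["tpa"].packed[-1] != 1:            # the work-around: only *.*.*.1
        return None
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       our_mac, req["tpa"].packed, req["sha"], req["spa"].packed)
    return ETH_HDR.pack(req["sha"], our_mac, ETH_P_ARP) + arp
```

On a /24 client network whose gateway is the .1 address this is the same as answering for the gateway itself; the point of the work-around is that the HVM stub domain asks for the .1 address during DHCP before the firewall's real address is known to it.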
Thomas Leonard
8b4cc6f5a9 Improve logging
2019-05-06 09:56:02 +01:00
Thomas Leonard
0a4dd7413c Force backend MAC to fe:ff:ff:ff:ff:ff to fix HVM clients
Xen appears to configure the same MAC address for both the frontend
and backend in XenStore. e.g.

    [tal@dom0 ~]$ xenstore-ls /local/domain/3/backend/vif/19/0
    frontend = "/local/domain/19/device/vif/0"
    mac = "00:16:3e:5e:6c:00"
    [...]

    [tal@dom0 ~]$ xenstore-ls /local/domain/19/device/vif/0
    mac = "00:16:3e:5e:6c:00"

This works if the client uses just a simple ethernet device, but fails
if it connects via a bridge. HVM domains have an associated stub domain
running qemu, which provides an emulated network device. The stub domain
uses a bridge to connect qemu's interface with eth0, and this didn't
work.

Force the use of the fixed version of mirage-net-xen, which no longer
uses XenStore to get the backend MAC, and provides a new function to get
the frontend one.
2019-05-06 09:52:46 +01:00
yomimono
65b79208a1
Merge pull request #60 from talex5/await-net-config
Wait if dom0 is slow to set the network configuration
2019-04-30 16:18:08 -05:00
yomimono
321a93aa5d
Merge pull request #58 from talex5/advisories
Link to security advisories from README
2019-04-30 16:13:40 -05:00
Thomas Leonard
9d2723a08a Require mirage-nat >= 1.2.0 for ICMP support
2019-04-28 16:10:02 +01:00
Thomas Leonard
c7fc54af02 Wait if dom0 is slow to set the network configuration
Sometimes we boot before dom0 has put the network settings in QubesDB.
If that happens, log a message, wait until the database changes, and
retry.
2019-04-28 16:08:27 +01:00
Thomas Leonard
eb14f7e777 Link to security advisories from README
Also, link from binary installation to deployment section.
2019-04-26 12:39:34 +01:00
Thomas Leonard
5e1588f861
Merge pull request #55 from talex5/fix-icmp
Upgrade to latest mirage-nat to fix ICMP
2019-04-17 11:45:40 +01:00
Thomas Leonard
45eef49c95 Upgrade to latest mirage-nat to fix ICMP
Now ping and traceroute should work.
2019-04-16 18:21:07 +01:00
yomimono
debd34cc3a
Merge pull request #52 from talex5/repro-builds
Add patch to cmdliner for reproducible build
2019-04-13 12:15:57 -05:00
yomimono
7000d9a010
Merge pull request #51 from talex5/update-docs
Clarify how to build from source
2019-04-13 12:14:14 -05:00
Thomas Leonard
5958cfed97 Clarify how to build from source
2019-04-08 10:43:30 +01:00
Thomas Leonard
06511e076f Add patch to cmdliner for reproducible build
See https://github.com/dbuenzli/cmdliner/pull/106
2019-04-08 10:35:42 +01:00