fix: dom0 as sys-git client

The salt module git.config_get does not work in Dom0 and does not have a key to set the system gitconfig.
2025-01-22 21:31:19 -05:00 · 2024-01-18 09:19:40 +01:00 · 2024-01-18 09:19:40 +01:00 · 23bccebaab
commit 23bccebaab
parent 3faa523820
5 changed files with 23 additions and 6 deletions
--- a/salt/dom0/install-dev.sls
+++ b/salt/dom0/install-dev.sls
@ -6,6 +6,9 @@ SPDX-License-Identifier: AGPL-3.0-or-later

 {% if grains['nodename'] == 'dom0' -%}

+include:
+  - sys-git.install-client
+
 "{{ slsdotpath }}-dev-updated":
  pkg.uptodate:
    - refresh: True
--- a/salt/sys-git/README.md
+++ b/salt/sys-git/README.md
@ -6,6 +6,7 @@ Git operations through Qrexec in Qubes OS.

 * [Description](#description)
 * [Alternatives comparison](#alternatives-comparison)
+* [Security](#security)
 * [Installation](#installation)
 * [Access control](#access-control)
 * [Usage](#usage)
@ -42,6 +43,11 @@ implementation:
 | Validates Git communication | False | False | True | False |
 | Verifies tag signature | False | False | True | False |

+## Security
+
+It is not possible to filter Git's stdout from a Qrexec call as it is used by
+the local running git process.
+
 ## Installation

 - Top
--- a/salt/sys-git/files/client/git-core/git-init-qrexec
+++ b/salt/sys-git/files/client/git-core/git-init-qrexec
@ -40,12 +40,12 @@ default_qube="sys-git"
 rpc_cmd="${vendor}.${rpc}+${repo}"

 if command -v qrexec-client-vm >/dev/null; then
-  exec qrexec-client-vm -- "${authority}" "${rpc_cmd}"
+  exec qrexec-client-vm -tT -- "${authority}" "${rpc_cmd}"
 elif command -v qrexec-client >/dev/null; then
  if test "${authority}" = "@default"; then
    authority="${default_qube}"
  fi
-  exec qrexec-client -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  exec qrexec-client -tT -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
 fi

 die "Qrexec programs not found: qrexec-client-vm, qrexec-client"
--- a/salt/sys-git/files/client/git-core/git-remote-qrexec-connect
+++ b/salt/sys-git/files/client/git-core/git-remote-qrexec-connect
@ -66,14 +66,14 @@ then
 fi

 if command -v qrexec-client-vm >/dev/null; then
-  log "->" qrexec-client-vm -- "${authority}" "${rpc_cmd}"
-  exec qrexec-client-vm -- "${authority}" "${rpc_cmd}"
+  log "->" qrexec-client-vm -T -- "${authority}" "${rpc_cmd}"
+  exec qrexec-client-vm -T -- "${authority}" "${rpc_cmd}"
 elif command -v qrexec-client >/dev/null; then
  if test "${authority}" = "@default"; then
    authority="${default_qube}"
  fi
-  log "->" qrexec-client -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
-  exec qrexec-client -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  log "->" qrexec-client -T -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
+  exec qrexec-client -T -d "${authority}" -- "DEFAULT:QUBESRPC ${rpc_cmd} dom0"
 fi

 die "Qrexec programs not found: qrexec-client-vm, qrexec-client"
--- a/salt/sys-git/install-client.sls
+++ b/salt/sys-git/install-client.sls
@ -29,6 +29,9 @@ include:
    'RedHat': {
      'exec_path': '/usr/libexec/git-core',
    },
+    'Qubes OS': {
+      'exec_path': '/usr/libexec/git-core',
+    },
 }.get(grains.os_family) -%}

 "{{ slsdotpath }}-install-client-git-core-dir":
@ -46,3 +49,8 @@ include:
      - mode
      - user
      - group
+
+"{{ slsdotpath }}-install-client-allow-protocol":
+  cmd.run:
+    - name: git config --system protocol.qrexec.allow always
+    - runas: root