feat: use native TCP socket with Qrexec

2025-03-24 16:16:44 -04:00 · 2024-06-25 01:28:53 +02:00 · 2024-06-25 01:28:53 +02:00 · 4facf458b7
commit 4facf458b7
parent 95289ed19a
10 changed files with 63 additions and 57 deletions
--- a/salt/sys-net/files/server/rpc/qusal.ConnectTCP
+++ b/salt/sys-net/files/server/rpc/qusal.ConnectTCP
@ -34,4 +34,4 @@ if test "${#port}" -gt 5 || test "${port}" -gt 65535; then
  exit 1
 fi

-exec socat - "TCP:${host}:${port}"
+exec socat STDIO "TCP:${host}:${port}"
--- a/salt/sys-print/files/server/rpc/qusal.Print
+++ b/salt/sys-print/files/server/rpc/qusal.Print
@ -1,7 +0,0 @@
-#!/bin/sh
-# SPDX-FileCopyrightText: 2023 unman <unman@thirdeyesecurity.org>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-set -eu
-exec socat STDIO TCP:localhost:631
--- a/salt/sys-print/install-client.sls
+++ b/salt/sys-print/install-client.sls
@ -5,6 +5,15 @@ SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}

+"{{ slsdotpath }}-installed-client":
+  pkg.installed:
+    - require:
+      - sls: utils.tools.common.update
+    - install_recommends: False
+    - skip_suggestions: True
+    - pkgs:
+      - socat
+
 "{{ slsdotpath }}-client-systemd-print-forwarder":
  file.managed:
    - name: /usr/lib/systemd/system/qusal-print-forwarder.service
--- a/salt/sys-print/install.sls
+++ b/salt/sys-print/install.sls
@ -43,12 +43,21 @@ include:
      - user

 "{{ slsdotpath }}-rpc":
-  file.managed:
+  file.symlink:
    - name: /etc/qubes-rpc/qusal.Print
-    - source: salt://{{ slsdotpath }}/files/server/rpc/qusal.Print
-    - mode: '0755'
+    - target: /dev/tcp/127.0.0.1/631
    - user: root
    - group: root
+    - force: True
+    - makedirs: True
+
+"{{ slsdotpath }}-rpc-config":
+  file.symlink:
+    - name: /etc/qubes/rpc-config/qusal.Print
+    - target: /etc/qubes/rpc-config/qubes.ConnectTCP
+    - user: root
+    - group: root
+    - force: True
    - makedirs: True

 "{{ slsdotpath }}-bind-dirs":
--- a/salt/sys-rsync/files/server/rpc/qusal.Rsync
+++ b/salt/sys-rsync/files/server/rpc/qusal.Rsync
@ -1,9 +0,0 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-set -eu
-
-exec socat STDIO TCP:localhost:873
--- a/salt/sys-rsync/install.sls
+++ b/salt/sys-rsync/install.sls
@ -18,7 +18,6 @@ include:
    - skip_suggestions: True
    - pkgs:
      - rsync
-      - socat
      - man-db

 "{{ slsdotpath }}-stop-rsync":
@ -42,14 +41,22 @@ include:
    - group: root
    - makedirs: True

-"{{ slsdotpath }}-set-rpc-services":
-  file.recurse:
-    - name: /etc/qubes-rpc/
-    - source: salt://{{ slsdotpath }}/files/server/rpc/
-    - dir_mode: '0755'
-    - file_mode: '0755'
+"{{ slsdotpath }}-rpc":
+  file.symlink:
+    - name: /etc/qubes-rpc/qusal.Rsync
+    - target: /dev/tcp/127.0.0.1/873
    - user: root
    - group: root
+    - force: True
+    - makedirs: True
+
+"{{ slsdotpath }}-rpc-config":
+  file.symlink:
+    - name: /etc/qubes/rpc-config/qusal.Rsync
+    - target: /etc/qubes/rpc-config/qubes.ConnectTCP
+    - user: root
+    - group: root
+    - force: True
    - makedirs: True

 {% endif -%}
--- a/salt/sys-ssh/files/server/rpc/qusal.Ssh
+++ b/salt/sys-ssh/files/server/rpc/qusal.Ssh
@ -1,9 +0,0 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-set -eu
-
-exec socat STDIO TCP:localhost:22
--- a/salt/sys-ssh/install.sls
+++ b/salt/sys-ssh/install.sls
@ -18,7 +18,6 @@ include:
    - skip_suggestions: True
    - pkgs:
      - openssh-server
-      - socat
      - man-db

 "{{ slsdotpath }}-stop-ssh":
@ -33,14 +32,22 @@ include:
  service.masked:
    - name: ssh

-"{{ slsdotpath }}-set-rpc-services":
-  file.recurse:
-    - name: /etc/qubes-rpc/
-    - source: salt://{{ slsdotpath }}/files/server/rpc/
-    - dir_mode: '0755'
-    - file_mode: '0755'
+"{{ slsdotpath }}-rpc":
+  file.symlink:
+    - name: /etc/qubes-rpc/qusal.Ssh
+    - target: /dev/tcp/127.0.0.1/22
    - user: root
    - group: root
+    - force: True
+    - makedirs: True
+
+"{{ slsdotpath }}-rpc-config":
+  file.symlink:
+    - name: /etc/qubes/rpc-config/qusal.Ssh
+    - target: /etc/qubes/rpc-config/qubes.ConnectTCP
+    - user: root
+    - group: root
+    - force: True
    - makedirs: True

 "{{ slsdotpath }}-sshd-config":
--- a/salt/sys-syncthing/files/server/rpc/qusal.Syncthing
+++ b/salt/sys-syncthing/files/server/rpc/qusal.Syncthing
@ -1,9 +0,0 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-set -eu
-
-exec socat STDIO TCP:localhost:22000
--- a/salt/sys-syncthing/install.sls
+++ b/salt/sys-syncthing/install.sls
@ -26,18 +26,26 @@ include:
      - qubes-core-agent-networking
      - syncthing
      - jq
-      - socat
      - qubes-core-agent-thunar
      - thunar
      - man-db

-"{{ slsdotpath }}-rpc-service":
-  file.managed:
+"{{ slsdotpath }}-rpc":
+  file.symlink:
    - name: /etc/qubes-rpc/qusal.Syncthing
-    - source: salt://{{ slsdotpath }}/files/server/rpc/qusal.Syncthing
+    - target: /dev/tcp/127.0.0.1/22000
    - user: root
    - group: root
-    - mode: '0755'
+    - force: True
+    - makedirs: True
+
+"{{ slsdotpath }}-rpc-config":
+  file.symlink:
+    - name: /etc/qubes/rpc-config/qusal.Syncthing
+    - target: /etc/qubes/rpc-config/qubes.ConnectTCP
+    - user: root
+    - group: root
+    - force: True
    - makedirs: True

 "{{ slsdotpath }}-mask-syncthing":