WIP Intial Qubes 4.2 Updater Integration

.github/workflows/ci.yml

@@ -7,7 +7,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     container:
-      image: registry.fedoraproject.org/fedora:32
+      image: registry.fedoraproject.org/fedora:37
     steps:
       - run: dnf install -y make
       - uses: actions/checkout@v4
@@ -20,7 +20,7 @@ jobs:
   build-rpm:
     runs-on: ubuntu-latest
     container:
-      image: registry.fedoraproject.org/fedora:32
+      image: registry.fedoraproject.org/fedora:37
     steps:
       - run: dnf install -y make git
       - uses: actions/checkout@v4
@@ -29,13 +29,15 @@ jobs:
           make install-deps
           pip install --require-hashes -r requirements/dev-requirements.txt
       - name: Build RPM
-        run: make build-rpm
+        run: |
+          git config --global --add safe.directory '*'
+          make build-rpm
       - name: Check reproducibility
         run: make reprotest
   launcher-tests:
     runs-on: ubuntu-latest
     container:
-      image: registry.fedoraproject.org/fedora:32
+      image: registry.fedoraproject.org/fedora:37
     steps:
       - run: dnf install -y make
       - uses: actions/checkout@v4

.github/workstation-ci.yml

@@ -1,2 +1,2 @@
 # for <https://github.com/freedomofpress/securedrop-workstation-ci>
-qubes: "4.1"
+qubes: "4.2"

Makefile

@@ -1,9 +1,11 @@
 DEFAULT_GOAL: help
-# We prefer to use python3.8 if it's availabe, as that is the version shipped
-# with Fedora 32, but we're also OK with just python3 if that's all we've got
-PYTHON3 := $(if $(shell bash -c "command -v python3.8"), python3.8, python3)
-# If we're on anything but Fedora 32, execute some commands in a container
-CONTAINER := $(if $(shell grep "Thirty Two" /etc/fedora-release),,./scripts/container.sh)
+# We prefer to use python3.11 if it's availabe, as that is the version shipped
+# with Fedora 37, but we're also OK with just python3 if that's all we've got
+PYTHON3 := $(if $(shell bash -c "command -v python3.11"), python3.8, python3)
+# If we're on anything but Fedora 37, execute some commands in a container
+# Note: if your development environment is Fedora 37 based, you may want to
+# manually prepend ./scripts/container.sh to commands you want to execute
+CONTAINER := $(if $(shell grep "Thirty Seven" /etc/fedora-release),,./scripts/container.sh)
 
 HOST=$(shell hostname)
 
@@ -34,9 +36,12 @@ build-rpm: ## Build RPM package
 
 .PHONY: reprotest
 reprotest: ## Check RPM package reproducibility
-	TERM=xterm-256color $(CONTAINER) bash -c "sudo ln -s $$PWD/scripts/fake-setarch.py /usr/local/bin/setarch && sudo reprotest 'make build-rpm' 'rpm-build/RPMS/noarch/*.rpm' --variations '+all,+kernel,-fileordering,-domain_host'"
+	TERM=xterm-256color $(CONTAINER) bash -c "sudo ln -s $$PWD/scripts/fake-setarch.py /usr/local/bin/setarch && sudo reprotest 'make build-rpm' 'rpm-build/RPMS/noarch/*.rpm' --variations '+all,+kernel,-time,-fileordering,-domain_host'"
+	@echo
+	@echo Warning! Temporarily removed time variations for reprotest.
+	@echo Suspecting upstream issues in rpm land is causing issues with 1 file\'s modification time not being clamped correctly only in a reprotest environment.
 
-# Installs Fedora 32 package dependencies, to build RPMs and run tests,
+# Installs Fedora 37 package dependencies, to build RPMs and run tests,
 # primarily useful in CI/containers
 .PHONY: install-deps
 install-deps:

bootstrap/Dockerfile

@@ -1,6 +1,6 @@
-FROM registry.fedoraproject.org/fedora:32
+FROM registry.fedoraproject.org/fedora:37
 LABEL org="Freedom of the Press"
-LABEL image_name="securedrop-workstation-qubes-4.1"
+LABEL image_name="securedrop-workstation-qubes-4.2"
 
 ARG USER_NAME
 ENV USER_NAME ${USER_NAME:-root}

dom0/sd-app.sls

@@ -47,7 +47,7 @@ sd-app-template-sync-appmenus:
   cmd.run:
     - name: >
         qvm-start --skip-if-running sd-small-{{ sdvars.distribution }}-template &&
-        qvm-sync-appmenus sd-small-{{ sdvars.distribution }}-template
+        qvm-sync-appmenus --force-root sd-small-{{ sdvars.distribution }}-template
     - require:
       - qvm: sd-small-{{ sdvars.distribution }}-template
     - onchanges:

dom0/sd-clean-all.sls

@@ -5,7 +5,7 @@
 
 set-fedora-as-default-dispvm:
   cmd.run:
-    - name: qvm-check fedora-38-dvm && qubes-prefs default_dispvm fedora-38-dvm || qubes-prefs default_dispvm ''
+    - name: qvm-check default-dvm && qubes-prefs default_dispvm default-dvm || qubes-prefs default_dispvm ''
 
 {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
 
@@ -23,7 +23,7 @@ restore-sys-usb-dispvm-halt-wait:
 restore-sys-usb-dispvm:
   qvm.prefs:
     - name: sys-usb
-    - template: fedora-38-dvm
+    - template: default-dvm
     - require:
       - cmd: restore-sys-usb-dispvm-halt-wait
       - cmd: set-fedora-as-default-dispvm
@@ -34,11 +34,11 @@ restore-sys-usb-dispvm-start:
     - require:
       - qvm: restore-sys-usb-dispvm
 
-# autoattach modifications are only present in sd-fedora-38-dvm
+# autoattach modifications are only present in sd-fedora-39-dvm
 # so no more sd-usb-autoattach-remove necessary
 remove-sd-fedora-dispvm:
   qvm.absent:
-    - name: sd-fedora-38-dvm
+    - name: sd-fedora-39-dvm
     - require:
       - qvm: restore-sys-usb-dispvm
 {% else %}

dom0/sd-clean-default-dispvm.sls

@@ -3,4 +3,4 @@
 
 set-fedora-as-default-dispvm:
   cmd.run:
-    - name: qvm-check fedora-38-dvm && qubes-prefs default_dispvm fedora-38-dvm || qubes-prefs default_dispvm ''
+    - name: qvm-check default-dvm && qubes-prefs default_dispvm default-dvm || qubes-prefs default_dispvm ''

dom0/sd-default-config.sls

@@ -28,6 +28,6 @@
 {% endif %}
 
 # Append repo URL with appropriate dom0 Fedora version
-{% set fedora_repo = "f32" %}
-{% set _ = sdvars.update({"distribution": "bullseye"}) %}
+{% set fedora_repo = "f37" %}
+{% set _ = sdvars.update({"distribution": "bookworm"}) %}
 {% set _ = sdvars.update({"dom0_yum_repo_url": sdvars["dom0_yum_repo_url"] + fedora_repo}) %}

dom0/sd-devices.sls

@@ -36,11 +36,12 @@ sd-devices-dvm:
 
 # Ensure the Qubes menu is populated with relevant app entries,
 # so that Nautilus/Files can be started via GUI interactions.
+# TODO: debian-12-minimal doesn't have passwordless root - do we want to add it?
 sd-devices-template-sync-appmenus:
   cmd.run:
     - name: >
         qvm-start --skip-if-running sd-large-{{ sdvars.distribution }}-template &&
-        qvm-sync-appmenus sd-large-{{ sdvars.distribution }}-template
+        qvm-sync-appmenus --force-root sd-large-{{ sdvars.distribution }}-template
     - require:
       - qvm: sd-large-{{ sdvars.distribution }}-template
     - onchanges:

dom0/sd-dom0-files.sls

@@ -46,31 +46,11 @@ dom0-workstation-rpm-repo:
     - require:
       - file: dom0-rpm-test-key
 
-dom0-workstation-templates-repo:
-  # Using file.blockreplace because /etc/qubes/repo-templates/ is not a .d
-  # style directory, and qvm.template_installed:fromrepo seems to only support
-  # using a repo from this file. Installing manually via a cli-command-instead?
-  file.blockreplace:
-    - name: /etc/qubes/repo-templates/qubes-templates.repo
-    - append_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        [securedrop-workstation-templates]
-        gpgcheck=1
-        gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
-        enabled=1
-        baseurl={{ sdvars.dom0_yum_repo_url }}
-        name=SecureDrop Workstation Templates repository
-    - require:
-      - file: dom0-rpm-test-key
-
-dom0-install-securedrop-workstation-template:
+# TODO: trying out debian-12-minimal - this should be parameterised
+dom0-install-debian-base-template:
   cmd.run:
     - name: >
-        qvm-template info --machine-readable securedrop-workstation-{{ sdvars.distribution }} | grep -q "installed|securedrop-workstation-{{ sdvars.distribution }}|" || qvm-template install securedrop-workstation-{{ sdvars.distribution }}
-    - require:
-      - file: dom0-workstation-rpm-repo
+        qvm-template info --machine-readable debian-12-minimal | grep -q "installed|debian-12-minimal|" || qvm-template install debian-12-minimal
 
 # Create directory for storing SecureDrop-specific icons
 dom0-securedrop-icons-directory:

dom0/sd-dom0-qvm-rpc.sls

@@ -6,105 +6,8 @@
 # As a general strategy, in addition to explicit grants, we provide
 # catch-all deny policies for SDW-provisioned VMs. Where possible,
 # we prefer to prepend SDW policies, in order to support overrides
-# for the general system. We use the 'blockreplace' Salt state
-# to achieve this for the 4.0-style grants, and order the policy
-# files numerically for the 4.1-style grants.
+# for the general system.
 #
-##
-
-# Certain policies use the legacy format (i.e. in /etc/qubes-rpc/policy/)
-# under both Qubes 4.0 & 4.1. Under 4.1, we continue to use the legacy path,
-# because the backwards-compatibility logic loads those files first,
-# via /etc/qubes/policy.d/35-compat.policy. Since first match wins,
-# we want our overrides to be present early, during the backwards compat loading.
-dom0-rpc-qubes.ClipboardPaste:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.ClipboardPaste
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @tag:sd-send-app-clipboard sd-app ask
-        sd-app @tag:sd-receive-app-clipboard ask
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.PdfConvert:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.PdfConvert
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.USB:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.USB
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        sd-devices sys-usb allow
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.ensure.USBAttach:
-  file.managed:
-    - name: /etc/qubes-rpc/policy/qubes.USBAttach
-    - contents: |
-        @anyvm @anyvm ask
-    - replace: false
-
-dom0-rpc-qubes.USBAttach:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.USBAttach
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        sys-usb sd-devices allow,user=root
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-    - require:
-      - file: dom0-rpc-qubes.ensure.USBAttach
-
-# The GPG policies still exist in the legacy location on 4.1,
-# and the legacy locations take precedence over SDW rules due
-# to the import in `/etc/qubes/policy.d/35-compat.policy`,
-# so we'll maintain them in the old location.
-dom0-rpc-qubes.Gpg:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.Gpg
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @tag:sd-client sd-gpg allow
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.GpgImportKey:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.GpgImportKey
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @tag:sd-client sd-gpg allow
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-
-# Permit the SecureDrop Proxy to manage Client connections
-dom0-rpc-securedrop.Proxy:
-  file.prepend:
-    - name: /etc/qubes-rpc/policy/securedrop.Proxy
-    - text: |
-        sd-app sd-proxy allow
-        @anyvm @anyvm deny
-
 # Qubes suggests using files starting with 70- to be the allow policies
 # and 60- deny policies, but due to the way SDW policies are stacked at the
 # moment, we reverse this suggested order
@@ -114,6 +17,27 @@ dom0-rpc-qubes.r5-format-deny:
     - contents: |
         securedrop.Log          *           @anyvm @anyvm deny
 
+        securedrop.Proxy        *           @anyvm @anyvm deny
+
+        qubes.GpgImportKey      *           @anyvm @tag:sd-workstation deny
+        qubes.GpgImportKey      *           @tag:sd-workstation @anyvm deny
+
+        qubes.Gpg               *           @anyvm @tag:sd-workstation deny
+        qubes.Gpg               *           @tag:sd-workstation @anyvm deny
+
+        qubes.USBAttach         *           @anyvm @tag:sd-workstation deny
+        qubes.USBAttach         *           @tag:sd-workstation @anyvm deny
+
+        qubes.USB               *           @anyvm @tag:sd-workstation deny
+        qubes.USB               *           @tag:sd-workstation @anyvm deny
+
+        qubes.PdfConvert        *           @anyvm @tag:sd-workstation deny
+        qubes.PdfConvert        *           @tag:sd-workstation @anyvm deny
+
+        # TODO: should this be handled with the new Global Config UI instead?
+        qubes.ClipboardPaste    *           @anyvm @tag:sd-workstation deny
+        qubes.ClipboardPaste    *           @tag:sd-workstation @anyvm deny
+
         qubes.FeaturesRequest   *           @anyvm @tag:sd-workstation deny
         qubes.FeaturesRequest   *           @tag:sd-workstation @anyvm deny
 
@@ -146,10 +70,23 @@ dom0-rpc-qubes.r5-format-ask-allow:
         securedrop.Log          *           sd-log sd-log deny notify=no
         securedrop.Log          *           @tag:sd-workstation sd-log allow
 
+        securedrop.Proxy        *           sd-app sd-proxy allow
+
+        qubes.Gpg               *           @tag:sd-client sd-gpg allow
+
+        qubes.USBAttach         *           sys-usb sd-devices allow  user=root
+        qubes.USBAttach         *           @anyvm @anyvm ask
+
+        qubes.USB               *           sd-devices sys-usb allow
+
+        # TODO: should this be handled with the new Global Config UI instead?
+        qubes.ClipboardPaste    *           @tag:sd-send-app-clipboard sd-app ask
+        qubes.ClipboardPaste    *           sd-app @tag:sd-receive-app-clipboard ask
+
         qubes.Filecopy          *           sd-log @default ask
         qubes.Filecopy          *           sd-log @tag:sd-receive-logs ask
         qubes.Filecopy          *           sd-proxy @tag:sd-client allow
 
         qubes.OpenInVM          *           @tag:sd-client @dispvm:sd-viewer allow
         qubes.OpenInVM          *           @tag:sd-client sd-devices allow
-        qubes.OpenInVM          *           sd-devices @dispvm:sd-viewer allow
+        qubes.OpenInVM          *           sd-devices @dispvm:sd-viewer allow

dom0/sd-logging-setup.sls

@@ -1,7 +1,8 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
-{% if grains['id'] in ["securedrop-workstation-bullseye", "sd-small-bullseye-template", "sd-large-bullseye-template"] %}
+# TODO: parametrise this
+{% if grains['id'] in ["sd-small-bookworm-template", "sd-large-bookworm-template"] %}
 include:
   - fpf-apt-repo