From 563a9cfa3bba558da98d80612c81898490ef95fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Wed, 18 Jun 2025 17:58:13 +0200
Subject: [PATCH 1/2] Add qubes.VMRootExec service Make the single-command call work with root too
---
 debian/qubes-core-agent.install | 1 +
 qubes-rpc/Makefile | 1 +
 qubes-rpc/qubes.VMRootExec | 3 +++
 rpm_spec/core-agent.spec.in | 1 +
 4 files changed, 6 insertions(+)
 create mode 100755 qubes-rpc/qubes.VMRootExec
diff --git a/debian/qubes-core-agent.install b/debian/qubes-core-agent.install
index 0cf9e04d4..02fce3b6b 100644
--- a/debian/qubes-core-agent.install
+++ b/debian/qubes-core-agent.install
@@ -36,6 +36,7 @@ etc/qubes-rpc/qubes.VMShell
 etc/qubes-rpc/qubes.VMRootShell
 etc/qubes-rpc/qubes.VMExec
 etc/qubes-rpc/qubes.VMExecGUI
+etc/qubes-rpc/qubes.VMRootExec
 etc/qubes-rpc/qubes.WaitForSession
 etc/qubes-rpc/qubes.WaitForRunningSystem
 etc/qubes-rpc/qubes.GetDate
diff --git a/qubes-rpc/Makefile b/qubes-rpc/Makefile
index 88120d9a8..ca80d3514 100644
--- a/qubes-rpc/Makefile
+++ b/qubes-rpc/Makefile
@@ -72,6 +72,7 @@ install:
 qubes.Filecopy qubes.OpenInVM qubes.VMShell \
 qubes.VMRootShell \
 qubes.VMExec \
+ qubes.VMRootExec \
 qubes.OpenURL \
 qubes.SuspendPre qubes.SuspendPost qubes.GetAppmenus \
 qubes.SuspendPreAll \
diff --git a/qubes-rpc/qubes.VMRootExec b/qubes-rpc/qubes.VMRootExec
new file mode 100755
index 000000000..eab322137
--- /dev/null
+++ b/qubes-rpc/qubes.VMRootExec
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/bin/qubes-vmexec "$@"
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
index 925628a11..8c5a68778 100644
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
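Review bot: Nothing in the new qubes-rpc/qubes.VMRootExec wrapper (the three-line file added above) ties it to root: its only command is `exec /usr/bin/qubes-vmexec "$@"`, so the account it runs under is decided entirely by qrexec. As of this patch that appears to mean the caller's policy line (the `user=root` setting that patch 2/2's message refers to), and patch 2/2 then moves the choice into an rpc-config file. A header comment would make that dependency visible to anyone auditing /etc/qubes-rpc: `# Runs as root only because qrexec selects the user (policy user=root or rpc-config force-user); this wrapper does not change privileges.` If the service is never meant to run unprivileged, a guard before the exec such as `[ "$(id -u)" -eq 0 ] || exit 1` would make it fail closed when that configuration is missing.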
@@ -911,6 +911,7 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/qubes-rpc/qubes.VMShell
 %config(noreplace) /etc/qubes-rpc/qubes.VMExec
 %config(noreplace) /etc/qubes-rpc/qubes.VMExecGUI
+%config(noreplace) /etc/qubes-rpc/qubes.VMRootExec
 %config(noreplace) /etc/qubes-rpc/qubes.VMRootShell
 %config(noreplace) /etc/qubes-rpc/qubes.SuspendPre
 %config(noreplace) /etc/qubes-rpc/qubes.SuspendPreAll
From 1c538af27ad2f17e45197dc62589dab378382e7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Wed, 18 Jun 2025 17:59:15 +0200
Subject: [PATCH 2/2] Use rpc-config for running qubes.VMRoot* services as root Don't require setting user=root in each policy line for them Fixes QubesOS/qubes-issues#9939
---
 debian/qubes-core-agent.install | 2 ++
 qubes-rpc/qubes.VMRootExec.config | 1 +
 qubes-rpc/qubes.VMRootShell.config | 1 +
 rpm_spec/core-agent.spec.in | 2 ++
 4 files changed, 6 insertions(+)
 create mode 100644 qubes-rpc/qubes.VMRootExec.config
 create mode 100644 qubes-rpc/qubes.VMRootShell.config
diff --git a/debian/qubes-core-agent.install b/debian/qubes-core-agent.install
index 02fce3b6b..320415ea5 100644
--- a/debian/qubes-core-agent.install
+++ b/debian/qubes-core-agent.install
@@ -55,6 +55,8 @@ etc/qubes/rpc-config/qubes.StartApp
 etc/qubes/rpc-config/qubes.InstallUpdatesGUI
 etc/qubes/rpc-config/qubes.VMShell+WaitForSession
 etc/qubes/rpc-config/qubes.VMExecGUI
+etc/qubes/rpc-config/qubes.VMRootExec
+etc/qubes/rpc-config/qubes.VMRootShell
 etc/qubes/suspend-post.d/README
 etc/qubes/suspend-post.d/*.sh
 etc/qubes/suspend-pre.d/README
diff --git a/qubes-rpc/qubes.VMRootExec.config b/qubes-rpc/qubes.VMRootExec.config
new file mode 100644
index 000000000..684ea91ed
--- /dev/null
+++ b/qubes-rpc/qubes.VMRootExec.config
@@ -0,0 +1 @@
+force-user='root'
diff --git a/qubes-rpc/qubes.VMRootShell.config b/qubes-rpc/qubes.VMRootShell.config
new file mode 100644
index 000000000..684ea91ed
--- /dev/null
+++ b/qubes-rpc/qubes.VMRootShell.config
@@ -0,0 +1 @@
+force-user='root'
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
index 8c5a68778..66defcced 100644
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@@ -943,6 +943,8 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/qubes/rpc-config/qubes.InstallUpdatesGUI
 %config(noreplace) /etc/qubes/rpc-config/qubes.VMShell+WaitForSession
 %config(noreplace) /etc/qubes/rpc-config/qubes.VMExecGUI
+%config(noreplace) /etc/qubes/rpc-config/qubes.VMRootExec
+%config(noreplace) /etc/qubes/rpc-config/qubes.VMRootShell
 %config(noreplace) /etc/default/grub.qubes # MIME stuff
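Review bot: In qubes-rpc/qubes.VMRootShell.config, `force-user='root'` changes the behaviour of a service that already ships (qubes.VMRootShell is a context line in both manifests in patch 1/2), and nothing in the series records that for administrators. Going by the key name and the commit message, any policy rule that allows qubes.VMRootShell now yields a root shell in the target whether or not the rule sets `user=root`, presumably including rules that named another user; this should be confirmed against the qrexec documentation. Existing policies are worth auditing on upgrade, and the description could say so, e.g. `Note: an allow rule for qubes.VMRootShell or qubes.VMRootExec now always runs as root; review existing policy before upgrading.` The identical line in qubes-rpc/qubes.VMRootExec.config carries less upgrade risk because that service is new in this series. It is also worth confirming that the package depends on a qrexec agent that understands `force-user`, since no dependency change is visible in these hunks.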