From 7c8e768b33d9cdea9f2ef55cd04c86c6f5b98dd1 Mon Sep 17 00:00:00 2001
From: Ro
Date: Mon, 17 Jun 2024 18:09:39 -0400
Subject: [PATCH] Replace sdw-login.py and xdg autostart .desktop file with systemd user unit.
---
...reedom.SecureDropUpdater@autostart.service | 24 +++++++++++++++++++
files/sdw-login.py | 23 ------------------
.../securedrop-workstation-dom0-config.spec | 8 +++++--
securedrop_salt/dom0-xfce-desktop-file.j2 | 11 ---------
securedrop_salt/sd-dom0-files.sls | 23 ------------------
5 files changed, 30 insertions(+), 59 deletions(-)
create mode 100644 files/app-press.freedom.SecureDropUpdater@autostart.service
delete mode 100644 files/sdw-login.py
delete mode 100644 securedrop_salt/dom0-xfce-desktop-file.j2
diff --git a/files/app-press.freedom.SecureDropUpdater@autostart.service b/files/app-press.freedom.SecureDropUpdater@autostart.service
new file mode 100644
index 000000000..ec67035aa
--- /dev/null
+++ b/files/app-press.freedom.SecureDropUpdater@autostart.service
@@ -0,0 +1,24 @@
+# SDW Updater systemd autostart unit: run sdw-updater (updater or login)
+# For more information about the graphical-session.target, see
+# https://manpages.debian.org/testing/systemd/systemd.special.7.en.html#Special_Passive_User_Units
+# and https://github.com/systemd/systemd/commit/c92fcc4f4375b0.
+# Additional troubleshooting may be required in some advanced cases (eg for i3 users,
+# see see https://github.com/i3/i3/issues/5186).
+# Note that the name of this unit follows a specific format, allowing for
+# compatibility with systemd's `xdg-desktop-autostart.target`.
+
+[Unit]
+Description=Start SecureDrop sdw-updater Login/Updater
+PartOf=graphical-session.target
+After=graphical-session.target
+
+[Service]
+Type=exec
+ExitType=cgroup
+ExecStart=:/usr/bin/sdw-updater
+Restart=no
+# https://www.freedesktop.org/software/systemd/man/latest/systemd.slice.html
+Slice=app.slice
+# xdg-autostart-condition OnlyShowIn="XFCE" NotShowIn=""
+# https://www.freedesktop.org/software/systemd/man/latest/systemd-xdg-autostart-generator.html
+ExecCondition=/usr/lib/systemd/systemd-xdg-autostart-condition "XFCE" ""
diff --git a/files/sdw-login.py b/files/sdw-login.py
deleted file mode 100644
index d54fd5842..000000000
--- a/files/sdw-login.py
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/usr/bin/python3
-"""
-Utility script for SecureDrop Workstation. Launches the SecureDrop Workstation
-updater on boot. It will prompt users to apply template and dom0 updates
-"""
-
-import logging
-import os
-import subprocess
-import time
-
-SCRIPT_NAME = os.path.basename(__file__)
-logger = logging.getLogger(SCRIPT_NAME)
-logging.basicConfig(level=logging.INFO)
-
-
-if __name__ == "__main__":
- # Wait for the dom0 GUI widgets to load
- # If we don't wait, a "Houston, we have a problem..." message is displayed
- # to the user.
- time.sleep(5)
-
- subprocess.check_call(["sdw-updater"])
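Review bot: The new unit file ends at `ExecCondition=` with no `[Install]` section, so the `systemctl --global enable app-press.freedom.SecureDropUpdater@autostart.service ||:` added to `%post` in the spec has nothing to link, and nothing else visible in this patch pulls the unit into the session. The updater is what prompts for dom0 and template updates at login, so a unit that never starts leaves the workstation without that prompt and without any visible error. Add `[Install]` with `WantedBy=graphical-session.target` (or `xdg-desktop-autostart.target`, if that is the intended hook) and confirm with `systemctl --user is-enabled` in a fresh session. The deleted sdw-login.py also slept 5 seconds so the dom0 GUI widgets were loaded before the updater ran; it is worth confirming that `After=graphical-session.target` gives the same guarantee.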
diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index bd5f6d2cd..3f95bf847 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec @@ -90,7 +90,6 @@ install -m 644 files/securedrop-128x128.png %{buildroot}/%{_datadir}/icons/hicol install -m 644 files/securedrop-scalable.svg %{buildroot}/%{_datadir}/icons/hicolor/scalable/apps/securedrop.svg install -m 755 files/sdw-updater.py %{buildroot}/%{_bindir}/sdw-updater install -m 755 files/sdw-notify.py %{buildroot}/%{_bindir}/sdw-notify -install -m 755 files/sdw-login.py %{buildroot}/%{_bindir}/sdw-login install -m 644 files/sdw-notify.service %{buildroot}/%{_userunitdir}/ install -m 644 files/sdw-notify.timer %{buildroot}/%{_userunitdir}/ install -m 644 files/securedrop-logind-override-disable.service %{buildroot}/%{_unitdir}/ @@ -106,6 +105,8 @@ install -m 755 -d %{buildroot}/etc/systemd/logind.conf.d/ install -m 644 files/10-securedrop-logind_override.conf %{buildroot}/etc/systemd/logind.conf.d/ install -m 644 files/securedrop-user-xfce-settings.service %{buildroot}/%{_userunitdir}/ install -m 644 files/securedrop-user-xfce-icon-size.service %{buildroot}/%{_userunitdir}/ +install -m 644 files/app-press.freedom.SecureDropUpdater@autostart.service %{buildroot}/%{_userunitdir}/ + %files %attr(755, root, root) %{_datadir}/%{name}/scripts/clean-salt @@ -115,7 +116,6 @@ install -m 644 files/securedrop-user-xfce-icon-size.service %{buildroot}/%{_user %attr(755, root, root) %{_bindir}/sdw-admin %{_datadir}/%{name}/config.json.example /srv/salt/securedrop_salt/* -%attr(755, root, root) %{_bindir}/sdw-login %attr(755, root, root) %{_bindir}/sdw-notify %attr(755, root, root) %{_bindir}/sdw-updater %attr(644, root, root) %{_datadir}/applications/press.freedom.SecureDropUpdater.desktop 
@@ -130,6 +130,7 @@ install -m 644 files/securedrop-user-xfce-icon-size.service %{buildroot}/%{_user %{_userunitdir}/sdw-notify.timer %{_userunitdir}/securedrop-user-xfce-settings.service %{_userunitdir}/securedrop-user-xfce-icon-size.service +%{_userunitdir}/app-press.freedom.SecureDropUpdater@autostart.service %{_unitdir}/securedrop-logind-override-disable.service %attr(664, root, root) /etc/qubes/policy.d/31-securedrop-workstation.policy @@ -164,6 +165,9 @@ systemctl enable securedrop-logind-override-disable.service systemctl --global enable securedrop-user-xfce-icon-size.service ||: systemctl --global enable securedrop-user-xfce-settings.service ||: +# Invoke login/updater on boot +systemctl --global enable app-press.freedom.SecureDropUpdater@autostart.service ||: + %preun # If we're uninstalling (vs upgrading) if [ $1 -eq 0 ]; then diff --git a/securedrop_salt/dom0-xfce-desktop-file.j2 b/securedrop_salt/dom0-xfce-desktop-file.j2 deleted file mode 100644 index e84ec0d1f..000000000 --- a/securedrop_salt/dom0-xfce-desktop-file.j2 +++ /dev/null @@ -1,11 +0,0 @@ -[Desktop Entry] -Encoding=UTF-8 -Version=0.9.4 -Type=Application -Name={{ desktop_name }} -Comment={{ desktop_comment }} -Exec={{ desktop_exec }} -OnlyShowIn=XFCE; -StartupNotify=false -Terminal=false -Hidden=false diff --git a/securedrop_salt/sd-dom0-files.sls b/securedrop_salt/sd-dom0-files.sls index ed3ff5391..1aa790b4f 100644 --- a/securedrop_salt/sd-dom0-files.sls +++ b/securedrop_salt/sd-dom0-files.sls 
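Review bot: The `%post` addition enables the new unit, but nothing visible in this patch removes the autostart entry that earlier installs received from Salt, `/home/{{ gui_user }}/.config/autostart/press.freedom.SecureDropUpdater.desktop` with `Exec=/usr/bin/sdw-login`; the package stops shipping that binary, so upgraded machines would keep a dangling entry. A `file.absent` state for that path in sd-dom0-files.sls would cover the upgrade case. The trailing `||:` matches the neighbouring enable lines but also hides a failed enable of the login-time update prompt, so a comment such as `# best effort: if this fails the updater will not autostart at login` would make the trade-off explicit. The `%preun` body lies outside the hunk, so whether the unit is disabled on uninstall cannot be checked from here.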
@@ -55,29 +55,6 @@ dom0-install-debian-minimal-template: {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %} -dom0-login-autostart-directory: - file.directory: - - name: /home/{{ gui_user }}/.config/autostart - - user: {{ gui_user }} - - group: {{ gui_user }} - - mode: 700 - - makedirs: True - -dom0-login-autostart-desktop-file: - file.managed: - - name: /home/{{ gui_user }}/.config/autostart/press.freedom.SecureDropUpdater.desktop - - source: "salt://securedrop_salt/dom0-xfce-desktop-file.j2" - - template: jinja - - context: - desktop_name: SDWLogin - desktop_comment: Updates SecureDrop Workstation DispVMs at login - desktop_exec: /usr/bin/sdw-login - - user: {{ gui_user }} - - group: {{ gui_user }} - - mode: 664 - - require: - - file: dom0-login-autostart-directory - dom0-securedrop-launcher-desktop-shortcut: file.managed: - name: /home/{{ gui_user }}/Desktop/press.freedom.SecureDropUpdater.desktop