diff --git a/MANIFEST.in b/MANIFEST.in
index 8863347e8..a0ef0da26 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -5,7 +5,6 @@ include dom0/*.yml
 include dom0/*.conf
 include dom0/remove-tags.py
 include dom0/securedrop-handle-upgrade
-include dom0/update-xfce-settings
 include README.md
 include LICENSE
 include VERSION
diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
index 6d92fcf9b..732ea2d3d 100644
--- a/dom0/sd-clean-all.sls
+++ b/dom0/sd-clean-all.sls
@@ -48,22 +48,6 @@ include:
 - sd-usb-autoattach-remove
 {% endif %}
-# Reset desktop icon size to its original value
-dom0-reset-icon-size-xfce:
- cmd.script:
- - name: salt://update-xfce-settings
- - args: reset-icon-size
- - runas: {{ gui_user }}
-
-# Reset power management options to their original values
-{% if d.environment == "prod" or d.environment == "staging" %}
-dom0-reset-power-management-xfce:
- cmd.script:
- - name: salt://update-xfce-settings
- - args: reset-power-management
- - runas: {{ gui_user }}
-{% endif %}
-
 # Removes all salt-provisioned files (if these files are also provisioned via
 # RPM, they should be removed as part of remove-dom0-sdw-config-files-dev)
 remove-dom0-sdw-config-files:
@@ -84,17 +68,6 @@ remove-rpc-policy-tags:
 cmd.script:
 - name: salt://remove-tags
-sd-cleanup-etc-changes:
- file.replace:
- - names:
- - /etc/systemd/logind.conf
- - pattern: '### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###\s*'
- - flags:
- - MULTILINE
- - DOTALL
- - repl: ''
- - backup: no
-
 sd-cleanup-sys-firewall:
 cmd.run:
 - names:
@@ -111,3 +84,19 @@ disable-systemd-units:
 # Even with "runas", "systemctl --user" from root will fail unless we
 # tell it explicitly how to connect to the user systemd.
 - XDG_RUNTIME_DIR: /run/user/{{ gui_user_id }}
+
+# Reset desktop icon size to its original value
+dom0-reset-icon-size-xfce:
+ cmd.script:
+ - name: /usr/bin/securedrop/update-xfce-settings
+ - args: reset-icon-size
+ - runas: {{ gui_user }}
+
+# Reset power management options to their original values
+{% if d.environment == "prod" or d.environment == "staging" %}
+dom0-reset-power-management-xfce:
+ cmd.script:
+ - name: /usr/bin/securedrop/update-xfce-settings
+ - args: reset-power-management
+ - runas: {{ gui_user }}
+{% endif %}
diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls
index a8ba7e24e..5c6ae560a 100644
--- a/dom0/sd-dom0-files.sls
+++ b/dom0/sd-dom0-files.sls
@@ -54,13 +54,6 @@ dom0-install-debian-minimal-template:
 {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
-# Increase the default icon size for the GUI user for usability/accessibility reasons
-dom0-adjust-desktop-icon-size-xfce:
- cmd.script:
- - name: salt://update-xfce-settings
- - args: adjust-icon-size
- - runas: {{ gui_user }}
-
 dom0-login-autostart-directory:
 file.directory:
 - name: /home/{{ gui_user }}/.config/autostart
@@ -123,12 +116,3 @@ dom0-write-environment-flag:
 - replace: False
 - require:
 - file: dom0-remove-old-environment-flag
-
-# Hide suspend/hibernate options in menus in prod systems
-{% if d.environment == "prod" or d.environment == "staging" %}
-dom0-disable-unsafe-power-management-xfce:
- cmd.script:
- - name: salt://update-xfce-settings
- - args: disable-unsafe-power-management
- - runas: {{ gui_user }}
-{% endif %}
diff --git a/files/logind-override-disable.service b/files/logind-override-disable.service
index 283830fc9..1461e2782 100644
--- a/files/logind-override-disable.service
+++ b/files/logind-override-disable.service
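Review bot: The relocated states `dom0-reset-icon-size-xfce` and `dom0-reset-power-management-xfce` in dom0/sd-clean-all.sls now execute `/usr/bin/securedrop/update-xfce-settings`, a file the RPM installs, with no guard for it being absent. If sd-clean-all can run after the package's files are gone (that ordering is not visible in this hunk), both states fail and the run reports errors even though nothing is left to reset. An `- onlyif: test -x /usr/bin/securedrop/update-xfce-settings` on each state would skip them cleanly. `cmd.script` is also designed to fetch its source and run a temporary copy; for a script already installed locally, `cmd.run` with the argument appended to `name` would execute the packaged file in place.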
@@ -1,11 +1,11 @@
 [Unit]
-Description=Disable power management settings
+Description=Disable logind power management customization (dev systems only)
+ConditionPathExists=/var/lib/securedrop-workstation/dev
+Before=systemd-logind.service
 [Service]
 Type=oneshot
-Before=systemd-logind.service
 ExecStart=rm -f /etc/systemd/logind.conf.d/10-logind_override.conf
-ConditionPathExists=/var/lib/securedrop-workstation/dev
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
diff --git a/dom0/update-xfce-settings b/files/update-xfce-settings
similarity index 100%
rename from dom0/update-xfce-settings
rename to files/update-xfce-settings
diff --git a/files/user-xfce-icon-size.service b/files/user-xfce-icon-size.service
new file mode 100644
index 000000000..243af53e8
--- /dev/null
+++ b/files/user-xfce-icon-size.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Enlarge XFCE icon size for SDW
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/securedrop/update-xfce-settings adjust-icon-size
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/files/user-xfce-settings.service b/files/user-xfce-settings.service
new file mode 100644
index 000000000..f8b154657
--- /dev/null
+++ b/files/user-xfce-settings.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Enable XFCE customizations for SDW
+ConditionPathExists=|!/var/lib/securedrop-workstation/dev
+ConditionPathExists=|/var/lib/securedrop-workstation/prod
+ConditionPathExists=|/var/lib/securedrop-workstation/staging
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/securedrop/update-xfce-settings disable-unsafe-power-management
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
index 8c12ca1a7..dc759db6a 100644
--- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
+++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
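Review bot: files/user-xfce-icon-size.service (and files/user-xfce-settings.service after it) attach to `default.target` of the user manager with no ordering directive, so nothing in the unit guarantees the XFCE session or its settings daemon is available when `update-xfce-settings` runs. The script is not part of this diff, so whether it tolerates that is unverified; if it exits early the oneshot just ends in a failed state and the setting is not applied for that login. A comment in `[Unit]` recording the assumption, e.g. `# Runs at user-manager startup; update-xfce-settings must work before the desktop session is fully up`, would make this reviewable. Both new files also end without a trailing newline, which this same commit fixes for logind-override-disable.service.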
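Review bot: The three `ConditionPathExists=|…` lines in files/user-xfce-settings.service are triggering conditions and are therefore OR-ed, which is easy to misread as the usual AND. As written the unit runs when the dev flag is absent, or when a prod or staging flag exists, so the power-management restriction is skipped only on a machine marked dev and nothing else; that is the safe default direction. A comment above them such as `# '|' makes these alternatives: skip only when the dev flag is the sole environment marker` would record the intent for the next editor. Since this unit is what applies `disable-unsafe-power-management` on prod and staging, it is also worth stating in the description or a comment how a failed run is expected to be noticed.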
@@ -68,6 +68,8 @@ install -m 755 -d %{buildroot}/srv/salt/sd/sd-workstation
 install -m 755 -d %{buildroot}/srv/salt/sd/usb-autoattach
 install -m 755 -d %{buildroot}/%{_datadir}/%{name}/scripts
 install -m 755 -d %{buildroot}/%{_bindir}
+install -m 755 -d %{buildroot}/opt/securedrop
+install -m 755 -d %{buildroot}/usr/bin/securedrop
 install -m 644 dom0/*.sls %{buildroot}/srv/salt/
 install -m 644 dom0/*.top %{buildroot}/srv/salt/
 install -m 644 dom0/*.j2 %{buildroot}/srv/salt/
@@ -75,7 +77,7 @@ install -m 644 dom0/*.yml %{buildroot}/srv/salt/
 install -m 644 dom0/*.conf %{buildroot}/srv/salt/
 install -m 755 dom0/remove-tags.py %{buildroot}/srv/salt/remove-tags
 install -m 755 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/
-install -m 755 dom0/update-xfce-settings %{buildroot}/srv/salt/
+install -m 755 files/update-xfce-settings %{buildroot}/usr/bin/securedrop/
 install -m 644 sd-proxy/* %{buildroot}/srv/salt/sd/sd-proxy/
 install -m 644 sd-whonix/* %{buildroot}/srv/salt/sd/sd-whonix/
 install -m 644 sd-workstation/* %{buildroot}/srv/salt/sd/sd-workstation/
@@ -94,6 +96,7 @@ install -m 755 -d %{buildroot}/%{_datadir}/icons/hicolor/128x128/apps/
 install -m 755 -d %{buildroot}/%{_datadir}/icons/hicolor/scalable/apps/
 install -m 755 -d %{buildroot}/%{_sharedstatedir}/%{name}/
 install -m 755 -d %{buildroot}/%{_userunitdir}/
+install -m 755 -d %{buildroot}/%{_unitdir}
 install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/%{_datadir}/applications/
 install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/srv/salt/press.freedom.SecureDropUpdater.desktop
 install -m 644 files/securedrop-128x128.png %{buildroot}/%{_datadir}/icons/hicolor/128x128/apps/securedrop.png
@@ -103,6 +106,7 @@ install -m 755 files/sdw-notify.py %{buildroot}/%{_bindir}/sdw-notify
 install -m 755 files/sdw-login.py %{buildroot}/%{_bindir}/sdw-login
 install -m 644 files/sdw-notify.service %{buildroot}/%{_userunitdir}/
 install -m 644 files/sdw-notify.timer %{buildroot}/%{_userunitdir}/
+install -m 644 files/logind-override-disable.service %{buildroot}/%{_unitdir}/
 install -m 755 -d %{buildroot}/etc/qubes/policy.d/
 install -m 644 files/31-securedrop-workstation.policy %{buildroot}/etc/qubes/policy.d/
@@ -111,11 +115,10 @@ install -m 644 files/32-securedrop-workstation.policy %{buildroot}/etc/qubes/pol
 install -m 755 -d %{buildroot}/usr/share/securedrop/icons
 install -m 644 files/securedrop-128x128.png %{buildroot}/usr/share/securedrop/icons/sd-logo.png
-install -m 755 -d %{buildroot}/opt/securedrop
-
 install -m 755 -d %{buildroot}/etc/systemd/logind.conf.d/
 install -m 644 files/10-logind_override.conf %{buildroot}/etc/systemd/logind.conf.d/
-install -m 644 files/logind-override-disable.service %{buildroot}/%{_unitdir}/
+install -m 644 files/user-xfce-settings.service %{buildroot}/%{_userunitdir}/
+install -m 644 files/user-xfce-icon-size.service %{buildroot}/%{_userunitdir}/
 %files
 %attr(755, root, root) %{_datadir}/%{name}/scripts/clean-salt
@@ -128,7 +131,6 @@ install -m 644 files/logind-override-disable.service %{buildroot}/%{_unitdir}/
 /srv/salt/dom0-xfce-desktop-file.j2
 /srv/salt/remove-tags
 /srv/salt/securedrop-*
-/srv/salt/update-xfce-settings
 /srv/salt/fpf*
 /srv/salt/press.freedom.SecureDropUpdater.desktop
@@ -145,17 +147,20 @@ install -m 644 files/logind-override-disable.service %{buildroot}/%{_unitdir}/
 %{_datadir}/icons/hicolor/scalable/apps/securedrop.svg
 %{_userunitdir}/sdw-notify.service
 %{_userunitdir}/sdw-notify.timer
+%{_userunitdir}/user-xfce-settings.service
+%{_userunitdir}/user-xfce-icon-size.service
 %{_unitdir}/logind-override-disable.service
 %attr(664, root, root) /etc/qubes/policy.d/31-securedrop-workstation.policy
 %attr(664, root, root) /etc/qubes/policy.d/32-securedrop-workstation.policy
+
+# Override systemd-logind settings on staging and prod systems
 /etc/systemd/logind.conf.d/10-logind_override.conf
 #TODO: this is the same 128x128 icon "securedrop.png" in the datadir
 /usr/share/securedrop/icons/sd-logo.png
-#TODO: is this superseded by notifier/updater file locations, above?
-/opt/securedrop
+%attr(755, root, root) /usr/bin/securedrop/update-xfce-settings
 %doc README.md
 %license LICENSE
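Review bot: `%files` lists `/usr/bin/securedrop/update-xfce-settings` but not its parent directory, so `/usr/bin/securedrop` ends up unowned: RPM will not verify its mode or owner and will leave it behind when the package is removed. Because user units execute a script from that directory, adding `%dir %attr(755, root, root) /usr/bin/securedrop` would bring it under package ownership and verification. The `install -m 755 -d %{buildroot}/opt/securedrop` line is kept in the install section while `/opt/securedrop` is dropped from `%files` here, so that directory is no longer packaged; remove the install line or restore the entry, whichever is intended. The spec already uses `%{_bindir}` for other scripts, which could replace the hard-coded `/usr/bin` prefix.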
@@ -166,11 +171,29 @@ find /srv/salt -maxdepth 1 -type f -iname '*.top' \
 | sed -e 's/\.top$$//g' \
 | xargs qubesctl top.enable > /dev/null
-
 # Force full run of all Salt states - uncomment in release branch
 # mkdir -p /tmp/sdw-migrations
 # touch /tmp/sdw-migrations/whonix-17-update
+# Enables service that conditionally removes our systemd-logind customizations
+# on dev machines only.
+# It's clumsy, but overrides to systemd services can't be conditionally applied.
+# Changes take place after systemd restart.
+systemctl enable logind-override-disable.service
+
+# Customize xfce power settings and icon size. Enabled for all users.
+# Power settings changes conditionally disabled in dev environments.
+systemctl --global enable user-xfce-icon-size.service ||:
+systemctl --global enable user-xfce-settings.service ||:
+
+% preun
+# If we're uninstalling (vs upgrading)
+if [ $1 -eq 0 ]; then
+ systemctl disable --now logind-override-disable.service
+ systemctl --global disable user-xfce-icon-size.service ||:
+ systemctl --global disable user-xfce-settings.service ||:
+fi
+
 %changelog
 * Wed Feb 7 2024 SecureDrop Team - 0.10.0
 - Use Whonix-17 template for sd-whonix
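Review bot: The scriptlet header appears as `% preun`, with a space, in this hunk; if the file really reads that way RPM will not open a new section, and the lines below stay part of the preceding scriptlet (presumably the post-install one, whose start is outside the hunk). There `$1` is never 0, so the three units would never be disabled on uninstall and their enablement symlinks would outlive the package. The line should read `%preun`. Separately, `systemctl enable logind-override-disable.service` and `systemctl disable --now logind-override-disable.service` lack the `||:` that the `--global` calls carry; pick one convention and note in a comment whether a failure there is meant to be ignored.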