Disable hardened_malloc for Thunderbird

Add thunderird
Add hardened_malloc note
2025-02-20 18:21:34 -05:00 · 2025-01-28 08:46:49 -07:00 · 2025-01-28 08:38:57 -07:00 · 2025-01-28 08:03:13 -07:00 · 2025-01-28 07:23:15 -07:00 · 2025-01-28 07:21:13 -07:00
4 changed files with 50 additions and 1 deletions
--- a/etc/qubes-rpc/qubes.SshAgent
+++ b/etc/qubes-rpc/qubes.SshAgent
@ -0,0 +1,8 @@
+#!/bin/sh
+# Qubes App Split SSH Script
+
+# safeguard - Qubes notification bubble for each ssh request
+notify-send "[$(qubesdb-read /name)] SSH agent access from: $QREXEC_REMOTE_DOMAIN"
+
+# SSH connection
+socat - "UNIX-CONNECT:$SSH_AUTH_SOCK"
--- a/fedora-gnome/fedora-gnome.sh
+++ b/fedora-gnome/fedora-gnome.sh
@ -147,6 +147,8 @@ sudo chmod 644 /etc/ld.so.preload

 # Enable hardened_malloc for Flatpak
 sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so
+
+## Unforunately, user override needs to be run per-app VM
 flatpak override --user --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so

 # Setup DNF
--- a/fedora-gnome/thunderbird.sh
+++ b/fedora-gnome/thunderbird.sh
@ -0,0 +1,33 @@
+#!/bin/sh
+
+# Copyright (C) 2025 Thien Tran
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+set -eu -o pipefail
+
+unpriv(){
+  sudo -u nobody "${@}"
+}
+
+download() {
+  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
+}
+
+sudo dnf install -y thunderbird
+
+# Change the GPG Domain name appropriately
+echo 'QUBES_GPG_DOMAIN=vault' | sudo tee -a /etc/environment
+
+# Disable hardened_malloc (for now)
+sudo rm /etc/ld.so.preload
--- a/fedora-gnome/vault.sh
+++ b/fedora-gnome/vault.sh
@ -24,4 +24,10 @@ download() {
  unpriv curl -s --proxy http://127.0.0.1:8082 "${1}" | sudo tee "${2}" > /dev/null
 }

-sudo dnf install -y keepassxc openssh-askpass
+download https://raw.githubusercontent.com/TommyTran732/QubesOS-Scripts/main/etc/qubes-rpc/qubes.SshAgent /etc/qubes-rpc/qubes.SshAgent
+sudo chmod +x /etc/qubes-rpc/qubes.SshAgent
+
+# Not using openssh-askpass here, because of this bug:
+# https://github.com/QubesOS/qubes-issues/issues/9741
+
+sudo dnf install -y keepassxc
Author	SHA1	Message	Date
Tommy	380faedd0d	Disable hardened_malloc for Thunderbird	2025-01-28 08:46:49 -07:00
Tommy	403c798238	Add thunderird	2025-01-28 08:38:57 -07:00
Tommy	624943db7b	Add hardened_malloc note Signed-off-by: Tommy <contact@tommytran.io>	2025-01-28 08:03:13 -07:00
Tommy	7fc29b213d	Add qubes.SshAgent rpc to vault template	2025-01-28 07:23:15 -07:00
Tommy	418edc11ef	Add qubes-rpc for SshAgent	2025-01-28 07:21:13 -07:00