From 49916a21b7c163904d8c770092ea483a348f62ba Mon Sep 17 00:00:00 2001
From: Erik Moeller <eloquence@gmail.com>
Date: Tue, 21 Apr 2020 17:35:09 -0700
Subject: [PATCH] Run tag cleanup via Salt to avoid duplication

---
 MANIFEST.in                                             | 1 +
 Makefile                                                | 1 -
 {scripts => dom0}/remove-tags                           | 0
 dom0/sd-clean-all.sls                                   | 7 +++++++
 rpm-build/SPECS/securedrop-workstation-dom0-config.spec | 2 ++
 scripts/securedrop-admin.py                             | 2 --
 6 files changed, 10 insertions(+), 3 deletions(-)
 rename {scripts => dom0}/remove-tags (100%)

diff --git a/MANIFEST.in b/MANIFEST.in
index a3f77ee9..7a10c4f6 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -3,6 +3,7 @@ include dom0/*.top
 include dom0/*.j2
 include dom0/*.yml
 include dom0/*.conf
+include dom0/remove-tags
 include dom0/securedrop-admin
 include dom0/securedrop-login
 include dom0/securedrop-launcher.desktop
diff --git a/Makefile b/Makefile
index 8043c38b..bb9c20ac 100644
--- a/Makefile
+++ b/Makefile
@@ -110,7 +110,6 @@ clean: assert-dom0 prep-salt ## Destroys all SD VMs
 	$(MAKE) destroy-all
 	sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-clean-whonix
 	sudo qubesctl --show-output state.sls sd-clean-all
-	./scripts/remove-tags
 	sudo dnf -y -q remove securedrop-workstation-dom0-config 2>/dev/null || true
 	$(MAKE) clean-salt
 
diff --git a/scripts/remove-tags b/dom0/remove-tags
similarity index 100%
rename from scripts/remove-tags
rename to dom0/remove-tags
diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
index 1d5b5647..0778f2a0 100644
--- a/dom0/sd-clean-all.sls
+++ b/dom0/sd-clean-all.sls
@@ -46,6 +46,12 @@ remove-dom0-sdw-config-files:
       - /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop
       - /home/{{ gui_user }}/.securedrop_launcher
 
+
+# Remove any custom RPC policy tags added to non-SecureDrop VMs by the user
+remove-rpc-policy-tags:
+  cmd.script:
+    - name: salt://remove-tags
+
 # Removes files that are provisioned by the dom0 RPM, only for the development
 # environment, since dnf takes care of those provisioned in the RPM
 {% if d.environment == "dev" %}
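Review bot: `remove-rpc-policy-tags` runs the script under Salt's identity (root, since the state is applied through `sudo qubesctl`), whereas the Makefile and `securedrop-admin.py` call sites removed in this commit invoked it without sudo as the logged-in user. The script body is not part of this diff (100% rename), so confirm that it behaves the same when run as root. If it does not need root, adding `- runas: {{ gui_user }}` under `cmd.script` would presumably keep the previous privilege level. The state also depends on definition order: in the dev environment `remove-dom0-sdw-config-files-dev` further down deletes `/srv/salt/remove-tags`, so a comment such as `# Must stay above remove-dom0-sdw-config-files-dev, which deletes this script` would guard against a later reordering.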
@@ -53,6 +59,7 @@ remove-dom0-sdw-config-files-dev:
   file.absent:
     - names:
       - /opt/securedrop
+      - /srv/salt/remove-tags
       - /srv/salt/securedrop-update
       - /srv/salt/update-xfce-settings
 {% endif %}
diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
index b38da295..c446c73a 100644
--- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
+++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
@@ -59,6 +59,7 @@ install -m 644 dom0/*.top %{buildroot}/srv/salt/
 install -m 644 dom0/*.j2 %{buildroot}/srv/salt/
 install -m 644 dom0/*.yml %{buildroot}/srv/salt/
 install -m 644 dom0/*.conf %{buildroot}/srv/salt/
+install -m 655 dom0/remove-tags %{buildroot}/srv/salt/
 install -m 644 dom0/securedrop-login %{buildroot}/srv/salt/
 install -m 644 dom0/securedrop-launcher.desktop %{buildroot}/srv/salt/
 install -m 655 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/
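Review bot: Mode `655` on the added `install` line gives the owner read/write without execute while group and other get read/execute, which is very unlikely to be the intended permission set. It mirrors the existing `securedrop-handle-upgrade` line, so the pattern predates this commit, but it need not be carried forward. Because the new state references the script as `salt://remove-tags` rather than executing the `/srv/salt` copy directly, `install -m 644 dom0/remove-tags %{buildroot}/srv/salt/` is probably sufficient and matches the neighbouring entries. Use `755` instead if the file is meant to be directly executable.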
@@ -92,6 +93,7 @@ install -m 644 launcher/sdw_util/*.py %{buildroot}/srv/salt/launcher/sdw_util/
 /opt/securedrop/launcher/**/*.py
 /srv/salt/sd*
 /srv/salt/dom0-xfce-desktop-file.j2
+/srv/salt/remove-tags
 /srv/salt/securedrop-*
 /srv/salt/update-xfce-settings
 /srv/salt/fpf*
diff --git a/scripts/securedrop-admin.py b/scripts/securedrop-admin.py
index b4df75d5..b28c1e85 100644
--- a/scripts/securedrop-admin.py
+++ b/scripts/securedrop-admin.py
@@ -106,8 +106,6 @@ def perform_uninstall():
         subprocess.check_call(
             ["sudo", "dnf", "-y", "-q", "remove", "qubes-template-securedrop-workstation-buster"]
         )
-        print("Removing SecureDrop tags from remaining VMs")
-        subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/remove-tags")])
         print("Uninstalling dom0 config package")
         subprocess.check_call(
             ["sudo", "dnf", "-y", "-q", "remove", "securedrop-workstation-dom0-config"]