Support DispVMs for sys VMs in Qubes 4.1

A clean install of 4.1-rc3 resulted in both sys-firewall and sys-usb
being created as DispVMs. My understanding is this is now the *default*
setting, but more testing required. These changes permit installation
with those settings, but notably do not accommodate for udev rules fro
sys-usb under 4.1. More changes required to support print/export.

dom0/sd-dom0-files.sls

@@ -91,7 +91,9 @@ dom0-install-securedrop-workstation-template:
 {% endif %}
     - require:
       - file: dom0-workstation-rpm-repo
+{% if grains['osrelease'] != '4.1' %}
       - pkg: dom0-remove-securedrop-workstation-stretch-template
+{% endif %}
 
 # Remove the legacy auto updater script
 dom0-remove-legacy-updater:

dom0/sd-sys-vms.sls

@@ -11,15 +11,17 @@ include:
 
 {% set sd_supported_fedora_version = 'fedora-34' %}
 
-# Install latest templates required for SDW VMs.
-#dom0-install-fedora-template:
-#  pkg.installed:
-#    - pkgs:
-#      - qubes-template-{{ sd_supported_fedora_version }}
 
+# Install latest templates required for SDW VMs.
 dom0-install-fedora-template:
+{% if grains['osrelease'] == '4.1' %}
   qvm.template_installed:
     - name: {{ sd_supported_fedora_version }}
+{% else %}
+  pkg.installed:
+    - pkgs:
+      - qubes-template-{{ sd_supported_fedora_version }}
+{% endif %}
 
 # Update the mgmt VM before updating the new Fedora VM. The order is required
 # and listed in the release notes for F32 & F33.
@@ -72,7 +74,13 @@ set-fedora-default-template-version:
 # Now proceed with rebooting all the sys-* VMs, since the new template is up to date.
 
 {% for sys_vm in ['sys-usb', 'sys-net', 'sys-firewall'] %}
-{% if salt['cmd.shell']('qvm-prefs '+sys_vm+' template') != sd_supported_fedora_version %}
+{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:'+sys_vm+':disposable', false) %}
+# As of Qubes 4.1, certain sys-* VMs will be DispVMs by default.
+{% set sd_supported_fedora_template = sd_supported_fedora_version+'-dvm' %}
+{% else %}
+{% set sd_supported_fedora_template = sd_supported_fedora_version %}
+{% endif %}
+{% if salt['cmd.shell']('qvm-prefs '+sys_vm+' template') != sd_supported_fedora_template %}
 sd-{{ sys_vm }}-fedora-version-halt:
   qvm.kill:
     - name: {{ sys_vm }}
@@ -93,13 +101,11 @@ sd-{{ sys_vm }}-fedora-version-halt-wait:
       - pkg: dom0-install-fedora-template
 {% endif %}
 
-# Will fail on 4.1 systems where sys-* VMs were set to be disposible (a preference one can
-# set during the install process
 sd-{{ sys_vm }}-fedora-version-update:
   qvm.vm:
     - name: {{ sys_vm }}
     - prefs:
-      - template: {{ sd_supported_fedora_version }}
+      - template: {{ sd_supported_fedora_template }}
     - require:
       - cmd: sd-{{ sys_vm }}-fedora-version-halt-wait
 

dom0/sd-workstation-template.sls

@@ -20,7 +20,11 @@ sd-workstation-template:
       - enable:
         - service.paxctld
     - require:
+{% if grains['osrelease'] == '4.1' %}
+      - qvm: dom0-install-securedrop-workstation-template
+{% else %}
       - pkg: dom0-install-securedrop-workstation-template
+{% endif %}
 
 # Installs consolidated templateVMs:
 # - sd-small-buster-template, to be used for

tests/base.py

@@ -12,6 +12,31 @@
 CURRENT_WHONIX_VERSION = "16"
 
 
+# Lifted from launcher/sdw_util/Util.py
+def get_qubes_version():
+    """
+    Helper function for checking the Qubes version. Returns None if not on Qubes.
+    """
+    is_qubes = False
+    version = None
+    try:
+        with open("/etc/os-release") as f:
+            for line in f:
+                try:
+                    key, value = line.rstrip().split("=")
+                except ValueError:
+                    continue
+                if key == "NAME" and "qubes" in value.lower():
+                    is_qubes = True
+                if key == "VERSION_ID":
+                    version = value
+    except FileNotFoundError:
+        return None
+    if not is_qubes:
+        return None
+    return version
+
+
 # base class for per-VM testing
 
 

tests/test_qubes_vms.py

@@ -1,7 +1,7 @@
 import unittest
 
 from qubesadmin import Qubes
-from base import CURRENT_FEDORA_TEMPLATE, CURRENT_WHONIX_VERSION
+from base import CURRENT_FEDORA_TEMPLATE, CURRENT_WHONIX_VERSION, get_qubes_version
 
 
 class SD_Qubes_VM_Tests(unittest.TestCase):
@@ -22,9 +22,16 @@ def test_current_fedora_for_sys_vms(self):
         an up-to-date version of Fedora.
         """
         sys_vms = ["sys-firewall", "sys-net", "sys-usb", "default-mgmt-dvm"]
+        sys_vms_maybe_disp = ["sys-firewall", "sys-usb"]
+
         for sys_vm in sys_vms:
             vm = self.app.domains[sys_vm]
-            self.assertEqual(vm.template.name, CURRENT_FEDORA_TEMPLATE)
+            wanted_template = CURRENT_FEDORA_TEMPLATE
+            if get_qubes_version() == "4.1" and sys_vm in sys_vms_maybe_disp:
+                wanted_template += "-dvm"
+            self.assertEqual(
+                vm.template.name, wanted_template, "Unexpected template for {}".format(sys_vm)
+            )
 
     def test_current_whonix_vms(self):
         """

tests/test_vms_platform.py

@@ -234,18 +234,6 @@ def test_dispvm_default_platform(self):
         result = subprocess.check_output(cmd).decode("utf-8").rstrip("\n")
         self.assertEqual(result, "sd-viewer")
 
-    def test_sys_vms_use_supported_fedora(self):
-        """
-        The 'sys-*' VMs must be updated to use the latest version of Fedora,
-        to ensure critical components such as 'sys-firewall' receive security
-        updates.
-        """
-        sys_vms = ["sys-firewall", "sys-net", "sys-usb"]
-        for vm in sys_vms:
-            wanted_template = CURRENT_FEDORA_TEMPLATE
-            found_template = self.app.domains[vm].template.name
-            self.assertEqual(wanted_template, found_template)
-
     def test_all_sd_vm_apt_sources(self):
         """
         Test all VMs fpf apt source list iteratively.