fedora


Qubes 4.0 with Fedora 26: Setup RPM Fusion and ffmpeg

Recently we wanted to process some media on a Fedora 26 system running under a Qubes OS 4.0 installation. We decided to use ffmpeg, which is not part of the default repositories but can be found in the RPM Fusion repositories. To do so, we first updated our system and enabled the RPM Fusion repositories as follows:

sudo dnf update;

sudo dnf upgrade -y;

sudo dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm;

sudo dnf config-manager --set-enabled rpmfusion-free rpmfusion-nonfree;

By default, DNF on the template VM did not enable the rpmfusion repositories, so we had to enable them manually with the last command above; otherwise we would get the following error:

$ sudo dnf install ffmpeg;
Last metadata expiration check: 0:17:49 ago on Tue Oct 16 09:09:22 2018.
No match for argument: ffmpeg

Then we updated the system once more, so that the metadata of the new repositories would be downloaded, and installed ffmpeg. Since this was the first time we used the new repositories, we were asked during the installation to verify the keys that were imported. We were able to manually verify the keys from this page.

The commands used to install ffmpeg are the following:

sudo dnf update;

sudo dnf install ffmpeg;



Fedora 28: Setup RPM Fusion and ffmpeg

Recently we wanted to process some media on a Fedora 28 system. We decided to use ffmpeg, which is not part of the default repositories but can be found in the RPM Fusion repositories. To do so, we first updated our system and enabled the RPM Fusion repositories as follows:

sudo dnf update;

sudo dnf upgrade -y;

sudo dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm;

Then we updated the system once more, so that the metadata of the new repositories would be downloaded, and installed ffmpeg. Since this was the first time we used the new repositories, we were asked during the installation to verify the keys that were imported. We were able to manually verify the keys from this page.

The commands used to install ffmpeg are the following:

sudo dnf update;

sudo dnf install ffmpeg;

Full Installation Log

[[email protected] ~]$ sudo dnf update
[sudo] password for xeirwn: 
Last metadata expiration check: 1:05:54 ago on Fri 28 Sep 2018 08:48:36 AM EEST.
Dependencies resolved.
Nothing to do.
Complete!
[[email protected] ~]$ sudo dnf upgrade -y
Last metadata expiration check: 1:06:13 ago on Fri 28 Sep 2018 08:48:36 AM EEST.
Dependencies resolved.
Nothing to do.
Complete!
[[email protected] ~]$ sudo dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm
Last metadata expiration check: 1:06:49 ago on Fri 28 Sep 2018 08:48:36 AM EEST.
rpmfusion-free-release-28.noarch.rpm                                      31 kB/s |  20 kB     00:00    
rpmfusion-nonfree-release-28.noarch.rpm                                   41 kB/s |  21 kB     00:00    
Dependencies resolved.
=========================================================================================================
 Package                              Arch              Version            Repository               Size
=========================================================================================================
Installing:
 rpmfusion-free-release               noarch            28-1               @commandline             20 k
 rpmfusion-nonfree-release            noarch            28-1               @commandline             21 k

Transaction Summary
=========================================================================================================
Install  2 Packages

Total size: 41 k
Installed size: 18 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                 1/1 
  Installing       : rpmfusion-nonfree-release-28-1.noarch                                           1/2 
  Installing       : rpmfusion-free-release-28-1.noarch                                              2/2 
  Verifying        : rpmfusion-free-release-28-1.noarch                                              1/2 
  Verifying        : rpmfusion-nonfree-release-28-1.noarch                                           2/2 

Installed:
  rpmfusion-free-release.noarch 28-1                rpmfusion-nonfree-release.noarch 28-1               

Complete!
[[email protected] ~]$ sudo dnf update
RPM Fusion for Fedora 28 - Free - Updates                                152 kB/s | 481 kB     00:03    
RPM Fusion for Fedora 28 - Free                                          195 kB/s | 754 kB     00:03    
RPM Fusion for Fedora 28 - Nonfree - Updates                              59 kB/s |  85 kB     00:01    
RPM Fusion for Fedora 28 - Nonfree                                        72 kB/s | 208 kB     00:02    
Last metadata expiration check: 0:00:00 ago on Fri 28 Sep 2018 09:56:01 AM EEST.
Dependencies resolved.
Nothing to do.
Complete!
[[email protected] ~]$ sudo dnf install ffmpeg
Last metadata expiration check: 0:01:01 ago on Fri 28 Sep 2018 09:56:01 AM EEST.
Dependencies resolved.
=========================================================================================================
 Package               Arch       Version                               Repository                  Size
=========================================================================================================
Installing:
 ffmpeg                x86_64     4.0.2-6.fc28                          rpmfusion-free-updates     1.3 M
Installing dependencies:
 clang5.0-libs         x86_64     5.0.1-3.fc28                          fedora                      12 M
 ffmpeg-libs           x86_64     4.0.2-6.fc28                          rpmfusion-free-updates     6.7 M
 hwloc-libs            x86_64     1.11.9-1.fc28                         fedora                     1.6 M
 libaom                x86_64     1.0.0-3.fc28                          updates                    1.2 M
 libass                x86_64     0.13.4-6.fc28                         updates                    104 k
 libavdevice           x86_64     4.0.2-6.fc28                          rpmfusion-free-updates      94 k
 libclc                x86_64     0.2.0-9.git1cb3fbf.fc27               fedora                     7.9 M
 libmfx                x86_64     1.23-3.fc28                           fedora                      35 k
 llvm5.0-libs          x86_64     5.0.1-7.fc28                          fedora                      15 M
 ocl-icd               x86_64     2.2.12-1.fc28                         fedora                      50 k
 opencl-filesystem     noarch     1.0-6.fc27                            fedora                     7.1 k
 opencore-amr          x86_64     0.1.5-3.fc28                          rpmfusion-free             180 k
 vid.stab              x86_64     1.1-4.20170830gitafc8ea9.fc28         fedora                      50 k
 vo-amrwbenc           x86_64     0.1.3-4.fc28                          rpmfusion-free              77 k
 x264-libs             x86_64     0.152-5.20171224gite9a5903.fc28       rpmfusion-free             575 k
 x265-libs             x86_64     2.7-3.fc28                            rpmfusion-free             1.7 M
 xvidcore              x86_64     1.3.5-1.fc28                          rpmfusion-free             268 k
 zvbi                  x86_64     0.2.35-5.fc28                         fedora                     423 k
Installing weak dependencies:
 beignet               x86_64     1.3.2-2.fc28                          fedora                     4.8 M
 mesa-libOpenCL        x86_64     18.0.5-4.fc28                         updates                    350 k
 pocl                  x86_64     1.1-4.fc28                            updates                     13 M

Transaction Summary
=========================================================================================================
Install  22 Packages

Total download size: 67 M
Installed size: 253 M
Is this ok [y/N]: y
Downloading Packages:
(1/22): libaom-1.0.0-3.fc28.x86_64.rpm                                   250 kB/s | 1.2 MB     00:05    
(2/22): libmfx-1.23-3.fc28.x86_64.rpm                                     63 kB/s |  35 kB     00:00    
(3/22): ocl-icd-2.2.12-1.fc28.x86_64.rpm                                 180 kB/s |  50 kB     00:00    
(4/22): vid.stab-1.1-4.20170830gitafc8ea9.fc28.x86_64.rpm                 58 kB/s |  50 kB     00:00    
(5/22): zvbi-0.2.35-5.fc28.x86_64.rpm                                    192 kB/s | 423 kB     00:02    
(6/22): ffmpeg-4.0.2-6.fc28.x86_64.rpm                                   140 kB/s | 1.3 MB     00:09    
(7/22): vo-amrwbenc-0.1.3-4.fc28.x86_64.rpm                               26 kB/s |  77 kB     00:02    
(8/22): opencore-amr-0.1.5-3.fc28.x86_64.rpm                              15 kB/s | 180 kB     00:12    
(9/22): x264-libs-0.152-5.20171224gite9a5903.fc28.x86_64.rpm              65 kB/s | 575 kB     00:08    
(10/22): xvidcore-1.3.5-1.fc28.x86_64.rpm                                 65 kB/s | 268 kB     00:04    
(11/22): libavdevice-4.0.2-6.fc28.x86_64.rpm                              53 kB/s |  94 kB     00:01    
(12/22): libass-0.13.4-6.fc28.x86_64.rpm                                 141 kB/s | 104 kB     00:00    
(13/22): beignet-1.3.2-2.fc28.x86_64.rpm                                 460 kB/s | 4.8 MB     00:10    
(14/22): x265-libs-2.7-3.fc28.x86_64.rpm                                  87 kB/s | 1.7 MB     00:20    
(15/22): clang5.0-libs-5.0.1-3.fc28.x86_64.rpm                           506 kB/s |  12 MB     00:23    
(16/22): opencl-filesystem-1.0-6.fc27.noarch.rpm                          54 kB/s | 7.1 kB     00:00    
(17/22): ffmpeg-libs-4.0.2-6.fc28.x86_64.rpm                             107 kB/s | 6.7 MB     01:04    
(18/22): hwloc-libs-1.11.9-1.fc28.x86_64.rpm                             343 kB/s | 1.6 MB     00:04    
(19/22): mesa-libOpenCL-18.0.5-4.fc28.x86_64.rpm                         225 kB/s | 350 kB     00:01    
(20/22): llvm5.0-libs-5.0.1-7.fc28.x86_64.rpm                            412 kB/s |  15 MB     00:36    
(21/22): libclc-0.2.0-9.git1cb3fbf.fc27.x86_64.rpm                       544 kB/s | 7.9 MB     00:14    
(22/22): pocl-1.1-4.fc28.x86_64.rpm                                      390 kB/s |  13 MB     00:34    
---------------------------------------------------------------------------------------------------------
Total                                                                    685 kB/s |  67 MB     01:39     
warning: /var/cache/dnf/rpmfusion-free-updates-18aab6236926d6fd/packages/ffmpeg-4.0.2-6.fc28.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 09eab3f2: NOKEY
Importing GPG key 0x09EAB3F2:
 Userid     : "RPM Fusion free repository for Fedora (28) <[email protected]>"
 Fingerprint: 3424 9D2C B375 8B55 48E2 874F C08D 3269 09EA B3F2
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-28
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                 1/1 
  Installing       : opencl-filesystem-1.0-6.fc27.noarch                                            1/22 
  Installing       : llvm5.0-libs-5.0.1-7.fc28.x86_64                                               2/22 
  Running scriptlet: llvm5.0-libs-5.0.1-7.fc28.x86_64                                               2/22 
  Installing       : clang5.0-libs-5.0.1-3.fc28.x86_64                                              3/22 
  Installing       : beignet-1.3.2-2.fc28.x86_64                                                    4/22 
  Installing       : libclc-0.2.0-9.git1cb3fbf.fc27.x86_64                                          5/22 
  Installing       : hwloc-libs-1.11.9-1.fc28.x86_64                                                6/22 
  Installing       : pocl-1.1-4.fc28.x86_64                                                         7/22 
  Installing       : mesa-libOpenCL-18.0.5-4.fc28.x86_64                                            8/22 
  Running scriptlet: mesa-libOpenCL-18.0.5-4.fc28.x86_64                                            8/22 
  Installing       : ocl-icd-2.2.12-1.fc28.x86_64                                                   9/22 
  Running scriptlet: ocl-icd-2.2.12-1.fc28.x86_64                                                   9/22 
  Installing       : libass-0.13.4-6.fc28.x86_64                                                   10/22 
  Installing       : xvidcore-1.3.5-1.fc28.x86_64                                                  11/22 
  Installing       : x265-libs-2.7-3.fc28.x86_64                                                   12/22 
  Installing       : x264-libs-0.152-5.20171224gite9a5903.fc28.x86_64                              13/22 
  Running scriptlet: x264-libs-0.152-5.20171224gite9a5903.fc28.x86_64                              13/22 
  Installing       : vo-amrwbenc-0.1.3-4.fc28.x86_64                                               14/22 
  Running scriptlet: vo-amrwbenc-0.1.3-4.fc28.x86_64                                               14/22 
  Installing       : opencore-amr-0.1.5-3.fc28.x86_64                                              15/22 
  Running scriptlet: opencore-amr-0.1.5-3.fc28.x86_64                                              15/22 
  Installing       : zvbi-0.2.35-5.fc28.x86_64                                                     16/22 
  Running scriptlet: zvbi-0.2.35-5.fc28.x86_64                                                     16/22 
  Installing       : vid.stab-1.1-4.20170830gitafc8ea9.fc28.x86_64                                 17/22 
  Running scriptlet: vid.stab-1.1-4.20170830gitafc8ea9.fc28.x86_64                                 17/22 
  Installing       : libmfx-1.23-3.fc28.x86_64                                                     18/22 
  Running scriptlet: libmfx-1.23-3.fc28.x86_64                                                     18/22 
  Installing       : libaom-1.0.0-3.fc28.x86_64                                                    19/22 
  Installing       : ffmpeg-libs-4.0.2-6.fc28.x86_64                                               20/22 
  Running scriptlet: ffmpeg-libs-4.0.2-6.fc28.x86_64                                               20/22 
  Installing       : libavdevice-4.0.2-6.fc28.x86_64                                               21/22 
  Running scriptlet: libavdevice-4.0.2-6.fc28.x86_64                                               21/22 
  Installing       : ffmpeg-4.0.2-6.fc28.x86_64                                                    22/22 
  Running scriptlet: ffmpeg-4.0.2-6.fc28.x86_64                                                    22/22 
  Verifying        : ffmpeg-4.0.2-6.fc28.x86_64                                                     1/22 
  Verifying        : ffmpeg-libs-4.0.2-6.fc28.x86_64                                                2/22 
  Verifying        : libaom-1.0.0-3.fc28.x86_64                                                     3/22 
  Verifying        : libmfx-1.23-3.fc28.x86_64                                                      4/22 
  Verifying        : ocl-icd-2.2.12-1.fc28.x86_64                                                   5/22 
  Verifying        : vid.stab-1.1-4.20170830gitafc8ea9.fc28.x86_64                                  6/22 
  Verifying        : zvbi-0.2.35-5.fc28.x86_64                                                      7/22 
  Verifying        : opencore-amr-0.1.5-3.fc28.x86_64                                               8/22 
  Verifying        : vo-amrwbenc-0.1.3-4.fc28.x86_64                                                9/22 
  Verifying        : x264-libs-0.152-5.20171224gite9a5903.fc28.x86_64                              10/22 
  Verifying        : x265-libs-2.7-3.fc28.x86_64                                                   11/22 
  Verifying        : xvidcore-1.3.5-1.fc28.x86_64                                                  12/22 
  Verifying        : libavdevice-4.0.2-6.fc28.x86_64                                               13/22 
  Verifying        : libass-0.13.4-6.fc28.x86_64                                                   14/22 
  Verifying        : beignet-1.3.2-2.fc28.x86_64                                                   15/22 
  Verifying        : clang5.0-libs-5.0.1-3.fc28.x86_64                                             16/22 
  Verifying        : llvm5.0-libs-5.0.1-7.fc28.x86_64                                              17/22 
  Verifying        : opencl-filesystem-1.0-6.fc27.noarch                                           18/22 
  Verifying        : pocl-1.1-4.fc28.x86_64                                                        19/22 
  Verifying        : hwloc-libs-1.11.9-1.fc28.x86_64                                               20/22 
  Verifying        : mesa-libOpenCL-18.0.5-4.fc28.x86_64                                           21/22 
  Verifying        : libclc-0.2.0-9.git1cb3fbf.fc27.x86_64                                         22/22 

Installed:
  ffmpeg.x86_64 4.0.2-6.fc28                                  beignet.x86_64 1.3.2-2.fc28                
  mesa-libOpenCL.x86_64 18.0.5-4.fc28                         pocl.x86_64 1.1-4.fc28                     
  clang5.0-libs.x86_64 5.0.1-3.fc28                           ffmpeg-libs.x86_64 4.0.2-6.fc28            
  hwloc-libs.x86_64 1.11.9-1.fc28                             libaom.x86_64 1.0.0-3.fc28                 
  libass.x86_64 0.13.4-6.fc28                                 libavdevice.x86_64 4.0.2-6.fc28            
  libclc.x86_64 0.2.0-9.git1cb3fbf.fc27                       libmfx.x86_64 1.23-3.fc28                  
  llvm5.0-libs.x86_64 5.0.1-7.fc28                            ocl-icd.x86_64 2.2.12-1.fc28               
  opencl-filesystem.noarch 1.0-6.fc27                         opencore-amr.x86_64 0.1.5-3.fc28           
  vid.stab.x86_64 1.1-4.20170830gitafc8ea9.fc28               vo-amrwbenc.x86_64 0.1.3-4.fc28            
  x264-libs.x86_64 0.152-5.20171224gite9a5903.fc28            x265-libs.x86_64 2.7-3.fc28                
  xvidcore.x86_64 1.3.5-1.fc28                                zvbi.x86_64 0.2.35-5.fc28                  

Complete!
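
The "Importing GPG key" prompt in the log above is the point where the repository's signing key becomes trusted. As an added example (not part of the original post), the shell functions below parse that prompt and compare the full fingerprint with a value obtained out of band. The function names are hypothetical, and the expected value in the demo is simply the fingerprint printed in the log above; in real use it would be copied from RPM Fusion's published key list.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Strip spaces/colons and upper-case, so differently formatted copies compare.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF'
}

# Pull the fingerprint and the short key ID out of dnf's import prompt (stdin).
prompt_fingerprint() {
    sed -n 's/^[[:space:]]*Fingerprint[[:space:]]*:[[:space:]]*//p' | head -n 1
}
prompt_keyid() {
    sed -n 's/^Importing GPG key 0x\([0-9A-Fa-f]*\):.*/\1/p' | head -n 1
}

# check_key_prompt EXPECTED_FPR, prompt text on stdin.
# Exit 0: fingerprint matches. 1: mismatch. 2: prompt unusable or inconsistent.
check_key_prompt() (
    expected=$(normalize_fpr "$1")
    text=$(cat)
    shown=$(normalize_fpr "$(printf '%s\n' "$text" | prompt_fingerprint)")
    keyid=$(normalize_fpr "$(printf '%s\n' "$text" | prompt_keyid)")
    # A v4 OpenPGP fingerprint is 40 hex digits; reject anything else.
    case "$shown" in
        ''|*[!0-9A-F]*) echo "no usable fingerprint in prompt" >&2; exit 2 ;;
    esac
    [ "${#shown}" -eq 40 ] || { echo "fingerprint is not 40 hex digits" >&2; exit 2; }
    # The 8-digit key ID is only the fingerprint's tail; it must agree with it,
    # but the decision rests on the full fingerprint.
    tail8=${shown#"${shown%????????}"}
    if [ -z "$keyid" ] || [ "$tail8" != "$keyid" ]; then
        echo "key ID does not match fingerprint" >&2; exit 2
    fi
    if [ "$shown" != "$expected" ]; then
        echo "MISMATCH: prompt shows $shown" >&2; exit 1
    fi
    echo "fingerprint OK: $shown"
)

# Prompt lines as they appear in the installation log above (abridged).
sample_prompt() {
    cat <<'EOF'
Importing GPG key 0x09EAB3F2:
 Fingerprint: 3424 9D2C B375 8B55 48E2 874F C08D 3269 09EA B3F2
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-28
EOF
}

# Demo value: the fingerprint from the log above. In real use, take it from
# RPM Fusion's published key list over a separate channel.
EXPECTED='3424 9D2C B375 8B55 48E2 874F C08D 3269 09EA B3F2'
sample_prompt | check_key_prompt "$EXPECTED"
```

Answer "y" at the dnf prompt only when the check exits with status 0.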

YARA on Fedora

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic.

Recently, we tried to compile YARA on Fedora 23 GNU/Linux (running through Qubes OS version 3).
As the installation guide is directed towards Ubuntu/Debian users, we soon found out that the installation had some missing dependencies. Below, you will find all the steps we followed to download YARA, install its dependencies and build it with all optional features enabled.

sudo dnf install automake libtool make gcc flex bison jansson-devel jansson openssl openssl-devel file-libs file-devel python-magic python3-magic;

git clone https://github.com/VirusTotal/yara; # Or download a release from: https://github.com/virustotal/yara/releases/tag/v3.8.1

cd yara;

./bootstrap.sh;

./configure --enable-cuckoo --enable-magic --enable-dotnet;

make;

sudo make install;

This information is an extension to the installation guide.


Fedora GNU/Linux : Disable USB Storage Devices

There is this machine that runs Fedora GNU/Linux, for which its owners asked us to block all USB storage devices without affecting other peripheral devices like keyboards and mice. The reason was to prevent unlawful data leakage by the users of that machine.

On Linux there is a kernel module named usb_storage that can be found at /lib/modules/$KERNEL_VERSION/kernel/drivers/usb/storage/usb-storage.ko.xz (to get the kernel version, execute uname -r;) which operates as the USB Mass Storage driver for Linux.

Apparently, we just needed to block the usb_storage module. Initially, we tried to block the module by using the /etc/modprobe.d/blacklist.conf file, but with no success. We failed to blacklist the module using the following commands (we were not sure which of the two names is correct, so we tried both, one at a time; it appears that both can be correct):

echo -e "usb_storage\n" | sudo tee -a /etc/modprobe.d/blacklist.conf;
echo -e "usb-storage\n" | sudo tee -a /etc/modprobe.d/blacklist.conf;

After creating/updating the blacklist.conf file we restarted the machine; the module does not get loaded automatically on boot, it only gets loaded when needed. Unfortunately, as we mentioned before, these attempts led to no solution, as we were still able to use USB storage devices even after creating the blacklist.conf file.
Since this method failed, we had to turn to a different solution which, due to its nature, can be considered a hack.

Solution

What we did was to create a new configuration file in /etc/modprobe.d/ that would prevent usb_storage from being loaded by redirecting any requests to load the specific module to the /bin/true application.

echo "install usb_storage /bin/true" >> /etc/modprobe.d/disable-usb-storage.conf;
# Or the following (both names usb_storage and usb-storage seem to work)
# echo "install usb-storage /bin/true" >> /etc/modprobe.d/disable-usb-storage.conf;

Then, we had to make sure that the module was not already loaded. To see if the usb_storage module was already loaded we executed:

lsmod | grep -i usb_storage;

When lsmod | grep -i usb_storage; did not return any results, we were done! Since the module was not in the list, it was not loaded, and so the next time someone tried to use a USB mass storage device they would not be able to load the module.

In cases where we got a line back (and thus the module was already loaded), we needed to unload it manually or restart the machine. To avoid rebooting the machine we used modprobe to unload the usb_storage module.

modprobe -r usb_storage;

Sometimes, we would get the following error: modprobe: FATAL: Module usb_storage is in use. This error meant that some other kernel module was using usb_storage and would not allow us to unload it. Using lsmod | grep -i usb_storage; we would get back a line like the following: usb_storage 73728 1 uas. The last column is a comma-separated list of the kernel modules that use usb_storage, and we would need to unload them as well (replacing commas with space characters). Since we had only one dependency, our command became the one below:

modprobe -r uas usb_storage;

And we were done!
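
The steps above, as an added example that is not part of the original post: one function classifies how a modprobe.d directory treats a module, and another builds the modprobe -r call from lsmod output. It goes slightly beyond the text by also recognising blacklist lines, and it reports a module name written alone on a line (what the echo commands in the first attempt produce) separately, since that is not a modprobe.d directive. Function names are hypothetical and all sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and lsmod text below are
# constructed sample data; nothing under /etc is read or changed.

# modprobe treats '-' and '_' in module names as the same character.
canon() { printf '%s' "$1" | sed 's/-/_/g'; }

# block_status MODULE DIR: how do the *.conf files in DIR treat MODULE?
#   install-override  "install MODULE <cmd>": load requests run <cmd> instead
#   blacklist         "blacklist MODULE": only the module's aliases are ignored;
#                     loading by name or as a dependency still works
#   bare-name         the name alone on a line, which is not a directive
#   none              the module is not mentioned
block_status() (
    want=$(canon "$1"); result=none
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        while read -r kw name rest || [ -n "$kw" ]; do
            case "$kw" in ''|'#'*) continue ;; esac
            if [ -z "$name" ]; then
                if [ "$(canon "$kw")" = "$want" ] && [ "$result" = none ]; then
                    result=bare-name
                fi
                continue
            fi
            [ "$(canon "$name")" = "$want" ] || continue
            case "$kw" in
                install)   if [ -n "$rest" ]; then result=install-override; fi ;;
                blacklist) [ "$result" = install-override ] || result=blacklist ;;
            esac
        done < "$f"
    done
    echo "$result"
)

# unload_command MODULE, lsmod output on stdin: print the modprobe -r call that
# unloads the modules using MODULE first ("Used by" column, commas -> spaces).
# Exit status 1 means MODULE is not loaded.
unload_command() (
    want=$(canon "$1")
    while read -r name size used by; do
        [ "$(canon "$name")" = "$want" ] || continue
        echo "modprobe -r $(printf '%s' "$by" | tr ',' ' ') $name" | tr -s ' '
        exit 0
    done
    exit 1
)

# Demo on constructed data mirroring the post.
demo() (
    d=$(mktemp -d) || exit 1
    printf 'usb_storage\n\n' > "$d/blacklist.conf"      # what the first attempt wrote
    echo "before: $(block_status usb-storage "$d")"
    echo 'install usb_storage /bin/true' > "$d/disable-usb-storage.conf"
    echo "after:  $(block_status usb-storage "$d")"
    printf 'Module Size Used by\nusb_storage 73728 1 uas\n' | unload_command usb_storage
    rm -rf "$d"
)
demo
```

On a real system, point block_status at /etc/modprobe.d and pipe lsmod into unload_command.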

To Re-enable USB mass storage devices (revert)

That is the easy part. To re-enable access to the USB mass storage devices, all we had to do was delete the configuration file:

rm /etc/modprobe.d/disable-usb-storage.conf;

Of course, to block them again, we would have to follow the steps in the above solution.


Fedora GNU/Linux: Disable/Stop or Enable/Start Bluetooth service

There was this Fedora box for which we were asked to disable most of the methods it had available for communicating with the outside world.
One of the features of the box that we decided to block was its Bluetooth device.
To make our life easy, and since the users would not have admin rights, we decided to simply stop and disable the Bluetooth service on the box and be over with it!

We stopped and disabled the Bluetooth service with the following two commands.

#Stop Bluetooth service that is currently executing
systemctl stop bluetooth;
#Prevent Bluetooth service from starting after a reboot
systemctl disable bluetooth;

Once you disable the service and stop it, you will notice that on the GUI of the Gnome settings application it still shows the basic menu for the Bluetooth device.
That should not worry you though because if you enter the Bluetooth configuration tab you will notice that the user will not be able to turn the device on and make use of it.

Revert changes and re-enable / re-start the Bluetooth service:

In order to restore the Bluetooth service back to normal (to enable it and start it), just execute the following two commands:

#Start the Bluetooth service right now
systemctl start bluetooth;
#Make sure that Bluetooth service will start after each system restart
systemctl enable bluetooth;