microsoft · stefanjarina · Dec 19, 2020 · Dec 19, 2020 · Dec 20, 2020 · Dec 20, 2020
diff --git a/suse/opensuse/leap/15.2/README.md b/suse/opensuse/leap/15.2/README.md
@@ -0,0 +1,71 @@
+# Script to enable XRDP on openSUSE Tumbleweed
+
+## Info
+
+- Designed to be idempotent, you can run it repeatedly
+- Installs required packages
+- Configures XRDP ini files
+- Will compile selinux module in case SELinux is installed on machine (it doesn't need to be enabled though)
+- support changing session to KDE Plasma
+
+## Run
+
+- If using GNOME
+
+```sh
+sudo sh install.sh
+```
+
+- If using KDE
+
+```sh
+sudo sh install.sh --kde
+```
+
+If using different DE
+
+Looks like xrdp on openSUSE leap 15.2 supports below DEs by default
+
+```sh
+sudo sed -i_orig -e 's/SESSION=".*"/SESSION="sle"/g' /etc/xrdp/startwm.sh     # set to 'SLE classic'
+sudo sed -i_orig -e 's/SESSION=".*"/SESSION="gnome"/g' /etc/xrdp/startwm.sh   # set to 'GNOME'
+sudo sed -i_orig -e 's/SESSION=".*"/SESSION="plasma"/g' /etc/xrdp/startwm.sh  # set to 'KDE'
+sudo sed -i_orig -e 's/SESSION=".*"/SESSION="icewm"/g' /etc/xrdp/startwm.sh   # set to 'IceWM'
+```
+
+## Known issues
+
+### I can't shutdown/restart machine from xrdp session, session just logoff, but muchine keeps running
+
+- There is a simple fix to that, but it is not a part of script as it might not be an intended change
+  - This solution does not work for Tumbleweed strangely
+- Below will allow any user that is part of group `power` to reboot/suspend/shutdown/hibernate the machine from GUI
+- Please adjust below solution in case you want this to be available for different group. e.g. `admins` or `wheel`
+
+```sh
+# group 'power' is not available on openSUSE by default, so we will create it
+sudo groupadd power
+
+# add your user to group power
+sudo usermod -a -G power <your_username>
+
+# add polkit rule
+sudo bash -c 'cat > /etc/polkit-1/rules.d/48-shutdown-power-group <<EOF
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.login1.reboot" ||
+         action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+         action.id == "org.freedesktop.login1.power-off" ||
+         action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
+         action.id == "org.freedesktop.login1.suspend" ||
+         action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||
+         action.id == "org.freedesktop.login1.hibernate" ||
+         action.id == "org.freedesktop.login1.hibernate-multiple-sessions") && subject.isInGroup("power"))
+    {
+    return polkit.Result.YES;
+    }
+});
+EOF'
+
+# restart your machine
+sudo reboot
+```
diff --git a/suse/opensuse/leap/15.2/allow-vsock.te b/suse/opensuse/leap/15.2/allow-vsock.te
@@ -0,0 +1,10 @@
+module allow-vsock 1.0;
+
+require {
+        type unconfined_service_t;
+        type unlabeled_t;
+        class vsock_socket { getattr read write };
+}
+
+#============= unconfined_service_t ==============
+allow unconfined_service_t unlabeled_t:vsock_socket { getattr read write };
diff --git a/suse/opensuse/leap/15.2/install.sh b/suse/opensuse/leap/15.2/install.sh
@@ -0,0 +1,108 @@
+#!/bin/bash
+
+#
+# This script is for openSUSE Tumbleweed Linux to configure XRDP for enhanced session mode
+#
+# The confioguration is adapted from the Arch script.
+#
+
+# Set desktop environment, used later to change SESSION="*****" in /etc/xrdp/starwm.sh
+desktop_env=gnome
+# Change to kde if --kde passed
+if [ $# -gt 0 ] && [ $1 = "--kde" ]; then
+  desktop_env=plasma
+fi
+
+###############################################################
+# Install XRDP
+#
+if [ "$(id -u)" -ne 0 ]; then
+    echo 'This script must be run with root privileges' >&2
+    exit 1
+fi
+
+# Use rpm -q to check for exact package name, install if missing
+if ! rpm -q xrdp 2>&1 > /dev/null ; then
+    echo 'Refreshing repo cache'
+    zypper refresh
+    echo 'Installing missing xrdp package using zypper'
+    zypper -n install xrdp
+fi
+
+###############################################################
+# Configure XRDP
+#
+systemctl enable xrdp
+systemctl enable xrdp-sesman
+
+XRDP_INI_FILE=/etc/xrdp/xrdp.ini
+XRDP_INI_BAK_FILE=$XRDP_INI_FILE.enh_sess_orig.bak
+# Create backup of original XRDP ini file
+if [ ! -f "$XRDP_INI_BAK_FILE" ]; then
+    cp $XRDP_INI_FILE $XRDP_INI_BAK_FILE
+    echo "Original config file saved in $XRDP_INI_BAK_FILE"
+fi
+# Configure the installed XRDP ini files
+# use vsock transport
+sed -i_orig -e 's/port=3389/port=vsock:\/\/-1:3389/g' $XRDP_INI_FILE
+# use rdp security
+sed -i_orig -e 's/security_layer=negotiate/security_layer=rdp/g' $XRDP_INI_FILE
+# remove encryption validation
+sed -i_orig -e 's/crypt_level=high/crypt_level=none/g' $XRDP_INI_FILE
+# disable bitmap compression since its local its much faster
+sed -i_orig -e 's/bitmap_compression=true/bitmap_compression=false/g' $XRDP_INI_FILE
+#
+# sed -n -e 's/max_bpp=32/max_bpp=24/g' $XRDP_INI_FILE
+
+XRDP_SESMAN_INI_FILE=/etc/xrdp/sesman.ini
+# use the default lightdm x display
+sed -i_orig -e 's/X11DisplayOffset=10/X11DisplayOffset=0/g' $XRDP_SESMAN_INI_FILE
+# rename the redirected drives to 'shared-drives'
+sed -i_orig -e 's/FuseMountName=thinclient_drives/FuseMountName=shared-drives/g' $XRDP_SESMAN_INI_FILE
+
+# adjust startwm.sh (this is needed only in Leap, not needed in Tumbleweed)
+if [ "$(grep -e 'SESSION=".*"' /etc/xrdp/startwm.sh)"  ]; then
+    sed -i_orig -e "s/SESSION=\".*\"/SESSION=\"$desktop_env\"/g" /etc/xrdp/startwm.sh
+    echo "Changed session to '${desktop_env^^}'"
+fi
+
+# Change the allowed_users
+echo "allowed_users=anybody" > /etc/X11/Xwrapper.config
+
+# Ensure hv_sock gets loaded
+if [ ! -e /etc/modules-load.d/hv_sock.conf ]; then
+    echo "hv_sock" > /etc/modules-load.d/hv_sock.conf
+fi
+
+# Configure the policy xrdp session
+cat > /etc/polkit-1/rules.d/02-allow-colord.rules <<EOF
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.color-manager.create-device" ||
+         action.id == "org.freedesktop.color-manager.modify-profile" ||
+         action.id == "org.freedesktop.color-manager.delete-device" ||
+         action.id == "org.freedesktop.color-manager.create-profile" ||
+         action.id == "org.freedesktop.color-manager.modify-profile" ||
+         action.id == "org.freedesktop.color-manager.delete-profile") &&
+        subject.isInGroup("users"))
+    {
+        return polkit.Result.YES;
+    }
+});
+EOF
+
+# Compile selinux module IF selinux is installed
+if rpm -q selinux 2>&1 > /dev/null ; then
+    checkmodule -M -m -o allow-vsock.mod allow-vsock.te
+    semodule_package -o allow-vsock.pp -m allow-vsock.mod
+    # Install the selinux module!
+    semodule -i allow-vsock.pp
+fi
+
+###############################################################################
+
+echo "####### Configuration Done #######"
+echo "Next to do"
+echo "Shutdown this VM"
+echo "On your host machine in an Administrator powershell prompt, execute this command: "
+echo "      Set-VM -VMName <your_vm_name> -EnhancedSessionTransportType HvSocket"
+echo "Start this VM, and you will see Enhanced mode available!"
diff --git a/suse/opensuse/tumbleweed/README.md b/suse/opensuse/tumbleweed/README.md
@@ -0,0 +1,8 @@
+# Script to enable XRDP on openSUSE Tumbleweed
+
+## Info
+
+- Designed to be idempotent, you can run it repeatedly
+- Installs required packages
+- Configures XRDP ini files
+- Will compile selinux module in case SELinux is installed on machine (it doesn't need to be enabled though)
diff --git a/suse/opensuse/tumbleweed/allow-vsock.te b/suse/opensuse/tumbleweed/allow-vsock.te
@@ -0,0 +1,10 @@
+module allow-vsock 1.0;
+
+require {
+        type unconfined_service_t;
+        type unlabeled_t;
+        class vsock_socket { getattr read write };
+}
+
+#============= unconfined_service_t ==============
+allow unconfined_service_t unlabeled_t:vsock_socket { getattr read write };
diff --git a/suse/opensuse/tumbleweed/install.sh b/suse/opensuse/tumbleweed/install.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+#
+# This script is for openSUSE Tumbleweed Linux to configure XRDP for enhanced session mode
+#
+# The confioguration is adapted from the Arch script.
+#
+
+###############################################################
+# Install XRDP
+#
+if [ "$(id -u)" -ne 0 ]; then
+    echo 'This script must be run with root privileges' >&2
+    exit 1
+fi
+
+# Use rpm -q to check for exact package name, install if missing
+if ! rpm -q xrdp 2>&1 > /dev/null ; then
+    echo 'Refreshing repo cache'
+    zypper refresh
+    echo 'Installing missing xrdp package using zypper'
+    zypper -n install xrdp
+fi
+
+###############################################################
+# Configure XRDP
+#
+systemctl enable xrdp
+systemctl enable xrdp-sesman
+
+XRDP_INI_FILE=/etc/xrdp/xrdp.ini
+XRDP_INI_BAK_FILE=$XRDP_INI_FILE.enh_sess_orig.bak
+# Create backup of original XRDP ini file
+if [ ! -f "$XRDP_INI_BAK_FILE" ]; then
+    cp $XRDP_INI_FILE $XRDP_INI_BAK_FILE
+    echo "Original config file saved in $XRDP_INI_BAK_FILE"
+fi
+# Configure the installed XRDP ini files
+# use vsock transport
+sed -i_orig -e 's/port=3389/port=vsock:\/\/-1:3389/g' $XRDP_INI_FILE
+# use rdp security
+sed -i_orig -e 's/security_layer=negotiate/security_layer=rdp/g' $XRDP_INI_FILE
+# remove encryption validation
+sed -i_orig -e 's/crypt_level=high/crypt_level=none/g' $XRDP_INI_FILE
+# disable bitmap compression since its local its much faster
+sed -i_orig -e 's/bitmap_compression=true/bitmap_compression=false/g' $XRDP_INI_FILE
+#
+# sed -n -e 's/max_bpp=32/max_bpp=24/g' $XRDP_INI_FILE
+
+XRDP_SESMAN_INI_FILE=/etc/xrdp/sesman.ini
+# use the default lightdm x display
+#sed -i_orig -e 's/X11DisplayOffset=200/X11DisplayOffset=0/g' $XRDP_SESMAN_INI_FILE
+# rename the redirected drives to 'shared-drives'
+sed -i_orig -e 's/FuseMountName=thinclient_drives/FuseMountName=shared-drives/g' $XRDP_SESMAN_INI_FILE
+
+# Change the allowed_users
+echo "allowed_users=anybody" > /etc/X11/Xwrapper.config
+
+# Ensure hv_sock gets loaded
+if [ ! -e /etc/modules-load.d/hv_sock.conf ]; then
+    echo "hv_sock" > /etc/modules-load.d/hv_sock.conf
+fi
+
+# Configure the policy xrdp session
+cat > /etc/polkit-1/rules.d/02-allow-colord.rules <<EOF
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.color-manager.create-device" ||
+         action.id == "org.freedesktop.color-manager.modify-profile" ||
+         action.id == "org.freedesktop.color-manager.delete-device" ||
+         action.id == "org.freedesktop.color-manager.create-profile" ||
+         action.id == "org.freedesktop.color-manager.modify-profile" ||
+         action.id == "org.freedesktop.color-manager.delete-profile") &&
+        subject.isInGroup("users"))
+    {
+        return polkit.Result.YES;
+    }
+});
+EOF
+
+# Compile selinux module IF selinux is installed
+if rpm -q selinux 2>&1 > /dev/null ; then
+    checkmodule -M -m -o allow-vsock.mod allow-vsock.te
+    semodule_package -o allow-vsock.pp -m allow-vsock.mod
+    # Install the selinux module!
+    semodule -i allow-vsock.pp
+fi
+
+###############################################################################
+
+echo "####### Configuration Done #######"
+echo "Next to do"
+echo "Shutdown this VM"
+echo "On your host machine in an Administrator powershell prompt, execute this command: "
+echo "      Set-VM -VMName <your_vm_name> -EnhancedSessionTransportType HvSocket"
+echo "Start this VM, and you will see Enhanced mode available!"