Adapt qgs.service for SELinux policy and sock perms

Changes to qgs.service to make it more amenable to writing a strict
SELinux policy.

Also add patch to allow control over socket perms so QEMU can get
access to the socket.

Related: https://issues.redhat.com/browse/RHELPLAN-171792
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Daniel P. Berrangé 2025-06-09 13:29:32 +01:00
parent b26306ecae
commit 32e6af3c36
21 changed files with 153 additions and 52 deletions


@ -1,7 +1,7 @@
From d70390caa01c88dd681e6ce68f850d26a33bb838 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 26 Feb 2024 12:19:51 +0000
Subject: [PATCH 100/116] Drop use of bundled pre-built openssl
Subject: [PATCH 100/117] Drop use of bundled pre-built openssl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -188,5 +188,5 @@ index a20a3cd..c8e1d01 100644
debug:
$(PCKCERTSEL_VERBOSE)$(MAKE) DEBUG=1 all
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From b4d3b1401e16a557bcba1fe02b525bd5c26ee532 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 1 Mar 2024 12:05:01 +0000
Subject: [PATCH 101/116] Improve debuggability of build system
Subject: [PATCH 101/117] Improve debuggability of build system
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -128,5 +128,5 @@ index fba7f43..5979699 100644
.PHONY: qal
qal:
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From edcd2d044a8e20cf8d2e1cebba7f74f2573c9ae5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 26 Feb 2024 12:19:51 +0000
Subject: [PATCH 102/116] Support build time setting of enclave load directory
Subject: [PATCH 102/117] Support build time setting of enclave load directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -259,5 +259,5 @@ index d9c2bac..1065949 100644
App_Link_Flags += -lcurl -ldl -lpthread
ifeq ($(STANDALONE), 1)
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From 3cbab8069678b15276d7a8d2d0c7aa34532ad4af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 27 Feb 2024 15:46:41 +0000
Subject: [PATCH 103/116] Look for versioned sgx_urts library in
Subject: [PATCH 103/117] Look for versioned sgx_urts library in
PCKRetrievalTool
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -40,5 +40,5 @@ index d77a6eb..d195717 100644
}
#endif
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From 2609841a9ddedd4c3f22778bff0aa399ce6d4f9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 27 Feb 2024 20:28:24 +0000
Subject: [PATCH 104/116] Don't import pypac in pccsadmin
Subject: [PATCH 104/117] Don't import pypac in pccsadmin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -29,5 +29,5 @@ index 9f1d224..af1e78e 100644
from lib.intelsgx.credential import Credentials
from requests.adapters import HTTPAdapter
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From eb1018b10a5adedcdc1ae3cf8f5d8be6de5b7d6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 29 Feb 2024 14:21:36 +0000
Subject: [PATCH 105/116] Look for PCKRetrievalTool config file in /etc/
Subject: [PATCH 105/117] Look for PCKRetrievalTool config file in /etc/
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -39,5 +39,5 @@ index e423f38..36f219b 100644
if(strnlen(local_configuration_file_path ,MAX_PATH)+strnlen(LOCAL_NETWORK_SETTING,MAX_PATH)+sizeof(char) > MAX_PATH) {
return false;
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From c1773ce8ab60a0d887a52b821de28d6fd996b7f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 28 Mar 2025 16:00:27 +0000
Subject: [PATCH 106/116] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and
Subject: [PATCH 106/117] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and
libraries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -205,5 +205,5 @@ index 4937fe9..83aefee 100644
LDFLAGS += '-Wl,-rpath,$$ORIGIN'
CXXFLAGS += '-DSTANDALONE'
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From a74ede38e306ff82ddbaf094d6148dc1bf9e524c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 3 Oct 2024 14:42:29 +0100
Subject: [PATCH 107/116] qgs: add space between program name & first arg in
Subject: [PATCH 107/117] qgs: add space between program name & first arg in
usage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -35,5 +35,5 @@ index 478dbfe..3618b5a 100644
exit(1);
}
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From 1e760dc7a67d601121b625e0d2bd7b2fe8b7b042 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 4 Oct 2024 09:43:17 +0100
Subject: [PATCH 108/116] qgs: protect against format strings in QL log
Subject: [PATCH 108/117] qgs: protect against format strings in QL log
messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -35,5 +35,5 @@ index 77838c3..1e97b58 100644
}
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From ddd7a6a15ed433b1bd75c620f3c075609d5f3c94 Mon Sep 17 00:00:00 2001
From d43ef4cac2c2c022b89b0938be71a9b36b9a1923 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 3 Oct 2024 16:57:35 +0100
Subject: [PATCH 109/116] qgs: add --debug parameter to control logging
Subject: [PATCH 109/117] qgs: add --debug parameter to control logging
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -90,7 +90,7 @@ index 1e97b58..db642f7 100644
QGS_LOG_WARN("Failed to set logging callback for the quote provider library.\n");
}
diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
index 3618b5a..a65a985 100644
index 3618b5a..47f6c26 100644
--- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
@@ -75,7 +75,7 @@ int main(int argc, const char* argv[])
@ -106,10 +106,10 @@ index 3618b5a..a65a985 100644
<< endl;
no_daemon = true;
continue;
+ } else if (strcmp(argv[i], "--debug") == 0) {
+ } else if (strcmp(argv[i], "--debug") == 0) {
+ qgs_verbose = qgs_debug = true;
+ continue;
+ } else if (strcmp(argv[i], "--verbose") == 0) {
+ } else if (strcmp(argv[i], "--verbose") == 0) {
+ qgs_verbose = true;
+ continue;
} else if (strncmp(argv[i], "-p=", 3 ) == 0) {
@ -125,5 +125,5 @@ index 3618b5a..a65a985 100644
exit(1);
}
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From d4fa45636b1a58cf832fd7b955ef1b3f2368d526 Mon Sep 17 00:00:00 2001
From d375ba770975e565850ac12392bbc44807f28f75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 8 Oct 2024 10:13:02 +0100
Subject: [PATCH 110/116] pccsadmin: remove leftover debugging 'print(args)'
Subject: [PATCH 110/117] pccsadmin: remove leftover debugging 'print(args)'
statement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -29,5 +29,5 @@ index ffee326..8e447c5 100755
if args.command == 'put' and args.url and args.url.endswith("/appraisalpolicy"):
if not args.fmspc or not args.input_file:
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From d9b93bb6836027b94ba93980002d7f2f7cc81415 Mon Sep 17 00:00:00 2001
From 1db2f71aead55201fcd82efa7d1ee99c9fa006b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 17 Jan 2025 15:39:39 +0000
Subject: [PATCH 111/116] Fix soname version for libsgx_qe3_logic.so library
Subject: [PATCH 111/117] Fix soname version for libsgx_qe3_logic.so library
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -51,5 +51,5 @@ index 9b8c936..c92d782 100644
$(BUILD_DIR):
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From a3858a707f3f37722d5b851f89cfd61bd9361343 Mon Sep 17 00:00:00 2001
From 9c8155bb1b2928390a21408944fd876f40c281e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 6 Feb 2025 20:08:59 +0000
Subject: [PATCH 112/116] Workaround broken GCC 15
Subject: [PATCH 112/117] Workaround broken GCC 15
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -36,5 +36,5 @@ index 15fbdd4..4400544 100644
private:
struct alignas(A)_T_instantiator_
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From 9a9cee8d5535320ab7f52388d8cd832c50bd100e Mon Sep 17 00:00:00 2001
From c4a2855d01b06e1da960a677379c55a5b31b427c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 2 Apr 2025 18:39:31 +0100
Subject: [PATCH 113/116] Don't disable cf-protection for qgs
Subject: [PATCH 113/117] Don't disable cf-protection for qgs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -27,5 +27,5 @@ index 8228bdf..5116d85 100644
DEPENDS = ${QGS_OBJS test_client.o:.o=.d}
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From c765d43c957cb18c7614883b3a4043fed22b8e92 Mon Sep 17 00:00:00 2001
From 3bcde80a8e81c6f9992085f5a924544fb6082d79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Thu, 3 Apr 2025 17:44:48 +0100
Subject: [PATCH 114/116] Delete broken checks for GCC version that break
Subject: [PATCH 114/117] Delete broken checks for GCC version that break
-fstack-protector-strong
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -201,5 +201,5 @@ index b6968c6..1d2106b 100644
ifdef DEBUG
COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From 9588a9e5e730e31773437d96fdb1b4e8c1dfc55f Mon Sep 17 00:00:00 2001
From e7afd8a28400d47b3864514fde5c2ce62d3937ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 26 Feb 2024 12:19:51 +0000
Subject: [PATCH 115/116] Use distro provided rapidjson package
Subject: [PATCH 115/117] Use distro provided rapidjson package
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -170,5 +170,5 @@ index c8e1d01..6f1440a 100644
# the library shared object name
LIB_NAME := libPCKCertSelection.a
--
2.48.1
2.49.0


@ -1,7 +1,7 @@
From 35efa4bf39f88b0fe172b43e6c8ce81f4bb40dfc Mon Sep 17 00:00:00 2001
From 224d1fe828bc4fcaa0861c3b59ddcc0c979fc2d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 16 Apr 2025 11:48:52 +0100
Subject: [PATCH 116/116] Don't stomp on "VERBOSE" variable
Subject: [PATCH 116/117] Don't stomp on "VERBOSE" variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -97,5 +97,5 @@ index 3d474bb..0f593f5 100644
- $(VERBOSE) rm -vrf $(TARGET) $(SIGNING_MATERIAL)
+ $(CMD_VERBOSE) rm -vrf $(TARGET) $(SIGNING_MATERIAL)
--
2.48.1
2.49.0


@ -0,0 +1,103 @@
From 8ded27dcf0c5a02c7869568bd1cafd5c2d15c0b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 2 May 2025 14:48:24 +0100
Subject: [PATCH 117/117] qgs: add -m=MODE parameter for UNIX socket mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The UNIX socket mode default is controlled by the process umask, but it
can be desirable to override this to open up the socket mode, while
keeping the umask restrictive.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
.../quote_wrapper/qgs/server_main.cpp | 35 +++++++++++++++++--
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
index 47f6c26..4628b18 100644
--- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
@@ -73,9 +73,10 @@ int main(int argc, const char* argv[])
bool no_daemon = false;
unsigned long int port = 0;
unsigned long int num_threads = 0;
+ unsigned long int mode = 0;
char *endptr = NULL;
if (argc > 4) {
- cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-n=number_threads] [--verbose] [--debug]"
+ cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-m=unix_socket_mode] [-n=number_threads] [--verbose] [--debug]"
<< endl;
exit(1);
}
@@ -106,6 +107,19 @@ int main(int argc, const char* argv[])
}
cout << "port number [" << port << "] found in cmdline" << endl;
continue;
+ } else if (strncmp(argv[i], "-m=", 3 ) == 0) {
+ if (strspn(argv[i] + 3, "0123456789") != strlen(argv[i] + 3)) {
+ cout << "Please input valid socket mode" << endl;
+ exit(1);
+ }
+ errno = 0;
+ mode = strtoul(argv[i] + 3, &endptr, 8);
+ if (errno || strlen(endptr) || (mode > UINT_MAX) ) {
+ cout << "Please input valid socket mode" << endl;
+ exit(1);
+ }
+ cout << "socket mode [" << oct << mode << dec << "] found in cmdline" << endl;
+ continue;
} else if (strncmp(argv[i], "-n=", 3) == 0) {
if (strspn(argv[i] + 3, "0123456789") != strlen(argv[i] + 3)) {
cout << "Please input valid thread number" << endl;
@@ -120,7 +134,7 @@ int main(int argc, const char* argv[])
cout << "thread number [" << num_threads << "] found in cmdline" << endl;
continue;
} else {
- cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-n=number_threads] [--verbose] [--debug]"
+ cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-m=unix_socket_mode] [-n=number_threads] [--verbose] [--debug]"
<< endl;
exit(1);
}
@@ -129,7 +143,7 @@ int main(int argc, const char* argv[])
// Use the port number in QGS_CONFIG_FILE if no valid port number on
// command line
- if (port == 0 || num_threads == 0) {
+ if (port == 0 || num_threads == 0 || mode == 0) {
ifstream config_file(QGS_CONFIG_FILE);
if (config_file.is_open()) {
string line;
@@ -161,6 +175,15 @@ int main(int argc, const char* argv[])
<< QGS_CONFIG_FILE << endl;
exit(1);
}
+ } else if (!mode && name.compare("socket_mode") == 0) {
+ errno = 0;
+ endptr = NULL;
+ mode = strtoul(value, &endptr, 8);
+ if (errno || strlen(endptr) || (mode > UINT_MAX)) {
+ cout << "Please input valid socket mode in "
+ << QGS_CONFIG_FILE << endl;
+ exit(1);
+ }
} else if (!num_threads && name.compare("number_threads") == 0) {
errno = 0;
endptr = NULL;
@@ -212,6 +235,12 @@ int main(int argc, const char* argv[])
}
QGS_LOG_INFO("About to create QgsServer with num_thread = %d\n", (uint8_t)num_threads);
server = new QgsServer(io_service, ep, (uint8_t)num_threads);
+ /* Allow mode to be determined by umask by default,
+ * overriding only if an explicit mode is requested
+ */
+ if (!port && mode != 0) {
+ chmod(QGS_UNIX_SOCKET_FILE, mode);
+ }
QGS_LOG_INFO("About to start main loop\n");
io_service.run();
QGS_LOG_INFO("Quit main loop\n");
--
2.49.0
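Review bot: The new `-m=` option is not reflected in the `if (argc > 4)` guard that is visible as context at the top of the first hunk, which still rejects any invocation with more than three options even though the usage string it prints now advertises six; with qgs.service passing `--no-daemon -m=0666 $QGS_ARGS`, a second argument in QGS_ARGS (say `-n=2 --debug`) would exit at the usage message instead of starting. The guard should be raised to the real maximum, `if (argc > 7) {`, or dropped in favour of the per-argument parsing below it. Separately, the `chmod(QGS_UNIX_SOCKET_FILE, mode)` call in the last hunk discards its result, so a failed mode change leaves the socket at the umask-derived mode with nothing in the log to explain why clients cannot connect; `if (chmod(QGS_UNIX_SOCKET_FILE, mode) < 0) QGS_LOG_WARN("Failed to set socket mode: %s\n", strerror(errno));` would surface it. main() starts and ends outside these hunks.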


@ -341,6 +341,7 @@ Patch0113: 0113-Don-t-disable-cf-protection-for-qgs.patch
Patch0114: 0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
#Patch0115: 0115-Use-distro-provided-rapidjson-package.patch
Patch0116: 0116-Don-t-stomp-on-VERBOSE-variable.patch
Patch0117: 0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch
# 0200-0299 -> against intel-sgx-ssl.git
Patch0200: 0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch
@ -1542,7 +1543,7 @@ ln -s libsgx_qe3_logic.so.1 %{buildroot}%{_libdir}/libsgx_qe3_logic.so
%config(noreplace) %{_sysconfdir}/qgs.conf
%{_sysusersdir}/qgs.conf
%attr(0700,qgs,qgs) %dir %{_sharedstatedir}/qgs
%attr(0700,qgs,qgs) %dir %{_rundir}/tdx-qgs
%ghost %attr(0755,qgs,qgs) %dir %{_rundir}/tdx-qgs
%files -n tdx-attest-libs
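Review bot: The `%ghost %attr(0755,qgs,qgs) %dir %{_rundir}/tdx-qgs` entry in the second hunk now describes a directory created at service start by systemd rather than by the package, and nothing in the spec records that dependency; a comment such as `# created by RuntimeDirectory=tdx-qgs in qgs.service; 0755 matches systemd's default RuntimeDirectoryMode` would keep the two in step when either is edited. The 0755 value is inferred from the unit file in this commit, which does not set RuntimeDirectoryMode explicitly, so the agreement is currently only by default.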


@ -8,16 +8,12 @@ Requires=mpa_registration.service
Type=simple
User=qgs
EnvironmentFile=-/etc/sysconfig/qgs
ExecStartPre=+mkdir -p /var/run/tdx-qgs
ExecStartPre=+chown qgs.qgs /var/run/tdx-qgs
ExecStart=/usr/sbin/qgs --no-daemon $QGS_ARGS
# qgs fails to delete the socket on stop and
# won't delete it on startup either :-(
ExecStopPost=rm -f /var/run/tdx-qgs/qgs.socket
ExecStart=/usr/sbin/qgs --no-daemon -m=0666 $QGS_ARGS
ExecReload=/bin/kill -SIGHUP $MAINPID
Restart=on-failure
RestartSec=15s
RuntimeDirectory=tdx-qgs
WorkingDirectory=/var/lib/qgs
InaccessibleDirectories=/home
DevicePolicy=closed
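Review bot: The `-m=0666` in the new ExecStart line makes the QGS socket connectable by every local account, not only the QEMU process the commit message names, and the unit carries no comment saying that this breadth is intended; if only QEMU needs access, a group-restricted mode such as 0660 with QEMU's user in the socket's group would be narrower, and if 0666 is deliberate a one-line comment above ExecStart stating so would stop it being tightened later by accident. Dropping the ExecStopPost=rm line also drops the comment that explained the stale-socket problem; since systemd removes a RuntimeDirectory= when the unit stops unless RuntimeDirectoryPreserve= is set (it is not set here), a comment `# RuntimeDirectory= is removed on stop, which also clears the stale qgs.socket` would keep that reasoning visible. Note too that `-m=0666` precedes $QGS_ARGS, and each `-m=` occurrence in the parser assigns mode, so an admin-supplied `-m=` in /etc/sysconfig/qgs overrides the unit's value; that is worth stating in the sysconfig file's comment.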


@ -1,4 +1,5 @@
# To enable QGS verbose mode, or debugging (implies verbose),
# uncomment one of these:
QGS_ARGS=
#QGS_ARGS=--debug
#QGS_ARGS=--verbose