Qubes-VM-hardening/usr/lib/qubes/init/vm-sudo-protect.sh

#!/bin/sh

## Protect startup of Qubes VMs from /rw scripts    ##
## https://github.com/tasket/Qubes-VM-hardening     ##


# Source Qubes library.
. /usr/lib/qubes/init/functions

# Define sh, bash, X and desktop init scripts in /home/user
# to be protected
chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \
.xprofile .xinitrc .xserverrc .xsession"
chdirs="bin .config/autostart .config/plasma-workspace/env \
.config/plasma-workspace/shutdown .config/autostart-scripts"
vmname=`qubesdb-read /name`
rw=/mnt/rwtmp

# Function: Make user scripts immutable.
make_immutable() {
    #initialize_home $rw/home ifneeded
    cd $rw/home/user
    mkdir -p $chdirs
    touch $chfiles
    chattr -R -f +i $chfiles $chdirs
    cd /root
    touch $rw/home/user/FIXED #debug
}

# Mount private volume in temp location
mkdir -p $rw
if [ -e /dev/xvdb ] && mount /dev/xvdb $rw ; then
    echo Good rw mount.
else
    echo Mount failed!
    xterm -hold -display :0 -title "VM PROTECTION: MOUNT FAILED!" \
-e "bash -i"
    exit 1
fi
if qsvc vm-sudo-protect-cli; then
    xterm -hold -display :0 -title "VM PROTECTION: SERVICE PROMPT" \
-e "echo Private volume is mounted at $rw; bash -i"
fi


# Protection measures for /rw dirs:
# Activated by presence of vm-sudo-protect-root Qubes service.
#   * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked.
#   * Remove /rw root startup files (config, usrlocal, bind-dirs).
#   * Contents of vms/vms.all and vms/$vmname folders will be copied.
defdir="/etc/default/vms"
privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"}

if qsvc vm-sudo-protect-root && is_rwonly_persistent; then

    # Check hashes
    checkcode=0
    echo "File hash checks:" >/tmp/vm-protect-sum-error
    for vmset in vms.all $vmname; do
        if [ -f $defdir/$vmset.SHA ]; then
            sha256sum --strict -c $defdir/$vmset.SHA >>/tmp/vm-protect-sum-error 2>&1
            checkcode=$((checkcode+$?))
        fi
    done
    cat /tmp/vm-protect-sum-error # For logging

    # Stop system startup on checksum mismatch:
    if [ $checkcode != 0 ]; then
        xterm -hold -display :0 -title "VM PROTECTION: CHECKSUM MISMATCH!" \
-e "cat /tmp/vm-protect-sum-error; echo Private volume is mounted at $rw; bash -i"
        exit 1
    fi

    # Files mutable for del/copy operations
    cd $rw/home/user
    chattr -R -f -i $chfiles $chdirs $privdirs
    cd /root

    # Deactivate private.img config dirs
    for dir in $privdirs; do
        bakdir=`dirname $dir`/BAK-`basename $dir`
        bak2dir=`dirname $dir`/BAK2-`basename $dir`
        if [ -d $bakdir ] && [ ! -d $bak2dir ]; then
            mv $bakdir $bak2dir
        fi
        rm -rf  $bakdir
        mv $dir $bakdir
    done
    mkdir -p $privdirs

    for vmset in vms.all $vmname; do

        # Process whitelists...
        cat $defdir/$vmset.whitelist \
        | while read wlfile; do
            # Must begin with '/rw/'
            if echo $wlfile |grep -q "^\/rw\/"; then #Was [ $wlfile =~ ^\/rw\/ ];
                srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/BAK-\1|\"`"
                dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
                dstdir="`dirname \"$dstfile\"`"
                if [ ! -e "$srcfile" ]; then
                    echo "Whitelist entry not present in filesystem."
                    continue
                # For very large dirs: mv whole dir when entry ends with '/'
                elif echo $wlfile |grep -q "\/$"; then
                    echo "Whitelist mv $srcfile"
                    mkdir -p "$dstdir"
                    mv "$srcfile" "$dstdir"
                else
                    echo "Whitelist cp $srcfile"
                    cp -a --link "$srcfile" "$dstdir"
                fi
            elif [ -n "$wlfile" ]; then
                echo "Whitelist path must begin with /rw/."
            fi
        done

        # Copy default files...
        if [ -d $defdir/$vmset/rw ]; then
            cp -af "$defdir/$vmset/rw/*" $rw
        fi

    done

fi

make_immutable
umount $rw
exit 0
Create vm-sudo-protect.sh 2017-04-17 14:23:59 -04:00			`#!/bin/sh`

In progress, broken. 2017-05-09 06:48:12 -04:00			`## Protect startup of Qubes VMs from /rw scripts ##`
			`## https://github.com/tasket/Qubes-VM-hardening ##`


			`# Source Qubes library.`
			`. /usr/lib/qubes/init/functions`
Update vm-sudo-protect.sh Avoids using fstab mountpoint and enables using `vm-sudo-protect-root` as Qubes service. 2017-04-20 19:33:44 -04:00
Improved whitelist processing 2017-05-12 05:47:53 -04:00			`# Define sh, bash, X and desktop init scripts in /home/user`
Create vm-sudo-protect.sh 2017-04-17 14:23:59 -04:00			`# to be protected`
			`chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \`
			`.xprofile .xinitrc .xserverrc .xsession"`
Add bin to immutables 2018-01-25 07:49:53 -05:00			`chdirs="bin .config/autostart .config/plasma-workspace/env \`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`.config/plasma-workspace/shutdown .config/autostart-scripts"`
Improved whitelist processing 2017-05-12 05:47:53 -04:00			vmname=`qubesdb-read /name`
			`rw=/mnt/rwtmp`
Create vm-sudo-protect.sh 2017-04-17 14:23:59 -04:00
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`# Function: Make user scripts immutable.`
In progress, broken. 2017-05-09 06:48:12 -04:00			`make_immutable() {`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`#initialize_home $rw/home ifneeded`
In progress, broken. 2017-05-09 06:48:12 -04:00			`cd $rw/home/user`
			`mkdir -p $chdirs`
			`touch $chfiles`
			`chattr -R -f +i $chfiles $chdirs`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`cd /root`
Fixes for testing. 2017-05-09 19:02:54 -04:00			`touch $rw/home/user/FIXED #debug`
In progress, broken. 2017-05-09 06:48:12 -04:00			`}`

			`# Mount private volume in temp location`
Update vm-sudo-protect.sh Avoids using fstab mountpoint and enables using `vm-sudo-protect-root` as Qubes service. 2017-04-20 19:33:44 -04:00			`mkdir -p $rw`
			`if [ -e /dev/xvdb ] && mount /dev/xvdb $rw ; then`
In progress, broken. 2017-05-09 06:48:12 -04:00			`echo Good rw mount.`
Create vm-sudo-protect.sh 2017-04-17 14:23:59 -04:00			`else`
Improved whitelist processing 2017-05-12 05:47:53 -04:00			`echo Mount failed!`
			`xterm -hold -display :0 -title "VM PROTECTION: MOUNT FAILED!" \`
			`-e "bash -i"`
			`exit 1`
Create vm-sudo-protect.sh 2017-04-17 14:23:59 -04:00			`fi`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`if qsvc vm-sudo-protect-cli; then`
			`xterm -hold -display :0 -title "VM PROTECTION: SERVICE PROMPT" \`
			`-e "echo Private volume is mounted at $rw; bash -i"`
			`fi`

Create vm-sudo-protect.sh 2017-04-17 14:23:59 -04:00
In progress, broken. 2017-05-09 06:48:12 -04:00			`# Protection measures for /rw dirs:`
fix comment 2017-04-21 00:17:55 -04:00			`# Activated by presence of vm-sudo-protect-root Qubes service.`
Improved whitelist processing 2017-05-12 05:47:53 -04:00			`# * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked.`
			`# * Remove /rw root startup files (config, usrlocal, bind-dirs).`
			`# * Contents of vms/vms.all and vms/$vmname folders will be copied.`
Create vm-sudo-protect.sh 2017-04-17 14:23:59 -04:00			`defdir="/etc/default/vms"`
Improved whitelist processing 2017-05-12 05:47:53 -04:00			`privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"}`
In progress, broken. 2017-05-09 06:48:12 -04:00
			`if qsvc vm-sudo-protect-root && is_rwonly_persistent; then`

			`# Check hashes`
			`checkcode=0`
			`echo "File hash checks:" >/tmp/vm-protect-sum-error`
Improved whitelist processing 2017-05-12 05:47:53 -04:00			`for vmset in vms.all $vmname; do`
In progress, broken. 2017-05-09 06:48:12 -04:00			`if [ -f $defdir/$vmset.SHA ]; then`
Fixes for testing. 2017-05-09 19:02:54 -04:00			`sha256sum --strict -c $defdir/$vmset.SHA >>/tmp/vm-protect-sum-error 2>&1`
In progress, broken. 2017-05-09 06:48:12 -04:00			`checkcode=$((checkcode+$?))`
			`fi`
			`done`
Fixes for testing. 2017-05-09 19:02:54 -04:00			`cat /tmp/vm-protect-sum-error # For logging`
Improved whitelist processing 2017-05-12 05:47:53 -04:00
			`# Stop system startup on checksum mismatch:`
In progress, broken. 2017-05-09 06:48:12 -04:00			`if [ $checkcode != 0 ]; then`
			`xterm -hold -display :0 -title "VM PROTECTION: CHECKSUM MISMATCH!" \`
			`-e "cat /tmp/vm-protect-sum-error; echo Private volume is mounted at $rw; bash -i"`
			`exit 1`
			`fi`

Fixes for testing. 2017-05-09 19:02:54 -04:00			`# Files mutable for del/copy operations`
In progress, broken. 2017-05-09 06:48:12 -04:00			`cd $rw/home/user`
Improved whitelist processing 2017-05-12 05:47:53 -04:00			`chattr -R -f -i $chfiles $chdirs $privdirs`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`cd /root`
Improved whitelist processing 2017-05-12 05:47:53 -04:00
			`# Deactivate private.img config dirs`
			`for dir in $privdirs; do`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			bakdir=`dirname $dir`/BAK-`basename $dir`
Backup when deactivating 2018-01-25 07:46:33 -05:00			bak2dir=`dirname $dir`/BAK2-`basename $dir`
			`if [ -d $bakdir ] && [ ! -d $bak2dir ]; then`
			`mv $bakdir $bak2dir`
			`fi`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`rm -rf $bakdir`
			`mv $dir $bakdir`
Fixes for testing. 2017-05-09 19:02:54 -04:00			`done`
Improved whitelist processing 2017-05-12 05:47:53 -04:00			`mkdir -p $privdirs`

			`for vmset in vms.all $vmname; do`

			`# Process whitelists...`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`cat $defdir/$vmset.whitelist \`
			`\| while read wlfile; do`
Improved whitelist processing 2017-05-12 05:47:53 -04:00			`# Must begin with '/rw/'`
			`if echo $wlfile \|grep -q "^\/rw\/"; then #Was [ $wlfile =~ ^\/rw\/ ];`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			srcfile="`echo $wlfile \|sed -r \"s\|^/rw/(.+)$\|$rw/BAK-\1\|\"`"
			dstfile="`echo $wlfile \|sed -r \"s\|^/rw/(.+)$\|$rw/\1\|\"`"
			dstdir="`dirname \"$dstfile\"`"
			`if [ ! -e "$srcfile" ]; then`
			`echo "Whitelist entry not present in filesystem."`
			`continue`
			`# For very large dirs: mv whole dir when entry ends with '/'`
			`elif echo $wlfile \|grep -q "\/$"; then`
			`echo "Whitelist mv $srcfile"`
			`mkdir -p "$dstdir"`
			`mv "$srcfile" "$dstdir"`
Improved whitelist processing 2017-05-12 05:47:53 -04:00			`else`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`echo "Whitelist cp $srcfile"`
			`cp -a --link "$srcfile" "$dstdir"`
Improved whitelist processing 2017-05-12 05:47:53 -04:00			`fi`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`elif [ -n "$wlfile" ]; then`
Improved whitelist processing 2017-05-12 05:47:53 -04:00			`echo "Whitelist path must begin with /rw/."`
			`fi`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`done`
In progress, broken. 2017-05-09 06:48:12 -04:00
Improved whitelist processing 2017-05-12 05:47:53 -04:00			`# Copy default files...`
			`if [ -d $defdir/$vmset/rw ]; then`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`cp -af "$defdir/$vmset/rw/*" $rw`
Fixes for testing. 2017-05-09 19:02:54 -04:00			`fi`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00
In progress, broken. 2017-05-09 06:48:12 -04:00			`done`

			`fi`

			`make_immutable`
Fixes, add CLI service. 2017-05-13 15:00:13 -04:00			`umount $rw`
In progress, broken. 2017-05-09 06:48:12 -04:00			`exit 0`