#!/bin/sh
## Protect startup of Qubes VMs from /rw content ##
## https://github.com/tasket/Qubes-VM-hardening ##
## Copyright 2017-2019 Christopher Laprise ##
## tasket@protonmail.com ##
# This file is part of Qubes-VM-hardening.
# Qubes-VM-hardening is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Qubes-VM-hardening is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Qubes-VM-hardening. If not, see <http://www.gnu.org/licenses/>.
# Source Qubes library.
. /usr/lib/qubes/init/functions
vmname=$(qubesdb-read /name)

# Private volume device and the temporary mount point used while the real
# /rw is still unmounted; $rwbak holds the quarantined copies of the /rw
# startup dirs.
dev=/dev/xvdb
rw=/mnt/rwtmp
rwbak=$rw/vm-boot-protect

# Error log shown in the rescue shell, the Qubes service flag dir, and the
# root-owned config dir (whitelists, .SHA lists, rc files, default trees).
errlog=/var/run/vm-protect-error
servicedir=/var/run/qubes-service
defdir=/etc/default/vms
version=0.9.2

# sh, bash, X and desktop init scripts under /home/user to be protected
# (made immutable).  Each *_add variable extends the matching default list;
# all of them may be preset from the environment or from the rc files.
chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \
.pam_environment .xprofile .xinitrc .xserverrc .Xsession .xsession .xsessionrc"}
chfiles_add=${chfiles_add:-""}
chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \
.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}
chdirs_add=${chdirs_add:-""}

# Dirs to quarantine and restore from whitelists (vm-boot-protect-root);
# save_backup=0 discards the quarantined copies at the end of the run.
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
privdirs_add=${privdirs_add:-""}
save_backup=${save_backup:-1}

# 0 when the root fs is persistent too (template / standalone), 1 when only
# the private volume persists.
rwonly_pers=0
if is_rwonly_persistent; then
    rwonly_pers=1
fi
# Placeholder function: Runs at end of the vm-boot-protect-root processing.
# Does nothing by default; an rc file sourced later may redefine it.
vm_boot_finish() {
    return
}
# Remount the private volume ($dev, mounted at $rw) read-write before any
# write operation.  On failure (or a missing device) the volume is treated
# as bad: abort_startup RELOCATE quarantines it and exits the script.
remount_rw() {
    [ -e "$dev" ] && mount -o remount,rw "$dev" "$rw" && {
        echo Good rw remount.
        return
    }
    abort_startup RELOCATE "Remount failed!"
}
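# Function: Make user scripts immutable.
# Remounts the private volume read-write, (re)creates the protected files and
# dirs in $rw/home/user as 'user', then sets the immutable attribute on them
# as root.  The chattr paths are relative, so the function refuses to run
# when $rw/home/user cannot be entered: otherwise the attribute would land
# on files of whatever the current directory happens to be (e.g. /root).
# Returns 1 in that case, 0 otherwise.
make_immutable() {
    echo "Making files IMMUTABLE"
    remount_rw

    #initialize_home $rw/home ifneeded
    if ! cd "$rw/home/user"; then
        echo "No $rw/home/user; skipping immutable step."
        return 1
    fi
    # NOTE: the command string is built from $chfiles/$chdirs, which come
    # from the environment or the root-owned rc files; keep them to plain
    # relative names, anything else is interpreted by the user's shell.
    su user -c "mkdir -p $chdirs $chdirs_add; touch $chfiles $chfiles_add 2>/dev/null"
    chattr -R -f +i $chfiles $chfiles_add $chdirs $chdirs_add
    cd /root
}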
# Start rescue shell then exit/fail.
#   $1  "RELOCATE": quarantine the private volume -- the real device node is
#       moved to /dev/badxvdb and a blank 500M loop device takes its place
#       at $dev, so the rest of the boot sees an empty volume (exit 1).
#       "OK": continue normal startup with the private volume (exit 0).
#       Anything else: exit 1 without touching $dev.
#   $2  message appended to $errlog and shown in the rescue shell.
# In every case the system bashrc gets a status banner and an xterm is
# launched from the X session.  Never returns: exiting here also skips the
# config cleanup at the end of the script.
abort_startup() {
    type="$1"
    msg="$2"
    echo "$msg" >>$errlog
    cat $errlog
    rc=1
    case "$type" in
        RELOCATE)
            # quarantine private volume
            umount $dev
            mv -f $dev /dev/badxvdb
            truncate --size=500M /root/dev-xvdb
            loop=$(losetup --find --show /root/dev-xvdb)
            mv -f $loop $dev
            ;;
        OK)
            # allow normal start with private vol
            rc=0
            ;;
    esac

    # Keep the original bashrc content in bashrc-insert and write a new
    # bashrc that prints the status, the error log, then sources the original.
    cat /etc/bashrc /etc/bash.bashrc >/etc/bashrc-insert
    {
        echo "echo '** VM-BOOT-PROTECT SERVICE SHELL'"
        if [ "$type" = "RELOCATE" ]; then
            echo "echo '** Private volume is located at /dev/badxvdb'"
        fi
        echo "cat $errlog"
        echo ". /etc/bashrc-insert"
    } >/etc/bashrc
    ln -f /etc/bashrc /etc/bash.bashrc
    # run xterm from the X session so the message is visible
    echo '/usr/bin/nohup /usr/bin/xterm /bin/bash 0<&- &>/dev/null &' \
        >/etc/X11/Xsession.d/98rescue
    exit $rc
}
# Start with an empty error log (a single newline) so the rescue shell only
# shows messages from this boot.
printf '\n' >$errlog

# The vm-boot-protect-cli service forces the rescue path: quarantine the
# private volume and drop into the service shell.
qsvc vm-boot-protect-cli && abort_startup RELOCATE "CLI requested."
# Run rc file commands if they exist.  The rc files live in the root-owned
# $defdir and are sourced into this (root) shell before anything else runs,
# so they may preset or override any variable or function defined above.
if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
    # Enabled tags: each qubes-service flag vm-boot-tag-<name> selects the
    # config set $defdir/@tags/<name>.* in addition to vms.all and $vmname.
    tags=$(find $servicedir -name 'vm-boot-tag-*' -type f -printf '%f\n' \
        | sort | sed -E 's|^vm-boot-tag-|\@tags/|')
    # $tags is newline separated and split on purpose
    for rcbase in vms.all $tags $vmname; do
        rcfile="$defdir/$rcbase.rc"
        [ -e "$rcfile" ] && . "$rcfile"
    done
fi
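# Mount the private volume read-only at the temporary location $rw.  A
# volume that cannot be mounted is either brand new (all zeros: let Qubes
# initialize it on the next boot) or bad (quarantine it).  abort_startup
# exits the script in both cases.
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
    mkdir -p "$rw"
    if [ -e "$dev" ] && mount -o ro "$dev" "$rw"; then
        echo "Good read-only mount."
    else
        echo "Mount failed."
        # Decide if this is initial boot or a bad volume.  A missing device
        # or an unreadable size counts as bad, not as first boot; cmp -n
        # compares exactly the device's byte count against /dev/zero
        # without loading the volume into memory.
        private_size_512=$(blockdev --getsz "$dev" 2>/dev/null) || private_size_512=0
        if [ "${private_size_512:-0}" -gt 0 ] \
           && cmp -s -n $(( private_size_512 * 512 )) "$dev" /dev/zero; then
            touch /var/run/qubes/VM-BOOT-PROTECT-INITIALIZERW
            abort_startup OK "FIRST BOOT INITIALIZATION: PLEASE RESTART VM!"
        else
            abort_startup RELOCATE "Mount failed; BAD private volume!"
        fi
    fi

    # Template / standalone (root fs persistent too): only the user startup
    # files are locked, then the volume is released again.
    if [ $rwonly_pers = 0 ]; then
        make_immutable
        umount "$rw"
    fi
fi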
# Exit if in template or standalone: everything below only applies when the
# private volume is the sole persistent storage.
[ "$rwonly_pers" = 0 ] && exit 0
# Protection measures for /rw dirs:
# Activated by presence of vm-boot-protect-root Qubes service.
# * Hashes listed in $defdir/vms.all.SHA, $defdir/@tags/<tag>.SHA and $defdir/$vmname.SHA are checked with sha256sum; any mismatch quarantines the volume.
# * Move the /rw root startup dirs (config, usrlocal, bind-dirs) aside into vm-boot-protect/BAK-* on the volume and replace them with empty dirs.
# * Whitelisted entries are restored from BAK-*, then the contents of $defdir/vms.all/rw, $defdir/@tags/<tag>/rw and $defdir/$vmname/rw are copied onto the volume.
2017-05-09 06:48:12 -04:00
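# vm-boot-protect-root processing: hash check, quarantine of the /rw startup
# dirs, whitelist restore, default-file copy, then the vm_boot_finish hook.
# $tags was set by the rc-file block above under the same condition.
if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then

    # --- Check hashes ---
    # Collect the .SHA lists that apply to this VM, most specific first.
    # $tags is newline separated and is split on purpose.
    checkcode=0
    shafiles=""
    for sha_base in $vmname $tags vms.all; do
        if [ -e "$defdir/$sha_base.SHA" ]; then
            shafiles="$shafiles $defdir/$sha_base.SHA"
        fi
    done
    if [ -n "$shafiles" ]; then
        echo "Checking file hashes." |tee "$errlog"
        # Strip padding, drop blank lines, keep one entry per path and point
        # /rw at the temporary mount before checking.  With -u GNU sort keeps
        # the first line of an equal run in input order, so a $vmname.SHA
        # entry overrides a vms.all.SHA entry for the same path.  Any missing
        # file or mismatch makes sha256sum return non-zero.
        cat $shafiles \
        | sed 's/^ *//; s/ *$//; /^$/d;' \
        | sort -u -k2,2 \
        | sed -r 's|^(\S+\s+)/rw|\1'"$rw"'|' \
        | sha256sum --strict -c >>"$errlog"; checkcode=$?
    fi
    # Divert startup on hash mismatch (abort_startup does not return):
    if [ $checkcode != 0 ]; then
        abort_startup RELOCATE "Hash check failed!"
    fi
    remount_rw

    # --- Make files mutable for the del/copy operations below ---
    # privdirs are written as /rw/<dir>, but at this point the volume is
    # mounted at $rw, so the attribute has to be cleared on $rw/<dir>.
    privpaths=""
    for dir in $privdirs $privdirs_add; do
        privpaths="$privpaths $rw/${dir#/rw/}"
    done
    # An immutable bit set from inside the VM on the volume root, the backup
    # dir, a startup dir or anything below it would make the moves below
    # fail; -f ignores paths that do not exist (yet).
    chattr -f -i "$rw" "$rwbak"
    chattr -R -f -i $privpaths $rwbak/BAK-*
    if cd "$rw/home/user"; then
        chattr -R -f -i $chfiles $chfiles_add $chdirs $chdirs_add
        cd /root
    fi

    # --- Deactivate private.img config dirs ---
    # Each dir is moved aside to $rwbak/BAK-<dir> and replaced by an empty
    # dir; the previous BAK-<dir>, if any, is kept once more as ORIG-<dir>.
    mkdir -p "$rwbak"
    for dir in $privdirs $privdirs_add; do # maybe use 'eval' for privdirs quotes/escaping
        echo "Deactivate $dir"
        subdir=${dir#/rw/}
        bakdir="$rwbak/BAK-$subdir"
        origdir="$rwbak/ORIG-$subdir"
        if [ -e "$bakdir" ] && [ ! -e "$origdir" ]; then
            mv "$bakdir" "$origdir"
        fi
        if [ -e "$bakdir" ]; then
            rm -rf "$bakdir"
        fi
        # A move that fails would leave the untrusted startup files active,
        # so it is treated like a bad volume.  -L also catches a dangling
        # symlink planted where the dir should be.
        if [ -e "$rw/$subdir" ] || [ -L "$rw/$subdir" ]; then
            mv "$rw/$subdir" "$bakdir" \
            || abort_startup RELOCATE "Could not quarantine $dir!"
        fi
        mkdir -p "$rw/$subdir" \
        || abort_startup RELOCATE "Could not recreate $dir!"
        # Populate /home/user w skel files if it was in privdirs
        case "$subdir" in
            "home"|"home/"|"home/user"|"home/user/")
                echo "Populating home dir"
                rm -rf /home/user $rw/home/user
                mount --bind $rw/home /home
                mkhomedir_helper user
                umount /home
                ;;
        esac
    done

    for vmset in vms.all $tags $vmname; do
        # --- Process whitelists: bring listed items back from BAK-* ---
        # One path per line, must start with /rw/.  An entry ending in '/'
        # is moved back as a whole (cheap for very large dirs); anything
        # else is hard-linked back with cp -a --link.
        wlist="$defdir/$vmset.whitelist"
        if [ -e "$wlist" ]; then
            # read -r keeps backslashes; the || clause keeps a final line
            # that has no trailing newline.
            while read -r wlfile || [ -n "$wlfile" ]; do
                case "$wlfile" in
                    "")
                        ;;
                    /rw/?*)
                        rest=${wlfile#/rw/}
                        srcfile="$rwbak/BAK-$rest"
                        dstfile="$rw/$rest"
                        dstdir=$(dirname "$dstfile")
                        if [ ! -e "$srcfile" ]; then
                            echo "Whitelist entry not present in filesystem:"
                            echo "$srcfile"
                        elif [ "${wlfile%/}" != "$wlfile" ]; then
                            # For very large dirs: mv whole dir when entry ends with '/'
                            mkdir -p "$dstdir"
                            mv -T "$srcfile" "$dstfile"
                        else
                            mkdir -p "$dstdir"
                            cp -a --link "$srcfile" "$dstdir"
                        fi
                        ;;
                    *)
                        echo "Whitelist path must begin with /rw/. Skipped."
                        ;;
                esac
            done <"$wlist"
        fi

        # --- Copy default files ---
        # Note: 'rw/*' skips dotfiles at the top level of the default tree.
        if [ -d "$defdir/$vmset/rw" ]; then
            cp -af $defdir/$vmset/rw/* $rw
        fi
    done

    vm_boot_finish
fi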
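# Remove backups if indicated (save_backup=0): the quarantined BAK-*/ORIG-*
# copies of the /rw startup dirs are discarded instead of being kept on the
# volume.  Quoted test so an empty save_backup cannot break the comparison;
# ${rwbak:?} aborts rather than run 'rm -rf' with an empty path.
if [ "$save_backup" = 0 ]; then
    chattr -R -f -i "$rwbak"
    rm -rf "${rwbak:?}"
fi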
# Lock the user startup files again and release the temporary mount; the
# normal boot mounts $dev at /rw afterwards.
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
    echo "Preparing for unmount"
    make_immutable
    umount "$rw"
fi
# Keep configs invisible at runtime: outside a template the whitelists, hash
# lists, rc files, service flags and the error log are removed from the root
# fs once they have been used.  A template keeps them, since its root fs is
# the copy being edited.
is_templatevm || rm -rf "$defdir" $servicedir/vm-boot-tag* $servicedir/vm-boot-protect* $errlog
exit 0