add nosuid,nodev protection

2019-08-27 21:13:20 -04:00 · 2019-08-27 21:13:20 -04:00 · 05d8649e05
parent 47b42547d1
commit 05d8649e05
4 changed files with 33 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -119,6 +119,7 @@ Some useful configurations have been supplied in /etc/default/vms:
   * The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall`

 ## Releases
+   - v0.9.3  Protect against suid and device nodes
   - v0.9.2  Fix vm-boot-protect mode
   - v0.9.1  Optimized, fix rc order, new "wiperw" tag
   - v0.9.0  Add tags and rc files, protect more home scripts, reinitialize home
--- a/20
+++ b/20
@ -17,11 +17,27 @@ See https://qubes-os.org/doc/vm-sudo for manual instructions."
    exit 1
 fi

+
+if [ "$1" = "--force" ]; then
+    force=1
+else
+    force=0
+fi
+
+if grep -q '^auth .* dom0\squbes\.VMAuth' /etc/pam.d/common-auth && [ $force = 0 ]; then
+    echo "System appears already configured for sudo prompts."
+    echo "To force re-configuration run 'configure-sudo-prompt --force'."
+    exit 0
+fi
+
+
 echo -e "\n--+  Enable yes/no authentication prompt for sudo  +--
 Warning: Before opting for this change a backup or clone
 should me made of this template!"
-read -p "Configure sudo authentication prompt now? (y/n): " answer
-if [[ $answer == @(y|Y) ]]; then
+if [ $force = 0 ]; then
+    read -p "Configure sudo authentication prompt now? (y/n): " answer
+fi
+if [[ $answer == @(y|Y) ]] || [ $force = 1 ]; then

    mv -fb /etc/pam.d/common-auth /etc/pam.d/common-auth~
    cat >/etc/pam.d/common-auth <<_EOF
--- a/7
+++ b/7
@ -1,6 +1,6 @@
 #!/bin/bash
 # From https://github.com/tasket/Qubes-VM-hardening
-# installer version 0.9.0
+# installer version 0.9.3

 set -e
 [ `id -u` -eq 0 ] || exit
@ -33,6 +33,11 @@ mkdir -p /etc/default/vms
 # Careful... ownership & mode are not preserved here!
 cp -riv default/vms/* /etc/default/vms

+echo "Adding nosuid,nodev options to /etc/fstab..."
+cp /etc/fstab /etc/fstab.bak
+awk '($1~"^/rw/" || $2~"^/rw$") && ($4!~"nosuid" || $4!~"nodev") {$4=$4",nosuid,nodev"}1' \
+    /etc/fstab.bak >/etc/fstab
+

 echo -e "\nvm-boot-protect installed!\n"

--- a/vm-boot-protect.sh
+++ b/vm-boot-protect.sh
@ -30,7 +30,7 @@ rwbak=$rw/vm-boot-protect
 errlog=/var/run/vm-protect-error
 servicedir=/var/run/qubes-service
 defdir=/etc/default/vms
-version=0.9.2
+version=0.9.3

 # Define sh, bash, X and desktop init scripts in /home/user
 # to be protected
@ -60,7 +60,7 @@ vm_boot_finish() { return; }
 # Remount fs as read-write
 remount_rw() {
    # Begin write operations
-    if [ -e $dev ] && mount -o remount,rw $dev $rw ; then
+    if [ -e $dev ] && mount -o remount,rw,nosuid,nodev $dev $rw ; then
        echo Good rw remount.
    else
        abort_startup RELOCATE "Remount failed!"
@ -139,7 +139,7 @@ fi
 if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
    # Mount private volume in temp location
    mkdir -p $rw
-    if [ -e $dev ] && mount -o ro $dev $rw ; then
+    if [ -e $dev ] && mount -o ro,nosuid,nodev $dev $rw ; then
        echo "Good read-only mount."
    else
        echo "Mount failed."
@ -208,7 +208,7 @@ if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
    # Deactivate private.img config dirs
    mkdir -p $rwbak
    for dir in $privdirs $privdirs_add; do # maybe use 'eval' for privdirs quotes/escaping
-        echo "Deactivate $dir"
+        # echo "Deactivate $dir"
        subdir=`echo $dir |sed -r 's|^/rw/||'`
        bakdir="$rwbak/BAK-$subdir"
        origdir="$rwbak/ORIG-$subdir"
@ -225,9 +225,9 @@ if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
        # Populate /home/user w skel files if it was in privdirs
        case "$subdir" in
            "home"|"home/"|"home/user"|"home/user/")
-                echo "Populating home dir"
+                # echo "Populating home dir"
                rm -rf /home/user $rw/home/user
-                mount --bind $rw/home /home
+                mount --bind -o nosuid,nodev $rw/home /home
                mkhomedir_helper user
                umount /home
                ;;
@ -246,8 +246,8 @@ if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
                    dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
                    dstdir="`dirname \"$dstfile\"`"
                    if [ ! -e "$srcfile" ]; then
-                        echo "Whitelist entry not present in filesystem:"
-                        echo "$srcfile"
+                        # echo "Whitelist entry not present in filesystem:"
+                        # echo "$srcfile"
                        continue
                    # For very large dirs: mv whole dir when entry ends with '/'
                    elif echo $wlfile |grep -q "\/$"; then