add nosuid,nodev protection

README.md

@@ -119,6 +119,7 @@ Some useful configurations have been supplied in /etc/default/vms:
    * The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall`
 
 ## Releases
+   - v0.9.3  Protect against suid and device nodes
    - v0.9.2  Fix vm-boot-protect mode
    - v0.9.1  Optimized, fix rc order, new "wiperw" tag
    - v0.9.0  Add tags and rc files, protect more home scripts, reinitialize home

configure-sudo-prompt

@@ -17,11 +17,27 @@ See https://qubes-os.org/doc/vm-sudo for manual instructions."
     exit 1
 fi
 
+
+if [ "$1" = "--force" ]; then
+    force=1
+else
+    force=0
+fi
+
+if grep -q '^auth .* dom0\squbes\.VMAuth' /etc/pam.d/common-auth && [ $force = 0 ]; then
+    echo "System appears already configured for sudo prompts."
+    echo "To force re-configuration run 'configure-sudo-prompt --force'."
+    exit 0
+fi
+
+
 echo -e "\n--+  Enable yes/no authentication prompt for sudo  +--
 Warning: Before opting for this change a backup or clone
 should me made of this template!"
-read -p "Configure sudo authentication prompt now? (y/n): " answer
-if [[ $answer == @(y|Y) ]]; then
+if [ $force = 0 ]; then
+    read -p "Configure sudo authentication prompt now? (y/n): " answer
+fi
+if [[ $answer == @(y|Y) ]] || [ $force = 1 ]; then
 
     mv -fb /etc/pam.d/common-auth /etc/pam.d/common-auth~
     cat >/etc/pam.d/common-auth <<_EOF

install

@@ -1,6 +1,6 @@
 #!/bin/bash
 # From https://github.com/tasket/Qubes-VM-hardening
-# installer version 0.9.0
+# installer version 0.9.3
 
 set -e
 [ `id -u` -eq 0 ] || exit
@@ -33,6 +33,11 @@ mkdir -p /etc/default/vms
 # Careful... ownership & mode are not preserved here!
 cp -riv default/vms/* /etc/default/vms
 
+echo "Adding nosuid,nodev options to /etc/fstab..."
+cp /etc/fstab /etc/fstab.bak
+awk '($1~"^/rw/" || $2~"^/rw$") && ($4!~"nosuid" || $4!~"nodev") {$4=$4",nosuid,nodev"}1' \
+    /etc/fstab.bak >/etc/fstab
+
 
 echo -e "\nvm-boot-protect installed!\n"
 

vm-boot-protect.sh

@@ -30,7 +30,7 @@ rwbak=$rw/vm-boot-protect
 errlog=/var/run/vm-protect-error
 servicedir=/var/run/qubes-service
 defdir=/etc/default/vms
-version=0.9.2
+version=0.9.3
 
 # Define sh, bash, X and desktop init scripts in /home/user
 # to be protected
@@ -60,7 +60,7 @@ vm_boot_finish() { return; }
 # Remount fs as read-write
 remount_rw() {
     # Begin write operations
-    if [ -e $dev ] && mount -o remount,rw $dev $rw ; then
+    if [ -e $dev ] && mount -o remount,rw,nosuid,nodev $dev $rw ; then
         echo Good rw remount.
     else
         abort_startup RELOCATE "Remount failed!"
@@ -139,7 +139,7 @@ fi
 if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
     # Mount private volume in temp location
     mkdir -p $rw
-    if [ -e $dev ] && mount -o ro $dev $rw ; then
+    if [ -e $dev ] && mount -o ro,nosuid,nodev $dev $rw ; then
         echo "Good read-only mount."
     else
         echo "Mount failed."
@@ -208,7 +208,7 @@ if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
     # Deactivate private.img config dirs
     mkdir -p $rwbak
     for dir in $privdirs $privdirs_add; do # maybe use 'eval' for privdirs quotes/escaping
-        echo "Deactivate $dir"
+        # echo "Deactivate $dir"
         subdir=`echo $dir |sed -r 's|^/rw/||'`
         bakdir="$rwbak/BAK-$subdir"
         origdir="$rwbak/ORIG-$subdir"
@@ -225,9 +225,9 @@ if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
         # Populate /home/user w skel files if it was in privdirs
         case "$subdir" in
             "home"|"home/"|"home/user"|"home/user/")
-                echo "Populating home dir"
+                # echo "Populating home dir"
                 rm -rf /home/user $rw/home/user
-                mount --bind $rw/home /home
+                mount --bind -o nosuid,nodev $rw/home /home
                 mkhomedir_helper user
                 umount /home
                 ;;
@@ -246,8 +246,8 @@ if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
                     dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
                     dstdir="`dirname \"$dstfile\"`"
                     if [ ! -e "$srcfile" ]; then
-                        echo "Whitelist entry not present in filesystem:"
-                        echo "$srcfile"
+                        # echo "Whitelist entry not present in filesystem:"
+                        # echo "$srcfile"
                         continue
                     # For very large dirs: mv whole dir when entry ends with '/'
                     elif echo $wlfile |grep -q "\/$"; then