Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2024-10-01 06:35:42 -04:00
Code Issues Packages Projects Releases Wiki Activity

add nosuid,nodev protection

Browse Source
This commit is contained in:
Christopher Laprise 2019-08-27 21:13:20 -04:00
parent 47b42547d1
commit 05d8649e05
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
4 changed files with 33 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -119,6 +119,7 @@ Some useful configurations have been supplied in /etc/default/vms:
* The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall` * The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall`
## Releases ## Releases
- v0.9.3 Protect against suid and device nodes
- v0.9.2 Fix vm-boot-protect mode - v0.9.2 Fix vm-boot-protect mode
- v0.9.1 Optimized, fix rc order, new "wiperw" tag - v0.9.1 Optimized, fix rc order, new "wiperw" tag
- v0.9.0 Add tags and rc files, protect more home scripts, reinitialize home - v0.9.0 Add tags and rc files, protect more home scripts, reinitialize home

20
configure-sudo-prompt
View File

@ -17,11 +17,27 @@ See https://qubes-os.org/doc/vm-sudo for manual instructions."
exit 1 exit 1
fi fi
if [ "$1" = "--force" ]; then
force=1
else
force=0
fi
if grep -q '^auth .* dom0\squbes\.VMAuth' /etc/pam.d/common-auth && [ $force = 0 ]; then
echo "System appears already configured for sudo prompts."
echo "To force re-configuration run 'configure-sudo-prompt --force'."
exit 0
fi
echo -e "\n--+ Enable yes/no authentication prompt for sudo +-- echo -e "\n--+ Enable yes/no authentication prompt for sudo +--
Warning: Before opting for this change a backup or clone Warning: Before opting for this change a backup or clone
should me made of this template!" should me made of this template!"
read -p "Configure sudo authentication prompt now? (y/n): " answer if [ $force = 0 ]; then
if [[ $answer == @(y|Y) ]]; then read -p "Configure sudo authentication prompt now? (y/n): " answer
fi
if [[ $answer == @(y|Y) ]] || [ $force = 1 ]; then
mv -fb /etc/pam.d/common-auth /etc/pam.d/common-auth~ mv -fb /etc/pam.d/common-auth /etc/pam.d/common-auth~
cat >/etc/pam.d/common-auth <<_EOF cat >/etc/pam.d/common-auth <<_EOF

7
install
View File

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# From https://github.com/tasket/Qubes-VM-hardening # From https://github.com/tasket/Qubes-VM-hardening
# installer version 0.9.0 # installer version 0.9.3
set -e set -e
[ `id -u` -eq 0 ] || exit [ `id -u` -eq 0 ] || exit
@ -33,6 +33,11 @@ mkdir -p /etc/default/vms
# Careful... ownership & mode are not preserved here! # Careful... ownership & mode are not preserved here!
cp -riv default/vms/* /etc/default/vms cp -riv default/vms/* /etc/default/vms
echo "Adding nosuid,nodev options to /etc/fstab..."
cp /etc/fstab /etc/fstab.bak
awk '($1~"^/rw/" || $2~"^/rw$") && ($4!~"nosuid" || $4!~"nodev") {$4=$4",nosuid,nodev"}1' \
/etc/fstab.bak >/etc/fstab
echo -e "\nvm-boot-protect installed!\n" echo -e "\nvm-boot-protect installed!\n"

16
vm-boot-protect.sh
View File

@ -30,7 +30,7 @@ rwbak=$rw/vm-boot-protect
errlog=/var/run/vm-protect-error errlog=/var/run/vm-protect-error
servicedir=/var/run/qubes-service servicedir=/var/run/qubes-service
defdir=/etc/default/vms defdir=/etc/default/vms
version=0.9.2 version=0.9.3
# Define sh, bash, X and desktop init scripts in /home/user # Define sh, bash, X and desktop init scripts in /home/user
# to be protected # to be protected
@ -60,7 +60,7 @@ vm_boot_finish() { return; }
# Remount fs as read-write # Remount fs as read-write
remount_rw() { remount_rw() {
# Begin write operations # Begin write operations
if [ -e $dev ] && mount -o remount,rw $dev $rw ; then if [ -e $dev ] && mount -o remount,rw,nosuid,nodev $dev $rw ; then
echo Good rw remount. echo Good rw remount.
else else
abort_startup RELOCATE "Remount failed!" abort_startup RELOCATE "Remount failed!"
@ -139,7 +139,7 @@ fi
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
# Mount private volume in temp location # Mount private volume in temp location
mkdir -p $rw mkdir -p $rw
if [ -e $dev ] && mount -o ro $dev $rw ; then if [ -e $dev ] && mount -o ro,nosuid,nodev $dev $rw ; then
echo "Good read-only mount." echo "Good read-only mount."
else else
echo "Mount failed." echo "Mount failed."
@ -208,7 +208,7 @@ if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
# Deactivate private.img config dirs # Deactivate private.img config dirs
mkdir -p $rwbak mkdir -p $rwbak
for dir in $privdirs $privdirs_add; do # maybe use 'eval' for privdirs quotes/escaping for dir in $privdirs $privdirs_add; do # maybe use 'eval' for privdirs quotes/escaping
echo "Deactivate $dir" # echo "Deactivate $dir"
subdir=`echo $dir |sed -r 's|^/rw/||'` subdir=`echo $dir |sed -r 's|^/rw/||'`
bakdir="$rwbak/BAK-$subdir" bakdir="$rwbak/BAK-$subdir"
origdir="$rwbak/ORIG-$subdir" origdir="$rwbak/ORIG-$subdir"
@ -225,9 +225,9 @@ if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
# Populate /home/user w skel files if it was in privdirs # Populate /home/user w skel files if it was in privdirs
case "$subdir" in case "$subdir" in
"home"|"home/"|"home/user"|"home/user/") "home"|"home/"|"home/user"|"home/user/")
echo "Populating home dir" # echo "Populating home dir"
rm -rf /home/user $rw/home/user rm -rf /home/user $rw/home/user
mount --bind $rw/home /home mount --bind -o nosuid,nodev $rw/home /home
mkhomedir_helper user mkhomedir_helper user
umount /home umount /home
;; ;;
@ -246,8 +246,8 @@ if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`" dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
dstdir="`dirname \"$dstfile\"`" dstdir="`dirname \"$dstfile\"`"
if [ ! -e "$srcfile" ]; then if [ ! -e "$srcfile" ]; then
echo "Whitelist entry not present in filesystem:" # echo "Whitelist entry not present in filesystem:"
echo "$srcfile" # echo "$srcfile"
continue continue
# For very large dirs: mv whole dir when entry ends with '/' # For very large dirs: mv whole dir when entry ends with '/'
elif echo $wlfile |grep -q "\/$"; then elif echo $wlfile |grep -q "\/$"; then