add nosuid,nodev protection

This commit is contained in:
Christopher Laprise 2019-08-27 21:13:20 -04:00
parent 47b42547d1
commit 05d8649e05
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
4 changed files with 33 additions and 11 deletions

View File

@ -119,6 +119,7 @@ Some useful configurations have been supplied in /etc/default/vms:
* The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall`
## Releases
- v0.9.3 Protect against suid and device nodes
- v0.9.2 Fix vm-boot-protect mode
- v0.9.1 Optimized, fix rc order, new "wiperw" tag
- v0.9.0 Add tags and rc files, protect more home scripts, reinitialize home

View File

@ -17,11 +17,27 @@ See https://qubes-os.org/doc/vm-sudo for manual instructions."
exit 1
fi
if [ "$1" = "--force" ]; then
force=1
else
force=0
fi
if grep -q '^auth .* dom0\squbes\.VMAuth' /etc/pam.d/common-auth && [ $force = 0 ]; then
echo "System appears already configured for sudo prompts."
echo "To force re-configuration run 'configure-sudo-prompt --force'."
exit 0
fi
echo -e "\n--+ Enable yes/no authentication prompt for sudo +--
Warning: Before opting for this change a backup or clone
should me made of this template!"
if [ $force = 0 ]; then
read -p "Configure sudo authentication prompt now? (y/n): " answer
if [[ $answer == @(y|Y) ]]; then
fi
if [[ $answer == @(y|Y) ]] || [ $force = 1 ]; then
mv -fb /etc/pam.d/common-auth /etc/pam.d/common-auth~
cat >/etc/pam.d/common-auth <<_EOF

View File

@ -1,6 +1,6 @@
#!/bin/bash
# From https://github.com/tasket/Qubes-VM-hardening
# installer version 0.9.0
# installer version 0.9.3
set -e
[ `id -u` -eq 0 ] || exit
@ -33,6 +33,11 @@ mkdir -p /etc/default/vms
# Careful... ownership & mode are not preserved here!
cp -riv default/vms/* /etc/default/vms
echo "Adding nosuid,nodev options to /etc/fstab..."
cp /etc/fstab /etc/fstab.bak
awk '($1~"^/rw/" || $2~"^/rw$") && ($4!~"nosuid" || $4!~"nodev") {$4=$4",nosuid,nodev"}1' \
/etc/fstab.bak >/etc/fstab
echo -e "\nvm-boot-protect installed!\n"

View File

@ -30,7 +30,7 @@ rwbak=$rw/vm-boot-protect
errlog=/var/run/vm-protect-error
servicedir=/var/run/qubes-service
defdir=/etc/default/vms
version=0.9.2
version=0.9.3
# Define sh, bash, X and desktop init scripts in /home/user
# to be protected
@ -60,7 +60,7 @@ vm_boot_finish() { return; }
# Remount fs as read-write
remount_rw() {
# Begin write operations
if [ -e $dev ] && mount -o remount,rw $dev $rw ; then
if [ -e $dev ] && mount -o remount,rw,nosuid,nodev $dev $rw ; then
echo Good rw remount.
else
abort_startup RELOCATE "Remount failed!"
@ -139,7 +139,7 @@ fi
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
# Mount private volume in temp location
mkdir -p $rw
if [ -e $dev ] && mount -o ro $dev $rw ; then
if [ -e $dev ] && mount -o ro,nosuid,nodev $dev $rw ; then
echo "Good read-only mount."
else
echo "Mount failed."
@ -208,7 +208,7 @@ if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
# Deactivate private.img config dirs
mkdir -p $rwbak
for dir in $privdirs $privdirs_add; do # maybe use 'eval' for privdirs quotes/escaping
echo "Deactivate $dir"
# echo "Deactivate $dir"
subdir=`echo $dir |sed -r 's|^/rw/||'`
bakdir="$rwbak/BAK-$subdir"
origdir="$rwbak/ORIG-$subdir"
@ -225,9 +225,9 @@ if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
# Populate /home/user w skel files if it was in privdirs
case "$subdir" in
"home"|"home/"|"home/user"|"home/user/")
echo "Populating home dir"
# echo "Populating home dir"
rm -rf /home/user $rw/home/user
mount --bind $rw/home /home
mount --bind -o nosuid,nodev $rw/home /home
mkhomedir_helper user
umount /home
;;
@ -246,8 +246,8 @@ if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
dstdir="`dirname \"$dstfile\"`"
if [ ! -e "$srcfile" ]; then
echo "Whitelist entry not present in filesystem:"
echo "$srcfile"
# echo "Whitelist entry not present in filesystem:"
# echo "$srcfile"
continue
# For very large dirs: mv whole dir when entry ends with '/'
elif echo $wlfile |grep -q "\/$"; then