optimize, add tag wiperw
This commit is contained in:
Christopher Laprise
parent
bbdc5b711b
commit
13d5c5d2de
Binary file not shown.
|
|
@ -84,8 +84,9 @@ Some useful configurations have been supplied in /etc/default/vms:
|
|||
* vm-boot-tag-qhome: Quarantines /home in addition to the /rw system dirs. Useful for 'sys-usb' and DispVM-like functionality.
|
||||
* vm-boot-tag-noqbackup: Deletes all quarantined files that are not whitelisted.
|
||||
* vm-boot-tag-ibrowse: Preserves Firefox bookmarks while quarantining the /home folder. [Currently](https://github.com/tasket/Qubes-VM-hardening/issues/39) works with Firefox ESR. See Notes below.
|
||||
* vm-boot-wiperw: Completely wipe and reformat the /rw partition.
|
||||
|
||||
|
||||
|
||||
### Scope and Limitations
|
||||
|
||||
The *vm-boot-protect* concept enhances the guest operating system's own defenses by using the *root volume non-persistence* provided by the Qubes template system; thus a relatively pristine startup state may be achieved if the *private* volume is brought online in a controlled manner. Protecting the init/autostart files should result in Qubes template-based VMs that boot 'cleanly' with much less chance of being affected by malware initially. Even if malware persists in a VM, it should be possible to run other apps and terminals without interference if the malware has not escalated to root (admittedly, a big 'if').
|
||||
|
|
@ -118,6 +119,7 @@ Some useful configurations have been supplied in /etc/default/vms:
|
|||
* The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall`
|
||||
|
||||
## Releases
|
||||
- v0.9.1 Optimized, fix rc order, new "wiperw" tag
|
||||
- v0.9.0 Add tags and rc files, protect more home scripts, reinitialize home
|
||||
- v0.8.5 Fix template detection, /etc/default/vms erasure
|
||||
- v0.8.4 Add protection to /home/user/.config/systemd
|
||||
|
|
|
|||
|
|
@ -0,0 +1,4 @@
|
|||
# Completely wipes private volume contents
|
||||
|
||||
blkdiscard $dev
|
||||
mkfs.ext4 $dev
|
||||
|
|
@ -46,6 +46,12 @@ privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
|
|||
privdirs_add=${privdirs_add:-""}
|
||||
save_backup=${save_backup:-1}
|
||||
|
||||
if is_rwonly_persistent; then
|
||||
rwonly_pers=1
|
||||
else
|
||||
rwonly_pers=0
|
||||
fi
|
||||
|
||||
|
||||
# Placeholder function: Runs at end
|
||||
vm_boot_finish() { return; }
|
||||
|
|
@ -117,7 +123,7 @@ fi
|
|||
|
||||
|
||||
# Run rc file commands if they exist
|
||||
if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
|
||||
# Get list of enabled tags from Qubes services
|
||||
tags=`find $servicedir -name 'vm-boot-tag-*' -type f -printf '%f\n' \
|
||||
| sort | sed -E 's|^vm-boot-tag-|\@tags/|'`
|
||||
|
|
@ -148,14 +154,14 @@ if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
|
|||
fi
|
||||
|
||||
# Begin exit if in template or standalone
|
||||
if ! is_rwonly_persistent; then
|
||||
if [ $rwonly_pers = 0 ]; then
|
||||
make_immutable
|
||||
umount $rw
|
||||
fi
|
||||
|
||||
fi
|
||||
# Exit if in template or standalone
|
||||
if ! is_rwonly_persistent; then
|
||||
if [ $rwonly_pers = 0 ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
|
|
@ -166,7 +172,7 @@ fi
|
|||
# * Remove /rw root startup files (config, usrlocal, bind-dirs).
|
||||
# * Contents of vms/vms.all and vms/$vmname folders will be copied.
|
||||
|
||||
if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
|
||||
|
||||
# Check hashes
|
||||
checkcode=0
|
||||
|
|
|
|||
Loading…
Reference in New Issue