diff --git a/.vm-boot-protect.sh.kate-swp b/.vm-boot-protect.sh.kate-swp deleted file mode 100644 index 1b6a07c..0000000 Binary files a/.vm-boot-protect.sh.kate-swp and /dev/null differ diff --git a/README.md b/README.md index af3ee73..549b8d9 100644 --- a/README.md +++ b/README.md @@ -84,8 +84,9 @@ Some useful configurations have been supplied in /etc/default/vms: * vm-boot-tag-qhome: Quarantines /home in addition to the /rw system dirs. Useful for 'sys-usb' and DispVM-like functionality. * vm-boot-tag-noqbackup: Deletes all quarantined files that are not whitelisted. * vm-boot-tag-ibrowse: Preserves Firefox bookmarks while quarantining the /home folder. [Currently](https://github.com/tasket/Qubes-VM-hardening/issues/39) works with Firefox ESR. See Notes below. + * vm-boot-wiperw: Completely wipe and reformat the /rw partition. - + ### Scope and Limitations The *vm-boot-protect* concept enhances the guest operating system's own defenses by using the *root volume non-persistence* provided by the Qubes template system; thus a relatively pristine startup state may be achieved if the *private* volume is brought online in a controlled manner. Protecting the init/autostart files should result in Qubes template-based VMs that boot 'cleanly' with much less chance of being affected by malware initially. Even if malware persists in a VM, it should be possible to run other apps and terminals without interference if the malware has not escalated to root (admittedly, a big 'if'). @@ -118,6 +119,7 @@ Some useful configurations have been supplied in /etc/default/vms: * The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall` ## Releases + - v0.9.1 Optimized, fix rc order, new "wiperw" tag - v0.9.0 Add tags and rc files, protect more home scripts, reinitialize home - v0.8.5 Fix template detection, /etc/default/vms erasure - v0.8.4 Add protection to /home/user/.config/systemd 
diff --git a/default/vms/@tags/wiperw.rc b/default/vms/@tags/wiperw.rc new file mode 100644 index 0000000..3879af7 --- /dev/null +++ b/default/vms/@tags/wiperw.rc @@ -0,0 +1,4 @@ +# Completely wipes private volume contents + +blkdiscard $dev +mkfs.ext4 $dev diff --git a/vm-boot-protect.sh b/vm-boot-protect.sh index 586f3a6..d19772a 100755 --- a/vm-boot-protect.sh +++ b/vm-boot-protect.sh @@ -46,6 +46,12 @@ privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"} privdirs_add=${privdirs_add:-""} save_backup=${save_backup:-1} +if is_rwonly_persistent; then + rwonly_pers=1 +else + rwonly_pers=0 +fi + # Placeholder function: Runs at end vm_boot_finish() { return; } @@ -117,7 +123,7 @@ fi # Run rc file commands if they exist -if qsvc vm-boot-protect-root && is_rwonly_persistent; then +if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then # Get list of enabled tags from Qubes services tags=`find $servicedir -name 'vm-boot-tag-*' -type f -printf '%f\n' \ | sort | sed -E 's|^vm-boot-tag-|\@tags/|'` @@ -148,14 +154,14 @@ if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then fi # Begin exit if in template or standalone - if ! is_rwonly_persistent; then + if [ $rwonly_pers = 0 ]; then make_immutable umount $rw fi fi # Exit if in template or standalone -if ! is_rwonly_persistent; then +if [ $rwonly_pers = 0 ]; then exit 0 fi @@ -166,7 +172,7 @@ fi # * Remove /rw root startup files (config, usrlocal, bind-dirs). # * Contents of vms/vms.all and vms/$vmname folders will be copied. -if qsvc vm-boot-protect-root && is_rwonly_persistent; then +if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then # Check hashes checkcode=0
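Review bot: Both commands in the new `wiperw.rc` act on an unquoted `$dev` that this file neither sets nor checks, and neither exit status is examined, so a failed `mkfs.ext4` silently leaves the old private-volume contents in place. For a tag whose whole purpose is destruction, guard and report: `if [ -b "$dev" ]; then blkdiscard "$dev"; mkfs.ext4 "$dev" || echo "wiperw: mkfs failed" >&2; fi`. Where `$dev` is assigned, and whether the volume is still unmounted when the rc file runs, is not visible in this hunk; the header comment should state that precondition. "Completely wipes" also promises more than a plain discard guarantees, because whether discarded blocks become unreadable depends on the backing storage. The comment could say the contents are dropped from the VM's view, or the command could use `blkdiscard --zeroout` if a real overwrite is intended.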
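Review bot: `rwonly_pers` now carries the template/standalone decision for the rest of the script, but it stays an ordinary writable global after the added `if`/`else` block in the `@@ -46,6 +46,12 @@` hunk. If the rc and tag files run in the same shell (they appear to, judging by the "Run rc file commands" section, though that code is outside this hunk), any of them can reassign or unset it and change which branch the later checks take. Adding `readonly rwonly_pers` directly after the `fi` would pin the value. A short comment such as `# Cache the result once; 1 = only /rw persists (template-based VM)` would also explain why the function call was replaced. `is_rwonly_persistent` is defined outside the visible lines.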
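Review bot: The new test `[ $rwonly_pers = 1 ]` in the `@@ -117,7 +123,7 @@` hunk expands the variable unquoted, and the same form is used in the `-148,14` hunk (`[ $rwonly_pers = 0 ]`, twice) and the `-166,7` hunk. If the variable is ever empty, `[` receives `= 0`, fails with a syntax error, and the condition is treated as false. For the two `= 0` checks, that means the template/standalone early exit (`make_immutable; umount $rw` and `exit 0`) is skipped and the script continues into the quarantine path. Quote every occurrence, `[ "$rwonly_pers" = 1 ]` and `[ "$rwonly_pers" = 0 ]`, so that an unexpected value gives a clean false instead of a `[` error. Testing the exit branches as `[ "$rwonly_pers" != 1 ]` would additionally make anything other than a confirmed `1` take the safe exit.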