Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2025-04-25 09:29:22 -04:00
Code Issues Packages Projects Releases Wiki Activity

optimize, add tag wiperw

Browse Source
This commit is contained in:
Christopher Laprise 2019-08-17 15:12:13 -04:00
parent bbdc5b711b
commit 13d5c5d2de
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
4 changed files with 17 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
.vm-boot-protect.sh.kate-swp
View File

Binary file not shown.

2
README.md
View File

@ -84,6 +84,7 @@ Some useful configurations have been supplied in /etc/default/vms:
* vm-boot-tag-qhome: Quarantines /home in addition to the /rw system dirs. Useful for 'sys-usb' and DispVM-like functionality. * vm-boot-tag-qhome: Quarantines /home in addition to the /rw system dirs. Useful for 'sys-usb' and DispVM-like functionality.
* vm-boot-tag-noqbackup: Deletes all quarantined files that are not whitelisted. * vm-boot-tag-noqbackup: Deletes all quarantined files that are not whitelisted.
* vm-boot-tag-ibrowse: Preserves Firefox bookmarks while quarantining the /home folder. [Currently](https://github.com/tasket/Qubes-VM-hardening/issues/39) works with Firefox ESR. See Notes below. * vm-boot-tag-ibrowse: Preserves Firefox bookmarks while quarantining the /home folder. [Currently](https://github.com/tasket/Qubes-VM-hardening/issues/39) works with Firefox ESR. See Notes below.
* vm-boot-wiperw: Completely wipe and reformat the /rw partition.
### Scope and Limitations ### Scope and Limitations
@ -118,6 +119,7 @@ Some useful configurations have been supplied in /etc/default/vms:
* The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall` * The service can be removed from the system with `cd Qubes-VM-hardening; sudo bash install --uninstall`
## Releases ## Releases
- v0.9.1 Optimized, fix rc order, new "wiperw" tag
- v0.9.0 Add tags and rc files, protect more home scripts, reinitialize home - v0.9.0 Add tags and rc files, protect more home scripts, reinitialize home
- v0.8.5 Fix template detection, /etc/default/vms erasure - v0.8.5 Fix template detection, /etc/default/vms erasure
- v0.8.4 Add protection to /home/user/.config/systemd - v0.8.4 Add protection to /home/user/.config/systemd

4
default/vms/@tags/wiperw.rc Normal file
View File

@ -0,0 +1,4 @@
# Completely wipes private volume contents
blkdiscard $dev
mkfs.ext4 $dev

14
vm-boot-protect.sh
View File

@ -46,6 +46,12 @@ privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
privdirs_add=${privdirs_add:-""} privdirs_add=${privdirs_add:-""}
save_backup=${save_backup:-1} save_backup=${save_backup:-1}
if is_rwonly_persistent; then
rwonly_pers=1
else
rwonly_pers=0
fi
# Placeholder function: Runs at end # Placeholder function: Runs at end
vm_boot_finish() { return; } vm_boot_finish() { return; }
@ -117,7 +123,7 @@ fi
# Run rc file commands if they exist # Run rc file commands if they exist
if qsvc vm-boot-protect-root && is_rwonly_persistent; then if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
# Get list of enabled tags from Qubes services # Get list of enabled tags from Qubes services
tags=`find $servicedir -name 'vm-boot-tag-*' -type f -printf '%f\n' \ tags=`find $servicedir -name 'vm-boot-tag-*' -type f -printf '%f\n' \
| sort | sed -E 's|^vm-boot-tag-|\@tags/|'` | sort | sed -E 's|^vm-boot-tag-|\@tags/|'`
@ -148,14 +154,14 @@ if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
fi fi
# Begin exit if in template or standalone # Begin exit if in template or standalone
if ! is_rwonly_persistent; then if [ $rwonly_pers = 0 ]; then
make_immutable make_immutable
umount $rw umount $rw
fi fi
fi fi
# Exit if in template or standalone # Exit if in template or standalone
if ! is_rwonly_persistent; then if [ $rwonly_pers = 0 ]; then
exit 0 exit 0
fi fi
@ -166,7 +172,7 @@ fi
# * Remove /rw root startup files (config, usrlocal, bind-dirs). # * Remove /rw root startup files (config, usrlocal, bind-dirs).
# * Contents of vms/vms.all and vms/$vmname folders will be copied. # * Contents of vms/vms.all and vms/$vmname folders will be copied.
if qsvc vm-boot-protect-root && is_rwonly_persistent; then if qsvc vm-boot-protect-root && [ $rwonly_pers = 1 ]; then
# Check hashes # Check hashes
checkcode=0 checkcode=0