mirror of
https://github.com/tasket/Qubes-VM-hardening.git
synced 2024-10-01 06:35:42 -04:00
parent
850843e7c0
commit
204e90a626
@ -29,12 +29,12 @@ rw=/mnt/rwtmp
|
|||||||
rwbak=$rw/vm-boot-protect
|
rwbak=$rw/vm-boot-protect
|
||||||
errlog=/var/run/vm-protect-error
|
errlog=/var/run/vm-protect-error
|
||||||
defdir=/etc/default/vms
|
defdir=/etc/default/vms
|
||||||
version="0.8.5"
|
version="0.9.0b"
|
||||||
|
|
||||||
# Define sh, bash, X and desktop init scripts in /home/user
|
# Define sh, bash, X and desktop init scripts in /home/user
|
||||||
# to be protected
|
# to be protected
|
||||||
chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \
|
chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \
|
||||||
.xprofile .xinitrc .xserverrc .xsession"}
|
.pam_environment .xprofile .xinitrc .xserverrc .Xsession .xsession .xsessionrc"}
|
||||||
chfiles_add=""
|
chfiles_add=""
|
||||||
chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \
|
chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \
|
||||||
.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}
|
.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}
|
||||||
@ -44,20 +44,15 @@ chdirs_add=""
|
|||||||
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
|
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
|
||||||
privdirs_add=""
|
privdirs_add=""
|
||||||
|
|
||||||
|
# Get list of enabled tags from Qubes services
|
||||||
|
tags=`find /var/run/qubes-service -name 'vm-boot-tag-*' -type f -printf '%f\n' \
|
||||||
|
| sort | sed -E 's|^vm-boot-tag-|\@tags/|'`
|
||||||
|
|
||||||
|
|
||||||
# Placeholder function: Runs at end
|
# Placeholder function: Runs at end
|
||||||
vm_boot_finish() { return; }
|
vm_boot_finish() { return; }
|
||||||
|
|
||||||
|
|
||||||
# Run rc file commands if they exist
|
|
||||||
if [ -e $defdir/vms.all.rc ]; then
|
|
||||||
. $defdir/vms.all.rc
|
|
||||||
fi
|
|
||||||
if [ -e $defdir/$vmname.rc ]; then
|
|
||||||
. $defdir/$vmname.rc
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
# Remount fs as read-write
|
# Remount fs as read-write
|
||||||
remount_rw() {
|
remount_rw() {
|
||||||
# Begin write operations
|
# Begin write operations
|
||||||
@ -71,10 +66,11 @@ remount_rw() {
|
|||||||
|
|
||||||
# Function: Make user scripts immutable.
|
# Function: Make user scripts immutable.
|
||||||
make_immutable() {
|
make_immutable() {
|
||||||
|
echo "Making files IMMUTABLE"
|
||||||
remount_rw
|
remount_rw
|
||||||
#initialize_home $rw/home ifneeded
|
#initialize_home $rw/home ifneeded
|
||||||
cd $rw/home/user
|
cd $rw/home/user
|
||||||
su user -c "mkdir -p $chdirs $chdirs_add; touch $chfiles $chfiles_add"
|
su user -c "mkdir -p $chdirs $chdirs_add; touch $chfiles $chfiles_add 2>/dev/null"
|
||||||
chattr -R -f +i $chfiles $chfiles_add $chdirs $chdirs_add
|
chattr -R -f +i $chfiles $chfiles_add $chdirs $chdirs_add
|
||||||
cd /root
|
cd /root
|
||||||
}
|
}
|
||||||
@ -116,6 +112,14 @@ abort_startup() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Run rc file commands if they exist
|
||||||
|
for rcbase in vms.all $tags $vmname; do
|
||||||
|
if [ -e "$defdir/$rcbase.rc" ]; then
|
||||||
|
. "$defdir/$rcbase.rc"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
|
||||||
echo >$errlog # Clear
|
echo >$errlog # Clear
|
||||||
|
|
||||||
if qsvc vm-boot-protect-cli; then
|
if qsvc vm-boot-protect-cli; then
|
||||||
@ -159,21 +163,18 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
|||||||
|
|
||||||
# Check hashes
|
# Check hashes
|
||||||
checkcode=0
|
checkcode=0
|
||||||
if [ -e $defdir/$vmname.SHA ]; then
|
for sha_base in $vmname $tags vms.all; do
|
||||||
# remove padding and add number field
|
if [ -e "$defdir/$sha_base.SHA" ]; then
|
||||||
sed 's/^ *//; s/ *$//; /^$/d; s/^/1 /' $defdir/$vmname.SHA \
|
cat "$defdir/$sha_base.SHA" >>/tmp/vm-boot-protect-sha
|
||||||
>/tmp/vm-boot-protect-sha
|
fi
|
||||||
fi
|
done
|
||||||
if [ -e $defdir/vms.all.SHA ]; then
|
|
||||||
sed 's/^ *//; s/ *$//; /^$/d; s/^/2 /' $defdir/vms.all.SHA \
|
|
||||||
>>/tmp/vm-boot-protect-sha
|
|
||||||
fi
|
|
||||||
if [ -e /tmp/vm-boot-protect-sha ]; then
|
if [ -e /tmp/vm-boot-protect-sha ]; then
|
||||||
echo "Checking file hashes." |tee $errlog
|
echo "Checking file hashes." |tee $errlog
|
||||||
# Get unique paths, remove field and switch path to $rw before check;
|
# Strip padding, get unique paths and switch path to $rw before check;
|
||||||
# this allows hashes in $vmname.SHA to override ones in vms.all.SHA.
|
# this allows hashes in $vmname.SHA to override ones in vms.all.SHA.
|
||||||
sort --unique --key=3 /tmp/vm-boot-protect-sha \
|
sed 's/^ *//; s/ *$//; /^$/d;' /tmp/vm-boot-protect-sha \
|
||||||
| sed -r 's|^[1-2] (.*[[:space:]]*)/rw|\1'$rw'|' \
|
| sort -u -k2,2 \
|
||||||
|
| sed -r 's|^(\S+\s+)/rw|\1'$rw'|' \
|
||||||
| sha256sum --strict -c >>$errlog; checkcode=$?
|
| sha256sum --strict -c >>$errlog; checkcode=$?
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -220,7 +221,7 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
|||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
|
|
||||||
for vmset in vms.all $vmname; do
|
for vmset in vms.all $tags $vmname; do
|
||||||
|
|
||||||
# Process whitelists...
|
# Process whitelists...
|
||||||
cat $defdir/$vmset.whitelist \
|
cat $defdir/$vmset.whitelist \
|
||||||
@ -263,6 +264,7 @@ fi
|
|||||||
rm -rf "$defdir"
|
rm -rf "$defdir"
|
||||||
|
|
||||||
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
|
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
|
||||||
|
echo "Preparing for unmount"
|
||||||
vm_boot_finish
|
vm_boot_finish
|
||||||
make_immutable
|
make_immutable
|
||||||
umount $rw
|
umount $rw
|
||||||
|
Loading…
Reference in New Issue
Block a user