mirror of
https://github.com/tasket/Qubes-VM-hardening.git
synced 2024-10-01 06:35:42 -04:00
Fix whitelist for dirs
Was setting up dirs as subdirs
This commit is contained in:
parent
ca36bbe7e7
commit
2a5880751a
@ -66,6 +66,9 @@ Leverage Qubes template non-persistence to enhance the guest operating system's
|
||||
* The service name has been changed from `vm-sudo-protect` in pre-release to `vm-boot-protect`. The install script will automatically try to disable the old service.
|
||||
|
||||
* All the user-writable startup files in /home should be protected by the immutable flag; See issue #9 if you notice an omission or other problem. An extra step of disabling the flag using `sudo chattr -i` whenever the user wants to modify these startup files.
|
||||
|
||||
* Adding /home or subdirs of it to $privdirs is possible. This would quarantine everything in that dir to set the stage for applying whitelists on /home contents. The $privdirs variable can be changed via the service file, for example adding a .conf file in /lib/systemd/system/vm-boot-protect.d.
|
||||
|
||||
|
||||
## Releases
|
||||
- v0.8.1 Working rescue shell. Network Manager whitelist.
|
||||
|
@ -16,6 +16,7 @@ chdirs="bin .local/bin .config/autostart .config/plasma-workspace/env \
|
||||
|
||||
vmname=`qubesdb-read /name`
|
||||
rw=/mnt/rwtmp
|
||||
rwbak=$rw/vm-boot-protect
|
||||
errlog=/var/run/vm-protect-error
|
||||
defdir=/etc/default/vms
|
||||
|
||||
@ -82,7 +83,7 @@ fi
|
||||
# * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked.
|
||||
# * Remove /rw root startup files (config, usrlocal, bind-dirs).
|
||||
# * Contents of vms/vms.all and vms/$vmname folders will be copied.
|
||||
privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"}
|
||||
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
|
||||
|
||||
if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
|
||||
@ -115,18 +116,19 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
|
||||
|
||||
# Deactivate private.img config dirs
|
||||
mkdir -p $rw/vm-boot-protect
|
||||
for dir in $privdirs; do
|
||||
mkdir -p $rwbak
|
||||
for dir in $privdirs; do # maybe use 'eval' for privdirs quotes/escaping
|
||||
echo "Deactivate $dir"
|
||||
bakdir=`dirname $dir`/vm-boot-protect/BAK-`basename $dir`
|
||||
origdir=`dirname $dir`/vm-boot-protect/ORIG-`basename $dir`
|
||||
if [ -d $bakdir ] && [ ! -d $origdir ]; then
|
||||
mv $bakdir $origdir
|
||||
subdir=`echo $dir |sed -r 's|^/rw/||'`
|
||||
bakdir="$rwbak/BAK-$subdir"
|
||||
origdir="$rwbak/ORIG-$subdir"
|
||||
if [ -d "$bakdir" ] && [ ! -d "$origdir" ]; then
|
||||
mv "$bakdir" "$origdir"
|
||||
fi
|
||||
rm -rf $bakdir
|
||||
mv $dir $bakdir
|
||||
rm -rf "$bakdir"
|
||||
mv "$rw/$subdir" "$bakdir"
|
||||
mkdir -p "$rw/$subdir"
|
||||
done
|
||||
mkdir -p $privdirs
|
||||
|
||||
for vmset in vms.all $vmname; do
|
||||
|
||||
@ -134,8 +136,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
cat $defdir/$vmset.whitelist \
|
||||
| while read wlfile; do
|
||||
# Must begin with '/rw/'
|
||||
if echo $wlfile |grep -q "^\/rw\/"; then #Was [ $wlfile =~ ^\/rw\/ ];
|
||||
srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/BAK-\1|\"`"
|
||||
if echo $wlfile |grep -q "^\/rw\/"; then
|
||||
srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rwbak/BAK-\1|\"`"
|
||||
dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
|
||||
dstdir="`dirname \"$dstfile\"`"
|
||||
if [ ! -e "$srcfile" ]; then
|
||||
@ -145,10 +147,12 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
# For very large dirs: mv whole dir when entry ends with '/'
|
||||
elif echo $wlfile |grep -q "\/$"; then
|
||||
echo "Whitelist mv $srcfile"
|
||||
echo "to $dstfile"
|
||||
mkdir -p "$dstdir"
|
||||
mv "$srcfile" "$dstdir"
|
||||
mv -T "$srcfile" "$dstfile"
|
||||
else
|
||||
echo "Whitelist cp $srcfile"
|
||||
mkdir -p "$dstdir"
|
||||
cp -a --link "$srcfile" "$dstdir"
|
||||
fi
|
||||
elif [ -n "$wlfile" ]; then
|
||||
@ -160,6 +164,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
if [ -d $defdir/$vmset/rw ]; then
|
||||
echo "Copy files from $defdir/$vmset/rw"
|
||||
cp -af $defdir/$vmset/rw/* $rw
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
# Keep configs invisible at runtime...
|
||||
|
Loading…
Reference in New Issue
Block a user