From 2a5880751ad76254bc0f11badfdfae0efdf4cbc1 Mon Sep 17 00:00:00 2001 From: Christopher Laprise Date: Tue, 3 Apr 2018 15:54:55 -0400 Subject: [PATCH] Fix whitelist for dirs Was setting up dirs as subdirs --- README.md | 3 +++ vm-boot-protect.sh | 32 +++++++++++++++++++------------- 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index ffbb10d..7637ff0 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,9 @@ Leverage Qubes template non-persistence to enhance the guest operating system's * The service name has been changed from `vm-sudo-protect` in pre-release to `vm-boot-protect`. The install script will automatically try to disable the old service. * All the user-writable startup files in /home should be protected by the immutable flag; See issue #9 if you notice an omission or other problem. An extra step of disabling the flag using `sudo chattr -i` whenever the user wants to modify these startup files. + + * Adding /home or subdirs of it to $privdirs is possible. This would quarantine everything in that dir to set the stage for applying whitelists on /home contents. The $privdirs variable can be changed via the service file, for example adding a .conf file in /lib/systemd/system/vm-boot-protect.d. + ## Releases - v0.8.1 Working rescue shell. Network Manager whitelist. diff --git a/vm-boot-protect.sh b/vm-boot-protect.sh index b1c6761..7c75831 100644 --- a/vm-boot-protect.sh +++ b/vm-boot-protect.sh @@ -16,6 +16,7 @@ chdirs="bin .local/bin .config/autostart .config/plasma-workspace/env \ vmname=`qubesdb-read /name` rw=/mnt/rwtmp +rwbak=$rw/vm-boot-protect errlog=/var/run/vm-protect-error defdir=/etc/default/vms 
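Review bot: The new `rwbak` variable is the root of the quarantine area that later code both populates and runs `rm -rf` under, and that is not visible from its one-line definition; a comment here would save the next reader a trip through the deactivation loop. From the loop further down in this file, `BAK-<dir>` holds the previous boot's copy of each privdir and `ORIG-<dir>` the first copy ever captured (a BAK- tree is promoted to ORIG- only when no ORIG- exists yet). I would write: `# Quarantine area on private.img: BAK-<dir> = previous boot's copy of each privdir, ORIG-<dir> = first copy ever seen. Entries under it are removed and recreated at every boot.` The surrounding variable block continues outside the hunk.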
@@ -82,7 +83,7 @@ fi # * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked. # * Remove /rw root startup files (config, usrlocal, bind-dirs). # * Contents of vms/vms.all and vms/$vmname folders will be copied. -privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"} +privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"} if qsvc vm-boot-protect-root && is_rwonly_persistent; then @@ -115,18 +116,19 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then # Deactivate private.img config dirs - mkdir -p $rw/vm-boot-protect - for dir in $privdirs; do + mkdir -p $rwbak + for dir in $privdirs; do # maybe use 'eval' for privdirs quotes/escaping echo "Deactivate $dir" - bakdir=`dirname $dir`/vm-boot-protect/BAK-`basename $dir` - origdir=`dirname $dir`/vm-boot-protect/ORIG-`basename $dir` - if [ -d $bakdir ] && [ ! -d $origdir ]; then - mv $bakdir $origdir + subdir=`echo $dir |sed -r 's|^/rw/||'` + bakdir="$rwbak/BAK-$subdir" + origdir="$rwbak/ORIG-$subdir" + if [ -d "$bakdir" ] && [ ! -d "$origdir" ]; then + mv "$bakdir" "$origdir" fi - rm -rf $bakdir - mv $dir $bakdir + rm -rf "$bakdir" + mv "$rw/$subdir" "$bakdir" + mkdir -p "$rw/$subdir" done - mkdir -p $privdirs for vmset in vms.all $vmname; do @@ -134,8 +136,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then cat $defdir/$vmset.whitelist \ | while read wlfile; do # Must begin with '/rw/' - if echo $wlfile |grep -q "^\/rw\/"; then #Was [ $wlfile =~ ^\/rw\/ ]; - srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/BAK-\1|\"`" + if echo $wlfile |grep -q "^\/rw\/"; then + srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rwbak/BAK-\1|\"`" dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`" dstdir="`dirname \"$dstfile\"`" if [ ! -e "$srcfile" ]; then 
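Review bot: The `privdirs` default now uses literal `/rw/…` paths while every operation on them happens under `$rw` (`/mnt/rwtmp`), and the comment block above the assignment does not say that an override must follow that form. The loop that consumes the list (later in this file) derives the on-disk path by stripping only a leading `/rw/`, so an override such as `/home` turns into `$rwbak/BAK-/home`, whose parent `BAK-` is never created. Since the README hunk in this commit advertises overriding `privdirs` via a systemd drop-in, the constraint belongs next to the default: `# Each privdirs entry must be an absolute /rw/... path (it is remapped onto $rw at boot) and must not contain spaces; the list is word-split.`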
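Review bot: For a nested entry such as `/rw/home/user`, which the README hunk in this commit explicitly invites, `bakdir` becomes `$rwbak/BAK-home/user` but only `$rwbak` itself is created, so `mv "$rw/$subdir" "$bakdir"` fails unless `/rw/home` happens to be listed before it. That failure is not checked, the following `mkdir -p` is a no-op, and the directory stays live with its original contents, so the quarantine silently does not happen; `origdir` has the same missing-parent problem for the BAK-to-ORIG promotion. Nothing verifies that an entry starts with `/rw/` either, so the literal `/home` the README mentions (presumably `/rw/home` is meant, if /home is bind-mounted from there as in stock Qubes templates) would yield `BAK-/home`. I would validate the prefix, create the BAK-/ORIG- parents, and treat a failed move of an existing directory as fatal, while still tolerating a source that does not exist (nothing to quarantine); the `exit 1` below may need to become whatever error path `errlog` feeds, which is outside this hunk.
```shell
for dir in $privdirs; do # maybe use 'eval' for privdirs quotes/escaping
    echo "Deactivate $dir"
    # Only absolute /rw/... entries can be remapped onto $rw; anything else is a config error.
    case "$dir" in
        /rw/?*) ;;
        *) echo "Deactivate $dir FAILED: not an absolute /rw/ path" >&2; exit 1 ;;
    esac
    subdir=${dir#/rw/}
    bakdir="$rwbak/BAK-$subdir"
    origdir="$rwbak/ORIG-$subdir"
    # Nested entries (e.g. /rw/home/user) need the BAK-/ORIG- parents to exist.
    mkdir -p "$(dirname "$bakdir")" "$(dirname "$origdir")"
    # ... unchanged: BAK- -> ORIG- promotion, rm -rf "$bakdir" ...
    if [ -e "$rw/$subdir" ]; then
        # A quarantine that fails leaves untrusted startup files live: do not continue.
        mv "$rw/$subdir" "$bakdir" || { echo "Deactivate $dir FAILED" >&2; exit 1; }
    fi
    mkdir -p "$rw/$subdir"
done
```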
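Review bot: `$wlfile` is expanded unquoted in the new `if echo $wlfile |grep -q "^\/rw\/"` test and in the two `sed` pipelines below it, so a whitelist line containing spaces or a glob character is word-split or globbed against the current directory before it ever reaches the prefix check. That `^/rw/` test is also the only thing anchoring `srcfile` and `dstfile` under `$rwbak` and `$rw`; an entry such as `/rw/../x` passes it and both sed mappings then point outside those trees (the whitelist lives under `/etc/default/vms`, so as far as I can see this is robustness rather than an attack surface). I would quote the expansions, `if echo "$wlfile" |grep -q "^/rw/"; then`, and reject parent references before the test: `case "$wlfile" in */../*|*/..) echo "Whitelist skip $wlfile"; continue;; esac`. The enclosing `while read` pipeline and the `if [ ! -e "$srcfile" ]` branch continue outside the hunk.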
@@ -145,10 +147,12 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then # For very large dirs: mv whole dir when entry ends with '/' elif echo $wlfile |grep -q "\/$"; then echo "Whitelist mv $srcfile" + echo "to $dstfile" mkdir -p "$dstdir" - mv "$srcfile" "$dstdir" + mv -T "$srcfile" "$dstfile" else echo "Whitelist cp $srcfile" + mkdir -p "$dstdir" cp -a --link "$srcfile" "$dstdir" fi elif [ -n "$wlfile" ]; then @@ -160,6 +164,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then if [ -d $defdir/$vmset/rw ]; then echo "Copy files from $defdir/$vmset/rw" cp -af $defdir/$vmset/rw/* $rw + fi + done # Keep configs invisible at runtime...
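Review bot: Neither the new `mv -T "$srcfile" "$dstfile"` nor the `cp -a --link` has its exit status checked, so when the whole-directory move fails the only output is the preceding `Whitelist mv` line and the entry is silently not applied. `mv -T` refuses a destination that already exists and is non-empty, which happens as soon as an earlier whitelist line has placed a file inside that directory (the `mkdir -p "$dstdir"` added to the cp branch creates exactly those parents), and because the directory then stays in the BAK- tree, later lines naming files inside it fail as well. I would at least surface the failures, `mv -T "$srcfile" "$dstfile" || echo "Whitelist mv FAILED: $srcfile" >&2` and `cp -a --link "$srcfile" "$dstdir" || echo "Whitelist cp FAILED: $srcfile" >&2`, and document that directory entries must precede file entries beneath them. The enclosing `if`/`while` block starts and ends outside the hunk.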