Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2025-02-18 13:54:21 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix whitelist for dirs

Browse Source 
Was setting up dirs as subdirs
This commit is contained in:
Christopher Laprise 2018-04-03 15:54:55 -04:00
parent ca36bbe7e7
commit 2a5880751a
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
2 changed files with 22 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@ -66,6 +66,9 @@ Leverage Qubes template non-persistence to enhance the guest operating system's
* The service name has been changed from `vm-sudo-protect` in pre-release to `vm-boot-protect`. The install script will automatically try to disable the old service. * The service name has been changed from `vm-sudo-protect` in pre-release to `vm-boot-protect`. The install script will automatically try to disable the old service.
* All the user-writable startup files in /home should be protected by the immutable flag; See issue #9 if you notice an omission or other problem. An extra step of disabling the flag using `sudo chattr -i` whenever the user wants to modify these startup files. * All the user-writable startup files in /home should be protected by the immutable flag; See issue #9 if you notice an omission or other problem. An extra step of disabling the flag using `sudo chattr -i` whenever the user wants to modify these startup files.
* Adding /home or subdirs of it to $privdirs is possible. This would quarantine everything in that dir to set the stage for applying whitelists on /home contents. The $privdirs variable can be changed via the service file, for example adding a .conf file in /lib/systemd/system/vm-boot-protect.d.
## Releases ## Releases
- v0.8.1 Working rescue shell. Network Manager whitelist. - v0.8.1 Working rescue shell. Network Manager whitelist.

32
vm-boot-protect.sh
View File

@ -16,6 +16,7 @@ chdirs="bin .local/bin .config/autostart .config/plasma-workspace/env \
vmname=`qubesdb-read /name` vmname=`qubesdb-read /name`
rw=/mnt/rwtmp rw=/mnt/rwtmp
rwbak=$rw/vm-boot-protect
errlog=/var/run/vm-protect-error errlog=/var/run/vm-protect-error
defdir=/etc/default/vms defdir=/etc/default/vms
@ -82,7 +83,7 @@ fi
# * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked. # * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked.
# * Remove /rw root startup files (config, usrlocal, bind-dirs). # * Remove /rw root startup files (config, usrlocal, bind-dirs).
# * Contents of vms/vms.all and vms/$vmname folders will be copied. # * Contents of vms/vms.all and vms/$vmname folders will be copied.
privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"} privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
if qsvc vm-boot-protect-root && is_rwonly_persistent; then if qsvc vm-boot-protect-root && is_rwonly_persistent; then
@ -115,18 +116,19 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
# Deactivate private.img config dirs # Deactivate private.img config dirs
mkdir -p $rw/vm-boot-protect mkdir -p $rwbak
for dir in $privdirs; do for dir in $privdirs; do # maybe use 'eval' for privdirs quotes/escaping
echo "Deactivate $dir" echo "Deactivate $dir"
bakdir=`dirname $dir`/vm-boot-protect/BAK-`basename $dir` subdir=`echo $dir |sed -r 's|^/rw/||'`
origdir=`dirname $dir`/vm-boot-protect/ORIG-`basename $dir` bakdir="$rwbak/BAK-$subdir"
if [ -d $bakdir ] && [ ! -d $origdir ]; then origdir="$rwbak/ORIG-$subdir"
mv $bakdir $origdir if [ -d "$bakdir" ] && [ ! -d "$origdir" ]; then
mv "$bakdir" "$origdir"
fi fi
rm -rf $bakdir rm -rf "$bakdir"
mv $dir $bakdir mv "$rw/$subdir" "$bakdir"
mkdir -p "$rw/$subdir"
done done
mkdir -p $privdirs
for vmset in vms.all $vmname; do for vmset in vms.all $vmname; do
@ -134,8 +136,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
cat $defdir/$vmset.whitelist \ cat $defdir/$vmset.whitelist \
| while read wlfile; do | while read wlfile; do
# Must begin with '/rw/' # Must begin with '/rw/'
if echo $wlfile |grep -q "^\/rw\/"; then #Was [ $wlfile =~ ^\/rw\/ ]; if echo $wlfile |grep -q "^\/rw\/"; then
srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/BAK-\1|\"`" srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rwbak/BAK-\1|\"`"
dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`" dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
dstdir="`dirname \"$dstfile\"`" dstdir="`dirname \"$dstfile\"`"
if [ ! -e "$srcfile" ]; then if [ ! -e "$srcfile" ]; then
@ -145,10 +147,12 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
# For very large dirs: mv whole dir when entry ends with '/' # For very large dirs: mv whole dir when entry ends with '/'
elif echo $wlfile |grep -q "\/$"; then elif echo $wlfile |grep -q "\/$"; then
echo "Whitelist mv $srcfile" echo "Whitelist mv $srcfile"
echo "to $dstfile"
mkdir -p "$dstdir" mkdir -p "$dstdir"
mv "$srcfile" "$dstdir" mv -T "$srcfile" "$dstfile"
else else
echo "Whitelist cp $srcfile" echo "Whitelist cp $srcfile"
mkdir -p "$dstdir"
cp -a --link "$srcfile" "$dstdir" cp -a --link "$srcfile" "$dstdir"
fi fi
elif [ -n "$wlfile" ]; then elif [ -n "$wlfile" ]; then
@ -160,6 +164,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
if [ -d $defdir/$vmset/rw ]; then if [ -d $defdir/$vmset/rw ]; then
echo "Copy files from $defdir/$vmset/rw" echo "Copy files from $defdir/$vmset/rw"
cp -af $defdir/$vmset/rw/* $rw cp -af $defdir/$vmset/rw/* $rw
fi
done done
# Keep configs invisible at runtime... # Keep configs invisible at runtime...