begin rc, chfiles as user, process etc/skel

This commit is contained in:
Christopher Laprise 2019-07-30 17:19:11 -04:00
parent 43ca3dcf17
commit 302c968313
No known key found for this signature in database
GPG Key ID: 448568C8B281C952

View File

@ -23,13 +23,6 @@
# Source Qubes library.
. /usr/lib/qubes/init/functions
# Define sh, bash, X and desktop init scripts in /home/user
# to be protected
chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \
.xprofile .xinitrc .xserverrc .xsession"}
chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \
.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}
vmname=`qubesdb-read /name`
dev=/dev/xvdb
rw=/mnt/rwtmp
@ -38,6 +31,27 @@ errlog=/var/run/vm-protect-error
defdir=/etc/default/vms
version="0.8.5"
# Define sh, bash, X and desktop init scripts in /home/user
# to be protected
chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \
.xprofile .xinitrc .xserverrc .xsession"}
chfiles_add=""
chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \
.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}
chdirs_add=""
# Define dirs to apply quarrantine / whitelists
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
privdirs_add=""
# Run rc file commands if they exist
if [ -e $defdir/vms.all.rc ]; then
. $defdir/vms.all.rc
fi
if [ -e $defdir/$vmname.rc ]; then
. $defdir/$vmname.rc
fi
# Remount fs as read-write
remount_rw() {
@ -55,9 +69,8 @@ make_immutable() {
remount_rw
#initialize_home $rw/home ifneeded
cd $rw/home/user
mkdir -p $chdirs
touch $chfiles
chattr -R -f +i $chfiles $chdirs
su user -c "mkdir -p $chdirs $chdirs_add; touch $chfiles $chfiles_add"
chattr -R -f +i $chfiles $chfiles_add $chdirs $chdirs_add
cd /root
}
@ -123,9 +136,7 @@ if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
# Don't bother with root protections in template or standalone
if ! is_rwonly_persistent; then
if qsvc vm-boot-protect; then
make_immutable
fi
exit 0
fi
@ -137,7 +148,6 @@ fi
# * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked.
# * Remove /rw root startup files (config, usrlocal, bind-dirs).
# * Contents of vms/vms.all and vms/$vmname folders will be copied.
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
if qsvc vm-boot-protect-root && is_rwonly_persistent; then
@ -170,13 +180,13 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
# Files mutable for del/copy operations
cd $rw/home/user
chattr -R -f -i $chfiles $chdirs $privdirs
chattr -R -f -i $chfiles $chfiles_add $chdirs $chdirs_add $privdirs $privdirs_add
cd /root
# Deactivate private.img config dirs
mkdir -p $rwbak
for dir in $privdirs; do # maybe use 'eval' for privdirs quotes/escaping
for dir in $privdirs $privdirs_add; do # maybe use 'eval' for privdirs quotes/escaping
echo "Deactivate $dir"
subdir=`echo $dir |sed -r 's|^/rw/||'`
bakdir="$rwbak/BAK-$subdir"
@ -187,6 +197,15 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
rm -rf "$bakdir"
mv "$rw/$subdir" "$bakdir"
mkdir -p "$rw/$subdir"
# Populate /home/user w skel files if it was in privdirs
case "$subdir" in
"home"|"home/"|"home/user"|"home/user/")
mkdir -p $rw/home/user
cp -aT /etc/skel $rw/home/user
chown -R user:user $rw/home/user
;;
esac
done
for vmset in vms.all $vmname; do