Service rename to vm-boot-protect

Christopher Laprise 2018-03-29 02:57:06 -04:00
parent d0d14c43f8
commit 333e3188a1
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
4 changed files with 28 additions and 19 deletions


@ -5,7 +5,7 @@ Fends off malware at VM startup by locking-down or removing scripts in /rw priva
---
## vm-sudo-protect.service
## vm-boot-protect.service
* Protect /home (user) executable files as immutable
* Deactivate /rw (root) executables
* Whitelisting for specifying persistent files
@ -23,8 +23,8 @@ Fends off malware at VM startup by locking-down or removing scripts in /rw priva
$ sudo sh ./install
```
2. Activate by specifying as a Qubes service for each VM; There are two levels...
- `vm-sudo-protect` - Protects executables/scripts within /home/user and may be used with wide array of Qubes VMs including standalone, netVMs and Whonix.
- `vm-sudo-protect-root` - Protects /home/user as above, automatic /rw executable deactivation, whitelisting, checksumming, deployment. Works with appVMs, netVMs, etc. that are _template-based_.
- `vm-boot-protect` - Protects executables/scripts within /home/user and may be used with wide array of Qubes VMs including standalone, netVMs and Whonix.
- `vm-boot-protect-root` - Protects /home/user as above, automatic /rw executable deactivation, whitelisting, checksumming, deployment. Works with appVMs, netVMs, etc. that are _template-based_.
**removes** dirs specified in $privdirs. Default is /rw/config, /rw/usrlocal and /rw/bind-dirs. Use with caution! This feature can also replace files on a global or per-VM basis... see script for details. Not recommended for standalone or VMs that rely on /rw root dirs such as netVMs or Whonix.
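Review bot: the service list in this hunk omits the `vm-boot-protect-cli` flag, which the unit's `ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-cli` line and the script's `if qsvc vm-boot-protect-cli; then` branch both honour. Because that branch runs `xterm -hold -display :0 ... -e "echo Private volume is mounted at $rw; bash -i"` in the foreground of a `Type=oneshot` unit ordered `Before=qubes-mount-dirs.service`, enabling it opens a root shell and holds VM startup until the window is closed; add a third bullet describing it as a debugging option so it is not enabled on a production VM by accident.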
@ -44,10 +44,18 @@ Note this sets the Linux immutable flag on files and directories, so intended mo
### Limitations
vm-sudo-protect relies mostly on the guest operating system's own defenses, with one added advantage of root fs non-persistence provided by the Qubes template system. This means that attacks which can somehow undermine the guest OS, i.e. by damaging the private fs itself or quickly exploiting network vulnerabilities, could conceivably still persist at startup.
vm-boot-protect relies mostly on the guest operating system's own defenses, with one added advantage of root fs non-persistence provided by the Qubes template system. This means that attacks which can somehow undermine the guest OS, i.e. by damaging the private fs itself or quickly exploiting network vulnerabilities, could conceivably still persist at startup.
Further, if the user configures a vulnerable app to run at startup, this introduces a malware risk -- although not to the VM's whole execution environment if no privilege escalation is available to the attacker.
### Notes
* Disabling the Qubes default passwordless-root is necessary for this project to have a meaningful impact. Here are two recommended ways:
1. [Enabling dom0 prompt for sudo](https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt)
2. Uninstall the `qubes-core-agent-passwordless-root` from the template. After doing this, you will have to use `qvm-run -u root` from dom0 to run VM commands as root.
* The service name has been changed from `vm-sudo-protect` in pre-release to `vm-boot-protect`. The install script will automatically try to disable the old service.
* Currently if a vm-boot-protect check fails there is no immediate way to alert the user at startup. The VM will attempt to shutdown instead. See issue #7 for discussion.
## Releases
- v0.8.0 Adds protection to /rw, file SHA checksums, whitelists, deployment
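Review bot: the new Notes bullet (`* The service name has been changed ...`) covers the systemd side of the rename but not the dom0 side: the unit now only checks `/var/run/qubes-service/vm-boot-protect*`, so a VM whose Qubes service was enabled under the old `vm-sudo-protect` name will boot with no protection and no error. Tell pre-release users to re-enable the service under the new name (via qvm-service or the VM settings Services tab) so the rename does not silently switch the protection off.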
@ -56,6 +64,4 @@ Further, if the user configures a vulnerable app to run at startup, this introdu
## See also:
[Enabling dom0 prompt for sudo](https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt)
[AppArmor Profiles](https://github.com/tasket/AppArmor-Profiles)

install

@ -1,11 +1,14 @@
#!/bin/sh
[ `id -u` -eq 0 ] || exit
cp vm-sudo-protect.sh /usr/lib/qubes/init
chmod +x /usr/lib/qubes/init/vm-sudo-protect.sh
cp vm-sudo-protect.service /lib/systemd/system
cp vm-boot-protect.sh /usr/lib/qubes/init
chmod +x /usr/lib/qubes/init/vm-boot-protect.sh
cp vm-boot-protect.service /lib/systemd/system
systemctl daemon-reload
systemctl enable vm-sudo-protect.service
systemctl enable vm-boot-protect.service
echo vm-sudo-protect installed!
echo Disabling the pre-release service (if present)...
systemctl disable vm-sudo-protect.service
echo vm-boot-protect installed!
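Review bot: `echo Disabling the pre-release service (if present)...` is a syntax error in sh: the unquoted `(` is parsed as the start of a subshell, so the script aborts at that line, after the new unit has already been copied and enabled but before `systemctl disable vm-sudo-protect.service` and the final echo run. Quote the string, e.g. `echo "Disabling the pre-release service (if present)..."`. While here: `systemctl disable vm-sudo-protect.service` prints an error on a fresh install where the old unit never existed (guard it or add `2>/dev/null`), and disabling leaves `/usr/lib/qubes/init/vm-sudo-protect.sh` and `/lib/systemd/system/vm-sudo-protect.service` in place; remove them so a stale root-run script does not linger in the template. The root guard on the first line (`... || exit`) also exits with status 0 and no message when run without root, so a failed install looks like success; `exit 1` with a message would be clearer.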


@ -1,10 +1,10 @@
[Unit]
Description=Script protections to enhance VM security
Description=Protect Qubes VM execution environment at startup
After=qubes-sysinit.service
Before=qubes-mount-dirs.service
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-root
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-cli
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-root
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-cli
DefaultDependencies=false
OnFailure=shutdown.target
OnFailureJobMode=replace-irreversibly
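Review bot: replacing the three `ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect*` alternatives outright means a VM that still carries the old flag silently skips the unit: a false Condition is not a failure, so `OnFailure=shutdown.target` does not fire and the VM boots unprotected with nothing more than a "condition failed" in the journal. Either keep the old `|` alternatives for one transition release (the script can then warn about the deprecated name) or otherwise make the rename visible to the user, matching the README's promise that the old service is handled by the installer.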
@ -13,7 +13,7 @@ OnFailureJobMode=replace-irreversibly
Type=oneshot
RemainAfterExit=no
#Environment="privdirs=/rw/config /rw/usrlocal /rw/bind-dirs"
ExecStart=/usr/lib/qubes/init/vm-sudo-protect.sh
ExecStart=/usr/lib/qubes/init/vm-boot-protect.sh
[Install]
WantedBy=sysinit.target
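Review bot: the commented example `#Environment="privdirs=/rw/config /rw/usrlocal /rw/bind-dirs"` hard-codes `/rw`, while the script's default is `privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"}` and its CLI prompt says the private volume is mounted at `$rw`. If `$rw` is anything other than `/rw` at the point the script runs, an operator who uncomments this override will have the removal step act on the wrong paths (or on nothing); state in the comment that the paths must match where the script mounts the private volume, or document `$rw` alongside it.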


@ -37,21 +37,21 @@ else
-e "bash -i"
exit 1
fi
if qsvc vm-sudo-protect-cli; then
if qsvc vm-boot-protect-cli; then
xterm -hold -display :0 -title "VM PROTECTION: SERVICE PROMPT" \
-e "echo Private volume is mounted at $rw; bash -i"
fi
# Protection measures for /rw dirs:
# Activated by presence of vm-sudo-protect-root Qubes service.
# Activated by presence of vm-boot-protect-root Qubes service.
# * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked.
# * Remove /rw root startup files (config, usrlocal, bind-dirs).
# * Contents of vms/vms.all and vms/$vmname folders will be copied.
defdir="/etc/default/vms"
privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"}
if qsvc vm-sudo-protect-root && is_rwonly_persistent; then
if qsvc vm-boot-protect-root && is_rwonly_persistent; then
# Check hashes
checkcode=0