diff --git a/README.md b/README.md index b877795..77b437e 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ Fends off malware at VM startup by locking-down or removing scripts in /rw priva --- -## vm-sudo-protect.service +## vm-boot-protect.service * Protect /home (user) executable files as immutable * Deactivate /rw (root) executables * Whitelisting for specifying persistent files @@ -23,8 +23,8 @@ Fends off malware at VM startup by locking-down or removing scripts in /rw priva $ sudo sh ./install ``` 2. Activate by specifying as a Qubes service for each VM; There are two levels... - - `vm-sudo-protect` - Protects executables/scripts within /home/user and may be used with wide array of Qubes VMs including standalone, netVMs and Whonix. - - `vm-sudo-protect-root` - Protects /home/user as above, automatic /rw executable deactivation, whitelisting, checksumming, deployment. Works with appVMs, netVMs, etc. that are _template-based_. + - `vm-boot-protect` - Protects executables/scripts within /home/user and may be used with wide array of Qubes VMs including standalone, netVMs and Whonix. + - `vm-boot-protect-root` - Protects /home/user as above, automatic /rw executable deactivation, whitelisting, checksumming, deployment. Works with appVMs, netVMs, etc. that are _template-based_. **removes** dirs specified in $privdirs. Default is /rw/config, /rw/usrlocal and /rw/bind-dirs. Use with caution! This feature can also replace files on a global or per-VM basis... see script for details. Not recommended for standalone or VMs that rely on /rw root dirs such as netVMs or Whonix. 
@@ -44,10 +44,18 @@ Note this sets the Linux immutable flag on files and directories, so intended mo ### Limitations -vm-sudo-protect relies mostly on the guest operating system's own defenses, with one added advantage of root fs non-persistence provided by the Qubes template system. This means that attacks which can somehow undermine the guest OS, i.e. by damaging the private fs itself or quickly exploiting network vulnerabilities, could conceivably still persist at startup. +vm-boot-protect relies mostly on the guest operating system's own defenses, with one added advantage of root fs non-persistence provided by the Qubes template system. This means that attacks which can somehow undermine the guest OS, i.e. by damaging the private fs itself or quickly exploiting network vulnerabilities, could conceivably still persist at startup. Further, if the user configures a vulnerable app to run at startup, this introduces a malware risk -- although not to the VM's whole execution environment if no privilege escalation is available to the attacker. +### Notes +* Disabling the Qubes default passwordless-root is necessary for this project to have a meaningful impact. Here are two recommended ways: + 1. [Enabling dom0 prompt for sudo](https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt) + 2. Uninstall the `qubes-core-agent-passwordless-root` from the template. After doing this, you will have to use `qvm-run -u root` from dom0 to run VM commands as root. + +* The service name has been changed from `vm-sudo-protect` in pre-release to `vm-boot-protect`. The install script will automatically try to disable the old service. + +* Currently if a vm-boot-protect check fails there is no immediate way to alert the user at startup. The VM will attempt to shutdown instead. See issue #7 for discussion. ## Releases - v0.8.0 Adds protection to /rw, file SHA checksums, whitelists, deployment 
@@ -56,6 +64,4 @@ Further, if the user configures a vulnerable app to run at startup, this introdu ## See also: -[Enabling dom0 prompt for sudo](https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt) - [AppArmor Profiles](https://github.com/tasket/AppArmor-Profiles) diff --git a/install b/install index 3d0a29b..c4770a8 100644 --- a/install +++ b/install @@ -1,11 +1,14 @@ #!/bin/sh [ `id -u` -eq 0 ] || exit -cp vm-sudo-protect.sh /usr/lib/qubes/init -chmod +x /usr/lib/qubes/init/vm-sudo-protect.sh -cp vm-sudo-protect.service /lib/systemd/system +cp vm-boot-protect.sh /usr/lib/qubes/init +chmod +x /usr/lib/qubes/init/vm-boot-protect.sh +cp vm-boot-protect.service /lib/systemd/system systemctl daemon-reload -systemctl enable vm-sudo-protect.service +systemctl enable vm-boot-protect.service -echo vm-sudo-protect installed! +echo Disabling the pre-release service (if present)... +systemctl disable vm-sudo-protect.service + +echo vm-boot-protect installed! diff --git a/lib/systemd/system/vm-sudo-protect.service b/vm-boot-protect.service similarity index 50% rename from lib/systemd/system/vm-sudo-protect.service rename to vm-boot-protect.service index f632011..0553a34 100644 --- a/lib/systemd/system/vm-sudo-protect.service +++ b/vm-boot-protect.service @@ -1,10 +1,10 @@ [Unit] -Description=Script protections to enhance VM security +Description=Protect Qubes VM execution environment at startup After=qubes-sysinit.service Before=qubes-mount-dirs.service -ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect -ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-root -ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-cli +ConditionPathExists=|/var/run/qubes-service/vm-boot-protect +ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-root +ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-cli DefaultDependencies=false OnFailure=shutdown.target OnFailureJobMode=replace-irreversibly 
@@ -13,7 +13,7 @@ OnFailureJobMode=replace-irreversibly Type=oneshot RemainAfterExit=no #Environment="privdirs=/rw/config /rw/usrlocal /rw/bind-dirs" -ExecStart=/usr/lib/qubes/init/vm-sudo-protect.sh +ExecStart=/usr/lib/qubes/init/vm-boot-protect.sh [Install] WantedBy=sysinit.target diff --git a/usr/lib/qubes/init/vm-sudo-protect.sh b/vm-boot-protect.sh similarity index 96% rename from usr/lib/qubes/init/vm-sudo-protect.sh rename to vm-boot-protect.sh index 0102162..502f019 100644 --- a/usr/lib/qubes/init/vm-sudo-protect.sh +++ b/vm-boot-protect.sh @@ -37,21 +37,21 @@ else -e "bash -i" exit 1 fi -if qsvc vm-sudo-protect-cli; then +if qsvc vm-boot-protect-cli; then xterm -hold -display :0 -title "VM PROTECTION: SERVICE PROMPT" \ -e "echo Private volume is mounted at $rw; bash -i" fi # Protection measures for /rw dirs: -# Activated by presence of vm-sudo-protect-root Qubes service. +# Activated by presence of vm-boot-protect-root Qubes service. # * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked. # * Remove /rw root startup files (config, usrlocal, bind-dirs). # * Contents of vms/vms.all and vms/$vmname folders will be copied. defdir="/etc/default/vms" privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"} -if qsvc vm-sudo-protect-root && is_rwonly_persistent; then +if qsvc vm-boot-protect-root && is_rwonly_persistent; then # Check hashes checkcode=0
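Review bot: the README's "two levels" list in the first hunk documents only `vm-boot-protect` and `vm-boot-protect-root`, yet the unit file in this same patch also activates on `/var/run/qubes-service/vm-boot-protect-cli`, and the script's `-cli` branch opens an xterm titled "VM PROTECTION: SERVICE PROMPT" running `bash -i` as the service user at boot. A Qubes service flag that drops into an interactive root shell on the private volume should be documented next to the other two (what it is for, that it is a debug/maintenance mode, and that it should not be left enabled), or removed from the shipped unit if it is not meant for end users.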
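Review bot: the new "Notes" section says the install script disables the old unit, but it omits the user-facing consequence of the rename: any VM that had the Qubes service `vm-sudo-protect` or `vm-sudo-protect-root` enabled in dom0 no longer matches any `ConditionPathExists` line and will boot with no protection until the service is re-enabled under the new name via `qvm-service` in dom0. Suggest adding that step explicitly, e.g. "After upgrading, re-enable the Qubes service for each VM under the new name (`vm-boot-protect` or `vm-boot-protect-root`); the old names are no longer recognized."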
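Review bot: in the `install` hunk, `systemctl disable vm-sudo-protect.service` runs unconditionally although the echo says "(if present)"; on a fresh install there is no such unit, so systemctl prints an error and the script (which has no `set -e`) continues as if nothing happened. Guard it, e.g. `[ -f /lib/systemd/system/vm-sudo-protect.service ] && systemctl disable vm-sudo-protect.service`, and also remove the stale files a pre-release install left behind (`/lib/systemd/system/vm-sudo-protect.service` and `/usr/lib/qubes/init/vm-sudo-protect.sh`), since disabling the unit only drops its symlink and leaves the old executable script in the template. Separately, the unchanged guard `[ `id -u` -eq 0 ] || exit` exits with status 0 when not run as root, so a non-root invocation looks successful to a caller; `|| { echo "run as root"; exit 1; }` would make the failure visible.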
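Review bot: in the unit-file hunk, the commented `#Environment="privdirs=/rw/config /rw/usrlocal /rw/bind-dirs"` is the only hint of how `privdirs` can be overridden, and the README just says "see script for details". Since `install` copies the unit into `/lib/systemd/system` and will overwrite it on every reinstall, an edit there is not a durable override; the README should point users to a drop-in (`systemctl edit vm-boot-protect.service`, which writes under `/etc/systemd/system/vm-boot-protect.service.d/`) for setting `Environment=privdirs=...`.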
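Review bot: in the script hunk, the default `privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"}` is built from `$rw`, and the `-cli` prompt prints "Private volume is mounted at $rw", which suggests `$rw` may be a mount point other than `/rw` while the script runs (it is ordered `Before=qubes-mount-dirs.service`). If so, the `/rw/...` paths shown in the README and in the unit's `Environment=` comment would be wrong for an override, because they bypass `$rw`. Either state in the README that overrides must use the path the script mounts the private volume at, or make the script prefix `$rw` onto relative entries. Also, the comment block "Protection measures for /rw dirs" was updated for the rename but still does not mention the `vm-boot-protect-cli` branch just above it; a one-line comment that it spawns an interactive root shell for debugging would help the next reader.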