Service rename to vm-boot-protect

This commit is contained in:
Christopher Laprise 2018-03-29 02:57:06 -04:00
parent d0d14c43f8
commit 333e3188a1
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
4 changed files with 28 additions and 19 deletions


@ -5,7 +5,7 @@ Fends off malware at VM startup by locking-down or removing scripts in /rw priva
--- ---
## vm-sudo-protect.service ## vm-boot-protect.service
* Protect /home (user) executable files as immutable * Protect /home (user) executable files as immutable
* Deactivate /rw (root) executables * Deactivate /rw (root) executables
* Whitelisting for specifying persistent files * Whitelisting for specifying persistent files
@ -23,8 +23,8 @@ Fends off malware at VM startup by locking-down or removing scripts in /rw priva
$ sudo sh ./install $ sudo sh ./install
``` ```
2. Activate by specifying as a Qubes service for each VM; There are two levels... 2. Activate by specifying as a Qubes service for each VM; There are two levels...
- `vm-sudo-protect` - Protects executables/scripts within /home/user and may be used with wide array of Qubes VMs including standalone, netVMs and Whonix. - `vm-boot-protect` - Protects executables/scripts within /home/user and may be used with wide array of Qubes VMs including standalone, netVMs and Whonix.
- `vm-sudo-protect-root` - Protects /home/user as above, automatic /rw executable deactivation, whitelisting, checksumming, deployment. Works with appVMs, netVMs, etc. that are _template-based_. - `vm-boot-protect-root` - Protects /home/user as above, automatic /rw executable deactivation, whitelisting, checksumming, deployment. Works with appVMs, netVMs, etc. that are _template-based_.
**removes** dirs specified in $privdirs. Default is /rw/config, /rw/usrlocal and /rw/bind-dirs. Use with caution! This feature can also replace files on a global or per-VM basis... see script for details. Not recommended for standalone or VMs that rely on /rw root dirs such as netVMs or Whonix. **removes** dirs specified in $privdirs. Default is /rw/config, /rw/usrlocal and /rw/bind-dirs. Use with caution! This feature can also replace files on a global or per-VM basis... see script for details. Not recommended for standalone or VMs that rely on /rw root dirs such as netVMs or Whonix.
@ -44,10 +44,18 @@ Note this sets the Linux immutable flag on files and directories, so intended mo
### Limitations ### Limitations
vm-sudo-protect relies mostly on the guest operating system's own defenses, with one added advantage of root fs non-persistence provided by the Qubes template system. This means that attacks which can somehow undermine the guest OS, i.e. by damaging the private fs itself or quickly exploiting network vulnerabilities, could conceivably still persist at startup. vm-boot-protect relies mostly on the guest operating system's own defenses, with one added advantage of root fs non-persistence provided by the Qubes template system. This means that attacks which can somehow undermine the guest OS, i.e. by damaging the private fs itself or quickly exploiting network vulnerabilities, could conceivably still persist at startup.
Further, if the user configures a vulnerable app to run at startup, this introduces a malware risk -- although not to the VM's whole execution environment if no privilege escalation is available to the attacker. Further, if the user configures a vulnerable app to run at startup, this introduces a malware risk -- although not to the VM's whole execution environment if no privilege escalation is available to the attacker.
### Notes
* Disabling the Qubes default passwordless-root is necessary for this project to have a meaningful impact. Here are two recommended ways:
1. [Enabling dom0 prompt for sudo](https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt)
2. Uninstall the `qubes-core-agent-passwordless-root` from the template. After doing this, you will have to use `qvm-run -u root` from dom0 to run VM commands as root.
* The service name has been changed from `vm-sudo-protect` in pre-release to `vm-boot-protect`. The install script will automatically try to disable the old service.
* Currently if a vm-boot-protect check fails there is no immediate way to alert the user at startup. The VM will attempt to shutdown instead. See issue #7 for discussion.
## Releases ## Releases
- v0.8.0 Adds protection to /rw, file SHA checksums, whitelists, deployment - v0.8.0 Adds protection to /rw, file SHA checksums, whitelists, deployment
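Review bot: the new Notes bullet on the rename only covers the template side; `install` disables the old systemd unit, but step 2 above says activation happens through the per-VM Qubes service flag, and a VM still flagged `vm-sudo-protect` or `vm-sudo-protect-root` in dom0 will not match the renamed ConditionPathExists entries. Add a sentence telling the user to re-enable each VM under the new names in dom0. Also, step 2 says there are "two levels", yet the unit file also activates on `vm-boot-protect-cli`, which the script uses to open an xterm with a bash shell once the private volume is mounted; a short bullet describing that level would close the gap.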
@ -56,6 +64,4 @@ Further, if the user configures a vulnerable app to run at startup, this introdu
## See also: ## See also:
[Enabling dom0 prompt for sudo](https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt)
[AppArmor Profiles](https://github.com/tasket/AppArmor-Profiles) [AppArmor Profiles](https://github.com/tasket/AppArmor-Profiles)

install

@ -1,11 +1,14 @@
#!/bin/sh #!/bin/sh
[ `id -u` -eq 0 ] || exit [ `id -u` -eq 0 ] || exit
cp vm-sudo-protect.sh /usr/lib/qubes/init cp vm-boot-protect.sh /usr/lib/qubes/init
chmod +x /usr/lib/qubes/init/vm-sudo-protect.sh chmod +x /usr/lib/qubes/init/vm-boot-protect.sh
cp vm-sudo-protect.service /lib/systemd/system cp vm-boot-protect.service /lib/systemd/system
systemctl daemon-reload systemctl daemon-reload
systemctl enable vm-sudo-protect.service systemctl enable vm-boot-protect.service
echo vm-sudo-protect installed! echo Disabling the pre-release service (if present)...
systemctl disable vm-sudo-protect.service
echo vm-boot-protect installed!
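Review bot: the rename leaves stale copies behind. `systemctl disable vm-sudo-protect.service` only drops the enable symlink; /usr/lib/qubes/init/vm-sudo-protect.sh and /lib/systemd/system/vm-sudo-protect.service, which earlier versions of this same script copied into place, are neither removed nor masked, and on a fresh template the disable call prints a unit-not-found error. Suggest `rm -f` of both old paths followed by `systemctl daemon-reload`, and guard the disable with `2>/dev/null || true`. Separately, the root check `[ \`id -u\` -eq 0 ] || exit` exits with status 0 when run as non-root, so a forgotten `sudo` looks like success to the caller; use `exit 1`.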


@ -1,10 +1,10 @@
[Unit] [Unit]
Description=Script protections to enhance VM security Description=Protect Qubes VM execution environment at startup
After=qubes-sysinit.service After=qubes-sysinit.service
Before=qubes-mount-dirs.service Before=qubes-mount-dirs.service
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect ConditionPathExists=|/var/run/qubes-service/vm-boot-protect
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-root ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-root
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-cli ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-cli
DefaultDependencies=false DefaultDependencies=false
OnFailure=shutdown.target OnFailure=shutdown.target
OnFailureJobMode=replace-irreversibly OnFailureJobMode=replace-irreversibly
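Review bot: switching all three ConditionPathExists entries to the new names means a VM whose dom0 service flag is still `vm-sudo-protect`, `vm-sudo-protect-root` or `vm-sudo-protect-cli` silently fails the condition and boots unprotected; the install script only disables the old unit inside the template and cannot change dom0's per-VM service settings. Either keep the old `/var/run/qubes-service/vm-sudo-protect*` paths alongside the new ones for a transition release, or state in the README that each VM must be re-enabled with `qvm-service` under the new names. A silent no-op is the worst outcome for a startup-protection unit.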
@ -13,7 +13,7 @@ OnFailureJobMode=replace-irreversibly
Type=oneshot Type=oneshot
RemainAfterExit=no RemainAfterExit=no
#Environment="privdirs=/rw/config /rw/usrlocal /rw/bind-dirs" #Environment="privdirs=/rw/config /rw/usrlocal /rw/bind-dirs"
ExecStart=/usr/lib/qubes/init/vm-sudo-protect.sh ExecStart=/usr/lib/qubes/init/vm-boot-protect.sh
[Install] [Install]
WantedBy=sysinit.target WantedBy=sysinit.target


@ -37,21 +37,21 @@ else
-e "bash -i" -e "bash -i"
exit 1 exit 1
fi fi
if qsvc vm-sudo-protect-cli; then if qsvc vm-boot-protect-cli; then
xterm -hold -display :0 -title "VM PROTECTION: SERVICE PROMPT" \ xterm -hold -display :0 -title "VM PROTECTION: SERVICE PROMPT" \
-e "echo Private volume is mounted at $rw; bash -i" -e "echo Private volume is mounted at $rw; bash -i"
fi fi
# Protection measures for /rw dirs: # Protection measures for /rw dirs:
# Activated by presence of vm-sudo-protect-root Qubes service. # Activated by presence of vm-boot-protect-root Qubes service.
# * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked. # * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked.
# * Remove /rw root startup files (config, usrlocal, bind-dirs). # * Remove /rw root startup files (config, usrlocal, bind-dirs).
# * Contents of vms/vms.all and vms/$vmname folders will be copied. # * Contents of vms/vms.all and vms/$vmname folders will be copied.
defdir="/etc/default/vms" defdir="/etc/default/vms"
privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"} privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"}
if qsvc vm-sudo-protect-root && is_rwonly_persistent; then if qsvc vm-boot-protect-root && is_rwonly_persistent; then
# Check hashes # Check hashes
checkcode=0 checkcode=0
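Review bot: the `privdirs` default here is built from `$rw` (`$rw/config $rw/usrlocal $rw/bind-dirs`), while the commented `Environment=` example in the unit file uses literal `/rw/config /rw/usrlocal /rw/bind-dirs`; since the unit runs Before=qubes-mount-dirs.service, `$rw` may not be `/rw` at that point, and a user who copies the example would point the removal step at the wrong tree. Document the expected value of `$rw` next to the `Environment=` line, or write the example in terms of the same variable. Also, the comment block says hashes "will be checked" but not what a mismatch does; given the unit's OnFailure=shutdown.target, a one-line note that a failed check shuts the VM down (as the README Notes now say) belongs here too.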