chfiles optional default. fix immutable in template.

2024-10-01 06:35:42 -04:00 · 2019-07-28 15:42:57 -04:00 · 2019-07-28 15:42:57 -04:00 · 43ca3dcf17
commit 43ca3dcf17
parent 2a8c60e75f
1 changed files with 30 additions and 27 deletions
--- a/vm-boot-protect.sh
+++ b/vm-boot-protect.sh
@ -25,10 +25,10 @@

 # Define sh, bash, X and desktop init scripts in /home/user
 # to be protected
-chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \
-.xprofile .xinitrc .xserverrc .xsession"
-chdirs="bin .local/bin .config/autostart .config/plasma-workspace/env \
-.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"
+chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \
+.xprofile .xinitrc .xserverrc .xsession"}
+chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \
+.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}

 vmname=`qubesdb-read /name`
 dev=/dev/xvdb
@ -39,8 +39,20 @@ defdir=/etc/default/vms
 version="0.8.5"


+# Remount fs as read-write
+remount_rw() {
+    # Begin write operations
+    if [ -e $dev ] && mount -o remount,rw $dev $rw ; then
+        echo Good rw remount.
+    else
+        abort_startup RELOCATE "Remount failed!"
+    fi
+}
+
+
 # Function: Make user scripts immutable.
 make_immutable() {
+    remount_rw
    #initialize_home $rw/home ifneeded
    cd $rw/home/user
    mkdir -p $chdirs
@ -49,6 +61,7 @@ make_immutable() {
    cd /root
 }

+
 # Start rescue shell then exit/fail
 abort_startup() {
    type="$1"
@ -85,19 +98,6 @@ abort_startup() {
 }


-# Don't bother with root protections in template or standalone
-if ! is_rwonly_persistent; then
-    if qsvc vm-boot-protect; then
-        make_immutable
-    fi
-    if ! is_templatevm; then
-        # Keep configs invisible for standalone vms
-        rm -rf "$defdir"
-    fi
-    exit 0
-    # cannot use abort_startup() before this point
-fi
-
 echo >$errlog # Clear

 if qsvc vm-boot-protect-cli; then
@ -120,6 +120,15 @@ if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
            abort_startup RELOCATE "Mount failed; BAD private volume!"
        fi
    fi
+
+	# Don't bother with root protections in template or standalone
+	if ! is_rwonly_persistent; then
+		if qsvc vm-boot-protect; then
+		    make_immutable
+		fi
+		exit 0
+	fi
+
 fi


@ -157,12 +166,7 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
        abort_startup RELOCATE "Hash check failed!"
    fi

-    # Begin write operations
-    if [ -e $dev ] && mount -o remount,rw $dev $rw ; then
-        echo Good rw remount.
-    else
-        abort_startup RELOCATE "Remount failed!"
-    fi
+    remount_rw

    # Files mutable for del/copy operations
    cd $rw/home/user
@ -224,13 +228,12 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then

 fi

+# Keep configs invisible at runtime...
+rm -rf "$defdir"
+
 if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
    make_immutable
    umount $rw
 fi

-# Keep configs invisible at runtime...
-rm -rf "$defdir"
-
-
 exit 0