Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2024-10-01 06:35:42 -04:00
Code Issues Packages Projects Releases Wiki Activity

chfiles optional default. fix immutable in template.

Browse Source
This commit is contained in:
Christopher Laprise 2019-07-28 15:42:57 -04:00
parent 2a8c60e75f
commit 43ca3dcf17
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
1 changed files with 30 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
vm-boot-protect.sh Normal file → Executable file
View File

@ -25,10 +25,10 @@
# Define sh, bash, X and desktop init scripts in /home/user # Define sh, bash, X and desktop init scripts in /home/user
# to be protected # to be protected
chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \ chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \
.xprofile .xinitrc .xserverrc .xsession" .xprofile .xinitrc .xserverrc .xsession"}
chdirs="bin .local/bin .config/autostart .config/plasma-workspace/env \ chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \
.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd" .config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}
vmname=`qubesdb-read /name` vmname=`qubesdb-read /name`
dev=/dev/xvdb dev=/dev/xvdb
@ -39,8 +39,20 @@ defdir=/etc/default/vms
version="0.8.5" version="0.8.5"
# Remount fs as read-write
remount_rw() {
# Begin write operations
if [ -e $dev ] && mount -o remount,rw $dev $rw ; then
echo Good rw remount.
else
abort_startup RELOCATE "Remount failed!"
fi
}
# Function: Make user scripts immutable. # Function: Make user scripts immutable.
make_immutable() { make_immutable() {
remount_rw
#initialize_home $rw/home ifneeded #initialize_home $rw/home ifneeded
cd $rw/home/user cd $rw/home/user
mkdir -p $chdirs mkdir -p $chdirs
@ -49,6 +61,7 @@ make_immutable() {
cd /root cd /root
} }
# Start rescue shell then exit/fail # Start rescue shell then exit/fail
abort_startup() { abort_startup() {
type="$1" type="$1"
@ -85,19 +98,6 @@ abort_startup() {
} }
# Don't bother with root protections in template or standalone
if ! is_rwonly_persistent; then
if qsvc vm-boot-protect; then
make_immutable
fi
if ! is_templatevm; then
# Keep configs invisible for standalone vms
rm -rf "$defdir"
fi
exit 0
# cannot use abort_startup() before this point
fi
echo >$errlog # Clear echo >$errlog # Clear
if qsvc vm-boot-protect-cli; then if qsvc vm-boot-protect-cli; then
@ -120,6 +120,15 @@ if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
abort_startup RELOCATE "Mount failed; BAD private volume!" abort_startup RELOCATE "Mount failed; BAD private volume!"
fi fi
fi fi
# Don't bother with root protections in template or standalone
if ! is_rwonly_persistent; then
if qsvc vm-boot-protect; then
make_immutable
fi
exit 0
fi
fi fi
@ -157,12 +166,7 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
abort_startup RELOCATE "Hash check failed!" abort_startup RELOCATE "Hash check failed!"
fi fi
# Begin write operations remount_rw
if [ -e $dev ] && mount -o remount,rw $dev $rw ; then
echo Good rw remount.
else
abort_startup RELOCATE "Remount failed!"
fi
# Files mutable for del/copy operations # Files mutable for del/copy operations
cd $rw/home/user cd $rw/home/user
@ -224,13 +228,12 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
fi fi
# Keep configs invisible at runtime...
rm -rf "$defdir"
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
make_immutable make_immutable
umount $rw umount $rw
fi fi
# Keep configs invisible at runtime...
rm -rf "$defdir"
exit 0 exit 0