Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2025-06-07 05:52:50 -04:00
Code Issues Projects Releases Packages Wiki Activity

In progress, broken.

Browse source
This commit is contained in:
Christopher Laprise 2017-05-09 06:48:12 -04:00
parent 9c720c15cf
commit 4e68dfab79
No known key found for this signature in database
GPG key ID: 448568C8B281C952
2 changed files with 83 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

2
lib/systemd/system/vm-sudo-protect.service
View file

@ -5,6 +5,8 @@ Before=qubes-mount-dirs.service
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-root ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-root
DefaultDependencies=false DefaultDependencies=false
#OnFailure=shutdown.target
#OnFailureJobMode=replace-irreversibly
[Service] [Service]
Type=oneshot Type=oneshot

96
usr/lib/qubes/init/vm-sudo-protect.sh
View file

@ -3,6 +3,10 @@
## Protect startup of Qubes VMs from /rw scripts ## ## Protect startup of Qubes VMs from /rw scripts ##
## https://github.com/tasket/Qubes-VM-hardening ## ## https://github.com/tasket/Qubes-VM-hardening ##
# Source Qubes library.
. /usr/lib/qubes/init/functions
# Define sh, bash, X and desktop init scripts # Define sh, bash, X and desktop init scripts
# to be protected # to be protected
chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \ chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \
@ -10,6 +14,16 @@ chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \
chdirs=".config/autostart .config/plasma-workspace/env .config/plasma-workspace/shutdown \ chdirs=".config/autostart .config/plasma-workspace/env .config/plasma-workspace/shutdown \
.config/autostart-scripts" .config/autostart-scripts"
# Make user scripts immutable:
make_immutable() {
cd $rw/home/user
mkdir -p $chdirs
touch $chfiles
chattr -R -f +i $chfiles $chdirs
touch $rw/home/user/FIXED
}
# Mount private volume in temp location
rw=/mnt/rwtmp rw=/mnt/rwtmp
mkdir -p $rw mkdir -p $rw
if [ -e /dev/xvdb ] && mount /dev/xvdb $rw ; then if [ -e /dev/xvdb ] && mount /dev/xvdb $rw ; then
@ -18,34 +32,74 @@ else
exit 0 exit 0
fi fi
# Experimental: Remove /rw root startup files and copy defaults. # Protection measures for /rw dirs:
# Activated by presence of vm-sudo-protect-root Qubes service. # Activated by presence of vm-sudo-protect-root Qubes service.
# Contents of vms/vms.all and vms/hostname will be copied. # * Hashes in vms/vms.all.SHA and vms/$HOSTNAME.SHA files will be checked.
# * Remove /rw root startup files.
# * Contents of vms/vms.all and vms/$HOSTNAME folders will be copied.
defdir="/etc/default/vms" defdir="/etc/default/vms"
rootdirs="$rw/config $rw/usrlocal $rw/bind-dirs" rootdirs="$rw/config $rw/usrlocal $rw/bind-dirs"
HOSTNAME=`hostname`
if [ -e /var/run/qubes-service/vm-sudo-protect-root ] \ if qsvc vm-sudo-protect-root && is_rwonly_persistent; then
&& [ `qubesdb-read /qubes-vm-persistence` = "rw-only" ]; then
rm -rf $rootdirs # Check hashes
# make user scripts temporarily mutable, in case 'rw/home/user' checkcode=0
# files exist in defdir... echo "File hash checks:" >/tmp/vm-protect-sum-error
for vmset in vms.all $HOSTNAME; do
if [ -f $defdir/$vmset.SHA ]; then
sha256sum --strict -c $defdir/$vmset.SHA &>>/tmp/vm-protect-sum-error
checkcode=$((checkcode+$?))
fi
done
# Stop system startup if checksum mismatched
if [ $checkcode != 0 ]; then
cat /tmp/vm-protect-sum-error # For logging
xterm -hold -display :0 -title "VM PROTECTION: CHECKSUM MISMATCH!" \
-e "cat /tmp/vm-protect-sum-error; echo Private volume is mounted at $rw; bash -i"
exit 1
fi
# Make user scripts temporarily mutable, in case 'rw/home/user'
# files exist in defdir -- Copy default files
cd $rw/home/user cd $rw/home/user
chattr -R -f -i $chfiles $chdirs || true chattr -R -f -i $chfiles $chdirs
# copy..
if [ -d $defdir/vms.all ]; then # Deactivate config dirs
cp -af $defdir/vms.all/* / || true for dir in $rootdirs; do
fi if [ -d $dir ]; then
if [ -d $defdir/$(hostname) ]; then chattr -R -f -i $dir
cp -af $defdir/$(hostname)/* / || true cp -a --link $dir $dir-BAK
fi # rm -rf $dir-BAK
# mv $dir $dir-BAK
find $dir -type f | cat - $defdir/$HOSTNAME.whitelist $defdir/vms.all.whitelist \
| sed -r "s|^\ */rw(.+)\ *$|$rw\1|" | sort | uniq -u | xargs -I fpath rm -f "fpath"
fi fi
# Make user scripts immutable for vmset in vms.all $HOSTNAME; do
cd $rw/home/user # Process whitelists -- FIX FIX FIX
mkdir -p $chdirs ||true while false; do
touch $chfiles || true # while read srcfile; do
chattr -R -f +i $chfiles $chdirs || true if [[ $srcfile =~ ^$dir\/ ]]; then
touch $rw/home/user/FIXED || true cp -a --link --parents `sed -r "s|^/rw/|$rw/BAK-|" <<<$srcfile` /
else
echo "Cannot use relative or non-rw whitelist path."
fi
done <$defdir/$vmset.whitelist
# Copy default files
if [ -d $defdir/$vmset ]; then
cp -af $defdir/$vmset/* /
fi
done
done
fi
make_immutable
cd / cd /
umount $rw && rmdir $rw umount $rw && rmdir $rw
exit 0