mirror of
https://github.com/tasket/Qubes-VM-hardening.git
synced 2024-10-01 06:35:42 -04:00
In progress, broken.
This commit is contained in:
parent
9c720c15cf
commit
4e68dfab79
@ -5,6 +5,8 @@ Before=qubes-mount-dirs.service
|
||||
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect
|
||||
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-root
|
||||
DefaultDependencies=false
|
||||
#OnFailure=shutdown.target
|
||||
#OnFailureJobMode=replace-irreversibly
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
@ -3,6 +3,10 @@
|
||||
## Protect startup of Qubes VMs from /rw scripts ##
|
||||
## https://github.com/tasket/Qubes-VM-hardening ##
|
||||
|
||||
|
||||
# Source Qubes library.
|
||||
. /usr/lib/qubes/init/functions
|
||||
|
||||
# Define sh, bash, X and desktop init scripts
|
||||
# to be protected
|
||||
chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \
|
||||
@ -10,6 +14,16 @@ chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \
|
||||
chdirs=".config/autostart .config/plasma-workspace/env .config/plasma-workspace/shutdown \
|
||||
.config/autostart-scripts"
|
||||
|
||||
# Make user scripts immutable:
|
||||
make_immutable() {
|
||||
cd $rw/home/user
|
||||
mkdir -p $chdirs
|
||||
touch $chfiles
|
||||
chattr -R -f +i $chfiles $chdirs
|
||||
touch $rw/home/user/FIXED
|
||||
}
|
||||
|
||||
# Mount private volume in temp location
|
||||
rw=/mnt/rwtmp
|
||||
mkdir -p $rw
|
||||
if [ -e /dev/xvdb ] && mount /dev/xvdb $rw ; then
|
||||
@ -18,34 +32,74 @@ else
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Experimental: Remove /rw root startup files and copy defaults.
|
||||
# Protection measures for /rw dirs:
|
||||
# Activated by presence of vm-sudo-protect-root Qubes service.
|
||||
# Contents of vms/vms.all and vms/hostname will be copied.
|
||||
# * Hashes in vms/vms.all.SHA and vms/$HOSTNAME.SHA files will be checked.
|
||||
# * Remove /rw root startup files.
|
||||
# * Contents of vms/vms.all and vms/$HOSTNAME folders will be copied.
|
||||
defdir="/etc/default/vms"
|
||||
rootdirs="$rw/config $rw/usrlocal $rw/bind-dirs"
|
||||
HOSTNAME=`hostname`
|
||||
|
||||
if [ -e /var/run/qubes-service/vm-sudo-protect-root ] \
|
||||
&& [ `qubesdb-read /qubes-vm-persistence` = "rw-only" ]; then
|
||||
rm -rf $rootdirs
|
||||
# make user scripts temporarily mutable, in case 'rw/home/user'
|
||||
# files exist in defdir...
|
||||
if qsvc vm-sudo-protect-root && is_rwonly_persistent; then
|
||||
|
||||
# Check hashes
|
||||
checkcode=0
|
||||
echo "File hash checks:" >/tmp/vm-protect-sum-error
|
||||
for vmset in vms.all $HOSTNAME; do
|
||||
if [ -f $defdir/$vmset.SHA ]; then
|
||||
sha256sum --strict -c $defdir/$vmset.SHA &>>/tmp/vm-protect-sum-error
|
||||
checkcode=$((checkcode+$?))
|
||||
fi
|
||||
done
|
||||
# Stop system startup if checksum mismatched
|
||||
if [ $checkcode != 0 ]; then
|
||||
cat /tmp/vm-protect-sum-error # For logging
|
||||
xterm -hold -display :0 -title "VM PROTECTION: CHECKSUM MISMATCH!" \
|
||||
-e "cat /tmp/vm-protect-sum-error; echo Private volume is mounted at $rw; bash -i"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
||||
|
||||
|
||||
# Make user scripts temporarily mutable, in case 'rw/home/user'
|
||||
# files exist in defdir -- Copy default files
|
||||
cd $rw/home/user
|
||||
chattr -R -f -i $chfiles $chdirs || true
|
||||
# copy..
|
||||
if [ -d $defdir/vms.all ]; then
|
||||
cp -af $defdir/vms.all/* / || true
|
||||
fi
|
||||
if [ -d $defdir/$(hostname) ]; then
|
||||
cp -af $defdir/$(hostname)/* / || true
|
||||
fi
|
||||
chattr -R -f -i $chfiles $chdirs
|
||||
|
||||
# Deactivate config dirs
|
||||
for dir in $rootdirs; do
|
||||
if [ -d $dir ]; then
|
||||
chattr -R -f -i $dir
|
||||
cp -a --link $dir $dir-BAK
|
||||
# rm -rf $dir-BAK
|
||||
# mv $dir $dir-BAK
|
||||
find $dir -type f | cat - $defdir/$HOSTNAME.whitelist $defdir/vms.all.whitelist \
|
||||
| sed -r "s|^\ */rw(.+)\ *$|$rw\1|" | sort | uniq -u | xargs -I fpath rm -f "fpath"
|
||||
fi
|
||||
|
||||
# Make user scripts immutable
|
||||
cd $rw/home/user
|
||||
mkdir -p $chdirs ||true
|
||||
touch $chfiles || true
|
||||
chattr -R -f +i $chfiles $chdirs || true
|
||||
touch $rw/home/user/FIXED || true
|
||||
for vmset in vms.all $HOSTNAME; do
|
||||
# Process whitelists -- FIX FIX FIX
|
||||
while false; do
|
||||
# while read srcfile; do
|
||||
if [[ $srcfile =~ ^$dir\/ ]]; then
|
||||
cp -a --link --parents `sed -r "s|^/rw/|$rw/BAK-|" <<<$srcfile` /
|
||||
else
|
||||
echo "Cannot use relative or non-rw whitelist path."
|
||||
fi
|
||||
done <$defdir/$vmset.whitelist
|
||||
|
||||
# Copy default files
|
||||
if [ -d $defdir/$vmset ]; then
|
||||
cp -af $defdir/$vmset/* /
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
fi
|
||||
|
||||
make_immutable
|
||||
cd /
|
||||
umount $rw && rmdir $rw
|
||||
exit 0
|
||||
|
Loading…
Reference in New Issue
Block a user