diff --git a/README.md b/README.md index 8846fbf..ec8a416 100644 --- a/README.md +++ b/README.md @@ -78,10 +78,11 @@ Examples where -root should *not* be enabled: ### Example configs -Some usefull configurations have been supplied in /etc/default/vms: +Some useful configurations have been supplied in /etc/default/vms: * vm-boot-tag-network: Contains a whitelist for Network Manager connections and the module blacklist which is often used with network interfaces in Qubes. By default, this config also activates for any VM named 'sys-net'. - * vm-boot-tag-qhome: Quarrantines /home in addition to the /rw system dirs. Useful for 'sys-usb' and DispVM-like functionality. + * vm-boot-tag-qhome: Quarantines /home in addition to the /rw system dirs. Useful for 'sys-usb' and DispVM-like functionality. + * vm-boot-tag-noqbackup: Deletes all quarantined files that are not whitelisted. * vm-boot-tag-ibrowse: Preserves Firefox bookmarks while quarantining the rest of /home folder. (To preserve pre-existing bookmarks, existing Firefox profile folder must be renamed to "profile.default" before activating this tag.) @@ -95,7 +96,7 @@ Some usefull configurations have been supplied in /etc/default/vms: ### Notes - * The /rw/home directory can be added to `privdirs` so it is quarrantined much like the other /rw dirs. The easiest way to configure this is to define `privdirs_add=/rw/home` in an rc file; see 'qhome.rc' for an exmaple. + * The /rw/home directory can be added to `privdirs` so it is quarantined much like the other /rw dirs. The easiest way to configure this is to define `privdirs_add=/rw/home` in an rc file; see 'qhome.rc' for an exmaple. * A bug in v0.8.4 will erase anything in '/etc/default/vms' when booting into the template. For proper future operation with sys-net or other VMs you may have customized in that path, updating Qubes-VM-hardening 
@@ -118,5 +119,3 @@ Some usefull configurations have been supplied in /etc/default/vms: - v0.8.2 Working rescue shell. Add sys-net whitelist, sudo config, fixes. - v0.8.0 Adds protection to /rw, file SHA checksums, whitelists, deployment - v0.2.0 Protects /home/user files and dirs - - diff --git a/default/vms/@tags/ibrowse.rc b/default/vms/@tags/ibrowse.rc index b26ec82..f61377b 100644 --- a/default/vms/@tags/ibrowse.rc +++ b/default/vms/@tags/ibrowse.rc @@ -1 +1,2 @@ +# Browser-focused config that saves only bookmarks, starts with /home quarantine privdirs_add="/rw/home" diff --git a/default/vms/@tags/noqbackup.rc b/default/vms/@tags/noqbackup.rc new file mode 100644 index 0000000..53f0302 --- /dev/null +++ b/default/vms/@tags/noqbackup.rc @@ -0,0 +1,2 @@ +# Removes any files that were quarantined under /rw/vm-boot-protect/ +save_backup=0 diff --git a/default/vms/@tags/qhome.rc b/default/vms/@tags/qhome.rc index b26ec82..3549057 100644 --- a/default/vms/@tags/qhome.rc +++ b/default/vms/@tags/qhome.rc @@ -1 +1,2 @@ +# Quarantine entire /home directory privdirs_add="/rw/home" diff --git a/vm-boot-protect.sh b/vm-boot-protect.sh index 95e4330..6f7bf92 100755 --- a/vm-boot-protect.sh +++ b/vm-boot-protect.sh @@ -41,7 +41,7 @@ chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env .config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"} chdirs_add=${chdirs_add:-""} -# Define dirs to apply quarrantine / whitelists +# Define dirs to apply quarantine / whitelists privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"} privdirs_add=${privdirs_add:-""} save_backup=${save_backup:-1}
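Review bot: In the README hunk at -78,10 the new bullet "vm-boot-tag-noqbackup: Deletes all quarantined files that are not whitelisted." understates a destructive option; the tag's own noqbackup.rc comment names the location ("Removes any files that were quarantined under /rw/vm-boot-protect/") and the script hunk shows the default is `save_backup=1`, so the README bullet should say that this tag sets `save_backup=0`, that quarantined files are deleted instead of being kept under /rw/vm-boot-protect/, and that the deletion is not reversible.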
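Review bot: The README hunk at -95,7 corrects "quarrantined" on the `privdirs` note but leaves "exmaple" misspelled on the very same changed line ("see 'qhome.rc' for an exmaple."); fix it in this pass to "example" rather than touching the line again later.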
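Review bot: In the ibrowse.rc hunk the added comment "Browser-focused config that saves only bookmarks, starts with /home quarantine" omits the prerequisite the README states for this tag, namely that an existing Firefox profile folder must be renamed to "profile.default" before the tag is activated; a one-line mention in the rc file itself would save a user who reads only the config from losing bookmarks.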
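Review bot: In the new noqbackup.rc the comment "Removes any files that were quarantined under /rw/vm-boot-protect/" describes an effect while the only line is `save_backup=0`, so a reader cannot tell from this file which setting causes deletion or that the default (1, per the vm-boot-protect.sh context) keeps a backup; reword the comment to "Sets save_backup=0 so vm-boot-protect.sh deletes quarantined files instead of keeping them under /rw/vm-boot-protect/; this cannot be undone."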
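Review bot: The vm-boot-protect.sh hunk at -41,7 only fixes the spelling of "quarantine" in a comment, but the unchanged context line `save_backup=${save_backup:-1}` now carries a user-facing tag (noqbackup) and has no comment explaining the two values; add a comment above it such as "# 1 = keep quarantined files under /rw/vm-boot-protect/, 0 = delete them" so the behaviour the new tag relies on is documented at its source.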