Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2024-10-01 06:35:42 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix spelling, add tag noqbackup

Browse Source
This commit is contained in:
Christopher Laprise 2019-08-13 15:55:13 -04:00
parent 876491ceee
commit 700016197e
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
5 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
README.md
View File

@ -78,10 +78,11 @@ Examples where -root should *not* be enabled:
### Example configs
Some usefull configurations have been supplied in /etc/default/vms:
Some useful configurations have been supplied in /etc/default/vms:
* vm-boot-tag-network: Contains a whitelist for Network Manager connections and the module blacklist which is often used with network interfaces in Qubes. By default, this config also activates for any VM named 'sys-net'.
* vm-boot-tag-qhome: Quarrantines /home in addition to the /rw system dirs. Useful for 'sys-usb' and DispVM-like functionality.
* vm-boot-tag-qhome: Quarantines /home in addition to the /rw system dirs. Useful for 'sys-usb' and DispVM-like functionality.
* vm-boot-tag-noqbackup: Deletes all quarantined files that are not whitelisted.
* vm-boot-tag-ibrowse: Preserves Firefox bookmarks while quarantining the rest of /home folder. (To preserve pre-existing bookmarks, existing Firefox profile folder must be renamed to "profile.default" before activating this tag.)
@ -95,7 +96,7 @@ Some usefull configurations have been supplied in /etc/default/vms:
### Notes
* The /rw/home directory can be added to `privdirs` so it is quarrantined much like the other /rw dirs. The easiest way to configure this is to define `privdirs_add=/rw/home` in an rc file; see 'qhome.rc' for an exmaple.
* The /rw/home directory can be added to `privdirs` so it is quarantined much like the other /rw dirs. The easiest way to configure this is to define `privdirs_add=/rw/home` in an rc file; see 'qhome.rc' for an exmaple.
* A bug in v0.8.4 will erase anything in '/etc/default/vms' when booting into the template. For proper
future operation with sys-net or other VMs you may have customized in that path, updating Qubes-VM-hardening
@ -118,5 +119,3 @@ Some usefull configurations have been supplied in /etc/default/vms:
- v0.8.2 Working rescue shell. Add sys-net whitelist, sudo config, fixes.
- v0.8.0 Adds protection to /rw, file SHA checksums, whitelists, deployment
- v0.2.0 Protects /home/user files and dirs

1
default/vms/@tags/ibrowse.rc
View File

@ -1 +1,2 @@
# Browser-focused config that saves only bookmarks, starts with /home quarantine
privdirs_add="/rw/home"

2
default/vms/@tags/noqbackup.rc Normal file
View File

@ -0,0 +1,2 @@
# Removes any files that were quarantined under /rw/vm-boot-protect/
save_backup=0

1
default/vms/@tags/qhome.rc
View File

@ -1 +1,2 @@
# Quarantine entire /home directory
privdirs_add="/rw/home"

2
vm-boot-protect.sh
View File

@ -41,7 +41,7 @@ chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env
.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}
chdirs_add=${chdirs_add:-""}
# Define dirs to apply quarrantine / whitelists
# Define dirs to apply quarantine / whitelists
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
privdirs_add=${privdirs_add:-""}
save_backup=${save_backup:-1}