Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2024-10-01 06:35:42 -04:00
Code Issues Packages Projects Releases Wiki Activity

Revert first-start policy to notification.

Browse Source
This commit is contained in:
Christopher Laprise 2018-04-12 19:58:24 -04:00
parent 4456e57bf2
commit 895cf8e01f
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
2 changed files with 39 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -75,6 +75,8 @@ Leverages Qubes template non-persistence to enhance the guest operating system's
* Adding /home or subdirs of it to $privdirs is possible. This would quarantine everything there to set the stage for applying whitelists on /home contents. The $privdirs variable can be changed via the service file, for example adding a .conf file in /lib/systemd/system/vm-boot-protect.d. * Adding /home or subdirs of it to $privdirs is possible. This would quarantine everything there to set the stage for applying whitelists on /home contents. The $privdirs variable can be changed via the service file, for example adding a .conf file in /lib/systemd/system/vm-boot-protect.d.
* Using the -root option with a [VPN VM](https://github.com/tasket/Qubes-vpn-support) can be approached different ways: SHA + whitelist combination can be made for the appropriate files. Alternately, all VPN configs can be added under /etc/default/vms/vmname/rw so they'll be automatically deployed. * Using the -root option with a [VPN VM](https://github.com/tasket/Qubes-vpn-support) can be approached different ways: SHA + whitelist combination can be made for the appropriate files. Alternately, all VPN configs can be added under /etc/default/vms/vmname/rw so they'll be automatically deployed.
* Currently the service cannot seamlessly handle 'first boot' when the private volume must be initialized. If you enabled the service on a VM before its first startup, on first start you will see a special rescue shell telling you to restart the VM. Subsequent starts will proceed normally.
## Releases ## Releases
- v0.8.1 Working rescue shell. Add sys-net whitelist, sudo config, fixes. - v0.8.1 Working rescue shell. Add sys-net whitelist, sudo config, fixes.

53
vm-boot-protect.sh
View File

@ -31,6 +31,7 @@ chdirs="bin .local/bin .config/autostart .config/plasma-workspace/env \
.config/plasma-workspace/shutdown .config/autostart-scripts" .config/plasma-workspace/shutdown .config/autostart-scripts"
vmname=`qubesdb-read /name` vmname=`qubesdb-read /name`
dev=/dev/xvdb
rw=/mnt/rwtmp rw=/mnt/rwtmp
rwbak=$rw/vm-boot-protect rwbak=$rw/vm-boot-protect
errlog=/var/run/vm-protect-error errlog=/var/run/vm-protect-error
@ -45,29 +46,41 @@ make_immutable() {
touch $chfiles touch $chfiles
chattr -R -f +i $chfiles $chdirs chattr -R -f +i $chfiles $chdirs
cd /root cd /root
#touch $rw/home/user/FIXED #debug
} }
# Start rescue shell then exit/fail # Start rescue shell then exit/fail
abort_startup() { abort_startup() {
echo "$1" >>$errlog type="$1"
msg="$2"
echo "$msg" >>$errlog
cat $errlog cat $errlog
umount /dev/xvdb rc=1
mv -f /dev/xvdb /dev/badxvdb if [ $type = "RELOCATE" ]; then
truncate --size=500M /root/dev-xvdb # quarantine private volume
loop=`losetup --find --show /root/dev-xvdb` umount $dev
mv -f $loop /dev/xvdb mv -f $dev /dev/badxvdb
truncate --size=500M /root/dev-xvdb
loop=`losetup --find --show /root/dev-xvdb`
mv -f $loop $dev
elif [ $type = "OK" ]; then
# allow normal start with private vol
rc=0
fi
# insert status msg and run xterm
cat /etc/bashrc /etc/bash.bashrc >/etc/bashrc-insert cat /etc/bashrc /etc/bash.bashrc >/etc/bashrc-insert
echo "echo '** VM-BOOT-PROTECT SERVICE SHELL'" >/etc/bashrc echo "echo '** VM-BOOT-PROTECT SERVICE SHELL'" >/etc/bashrc
echo "echo '** Private volume is located at /dev/badxvdb'" >>/etc/bashrc if [ $type = "RELOCATE" ]; then
echo "echo '** Private volume is located at /dev/badxvdb'" >>/etc/bashrc
fi
echo "cat $errlog" >>/etc/bashrc echo "cat $errlog" >>/etc/bashrc
echo ". /etc/bashrc-insert" >>/etc/bashrc echo ". /etc/bashrc-insert" >>/etc/bashrc
ln -f /etc/bashrc /etc/bash.bashrc ln -f /etc/bashrc /etc/bash.bashrc
echo '/usr/bin/nohup /usr/bin/xterm /bin/bash 0<&- &>/dev/null &' \ echo '/usr/bin/nohup /usr/bin/xterm /bin/bash 0<&- &>/dev/null &' \
>/etc/X11/Xsession.d/98rescue >/etc/X11/Xsession.d/98rescue
exit 1
exit $rc
} }
@ -77,21 +90,29 @@ if ! is_rwonly_persistent; then
make_immutable make_immutable
fi fi
exit 0 exit 0
# cannot use abort_startup() before this point
fi fi
echo >$errlog # Clear echo >$errlog # Clear
if qsvc vm-boot-protect-cli; then if qsvc vm-boot-protect-cli; then
abort_startup "CLI requested." abort_startup RELOCATE "CLI requested."
fi fi
# Mount private volume in temp location # Mount private volume in temp location
mkdir -p $rw mkdir -p $rw
if [ -e /dev/xvdb ] && mount -o ro /dev/xvdb $rw ; then if [ -e $dev ] && mount -o ro $dev $rw ; then
echo "Good read-only mount." echo "Good read-only mount."
else else
echo "Mount failed. Let qubes-mount-dirs (re)initialize volume..." echo "Mount failed."
exit 0 # decide if this is initial boot or a bad volume
private_size_512=$(blockdev --getsz "$dev")
if head -c $(( private_size_512 * 512 )) /dev/zero | diff "$dev" - >/dev/null; then
touch /var/run/qubes/VM-BOOT-PROTECT-INITIALIZERW
abort_startup OK "FIRST BOOT INITIALIZATION: PLEASE RESTART VM!"
else
abort_startup RELOCATE "Mount and mount-dirs failed; BAD private volume!"
fi
fi fi
@ -117,14 +138,14 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
# Stop system startup on checksum mismatch: # Stop system startup on checksum mismatch:
if [ $checkcode != 0 ]; then if [ $checkcode != 0 ]; then
abort_startup "Hash check failed!" abort_startup RELOCATE "Hash check failed!"
fi fi
# Begin write operations # Begin write operations
if [ -e /dev/xvdb ] && mount -o remount,rw /dev/xvdb $rw ; then if [ -e $dev ] && mount -o remount,rw $dev $rw ; then
echo Good rw remount. echo Good rw remount.
else else
abort_startup "Remount failed!" abort_startup RELOCATE "Remount failed!"
fi fi
# Files mutable for del/copy operations # Files mutable for del/copy operations