Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2024-10-01 06:35:42 -04:00
Code Issues Packages Projects Releases Wiki Activity

version 0.9.0

Browse Source
This commit is contained in:
Christopher Laprise 2019-08-15 15:08:44 -04:00
parent 8327e1e106
commit 9bff232683
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -76,14 +76,14 @@ Examples where -root should *not* be enabled:
* Standalone VMs. Plain `vm-boot-protect` makes more sense for these. * Standalone VMs. Plain `vm-boot-protect` makes more sense for these.
* Non-Linux VMs (currently unsupported for any mode) * Non-Linux VMs (currently unsupported for any mode)
### Example configs ### Example tags
Some useful configurations have been supplied in /etc/default/vms: Some useful configurations have been supplied in /etc/default/vms:
* vm-boot-tag-network: Contains a whitelist for Network Manager connections and the module blacklist which is often used with network interfaces in Qubes. By default, this config also activates for any VM named 'sys-net'. * vm-boot-tag-network: Contains a whitelist for Network Manager connections and the module blacklist which is often used with network interfaces in Qubes. By default, this config also activates for any VM named 'sys-net'.
* vm-boot-tag-qhome: Quarantines /home in addition to the /rw system dirs. Useful for 'sys-usb' and DispVM-like functionality. * vm-boot-tag-qhome: Quarantines /home in addition to the /rw system dirs. Useful for 'sys-usb' and DispVM-like functionality.
* vm-boot-tag-noqbackup: Deletes all quarantined files that are not whitelisted. * vm-boot-tag-noqbackup: Deletes all quarantined files that are not whitelisted.
* vm-boot-tag-ibrowse: Preserves Firefox bookmarks while quarantining the rest of /home folder. (To preserve pre-existing bookmarks, existing Firefox profile folder must be renamed to "profile.default" before activating this tag.) * vm-boot-tag-ibrowse: Preserves Firefox bookmarks while quarantining the /home folder. [Currently](https://github.com/tasket/Qubes-VM-hardening/issues/39) works with Firefox ESR.
### Scope and Limitations ### Scope and Limitations

2
vm-boot-protect.sh
View File

@ -30,7 +30,7 @@ rwbak=$rw/vm-boot-protect
errlog=/var/run/vm-protect-error errlog=/var/run/vm-protect-error
servicedir=/var/run/qubes-service servicedir=/var/run/qubes-service
defdir=/etc/default/vms defdir=/etc/default/vms
version="0.9.0b" version="0.9.0"
# Define sh, bash, X and desktop init scripts in /home/user # Define sh, bash, X and desktop init scripts in /home/user
# to be protected # to be protected