Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2025-03-18 05:06:06 -04:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Remove quotes from copy glob

Browse Source
This commit is contained in:
Christopher Laprise 2018-03-29 09:54:31 -04:00
parent 05f4e30a22
commit a5de68de7e
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
2 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
vm-boot-protect.service
View File

@ -12,6 +12,7 @@ OnFailureJobMode=replace-irreversibly
[Service]
Type=oneshot
RemainAfterExit=no
# privdirs must begin with /rw
#Environment="privdirs=/rw/config /rw/usrlocal /rw/bind-dirs"
ExecStart=/usr/lib/qubes/init/vm-boot-protect.sh

12
vm-boot-protect.sh
View File

@ -46,7 +46,7 @@ fi
# Protection measures for /rw dirs:
# Activated by presence of vm-boot-protect-root Qubes service.
# * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked.
# * Remove /rw root startup files (config, usrlocal, bind-dirs).
# * Remove /rw root startup files - except whitelist.
# * Contents of vms/vms.all and vms/$vmname folders will be copied.
defdir="/etc/default/vms"
privdirs=${privdirs:-"$rw/config $rw/usrlocal $rw/bind-dirs"}
@ -78,10 +78,10 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
cd /root
# Deactivate private.img config dirs
mkdir -p `dirname $dir`/vm-boot-protect
mkdir -p $rw/vm-boot-protect
for dir in $privdirs; do
bakdir=`dirname $dir`/vm-boot-protect/BAK-`basename $dir`
origdir=`dirname $dir`/vm-boot-protect/ORIG-`basename $dir`
bakdir=$rw/vm-boot-protect/BAK-`basename $dir`
origdir=$rw/vm-boot-protect/ORIG-`basename $dir`
if [ -d $bakdir ] && [ ! -d $origdir ]; then
mv $bakdir $origdir
fi
@ -97,7 +97,7 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
| while read wlfile; do
# Must begin with '/rw/'
if echo $wlfile |grep -q "^\/rw\/"; then #Was [ $wlfile =~ ^\/rw\/ ];
srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/BAK-\1|\"`"
srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/vm-boot-protect/BAK-\1|\"`"
dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
dstdir="`dirname \"$dstfile\"`"
if [ ! -e "$srcfile" ]; then
@ -119,7 +119,7 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
# Copy default files...
if [ -d $defdir/$vmset/rw ]; then
cp -af "$defdir/$vmset/rw/*" $rw
cp -af $defdir/$vmset/rw/* $rw
fi
done