From b3f46e33070bbe83d46fe02e02b87e71dd2667b5 Mon Sep 17 00:00:00 2001
From: tasket
Date: Thu, 20 Apr 2017 19:33:44 -0400
Subject: [PATCH] Update vm-sudo-protect.sh

Avoids using fstab mountpoint and enables using `vm-sudo-protect-root` as Qubes service.
---
 usr/lib/qubes/init/vm-sudo-protect.sh | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/usr/lib/qubes/init/vm-sudo-protect.sh b/usr/lib/qubes/init/vm-sudo-protect.sh
index 93f64a4..a9ad609 100644
--- a/usr/lib/qubes/init/vm-sudo-protect.sh
+++ b/usr/lib/qubes/init/vm-sudo-protect.sh
@@ -1,5 +1,8 @@
 #!/bin/sh
 
+## Protect startup of Qubes VMs from /rw scripts ##
+## https://github.com/tasket/Qubes-VM-hardening ##
+
 # Define sh, bash, X and desktop init scripts
 # to be protected
 chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \
@@ -7,8 +10,9 @@ chfiles=".bashrc .bash_profile .bash_login .bash_logout .profile \
 chdirs=".config/autostart .config/plasma-workspace/env .config/plasma-workspace/shutdown \
 .config/autostart-scripts"
 
-mkdir -p /rw
-if [ -e /dev/xvdb ] && mount /rw ; then
+rw=/mnt/rwtmp
+mkdir -p $rw
+if [ -e /dev/xvdb ] && mount /dev/xvdb $rw ; then
 echo Good rw mount.
 else
 exit 0
@@ -18,12 +22,12 @@ fi
 # Activated by presence of /etc/defaults/vms/vms.all dir.
 # Contents of vms/vms.all and vms/hostname will be copied.
 defdir="/etc/default/vms"
-rootdirs="/rw/config /rw/usrlocal /rw/bind-dirs"
-if [ -d $defdir/vms.all ] && [ `qubesdb-read /qubes-vm-persistence` = "rw-only" ]; then
+rootdirs="$rw/config $rw/usrlocal $rw/bind-dirs"
+if [ -e /var/run/qubes-service/vm-sudo-protect-root ] && [ `qubesdb-read /qubes-vm-persistence` = "rw-only" ]; then
 rm -rf $rootdirs
 # make user scripts temporarily mutable, in case 'rw/home/user'
 # files exist in defdir...
-cd /rw/home/user
+cd $rw/home/user
 chattr -R -f -i $chfiles $chdirs || true
 # copy..
 cp -af $defdir/vms.all/* / || true
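Review bot: On the new `if [ -e /dev/xvdb ] && mount /dev/xvdb $rw ; then` line, a failed mount of a device that does exist falls into the `else` branch and exits 0 with no message, so the whole protection step is silently skipped and the directory created by `mkdir -p $rw` is left behind. Suggest making that branch say so in the boot log before exiting, e.g. `else echo "vm-sudo-protect: could not mount /dev/xvdb on $rw, skipping" >&2; rmdir $rw; exit 0`, and whether the exit status should stay 0 for a genuine mount failure is worth a comment. Since the contents of this volume are exactly what the script distrusts, mounting the temporary location with `mount -o nosuid,nodev /dev/xvdb $rw` is a cheap hardening of the new mount.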
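Review bot: The new `cd $rw/home/user` is unchecked, and under `#!/bin/sh` with no `set -e` a missing `home/user` on the private volume leaves the working directory where it was, so the following `chattr -R -f -i $chfiles $chdirs` operates on whatever that directory holds; the same line in the last hunk is followed by `mkdir -p $chdirs`, `touch $chfiles` and `chattr +i`, which would then create immutable files outside the user's home. Suggest `cd $rw/home/user || { cd /; umount $rw; exit 1; }` here and in the last hunk. On the new `if` line the unquoted backtick substitution also makes the test error out when `qubesdb-read` prints nothing; `[ "$(qubesdb-read /qubes-vm-persistence)" = "rw-only" ]` avoids that. With the `-d $defdir/vms.all` check dropped, enabling the service on a VM that has no `$defdir/vms.all` still runs `rm -rf $rootdirs` with nothing to restore — if that is intended, a one-line comment saying so would help the next reader.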
@@ -33,11 +37,11 @@ if [ -d $defdir/vms.all ] && [ `qubesdb-read /qubes-vm-persistence` = "rw-only" fi # Make user scripts immutable -cd /rw/home/user +cd $rw/home/user mkdir -p $chdirs ||true touch $chfiles || true chattr -R -f +i $chfiles $chdirs || true -touch /rw/home/user/FIXED || true +touch $rw/home/user/FIXED || true cd / -umount /rw +umount $rw && rmdir $rw
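Review bot: `umount $rw && rmdir $rw` is silent when the unmount fails (an open file under `$rw` is enough), leaving the private volume mounted at `/mnt/rwtmp`, and as the script's last command the failure is only visible through the exit status. Suggest `if umount $rw; then rmdir $rw; else echo "vm-sudo-protect: umount of $rw failed" >&2; exit 1; fi` so the boot log explains why the volume may still be busy afterwards.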