mirror of
https://github.com/tasket/Qubes-VM-hardening.git
synced 2024-10-01 06:35:42 -04:00
var and rc tweaks, add tag files
This commit is contained in:
Christopher Laprise
parent
204e90a626
commit
ca67ef7fe3
@ -57,6 +57,10 @@ Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-
|
||||
**Deployment** files are copied _recursively_ from ../vms/vms.all/rw/ and ../vms/$vmname/rw/ dirs. Example is to place the .bashrc file in /etc/default/vms/vms.all/rw/home/user/.bashrc for deployment to /rw/home/user/.bashrc. Once copying is complete,
|
||||
the /etc/defaults/vms folder is deleted from the running VM (this has no effect on the original in the template).
|
||||
|
||||
**rc files** are sh script fragments sourced from ../vms/vms.all.rc and ../vms/$vmname.rc. They run near the beginning of the vm-boot-protect service before mounting /rw, and can be used to override variable definitions like `privdirs` as well as the `vm_boot_finish` function which runs near the end before dismount. Another use for rc files is to run threat detection tools such as antivirus.
|
||||
|
||||
**Tags** may be defined with all of the above features so that you are not limited to specifying them for either all VMs or specifically-named VMs. Simply configure them as you would acccording to the above directions, but place the files under the '@tags' subdir instead. For example '/etc/default/vms/@tags/special.whitelist' defines a whitelist for the tag 'special'. A tag can be activated for one or more VMs by adding a Qubes service prefixed with `vm-boot-tag-` (i.e. vm-boot-tag-special) to the VMs.
|
||||
|
||||
### Where to use: Basic examples
|
||||
|
||||
After installing into a template, simply enable `vm-boot-protect-root` service without configuration. Recommended for the following types of VMs:
|
||||
@ -82,6 +86,8 @@ Examples where -root should *not* be enabled:
|
||||
|
||||
### Notes
|
||||
|
||||
* The /rw/home directory can be added to `privdirs` so it is quarrantined much like /rw/config, /rw/binddirs and /rw/usrlocal. The easiest way to configure this is to define `privdirs_add=/rw/home` in an rc file or a drop-in for the vm-boot-protect.service. But in the case of /rw/home, the /rw/home/user folder will be repopulated automatically from OS defaults (usually in /etc/skel) before whitelists are applied. For an example, see the `ibrowse` tag which quarrantines home while whitelisting Firefox bookmarks.
|
||||
|
||||
* A bug in v0.8.4 will erase anything in '/etc/default/vms' when booting into the template. For proper
|
||||
future operation with sys-net or other VMs you may have customized in that path, updating Qubes-VM-hardening
|
||||
to the latest version (using the install script) is recommended, along with restoring any custom files
|
||||
@ -98,6 +104,7 @@ Examples where -root should *not* be enabled:
|
||||
* Currently the service cannot seamlessly handle 'first boot' when the private volume must be initialized. If you enabled the service on a VM before its first startup, on first start the shell will display a notice telling you to restart the VM. Subsequent starts will proceed normally.
|
||||
|
||||
## Releases
|
||||
- v0.9.0 Add tags and rc files, protect more home scripts, support home quarrantine
|
||||
- v0.8.5 Fix template detection, /etc/default/vms erasure
|
||||
- v0.8.4 Add protection to /home/user/.config/systemd
|
||||
- v0.8.3 Fix for install script copying to /etc/default/vms
|
||||
|
||||
1
default/vms/@tags/ibrowse.rc
Normal file
1
default/vms/@tags/ibrowse.rc
Normal file
@ -0,0 +1 @@
|
||||
privdirs_add="/rw/home"
|
||||
3
default/vms/@tags/ibrowse.whitelist
Normal file
3
default/vms/@tags/ibrowse.whitelist
Normal file
@ -0,0 +1,3 @@
|
||||
/rw/home/user/.mozilla/firefox/profile.default/places.sqlite
|
||||
/rw/home/user/.mozilla/firefox/profile.default/places.sqlite-shm
|
||||
/rw/home/user/.mozilla/firefox/profile.default/places.sqlite-wal
|
||||
2
default/vms/@tags/network.whitelist
Normal file
2
default/vms/@tags/network.whitelist
Normal file
@ -0,0 +1,2 @@
|
||||
/rw/config/NM-system-connections/
|
||||
/rw/config/suspend-module-blacklist
|
||||
1
default/vms/@tags/usb.rc
Normal file
1
default/vms/@tags/usb.rc
Normal file
@ -0,0 +1 @@
|
||||
privdirs_add="/rw/home"
|
||||
@ -1,2 +0,0 @@
|
||||
/rw/config/NM-system-connections/
|
||||
/rw/config/suspend-module-blacklist
|
||||
1
default/vms/sys-net.whitelist
Symbolic link
1
default/vms/sys-net.whitelist
Symbolic link
@ -0,0 +1 @@
|
||||
@tags/network.whitelist
|
||||
@ -29,16 +29,16 @@ rw=/mnt/rwtmp
|
||||
rwbak=$rw/vm-boot-protect
|
||||
errlog=/var/run/vm-protect-error
|
||||
defdir=/etc/default/vms
|
||||
version="0.9.0b"
|
||||
version="0.9.0"
|
||||
|
||||
# Define sh, bash, X and desktop init scripts in /home/user
|
||||
# to be protected
|
||||
chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \
|
||||
.pam_environment .xprofile .xinitrc .xserverrc .Xsession .xsession .xsessionrc"}
|
||||
chfiles_add=""
|
||||
chfiles_add=${chfiles_add:-""}
|
||||
chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \
|
||||
.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}
|
||||
chdirs_add=""
|
||||
chdirs_add=${chdirs_add:-""}
|
||||
|
||||
# Define dirs to apply quarrantine / whitelists
|
||||
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
|
||||
@ -112,14 +112,6 @@ abort_startup() {
|
||||
}
|
||||
|
||||
|
||||
# Run rc file commands if they exist
|
||||
for rcbase in vms.all $tags $vmname; do
|
||||
if [ -e "$defdir/$rcbase.rc" ]; then
|
||||
. "$defdir/$rcbase.rc"
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
echo >$errlog # Clear
|
||||
|
||||
if qsvc vm-boot-protect-cli; then
|
||||
@ -145,7 +137,6 @@ if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
|
||||
|
||||
# Don't bother with root protections in template or standalone
|
||||
if ! is_rwonly_persistent; then
|
||||
vm_boot_finish
|
||||
make_immutable
|
||||
exit 0
|
||||
fi
|
||||
@ -161,6 +152,13 @@ fi
|
||||
|
||||
if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
|
||||
# Run rc file commands if they exist
|
||||
for rcbase in vms.all $tags $vmname; do
|
||||
if [ -e "$defdir/$rcbase.rc" ]; then
|
||||
. "$defdir/$rcbase.rc"
|
||||
fi
|
||||
done
|
||||
|
||||
# Check hashes
|
||||
checkcode=0
|
||||
for sha_base in $vmname $tags vms.all; do
|
||||
@ -187,7 +185,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
|
||||
# Files mutable for del/copy operations
|
||||
cd $rw/home/user
|
||||
chattr -R -f -i $chfiles $chfiles_add $chdirs $chdirs_add $privdirs $privdirs_add
|
||||
chattr -R -f -i $chfiles $chfiles_add $chdirs $chdirs_add $privdirs $privdirs_add \
|
||||
$rwbak/BAK-*
|
||||
cd /root
|
||||
|
||||
|
||||
@ -202,7 +201,7 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
mv "$bakdir" "$origdir"
|
||||
fi
|
||||
if [ -e "$bakdir" ]; then
|
||||
chattr -R -i "$bakdir"
|
||||
#chattr -R -i "$bakdir"
|
||||
rm -rf "$bakdir"
|
||||
fi
|
||||
mv "$rw/$subdir" "$bakdir"
|
||||
@ -215,7 +214,6 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
rm -rf /home/user $rw/home/user
|
||||
mount --bind $rw/home /home
|
||||
mkhomedir_helper user
|
||||
#mv /home/user $rw/home
|
||||
umount /home
|
||||
;;
|
||||
esac
|
||||
@ -258,6 +256,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
fi
|
||||
done
|
||||
|
||||
vm_boot_finish
|
||||
|
||||
fi
|
||||
|
||||
# Keep configs invisible at runtime...
|
||||
@ -265,7 +265,6 @@ rm -rf "$defdir"
|
||||
|
||||
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
|
||||
echo "Preparing for unmount"
|
||||
vm_boot_finish
|
||||
make_immutable
|
||||
umount $rw
|
||||
fi
|
||||
|
||||
Loading…
Reference in New Issue
Block a user