mirror of
https://github.com/tasket/Qubes-VM-hardening.git
synced 2024-10-01 06:35:42 -04:00
var and rc tweaks, add tag files
This commit is contained in:
parent
204e90a626
commit
ca67ef7fe3
@ -57,6 +57,10 @@ Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-
|
|||||||
**Deployment** files are copied _recursively_ from ../vms/vms.all/rw/ and ../vms/$vmname/rw/ dirs. Example is to place the .bashrc file in /etc/default/vms/vms.all/rw/home/user/.bashrc for deployment to /rw/home/user/.bashrc. Once copying is complete,
|
**Deployment** files are copied _recursively_ from ../vms/vms.all/rw/ and ../vms/$vmname/rw/ dirs. Example is to place the .bashrc file in /etc/default/vms/vms.all/rw/home/user/.bashrc for deployment to /rw/home/user/.bashrc. Once copying is complete,
|
||||||
the /etc/defaults/vms folder is deleted from the running VM (this has no effect on the original in the template).
|
the /etc/defaults/vms folder is deleted from the running VM (this has no effect on the original in the template).
|
||||||
|
|
||||||
|
**rc files** are sh script fragments sourced from ../vms/vms.all.rc and ../vms/$vmname.rc. They run near the beginning of the vm-boot-protect service before mounting /rw, and can be used to override variable definitions like `privdirs` as well as the `vm_boot_finish` function which runs near the end before dismount. Another use for rc files is to run threat detection tools such as antivirus.
|
||||||
|
|
||||||
|
**Tags** may be defined with all of the above features so that you are not limited to specifying them for either all VMs or specifically-named VMs. Simply configure them as you would acccording to the above directions, but place the files under the '@tags' subdir instead. For example '/etc/default/vms/@tags/special.whitelist' defines a whitelist for the tag 'special'. A tag can be activated for one or more VMs by adding a Qubes service prefixed with `vm-boot-tag-` (i.e. vm-boot-tag-special) to the VMs.
|
||||||
|
|
||||||
### Where to use: Basic examples
|
### Where to use: Basic examples
|
||||||
|
|
||||||
After installing into a template, simply enable `vm-boot-protect-root` service without configuration. Recommended for the following types of VMs:
|
After installing into a template, simply enable `vm-boot-protect-root` service without configuration. Recommended for the following types of VMs:
|
||||||
@ -82,6 +86,8 @@ Examples where -root should *not* be enabled:
|
|||||||
|
|
||||||
### Notes
|
### Notes
|
||||||
|
|
||||||
|
* The /rw/home directory can be added to `privdirs` so it is quarrantined much like /rw/config, /rw/binddirs and /rw/usrlocal. The easiest way to configure this is to define `privdirs_add=/rw/home` in an rc file or a drop-in for the vm-boot-protect.service. But in the case of /rw/home, the /rw/home/user folder will be repopulated automatically from OS defaults (usually in /etc/skel) before whitelists are applied. For an example, see the `ibrowse` tag which quarrantines home while whitelisting Firefox bookmarks.
|
||||||
|
|
||||||
* A bug in v0.8.4 will erase anything in '/etc/default/vms' when booting into the template. For proper
|
* A bug in v0.8.4 will erase anything in '/etc/default/vms' when booting into the template. For proper
|
||||||
future operation with sys-net or other VMs you may have customized in that path, updating Qubes-VM-hardening
|
future operation with sys-net or other VMs you may have customized in that path, updating Qubes-VM-hardening
|
||||||
to the latest version (using the install script) is recommended, along with restoring any custom files
|
to the latest version (using the install script) is recommended, along with restoring any custom files
|
||||||
@ -98,6 +104,7 @@ Examples where -root should *not* be enabled:
|
|||||||
* Currently the service cannot seamlessly handle 'first boot' when the private volume must be initialized. If you enabled the service on a VM before its first startup, on first start the shell will display a notice telling you to restart the VM. Subsequent starts will proceed normally.
|
* Currently the service cannot seamlessly handle 'first boot' when the private volume must be initialized. If you enabled the service on a VM before its first startup, on first start the shell will display a notice telling you to restart the VM. Subsequent starts will proceed normally.
|
||||||
|
|
||||||
## Releases
|
## Releases
|
||||||
|
- v0.9.0 Add tags and rc files, protect more home scripts, support home quarrantine
|
||||||
- v0.8.5 Fix template detection, /etc/default/vms erasure
|
- v0.8.5 Fix template detection, /etc/default/vms erasure
|
||||||
- v0.8.4 Add protection to /home/user/.config/systemd
|
- v0.8.4 Add protection to /home/user/.config/systemd
|
||||||
- v0.8.3 Fix for install script copying to /etc/default/vms
|
- v0.8.3 Fix for install script copying to /etc/default/vms
|
||||||
|
1
default/vms/@tags/ibrowse.rc
Normal file
1
default/vms/@tags/ibrowse.rc
Normal file
@ -0,0 +1 @@
|
|||||||
|
privdirs_add="/rw/home"
|
3
default/vms/@tags/ibrowse.whitelist
Normal file
3
default/vms/@tags/ibrowse.whitelist
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
/rw/home/user/.mozilla/firefox/profile.default/places.sqlite
|
||||||
|
/rw/home/user/.mozilla/firefox/profile.default/places.sqlite-shm
|
||||||
|
/rw/home/user/.mozilla/firefox/profile.default/places.sqlite-wal
|
2
default/vms/@tags/network.whitelist
Normal file
2
default/vms/@tags/network.whitelist
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
/rw/config/NM-system-connections/
|
||||||
|
/rw/config/suspend-module-blacklist
|
1
default/vms/@tags/usb.rc
Normal file
1
default/vms/@tags/usb.rc
Normal file
@ -0,0 +1 @@
|
|||||||
|
privdirs_add="/rw/home"
|
@ -1,2 +0,0 @@
|
|||||||
/rw/config/NM-system-connections/
|
|
||||||
/rw/config/suspend-module-blacklist
|
|
1
default/vms/sys-net.whitelist
Symbolic link
1
default/vms/sys-net.whitelist
Symbolic link
@ -0,0 +1 @@
|
|||||||
|
@tags/network.whitelist
|
@ -29,16 +29,16 @@ rw=/mnt/rwtmp
|
|||||||
rwbak=$rw/vm-boot-protect
|
rwbak=$rw/vm-boot-protect
|
||||||
errlog=/var/run/vm-protect-error
|
errlog=/var/run/vm-protect-error
|
||||||
defdir=/etc/default/vms
|
defdir=/etc/default/vms
|
||||||
version="0.9.0b"
|
version="0.9.0"
|
||||||
|
|
||||||
# Define sh, bash, X and desktop init scripts in /home/user
|
# Define sh, bash, X and desktop init scripts in /home/user
|
||||||
# to be protected
|
# to be protected
|
||||||
chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \
|
chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \
|
||||||
.pam_environment .xprofile .xinitrc .xserverrc .Xsession .xsession .xsessionrc"}
|
.pam_environment .xprofile .xinitrc .xserverrc .Xsession .xsession .xsessionrc"}
|
||||||
chfiles_add=""
|
chfiles_add=${chfiles_add:-""}
|
||||||
chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \
|
chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \
|
||||||
.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}
|
.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}
|
||||||
chdirs_add=""
|
chdirs_add=${chdirs_add:-""}
|
||||||
|
|
||||||
# Define dirs to apply quarrantine / whitelists
|
# Define dirs to apply quarrantine / whitelists
|
||||||
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
|
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
|
||||||
@ -112,14 +112,6 @@ abort_startup() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Run rc file commands if they exist
|
|
||||||
for rcbase in vms.all $tags $vmname; do
|
|
||||||
if [ -e "$defdir/$rcbase.rc" ]; then
|
|
||||||
. "$defdir/$rcbase.rc"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
|
|
||||||
echo >$errlog # Clear
|
echo >$errlog # Clear
|
||||||
|
|
||||||
if qsvc vm-boot-protect-cli; then
|
if qsvc vm-boot-protect-cli; then
|
||||||
@ -145,7 +137,6 @@ if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
|
|||||||
|
|
||||||
# Don't bother with root protections in template or standalone
|
# Don't bother with root protections in template or standalone
|
||||||
if ! is_rwonly_persistent; then
|
if ! is_rwonly_persistent; then
|
||||||
vm_boot_finish
|
|
||||||
make_immutable
|
make_immutable
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
@ -161,6 +152,13 @@ fi
|
|||||||
|
|
||||||
if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||||
|
|
||||||
|
# Run rc file commands if they exist
|
||||||
|
for rcbase in vms.all $tags $vmname; do
|
||||||
|
if [ -e "$defdir/$rcbase.rc" ]; then
|
||||||
|
. "$defdir/$rcbase.rc"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
# Check hashes
|
# Check hashes
|
||||||
checkcode=0
|
checkcode=0
|
||||||
for sha_base in $vmname $tags vms.all; do
|
for sha_base in $vmname $tags vms.all; do
|
||||||
@ -187,7 +185,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
|||||||
|
|
||||||
# Files mutable for del/copy operations
|
# Files mutable for del/copy operations
|
||||||
cd $rw/home/user
|
cd $rw/home/user
|
||||||
chattr -R -f -i $chfiles $chfiles_add $chdirs $chdirs_add $privdirs $privdirs_add
|
chattr -R -f -i $chfiles $chfiles_add $chdirs $chdirs_add $privdirs $privdirs_add \
|
||||||
|
$rwbak/BAK-*
|
||||||
cd /root
|
cd /root
|
||||||
|
|
||||||
|
|
||||||
@ -202,7 +201,7 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
|||||||
mv "$bakdir" "$origdir"
|
mv "$bakdir" "$origdir"
|
||||||
fi
|
fi
|
||||||
if [ -e "$bakdir" ]; then
|
if [ -e "$bakdir" ]; then
|
||||||
chattr -R -i "$bakdir"
|
#chattr -R -i "$bakdir"
|
||||||
rm -rf "$bakdir"
|
rm -rf "$bakdir"
|
||||||
fi
|
fi
|
||||||
mv "$rw/$subdir" "$bakdir"
|
mv "$rw/$subdir" "$bakdir"
|
||||||
@ -215,7 +214,6 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
|||||||
rm -rf /home/user $rw/home/user
|
rm -rf /home/user $rw/home/user
|
||||||
mount --bind $rw/home /home
|
mount --bind $rw/home /home
|
||||||
mkhomedir_helper user
|
mkhomedir_helper user
|
||||||
#mv /home/user $rw/home
|
|
||||||
umount /home
|
umount /home
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -258,6 +256,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
vm_boot_finish
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Keep configs invisible at runtime...
|
# Keep configs invisible at runtime...
|
||||||
@ -265,7 +265,6 @@ rm -rf "$defdir"
|
|||||||
|
|
||||||
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
|
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
|
||||||
echo "Preparing for unmount"
|
echo "Preparing for unmount"
|
||||||
vm_boot_finish
|
|
||||||
make_immutable
|
make_immutable
|
||||||
umount $rw
|
umount $rw
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user