var and rc tweaks, add tag files

Christopher Laprise 2019-08-11 06:26:26 -04:00
parent 204e90a626
commit ca67ef7fe3
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
7 changed files with 30 additions and 18 deletions


@ -57,6 +57,10 @@ Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-
**Deployment** files are copied _recursively_ from ../vms/vms.all/rw/ and ../vms/$vmname/rw/ dirs. Example is to place the .bashrc file in /etc/default/vms/vms.all/rw/home/user/.bashrc for deployment to /rw/home/user/.bashrc. Once copying is complete, **Deployment** files are copied _recursively_ from ../vms/vms.all/rw/ and ../vms/$vmname/rw/ dirs. Example is to place the .bashrc file in /etc/default/vms/vms.all/rw/home/user/.bashrc for deployment to /rw/home/user/.bashrc. Once copying is complete,
the /etc/defaults/vms folder is deleted from the running VM (this has no effect on the original in the template). the /etc/defaults/vms folder is deleted from the running VM (this has no effect on the original in the template).
**rc files** are sh script fragments sourced from ../vms/vms.all.rc and ../vms/$vmname.rc. They run near the beginning of the vm-boot-protect service before mounting /rw, and can be used to override variable definitions like `privdirs` as well as the `vm_boot_finish` function which runs near the end before dismount. Another use for rc files is to run threat detection tools such as antivirus.
**Tags** may be defined with all of the above features so that you are not limited to specifying them for either all VMs or specifically-named VMs. Simply configure them as you would acccording to the above directions, but place the files under the '@tags' subdir instead. For example '/etc/default/vms/@tags/special.whitelist' defines a whitelist for the tag 'special'. A tag can be activated for one or more VMs by adding a Qubes service prefixed with `vm-boot-tag-` (i.e. vm-boot-tag-special) to the VMs.
### Where to use: Basic examples ### Where to use: Basic examples
After installing into a template, simply enable `vm-boot-protect-root` service without configuration. Recommended for the following types of VMs: After installing into a template, simply enable `vm-boot-protect-root` service without configuration. Recommended for the following types of VMs:
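Review bot: "acccording" in the new Tags paragraph should be "according", and the rc-file paragraph's statement that rc files run "near the beginning of the vm-boot-protect service before mounting /rw" no longer matches the script change in this same commit, which moves the rc loop into the `vm-boot-protect-root && is_rwonly_persistent` block. Suggest saying that rc files are sourced with `.` into the service's own root shell, only when -root is enabled, and that `vm_boot_finish` now runs before the /etc/default/vms cleanup rather than right before unmount. The unchanged context line also spells the directory `/etc/defaults/vms` while the rest of the README and the script's `defdir=/etc/default/vms` use `/etc/default/vms`.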
@ -82,6 +86,8 @@ Examples where -root should *not* be enabled:
### Notes ### Notes
* The /rw/home directory can be added to `privdirs` so it is quarrantined much like /rw/config, /rw/binddirs and /rw/usrlocal. The easiest way to configure this is to define `privdirs_add=/rw/home` in an rc file or a drop-in for the vm-boot-protect.service. But in the case of /rw/home, the /rw/home/user folder will be repopulated automatically from OS defaults (usually in /etc/skel) before whitelists are applied. For an example, see the `ibrowse` tag which quarrantines home while whitelisting Firefox bookmarks.
* A bug in v0.8.4 will erase anything in '/etc/default/vms' when booting into the template. For proper * A bug in v0.8.4 will erase anything in '/etc/default/vms' when booting into the template. For proper
future operation with sys-net or other VMs you may have customized in that path, updating Qubes-VM-hardening future operation with sys-net or other VMs you may have customized in that path, updating Qubes-VM-hardening
to the latest version (using the install script) is recommended, along with restoring any custom files to the latest version (using the install script) is recommended, along with restoring any custom files
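Review bot: "quarrantined" (twice in the new /rw/home note) should be "quarantined". The note presents an rc file and a systemd drop-in as interchangeable ways to set `privdirs_add`; since the rc files are sourced after the variable defaults in the script, an rc file assignment overrides a drop-in value, which is worth stating so users do not set the same variable in both places.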
@ -98,6 +104,7 @@ Examples where -root should *not* be enabled:
* Currently the service cannot seamlessly handle 'first boot' when the private volume must be initialized. If you enabled the service on a VM before its first startup, on first start the shell will display a notice telling you to restart the VM. Subsequent starts will proceed normally. * Currently the service cannot seamlessly handle 'first boot' when the private volume must be initialized. If you enabled the service on a VM before its first startup, on first start the shell will display a notice telling you to restart the VM. Subsequent starts will proceed normally.
## Releases ## Releases
- v0.9.0 Add tags and rc files, protect more home scripts, support home quarrantine
- v0.8.5 Fix template detection, /etc/default/vms erasure - v0.8.5 Fix template detection, /etc/default/vms erasure
- v0.8.4 Add protection to /home/user/.config/systemd - v0.8.4 Add protection to /home/user/.config/systemd
- v0.8.3 Fix for install script copying to /etc/default/vms - v0.8.3 Fix for install script copying to /etc/default/vms
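Review bot: "quarrantine" in the v0.9.0 entry should be "quarantine", matching the spelling fix suggested for the Notes section.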


@ -0,0 +1 @@
privdirs_add="/rw/home"
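Review bot: `privdirs_add="/rw/home"` replaces rather than extends whatever an earlier rc file or a systemd drop-in put in the variable; because the service sources `vms.all`, then each tag, then `$vmname` in turn, a VM with two tags (or a `vms.all.rc` that also sets `privdirs_add`) keeps only the last assignment. Suggest `privdirs_add="$privdirs_add /rw/home"` in this tag rc file and in the identical usb.rc added below.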


@ -0,0 +1,3 @@
/rw/home/user/.mozilla/firefox/profile.default/places.sqlite
/rw/home/user/.mozilla/firefox/profile.default/places.sqlite-shm
/rw/home/user/.mozilla/firefox/profile.default/places.sqlite-wal
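Review bot: these three entries are literal paths, so they only take effect if the profile directory inside the VM is really named `profile.default`; if Firefox created its profile under a different directory name the whitelist matches nothing and the /rw/home quarantine enabled by the tag's `privdirs_add="/rw/home"` removes the bookmarks without any warning. Also worth a sentence in the README: places.sqlite holds browsing history as well as bookmarks, so whitelisting it preserves history across boots too, which a user who chose a quarantined home may not expect.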


@ -0,0 +1,2 @@
/rw/config/NM-system-connections/
/rw/config/suspend-module-blacklist
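Review bot: this relocates the sys-net whitelist under a `network` tag while the per-VM file with the same two entries is deleted later in this commit; the README hunk above should tell existing sys-net users that they now need either `vm-boot-tag-network` enabled or the replacement file added below, otherwise NetworkManager connections stop surviving a reboot. The directory entry keeps its trailing slash (`/rw/config/NM-system-connections/`) exactly as in the old file, so whitelist matching behaviour is unchanged.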

default/vms/@tags/usb.rc Normal file

@ -0,0 +1 @@
privdirs_add="/rw/home"
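Review bot: same overwrite issue as the other new tag rc file: a plain `privdirs_add="/rw/home"` discards any value set by `vms.all.rc`, another tag, or a drop-in; use the append form `privdirs_add="$privdirs_add /rw/home"` so tags compose.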


@ -1,2 +0,0 @@
/rw/config/NM-system-connections/
/rw/config/suspend-module-blacklist


@ -0,0 +1 @@
@tags/network.whitelist
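Review bot: the file content is the relative path `@tags/network.whitelist`, which reads like a symlink target rather than a whitelist; if the install script copies /etc/default/vms in a way that drops or dereferences symlinks, or if the whitelist reader opens the file as plain text, sys-net ends up with a whitelist containing the literal string `@tags/network.whitelist` instead of the two paths. Worth confirming that the install path preserves symlinks, and saying in the README that per-VM files may be symlinks to tag files.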


@ -29,16 +29,16 @@ rw=/mnt/rwtmp
rwbak=$rw/vm-boot-protect rwbak=$rw/vm-boot-protect
errlog=/var/run/vm-protect-error errlog=/var/run/vm-protect-error
defdir=/etc/default/vms defdir=/etc/default/vms
version="0.9.0b" version="0.9.0"
# Define sh, bash, X and desktop init scripts in /home/user # Define sh, bash, X and desktop init scripts in /home/user
# to be protected # to be protected
chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \ chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \
.pam_environment .xprofile .xinitrc .xserverrc .Xsession .xsession .xsessionrc"} .pam_environment .xprofile .xinitrc .xserverrc .Xsession .xsession .xsessionrc"}
chfiles_add="" chfiles_add=${chfiles_add:-""}
chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \ chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \
.config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"} .config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}
chdirs_add="" chdirs_add=${chdirs_add:-""}
# Define dirs to apply quarrantine / whitelists # Define dirs to apply quarrantine / whitelists
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"} privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
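Review bot: switching `chfiles_add` and `chdirs_add` to the `${var:-""}` form correctly lets values pre-set through a systemd drop-in survive, matching how `chfiles`, `chdirs` and `privdirs` already behave. Note that all of these are later expanded unquoted in the `chattr -R -f -i ...` call, so entries are whitespace-separated and cannot contain spaces; a short comment here saying so would save users from a confusing partial failure.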
@ -112,14 +112,6 @@ abort_startup() {
} }
# Run rc file commands if they exist
for rcbase in vms.all $tags $vmname; do
if [ -e "$defdir/$rcbase.rc" ]; then
. "$defdir/$rcbase.rc"
fi
done
echo >$errlog # Clear echo >$errlog # Clear
if qsvc vm-boot-protect-cli; then if qsvc vm-boot-protect-cli; then
@ -145,7 +137,6 @@ if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
# Don't bother with root protections in template or standalone # Don't bother with root protections in template or standalone
if ! is_rwonly_persistent; then if ! is_rwonly_persistent; then
vm_boot_finish
make_immutable make_immutable
exit 0 exit 0
fi fi
@ -161,6 +152,13 @@ fi
if qsvc vm-boot-protect-root && is_rwonly_persistent; then if qsvc vm-boot-protect-root && is_rwonly_persistent; then
# Run rc file commands if they exist
for rcbase in vms.all $tags $vmname; do
if [ -e "$defdir/$rcbase.rc" ]; then
. "$defdir/$rcbase.rc"
fi
done
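Review bot: `. "$defdir/$rcbase.rc"` executes each rc file in the service's own root shell before any hash check and before `make_immutable`, so an rc file that calls `exit` (or fails under `set -e`) ends the service with none of the protections applied. Suggest documenting that rc files must not exit, and that `vms.all.rc`, the tag rc files and `$vmname.rc` are sourced in that order, so the later ones win for plain variable assignments. Moving the loop here also means rc files are never sourced when only `vm-boot-protect-cli` or the non-root `vm-boot-protect` service is enabled; if that is intended, the README should say rc files require -root.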
# Check hashes # Check hashes
checkcode=0 checkcode=0
for sha_base in $vmname $tags vms.all; do for sha_base in $vmname $tags vms.all; do
@ -187,7 +185,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
# Files mutable for del/copy operations # Files mutable for del/copy operations
cd $rw/home/user cd $rw/home/user
chattr -R -f -i $chfiles $chfiles_add $chdirs $chdirs_add $privdirs $privdirs_add chattr -R -f -i $chfiles $chfiles_add $chdirs $chdirs_add $privdirs $privdirs_add \
$rwbak/BAK-*
cd /root cd /root
@ -202,7 +201,7 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
mv "$bakdir" "$origdir" mv "$bakdir" "$origdir"
fi fi
if [ -e "$bakdir" ]; then if [ -e "$bakdir" ]; then
chattr -R -i "$bakdir" #chattr -R -i "$bakdir"
rm -rf "$bakdir" rm -rf "$bakdir"
fi fi
mv "$rw/$subdir" "$bakdir" mv "$rw/$subdir" "$bakdir"
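Review bot: prefer deleting the `chattr -R -i "$bakdir"` line rather than leaving it commented out, or keep it as a cheap guard: `rm -rf "$bakdir"` now silently depends on the bulk `chattr -R -f -i ... $rwbak/BAK-*` added in the earlier hunk having covered this directory, and `-f` there hides the case where the glob matched nothing. If a backup directory is ever named outside the `BAK-*` pattern, the removal fails on immutable files with no clear message.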
@ -215,7 +214,6 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
rm -rf /home/user $rw/home/user rm -rf /home/user $rw/home/user
mount --bind $rw/home /home mount --bind $rw/home /home
mkhomedir_helper user mkhomedir_helper user
#mv /home/user $rw/home
umount /home umount /home
;; ;;
esac esac
@ -258,6 +256,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
fi fi
done done
vm_boot_finish
fi fi
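Review bot: `vm_boot_finish` is called unconditionally here but no default definition appears in this diff; it is only defined when some rc file defines it, so on a VM with no rc files sh reports `vm_boot_finish: not found`. Define a no-op default such as `vm_boot_finish() { :; }` before the rc loop so the call is always safe. Since the call was removed from the unmount block and from the template/standalone path, the README's wording that the function "runs near the end before dismount" should be updated: it now runs before the `rm -rf "$defdir"` cleanup and only on the -root path.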
# Keep configs invisible at runtime... # Keep configs invisible at runtime...
@ -265,7 +265,6 @@ rm -rf "$defdir"
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
echo "Preparing for unmount" echo "Preparing for unmount"
vm_boot_finish
make_immutable make_immutable
umount $rw umount $rw
fi fi