var and rc tweaks, add tag files

2024-10-01 06:35:42 -04:00 · 2019-08-11 06:26:26 -04:00 · 2019-08-11 06:26:26 -04:00 · ca67ef7fe3
commit ca67ef7fe3
parent 204e90a626
7 changed files with 30 additions and 18 deletions
--- a/README.md
+++ b/README.md
@ -57,6 +57,10 @@ Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-
   **Deployment** files are copied _recursively_ from ../vms/vms.all/rw/ and ../vms/$vmname/rw/ dirs. Example is to place the .bashrc file in /etc/default/vms/vms.all/rw/home/user/.bashrc for deployment to /rw/home/user/.bashrc. Once copying is complete,
 the /etc/defaults/vms folder is deleted from the running VM (this has no effect on the original in the template).

+   **rc files** are sh script fragments sourced from ../vms/vms.all.rc and ../vms/$vmname.rc. They run near the beginning of the vm-boot-protect service before mounting /rw, and can be used to override variable definitions like `privdirs` as well as the `vm_boot_finish` function which runs near the end before dismount. Another use for rc files is to run threat detection tools such as antivirus.
+
+   **Tags** may be defined with all of the above features so that you are not limited to specifying them for either all VMs or specifically-named VMs. Simply configure them as you would acccording to the above directions, but place the files under the '@tags' subdir instead. For example '/etc/default/vms/@tags/special.whitelist' defines a whitelist for the tag 'special'. A tag can be activated for one or more VMs by adding a Qubes service prefixed with `vm-boot-tag-` (i.e. vm-boot-tag-special) to the VMs.
+
 ### Where to use: Basic examples

 After installing into a template, simply enable `vm-boot-protect-root` service without configuration. Recommended for the following types of VMs:
@ -82,6 +86,8 @@ Examples where -root should *not* be enabled:

 ### Notes

+   * The /rw/home directory can be added to `privdirs` so it is quarrantined much like /rw/config, /rw/binddirs and /rw/usrlocal. The easiest way to configure this is to define `privdirs_add=/rw/home` in an rc file or a drop-in for the vm-boot-protect.service. But in the case of /rw/home, the /rw/home/user folder will be repopulated automatically from OS defaults (usually in /etc/skel) before whitelists are applied. For an example, see the `ibrowse` tag which quarrantines home while whitelisting Firefox bookmarks.
+
   * A bug in v0.8.4 will erase anything in '/etc/default/vms' when booting into the template. For proper
   future operation with sys-net or other VMs you may have customized in that path, updating Qubes-VM-hardening
   to the latest version (using the install script) is recommended, along with restoring any custom files
@ -98,6 +104,7 @@ Examples where -root should *not* be enabled:
   * Currently the service cannot seamlessly handle 'first boot' when the private volume must be initialized. If you enabled the service on a VM before its first startup, on first start the shell will display a notice telling you to restart the VM. Subsequent starts will proceed normally.
   
 ## Releases
+   - v0.9.0  Add tags and rc files, protect more home scripts, support home quarrantine
   - v0.8.5  Fix template detection, /etc/default/vms erasure
   - v0.8.4  Add protection to /home/user/.config/systemd
   - v0.8.3  Fix for install script copying to /etc/default/vms
--- a/default/vms/@tags/ibrowse.rc
+++ b/default/vms/@tags/ibrowse.rc
@ -0,0 +1 @@
+privdirs_add="/rw/home"
--- a/default/vms/@tags/ibrowse.whitelist
+++ b/default/vms/@tags/ibrowse.whitelist
@ -0,0 +1,3 @@
+/rw/home/user/.mozilla/firefox/profile.default/places.sqlite
+/rw/home/user/.mozilla/firefox/profile.default/places.sqlite-shm
+/rw/home/user/.mozilla/firefox/profile.default/places.sqlite-wal
--- a/default/vms/@tags/network.whitelist
+++ b/default/vms/@tags/network.whitelist
@ -0,0 +1,2 @@
+/rw/config/NM-system-connections/
+/rw/config/suspend-module-blacklist
--- a/default/vms/@tags/usb.rc
+++ b/default/vms/@tags/usb.rc
@ -0,0 +1 @@
+privdirs_add="/rw/home"
--- a/default/vms/sys-net.whitelist
+++ b/default/vms/sys-net.whitelist
@ -1,2 +0,0 @@
-/rw/config/NM-system-connections/
-/rw/config/suspend-module-blacklist
--- a/default/vms/sys-net.whitelist
+++ b/default/vms/sys-net.whitelist
@ -0,0 +1 @@
+@tags/network.whitelist
--- a/vm-boot-protect.sh
+++ b/vm-boot-protect.sh
@ -29,16 +29,16 @@ rw=/mnt/rwtmp
 rwbak=$rw/vm-boot-protect
 errlog=/var/run/vm-protect-error
 defdir=/etc/default/vms
-version="0.9.0b"
+version="0.9.0"

 # Define sh, bash, X and desktop init scripts in /home/user
 # to be protected
 chfiles=${chfiles:-".bashrc .bash_profile .bash_login .bash_logout .profile \
 .pam_environment .xprofile .xinitrc .xserverrc .Xsession .xsession .xsessionrc"}
-chfiles_add=""
+chfiles_add=${chfiles_add:-""}
 chdirs=${chdirs:-"bin .local/bin .config/autostart .config/plasma-workspace/env \
 .config/plasma-workspace/shutdown .config/autostart-scripts .config/systemd"}
-chdirs_add=""
+chdirs_add=${chdirs_add:-""}

 # Define dirs to apply quarrantine / whitelists
 privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
@ -112,14 +112,6 @@ abort_startup() {
 }


-# Run rc file commands if they exist
-for rcbase in vms.all $tags $vmname; do
-    if [ -e "$defdir/$rcbase.rc" ]; then
-        . "$defdir/$rcbase.rc"
-    fi
-done
-
-
 echo >$errlog # Clear

 if qsvc vm-boot-protect-cli; then
@ -145,7 +137,6 @@ if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then

    # Don't bother with root protections in template or standalone
    if ! is_rwonly_persistent; then
-        vm_boot_finish
        make_immutable
        exit 0
    fi
@ -161,6 +152,13 @@ fi

 if qsvc vm-boot-protect-root && is_rwonly_persistent; then

+    # Run rc file commands if they exist
+    for rcbase in vms.all $tags $vmname; do
+        if [ -e "$defdir/$rcbase.rc" ]; then
+            . "$defdir/$rcbase.rc"
+        fi
+    done
+
    # Check hashes
    checkcode=0
    for sha_base in $vmname $tags vms.all; do
@ -187,7 +185,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then

    # Files mutable for del/copy operations
    cd $rw/home/user
-    chattr -R -f -i $chfiles $chfiles_add $chdirs $chdirs_add $privdirs $privdirs_add
+    chattr -R -f -i $chfiles $chfiles_add $chdirs $chdirs_add $privdirs $privdirs_add \
+                    $rwbak/BAK-*
    cd /root


@ -202,7 +201,7 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
            mv "$bakdir" "$origdir"
        fi
        if [ -e "$bakdir" ]; then
-            chattr -R -i "$bakdir"
+            #chattr -R -i "$bakdir"
            rm -rf "$bakdir"
        fi
        mv "$rw/$subdir" "$bakdir"
@ -215,7 +214,6 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
                rm -rf /home/user $rw/home/user
                mount --bind $rw/home /home
                mkhomedir_helper user
-                #mv /home/user $rw/home
                umount /home
                ;;
        esac
@ -258,6 +256,8 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
        fi
    done

+    vm_boot_finish
+
 fi

 # Keep configs invisible at runtime...
@ -265,7 +265,6 @@ rm -rf "$defdir"

 if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
    echo "Preparing for unmount"
-    vm_boot_finish
    make_immutable
    umount $rw
 fi