From cec04c3d2bdbd74e0f55c26827d6c68646d05adb Mon Sep 17 00:00:00 2001
From: Christopher Laprise
Date: Sun, 15 Apr 2018 15:17:05 -0400
Subject: [PATCH] Merge sha lists before check - issue #20
---
 README.md | 4 ++--
 vm-boot-protect.sh | 27 +++++++++++++++++++--------
 2 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index a294fd4..0776046 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,7 @@ Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-
 Files can be added to /etc/default/vms in the template to enable the following features...
- **Hashes/Checksums** are checked in ../vms/vms.all.SHA and ../vms/$vmname.SHA files. File paths contained in them must be absolute. See man page for `sha256sum -c`.
+ **Hashes/Checksums** are checked in ../vms/vms.all.SHA and ../vms/$vmname.SHA files. File paths contained in them must be absolute, and references to '/home' must be prefixed with '/rw/'. Hashes in $vmname.SHA will override hashes specified for the same paths in vms.all.SHA. See also man page for `sha256sum -c`.
 **Whitelists** are checked in ../vms/vms.all.whitelist and ../vms/$vmname.whitelist files, and file paths contained in them must start with `/rw/`. A default is provided in ..vms/sys-net.whitelist to preserve Network Manager connections and sleep module list in sys-net.
@@ -77,7 +77,7 @@ Leverage Qubes template non-persistence to fend off malware at VM startup: Lock-
 * Using the -root service with a [VPN VM](https://github.com/tasket/Qubes-vpn-support) requires manual configuration in the template and can be approached different ways: Whitelist (optionally with SHA) can be made for the appropriate files. Alternately, all VPN configs can be added under /etc/default/vms/vmname/rw so they'll be automatically deployed.
- * Currently the service cannot seamlessly handle 'first boot' when the private volume must be initialized. If you enabled the service on a VM before its first startup, on first start you will see a special rescue shell telling you to restart the VM. Subsequent starts will proceed normally.
+ * Currently the service cannot seamlessly handle 'first boot' when the private volume must be initialized. If you enabled the service on a VM before its first startup, on first start the shell will display a notice telling you to restart the VM. Subsequent starts will proceed normally.
 ## Releases
 - v0.8.1 Working rescue shell. Add sys-net whitelist, sudo config, fixes.
diff --git a/vm-boot-protect.sh b/vm-boot-protect.sh
index edd65a0..49345fa 100644
--- a/vm-boot-protect.sh
+++ b/vm-boot-protect.sh
@@ -36,6 +36,7 @@ rw=/mnt/rwtmp
 rwbak=$rw/vm-boot-protect
 errlog=/var/run/vm-protect-error
 defdir=/etc/default/vms
+version="0.8.2"
 # Function: Make user scripts immutable.
@@ -128,15 +129,25 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
 # Check hashes
 checkcode=0
- echo "File hash checks:" >/tmp/vm-protect-sum-error
- for vmset in vms.all $vmname; do
- if [ -f $defdir/$vmset.SHA ]; then
- sha256sum --strict -c $defdir/$vmset.SHA >>$errlog 2>&1
- checkcode=$((checkcode+$?))
- fi
- done
+ if [ -e $defdir/$vmname.SHA ]; then
+ # remove padding and add number field
+ sed 's/^ *//; s/ *$//; /^$/d; s/^/1 /' $defdir/$vmname.SHA \
+ >/tmp/vm-boot-protect-sha
+ fi
+ if [ -e $defdir/vms.all.SHA ]; then
+ sed 's/^ *//; s/ *$//; /^$/d; s/^/2 /' $defdir/vms.all.SHA \
+ >>/tmp/vm-boot-protect-sha
+ fi
+ if [ -e /tmp/vm-boot-protect-sha ]; then
+ echo "Checking file hashes." |tee $errlog
+ # Get unique paths, remove field and switch path to $rw before check;
+ # this allows hashes in $vmname.SHA to override ones in vms.all.SHA.
+ sort --unique --key=3 /tmp/vm-boot-protect-sha \
+ | sed -r 's|^[1-2] (.*[[:space:]]*)/rw|\1'$rw'|' \
+ | sha256sum --strict -c >>$errlog; checkcode=$?
+ fi
- # Stop system startup on checksum mismatch:
+ # Divert startup on hash mismatch:
 if [ $checkcode != 0 ]; then
 abort_startup RELOCATE "Hash check failed!"
 fi
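Review bot: The added `sed -r 's|^[1-2] (.*[[:space:]]*)/rw|\1'$rw'|'` rewrite has two anchoring problems: the greedy `.*` matches up to the last `/rw` on the line, so a path such as a hypothetical `/rw/config/rw.d/x` becomes `/rw/config/mnt/rwtmp.d/x`, and an entry whose path is not under /rw never matches at all, keeps its `1 `/`2 ` prefix and is rejected by `--strict` — both surface as a spurious "Hash check failed!" abort instead of a verification of the intended file. Stripping the field unconditionally and anchoring on the sha256sum line format addresses both: `| sed -r 's|^[1-2] ||; s|^([0-9a-fA-F]+ [ *])/rw|\1'"$rw"'|' \` (assuming entries outside /rw are still meant to be checked against the root filesystem, which the README hunk in this patch appears to allow). Two smaller points in the same hunk: the `2>&1` on the old sha256sum call was dropped, so its stderr diagnostics no longer reach `$errlog`, and when only vms.all.SHA exists the `>>` appends to whatever /tmp/vm-boot-protect-sha already holds, so truncating it first (`: >/tmp/vm-boot-protect-sha` before the two sed calls) keeps the merged list deterministic regardless of prior contents. The enclosing `if qsvc vm-boot-protect-root ...` block begins and ends outside the hunk.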