mirror of
https://github.com/tasket/Qubes-VM-hardening.git
synced 2024-10-01 06:35:42 -04:00
hide vms dir if svc not specified
parent
31c3a6fb0d
commit
d2bd2c0a0e
@ -3,9 +3,6 @@ Description=Protect Qubes VM execution environment at startup
|
||||
Documentation=https://github.com/tasket/Qubes-VM-hardening
|
||||
After=qubes-sysinit.service
|
||||
Before=qubes-mount-dirs.service
|
||||
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect
|
||||
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-root
|
||||
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-cli
|
||||
DefaultDependencies=false
|
||||
#OnFailure=rescue.target
|
||||
#OnFailureJobMode=replace-irreversibly
|
||||
|
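Review bot: The unit appears to lose its three `ConditionPathExists=|/var/run/qubes-service/vm-boot-protect*` lines here, and nothing left in the file records why. This is inferred from the hunk header going from 9 lines to 6, since the +/- markers are missing in this rendering. If that reading is right, the service now starts in every VM with `DefaultDependencies=false` and `Before=qubes-mount-dirs.service`, so the startup script's own `qsvc` checks become the only gate on what it does at early boot. I would add a comment above `DefaultDependencies=false`, for example `# Runs in every VM: the script checks the qubes-service flags itself and hides the vms dir when none is set`.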
@ -90,6 +90,10 @@ if ! is_rwonly_persistent; then
|
||||
if qsvc vm-boot-protect; then
|
||||
make_immutable
|
||||
fi
|
||||
if ! is_template_vm; then
|
||||
# Keep configs invisible for standalone vms
|
||||
rm -rf "$defdir"
|
||||
fi
|
||||
exit 0
|
||||
# cannot use abort_startup() before this point
|
||||
fi
|
||||
@ -100,24 +104,25 @@ if qsvc vm-boot-protect-cli; then
|
||||
abort_startup RELOCATE "CLI requested."
|
||||
fi
|
||||
|
||||
# Mount private volume in temp location
|
||||
mkdir -p $rw
|
||||
if [ -e $dev ] && mount -o ro $dev $rw ; then
|
||||
echo "Good read-only mount."
|
||||
else
|
||||
echo "Mount failed."
|
||||
# decide if this is initial boot or a bad volume
|
||||
private_size_512=$(blockdev --getsz "$dev")
|
||||
if head -c $(( private_size_512 * 512 )) /dev/zero | diff "$dev" - >/dev/null; then
|
||||
touch /var/run/qubes/VM-BOOT-PROTECT-INITIALIZERW
|
||||
abort_startup OK "FIRST BOOT INITIALIZATION: PLEASE RESTART VM!"
|
||||
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
|
||||
# Mount private volume in temp location
|
||||
mkdir -p $rw
|
||||
if [ -e $dev ] && mount -o ro $dev $rw ; then
|
||||
echo "Good read-only mount."
|
||||
else
|
||||
abort_startup RELOCATE "Mount failed; BAD private volume!"
|
||||
echo "Mount failed."
|
||||
# decide if this is initial boot or a bad volume
|
||||
private_size_512=$(blockdev --getsz "$dev")
|
||||
if head -c $(( private_size_512 * 512 )) /dev/zero | diff "$dev" - >/dev/null; then
|
||||
touch /var/run/qubes/VM-BOOT-PROTECT-INITIALIZERW
|
||||
abort_startup OK "FIRST BOOT INITIALIZATION: PLEASE RESTART VM!"
|
||||
else
|
||||
abort_startup RELOCATE "Mount failed; BAD private volume!"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
|
||||
# Protection measures for /rw dirs:
|
||||
# Activated by presence of vm-boot-protect-root Qubes service.
|
||||
# * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked.
|
||||
@ -215,14 +220,17 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||
echo "Copy files from $defdir/$vmset/rw"
|
||||
cp -af $defdir/$vmset/rw/* $rw
|
||||
fi
|
||||
|
||||
done
|
||||
|
||||
# Keep configs invisible at runtime...
|
||||
rm -rf "$defdir"
|
||||
|
||||
fi
|
||||
|
||||
make_immutable
|
||||
umount $rw
|
||||
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
|
||||
make_immutable
|
||||
umount $rw
|
||||
fi
|
||||
|
||||
# Keep configs invisible at runtime...
|
||||
rm -rf "$defdir"
|
||||
|
||||
|
||||
exit 0
|
||||
|
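Review bot: `rm -rf "$defdir"` is now reached on every boot path (the new block in the `-90,6 +90,10` hunk and the unconditional one before the final `exit 0`), but its result is never checked, so a failed removal leaves the configs readable at runtime while the script still exits 0. `$defdir` is assigned outside these hunks, so I would guard the expansion and report failure so the hiding step cannot pass silently: `rm -rf -- "${defdir:?}" || echo "WARNING: could not remove $defdir" >&2`. The comment in the first block says "standalone vms" while the test is `! is_template_vm`, which presumably matches other non-template VMs as well; `# Keep configs invisible in non-template VMs` would describe the condition as written. The enclosing `if ! is_rwonly_persistent` block opens above that hunk.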