From d2bd2c0a0e0c6e156544ed5f8cd502a4319e833a Mon Sep 17 00:00:00 2001
From: Christopher Laprise
Date: Mon, 15 Jul 2019 17:27:53 -0400
Subject: [PATCH] hide vms dir if svc not specified
---
 vm-boot-protect.service | 3 ---
 vm-boot-protect.sh | 46 ++++++++++++++++++++++++-----------------
 2 files changed, 27 insertions(+), 22 deletions(-)
diff --git a/vm-boot-protect.service b/vm-boot-protect.service
index d9094db..35b2b12 100644
--- a/vm-boot-protect.service
+++ b/vm-boot-protect.service
@@ -3,9 +3,6 @@ Description=Protect Qubes VM execution environment at startup
 Documentation=https://github.com/tasket/Qubes-VM-hardening
 After=qubes-sysinit.service
 Before=qubes-mount-dirs.service
-ConditionPathExists=|/var/run/qubes-service/vm-boot-protect
-ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-root
-ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-cli
 DefaultDependencies=false
 #OnFailure=rescue.target
 #OnFailureJobMode=replace-irreversibly
diff --git a/vm-boot-protect.sh b/vm-boot-protect.sh
index f2672b1..749e0e5 100644
--- a/vm-boot-protect.sh
+++ b/vm-boot-protect.sh
@@ -90,6 +90,10 @@ if ! is_rwonly_persistent; then
 if qsvc vm-boot-protect; then
 make_immutable
 fi
+ if ! is_template_vm; then
+ # Keep configs invisible for standalone vms
+ rm -rf "$defdir"
+ fi
 exit 0 # cannot use abort_startup() before this point
 fi
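Review bot: With the three `ConditionPathExists=|…` lines gone, nothing in the unit records why it is now unconditional, and vm-boot-protect.sh becomes the only gate on what runs in VMs that have none of the vm-boot-protect services set. A comment above `DefaultDependencies=false` would keep that visible, for example `# No ConditionPathExists: the script must run in every VM so it can remove the vms config dir; service checks are done in vm-boot-protect.sh`. Any statement in the script that is not under a `qsvc` test now executes at every boot of every VM using this unit, which later changes to the script need to account for.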
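Review bot: The added `rm -rf "$defdir"` is followed directly by `exit 0`, so a failed removal leaves the configs readable while the unit still reports success; the same unchecked call is added at the end of the script in the last hunk. `defdir` is assigned outside this hunk, so guarding the expansion and reporting failure is cheap: `rm -rf -- "${defdir:?}" || echo "vm-boot-protect: could not remove $defdir" >&2`. The comment says "standalone vms", but the test is `! is_template_vm` inside `! is_rwonly_persistent`, which presumably covers every non-template VM on that path; `# Keep configs invisible in non-template VMs` would match the code. The enclosing `if ! is_rwonly_persistent` block starts outside the hunk.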
@@ -100,24 +104,25 @@ if qsvc vm-boot-protect-cli; then
 abort_startup RELOCATE "CLI requested."
 fi
-# Mount private volume in temp location
-mkdir -p $rw
-if [ -e $dev ] && mount -o ro $dev $rw ; then
- echo "Good read-only mount."
-else
- echo "Mount failed."
- # decide if this is initial boot or a bad volume
- private_size_512=$(blockdev --getsz "$dev")
- if head -c $(( private_size_512 * 512 )) /dev/zero | diff "$dev" - >/dev/null; then
- touch /var/run/qubes/VM-BOOT-PROTECT-INITIALIZERW
- abort_startup OK "FIRST BOOT INITIALIZATION: PLEASE RESTART VM!"
+if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
+ # Mount private volume in temp location
+ mkdir -p $rw
+ if [ -e $dev ] && mount -o ro $dev $rw ; then
+ echo "Good read-only mount."
 else
- abort_startup RELOCATE "Mount failed; BAD private volume!"
+ echo "Mount failed."
+ # decide if this is initial boot or a bad volume
+ private_size_512=$(blockdev --getsz "$dev")
+ if head -c $(( private_size_512 * 512 )) /dev/zero | diff "$dev" - >/dev/null; then
+ touch /var/run/qubes/VM-BOOT-PROTECT-INITIALIZERW
+ abort_startup OK "FIRST BOOT INITIALIZATION: PLEASE RESTART VM!"
+ else
+ abort_startup RELOCATE "Mount failed; BAD private volume!"
+ fi
 fi
 fi
-
 # Protection measures for /rw dirs:
 # Activated by presence of vm-boot-protect-root Qubes service.
 # * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked.
@@ -215,14 +220,17 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
 echo "Copy files from $defdir/$vmset/rw"
 cp -af $defdir/$vmset/rw/* $rw
 fi
-
 done
- # Keep configs invisible at runtime...
- rm -rf "$defdir"
-
 fi
-make_immutable
-umount $rw
+if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
+ make_immutable
+ umount $rw
+fi
+
+# Keep configs invisible at runtime...
+rm -rf "$defdir"
+
+
 exit 0
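Review bot: The guard `qsvc vm-boot-protect || qsvc vm-boot-protect-root` is written out here and again around `make_immutable`/`umount $rw` in the last hunk, so the mount and its unmount stay paired only as long as the two copies remain identical. Evaluating it once ties them together: `protect_on=0; if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then protect_on=1; fi`, then `if [ "$protect_on" = 1 ]; then` at both places. The re-indented lines still expand `$rw` and `$dev` unquoted (`mkdir -p $rw`, `mount -o ro $dev $rw`) while `"$dev"` is quoted a few lines further down; quoting them all would be consistent. Since this volume is the one being checked for tampering, consider whether the temporary mount can also carry `nosuid,nodev`; any later remount is outside the hunk.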
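Review bot: The final `rm -rf "$defdir"` is reached only when the script runs to its last lines, so any earlier exit skips it. The `abort_startup` calls in the mount block above look like such exits, but the function body is outside this patch; if it does not return, the configs stay visible on exactly the paths where the private volume was found suspect. Confirm that `abort_startup` removes `$defdir` itself, or register the removal with a `trap … EXIT` once the template case has been ruled out. `umount $rw` is also unchecked and unquoted; `umount "$rw" || echo "vm-boot-protect: umount $rw failed" >&2` would at least leave a trace in the journal.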