hide vms dir if svc not specified

Christopher Laprise 2019-07-15 17:27:53 -04:00
parent 31c3a6fb0d
commit d2bd2c0a0e
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
2 changed files with 27 additions and 22 deletions


@ -3,9 +3,6 @@ Description=Protect Qubes VM execution environment at startup
Documentation=https://github.com/tasket/Qubes-VM-hardening Documentation=https://github.com/tasket/Qubes-VM-hardening
After=qubes-sysinit.service After=qubes-sysinit.service
Before=qubes-mount-dirs.service Before=qubes-mount-dirs.service
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-root
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-cli
DefaultDependencies=false DefaultDependencies=false
#OnFailure=rescue.target #OnFailure=rescue.target
#OnFailureJobMode=replace-irreversibly #OnFailureJobMode=replace-irreversibly


@ -90,6 +90,10 @@ if ! is_rwonly_persistent; then
if qsvc vm-boot-protect; then if qsvc vm-boot-protect; then
make_immutable make_immutable
fi fi
if ! is_template_vm; then
# Keep configs invisible for standalone vms
rm -rf "$defdir"
fi
exit 0 exit 0
# cannot use abort_startup() before this point # cannot use abort_startup() before this point
fi fi
@ -100,24 +104,25 @@ if qsvc vm-boot-protect-cli; then
abort_startup RELOCATE "CLI requested." abort_startup RELOCATE "CLI requested."
fi fi
# Mount private volume in temp location if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
mkdir -p $rw # Mount private volume in temp location
if [ -e $dev ] && mount -o ro $dev $rw ; then mkdir -p $rw
echo "Good read-only mount." if [ -e $dev ] && mount -o ro $dev $rw ; then
else echo "Good read-only mount."
echo "Mount failed."
# decide if this is initial boot or a bad volume
private_size_512=$(blockdev --getsz "$dev")
if head -c $(( private_size_512 * 512 )) /dev/zero | diff "$dev" - >/dev/null; then
touch /var/run/qubes/VM-BOOT-PROTECT-INITIALIZERW
abort_startup OK "FIRST BOOT INITIALIZATION: PLEASE RESTART VM!"
else else
abort_startup RELOCATE "Mount failed; BAD private volume!" echo "Mount failed."
# decide if this is initial boot or a bad volume
private_size_512=$(blockdev --getsz "$dev")
if head -c $(( private_size_512 * 512 )) /dev/zero | diff "$dev" - >/dev/null; then
touch /var/run/qubes/VM-BOOT-PROTECT-INITIALIZERW
abort_startup OK "FIRST BOOT INITIALIZATION: PLEASE RESTART VM!"
else
abort_startup RELOCATE "Mount failed; BAD private volume!"
fi
fi fi
fi fi
# Protection measures for /rw dirs: # Protection measures for /rw dirs:
# Activated by presence of vm-boot-protect-root Qubes service. # Activated by presence of vm-boot-protect-root Qubes service.
# * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked. # * Hashes in vms/vms.all.SHA and vms/$vmname.SHA files will be checked.
@ -215,14 +220,17 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
echo "Copy files from $defdir/$vmset/rw" echo "Copy files from $defdir/$vmset/rw"
cp -af $defdir/$vmset/rw/* $rw cp -af $defdir/$vmset/rw/* $rw
fi fi
done done
# Keep configs invisible at runtime...
rm -rf "$defdir"
fi fi
make_immutable if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
umount $rw make_immutable
umount $rw
fi
# Keep configs invisible at runtime...
rm -rf "$defdir"
exit 0 exit 0
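Review bot: The two added `rm -rf "$defdir"` calls (before the early `exit 0` in the `-90` hunk and before the final `exit 0` in the `-215` hunk) are the whole mechanism for hiding the configs, yet nothing visible checks that `defdir` is non-empty or that the removal succeeded before the script exits 0. The other file in this commit drops the `ConditionPathExists` lines, so, assuming that unit is what starts this script, the removal now runs in every VM, and an empty variable or a failed delete would leave the vms directory readable at runtime with no sign of it. Suggest `rm -rf -- "${defdir:?}" || echo "WARNING: could not remove $defdir" >&2` in both places, so that an unset path stops the script with an error rather than passing silently. `defdir` is assigned outside these hunks, so whether it can ever be empty needs confirming there.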