hide vms dir if svc not specified

This commit is contained in:
Christopher Laprise 2019-07-15 17:27:53 -04:00
parent 31c3a6fb0d
commit d2bd2c0a0e
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
2 changed files with 27 additions and 22 deletions


@ -3,9 +3,6 @@ Description=Protect Qubes VM execution environment at startup
Documentation=https://github.com/tasket/Qubes-VM-hardening
After=qubes-sysinit.service
Before=qubes-mount-dirs.service
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-root
ConditionPathExists=|/var/run/qubes-service/vm-boot-protect-cli
DefaultDependencies=false
#OnFailure=rescue.target
#OnFailureJobMode=replace-irreversibly


@ -90,6 +90,10 @@ if ! is_rwonly_persistent; then
if qsvc vm-boot-protect; then
make_immutable
fi
if ! is_template_vm; then
# Keep configs invisible for standalone vms
rm -rf "$defdir"
fi
exit 0
# cannot use abort_startup() before this point
fi
@ -100,6 +104,7 @@ if qsvc vm-boot-protect-cli; then
abort_startup RELOCATE "CLI requested."
fi
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
# Mount private volume in temp location
mkdir -p $rw
if [ -e $dev ] && mount -o ro $dev $rw ; then
@ -115,7 +120,7 @@ else
abort_startup RELOCATE "Mount failed; BAD private volume!"
fi
fi
fi
# Protection measures for /rw dirs:
@ -215,14 +220,17 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
echo "Copy files from $defdir/$vmset/rw"
cp -af $defdir/$vmset/rw/* $rw
fi
done
fi
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
make_immutable
umount $rw
fi
# Keep configs invisible at runtime...
rm -rf "$defdir"
fi
make_immutable
umount $rw
exit 0
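Review bot: The new `rm -rf "$defdir"` in the `if ! is_template_vm` branch, and the matching runtime one below `# Keep configs invisible at runtime...`, has no guard against `defdir` being unset or empty, so a broken assignment earlier in the script would silently skip the cleanup that this commit relies on to keep the configs hidden; the one-token fix is `rm -rf -- "${defdir:?}"`, which aborts with a message instead. In the same hunks the other path expansions stay unquoted (`mkdir -p $rw`, `mount -o ro $dev $rw`, `umount $rw`, `cp -af $defdir/$vmset/rw/* $rw`), which is inconsistent with the quoting on the new line and would break on any path containing whitespace; `"$rw"` and `"$dev"` would bring them in line. The unit-file hunk drops the `ConditionPathExists=` lines, so the script now runs on every boot and the early `exit 0` path in the first hunk is the common case; a one-line comment above `if ! is_template_vm; then` such as `# Service is always started now; without a vm-boot-protect* flag, remove the config dir so it is not visible to the VM` would record why that branch exists. The enclosing blocks `if ! is_rwonly_persistent` and `if qsvc vm-boot-protect-root && is_rwonly_persistent` begin outside the hunks shown.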