Fixes for testing.

2025-03-17 20:56:08 -04:00 · 2017-05-09 19:02:54 -04:00 · 2017-05-09 19:02:54 -04:00 · e54a10ea51
commit e54a10ea51
parent 4e68dfab79
2 changed files with 19 additions and 33 deletions
--- a/lib/systemd/system/vm-sudo-protect.service
+++ b/lib/systemd/system/vm-sudo-protect.service
@ -5,8 +5,8 @@ Before=qubes-mount-dirs.service
 ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect
 ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-root
 DefaultDependencies=false
-#OnFailure=shutdown.target
-#OnFailureJobMode=replace-irreversibly
+OnFailure=shutdown.target
+OnFailureJobMode=replace-irreversibly

 [Service]
 Type=oneshot
--- a/usr/lib/qubes/init/vm-sudo-protect.sh
+++ b/usr/lib/qubes/init/vm-sudo-protect.sh
@ -20,7 +20,7 @@ make_immutable() {
    mkdir -p $chdirs
    touch $chfiles
    chattr -R -f +i $chfiles $chdirs
-    touch $rw/home/user/FIXED
+    touch $rw/home/user/FIXED #debug
 }

 # Mount private volume in temp location
@ -48,53 +48,39 @@ if qsvc vm-sudo-protect-root && is_rwonly_persistent; then
    echo "File hash checks:" >/tmp/vm-protect-sum-error
    for vmset in vms.all $HOSTNAME; do
        if [ -f $defdir/$vmset.SHA ]; then
-            sha256sum --strict -c $defdir/$vmset.SHA &>>/tmp/vm-protect-sum-error
+            sha256sum --strict -c $defdir/$vmset.SHA >>/tmp/vm-protect-sum-error 2>&1
            checkcode=$((checkcode+$?))
        fi
    done
+    cat /tmp/vm-protect-sum-error # For logging
    # Stop system startup if checksum mismatched
    if [ $checkcode != 0 ]; then
-        cat /tmp/vm-protect-sum-error # For logging
        xterm -hold -display :0 -title "VM PROTECTION: CHECKSUM MISMATCH!" \
 -e "cat /tmp/vm-protect-sum-error; echo Private volume is mounted at $rw; bash -i"
        exit 1
    fi


-
-
-    # Make user scripts temporarily mutable, in case 'rw/home/user'
-    # files exist in defdir -- Copy default files
+    # Files mutable for del/copy operations
    cd $rw/home/user
-    chattr -R -f -i $chfiles $chdirs
+    chattr -R -f -i $chfiles $chdirs $rootdirs

    # Deactivate config dirs
    for dir in $rootdirs; do
        if [ -d $dir ]; then
-            chattr -R -f -i $dir
-            cp -a --link $dir $dir-BAK
-#            rm -rf $dir-BAK
-#            mv $dir $dir-BAK
-            find $dir -type f | cat - $defdir/$HOSTNAME.whitelist $defdir/vms.all.whitelist \
-| sed -r "s|^\ */rw(.+)\ *$|$rw\1|" | sort | uniq -u | xargs -I fpath rm -f "fpath"
-        fi
-
-        for vmset in vms.all $HOSTNAME; do
-            # Process whitelists -- FIX FIX FIX
-            while false; do
-#            while read srcfile; do
-                if [[ $srcfile =~ ^$dir\/ ]]; then
-                    cp -a --link --parents `sed -r "s|^/rw/|$rw/BAK-|" <<<$srcfile` /
-                else
-                    echo "Cannot use relative or non-rw whitelist path."
-                fi
-            done <$defdir/$vmset.whitelist
-
-            # Copy default files
-            if [ -d $defdir/$vmset ]; then
-                cp -af $defdir/$vmset/* /
+            if [ ! -d $dir-BAK ]; then
+                cp -a --link $dir $dir-BAK
            fi
-        done
+            find $dir/* -depth | cat - $defdir/$HOSTNAME.whitelist $defdir/vms.all.whitelist \
+| sed -r "s|^\ */rw(.+)\ *$|$rw\1|" | sort | uniq -u | xargs -I fpath rm -fd 'fpath'
+        fi
+    done
+
+    # Copy default files
+    for vmset in vms.all $HOSTNAME; do
+        if [ -d $defdir/$vmset ]; then
+            cp -af $defdir/$vmset/* /
+        fi
    done

 fi