From e54a10ea51856dae352f5b4b5f377d965c47f7ef Mon Sep 17 00:00:00 2001 From: Christopher Laprise Date: Tue, 9 May 2017 19:02:54 -0400 Subject: [PATCH] Fixes for testing. --- lib/systemd/system/vm-sudo-protect.service | 4 +- usr/lib/qubes/init/vm-sudo-protect.sh | 48 ++++++++-------------- 2 files changed, 19 insertions(+), 33 deletions(-) diff --git a/lib/systemd/system/vm-sudo-protect.service b/lib/systemd/system/vm-sudo-protect.service index 401abd1..099454e 100644 --- a/lib/systemd/system/vm-sudo-protect.service +++ b/lib/systemd/system/vm-sudo-protect.service @@ -5,8 +5,8 @@ Before=qubes-mount-dirs.service ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-root DefaultDependencies=false -#OnFailure=shutdown.target -#OnFailureJobMode=replace-irreversibly +OnFailure=shutdown.target +OnFailureJobMode=replace-irreversibly [Service] Type=oneshot diff --git a/usr/lib/qubes/init/vm-sudo-protect.sh b/usr/lib/qubes/init/vm-sudo-protect.sh index ad48ae1..c5220be 100644 --- a/usr/lib/qubes/init/vm-sudo-protect.sh +++ b/usr/lib/qubes/init/vm-sudo-protect.sh @@ -20,7 +20,7 @@ make_immutable() { mkdir -p $chdirs touch $chfiles chattr -R -f +i $chfiles $chdirs - touch $rw/home/user/FIXED + touch $rw/home/user/FIXED #debug } # Mount private volume in temp location @@ -48,53 +48,39 @@ if qsvc vm-sudo-protect-root && is_rwonly_persistent; then echo "File hash checks:" >/tmp/vm-protect-sum-error for vmset in vms.all $HOSTNAME; do if [ -f $defdir/$vmset.SHA ]; then - sha256sum --strict -c $defdir/$vmset.SHA &>>/tmp/vm-protect-sum-error + sha256sum --strict -c $defdir/$vmset.SHA >>/tmp/vm-protect-sum-error 2>&1 checkcode=$((checkcode+$?)) fi done + cat /tmp/vm-protect-sum-error # For logging # Stop system startup if checksum mismatched if [ $checkcode != 0 ]; then - cat /tmp/vm-protect-sum-error # For logging xterm -hold -display :0 -title "VM PROTECTION: CHECKSUM MISMATCH!" \ -e "cat /tmp/vm-protect-sum-error; echo Private volume is mounted at $rw; bash -i" exit 1 fi - - - # Make user scripts temporarily mutable, in case 'rw/home/user' - # files exist in defdir -- Copy default files + # Files mutable for del/copy operations cd $rw/home/user - chattr -R -f -i $chfiles $chdirs + chattr -R -f -i $chfiles $chdirs $rootdirs # Deactivate config dirs for dir in $rootdirs; do if [ -d $dir ]; then - chattr -R -f -i $dir - cp -a --link $dir $dir-BAK -# rm -rf $dir-BAK -# mv $dir $dir-BAK - find $dir -type f | cat - $defdir/$HOSTNAME.whitelist $defdir/vms.all.whitelist \ -| sed -r "s|^\ */rw(.+)\ *$|$rw\1|" | sort | uniq -u | xargs -I fpath rm -f "fpath" - fi - - for vmset in vms.all $HOSTNAME; do - # Process whitelists -- FIX FIX FIX - while false; do -# while read srcfile; do - if [[ $srcfile =~ ^$dir\/ ]]; then - cp -a --link --parents `sed -r "s|^/rw/|$rw/BAK-|" <<<$srcfile` / - else - echo "Cannot use relative or non-rw whitelist path." - fi - done <$defdir/$vmset.whitelist - - # Copy default files - if [ -d $defdir/$vmset ]; then - cp -af $defdir/$vmset/* / + if [ ! -d $dir-BAK ]; then + cp -a --link $dir $dir-BAK fi - done + find $dir/* -depth | cat - $defdir/$HOSTNAME.whitelist $defdir/vms.all.whitelist \ +| sed -r "s|^\ */rw(.+)\ *$|$rw\1|" | sort | uniq -u | xargs -I fpath rm -fd 'fpath' + fi + done + + # Copy default files + for vmset in vms.all $HOSTNAME; do + if [ -d $defdir/$vmset ]; then + cp -af $defdir/$vmset/* / + fi done fi