Fixes for testing.

Christopher Laprise 2017-05-09 19:02:54 -04:00
parent 4e68dfab79
commit e54a10ea51
No known key found for this signature in database
GPG key ID: 448568C8B281C952
2 changed files with 19 additions and 33 deletions


@ -5,8 +5,8 @@ Before=qubes-mount-dirs.service
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect
ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-root ConditionPathExists=|/var/run/qubes-service/vm-sudo-protect-root
DefaultDependencies=false DefaultDependencies=false
#OnFailure=shutdown.target OnFailure=shutdown.target
#OnFailureJobMode=replace-irreversibly OnFailureJobMode=replace-irreversibly
[Service] [Service]
Type=oneshot Type=oneshot
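Review bot: The two handlers `OnFailure=shutdown.target` and `OnFailureJobMode=replace-irreversibly` are what make this unit fail closed, yet nothing in the file says so, and they appear to have been commented out before this change (reading the right-hand column as the new side). I would add a comment above them such as `# Fail closed: a non-zero exit from the protect script must halt VM startup; do not disable outside testing.` so that a later debugging session does not leave them off unnoticed. The [Unit] section starts above the hunk and [Service] continues below it.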


@ -20,7 +20,7 @@ make_immutable() {
mkdir -p $chdirs mkdir -p $chdirs
touch $chfiles touch $chfiles
chattr -R -f +i $chfiles $chdirs chattr -R -f +i $chfiles $chdirs
touch $rw/home/user/FIXED touch $rw/home/user/FIXED #debug
} }
# Mount private volume in temp location # Mount private volume in temp location
@ -48,54 +48,40 @@ if qsvc vm-sudo-protect-root && is_rwonly_persistent; then
echo "File hash checks:" >/tmp/vm-protect-sum-error echo "File hash checks:" >/tmp/vm-protect-sum-error
for vmset in vms.all $HOSTNAME; do for vmset in vms.all $HOSTNAME; do
if [ -f $defdir/$vmset.SHA ]; then if [ -f $defdir/$vmset.SHA ]; then
sha256sum --strict -c $defdir/$vmset.SHA &>>/tmp/vm-protect-sum-error sha256sum --strict -c $defdir/$vmset.SHA >>/tmp/vm-protect-sum-error 2>&1
checkcode=$((checkcode+$?)) checkcode=$((checkcode+$?))
fi fi
done done
cat /tmp/vm-protect-sum-error # For logging
# Stop system startup if checksum mismatched # Stop system startup if checksum mismatched
if [ $checkcode != 0 ]; then if [ $checkcode != 0 ]; then
cat /tmp/vm-protect-sum-error # For logging
xterm -hold -display :0 -title "VM PROTECTION: CHECKSUM MISMATCH!" \ xterm -hold -display :0 -title "VM PROTECTION: CHECKSUM MISMATCH!" \
-e "cat /tmp/vm-protect-sum-error; echo Private volume is mounted at $rw; bash -i" -e "cat /tmp/vm-protect-sum-error; echo Private volume is mounted at $rw; bash -i"
exit 1 exit 1
fi fi
# Files mutable for del/copy operations
# Make user scripts temporarily mutable, in case 'rw/home/user'
# files exist in defdir -- Copy default files
cd $rw/home/user cd $rw/home/user
chattr -R -f -i $chfiles $chdirs chattr -R -f -i $chfiles $chdirs $rootdirs
# Deactivate config dirs # Deactivate config dirs
for dir in $rootdirs; do for dir in $rootdirs; do
if [ -d $dir ]; then if [ -d $dir ]; then
chattr -R -f -i $dir if [ ! -d $dir-BAK ]; then
cp -a --link $dir $dir-BAK cp -a --link $dir $dir-BAK
# rm -rf $dir-BAK
# mv $dir $dir-BAK
find $dir -type f | cat - $defdir/$HOSTNAME.whitelist $defdir/vms.all.whitelist \
| sed -r "s|^\ */rw(.+)\ *$|$rw\1|" | sort | uniq -u | xargs -I fpath rm -f "fpath"
fi fi
find $dir/* -depth | cat - $defdir/$HOSTNAME.whitelist $defdir/vms.all.whitelist \
for vmset in vms.all $HOSTNAME; do | sed -r "s|^\ */rw(.+)\ *$|$rw\1|" | sort | uniq -u | xargs -I fpath rm -fd 'fpath'
# Process whitelists -- FIX FIX FIX
while false; do
# while read srcfile; do
if [[ $srcfile =~ ^$dir\/ ]]; then
cp -a --link --parents `sed -r "s|^/rw/|$rw/BAK-|" <<<$srcfile` /
else
echo "Cannot use relative or non-rw whitelist path."
fi fi
done <$defdir/$vmset.whitelist done
# Copy default files # Copy default files
for vmset in vms.all $HOSTNAME; do
if [ -d $defdir/$vmset ]; then if [ -d $defdir/$vmset ]; then
cp -af $defdir/$vmset/* / cp -af $defdir/$vmset/* /
fi fi
done done
done
fi fi
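Review bot: The new deletion pipeline (`find $dir/* -depth | cat - …whitelist | sed … | sort | uniq -u | xargs -I fpath rm -fd 'fpath'`) drives root's `rm` from newline-delimited text that includes file names read from the private volume, which is the untrusted input this service exists to sanitise; a name containing a newline is split into separate lines, so the paths handed to `rm` are not guaranteed to stay under `$dir`. `uniq -u` is also a symmetric difference: a whitelist line with no match under the current `$dir` occurs once and is passed to `rm` as well, which (if `$rootdirs` holds more than one directory; its value is outside this view) would delete whitelisted files that live under the other directories. `$dir/*` additionally skips dot-entries at the top level of `$dir`, so those are never cleaned. I would build the keep-list once and delete only paths that `find` itself produced, NUL-delimited, as sketched below, assuming the script runs under bash; the enclosing `if qsvc …` block starts outside the hunk.

```shell
for dir in $rootdirs; do
  # … unchanged: -d test and -BAK hard-link copy …
  keep=$(sed -r "s|^\ */rw(.+)\ *$|$rw\1|" \
    "$defdir/$HOSTNAME.whitelist" "$defdir/vms.all.whitelist" | sort -u)
  find "$dir" -mindepth 1 -depth -print0 | while IFS= read -r -d '' fpath; do
    case $fpath in
      *$'\n'*) rm -fd -- "$fpath"; continue ;;  # multi-line names are never whitelist-matched
    esac
    grep -qxF -- "$fpath" <<<"$keep" || rm -fd -- "$fpath"
  done
```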