Git-Mirrors/Qubes-VM-hardening
1
0
Fork 0
mirror of https://github.com/tasket/Qubes-VM-hardening.git synced 2024-10-01 06:35:42 -04:00
Code Issues Packages Projects Releases Wiki Activity

tweaks to log, tags and cleanup

Browse Source
This commit is contained in:
Christopher Laprise 2019-08-11 06:28:22 -04:00
parent ca67ef7fe3
commit ebe40e1391
No known key found for this signature in database
GPG Key ID: 448568C8B281C952
1 changed files with 36 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
vm-boot-protect.sh
View File

@ -28,6 +28,7 @@ dev=/dev/xvdb
rw=/mnt/rwtmp
rwbak=$rw/vm-boot-protect
errlog=/var/run/vm-protect-error
servicedir=/var/run/qubes-service
defdir=/etc/default/vms
version="0.9.0"
@ -44,10 +45,6 @@ chdirs_add=${chdirs_add:-""}
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
privdirs_add=""
# Get list of enabled tags from Qubes services
tags=`find /var/run/qubes-service -name 'vm-boot-tag-*' -type f -printf '%f\n' \
| sort | sed -E 's|^vm-boot-tag-|\@tags/|'`
# Placeholder function: Runs at end
vm_boot_finish() { return; }
@ -152,6 +149,10 @@ fi
if qsvc vm-boot-protect-root && is_rwonly_persistent; then
# Get list of enabled tags from Qubes services
tags=`find $servicedir -name 'vm-boot-tag-*' -type f -printf '%f\n' \
| sort | sed -E 's|^vm-boot-tag-|\@tags/|'`
# Run rc file commands if they exist
for rcbase in vms.all $tags $vmname; do
if [ -e "$defdir/$rcbase.rc" ]; then
@ -222,36 +223,38 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
for vmset in vms.all $tags $vmname; do
# Process whitelists...
cat $defdir/$vmset.whitelist \
| while read wlfile; do
# Must begin with '/rw/'
if echo $wlfile |grep -q "^\/rw\/"; then
srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rwbak/BAK-\1|\"`"
dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
dstdir="`dirname \"$dstfile\"`"
if [ ! -e "$srcfile" ]; then
echo "Whitelist entry not present in filesystem:"
echo "$srcfile"
continue
# For very large dirs: mv whole dir when entry ends with '/'
elif echo $wlfile |grep -q "\/$"; then
echo "Whitelist mv $srcfile"
echo "to $dstfile"
mkdir -p "$dstdir"
mv -T "$srcfile" "$dstfile"
else
echo "Whitelist cp $srcfile"
mkdir -p "$dstdir"
cp -a --link "$srcfile" "$dstdir"
if [ -e $defdir/$vmset.whitelist ]; then
cat $defdir/$vmset.whitelist \
| while read wlfile; do
# Must begin with '/rw/'
if echo $wlfile |grep -q "^\/rw\/"; then
srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rwbak/BAK-\1|\"`"
dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
dstdir="`dirname \"$dstfile\"`"
if [ ! -e "$srcfile" ]; then
echo "Whitelist entry not present in filesystem:"
echo "$srcfile"
continue
# For very large dirs: mv whole dir when entry ends with '/'
elif echo $wlfile |grep -q "\/$"; then
# echo "Whitelist mv $srcfile"
# echo "to $dstfile"
mkdir -p "$dstdir"
mv -T "$srcfile" "$dstfile"
else
# echo "Whitelist cp $srcfile"
mkdir -p "$dstdir"
cp -a --link "$srcfile" "$dstdir"
fi
elif [ -n "$wlfile" ]; then
echo "Whitelist path must begin with /rw/. Skipped."
fi
elif [ -n "$wlfile" ]; then
echo "Whitelist path must begin with /rw/. Skipped."
fi
done
done
fi
# Copy default files...
if [ -d $defdir/$vmset/rw ]; then
echo "Copy files from $defdir/$vmset/rw"
# echo "Copy files from $defdir/$vmset/rw"
cp -af $defdir/$vmset/rw/* $rw
fi
done
@ -260,13 +263,13 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
fi
# Keep configs invisible at runtime...
rm -rf "$defdir"
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
echo "Preparing for unmount"
make_immutable
umount $rw
fi
# Keep configs invisible at runtime...
rm -rf "$defdir" $servicedir/vm-boot-tag* $servicedir/vm-boot-protect* $errlog
exit 0