tweaks to log, tags and cleanup
This commit is contained in:
parent
ca67ef7fe3
commit
ebe40e1391
1 changed files with 36 additions and 33 deletions
|
@ -28,6 +28,7 @@ dev=/dev/xvdb
|
||||||
rw=/mnt/rwtmp
|
rw=/mnt/rwtmp
|
||||||
rwbak=$rw/vm-boot-protect
|
rwbak=$rw/vm-boot-protect
|
||||||
errlog=/var/run/vm-protect-error
|
errlog=/var/run/vm-protect-error
|
||||||
|
servicedir=/var/run/qubes-service
|
||||||
defdir=/etc/default/vms
|
defdir=/etc/default/vms
|
||||||
version="0.9.0"
|
version="0.9.0"
|
||||||
|
|
||||||
|
@ -44,10 +45,6 @@ chdirs_add=${chdirs_add:-""}
|
||||||
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
|
privdirs=${privdirs:-"/rw/config /rw/usrlocal /rw/bind-dirs"}
|
||||||
privdirs_add=""
|
privdirs_add=""
|
||||||
|
|
||||||
# Get list of enabled tags from Qubes services
|
|
||||||
tags=`find /var/run/qubes-service -name 'vm-boot-tag-*' -type f -printf '%f\n' \
|
|
||||||
| sort | sed -E 's|^vm-boot-tag-|\@tags/|'`
|
|
||||||
|
|
||||||
|
|
||||||
# Placeholder function: Runs at end
|
# Placeholder function: Runs at end
|
||||||
vm_boot_finish() { return; }
|
vm_boot_finish() { return; }
|
||||||
|
@ -152,6 +149,10 @@ fi
|
||||||
|
|
||||||
if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||||
|
|
||||||
|
# Get list of enabled tags from Qubes services
|
||||||
|
tags=`find $servicedir -name 'vm-boot-tag-*' -type f -printf '%f\n' \
|
||||||
|
| sort | sed -E 's|^vm-boot-tag-|\@tags/|'`
|
||||||
|
|
||||||
# Run rc file commands if they exist
|
# Run rc file commands if they exist
|
||||||
for rcbase in vms.all $tags $vmname; do
|
for rcbase in vms.all $tags $vmname; do
|
||||||
if [ -e "$defdir/$rcbase.rc" ]; then
|
if [ -e "$defdir/$rcbase.rc" ]; then
|
||||||
|
@ -222,36 +223,38 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||||
for vmset in vms.all $tags $vmname; do
|
for vmset in vms.all $tags $vmname; do
|
||||||
|
|
||||||
# Process whitelists...
|
# Process whitelists...
|
||||||
cat $defdir/$vmset.whitelist \
|
if [ -e $defdir/$vmset.whitelist ]; then
|
||||||
| while read wlfile; do
|
cat $defdir/$vmset.whitelist \
|
||||||
# Must begin with '/rw/'
|
| while read wlfile; do
|
||||||
if echo $wlfile |grep -q "^\/rw\/"; then
|
# Must begin with '/rw/'
|
||||||
srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rwbak/BAK-\1|\"`"
|
if echo $wlfile |grep -q "^\/rw\/"; then
|
||||||
dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
|
srcfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rwbak/BAK-\1|\"`"
|
||||||
dstdir="`dirname \"$dstfile\"`"
|
dstfile="`echo $wlfile |sed -r \"s|^/rw/(.+)$|$rw/\1|\"`"
|
||||||
if [ ! -e "$srcfile" ]; then
|
dstdir="`dirname \"$dstfile\"`"
|
||||||
echo "Whitelist entry not present in filesystem:"
|
if [ ! -e "$srcfile" ]; then
|
||||||
echo "$srcfile"
|
echo "Whitelist entry not present in filesystem:"
|
||||||
continue
|
echo "$srcfile"
|
||||||
# For very large dirs: mv whole dir when entry ends with '/'
|
continue
|
||||||
elif echo $wlfile |grep -q "\/$"; then
|
# For very large dirs: mv whole dir when entry ends with '/'
|
||||||
echo "Whitelist mv $srcfile"
|
elif echo $wlfile |grep -q "\/$"; then
|
||||||
echo "to $dstfile"
|
# echo "Whitelist mv $srcfile"
|
||||||
mkdir -p "$dstdir"
|
# echo "to $dstfile"
|
||||||
mv -T "$srcfile" "$dstfile"
|
mkdir -p "$dstdir"
|
||||||
else
|
mv -T "$srcfile" "$dstfile"
|
||||||
echo "Whitelist cp $srcfile"
|
else
|
||||||
mkdir -p "$dstdir"
|
# echo "Whitelist cp $srcfile"
|
||||||
cp -a --link "$srcfile" "$dstdir"
|
mkdir -p "$dstdir"
|
||||||
|
cp -a --link "$srcfile" "$dstdir"
|
||||||
|
fi
|
||||||
|
elif [ -n "$wlfile" ]; then
|
||||||
|
echo "Whitelist path must begin with /rw/. Skipped."
|
||||||
fi
|
fi
|
||||||
elif [ -n "$wlfile" ]; then
|
done
|
||||||
echo "Whitelist path must begin with /rw/. Skipped."
|
fi
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
# Copy default files...
|
# Copy default files...
|
||||||
if [ -d $defdir/$vmset/rw ]; then
|
if [ -d $defdir/$vmset/rw ]; then
|
||||||
echo "Copy files from $defdir/$vmset/rw"
|
# echo "Copy files from $defdir/$vmset/rw"
|
||||||
cp -af $defdir/$vmset/rw/* $rw
|
cp -af $defdir/$vmset/rw/* $rw
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
@ -260,13 +263,13 @@ if qsvc vm-boot-protect-root && is_rwonly_persistent; then
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Keep configs invisible at runtime...
|
|
||||||
rm -rf "$defdir"
|
|
||||||
|
|
||||||
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
|
if qsvc vm-boot-protect || qsvc vm-boot-protect-root; then
|
||||||
echo "Preparing for unmount"
|
echo "Preparing for unmount"
|
||||||
make_immutable
|
make_immutable
|
||||||
umount $rw
|
umount $rw
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Keep configs invisible at runtime...
|
||||||
|
rm -rf "$defdir" $servicedir/vm-boot-tag* $servicedir/vm-boot-protect* $errlog
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
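Review bot: The new guard `if [ -e $defdir/$vmset.whitelist ]; then` leaves the path unquoted, and the loop it now wraps still reads entries with a bare `read wlfile` and tests them with an unquoted `echo $wlfile`, so a whitelist entry containing whitespace, a backslash or a glob character is split or expanded before the `/rw/` check and may no longer name the file the author listed. Because the derived `$srcfile`/`$dstfile` are then handed to `mv -T` and `cp -a --link`, a mangled entry may restore the wrong path or nothing at all; quoting keeps the whitelist-to-path mapping exact: `if [ -e "$defdir/$vmset.whitelist" ]; then`, `| while IFS= read -r wlfile; do`, `if printf '%s\n' "$wlfile" | grep -q "^/rw/"; then`. The same `echo $wlfile` pattern feeds the two `sed -r` substitutions and the trailing-slash `grep -q "\/$"` test further down the hunk, which would need the same treatment. The enclosing `if qsvc vm-boot-protect-root && is_rwonly_persistent` block and the `for vmset` loop begin before this hunk, and the block's closing `fi` is in the following hunk.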