Git-Mirrors/reliant-system
1
0
Fork 0
mirror of https://codeberg.org/andersonarc/reliant-system.git synced 2025-11-15 13:37:42 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

reliant.profile and reliant.e2fsck commandline options; unseal and seal now mount and unmount instead of changing flags; displayed volume limit via reliant.dvl=VID

Browse source
This commit is contained in:
Anderson Rosenberg 2025-10-22 14:34:13 -04:00
parent 8a3ae37678
commit 501d68bf7e
No known key found for this signature in database
GPG key ID: 7ACF448C0590AB9C
7 changed files with 130 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

8
README.md
View file

@ -94,6 +94,14 @@ action=accept dst4=1.1.1.1 dstports=80 proto=tcp
``` ```
Due to potential security implications of arbitrary code execution (firewall.rules is not sanitized when a volume is unsealed), the user is asked for manual confirmation before the firewall configuration is executed. Due to potential security implications of arbitrary code execution (firewall.rules is not sanitized when a volume is unsealed), the user is asked for manual confirmation before the firewall configuration is executed.
### Commandline arguments
- `systemd.volatile=overlay` controls the switch between Protected Mode (when present) and Maintenance Mode (when omitted)
- `reliant.e2fsck` runs `e2fsck -p` on every volume before mount to avoid needing an extra reboot in case of accidental data corruption
- `reliant.profile` mounts the upperdir and workdir of OverlayFS in an accessible location under /run/reliant for debugging purposes
- `reliant.dvl=VOLUME_ID` limits the amount of volumes displayed in Qubes app menu, manager, and other places, useful for when you want to avoid showing your hidden qubes in public
- Displayed volume limit does **NOT** provide plausible deniability or actual device inspection
## Known issues ## Known issues
- All known issues of [Shufflecake](https://shufflecake.net/#faq) and [QubesOS](https://www.qubes-os.org/faq). - All known issues of [Shufflecake](https://shufflecake.net/#faq) and [QubesOS](https://www.qubes-os.org/faq).

6
dracut/99reliant/scripts/reliant-initramfs.sh
View file

@ -111,6 +111,12 @@ main() {
# Run the surgeon script to fix qubes.xml # Run the surgeon script to fix qubes.xml
surgeon-suture surgeon-suture
# Seal all volumes
for path in '/run/shufflecake/'*; do
name="${path##*/}"
reliant-seal "$name"
done
} }
main main

15
extra/shufflecake-close.sh
View file

@ -8,11 +8,20 @@ if [ ! -d /run/shufflecake ]; then
exit 0 exit 0
fi fi
# Shut down everything first
qvm-shutdown --force --all --wait --timeout 10 || true
# Detach loop devices
losetup -D || true
# Seal and close each Shufflecake volume # Seal and close each Shufflecake volume
for path in /run/shufflecake/*; do for path in /run/shufflecake/*; do
volume="${path##*/}" volume="${path##*/}" || true
reliant-seal "$volume" reliant-seal "$volume" || true
umount "$path"
# reliant-seal does unmount now, but leave this for good measure
# or if the user has old reliant-seal for some reason
umount "$path" || true
done done
# Close the Shufflecake device # Close the Shufflecake device

2
qubes-sflc/shufflecake-c

@ -1 +1 @@
Subproject commit 96c1557cdde6d92c299592cbfcd39af1e51b7c29 Subproject commit 635fcbd228dcd28b748ccc47bee14dcfc7434dd2

66
tools/reliant-mount
View file

@ -33,11 +33,49 @@ while true; do
fi fi
done done
# Check for the displayed volume limit in commandline arguments
# This is only useful when booting in public to hide deniable qubes
dvl_required=$RELIANT_FALSE
for argument in $(cat /proc/cmdline); do
if [[ "$argument" == reliant.dvl=* ]]; then
dvl_id="${argument##*/}"
dvl_required=$RELIANT_TRUE
fi
done
# Set the displayed volume limit
if [ -n "$dvl_id" ]; then
dvl_device="/dev/mapper/sflc_0_$dvl_id"
# Notify the user so they know the limit has been detected
if [ -b "$dvl_device" ]; then
plymouth display-message --text="Displayed volumes limited"
sleep 1
plymouth hide-message --text="Displayed volumes limited"
else
while true; do
dvl_id=$(plymouth ask-question --prompt="Displayed volume limit is invalid. Provide a new one")
dvl_device="/dev/mapper/sflc_0_$dvl_id"
# Validate user input
if [ -b $dvl_device ]; then
plymouth display-message --text="Limit adjusted successfully"
sleep 1
plymouth hide-message --text="Limit adjusted successfully"
break
fi
done
fi
fi
# Create the volume root directory under /run # Create the volume root directory under /run
mkdir -m 750 /run/shufflecake mkdir -m 750 /run/shufflecake
# Check if we need to e2fsck
reliant_e2fsck=$(grep -q reliant.e2fsck /proc/cmdline)
# Mount each volume # Mount each volume
find /dev/mapper -maxdepth 1 -name 'sflc_*' | while read -r device; do find /dev/mapper -maxdepth 1 -name 'sflc_0_*' | while read -r device; do
# IMPORTANT: Seal it # IMPORTANT: Seal it
blockdev --setro "$device" || exit 1 blockdev --setro "$device" || exit 1
@ -45,9 +83,19 @@ find /dev/mapper -maxdepth 1 -name 'sflc_*' | while read -r device; do
name="${device##*/}" name="${device##*/}"
mountpoint="/run/shufflecake/$name" mountpoint="/run/shufflecake/$name"
# e2fsck if requested
if [ "$reliant_e2fsck" ]; then
e2fsck -p "$device" &> /dev/null || true # If the user has mixed filesystems, it will fail for some
fi
# Mount in /run/shufflecake # Mount in /run/shufflecake
mkdir -m 750 "$mountpoint" mkdir -m 750 "$mountpoint"
mount -o ro,noatime,nodiratime "$device" "$mountpoint" &> /dev/null || true # allow it to silently fail in case there's no filesystem or it is corrupted mount -o ro,noatime,nodiratime "$device" "$mountpoint" &> /dev/null || true # Allow it to silently fail in case there's no filesystem or it is corrupted
# Apply the displayed volume limit if required
if [ $dvl_required = $RELIANT_TRUE ] && [ "$device" = "$dvl_device" ]; then
break
fi
done done
# Set up the volatile image pool # Set up the volatile image pool
@ -57,3 +105,17 @@ for path in '/sysroot/var/lib/qubes/appvms/'*; do
name="${path##*/}" name="${path##*/}"
mkdir -m 750 "/run/volatile/appvms/$name" mkdir -m 750 "/run/volatile/appvms/$name"
done done
# Check if we need to set up profiling
if grep -q reliant.profile /proc/cmdline; then
mkdir -m 750 /run/reliant
mkdir -m 750 /run/reliant/profile
# Upperdir
mkdir -m 750 /run/reliant/profile/upper
mount --bind /run/systemd/overlay-sysroot/upper /run/reliant/profile/upper
# Workdir
mkdir -m 750 /run/reliant/profile/work
mount --bind /run/systemd/overlay-sysroot/work /run/reliant/profile/work
fi

8
tools/reliant-seal
View file

@ -38,11 +38,15 @@ done
echo "Done." echo "Done."
echo -n "Sealing mountpoint... " echo -n "Sealing mountpoint... "
mount -o remount,ro,noatime,nodiratime /run/shufflecake/$name mount -o remount,ro,noatime,nodiratime "/run/shufflecake/$name"
echo "Done." echo "Done."
echo -n "Sealing device... " echo -n "Sealing device... "
blockdev --setro /dev/mapper/$name blockdev --setro "/dev/mapper/$name"
echo "Done."
echo -n "Unmounting device... "
umount "/run/shufflecake/$name" && rmdir "/run/shufflecake/$name"
echo "Done." echo "Done."
echo -e "${GREEN}Sealed.${ENDCOLOR} See reliant-status for more information." echo -e "${GREEN}Sealed.${ENDCOLOR} See reliant-status for more information."

43
tools/reliant-unseal
View file

@ -5,8 +5,8 @@ RED="\e[31;1m"
GREEN="\e[32;1m" GREEN="\e[32;1m"
ENDCOLOR="\e[0m" ENDCOLOR="\e[0m"
if [ "$#" -ne 1 ]; then if [ "$#" -lt 1 ]; then
echo "Expected 1 argument." echo "Expected at least 1 argument."
exit 1 exit 1
fi fi
@ -21,23 +21,44 @@ if [ ! -d /run/shufflecake ]; then
fi fi
name=$1 name=$1
device="/dev/mapper/$name"
echo -n "Unsealing device... " echo -n "Unsealing device... "
blockdev --setrw /dev/mapper/$name blockdev --setrw "$device"
echo "Done." echo "Done."
echo -n "Unsealing mountpoint... " echo -n "Unsealing mountpoint... "
mount -o remount,rw,noatime,nodiratime /run/shufflecake/$name mkdir "/run/shufflecake/$name"
mount -o rw,noatime,nodiratime "$device" "/run/shufflecake/$name"
echo "Done." echo "Done."
# Check if we were given a qube list
allowed_qubes="${*:2}"
echo "Creating links... " echo "Creating links... "
for appvm in /run/shufflecake/$name/appvms/*; do for appvm in "/run/shufflecake/$name/appvms/"*; do
qube="${appvm##*/}" qube="${appvm##*/}"
# Filter if user provided a list of qubes
if [ ! -z "$allowed_qubes" ]; then
allowed=0
for allowed_qube in $allowed_qubes; do
if [ "$qube" = "$allowed_qube" ]; then
allowed=1
break
fi
done
# Only unseal explicitly requested qubes
if [ $allowed -ne 1 ]; then
continue
fi
fi
# Directory link # Directory link
directory="/var/lib/qubes/appvms/$qube" directory="/var/lib/qubes/appvms/$qube"
if [ ! -d $directory ]; then if [ ! -d "$directory" ]; then
install -d -o root -g qubes -m 0750 $directory install -d -o root -g qubes -m 0750 "$directory"
fi fi
# App menus # App menus
@ -46,9 +67,9 @@ for appvm in /run/shufflecake/$name/appvms/*; do
su user -c "qvm-shutdown $qube" &>/dev/null || true su user -c "qvm-shutdown $qube" &>/dev/null || true
# Firewall rules # Firewall rules
if [ -f $appvm/firewall.rules ]; then if [ -f "$appvm/firewall.rules" ]; then
echo "Found firewall.rules. Approve?" echo "Found firewall.rules. Approve?"
cat $appvm/firewall.rules cat "$appvm/firewall.rules"
read -p "[Y/N]: " -n 1 -r read -p "[Y/N]: " -n 1 -r
echo echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then if [[ ! $REPLY =~ ^[Yy]$ ]]; then
@ -59,9 +80,9 @@ for appvm in /run/shufflecake/$name/appvms/*; do
echo "Approved." echo "Approved."
su user -c "qvm-firewall $qube reset" su user -c "qvm-firewall $qube reset"
su user -c "qvm-firewall $qube del --rule-no 0" su user -c "qvm-firewall $qube del --rule-no 0"
while read; do while read -r; do
su user -c "qvm-firewall $qube add $REPLY" su user -c "qvm-firewall $qube add $REPLY"
done < $appvm/firewall.rules done < "$appvm/firewall.rules"
su user -c "qvm-firewall $qube add action=drop" su user -c "qvm-firewall $qube add action=drop"
fi fi
done done