whonix: Added protected-files file used to prevent scripts from modifying files that need to be protected
A file is created in /var/lib/qubes/protected-files. Scripts can grep this file before modifying files that need protection, and skip any modification if the file path is listed in protected-files. Usage Example: if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then Also cleaned up the maintainer scripts, removing unneeded systemd status functions and streamlining the enable/disable systemd unit file functions.
This commit is contained in:
parent
0c0cb5f6b2
commit
56b0685aaa
104
debian/qubes-core-agent.postinst
vendored
104
debian/qubes-core-agent.postinst
vendored
@ -105,80 +105,47 @@ showIn() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
setArrayAsGlobal() {
|
changeSystemdStatus() {
|
||||||
local array="$1"
|
|
||||||
local export_as="$2"
|
|
||||||
local code=$(declare -p "$array")
|
|
||||||
local replaced="${code/$array/$export_as}"
|
|
||||||
eval ${replaced/declare -/declare -g}
|
|
||||||
}
|
|
||||||
|
|
||||||
systemdInfo() {
|
|
||||||
unit=${1}
|
unit=${1}
|
||||||
return_global_var=${2}
|
disable=${2-0}
|
||||||
|
|
||||||
declare -A INFO=()
|
# Check if unit file is currently active (running)
|
||||||
while read line; do
|
systemctl is-active ${unit} > /dev/null 2>&1 && active=true || unset active
|
||||||
INFO[${line%%=*}]="${line##*=}"
|
|
||||||
done < <(systemctl show ${unit} 2> /dev/null)
|
|
||||||
|
|
||||||
setArrayAsGlobal INFO $return_global_var
|
case ${disable} in
|
||||||
return ${#INFO[@]}
|
0)
|
||||||
}
|
systemctl --quiet enable ${unit} > /dev/null 2>&1 || true
|
||||||
|
;;
|
||||||
|
1)
|
||||||
|
if [ $active ]; then
|
||||||
|
systemctl --quiet stop ${unit} > /dev/null 2>&1 || true
|
||||||
|
fi
|
||||||
|
|
||||||
displayFailedStatus() {
|
|
||||||
action=${1}
|
|
||||||
unit=${2}
|
|
||||||
|
|
||||||
# Only display if there are results. In chroot environmnet there will be
|
|
||||||
# no results to 'systemctl show' command
|
|
||||||
systemdInfo ${unit} info || {
|
|
||||||
echo
|
|
||||||
echo "==================================================="
|
|
||||||
echo "FAILED: systemd ${action} ${unit}"
|
|
||||||
echo "==================================================="
|
|
||||||
echo " LoadState = ${info[LoadState]}"
|
|
||||||
echo " LoadError = ${info[LoadError]}"
|
|
||||||
echo " ActiveState = ${info[ActiveState]}"
|
|
||||||
echo " SubState = ${info[SubState]}"
|
|
||||||
echo "UnitFileState = ${info[UnitFileState]}"
|
|
||||||
echo
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Disable systemd units
|
|
||||||
disableSystemdUnits() {
|
|
||||||
for unit in $*; do
|
|
||||||
echo "Disabling ${unit}..."
|
|
||||||
systemctl is-active ${unit} > /dev/null 2>&1 && {
|
|
||||||
systemctl stop ${unit} > /dev/null 2>&1 || displayFailedStatus stop ${unit}
|
|
||||||
}
|
|
||||||
if [ -f /lib/systemd/system/${unit} ]; then
|
if [ -f /lib/systemd/system/${unit} ]; then
|
||||||
if fgrep -q '[Install]' /lib/systemd/system/${unit}; then
|
if fgrep -q '[Install]' /lib/systemd/system/${unit}; then
|
||||||
systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
|
systemctl --quiet disable ${unit} > /dev/null 2>&1 || true
|
||||||
else
|
else
|
||||||
echo "Masking service: ${unit}"
|
# Forcibly disable
|
||||||
systemctl mask ${unit}
|
ln -sf /dev/null /etc/systemd/system/${unit}
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
|
systemctl --quiet disable ${unit} > /dev/null 2>&1 || true
|
||||||
fi
|
fi
|
||||||
done
|
;;
|
||||||
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
# Enable systemd units
|
# Enable systemd units
|
||||||
enableSystemdUnits() {
|
enableSystemdUnits() {
|
||||||
for unit in $*; do
|
for unit in $*; do
|
||||||
systemctl is-enabled ${unit} > /dev/null 2>&1 && {
|
changeSystemdStatus ${unit} 0 || true
|
||||||
echo "It appears ${unit} is already enabled!"
|
done
|
||||||
#displayFailedStatus is-enabled ${unit}
|
}
|
||||||
} || {
|
|
||||||
echo "Enabling: ${unit}..."
|
# Disable systemd units
|
||||||
systemctl enable ${unit} > /dev/null 2>&1 || {
|
disableSystemdUnits() {
|
||||||
echo "Could not enable: ${unit}"
|
for unit in $*; do
|
||||||
displayFailedStatus enable ${unit}
|
changeSystemdStatus ${unit} 1 || true
|
||||||
}
|
|
||||||
}
|
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -204,6 +171,9 @@ case "${1}" in
|
|||||||
dpkg-divert --divert /etc/init/${init}.conf.qubes-disabled --package qubes-core-agent --rename --add /etc/init/${init}.conf
|
dpkg-divert --divert /etc/init/${init}.conf.qubes-disabled --package qubes-core-agent --rename --add /etc/init/${init}.conf
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# Disable sysv init network-manager
|
||||||
|
disableSystemdUnits network-manager
|
||||||
|
|
||||||
# Create NetworkManager configuration if we do not have it
|
# Create NetworkManager configuration if we do not have it
|
||||||
if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
|
if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
|
||||||
echo '[main]' > /etc/NetworkManager/NetworkManager.conf
|
echo '[main]' > /etc/NetworkManager/NetworkManager.conf
|
||||||
@ -217,19 +187,27 @@ case "${1}" in
|
|||||||
rm -f /lib/firmware/updates
|
rm -f /lib/firmware/updates
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Location of files which contains list of protected files
|
||||||
|
PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
|
||||||
|
|
||||||
# ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
|
# ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
|
||||||
# in the form expected by qubes-sysinit.sh
|
# in the form expected by qubes-sysinit.sh
|
||||||
|
if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
|
||||||
for ip in '127\.0\.1\.1' '::1'; do
|
for ip in '127\.0\.1\.1' '::1'; do
|
||||||
if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
|
if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
|
||||||
sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
|
sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
|
||||||
sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
|
sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts || true
|
||||||
else
|
else
|
||||||
echo "${ip//\\/} `hostname`" >> /etc/hosts
|
echo "${ip//\\/} `hostname`" >> /etc/hosts || true
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
# remove hostname from 127.0.0.1 line (in debian the hostname is by default
|
# remove hostname from 127.0.0.1 line (in debian the hostname is by default
|
||||||
# resolved to 127.0.1.1)
|
# resolved to 127.0.1.1)
|
||||||
sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
|
if ! grep -q "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
|
||||||
|
sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
|
||||||
|
fi
|
||||||
|
|
||||||
chown user:user /home_volatile/user
|
chown user:user /home_volatile/user
|
||||||
|
|
||||||
|
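Review bot: The loop that rewrites /etc/hosts in the third hunk (`@ -217,19 +187,27`, the `for ip in '127\.0\.1\.1' '::1'` block) is gated on `/etc/hostname` being listed in the protected-files list, yet every command inside it edits /etc/hosts and never /etc/hostname, so an administrator who lists only /etc/hosts still has it modified here, while the following `sed` on the 127.0.0.1 line in the same hunk is correctly gated on `^/etc/hosts$`. Either check both keys for that loop, e.g. `if ! grep -q -e "^/etc/hostname$" -e "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then`, or add a comment above the check explaining why the hostname key is meant to govern the hosts rewrite. The same mismatch appears in the later `@ -239,24 +239,31` hunk, where the `for ip in '127\.0\.0\.1' '::1'` loop is likewise guarded by `^/etc/hostname$`. Note also that a missing list file is treated as "nothing protected" because grep's error is silenced with `2>/dev/null`; that is a sensible default, but it deserves a one-line comment next to each `PROTECTED_FILE_LIST=` assignment, since the same literal path is redefined in every script rather than shared.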
@ -6,6 +6,9 @@
|
|||||||
disablegw=`qubesdb-read /qubes-service/disable-default-route 2> /dev/null`
|
disablegw=`qubesdb-read /qubes-service/disable-default-route 2> /dev/null`
|
||||||
disabledns=`qubesdb-read /qubes-service/disable-dns-server 2> /dev/null`
|
disabledns=`qubesdb-read /qubes-service/disable-dns-server 2> /dev/null`
|
||||||
|
|
||||||
|
# Location of files which contains list of protected files
|
||||||
|
PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
|
||||||
|
|
||||||
ip=`/usr/bin/qubesdb-read /qubes-ip 2> /dev/null`
|
ip=`/usr/bin/qubesdb-read /qubes-ip 2> /dev/null`
|
||||||
if [ x$ip != x ]; then
|
if [ x$ip != x ]; then
|
||||||
netmask=`/usr/bin/qubesdb-read /qubes-netmask`
|
netmask=`/usr/bin/qubesdb-read /qubes-netmask`
|
||||||
@ -19,11 +22,13 @@ if [ x$ip != x ]; then
|
|||||||
fi
|
fi
|
||||||
/sbin/ethtool -K $INTERFACE sg off
|
/sbin/ethtool -K $INTERFACE sg off
|
||||||
/sbin/ethtool -K $INTERFACE tx off
|
/sbin/ethtool -K $INTERFACE tx off
|
||||||
|
if ! grep -q "^/etc/resolv[.]conf$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
|
||||||
echo > /etc/resolv.conf
|
echo > /etc/resolv.conf
|
||||||
if [ "x$disabledns" != "x1" ]; then
|
if [ "x$disabledns" != "x1" ]; then
|
||||||
echo "nameserver $gateway" > /etc/resolv.conf
|
echo "nameserver $gateway" > /etc/resolv.conf
|
||||||
echo "nameserver $secondary_dns" >> /etc/resolv.conf
|
echo "nameserver $secondary_dns" >> /etc/resolv.conf
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
if [ -f /var/run/qubes-service/network-manager ]; then
|
if [ -f /var/run/qubes-service/network-manager ]; then
|
||||||
nm_config=/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
|
nm_config=/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
|
||||||
cat > $nm_config <<__EOF__
|
cat > $nm_config <<__EOF__
|
||||||
|
@ -239,24 +239,31 @@ fi
|
|||||||
# Revert 'Prevent unnecessary updates in VMs':
|
# Revert 'Prevent unnecessary updates in VMs':
|
||||||
sed -i -e '/^exclude = kernel/d' /etc/yum.conf
|
sed -i -e '/^exclude = kernel/d' /etc/yum.conf
|
||||||
|
|
||||||
|
# Location of files which contains list of protected files
|
||||||
|
PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
|
||||||
|
|
||||||
# qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
|
# qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
|
||||||
if ! grep -q localhost /etc/hosts; then
|
if ! grep -q "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
|
||||||
|
if ! grep -q localhost /etc/hosts; then
|
||||||
cat <<EOF > /etc/hosts
|
cat <<EOF > /etc/hosts
|
||||||
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
|
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
|
||||||
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
|
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
|
||||||
EOF
|
EOF
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
|
# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
|
||||||
# in the form expected by qubes-sysinit.sh
|
# in the form expected by qubes-sysinit.sh
|
||||||
for ip in '127\.0\.0\.1' '::1'; do
|
if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
|
||||||
|
for ip in '127\.0\.0\.1' '::1'; do
|
||||||
if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
|
if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
|
||||||
sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
|
sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
|
||||||
sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
|
sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
|
||||||
else
|
else
|
||||||
echo "${ip} `hostname`" >> /etc/hosts
|
echo "${ip} `hostname`" >> /etc/hosts
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
# Copy ip(|6)tables into place if they do not already exist in filesystem.
|
# Copy ip(|6)tables into place if they do not already exist in filesystem.
|
||||||
# This prevents conflict with iptables-service
|
# This prevents conflict with iptables-service
|
||||||
|
@ -16,7 +16,15 @@ start()
|
|||||||
chmod 666 /proc/u2mfn
|
chmod 666 /proc/u2mfn
|
||||||
|
|
||||||
mkdir -p /var/run/xen-hotplug
|
mkdir -p /var/run/xen-hotplug
|
||||||
|
mkdir -p /var/run/qubes
|
||||||
|
chgrp qubes /var/run/qubes
|
||||||
|
chmod 0775 /var/run/qubes
|
||||||
|
|
||||||
|
# Location of files which contains list of protected files
|
||||||
|
PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
|
||||||
|
|
||||||
|
# Set the hostname
|
||||||
|
if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
|
||||||
name=$(/usr/bin/qubesdb-read /name)
|
name=$(/usr/bin/qubesdb-read /name)
|
||||||
if ! [ -f /etc/this-is-dvm ] ; then
|
if ! [ -f /etc/this-is-dvm ] ; then
|
||||||
# we don't want to set hostname for DispVM
|
# we don't want to set hostname for DispVM
|
||||||
@ -25,13 +33,17 @@ start()
|
|||||||
hostname $name
|
hostname $name
|
||||||
sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
|
sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Set the timezone
|
||||||
|
if ! grep -q "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
|
||||||
timezone=`/usr/bin/qubesdb-read /qubes-timezone 2> /dev/null`
|
timezone=`/usr/bin/qubesdb-read /qubes-timezone 2> /dev/null`
|
||||||
if [ -n "$timezone" ]; then
|
if [ -n "$timezone" ]; then
|
||||||
ln -f /usr/share/zoneinfo/$timezone /etc/localtime
|
ln -f /usr/share/zoneinfo/$timezone /etc/localtime
|
||||||
echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
|
echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
|
||||||
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
|
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
yum_proxy_setup=$(/usr/bin/qubesdb-read /qubes-service/yum-proxy-setup 2> /dev/null || /usr/bin/qubesdb-read /qubes-service/updates-proxy-setup 2> /dev/null)
|
yum_proxy_setup=$(/usr/bin/qubesdb-read /qubes-service/yum-proxy-setup 2> /dev/null || /usr/bin/qubesdb-read /qubes-service/updates-proxy-setup 2> /dev/null)
|
||||||
type=$(/usr/bin/qubesdb-read /qubes-vm-type)
|
type=$(/usr/bin/qubesdb-read /qubes-vm-type)
|
||||||
@ -47,10 +59,6 @@ start()
|
|||||||
# qubesdb-read fails
|
# qubesdb-read fails
|
||||||
INTERFACE=eth0 /usr/lib/qubes/setup-ip
|
INTERFACE=eth0 /usr/lib/qubes/setup-ip
|
||||||
|
|
||||||
mkdir -p /var/run/qubes
|
|
||||||
chgrp qubes /var/run/qubes
|
|
||||||
chmod 0775 /var/run/qubes
|
|
||||||
|
|
||||||
if [ -e /dev/xvdb ] ; then
|
if [ -e /dev/xvdb ] ; then
|
||||||
# check if private.img (xvdb) is empty - all zeros
|
# check if private.img (xvdb) is empty - all zeros
|
||||||
private_size_512=`blockdev --getsz /dev/xvdb`
|
private_size_512=`blockdev --getsz /dev/xvdb`
|
||||||
|
@ -10,6 +10,9 @@ DEFAULT_ENABLED="meminfo-writer"
|
|||||||
QDB_READ=qubesdb-read
|
QDB_READ=qubesdb-read
|
||||||
QDB_LS=qubesdb-multiread
|
QDB_LS=qubesdb-multiread
|
||||||
|
|
||||||
|
# Location of files which contains list of protected files
|
||||||
|
PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
|
||||||
|
|
||||||
read_service() {
|
read_service() {
|
||||||
$QDB_READ /qubes-service/$1 2> /dev/null
|
$QDB_READ /qubes-service/$1 2> /dev/null
|
||||||
}
|
}
|
||||||
@ -67,8 +70,9 @@ for srv in `$QDB_LS /qubes-service/ 2>/dev/null |grep ' = 0'|cut -f 1 -d ' '`; d
|
|||||||
done
|
done
|
||||||
|
|
||||||
# Set the hostname
|
# Set the hostname
|
||||||
name=`$QDB_READ /name`
|
if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
|
||||||
if [ -n "$name" ]; then
|
name=`$QDB_READ /name`
|
||||||
|
if [ -n "$name" ]; then
|
||||||
hostname $name
|
hostname $name
|
||||||
if [ -e /etc/debian_version ]; then
|
if [ -e /etc/debian_version ]; then
|
||||||
ipv4_localhost_re="127\.0\.1\.1"
|
ipv4_localhost_re="127\.0\.1\.1"
|
||||||
@ -77,10 +81,13 @@ if [ -n "$name" ]; then
|
|||||||
fi
|
fi
|
||||||
sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
|
sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
|
||||||
sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
|
sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
timezone=`$QDB_READ /qubes-timezone 2> /dev/null`
|
# Set the timezone
|
||||||
if [ -n "$timezone" ]; then
|
if ! grep -q "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
|
||||||
|
timezone=`$QDB_READ /qubes-timezone 2> /dev/null`
|
||||||
|
if [ -n "$timezone" ]; then
|
||||||
cp -p /usr/share/zoneinfo/$timezone /etc/localtime
|
cp -p /usr/share/zoneinfo/$timezone /etc/localtime
|
||||||
if [ -e /etc/debian_version ]; then
|
if [ -e /etc/debian_version ]; then
|
||||||
echo "$timezone" > /etc/timezone
|
echo "$timezone" > /etc/timezone
|
||||||
@ -88,6 +95,7 @@ if [ -n "$timezone" ]; then
|
|||||||
echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
|
echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
|
||||||
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
|
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Prepare environment for other services
|
# Prepare environment for other services
|
||||||
|