whonix: Added protected-files file used to prevent scripts from modifying files that need to be protected

A file is created in /var/lib/qubes/protected-files.  Scripts can grep this file before modifying
        known files to be protected and skip any modifications if the file path is within protected-files.

        Usage Example:
            if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then

        Also cleaned up maintainer scripts removing unneeded systemd status functions and streamlined
        the enable/disable systemd unit files functions
This commit is contained in:
Jason Mehring 2015-04-22 02:04:10 -04:00 committed by Marek Marczykowski-Górecki
parent 0c0cb5f6b2
commit 56b0685aaa
5 changed files with 132 additions and 126 deletions

View File

@ -105,80 +105,47 @@ showIn() {
fi
}
setArrayAsGlobal() {
local array="$1"
local export_as="$2"
local code=$(declare -p "$array")
local replaced="${code/$array/$export_as}"
eval ${replaced/declare -/declare -g}
}
systemdInfo() {
changeSystemdStatus() {
unit=${1}
return_global_var=${2}
disable=${2-0}
declare -A INFO=()
while read line; do
INFO[${line%%=*}]="${line##*=}"
done < <(systemctl show ${unit} 2> /dev/null)
# Check if unit file is currently active (running)
systemctl is-active ${unit} > /dev/null 2>&1 && active=true || unset active
setArrayAsGlobal INFO $return_global_var
return ${#INFO[@]}
}
case ${disable} in
0)
systemctl --quiet enable ${unit} > /dev/null 2>&1 || true
;;
1)
if [ $active ]; then
systemctl --quiet stop ${unit} > /dev/null 2>&1 || true
fi
displayFailedStatus() {
action=${1}
unit=${2}
# Only display if there are results. In chroot environmnet there will be
# no results to 'systemctl show' command
systemdInfo ${unit} info || {
echo
echo "==================================================="
echo "FAILED: systemd ${action} ${unit}"
echo "==================================================="
echo " LoadState = ${info[LoadState]}"
echo " LoadError = ${info[LoadError]}"
echo " ActiveState = ${info[ActiveState]}"
echo " SubState = ${info[SubState]}"
echo "UnitFileState = ${info[UnitFileState]}"
echo
}
}
# Disable systemd units
disableSystemdUnits() {
for unit in $*; do
echo "Disabling ${unit}..."
systemctl is-active ${unit} > /dev/null 2>&1 && {
systemctl stop ${unit} > /dev/null 2>&1 || displayFailedStatus stop ${unit}
}
if [ -f /lib/systemd/system/${unit} ]; then
if fgrep -q '[Install]' /lib/systemd/system/${unit}; then
systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
systemctl --quiet disable ${unit} > /dev/null 2>&1 || true
else
echo "Masking service: ${unit}"
systemctl mask ${unit}
# Forcibly disable
ln -sf /dev/null /etc/systemd/system/${unit}
fi
else
systemctl disable ${unit} > /dev/null 2>&1 || displayFailedStatus disable ${unit}
systemctl --quiet disable ${unit} > /dev/null 2>&1 || true
fi
done
;;
esac
}
# Enable systemd units
enableSystemdUnits() {
for unit in $*; do
systemctl is-enabled ${unit} > /dev/null 2>&1 && {
echo "It appears ${unit} is already enabled!"
#displayFailedStatus is-enabled ${unit}
} || {
echo "Enabling: ${unit}..."
systemctl enable ${unit} > /dev/null 2>&1 || {
echo "Could not enable: ${unit}"
displayFailedStatus enable ${unit}
}
changeSystemdStatus ${unit} 0 || true
done
}
# Disable systemd units
disableSystemdUnits() {
for unit in $*; do
changeSystemdStatus ${unit} 1 || true
done
}
@ -204,6 +171,9 @@ case "${1}" in
dpkg-divert --divert /etc/init/${init}.conf.qubes-disabled --package qubes-core-agent --rename --add /etc/init/${init}.conf
done
# Disable sysv init network-manager
disableSystemdUnits network-manager
# Create NetworkManager configuration if we do not have it
if ! [ -e /etc/NetworkManager/NetworkManager.conf ]; then
echo '[main]' > /etc/NetworkManager/NetworkManager.conf
@ -217,19 +187,27 @@ case "${1}" in
rm -f /lib/firmware/updates
fi
# Location of files which contains list of protected files
PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
# ensure that hostname resolves to 127.0.1.1 resp. ::1 and that /etc/hosts is
# in the form expected by qubes-sysinit.sh
if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
for ip in '127\.0\.1\.1' '::1'; do
if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts
sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
sed -i "s/^${ip}\(\s\|$\).*$/\0 `hostname`/" /etc/hosts || true
else
echo "${ip//\\/} `hostname`" >> /etc/hosts
echo "${ip//\\/} `hostname`" >> /etc/hosts || true
fi
done
fi
# remove hostname from 127.0.0.1 line (in debian the hostname is by default
# resolved to 127.0.1.1)
sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
if ! grep -q "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
sed -i "/^127\.0\.0\.1\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts || true
fi
chown user:user /home_volatile/user

View File

@ -6,6 +6,9 @@
disablegw=`qubesdb-read /qubes-service/disable-default-route 2> /dev/null`
disabledns=`qubesdb-read /qubes-service/disable-dns-server 2> /dev/null`
# Location of files which contains list of protected files
PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
ip=`/usr/bin/qubesdb-read /qubes-ip 2> /dev/null`
if [ x$ip != x ]; then
netmask=`/usr/bin/qubesdb-read /qubes-netmask`
@ -19,11 +22,13 @@ if [ x$ip != x ]; then
fi
/sbin/ethtool -K $INTERFACE sg off
/sbin/ethtool -K $INTERFACE tx off
if ! grep -q "^/etc/resolv[.]conf$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
echo > /etc/resolv.conf
if [ "x$disabledns" != "x1" ]; then
echo "nameserver $gateway" > /etc/resolv.conf
echo "nameserver $secondary_dns" >> /etc/resolv.conf
fi
fi
if [ -f /var/run/qubes-service/network-manager ]; then
nm_config=/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
cat > $nm_config <<__EOF__

View File

@ -239,16 +239,22 @@ fi
# Revert 'Prevent unnecessary updates in VMs':
sed -i -e '/^exclude = kernel/d' /etc/yum.conf
# Location of files which contains list of protected files
PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
# qubes-core-vm has been broken for some time - it overrides /etc/hosts; restore original content
if ! grep -q "^/etc/hosts$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
if ! grep -q localhost /etc/hosts; then
cat <<EOF > /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 `hostname`
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
EOF
fi
fi
# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
# in the form expected by qubes-sysinit.sh
if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
for ip in '127\.0\.0\.1' '::1'; do
if grep -q "^${ip}\(\s\|$\)" /etc/hosts; then
sed -i "/^${ip}\s/,+0s/\(\s`hostname`\)\+\(\s\|$\)/\2/g" /etc/hosts
@ -257,6 +263,7 @@ for ip in '127\.0\.0\.1' '::1'; do
echo "${ip} `hostname`" >> /etc/hosts
fi
done
fi
# Copy ip(|6)tables into place if they do not already exist in filesystem.
# This prevents conflict with iptables-service

View File

@ -16,7 +16,15 @@ start()
chmod 666 /proc/u2mfn
mkdir -p /var/run/xen-hotplug
mkdir -p /var/run/qubes
chgrp qubes /var/run/qubes
chmod 0775 /var/run/qubes
# Location of files which contains list of protected files
PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
# Set the hostname
if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
name=$(/usr/bin/qubesdb-read /name)
if ! [ -f /etc/this-is-dvm ] ; then
# we don't want to set hostname for DispVM
@ -25,13 +33,17 @@ start()
hostname $name
sed -i "s/^\(127\.0\.0\.1[\t ].*\) \($name \)\?\(.*\)/\1\2 $name/" /etc/hosts
fi
fi
# Set the timezone
if ! grep -q "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
timezone=`/usr/bin/qubesdb-read /qubes-timezone 2> /dev/null`
if [ -n "$timezone" ]; then
ln -f /usr/share/zoneinfo/$timezone /etc/localtime
echo "# Clock configuration autogenerated based on Qubes dom0 settings" > /etc/sysconfig/clock
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
fi
fi
yum_proxy_setup=$(/usr/bin/qubesdb-read /qubes-service/yum-proxy-setup 2> /dev/null || /usr/bin/qubesdb-read /qubes-service/updates-proxy-setup 2> /dev/null)
type=$(/usr/bin/qubesdb-read /qubes-vm-type)
@ -47,10 +59,6 @@ start()
# qubesdb-read fails
INTERFACE=eth0 /usr/lib/qubes/setup-ip
mkdir -p /var/run/qubes
chgrp qubes /var/run/qubes
chmod 0775 /var/run/qubes
if [ -e /dev/xvdb ] ; then
# check if private.img (xvdb) is empty - all zeros
private_size_512=`blockdev --getsz /dev/xvdb`

View File

@ -10,6 +10,9 @@ DEFAULT_ENABLED="meminfo-writer"
QDB_READ=qubesdb-read
QDB_LS=qubesdb-multiread
# Location of files which contains list of protected files
PROTECTED_FILE_LIST='/var/lib/qubes/protected-files'
read_service() {
$QDB_READ /qubes-service/$1 2> /dev/null
}
@ -67,6 +70,7 @@ for srv in `$QDB_LS /qubes-service/ 2>/dev/null |grep ' = 0'|cut -f 1 -d ' '`; d
done
# Set the hostname
if ! grep -q "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
name=`$QDB_READ /name`
if [ -n "$name" ]; then
hostname $name
@ -78,7 +82,10 @@ if [ -n "$name" ]; then
sed -i "s/^\($ipv4_localhost_re\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
sed -i "s/^\(::1\(\s.*\)*\s\).*$/\1${name}/" /etc/hosts
fi
fi
# Set the timezone
if ! grep -q "^/etc/timezone$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
timezone=`$QDB_READ /qubes-timezone 2> /dev/null`
if [ -n "$timezone" ]; then
cp -p /usr/share/zoneinfo/$timezone /etc/localtime
@ -89,6 +96,7 @@ if [ -n "$timezone" ]; then
echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
fi
fi
fi
# Prepare environment for other services
echo > /var/run/qubes-service-environment