From 1ecb680b44b9bb96991be83960a6f5aee17c0417 Mon Sep 17 00:00:00 2001
From: Rudd-O
Date: Wed, 24 Oct 2018 07:32:19 +0000
Subject: [PATCH 1/4] Allow per-VM protected file list

Hopefully this can be pushed as an update for Qubes 3.2 as well?
---
 init/functions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/init/functions b/init/functions
index 82f4a5b..81d571d 100644
--- a/init/functions
+++ b/init/functions
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # Location of files which contains list of protected files
-PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d /rw/qubes/protected-files.d'
 
 qsvc() {
 # Returns whether a service is enabled.
@@ -100,7 +100,7 @@ reload_random_seed() {
 }
 
 is_protected_file() {
- grep -Fxrq --exclude='*.rpmsave' --exclude='*~' --exclude='*.rpmnew' --exclude='*.rpmold' -- "${1}" "$PROTECTED_FILE_LIST" 2>/dev/null
+ grep -Fxrq --exclude='*.rpmsave' --exclude='*~' --exclude='*.rpmnew' --exclude='*.rpmold' -- "${1}" $PROTECTED_FILE_LIST 2>/dev/null
 }
 
 umount_retry() {

From 3b93db99f8c5b89663a8cfa740d511769bdbec84 Mon Sep 17 00:00:00 2001
From: Rudd-O
Date: Wed, 24 Oct 2018 08:00:20 +0000
Subject: [PATCH 2/4] Fix logic bug.

---
 init/functions | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/init/functions b/init/functions
index 81d571d..68edab8 100644
--- a/init/functions
+++ b/init/functions
@@ -1,7 +1,8 @@
 #!/bin/bash
 
 # Location of files which contains list of protected files
-PROTECTED_FILE_LIST='/etc/qubes/protected-files.d /rw/qubes/protected-files.d'
+PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
+PER_VM_PROTECTED_FILE_LIST='/rw/qubes/protected-files.d'
 
 qsvc() {
 # Returns whether a service is enabled.
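Review bot: In the first hunk of [PATCH 1/4], the added `/rw/qubes/protected-files.d` entry puts part of the protected-file list on the VM's own persistent private volume, yet the comment above `PROTECTED_FILE_LIST` still describes a single location and says nothing about who controls it. Anything that can write under /rw inside the VM can then persistently change which files `is_protected_file` reports as protected. That is presumably the intended per-VM behaviour, but the callers that act on the answer are not visible in this series, so the trust assumption deserves a line here. Suggested comment: `# The /rw directory is per-VM and persistent; its entries are controlled from inside the VM, unlike the /etc list that normally comes from the template.` The same applies to `PER_VM_PROTECTED_FILE_LIST` as introduced in [PATCH 2/4] and moved to `/rw/config` in [PATCH 3/4].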
@@ -100,7 +101,16 @@ reload_random_seed() {
 }
 
 is_protected_file() {
- grep -Fxrq --exclude='*.rpmsave' --exclude='*~' --exclude='*.rpmnew' --exclude='*.rpmold' -- "${1}" $PROTECTED_FILE_LIST 2>/dev/null
+ local ret=0
+ local pfilelist
+ for pfilelist in "$PROTECTED_FILE_LIST" "$PER_VM_PROTECTED_FILE_LIST" ; do
+ if test -d "$pfilelist" ; then
+ # If this succeeds, we return immediately to the caller.
+ # If not, we let the loop continue.
+ grep -Fxrq --exclude='*.rpmsave' --exclude='*~' --exclude='*.rpmnew' --exclude='*.rpmold' -- "${1}" "$pfilelist" 2>/dev/null && return 0 || ret="$?"
+ fi
+ done
+ return "$ret"
 }
 
 umount_retry() {

From 03883ece9680648de68ea8774883f1d7b2b47869 Mon Sep 17 00:00:00 2001
From: Rudd-O
Date: Thu, 15 Nov 2018 19:08:46 +0000
Subject: [PATCH 3/4] /rw/config

---
 init/functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/init/functions b/init/functions
index 68edab8..9087ada 100644
--- a/init/functions
+++ b/init/functions
@@ -2,7 +2,7 @@
 
 # Location of files which contains list of protected files
 PROTECTED_FILE_LIST='/etc/qubes/protected-files.d'
-PER_VM_PROTECTED_FILE_LIST='/rw/qubes/protected-files.d'
+PER_VM_PROTECTED_FILE_LIST='/rw/config/protected-files.d'
 
 qsvc() {
 # Returns whether a service is enabled.

From 8ce95f0db1bd35d53729ce5831d9b52622f8044c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Thu, 6 Dec 2018 14:44:42 +0100
Subject: [PATCH 4/4] is_protected_file: if no config dir is present, assume the file is _not_ protected

---
 init/functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/init/functions b/init/functions
index 9087ada..19a522e 100644
--- a/init/functions
+++ b/init/functions
@@ -101,7 +101,7 @@ reload_random_seed() {
 }
 
 is_protected_file() {
- local ret=0
+ local ret=1
 local pfilelist
 for pfilelist in "$PROTECTED_FILE_LIST" "$PER_VM_PROTECTED_FILE_LIST" ; do
 if test -d "$pfilelist" ; then
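Review bot: In the `is_protected_file` hunk of [PATCH 2/4], `2>/dev/null` combined with `|| ret="$?"` folds a grep error (exit status 2, for example an unreadable list file) into the same non-zero answer as a clean no-match, so a broken list silently reads as "not protected". Callers presumably use the result to decide whether a file may be overwritten, so it would be safer to tell the two cases apart and report the error one, for instance by adding `[ "$ret" -le 1 ] || echo "is_protected_file: error reading $pfilelist" >&2` after the grep line. The `cmd && return 0 || ret="$?"` form is also only correct because `return 0` cannot fail; `if grep …; then return 0; else ret="$?"; fi` states the intent more plainly.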
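Review bot: In [PATCH 4/4], the `ret=1` default makes `is_protected_file` answer "not protected" whenever neither list directory exists, and nothing in the function documents that fail-open contract. A missing `/etc/qubes/protected-files.d` (for example after a packaging problem) is then indistinguishable from a file that simply is not listed. A header comment would make the contract explicit for callers: `# Returns 0 if $1 is listed in a protected-files.d directory; non-zero if it is not listed or no list directory exists.` The function body continues past the end of this hunk.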