On Sat, Apr 15, 2017 at 10:13 AM, Chris Laprise <[email protected]> wrote:
> On 04/14/2017 12:18 PM, Chris Laprise wrote:
>>
>> I am trying to set up templates so the startup sequence in template-based
>> VMs can take action on /rw contents before they can affect the execution
>> environment (bind-dirs, rc.local, etc).
>>
>> Unless there is a setting for this (disabling startup execution of
>> private.img contents) that I'm not aware of, I think some modification
>> of Qubes would be necessary to properly enable such action. This is
>> because currently bind-dirs.sh activation is lumped in with mount-dirs.sh.
>>
>> My suggestion would be to put the activation of qubes/init/bind-dirs.sh
>> under a separate systemd service. Alternately, mount-dirs.sh could have
>> a hook that points to a specific user script in /etc.
>
>
> A possible workaround I'm trying is to have my systemd unit run before
> qubes-mount-dirs.service and do an independent mount-dismount of /rw.
>
> This allows my script to perform simple sanitizing operations in /rw before
> anything in there has a chance to run. So far, it works...
What is your long-term goal with this effort? This and your
"Qubes-VM-hardening" stuff [1] looks to be trying to allow data persistence
while aiming to avoid the ability for the persisted data to somehow hijack
control on subsequent VM boots.

If so, ISTM that this could be achieved using DispVMs with a persistent rw
volume mounted somewhere other than /home (or any path which installed
software automatically reads). Furthermore, such an approach also seems
more robust than any attempt to essentially blacklist known-sensitive paths
(which I think would eventually converge towards wanting to protect all of
~/.*) no?

I'm curious what you have in mind and what the intended use case is.

Cheers,
Jean-Philippe

[1]: https://github.com/tasket/Qubes-VM-hardening
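The workaround Chris describes above (a unit ordered before qubes-mount-dirs.service that mounts the private volume on its own, sanitizes it, and unmounts it) can be sketched as follows. This is an added illustration, not Chris's script and not code from the Qubes-VM-hardening repository or from Qubes itself. It assumes the private volume is /dev/xvdb, that the startup-sensitive paths are /rw/config/rc.local and /rw/config/qubes-bind-dirs.d, and it uses a hypothetical unit name and script path (/usr/local/sbin/rw-sanitize.sh). The sanitizing step is written as a function over an arbitrary directory so it can be exercised without a real block device.

```shell
#!/bin/sh
# Added example (not from the thread, Qubes, or Qubes-VM-hardening).
# Assumptions: private volume is /dev/xvdb; paths consulted by the Qubes
# startup sequence are config/rc.local and config/qubes-bind-dirs.d
# relative to /rw. Both are overridable so the logic can be tested on
# any directory.
set -eu

PRIVATE_DEV="${PRIVATE_DEV:-/dev/xvdb}"
SCRATCH_MNT="${SCRATCH_MNT:-/mnt/rw-sanitize}"

# Quarantine anything under $1 that the startup sequence would execute or
# consult, by renaming it with the suffix supplied in $2 (the caller passes
# a timestamp; a fixed value makes the result deterministic for testing).
# Prints the number of items quarantined.
sanitize_rw() {
    rw="$1"
    stamp="$2"
    count=0
    for item in config/rc.local config/qubes-bind-dirs.d; do
        if [ -e "$rw/$item" ]; then
            mv "$rw/$item" "$rw/$item.quarantined-$stamp"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Mount the private volume at a scratch mountpoint, sanitize it, and
# unmount again. When qubes-mount-dirs.service later mounts /rw, only the
# sanitized tree is there for mount-dirs.sh / bind-dirs.sh to act on.
sanitize_private_volume() {
    mkdir -p "$SCRATCH_MNT"
    mount "$PRIVATE_DEV" "$SCRATCH_MNT"
    n=$(sanitize_rw "$SCRATCH_MNT" "$(date +%s)")
    umount "$SCRATCH_MNT"
    echo "quarantined $n item(s) on $PRIVATE_DEV"
}

# Unit file ordering the script before the real qubes-mount-dirs.service.
# The unit and script names are hypothetical; DefaultDependencies=no and
# sysinit.target are assumptions about how early the Qubes mount runs.
print_unit() {
    cat <<'EOF'
[Unit]
Description=Sanitize private volume before /rw is mounted
DefaultDependencies=no
Before=qubes-mount-dirs.service
After=local-fs-pre.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/rw-sanitize.sh --run

[Install]
WantedBy=sysinit.target
EOF
}

# Only touch the real device when invoked with --run (e.g. from the unit).
if [ "${1:-}" = "--run" ]; then
    sanitize_private_volume
fi
```

Renaming rather than deleting keeps the quarantined rc.local and bind-dirs configuration available for inspection after boot; a second run over an already-sanitized tree is a no-op and reports 0.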
