On 04/20/2017 05:51 PM, Marek Marczykowski-Górecki wrote:
> On Thu, Apr 20, 2017 at 05:46:48PM -0400, Chris Laprise wrote:
>> On 04/17/2017 06:12 PM, Marek Marczykowski-Górecki wrote:
>>> On Mon, Apr 17, 2017 at 10:02:00PM +0000, Patrick Schleizer wrote:
>>>> Hi! :)
>>>>
>>>> You want a hook exactly between mount-dirs.sh and bind-dirs.sh?
>>>>
>>>> Chris Laprise:
>>>>> Alternately, mount-dirs.sh could have
>>>>> a hook that points to a specific user script in /etc.
>>>>
>>>> User script sounds a bit limited. What about something a little more
>>>> flexible?
>>>>
>>>> Untested pseudo code:
>>>>
>>>> if [ -d /etc/qubes/mount-dirs-post.d ]; then
>>>>     run-parts /etc/qubes/mount-dirs-post.d
>>>> fi
>>>
>>> IMO this is the way to go. In addition to your VM hardening scripts,
>>> this could be used also for some /rw initialization, beyond /etc/skel.
>>> AFAIR there was a need for a similar thing to copy Tor Browser there.
>>
>> IIUC, this idea is for R4.x release..? It will be nice to have, but in the
>> meantime I'm still looking for a way to make this possible in R3.2 without
>> getting medieval (sed /usr/lib...script.sh).
>
> Actually, if the behaviour without any additional configuration would be
> unchanged, we may consider it also for R3.2.
>
>> It would be really nice to activate my script on a per-VM basis(!) from
>> Qubes Manager settings. I'm having better luck doing it this way, running it
>> before meminfowriter and after qubes-sysinit.
>
> For this, take a look here:
> https://www.qubes-os.org/doc/qubes-service/

Yes, already there. It seems to work well now. I settled on specifying
WantedBy=sysinit.target and no 'Before'.

https://github.com/tasket/Qubes-VM-hardening/blob/systemd/lib/systemd/system/vm-sudo-protect.service

--
Chris Laprise, [email protected]
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886