Add configuration file support

tasket / Qubes-VM-hardening

Fend off malware at Qubes VM startup

GNU General Public License v3.0

74 stars 11 forks source link

Add configuration file support #19

Closed tasket closed 5 years ago

tasket commented 6 years ago

Implement a vms.all.conf and vmname.conf feature to alter behavior of vm-boot-protect.service.

Some initial ideas for properties:

Post-mount Exec: runs command after mounting volume as writeable
No abort/relocate on error; continue normally after showing notice
Change order of certain operations (i.e. deploy before hash check)
Skip vms.all operation(s)
No error/abort when hashed files don't exist
etc.

adrelanos commented 5 years ago

Post-mount Exec: runs command after mounting volume as writeable

Use case? Those who want that could just add another custom systemd service file?

No abort/relocate on error; continue normally after showing notice

As a learning / debugging mode?

Change order of certain operations (i.e. deploy before hash check)

Please elaborate. Why not always deploy before hash check?

tasket commented 5 years ago

Mostly "IDK". They seemed like good ideas at the time, but there has been no demand for them.

Reason to check hashes before deploy is that this order enables detection of tampering in cases where the tampered file would be over-written by the deploy.

tasket commented 5 years ago

This is mostly covered by .rc file support. Note that issue #13 is still open.