[Whonix-devel] [qubes-devel] Require script to run immed. after /rw mount
Patrick Schleizer
patrick-mailinglists at whonix.org
Tue Apr 18 00:09:00 CEST 2017
Chris Laprise:
> I am trying to setup templates so the startup sequence in template-based
> VMs can take action on /rw contents before they can affect the execution
> environment (bind-dirs, rc.local, etc).
>
> Unless there is a setting for this (disabling startup execution of
> private.img contents) that I'm not aware of, I think some modification
> of Qubes would be necessary to properly enable such action. This is
> because currently bind-dirs.sh activation is lumped-in with mount-dirs.sh.
>
> My suggestion would be to put the activation of qubes/init/bind-dirs.sh
> under a separate systemd service. Alternately, mount-dirs.sh could have
> a hook that points to a specific user script in /etc.
>
Btw you can hook between mount-dirs.sh and bind-dirs.sh already.
https://github.com/QubesOS/qubes-core-agent-linux/blob/d177e73bba077815ebfd15d9782f0787772067d9/vm-systemd/bind-dirs.sh#L121-L131
does the trick.
You could add a hook here:
/usr/lib/qubes-bind-dirs.d/20_vm-sudo-protect.conf
Since all files in that folder get `source`ed by (`bash`) `bind-dirs.sh`.
The actual functionality of bind-dirs.sh would run after that.
https://github.com/QubesOS/qubes-core-agent-linux/blob/d177e73bba077815ebfd15d9782f0787772067d9/vm-systemd/bind-dirs.sh#L133
(Kicked off by: main "$@")
A bit hacky? Since that folder was meant for configuration files, but
running hooks from there would work as well.
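As an added illustration of the sourcing order described above (example code, not Qubes' own bind-dirs.sh): a hook file that gets sourced alongside the bind-dirs config files and acts on /rw before main runs, together with a small stand-in for bind-dirs.sh so it runs offline. The directory names, the hook file name and the permission check it performs are assumptions.

```bash
#!/bin/bash
# Added example (not Qubes code). A hook dropped into the directory that
# bind-dirs.sh sources, plus a stand-in that reproduces the order from the
# mail: every config file is sourced first, then main runs.
# Paths are assumptions for an offline run; on a VM the hook would sit at
# /usr/lib/qubes-bind-dirs.d/NN_name.conf and RW_ROOT would be /rw.

# Hook body (contents of the hypothetical NN_pre-bind.conf). It is sourced,
# so it must not exit the caller; it logs findings and can still add a
# normal bind-dirs entry via the binds array.
HOOK_BODY='
# Hypothetical pre-bind hook: runs before bind-dirs main "$@".
# Flag group- or world-writable files under /rw that will later be executed.
for f in "$RW_ROOT"/config/rc.local "$RW_ROOT"/config/qubes-bind-dirs.d/*; do
    [ -e "$f" ] || continue
    mode=$(stat -c "%a" "$f")
    case "$mode" in
        *[2367]|*[2367]?) echo "unsafe:${f#$RW_ROOT/}:$mode" >> "$HOOK_LOG" ;;
    esac
done
echo "hook" >> "$HOOK_LOG"
binds+=( "/etc/example.conf" )
'

# Minimal stand-in for bind-dirs.sh: source each *.conf, then run "main".
fake_bind_dirs() {  # $1 = config directory
    binds=()
    for c in "$1"/*.conf; do [ -r "$c" ] && source "$c"; done
    echo "main:${#binds[@]}" >> "$HOOK_LOG"   # main only runs after the hooks
}

# Build a constructed /rw tree with a world-writable rc.local, run the
# stand-in, and return the log as one line showing the execution order.
run_demo() {
    local tmp; tmp=$(mktemp -d)
    RW_ROOT="$tmp/rw"; HOOK_LOG="$tmp/log"
    mkdir -p "$RW_ROOT/config" "$tmp/etc"
    printf '#!/bin/sh\n' > "$RW_ROOT/config/rc.local"
    chmod 666 "$RW_ROOT/config/rc.local"          # constructed unsafe mode
    printf '%s\n' "$HOOK_BODY" > "$tmp/etc/10_pre-bind.conf"
    fake_bind_dirs "$tmp/etc"
    tr '\n' ' ' < "$HOOK_LOG"
    rm -rf "$tmp"
}
```

Running `run_demo` prints the hook's finding and marker before `main:1`, showing that the early action happens before bind-dirs' own work.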