[Whonix-devel] [qubes-devel] Require script to run immed. after /rw mount

Patrick Schleizer patrick-mailinglists at whonix.org
Tue Apr 18 03:06:00 CEST 2017 

Marek Marczykowski-Górecki:
> On Mon, Apr 17, 2017 at 11:06:00PM +0000, Patrick Schleizer wrote:
>> Marek Marczykowski-Górecki:
>>> On Mon, Apr 17, 2017 at 10:02:00PM +0000, Patrick Schleizer wrote:
>>>>> Alternately, mount-dirs.sh could have
>>>>> a hook that points to a specific user script in /etc.
>>>
>>>> User script sounds a bit limited. What about something a little more
>>>> flexible?
>>>
>>>> Untested pseudo code:
>>>
>>>> if [ -d /etc/qubes/mount-dirs-post.d ]; then
>>>>    run-parts /etc/qubes/mount-dirs-post.d
>>>> fi
>>>
>>> IMO this is the way to go. In addition to your VM hardening scripts,
>>> this could be used also for some /rw initialization, beyond /etc/skel.
>>> AFAIR there was a need for similar thing to copy Tor Browser there.
>>>
>>> As for implementation - do we want it in /etc, /usr/lib, or both (so
>>> files in /etc could override /usr/lib)?
> 
>> Yes in both. Actually in all three. I.e. /etc/, /usr/lib and in
>> /usr/local (/rw) to make it complete.
> 
> No, the whole point about this script is to run something _before_
> anything gets processed/run from /rw.

Right. (Scratch that /rw idea.)

>>> But having both means we can't
>>> use run-parts :(
> 
>> Why not just use above "Untested pseudo code" three times with the
>> different dirs? :)
> 
> Because it will not allow to disable/override a script in /usr/lib by
> placing a script with the same name in /etc.

Alright. We can have that feature. Then perhaps let's use bash `source`.

Each snipped could define an entry function named
number_main_drop-in-name or so. For example.

/usr/lib/qubes-mount-dirs.d/50_bind_dirs.conf:

50_main_bind_dirs() {
   /path/to/actual/script
}

To disable that, a lexically higher configuration file could just do.

/etc/qubes-mount-dirs.d/50_bind_dirs.conf:

50_main_bind_dirs() {
   true
}

Then the mount-dirs.sh script could `source` all these `.conf`s, and use
`compgen` to get a list of function names, match these for `_main_`.
Then run these functions in lexical order.

Does that look good? If needed, I could as well describe that better or
write some pseudo code for that. I like this override / configureability
stuff.

Cheers,
Patrick

More information about the Whonix-devel mailing list