[Whonix-devel] [qubes-devel] Require script to run immed. after /rw mount

Chris Laprise tasket at openmailbox.org
Fri Apr 21 02:51:04 CEST 2017


On 04/20/2017 05:51 PM, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Thu, Apr 20, 2017 at 05:46:48PM -0400, Chris Laprise wrote:
>> On 04/17/2017 06:12 PM, Marek Marczykowski-Górecki wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> On Mon, Apr 17, 2017 at 10:02:00PM +0000, Patrick Schleizer wrote:
>>>> Hi! :)
>>>>
>>>> You want a hook exactly between mount-dirs.sh and bind-dirs.sh?
>>>>
>>>> Chris Laprise:
>>>>> Alternately, mount-dirs.sh could have
>>>>> a hook that points to a specific user script in /etc.
>>>>
>>>> User script sounds a bit limited. What about something a little more
>>>> flexible?
>>>>
>>>> Untested pseudo code:
>>>>
>>>> if [ -d /etc/qubes/mount-dirs-post.d ]; then
>>>>    run-parts /etc/qubes/mount-dirs-post.d
>>>> fi
>>>
>>> IMO this is the way to go. In addition to your VM hardening scripts,
>>> this could be used also for some /rw initialization, beyond /etc/skel.
>>> AFAIR there was a need for a similar thing to copy Tor Browser there.
>>
>> IIUC, this idea is for R4.x release..? It will be nice to have, but in the
>> meantime I'm still looking for a way to make this possible in R3.2 without
>> getting medieval (sed /usr/lib...script.sh).
>
> Actually, if the behaviour without any additional configuration would be
> unchanged, we may consider it also for R3.2.
>
>> It would be really nice to activate my script on a per-VM basis(!) from
>> Qubes Manager settings. I'm having better luck doing it this way, running it
>> before meminfowriter and after qubes-sysinit.
>
> For this, take a look here:
> https://www.qubes-os.org/doc/qubes-service/

Yes, already there. It seems to work well now. I settled on specifying 
WantedBy=sysinit.target and no 'Before'.

https://github.com/tasket/Qubes-VM-hardening/blob/systemd/lib/systemd/system/vm-sudo-protect.service

-- 

Chris Laprise, tasket at openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
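As an added illustration, not code from this thread or from Qubes itself: a POSIX sh sketch of the hook directory Patrick proposes above, with the run-parts semantics a defender relies on (only regular, executable files with run-parts-style names are run, in lexical order, and one failing hook is logged without blocking the rest) written out explicitly. The directory argument is an assumption added so the function can be exercised against a scratch directory; with no argument it falls back to the proposed /etc/qubes/mount-dirs-post.d.

```shell
#!/bin/sh
# Added example: a run-parts style runner for a mount-dirs post hook directory.
# Not part of Qubes; the hook path and the per-hook logging are assumptions.

run_hook_dir() {
    dir="${1:-/etc/qubes/mount-dirs-post.d}"   # default matches the proposal
    failed=0
    # No hook directory means no hooks: behaviour without configuration is unchanged.
    [ -d "$dir" ] || return 0
    for hook in "$dir"/*; do
        # Skip non-files and anything without the executable bit (disabled hooks).
        [ -f "$hook" ] && [ -x "$hook" ] || continue
        name="${hook##*/}"
        # Mirror run-parts' default name filter: letters, digits, '_' and '-' only,
        # so editor backups and *.dpkg-old leftovers are never executed.
        case "$name" in
            *[!A-Za-z0-9_-]*) continue ;;
        esac
        # The &&/|| form keeps a failing hook from aborting under 'set -e'.
        "$hook" && rc=0 || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "mount-dirs-post: ran $name" >&2
        else
            echo "mount-dirs-post: $name failed with status $rc" >&2
            failed=$((failed + 1))
        fi
    done
    # Return value is the number of hooks that failed, for the caller's log.
    return "$failed"
}
```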
