Making /home and /usr/local non persistent


atlahua

May 9, 2017, 10:10:00 AM
to qubes...@googlegroups.com
Hi there!

I need to be able to start DVM's from different templates
simultaneously. This feature is not available as far as I know.
For this reason I am trying the next best thing which is to make /home
and /usr/local to make sure that nothing is left when I power down a
standard Template based VM.

How can I achieve that?

Thnx in advance for your contributions,
A.

Unman

May 9, 2017, 6:18:27 PM
to atlahua, qubes...@googlegroups.com
This will be incorporated in r4.

I've posted before with details of a simple way of running DVMs based on
different templates. It relies on the fact that generating a new
DVMTemplate leaves old DVMTemplates in place on disk.

I'll just quote my earlier mail:

First generate assorted disposableVMs using qvm-create-default-dvm and customize
them as you will. (Strictly this isn't necessary but you may as well get
your disposableVM just the way you want it.)

Because you can set disposableVMs with different netvms, and alternate
Qubes networking paths, it's possible to trigger disposableVMs using
different torVMs/ VPNs through different NICs, in the same time it takes
to load a disposableVM ordinarily.
I have a number of keyboard shortcuts to call a script with different
parameters, to do exactly this. It's multi-template disposableVMs on the
cheap, and works for me.

#!/bin/sh
# Usage: switch_dvm templatename [command]
if [ $# -eq 0 ] || [ $# -gt 2 ] ; then
    echo 'Usage: switch_dvm templatename [command]'
    exit 1
fi
TEMPLATENAME=$1
DVMTMPL="$TEMPLATENAME"-dvm
DVMTMPLDIR="/var/lib/qubes/appvms/$DVMTMPL"
ROOT=/var/lib/qubes/dvmdata/savefile-root
DEFAULT=/var/lib/qubes/dvmdata/default-savefile
CURRENT=/var/run/qubes/current-savefile
SHMDIR=/dev/shm/qubes
SHMCOPY=$SHMDIR/current-savefile
if [ -d "$DVMTMPLDIR" ] ; then
    # Relink the saved state of the chosen DVMTemplate as the current one.
    rm -f "$ROOT" "$DEFAULT" "$CURRENT"
    ln -s "$DVMTMPLDIR/dvm-savefile" "$DEFAULT"
    ln -s "/var/lib/qubes/vm-templates/$TEMPLATENAME/root.img" "$ROOT"
    rm -f "$SHMCOPY"
    cp "$DEFAULT" "$SHMCOPY" || exit 1
    chgrp qubes "$SHMCOPY"
    chmod 660 "$SHMCOPY"
    ln -s "$SHMCOPY" "$CURRENT"
    rm /var/lib/qubes/dvmdata/vmdir
    ln -s "$DVMTMPLDIR" /var/lib/qubes/dvmdata/vmdir
else
    echo "Creating new dvm"
    qvm-create-default-dvm "$TEMPLATENAME"
fi
if [ -n "$2" ] ; then
    # Quoted so that a command containing spaces is passed through intact.
    echo "$2" | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red
fi


unman

Chris Laprise

May 9, 2017, 8:22:20 PM
to atl...@krutt.org, qubes...@googlegroups.com, Unman
I've created a detection and control service for VM private volumes that
makes /rw/usrlocal, /rw/config and /rw/bind-dirs non-persistent to help
VMs fend off malware infestation. It acts at boot time before /rw (and
thus /home) is brought online.

Its script could easily be adapted to work with /rw/home as well by
adding that path to "$rootdirs" and a command like "mkdir -p
$rw/home/user" just before the make_immutable part.

https://github.com/tasket/Qubes-VM-hardening/tree/systemd

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

atlahua

May 10, 2017, 12:57:38 PM
to Unman, qubes...@googlegroups.com
Thanks Unman.
I do not have a full understanding of how dvm's are created and
therefore I am going to need some time to understand how your script
works.
I have one initial question though: what is the second argument, the
[command]?

atlahua

May 10, 2017, 1:07:46 PM
to Chris Laprise, qubes...@googlegroups.com, Unman
Hi Chris.
Thanks for your answer.
There is one thing I do not understand though: by making those files or
folders immutable you stop them from being modified. What I need is for
them to load from the template every time the template based VM starts.
I am relatively new to linux and to scripting so forgive me if I am
missing some basic and fundamental concepts here.
Regards,
Atlahua

Chris Laprise

May 10, 2017, 3:55:50 PM
to atl...@krutt.org, qubes...@googlegroups.com, Unman
The service does four basic things (in order):

* Checks hashes for any files you specify in .SHA lists; Alerts you and
stops boot process if any checks fail.

* Disables /rw/config, /rw/usrlocal, /rw/bind-dirs to protect against
malware that had gained root access
- Files in these dirs may be white listed

* Copies any files you set up in /etc/default/vms into /rw or anywhere
else in the system.

* Makes /home start scripts immutable, protecting against non-escalating
(non-root) malware

...then it allows the system to mount /rw normally and finish booting.


So it's like a management kit for securing and configuring the private
disk image (/rw and /home).

If you want the same files in /home/user every time an appVM starts, you
can add the files to '/etc/default/vms/vms.all/rw/home' and they will be
copied on each VM boot (you can also target VMs by name; replace vms.all
with the VM name). If you also want the other contents of /home/user
removed, you can add '/rw/home' to the $rootdirs= definition.

The overall steps for setup are installing the systemd service to the
template according to the README, then adding any files you desire in
/etc/default/vms, shutdown template, assign appVMs to template and also
add the 'vm-sudo-protect-root' service to them in the Qubes Manager
settings.
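
The "disable, then redeploy" behaviour described in the message above, as an added sketch that is not part of the thread and not the Qubes-VM-hardening code: it empties the listed directories on a scratch tree and recopies files from a defaults tree laid out like '/etc/default/vms'. The function name, its arguments and the quarantine.old directory are assumptions of this example.

```shell
#!/bin/sh
# Added sketch, NOT the Qubes-VM-hardening script. Function name, argument
# order and the quarantine directory name are assumptions of this example.
#
# reset_private RW DEFAULTS VMNAME ROOTDIRS
#   RW        private volume mount point (/rw in a real VM)
#   DEFAULTS  template-side tree (/etc/default/vms in the thread)
#   VMNAME    this VM's name, used for per-VM files
#   ROOTDIRS  space-separated directories under RW to empty on every boot
reset_private() {
    rp_rw=$1 rp_defaults=$2 rp_vm=$3 rp_dirs=$4
    [ -d "$rp_rw" ] || return 1         # refuse an empty or missing RW
    rp_old="$rp_rw/quarantine.old"      # hypothetical name
    rm -rf "$rp_old" && mkdir -p "$rp_old" || return 1
    for rp_d in $rp_dirs; do
        # Move the previous session's directory out of the active path
        # rather than deleting it, so it can be inspected afterwards.
        if [ -e "$rp_rw/$rp_d" ]; then
            mv "$rp_rw/$rp_d" "$rp_old/" || return 1
        fi
        mkdir -p "$rp_rw/$rp_d" || return 1
    done
    # Redeploy known-good files: the all-VM set first, then this VM's own
    # set, so the per-VM copy wins when both provide the same path.
    for rp_src in "$rp_defaults/vms.all/rw" "$rp_defaults/$rp_vm/rw"; do
        if [ -d "$rp_src" ]; then
            cp -a "$rp_src/." "$rp_rw/" || return 1
        fi
    done
    # Counterpart of the "mkdir -p $rw/home/user" mentioned in the thread.
    case " $rp_dirs " in
        *" home "*) mkdir -p "$rp_rw/home/user" ;;
    esac
}

# Constructed demo on a scratch directory: sh thisfile demo
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d)
    mkdir -p "$t/rw/home/user" "$t/defaults/vms.all/rw/home/user"
    echo 'leftover' > "$t/rw/home/user/dropped.sh"
    echo 'alias ll="ls -l"' > "$t/defaults/vms.all/rw/home/user/.bashrc"
    reset_private "$t/rw" "$t/defaults" work "home usrlocal"
    find "$t/rw" | sort
    rm -rf "$t"
fi
```

In a real VM this would have to run as root at boot before /rw is in use; the hash checks and the immutable-flag step of the service are not covered here.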

Unman

May 10, 2017, 5:44:50 PM
to atlahua, qubes...@googlegroups.com
On Wed, May 10, 2017 at 04:57:35PM +0000, atlahua wrote:
> Thanks Unman.
> I do not have a full understanding of how dvm's are created and therefore I
> am going to need some time to understand how your script works.
> I have one initial question though: what is the second argument, the
> [command]?
>

The command to create a DVM Template is qvm-create-default-dvm, and this
is a python file that is pretty easy to understand.
The DVM templates are retained in the /var/lib/qubes/appvms/ directory -
if you create a few then you will see them there, with the dvm suffix.
A disposableVM is spawned from the saved state of a running DVMTemplate
- that's why it loads so fast.

All my script does is relink the saved state for a particular
DVMTemplate to the "current" Template, and then spawns a disposableVM
based on that state.

The second argument is just whatever you want to run in the disposableVM
- 'xterm' or 'firefox'. I use keyboard shortcuts linked to different
invocations.

I think this gives you exactly what you are looking for.

unman