On Wednesday, January 24, 2018 at 8:32:24 PM UTC+1, Chris Laprise wrote:
> On 01/24/2018 10:55 AM, Yuraeitha wrote:
> 
> > 
> > All 3 suggestions you guys brought up are really intriguing, I'm pretty 
> > excited about this, these ideas are excellent, even better than I hoped for.
> > 
> > I'm using Qubes 4, so I assume I can't give the beta setup a try until or 
> > if it becomes available on Qubes 4. But from my initial understanding I 
> > like the extra security it provides, although I've yet to better grasp its 
> > full potential. It seems like a pretty cool project you're working on there 
> > Chris.
> > 
> > Unfortunately I don't have much experience as a coder either, so I can't 
> > make such a script Alex, I can at most read scripts or make simple ones. 
> > But it's a pretty good idea as well, it'd be amazing if someone would want 
> > to make such a bookmark-manager and contribute it to Qubes. Maybe even take 
> > it further and storing the bookmarks outside the VM until a single bookmark 
> > is needed? Similar to keeping i.e. KeePassX in an offline VM? Though I 
> > imagine that would add further complexity, which is definitely outside my 
> > skill-set.
> 
> I'm going to test the Qubes-VM-hardening service on Qubes 4 tonight to 
> see if it needs any adjustment for the whitelisting feature to work. 
> I'll also expand on the (admittedly sparse) instructions.
> 
> If it works then it's probably easier to add a service and maintain a 
> single whitelist file.
> 
> 
> > For now I'll try to delve down into the /usr/lib/qubes/init/setup-rw.sh 
> > re-mounting suggestion. It's the only one I have the skill-set and 
> > current-means to pull off on my own. It's been some long exhausting days, 
> > so hopefully I'll get around to try this tomorrow.
> > 
> > I'm currently pondering about how to change the mount points correctly 
> > though. It seems like it has similar logic to traditional Linux mounting 
> > logic, and when combined with Qubes template/appVM logic, then it seems 
> > like I can solve it with some trial and error and exploring-testing, using 
> > your post as an initial starting point. I have some leads now, it'll be 
> > interesting to look into. I'll post back on how it goes.
> 
> Actually, you don't even need to change the mountpoint, which is done by 
> mount-dirs.sh, BTW. One example is to change the line that starts 
> 'initialize_home' to:
> 
> rm -rf /rw/home-old
> mv /rw/home /rw/home-old
> initialize_home "/rw/home" unconditionally
> 
> ...and then cp or mv files from /rw/home-old as needed.
> 
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

Sorry for the delay, it was finally possible to find home-time to play with 
this (the dread of being on the road too much).

I followed your instructions, and it works beautifully!

The change from "ifneeded" to "unconditionally", is it correctly understood to 
be the one that freezes the /rw/home folder at the template: 
/usr/lib/qubes/init/mount-dirs.sh? If so, then I think I understand this part 
of it now. I might do this to all my templates, it's a pretty awesome trick, 
many thanks for sharing/helping! :)

My worries are if updates clean up these scripts though. I know it might be an 
impossible question to answer as anything is likely subject to change whenever, 
but do updates happen to these files frequently? Will the updater warn if 
there are changes? (like i.e. it does if there are changes to /etc/fstab in 
debian templates?). 

Have you considered sharing this as a guide on https://www.qubes-os.org/doc/? 
Of course only if you got the time and interest. Maybe even whether your 
script adjustment can be implemented as a permanent feature of Qubes templates, 
and then people only have to move between the folders in the AppVM, and not do 
anything to the scripts in the template? That'd be pretty neat for those who 
have a hard time getting to the motor under the car's lid, so to speak. I mean, 
it's pretty smart, it even works like before if not moving anything between the 
folders, so people won't even feel any difference if not moving between the 
folders, I assume.

Will be keeping an eye out for when/if you release the VM-hardening beta for 
Qubes 4, no pressure though, can wait till/if you have the time/interest.
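
The "cp or mv files from /rw/home-old as needed" step discussed in this thread, driven by a single whitelist file, as an added example that is not part of either message and is not Qubes or Qubes-VM-hardening code. The function name, the whitelist format and the example paths are assumptions.

```shell
#!/bin/sh
# Added example, not Qubes or Qubes-VM-hardening code.
# Assumed layout: the template's init script has already moved the old home
# to OLD_ROOT (e.g. /rw/home-old) and created a fresh NEW_ROOT (e.g. /rw/home).
# Assumed whitelist format (hypothetical): one path per line, relative to the
# home root, '#' for comments.

# restore_whitelisted OLD_ROOT NEW_ROOT WHITELIST_FILE
# Prints "restored|rejected|missing <entry>" for every whitelist entry.
restore_whitelisted() {
    old=$1; new=$2; list=$3
    root=$(cd "$old" && pwd -P) || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%/}
        case $entry in
            ''|'#'*) continue ;;                 # blank line or comment
            /*|..|../*|*/..|*/../*)              # absolute path or traversal
                echo "rejected $entry"; continue ;;
        esac
        src=$old/$entry
        # Resolve the parent directory physically; a missing parent means
        # the entry does not exist in the old home.
        parent=$(cd "$(dirname "$src")" 2>/dev/null && pwd -P) ||
            { echo "missing $entry"; continue; }
        # A symlinked directory component must not lead outside OLD_ROOT,
        # and the entry itself must not be a symlink planted in the old home.
        case $parent/ in
            "$root"/*) ;;
            *) echo "rejected $entry"; continue ;;
        esac
        if [ -L "$src" ]; then echo "rejected $entry"; continue; fi
        if [ ! -e "$src" ]; then echo "missing $entry"; continue; fi
        mkdir -p "$(dirname "$new/$entry")"
        # -a preserves mode and timestamps; -P copies symlinks inside a
        # restored directory as links instead of following them.
        cp -aP "$src" "$(dirname "$new/$entry")/"
        echo "restored $entry"
    done < "$list"
}
```

Anything not listed stays behind in the old home directory, so files written by a compromised session are not carried into the fresh home unless the whitelist names them.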
