security-misc/usr/lib/security-misc/remount-secure

#!/bin/bash

## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## noexec in /tmp and/or /home can break some malware but also legitimate
## applications.

## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707

#set -x
set -e

if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
   ## pre.bsh would `source` the following folders:
   ## /etc/remount-secure_pre.d/*.conf
   ## /usr/local/etc/remount-secure_pre.d/*.conf
   source /usr/lib/helper-scripts/pre.bsh
fi

if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then
   echo "INFO: file /etc/remount-disable exists. Doing nothing."
   exit 0
fi

if [ -e /etc/exec ] || [ -e /usr/local/etc/exec ]; then
   noexec=false
   echo "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists."
else
   if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then
      noexec=true
      echo "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists."
   else
      echo "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist."
   fi
fi

mkdir --parents "/var/run/remount-secure"

if [ "$noexec" = "true" ]; then
   noexec_maybe=",noexec"
fi

exit_code=0

mount_output="$(mount)"

remount_secure() {
   ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function
   ## which called this function.
   status_file_name="${FUNCNAME[1]}"
   ## example status_file_name:
   ## _home
   status_file_full_path="/var/run/remount-secure/${status_file_name}"
   ## example status_file_full_path:
   ## /var/run/remount-secure/_home

   ## str_replace is provided by package helper-scripts.
   mount_folder="$(echo "${status_file_name}" | str_replace "_" "/")"
   ## example mount_folder:
   ## /home

   mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true

   if echo "$mount_line_of_mount_folder" | grep -q "$new_mount_options" ; then
      echo "INFO: $mount_folder has already intended mount options."
      return 0
   fi

   if [ -e "$status_file_full_path" ]; then
      echo "INFO: $mount_folder already remounted earlier. Not remounting again."
      return 0
   fi

   if echo "$mount_output" | grep -q "$mount_folder " ; then
      ## Already mounted. Using remount.
      echo mount -o "remount,${new_mount_options}" "$mount_folder"
      mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100
   else
      ## Not yet mounted. Using mount bind.
      echo mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder"
      mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101
   fi

   touch "$status_file_full_path"
}

_home() {
   new_mount_options="nosuid,nodev${noexec_maybe}"
   remount_secure "$@"
}

_run() {
   ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
   new_mount_options="nosuid,nodev${noexec_maybe}"
   remount_secure "$@"
}

_dev_shm() {
   new_mount_options="nosuid,nodev${noexec_maybe}"
   remount_secure "$@"
}

_tmp() {
   new_mount_options="nosuid,nodev${noexec_maybe}"
   remount_secure "$@"
}

## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25
# _lib() {
#    ## Not using noexec on /lib.
#    new_mount_options="nosuid,nodev"
#    remount_secure "$@"
# }

end() {
   exit $exit_code
}

main() {
   _home "$@"
   _run "$@"
   _dev_shm "$@"
   _tmp "$@"
   #_lib "$@"
   end "$@"
}

main "$@"