#!/bin/bash

## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Remounts /home, /run, /dev/shm and /tmp with nosuid,nodev and, when opted
## in via a marker file, noexec. noexec in /tmp and/or /home can break some
## malware but also legitimate applications.
## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707

## Uncomment to trace every command; the INFO messages are then suppressed.
#set -x

## Abort on a failing command, a failing pipeline stage or an unset variable.
set -e -o pipefail -o nounset
## pre.bsh (package helper-scripts) is optional; when present it sources
## drop-in configuration from:
##   /etc/remount-secure_pre.d/*.conf
##   /usr/local/etc/remount-secure_pre.d/*.conf
if test -f /usr/libexec/helper-scripts/pre.bsh ; then
   # shellcheck disable=SC1091
   . /usr/libexec/helper-scripts/pre.bsh
fi
## Under xtrace every command is already printed, so the INFO messages would
## only duplicate the trace; send them to "true" in that case.
output_command=echo
if test -o xtrace ; then
   output_command=true
fi
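## Kill switch: either marker file disables this script entirely.
## The message names the file that was actually found instead of always
## claiming /etc/remount-disable.
for remount_disable_file in /etc/remount-disable /usr/local/etc/remount-disable ; do
   if [ -e "$remount_disable_file" ]; then
      $output_command "INFO: file $remount_disable_file exists. Doing nothing."
      exit 0
   fi
done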
## Opt-out / opt-in marker files for noexec. An "exec" file wins over a
## "noexec" file; when neither exists, noexec stays unset and no noexec
## option is added later.
if [ -e /etc/exec ] || [ -e /usr/local/etc/exec ]; then
   noexec=false
   $output_command "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists."
elif [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then
   noexec=true
   $output_command "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists."
else
   $output_command "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist."
fi
## Directory for the per-folder status files written by remount_secure.
mkdir -p -- /var/run/remount-secure
## Give both variables a value so nounset does not trip when no marker file
## set noexec above. "${var-}" only substitutes when the variable is unset.
noexec="${noexec-}"
noexec_maybe="${noexec_maybe-}"

## Only an explicit opt-in appends ",noexec" to the mount options.
case "$noexec" in
   true) noexec_maybe=",noexec" ;;
esac
## Fail early (errexit) if str_replace from package helper-scripts is missing.
command -v str_replace 1>/dev/null

## Overall exit status; remount_secure sets it to 100 or 101 on a failed mount.
exit_code=0

## Snapshot of the mount table, consulted once per folder.
mount_output=$(mount)
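remount_secure() {
   ## Remount the folder named by the calling function with the mount options
   ## the caller placed in $new_mount_options, then record the folder in a
   ## status file so that a later run within the same boot (the systemd unit
   ## runs again when this package is upgraded) leaves the folder alone.
   ##
   ## Arguments:
   ##   $1 - optional; "--force" remounts even when the status file exists.
   ## Globals read:    new_mount_options, mount_output, output_command
   ## Globals written: exit_code (100 if "mount -o remount" failed,
   ##                  101 if "mount --bind" failed)
   ## Returns: 0 in every case; mount failures are reported via exit_code only.
   local status_file_name status_file_full_path mount_folder
   local mount_line_of_mount_folder

   ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function
   ## which called this function.
   status_file_name="${FUNCNAME[1]}"
   ## example status_file_name:
   ## _home
   status_file_full_path="/var/run/remount-secure/${status_file_name}"
   ## example status_file_full_path:
   ## /var/run/remount-secure/_home

   ## Every "_" in the function name stands for a "/" in the mount point
   ## ("_dev_shm" -> "/dev/shm"). Bash's all-occurrences substitution does
   ## this without a pipe to an external helper.
   mount_folder="${status_file_name//_//}"
   ## example mount_folder:
   ## /home

   ## Match the " on /home " field of "mount" output rather than the bare
   ## "/home ", so a device name or another mount point that merely contains
   ## the folder name cannot be mistaken for it.
   ## A here-string replaces "echo ... | grep": with the pipe, grep exiting
   ## early made echo report "write error: Broken pipe", and with pipefail set
   ## that can turn a successful match into a failed pipeline.
   mount_line_of_mount_folder="$(grep --fixed-strings -- " on ${mount_folder} " <<< "$mount_output")" || true

   if grep --quiet --fixed-strings -- "$new_mount_options" <<< "$mount_line_of_mount_folder" ; then
      $output_command "INFO: $mount_folder has already intended mount options. ($new_mount_options)"
      return 0
   fi

   ## When this package is upgraded, the systemd unit will run again.
   ## If the user meanwhile manually relaxed mount options, this should not be
   ## undone: unless --force was given, a folder that already has a status
   ## file is skipped. (The previous "== --force" test had this backwards and
   ## skipped only when --force was passed.)
   if [ "${1:-}" != "--force" ]; then
      if [ -e "$status_file_full_path" ]; then
         $output_command "INFO: $mount_folder already remounted earlier. Not remounting again. Use --force if this is what you want."
         return 0
      fi
   fi

   if [ -n "$mount_line_of_mount_folder" ]; then
      ## Already mounted. Using remount.
      $output_command INFO: Executing: mount -o "remount,${new_mount_options}" "$mount_folder"
      if ! mount -o "remount,${new_mount_options}" "$mount_folder" ; then
         exit_code=100
         return 0
      fi
   else
      ## Not yet mounted. Using mount bind.
      $output_command INFO: Executing: mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder"
      if ! mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" ; then
         exit_code=101
         return 0
      fi
   fi

   ## Only a successful mount is recorded; otherwise a later run (without
   ## --force) would skip a folder that never received its hardened options.
   touch "$status_file_full_path"
}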
_home() {
   ## Harden /home; remount_secure derives the mount point from this
   ## function's name and reads the options from new_mount_options.
   printf -v new_mount_options '%s%s' 'nosuid,nodev' "$noexec_maybe"
   remount_secure "$@"
}
_run() {
   ## Harden /run; remount_secure derives the mount point from this
   ## function's name and reads the options from new_mount_options.
   ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
   printf -v new_mount_options '%s%s' 'nosuid,nodev' "$noexec_maybe"
   remount_secure "$@"
}
_dev_shm() {
   ## Harden /dev/shm; remount_secure derives the mount point from this
   ## function's name and reads the options from new_mount_options.
   printf -v new_mount_options '%s%s' 'nosuid,nodev' "$noexec_maybe"
   remount_secure "$@"
}
_tmp() {
   ## Harden /tmp; remount_secure derives the mount point from this
   ## function's name and reads the options from new_mount_options.
   printf -v new_mount_options '%s%s' 'nosuid,nodev' "$noexec_maybe"
   remount_secure "$@"
}
## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25
# _lib() {
# ## Not using noexec on /lib.
# new_mount_options="nosuid,nodev"
# remount_secure "$@"
# }
end() {
   ## Terminate with the status accumulated by remount_secure
   ## (0 when every remount succeeded, otherwise 100 or 101).
   local final_status="$exit_code"
   exit "$final_status"
}
main() {
   ## Each helper is named after its mount point ("_" for "/"); remount_secure
   ## derives the folder from the caller's name, so the helpers are called
   ## directly rather than through a generic function. All arguments
   ## (e.g. --force) are forwarded to every helper.
   local folder_function
   for folder_function in _home _run _dev_shm _tmp ; do
      "$folder_function" "$@"
   done
   ## /lib is deliberately left alone, see the forum thread above.
   #_lib "$@"
   end "$@"
}
## Entry point; all arguments (e.g. --force) are passed on to every folder helper.
main "$@"