security-misc/usr/bin/remount-secure


#!/bin/bash
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## noexec in /tmp and/or /home can break some malware but also legitimate
## applications.
## https://www.kicksecure.com/wiki/Dev/remount-secure
## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
#set -x
## Abort on the first failing command, on a failing stage anywhere in a
## pipeline, and on any reference to an unset variable.
set -o errexit
set -o pipefail
set -o nounset
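init() {
  ## One-time setup: choose the message printer, enforce root, create the
  ## status directory, initialise the global exit code and detect dracut.
  ## Globals written: output_command, exit_code, NEWROOT
  ## Exits with 1 when not run as root.

  ## While 'set -x' is tracing, the trace already shows every command, so
  ## the INFO messages are silenced by printing through 'true'.
  if test -o xtrace ; then
    output_command=true
  else
    output_command=echo
  fi

  if [ "$(id -u)" != "0" ]; then
    $output_command "ERROR: must be run as root! sudo $0"
    exit 1
  fi

  $output_command "$0: INFO: START"

  ## One status file per remounted folder is kept here (see remount_secure).
  mkdir --parents "/run/remount-secure"
  ## Overall exit status of the script; remount_secure sets it to a non-zero
  ## value on failure and end() exits with it.
  exit_code=0

  ## dracut sets NEWROOT=/sysroot. Outside of dracut the variable is unset;
  ## default it to "" so that "$NEWROOT/..." paths resolve against the real
  ## root and 'set -o nounset' does not abort the script.
  [[ -v NEWROOT ]] || NEWROOT=""
  ## An empty NEWROOT means the script is not running inside dracut.
  if [ "$NEWROOT" = "" ]; then
    $output_command "INFO: dracut detected: no - NEWROOT: '$NEWROOT'"
  else
    $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'"
  fi

  ## Debugging.
  $output_command "INFO: 'findmnt --list' output at the START."
  $output_command "$(findmnt --list)"
  $output_command ""

  ## Debugging.
  #echo "ls -la /root/"
  #ls -la / || true
  #echo "ls -la /sysroot/"
  #ls -la /sysroot/ || true
  #echo "env"
  #env || true
}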
parse_options() {
  ## Parse the command line.
  ##   --remountnoexec  append ",noexec" to the options of folders that
  ##                    allow it (sets noexec_maybe)
  ##   --force          remount even if a status file from an earlier run
  ##                    exists (sets option_force)
  ##   --               end of options
  ## Any other "-..." argument is rejected with exit status 1; the first
  ## non-option argument stops parsing.
  ## Globals written: noexec_maybe, option_force (both default to "")
  ## Thanks to:
  ## http://mywiki.wooledge.org/BashFAQ/035
  local option
  while true; do
    option="${1:-}"
    case "$option" in
      --remountnoexec)
        $output_command "INFO: --remountnoexec"
        noexec_maybe=",noexec"
        shift
        ;;
      --force)
        $output_command "INFO: --force"
        option_force=true
        shift
        ;;
      --)
        shift
        break
        ;;
      -*)
        echo "unknown option: $1" >&2
        exit 1
        ;;
      *)
        break
        ;;
    esac
  done
  ## Assign the empty default only when the variable is still unset, so a
  ## value inherited from the environment is kept.
  : "${noexec_maybe=}"
  : "${option_force=}"
}
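remount_secure() {
  ## Remount (or bind-mount) $mount_folder with $intended_mount_options.
  ## Globals read:    mount_folder, intended_mount_options, option_force,
  ##                  output_command
  ## Globals written: exit_code (100: remount failed, 101: bind mount failed,
  ##                  102: folder does not exist)
  ## Side effects:    creates /run/remount-secure/<caller> as a status file
  ##                  once the folder was remounted successfully.
  ## Returns:         always 0; failures are reported through exit_code only,
  ##                  so the remaining folders are still processed.
  local status_file_name status_file_full_path
  local old_mount_options new_mount_options
  local mount_ok

  $output_command ""

  ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function
  ## which called this function.
  status_file_name="${FUNCNAME[1]}"
  ## example status_file_name:
  ## _home
  status_file_full_path="/run/remount-secure/${status_file_name}"
  ## example status_file_full_path:
  ## /run/remount-secure/_home

  old_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true
  ## example old_mount_options:
  ## rw,nosuid,nodev,relatime,discard

  $output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'"
  ## The option list is data, not a pattern: match it as a fixed string and
  ## protect it from being read as a grep option.
  if grep --quiet --fixed-strings -- "$intended_mount_options" <<< "$old_mount_options" ; then
    $output_command "INFO: '$mount_folder' has already intended mount options. ($intended_mount_options)"
    return 0
  fi

  ## When this package is upgraded, the systemd unit will run again.
  ## If the user meanwhile manually relaxed mount options, this should not be undone.
  if [ ! "$option_force" == "true" ]; then
    if [ -e "$status_file_full_path" ]; then
      $output_command "INFO: '$mount_folder' already remounted earlier. Not remounting again. Use --force if this is what you want."
      return 0
    fi
  fi

  if ! test -d "$mount_folder" ; then
    $output_command "INFO: '$mount_folder' folder exists: no"
    exit_code=102
    return 0
  fi
  $output_command "INFO: '$mount_folder' folder exists: yes"

  mount_ok=true
  if findmnt --noheadings "$mount_folder" >/dev/null ; then
    $output_command "INFO: '$mount_folder' already mounted, therefore using remount."
    $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder"
    mount --options "remount,${intended_mount_options}" "$mount_folder" || { exit_code=100 ; mount_ok=false ; }
  else
    $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind."
    $output_command INFO: Executing: mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder"
    mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || { exit_code=101 ; mount_ok=false ; }
  fi

  new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true
  $output_command "INFO: '$mount_folder' new_mount_options: $new_mount_options"

  ## Record success only. A status file written after a failed mount would
  ## make every later run (without --force) skip this folder although it was
  ## never secured.
  if [ "$mount_ok" = "true" ]; then
    touch "$status_file_full_path"
  fi
}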
_boot() {
  ## Secure $NEWROOT/boot: nosuid and nodev, plus noexec when
  ## --remountnoexec was given. Target and options are handed to
  ## remount_secure through globals.
  ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
  intended_mount_options="nosuid,nodev${noexec_maybe}"
  mount_folder="${NEWROOT}/boot"
  remount_secure "$@"
}
_run() {
  ## Secure /run (no NEWROOT prefix: it is not part of the switched root):
  ## nosuid and nodev, plus noexec when --remountnoexec was given.
  ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
  intended_mount_options="nosuid,nodev${noexec_maybe}"
  mount_folder="/run"
  remount_secure "$@"
}
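_dev() {
  ## Secure /dev (no NEWROOT prefix): nosuid, plus noexec when
  ## --remountnoexec was given. nodev is intentionally not part of the list
  ## here, as it would block the device nodes /dev exists to provide.
  ## noexec_maybe already carries its leading comma; writing "nosuid,${...}"
  ## produced "nosuid," with a dangling comma when the option was not given.
  mount_folder="/dev"
  intended_mount_options="nosuid${noexec_maybe}"
  remount_secure "$@"
}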
_dev_shm() {
  ## Secure /dev/shm (no NEWROOT prefix): nosuid and nodev, plus noexec
  ## when --remountnoexec was given.
  intended_mount_options="nosuid,nodev${noexec_maybe}"
  mount_folder="/dev/shm"
  remount_secure "$@"
}
_tmp() {
  ## Secure $NEWROOT/tmp: nosuid and nodev, plus noexec when
  ## --remountnoexec was given.
  intended_mount_options="nosuid,nodev${noexec_maybe}"
  mount_folder="${NEWROOT}/tmp"
  remount_secure "$@"
}
_var() {
  ## Secure $NEWROOT/var with nosuid only; --remountnoexec has no effect
  ## on this folder.
  ## TODO: nodev? noexec?
  intended_mount_options="nosuid"
  mount_folder="${NEWROOT}/var"
  remount_secure "$@"
}
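_var_tmp() {
  ## Secure $NEWROOT/var/tmp: nosuid and nodev, plus noexec when
  ## --remountnoexec was given.
  ## Prefixed with $NEWROOT like _tmp, _var and _var_log: /var/tmp lives on
  ## the root file system, which dracut exposes at $NEWROOT before
  ## switch_root; without the prefix the initramfs' own /var/tmp would be
  ## targeted instead.
  mount_folder="$NEWROOT/var/tmp"
  intended_mount_options="nosuid,nodev${noexec_maybe}"
  remount_secure "$@"
}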
_var_log() {
  ## Secure $NEWROOT/var/log: nosuid, nodev and noexec unconditionally
  ## (independent of --remountnoexec).
  intended_mount_options="nosuid,nodev,noexec"
  mount_folder="${NEWROOT}/var/log"
  remount_secure "$@"
}
_lib() {
  ## Secure $NEWROOT/lib with nosuid and nodev; --remountnoexec has no
  ## effect on this folder.
  ## Not using noexec on /lib.
  ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25
  intended_mount_options="nosuid,nodev"
  mount_folder="${NEWROOT}/lib"
  remount_secure "$@"
}
_home() {
  ## Secure $NEWROOT/home: nosuid and nodev, plus noexec when
  ## --remountnoexec was given.
  intended_mount_options="nosuid,nodev${noexec_maybe}"
  mount_folder="${NEWROOT}/home"
  remount_secure "$@"
}
end() {
  ## Print the final mount table for debugging and terminate the script
  ## with the exit code recorded in the global exit_code.
  ## Debugging.
  $output_command "INFO: 'findmnt --list' output at the END."
  $output_command "$(findmnt --list)"
  $output_command "$0: INFO: END"
  exit "$exit_code"
}
## TODO: need to be tested one by one
main() {
  ## Set up, parse the command line, then secure each folder in turn and
  ## exit with the status collected by remount_secure.
  init
  parse_options "$@"

  ## Every helper below sets mount_folder / intended_mount_options and calls
  ## remount_secure. Order is significant and is kept as-is.
  local target
  for target in \
    _boot \
    _run \
    _dev_shm \
    _tmp \
    _var \
    _var_tmp \
    _var_log \
    _home ; do
    "$target"
  done

  ## Helpers not (yet) enabled:
  ## TODO: ?
  #_dev
  ## TODO: broken?
  #_lib

  end
}
## Entry point: hand every command line argument to main.
main "$@"