add hardened fstab /usr/share/doc/security-misc/fstab-vm

to the documentation folder as an example not directly used by security-misc will later be used by Kicksecure VM build process https://github.com/Kicksecure/security-misc/issues/157
2024-10-01 08:25:45 -04:00 · 2023-12-12 11:50:11 -05:00 · 2023-12-12 11:50:11 -05:00 · 039de1dc9b
commit 039de1dc9b
parent dcaafa6c8b
1 changed files with 41 additions and 0 deletions
--- a/usr/share/doc/security-misc/fstab-vm
+++ b/usr/share/doc/security-misc/fstab-vm
@ -0,0 +1,41 @@
+# <file system>                                             <mount point>     <type>    <options>                  <dump> <pass>
+
+/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6       /                auto      defaults,errors=remount-ro  0      1
+
+proc                                                         /proc            proc      defaults                    0      0
+
+/dev                                                         /dev             none      bind                        0      0
+/dev                                                         /dev             none      remount,nosuid,noexec       0      0
+
+## noexec optional
+/dev/shm                                                     /dev/shm         tmpfs     nosuid,nodev,noexec         0      0
+
+/dev/cdrom                                                   /mnt/cdrom0      iso9660   ro,user,noauto              0      0
+
+/boot                                                        /boot            none      bind                        0      0
+/boot                                                        /boot            none      remount,nosuid,nodev,noexec 0      0
+
+/lib                                                         /lib             none      bind                        0      0
+/lib                                                         /lib             none      remount,nosuid,nodev        0      0
+
+## noexec optional
+/tmp                                                         /tmp             none      bind                        0      0
+/tmp                                                         /tmp             none      remount,nosuid,nodev,noexec 0      0
+
+/var                                                         /var             none      bind                        0      0
+/var                                                         /var             none      remount,nosuid,nodev        0      0
+
+## noexec optional
+/var/tmp                                                     /var/tmp         none      bind                        0      0
+/var/tmp                                                     /var/tmp         none      remount,nosuid,nodev,noexec 0      0
+
+/var/log                                                     /var/log         none      bind                        0      0
+/var/log                                                     /var/log         none      remount,nosuid,nodev,noexec 0      0
+
+## noexec optional
+/run                                                         /run             none      bind                        0      0
+/run                                                         /run             none      remount,nosuid,nodev,noexec 0      0
+
+## noexec optional
+/home                                                        /home            none      bind                        0      0
+/home                                                        /home            none      remount,nosuid,nodev,noexec 0      0