From 0c5848494b147b067afa2b70451fc7e5087823f2 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 21 Dec 2019 04:21:26 -0500
Subject: [PATCH] do not remount if already has intended mount options

---
 usr/lib/security-misc/remount-secure | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure
index 21be55a..1939a0e 100755
--- a/usr/lib/security-misc/remount-secure
+++ b/usr/lib/security-misc/remount-secure
@@ -42,6 +42,10 @@ home() {
 return 0
 fi
 new_mount_options="nosuid,nodev${noexec_maybe}"
+ if mount | grep /home | grep -q "$new_mount_options" ; then
+ echo "INFO: $FUNCNAME has already intended mount options."
+ return 0
+ fi
 mount -o "remount,${new_mount_options}" /home || exit_code=2
 touch "/var/run/remount-secure/${FUNCNAME}"
 }
@@ -52,6 +56,10 @@ run() {
 fi
 ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
 new_mount_options="nosuid,nodev${noexec_maybe}"
+ if mount | grep /run | grep -q "$new_mount_options" ; then
+ echo "INFO: $FUNCNAME has already intended mount options."
+ return 0
+ fi
 mount -o "remount,${new_mount_options}" /run || exit_code=3
 touch "/var/run/remount-secure/${FUNCNAME}"
 }
@@ -61,6 +69,10 @@ shm() {
 return 0
 fi
 new_mount_options="nosuid,nodev${noexec_maybe}"
+ if mount | grep /dev/shm | grep -q "$new_mount_options" ; then
+ echo "INFO: $FUNCNAME has already intended mount options."
+ return 0
+ fi
 mount -o "remount,${new_mount_options}" /dev/shm || exit_code=4
 touch "/var/run/remount-secure/${FUNCNAME}"
 }
@@ -70,6 +82,10 @@ tmp() {
 return 0
 fi
 new_mount_options="nosuid,nodev${noexec_maybe}"
+ if mount | grep /tmp | grep -q "$new_mount_options" ; then
+ echo "INFO: $FUNCNAME has already intended mount options."
+ return 0
+ fi
 mount -o "$new_mount_options" --bind /tmp /tmp || exit_code=5
 touch "/var/run/remount-secure/${FUNCNAME}"
 }
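Review bot: The new guard `mount | grep /home | grep -q "$new_mount_options"` matches any mount whose line merely contains the substring `/home` (for example a separate mount below `/home/<user>`), so a different filesystem that already carries `nosuid,nodev` makes home() report "already has intended mount options" and skip the remount of /home itself; the same substring check is added for /run, /dev/shm and /tmp in the other three hunks of this line and for /sys/kernel/security and /lib on the next, where `/run` also matches `/run/user/*` and `/lib` matches `/usr/lib`, `/lib64` and `/var/lib/*`. The option grep has the same weakness, as `nosuid,nodev` is only a substring test against whatever order the options are printed in. Both checks are the hardening decision of this script, so a false positive silently leaves the mount unhardened; comparing the mount point field of /proc/self/mounts exactly and testing each wanted option individually removes the ambiguity, e.g. with a helper defined once near the top of the script and called as `if mount_has_options /home "$new_mount_options" ; then` in each function. The enclosing functions start outside each hunk, where the earlier `return 0` guard is.
```shell
## Return 0 when every comma-separated option in $2 is set on the
## filesystem mounted exactly at $1 (last matching entry wins), else 1.
## Note: /proc/self/mounts escapes blanks in paths as \040.
mount_has_options() {
   local mount_point="$1" wanted="$2" current option
   current="$(awk -v mp="$mount_point" '$2 == mp { opts = $4 } END { print opts }' /proc/self/mounts)"
   [ -n "$current" ] || return 1
   for option in ${wanted//,/ } ; do
      case ",${current}," in
         *",${option},"*) ;;
         *) return 1 ;;
      esac
   done
   return 0
}

## … unchanged: home() guard and new_mount_options assignment …
   if mount_has_options /home "$new_mount_options" ; then
      echo "INFO: $FUNCNAME has already intended mount options."
      return 0
   fi
```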
@@ -79,6 +95,10 @@ securityfs() {
 return 0
 fi
 new_mount_options="nosuid,nodev${noexec_maybe}"
+ if mount | grep /sys/kernel/security | grep -q "$new_mount_options" ; then
+ echo "INFO: $FUNCNAME has already intended mount options."
+ return 0
+ fi
 mount -o "$new_mount_options" --bind /sys/kernel/security /sys/kernel/security || exit_code=6
 touch "/var/run/remount-secure/${FUNCNAME}"
 }
@@ -89,6 +109,10 @@ lib() {
 fi
 ## Not using noexec on /lib.
 new_mount_options="nosuid,nodev"
+ if mount | grep /lib | grep -q "$new_mount_options" ; then
+ echo "INFO: $FUNCNAME has already intended mount options."
+ return 0
+ fi
 mount -o "$new_mount_options" --bind /lib /lib || exit_code=7
 touch "/var/run/remount-secure/${FUNCNAME}"
 }
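Review bot: The early `return 0` added in lib() (and likewise in securityfs()) returns before the `touch "/var/run/remount-secure/${FUNCNAME}"` marker line, so a mount that is found to already have the intended options never gets its marker file; if the guard at the top of each function (outside the hunk) is the one that reads that marker, every later invocation will repeat the mount-table scan instead of short-circuiting on the marker — presumably harmless, but worth confirming, or moving the `touch` above the new `return 0`. The INFO message reads awkwardly; `echo "INFO: $FUNCNAME already has the intended mount options."` would be clearer, and the same wording is repeated in all six hunks, so a single helper or variable for the message would keep it consistent.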