do not remount if the mount already has the intended mount options

Patrick Schleizer 2019-12-21 04:21:26 -05:00
parent 203f4ad46e
commit 0c5848494b
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48


@ -42,6 +42,10 @@ home() {
return 0 return 0
fi fi
new_mount_options="nosuid,nodev${noexec_maybe}" new_mount_options="nosuid,nodev${noexec_maybe}"
if mount | grep /home | grep -q "$new_mount_options" ; then
echo "INFO: $FUNCNAME has already intended mount options."
return 0
fi
mount -o "remount,${new_mount_options}" /home || exit_code=2 mount -o "remount,${new_mount_options}" /home || exit_code=2
touch "/var/run/remount-secure/${FUNCNAME}" touch "/var/run/remount-secure/${FUNCNAME}"
} }
@ -52,6 +56,10 @@ run() {
fi fi
## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
new_mount_options="nosuid,nodev${noexec_maybe}" new_mount_options="nosuid,nodev${noexec_maybe}"
if mount | grep /run | grep -q "$new_mount_options" ; then
echo "INFO: $FUNCNAME has already intended mount options."
return 0
fi
mount -o "remount,${new_mount_options}" /run || exit_code=3 mount -o "remount,${new_mount_options}" /run || exit_code=3
touch "/var/run/remount-secure/${FUNCNAME}" touch "/var/run/remount-secure/${FUNCNAME}"
} }
@ -61,6 +69,10 @@ shm() {
return 0 return 0
fi fi
new_mount_options="nosuid,nodev${noexec_maybe}" new_mount_options="nosuid,nodev${noexec_maybe}"
if mount | grep /dev/shm | grep -q "$new_mount_options" ; then
echo "INFO: $FUNCNAME has already intended mount options."
return 0
fi
mount -o "remount,${new_mount_options}" /dev/shm || exit_code=4 mount -o "remount,${new_mount_options}" /dev/shm || exit_code=4
touch "/var/run/remount-secure/${FUNCNAME}" touch "/var/run/remount-secure/${FUNCNAME}"
} }
@ -70,6 +82,10 @@ tmp() {
return 0 return 0
fi fi
new_mount_options="nosuid,nodev${noexec_maybe}" new_mount_options="nosuid,nodev${noexec_maybe}"
if mount | grep /tmp | grep -q "$new_mount_options" ; then
echo "INFO: $FUNCNAME has already intended mount options."
return 0
fi
mount -o "$new_mount_options" --bind /tmp /tmp || exit_code=5 mount -o "$new_mount_options" --bind /tmp /tmp || exit_code=5
touch "/var/run/remount-secure/${FUNCNAME}" touch "/var/run/remount-secure/${FUNCNAME}"
} }
@ -79,6 +95,10 @@ securityfs() {
return 0 return 0
fi fi
new_mount_options="nosuid,nodev${noexec_maybe}" new_mount_options="nosuid,nodev${noexec_maybe}"
if mount | grep /sys/kernel/security | grep -q "$new_mount_options" ; then
echo "INFO: $FUNCNAME has already intended mount options."
return 0
fi
mount -o "$new_mount_options" --bind /sys/kernel/security /sys/kernel/security || exit_code=6 mount -o "$new_mount_options" --bind /sys/kernel/security /sys/kernel/security || exit_code=6
touch "/var/run/remount-secure/${FUNCNAME}" touch "/var/run/remount-secure/${FUNCNAME}"
} }
@ -89,6 +109,10 @@ lib() {
fi fi
## Not using noexec on /lib. ## Not using noexec on /lib.
new_mount_options="nosuid,nodev" new_mount_options="nosuid,nodev"
if mount | grep /lib | grep -q "$new_mount_options" ; then
echo "INFO: $FUNCNAME has already intended mount options."
return 0
fi
mount -o "$new_mount_options" --bind /lib /lib || exit_code=7 mount -o "$new_mount_options" --bind /lib /lib || exit_code=7
touch "/var/run/remount-secure/${FUNCNAME}" touch "/var/run/remount-secure/${FUNCNAME}"
} }
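Review bot: The idempotence check added in `home()` (and identically in `run()`, `shm()`, `tmp()`, `securityfs()` and `lib()`) matches the mount point as an unanchored substring of the whole `mount` line, so `grep /run` also matches `/run/user/1000` or `/run/lock` and `grep /lib` matches `/usr/lib` or `/lib/modules`; if any such other mount already carries the options, the function prints INFO and returns before the actual remount of the intended path, silently skipping the hardening. Query the exact mount point instead, e.g. `if findmnt -n -o OPTIONS /home | grep -q "$new_mount_options" ; then` (same change for the other five paths), which also avoids parsing `mount`'s human-readable output. Because the early return sits before the `touch "/var/run/remount-secure/${FUNCNAME}"` line, an already-hardened filesystem never gets its marker file, so the check reruns on every invocation — presumably harmless, but worth confirming that is intended. Each function begins before its hunk, so the preceding marker check is not visible here.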