Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

add more bind mounts of mount options hardening

Browse Source 
as suggested in https://github.com/Kicksecure/security-misc/pull/202
This commit is contained in:
Patrick Schleizer 2024-02-22 05:58:53 -05:00
parent ad9d913902
commit 38783faf60
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 76 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
usr/bin/remount-secure
View File

@ -208,6 +208,13 @@ _boot() {
remount_secure remount_secure
} }
_boot_efi() {
## TODO: new, test
mount_folder="$NEWROOT/boot/efi"
intended_mount_options="nosuid,nodev,noexec"
remount_secure
}
_run() { _run() {
mount_folder="/run" mount_folder="/run"
## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
@ -229,6 +236,13 @@ _dev_shm() {
remount_secure remount_secure
} }
_sys() {
## TODO: new, test
mount_folder="/sys"
intended_mount_options="nosuid,nodev,noexec"
remount_secure
}
_tmp() { _tmp() {
mount_folder="$NEWROOT/tmp" mount_folder="$NEWROOT/tmp"
intended_mount_options="nosuid,nodev${most_noexec_maybe}" intended_mount_options="nosuid,nodev${most_noexec_maybe}"
@ -255,12 +269,63 @@ _var() {
remount_secure remount_secure
} }
_usr() {
## TODO: new, test
mount_folder="$NEWROOT/usr"
intended_mount_options="nodev"
remount_secure
}
_home() { _home() {
mount_folder="$NEWROOT/home" mount_folder="$NEWROOT/home"
intended_mount_options="nosuid,nodev${home_noexec_maybe}" intended_mount_options="nosuid,nodev${home_noexec_maybe}"
remount_secure remount_secure
} }
_root() {
## TODO: new, test
mount_folder="$NEWROOT/root"
intended_mount_options="nosuid,nodev${home_noexec_maybe}"
remount_secure
}
_srv() {
## TODO: new, test
mount_folder="$NEWROOT/srv"
intended_mount_options="nosuid,nodev${home_noexec_maybe}"
remount_secure
}
_media() {
## TODO: new, test
mount_folder="$NEWROOT/media"
intended_mount_options="nosuid,nodev${home_noexec_maybe}"
remount_secure
}
_mnt() {
## TODO: new, test
mount_folder="$NEWROOT/mnt"
intended_mount_options="nosuid,nodev${home_noexec_maybe}"
remount_secure
}
_opt() {
## TODO: new, test
mount_folder="$NEWROOT/opt"
intended_mount_options="nosuid,nodev${home_noexec_maybe}"
remount_secure
}
_etc() {
## TODO: new, test
## /etc cannot be noexec because various executables are there. To find, run:
## sudo find /etc -executable
mount_folder="$NEWROOT/etc"
intended_mount_options="nosuid,nodev"
remount_secure
}
end() { end() {
## Debugging. ## Debugging.
#$output_command "INFO: 'findmnt --list' output at the END." #$output_command "INFO: 'findmnt --list' output at the END."
@ -277,6 +342,7 @@ main() {
preparation preparation
_boot _boot
_boot_efi
_run _run
_dev _dev
_dev_shm _dev_shm
@ -284,9 +350,19 @@ main() {
_var_tmp _var_tmp
_var_log _var_log
_var _var
_usr
_home _home
_root
_srv
_media
_mnt
_opt
_etc
end end
} }
## TODO: see also hidepid /usr/lib/systemd/system/proc-hidepid.service
#mount --options defaults,nosuid,nodev,noexec,remount,subset=pid /proc
main "$@" main "$@"