Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

improve remount-secure

Browse Source
This commit is contained in:
Patrick Schleizer 2023-10-22 10:32:24 -04:00
parent ef69e512bd
commit 41077c94fb
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 20 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
usr/bin/remount-secure
View File

@ -32,6 +32,7 @@ init() {
## Debugging.
$output_command "INFO: mount_output:"
$output_command "$mount_output"
$output_command ""
}
parse_options() {
@ -70,6 +71,8 @@ parse_options() {
}
remount_secure() {
$output_command ""
## ${FUNCNAME[1]} is the name of the calling function. I.e. the function
## which called this function.
status_file_name="${FUNCNAME[1]}"
@ -83,8 +86,10 @@ remount_secure() {
## example old_mount_options:
## rw,nosuid,nodev,relatime,discard
if echo "$old_mount_options" | grep --quiet "$new_mount_options" ; then
$output_command "INFO: $mount_folder has already intended mount options. ($new_mount_options)"
$output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'"
if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then
$output_command "INFO: '$mount_folder' has already intended mount options. ($intended_mount_options)"
return 0
fi
@ -93,7 +98,7 @@ remount_secure() {
if [ "$option_force" == "true" ]; then
if [ -e "$status_file_full_path" ]; then
$output_command "INFO: $mount_folder already remounted earlier. Not remounting again. Use --force if this is what you want."
$output_command "INFO: '$mount_folder' already remounted earlier. Not remounting again. Use --force if this is what you want."
return 0
fi
fi
@ -101,39 +106,42 @@ remount_secure() {
## BUG: echo: write error: Broken pipe
if echo "$mount_output" | grep --quiet "$mount_folder " ; then
## Already mounted. Using remount.
$output_command INFO: Executing: mount -o "remount,${new_mount_options}" "$mount_folder"
mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100
$output_command INFO: Executing: mount -o "remount,${intended_mount_options}" "$mount_folder"
mount -o "remount,${intended_mount_options}" "$mount_folder" || exit_code=100
else
## Not yet mounted. Using mount bind.
$output_command INFO: Executing: mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder"
mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101
$output_command INFO: Executing: mount -o "$intended_mount_options" --bind "$mount_folder" "$mount_folder"
mount -o "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101
fi
new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true
$output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'"
touch "$status_file_full_path"
}
_home() {
mount_folder="/home"
new_mount_options="nosuid,nodev${noexec_maybe}"
intended_mount_options="nosuid,nodev${noexec_maybe}"
remount_secure "$@"
}
_run() {
mount_folder="/run"
## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
new_mount_options="nosuid,nodev${noexec_maybe}"
intended_mount_options="nosuid,nodev${noexec_maybe}"
remount_secure "$@"
}
_dev_shm() {
mount_folder="/dev/shm"
new_mount_options="nosuid,nodev${noexec_maybe}"
intended_mount_options="nosuid,nodev${noexec_maybe}"
remount_secure "$@"
}
_tmp() {
mount_folder="/tmp"
new_mount_options="nosuid,nodev${noexec_maybe}"
intended_mount_options="nosuid,nodev${noexec_maybe}"
remount_secure "$@"
}
@ -141,7 +149,7 @@ _tmp() {
# _lib() {
# mount_folder="/lib"
# ## Not using noexec on /lib.
# new_mount_options="nosuid,nodev"
# intended_mount_options="nosuid,nodev"
# remount_secure "$@"
# }