From 470cad6e9176f57d33b038640b20443c3fa971fc Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 6 Dec 2019 05:14:02 -0500
Subject: [PATCH] remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
---
 debian/control | 6 ++
 lib/systemd/system/remount-secure.service | 17 +++++
 usr/lib/security-misc/remount-secure | 82 +++++++++++++++++++++++
 3 files changed, 105 insertions(+)
 create mode 100644 lib/systemd/system/remount-secure.service
 create mode 100755 usr/lib/security-misc/remount-secure
diff --git a/debian/control b/debian/control
index 8a4f6c7..54ea27c 100644
--- a/debian/control
+++ b/debian/control
@@ -135,6 +135,12 @@ Description: enhances misc security settings
  * p8022 - IEEE 802.2
  .
  user restrictions:
+ .
+ * remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and
+ noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To
+ opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest).
+ /lib/systemd/system/remount-secure.service
+ /usr/lib/security-misc/remount-secure
  .
  * A systemd service mounts /proc with hidepid=2 at boot to prevent users
  from seeing each other's processes.
diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service
new file mode 100644
index 0000000..385f18e
--- /dev/null
+++ b/lib/systemd/system/remount-secure.service
@@ -0,0 +1,17 @@
+## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+[Unit]
+Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
+Documentation=https://github.com/Whonix/security-misc
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/security-misc/remount-secure
+
+[Install]
+WantedBy=sysinit.target
diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure
new file mode 100755
index 0000000..a55cbb0
--- /dev/null
+++ b/usr/lib/security-misc/remount-secure
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## noexec in /tmp and/or /home can break some malware but also legitimate
+## applications.
+
+set -e
+
+if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
+ ## pre.bsh would `source` the following folders:
+ ## /etc/remount-secure_pre.d/*.conf
+ ## /usr/local/etc/remount-secure_pre.d/*.conf
+ source /usr/lib/helper-scripts/pre.bsh
+fi
+
+if [ -e /etc/remount-disable ]; then
+ echo "$0: /etc/remount-disable exists. Doing nothing."
+ exit 0
+fi
+
+if [ -e /etc/noexec ]; then
+ noexec=true
+ echo "$0: Will remount with noexec."
+ exit 0
+fi
+
+mkdir --parents "/var/run/remount-secure"
+
+if [ "$noexec" = "true" ]; then
+ noexec_maybe=",noexec"
+fi
+
+exit_code=0
+
+home() {
+ if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
+ return 0
+ fi
+ mount -o remount,nosuid,nodev$noexec_maybe /home || exit_code=2
+ touch "/var/run/remount-secure/${FUNCNAME}"
+}
+
+run() {
+ if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
+ return 0
+ fi
+ ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
+ mount -o remount,nosuid,nodev$noexec_maybe /run || exit_code=3
+ touch "/var/run/remount-secure/${FUNCNAME}"
+}
+
+shm() {
+ if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
+ return 0
+ fi
+ mount -o remount,nosuid,nodev$noexec_maybe /dev/shm || exit_code=4
+ touch "/var/run/remount-secure/${FUNCNAME}"
+}
+
+tmp() {
+ if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
+ return 0
+ fi
+ mount -o nosuid,nodev$noexec_maybe --bind /tmp /tmp || exit_code=5
+ touch "/var/run/remount-secure/${FUNCNAME}"
+}
+
+end() {
+ exit $exit_code
+}
+
+main() {
+ home "$@"
+ run "$@"
+ shm "$@"
+ tmp "$@"
+ end "$@"
+}
+
+main "$@"
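Review bot: The `exit 0` inside the `if [ -e /etc/noexec ]` branch ends the script right after `noexec=true`, so opting in to noexec skips every remount, the opposite of what the preceding echo and the debian/control text announce; drop that `exit 0` so execution reaches the `mkdir` and the `noexec_maybe` assignment. Separately, home/run/shm/tmp each touch their `/var/run/remount-secure/${FUNCNAME}` marker even when the mount failed and only `exit_code` was set, so a later run of the unit never retries a failed remount; touch the marker only on success, e.g. `if mount -o remount,nosuid,nodev$noexec_maybe /home; then touch "/var/run/remount-secure/${FUNCNAME}"; else exit_code=2; fi`. Whether `mount -o nosuid,nodev$noexec_maybe --bind /tmp /tmp` applies the options on the initial bind depends on the util-linux version (older releases need a follow-up `mount -o remount,bind,...`), so that is worth confirming on the target release by checking /proc/self/mountinfo after the service has run.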