Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)

Browse Source 
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
This commit is contained in:
Patrick Schleizer 2019-12-06 05:14:02 -05:00
parent 8cf5ed990a
commit 470cad6e91
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
3 changed files with 105 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
debian/control vendored
View File

@ -135,6 +135,12 @@ Description: enhances misc security settings
* p8022 - IEEE 802.2 * p8022 - IEEE 802.2
. .
user restrictions: user restrictions:
.
* remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and
noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To
opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest).
/lib/systemd/system/remount-secure.service
/usr/lib/security-misc/remount-secure
. .
* A systemd service mounts /proc with hidepid=2 at boot to prevent users from * A systemd service mounts /proc with hidepid=2 at boot to prevent users from
seeing each other's processes. seeing each other's processes.

17
lib/systemd/system/remount-secure.service Normal file
View File

@ -0,0 +1,17 @@
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
[Unit]
Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
Documentation=https://github.com/Whonix/security-misc
DefaultDependencies=no
Before=sysinit.target
Requires=local-fs.target
After=local-fs.target
[Service]
Type=oneshot
ExecStart=/usr/lib/security-misc/remount-secure
[Install]
WantedBy=sysinit.target

82
usr/lib/security-misc/remount-secure Executable file
View File

@ -0,0 +1,82 @@
#!/bin/bash
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## noexec in /tmp and/or /home can break some malware but also legitimate
## applications.
set -e
if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
## pre.bsh would `source` the following folders:
## /etc/remount-secure_pre.d/*.conf
## /usr/local/etc/remount-secure_pre.d/*.conf
source /usr/lib/helper-scripts/pre.bsh
fi
if [ -e /etc/remount-disable ]; then
echo "$0: /etc/remount-disable exists. Doing nothing."
exit 0
fi
if [ -e /etc/noexec ]; then
noexec=true
echo "$0: Will remount with noexec."
exit 0
fi
mkdir --parents "/var/run/remount-secure"
if [ "$noexec" = "true" ]; then
noexec_maybe=",noexec"
fi
exit_code=0
home() {
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
return 0
fi
mount -o remount,nosuid,nodev$noexec_maybe /home || exit_code=2
touch "/var/run/remount-secure/${FUNCNAME}"
}
run() {
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
return 0
fi
## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html
mount -o remount,nosuid,nodev$noexec_maybe /run || exit_code=3
touch "/var/run/remount-secure/${FUNCNAME}"
}
shm() {
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
return 0
fi
mount -o remount,nosuid,nodev$noexec_maybe /dev/shm || exit_code=4
touch "/var/run/remount-secure/${FUNCNAME}"
}
tmp() {
if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then
return 0
fi
mount -o nosuid,nodev$noexec_maybe --bind /tmp /tmp || exit_code=5
touch "/var/run/remount-secure/${FUNCNAME}"
}
end() {
exit $exit_code
}
main() {
home "$@"
run "$@"
shm "$@"
tmp "$@"
end "$@"
}
main "$@"